CYBER SECURITY CHAPTER NO 1 // LEARN CYBER SECURITY // CYBER_SUSHANT

         TODAYS CYBER SECURITY CHALANGE 

THREATS ARE RISING 

AERTS ARE RISING

AVAILIBLE ANALYTICS ARE LOW

IN THIS FIELD WE NEED MORE KNOLEDGE

IF ATACK IS HAPPEND IN ANY ORG THEN WE HAVE LOW TIME FIX IT

BY 2022,

THERE WILL BE 1.8 MILLION UNFILED CYBER SECURITY JOBS

SOCS ANALYST TASK

REVIEW SECURITY INCIDENT IN SEIM

Review the data that compromise the incident 

Expand the search to capture more data around that incident

Decide which incident to focus on next 

Identify the name of malware 

Find other internal IP's are potentially infected with the same malware

Search  threats feeds+ search engine + virus total + your favorite tools for this outliers /indicators ;find newly find  malware id play

Start another investigation around each of these IP's 

Review another investigation around each of these IP's

Review the payload outline events for anything

Search more website for ioc inforamation for that malware from the internet

 Information Security:-

    according to NIST it is the protection of information systems from unauthorized activities in order to provide confidentiality, integrity and availability. 

    These three principles are known as the CIA Triad. The CIA Triad here. Here we have three different principles confidentiality which is similar or equivalent to privacy. 

    For confidentiality access to resources or data must be restricted to only authorized subjects or entities. Data encryption is a common method of ensuring confidentiality.

    Integrity on the other hand involves maintaining the consistency and accuracy of data over its entire life cycle. Data must not be changed in transit, for example, when it is sent over the Internet or using a local area network. And steps must be taken to ensure that no one or an unauthorized person or subject makes any changes to our data, so it cannot be altered by unauthorized people. It is very common to use hash values for data integrity verification, for example, when you download a new operating system from the Internet. One of the first things to do once the download is ready is to compare the hash values that there are provided by the author of the operating system and the hash value of the down loaded file. They must match to make sure that the integrity is accurate. 

    Then we have availability. Ensuring availability requires maintenance and upgrading of hardware and software and operating system environments. So basically it is about keeping the business operations up and running, firewalls, proxies, computers everything has to be up and running 24 by 7, 365 days. Now business continuity plans, disaster recovery, redundancy, all those are best practices consider for availability to guarantee that the business is always running.

 Section we will review four key terms. Vulnerability, threat, exploit, and risk.

    A vulnerability is a flaw, loophole, oversight, or error that can be exploited to violate system security policy. For example, a software or an application that has code vulnerable to a buffer or flow exploit.

    Threat is an event, natural or man-made, able to cause negative impact to an organization. It could be a storm or a hurricane or a hacker, for instance.

     An exploit is a defined way to breach the security of an IT system through a vulnerability. Like the buffer overflow example that I gave you before. An exploit could be a piece of code available on the internet to execute such attack against an application that happens to be vulnerable. 

    Risk is the probability of an event or that an event could actually happen. In this case, the likelihood of a vulnerability to be exploited

Basically, we have internal factors and external threats.

    For the internal factors we have former employees and current employees. This is very important, because most of the attacks that are actually detected, or that are critical for our an organization, come from internal factors like internal employees. Also, former employees are threat, because they used to have access to internal resources, so if they are not properly offloaded, and their accounts are not properly disabled, then they will represent a threat for the organization. They also have knowledge about how the organization works and how the internals are executed. So they certainly represent a huge factor. Then we have the external threats, we have malicious events like for instance an attack coming from a specific country, targeting one of our DMZ servers, hackers or crackers.

    These guys who tried to exploit vulnerabilities, they try to find a way to get in, and the viruses, Trojans, or worms, which are just different attack vectors to compromise an organization. All these are human factors, because they either interact with humans or they are developed by humans. For instance, a virus is developed by a hacker to take advantage of a specific user. But also, a user in a not negative, or harmful way,

    get access to something that compromised the system with a virus. Also we have the natural factors like lightning, hurricanes, tornadoes, tsunami, all those are important to consider, especially when we design business continuity plans and disaster record strategies.

 A vulnerability assessment

         is the process of identifying, analyzing, and ranking vulnerabilities in the specific environment. Basically a tool is used, for instance, to analyze these specific asset, identify the associated vulnerabilities, and rank each vulnerability according to a specific criteria, whether the vulnerability can be exploitable in the while, if it is a null vulnerability, and many other parameters can be considered. Now there are two points to uptake into consideration. Many systems are shipped with known and unknown security holes and bugs, for instance. This is also associated with misconfigurations like when you get a modem and these modem has, for instance, the username and password admin, this could be considered a vulnerability since a hacker from the Internet or a threat attack could actually connect to the modem and use those user account or those credentials to access the modem and perform any malicious activity. So the vulnerability assessment tool will be able to detect that these modem has the default credentials and will flag that as a misconfiguration vulnerability. So the system admin can actually go ahead and make the necessary actions or take the necessary actions to fake the vulnerability. In this case, change the username and the password or change the password to something more or a stronger. So it will be more difficult to get access to the modem.

Roles in Cyber Security 

     These are very common roles that you can find in large organizations. Like the Chief Information Security Officer, which is we can say fairly new role introduced to make sure that there's a head and someone in charge of the Information Security Division to supervise, manage and be the leader of the Information Security Tower. Now, then we have the Information Security Architect, Information Security Consultants Specialist, Information Security Analysts, Security Auditor, Security Software Developer, the Penetration Tester which is also known as member of the red team, a Vulnerability Assessor. We also have the Digital Forensic Analyst, who is part of a blue team for instance. We also have the SEM Engineer, the person who is familiar with different SEM technologies. So all of these roles are very important, and if you notice, they already existed in the IT realm. However, we are now early in the security portion to these roles to make them more specific and make sure that they are security-oriented. So they make sure that they guarantee that the organization follows security best practices and standards

        Ronald Reagan was United States president that also who was a Hollywood actor. He asked to the security personnel to their security advisors if something that he saw on the movie could be real. What movie? Let's take a quick look into the movie that Reagan saw and he ask to the advisors.

        We are in. It thunks I'm falcon. Hello. How can it ask you that? It asks you whatever is programmed to ask you. You want to hear it talk? Yeah. I'll ask it how it feels. I am fine, how are you? Excellent. It has been long time. Can you explain whether you are the user account June, 23rd, 1973. It must have totally died. People sometimes make mistakes. Yes they do. How can it talk? It's not a real voice. This box just interpret signals from the computer and turns them into sound. Shall we play a game?

        So that movie was war games. It's a pretty old movie actually, but the main argument of the movie was that, someone actually that teenager hack into a computer into the Pentagon and start a game the main computer of the Pentagon. The artificial intelligence that runs that computer understand that this is a war game, but it could or actually use the real missiles and the real nuclear arsenal. So teenager from their home office, from their basement hacked into a computer into the Pentagon and take the ownership of the missiles from their home. So Ronald Reagan asked the advisors, these could be real, this could be happening right now. So they start working on something, they actually work on the first policy for a cybersecurity field in United States that is called the National policy of telecommunication and automated Information Systems Security NSDD155. Then we jump to the 9/11. As soon as the 9/11 happened, a lot of people into the US government started asking, how can we avoid the next 9/11? How can we avoid the next cyber threat that will cause an interruption of for example, the lighting system, forward plans, energy systems on the United State field? The last part of this history class is the use of technology. Thirty years ago, 40 years ago, nobody had a computer in the house, right now, everyone has at least a computer, and at least one cell phone, one smartphone on their house. So there is a lot of people, there is a lot of technology arbiter and there is a lot of information that could be shared, could be stolen, and could be compromised using that technology.

    The 9/11 obviously was something physical, was couple of planes that crashed into the Twin Towers in New York. But one of the things that the US government tried to understand also was, first of all, how this could happen, how the coordination between different parts happens. What happen if there is a 9/11 but not necessarily on the physical world, but on the technology? Something like the destruction of the power plant or the destruction of electricity network or the power network into or in any major or important city. One of the important things to keep an eye on right now is the use of technology for almost anyone. So basically anyone right now has a cell phone. Anyone can access data. Anyone can upload and download data from the Internet. We are going to talk about this specific topic in a couple of minutes, but that's something important to understand. We have access to the technology. In those years, in the Reagan years, not everybody has access to that technology. But right now, anyone could actually start and attack using their cellphone, using their computer in their home. So that's something important also to understand, the use of technology. Here we have some nice early operations regarding cybersecurity in the nation, state, or a cyberwar to be specific. One nice operation was Clipper Chip operation developed by the NSA. In simple words, this operation was something that those guys in the NSA tried to incorporate like a chip into any landline for phones in most of the US homes to try to spy the communications. Obviously that project, that operation didn't go well, didn't receive any approval from the Congress. But since the last leaks from Edward Snowden, we already know that, well, it's not Clipper Chip, the operation that goes into operation. It was something different that catch not just communications over the landlines, but also communications over emails and other communication methods. Moonlight Maze was an operation actually that's pretty important to understand. In the year 2000, Newsweek report create a series of reports regarding the Moon Maze story. In simple words, Moon Maze operation was the process to collect or dump passwords from Unix and Linux servers, not just from the NSA, but also from the NASA, the Department of Defense, and a couple of other organizations in the United States. This operation was one of the first things that happened on the cybersecurity warfare arena. Well, at this moment, there is no indicator or there is no relaxation for nation or for someone in another country that perform this attack. But it's supposed to be that the Russians that perform these operations. The tool that they use to launch this attack was something lucky tool. One particular thing that happened with this operation is the attackers use a lot of proxies. So they, in fact, computers around the world, especially in United States, and they hide their real connection using those computers. So when they start, sorry. When the US government start looking and monitoring the unauthorized access and the activities on those networks on the NSA, on the NASA, on the Department of Defense networks, they collect information not from the real attackers. They collect information from the proxies that the attackers are actually using. Another operation, the Solar Sunrise. This operation is important. This operation has one interesting component here. First of all, this operation was a series of attacks to the Department of Defense computer networks. It launched on February of '98. Essentially, they exploit a known vulnerability on operating system, on the network of the Department of Defense. They use or they start the attack following a series of steps. Actually that's part of the interesting part of the operation. They tried to determinate or understand if the vulnerability that the attacker wants to exploit exists on the network. If the vulnerability exist, they exploit a vulnerability. They implant in a program like backdoor or a sniffer to gather data or to get information from the network. The system lift the backdoor and the sniffer there and return later to retrieve the collected data. The attackers launched not just this attack for the Department of Defense network, but also for the Air Force, Navy, the Marine Corps, and also in another countries such as Israel, France, Germany, and they target some of the key parts of the network. They tried to dump also passwords and documents from the

        technological or from the infrastructure on the networks that they attack. But the interesting part here is who launch this attack? It was something, I don't know, maybe the terrorist, maybe a rogue state such as Iraq or something like that. Well, no. Actually the attack was launched by two teenagers from California. Actually one of the teenagers was from Israel. So this is a good example of things that could happen even if we are not dealing with the nation state cyber command on what things could happen if we do not secure our network. The Buckshoot Yankee was categorized as the most significant breach of the US military computers ever by the Secretary of Defense, Willian J. Lynn. This operation was part of a series of compromises on the year 2008. Everything starts with USB drive inserted into a computer in the Middle East military based operation. They used Trojan called Agent.BTZ, and the Trojan, the worm keep or stay on the network for 14 months until the IT security staff from the military clean the infection. No one, at this moment, has attributed the attack. It seems like it's from China, but there is no real accusation right now on the courts. So that's one important major security breach and security operation, or cyberwarfare operation from the last 10-15 years. Then we have some other examples. Desert Storm operation on the early '90s and the Bosnia war. Actually wars are not necessarily cyberwars, but there is a component for the cyberwar there. For example on the Desert Storm, some of the radars that Saddam Hussein used to try to alert their military forces that airplanes are coming to destroy bases or things like that. Some of the radars are destroyed or are tampered with fake formation. So that's one of the things that the US military command used to successfully attack some of their key military buildings of Saddam Hussein. On Bosnia, there was a lot of cyber operations. But things like, for example, fake news, fake information delivered to the militaries in the field, things like that, was used in Bosnia.

        The 9/11 obviously was something physical, was couple of planes that crashed into the Twin Towers in New York. But one of the things that the US government tried to understand also was, first of all, how this could happen, how the coordination between different parts happens. What happen if there is a 9/11 but not necessarily on the physical world, but on the technology? Something like the destruction of the power plant or the destruction of electricity network or the power network into or in any major or important city. One of the important things to keep an eye on right now is the use of technology for almost anyone. So basically anyone right now has a cell phone. Anyone can access data. Anyone can upload and download data from the Internet. We are going to talk about this specific topic in a couple of minutes, but that's something important to understand. We have access to the technology. In those years, in the Reagan years, not everybody has access to that technology. But right now, anyone could actually start and attack using their cellphone, using their computer in their home. So that's something important also to understand, the use of technology. Here we have some nice early operations regarding cybersecurity in the nation, state, or a cyberwar to be specific. One nice operation was Clipper Chip operation developed by the NSA. In simple words, this operation was something that those guys in the NSA tried to incorporate like a chip into any landline for phones in most of the US homes to try to spy the communications. Obviously that project, that operation didn't go well, didn't receive any approval from the Congress. But since the last leaks from Edward Snowden, we already know that, well, it's not Clipper Chip, the operation that goes into operation. It was something different that catch not just communications over the landlines, but also communications over emails and other communication methods. Moonlight Maze was an operation actually that's pretty important to understand. In the year 2000, Newsweek report create a series of reports regarding the Moon Maze story. In simple words, Moon Maze operation was the process to collect or dump passwords from Unix and Linux servers, not just from the NSA, but also from the NASA, the Department of Defense, and a couple of other organizations in the United States. This operation was one of the first things that happened on the cybersecurity warfare arena. Well, at this moment, there is no indicator or there is no relaxation for nation or for someone in another country that perform this attack. But it's supposed to be that the Russians that perform these operations. The tool that they use to launch this attack was something lucky tool. One particular thing that happened with this operation is the attackers use a lot of proxies. So they, in fact, computers around the world, especially in United States, and they hide their real connection using those computers. So when they start, sorry. When the US government start looking and monitoring the unauthorized access and the activities on those networks on the NSA, on the NASA, on the Department of Defense networks, they collect information not from the real attackers. They collect information from the proxies that the attackers are actually using. Another operation, the Solar Sunrise. This operation is important. This operation has one interesting component here. First of all, this operation was a series of attacks to the Department of Defense computer networks. It launched on February of '98. Essentially, they exploit a known vulnerability on operating system, on the network of the Department of Defense. They use or they start the attack following a series of steps. Actually that's part of the interesting part of the operation. They tried to determinate or understand if the vulnerability that the attacker wants to exploit exists on the network. If the vulnerability exist, they exploit a vulnerability. They implant in a program like backdoor or a sniffer to gather data or to get information from the network. The system lift the backdoor and the sniffer there and return later to retrieve the collected data. The attackers launched not just this attack for the Department of Defense network, but also for the Air Force, Navy, the Marine Corps, and also in another countries such as Israel, France, Germany, and they target some of the key parts of the network. They tried to dump also passwords and documents from the

        technological or from the infrastructure on the networks that they attack. But the interesting part here is who launch this attack? It was something, I don't know, maybe the terrorist, maybe a rogue state such as Iraq or something like that. Well, no. Actually the attack was launched by two teenagers from California. Actually one of the teenagers was from Israel. So this is a good example of things that could happen even if we are not dealing with the nation state cyber command on what things could happen if we do not secure our network. The Buckshoot Yankee was categorized as the most significant breach of the US military computers ever by the Secretary of Defense, Willian J. Lynn. This operation was part of a series of compromises on the year 2008. Everything starts with USB drive inserted into a computer in the Middle East military based operation. They used Trojan called Agent.BTZ, and the Trojan, the worm keep or stay on the network for 14 months until the IT security staff from the military clean the infection. No one, at this moment, has attributed the attack. It seems like it's from China, but there is no real accusation right now on the courts. So that's one important major security breach and security operation, or cyberwarfare operation from the last 10-15 years. Then we have some other examples. Desert Storm operation on the early '90s and the Bosnia war. Actually wars are not necessarily cyberwars, but there is a component for the cyberwar there. For example on the Desert Storm, some of the radars that Saddam Hussein used to try to alert their military forces that airplanes are coming to destroy bases or things like that. Some of the radars are destroyed or are tampered with fake formation. So that's one of the things that the US military command used to successfully attack some of their key military buildings of Saddam Hussein. On Bosnia, there was a lot of cyber operations. But things like, for example, fake news, fake information delivered to the militaries in the field, things like that, was used in Bosnia.

         You will learn to describe why comprehensive cybersecurity architecture can be very complex to implement in reality. So let's talk now about how the Internet works and why the online security is so hard to implement and to maintain. First, it is important to understand what is the current picture that we're having in our online presence. This is our report soon where we actually have the report presented by Domo on 2018.

        Here we could see that there is almost, for example, nearly 25,000 GIFs are sent on Facebook Messenger, that's a curious fact. Actually, there is a lot of tweets, almost 473,000 tweets are sent on Twitter and 4.2 million of videos are viewed on a Snapchat. Why those numbers are important? These numbers represents that everybody, everyone that has a smartphone, that has a computer are on the Internet, are sending and receiving information from not just web servers, but from another people in the Internet. The interesting part here is those numbers are minute numbers. So every minute 4.2 million of videos are seen on Snapchat, every minute 25,000 GIFs are sent into Facebook. So there is a lot of data, there is a lot of information that we are using and we are dealing with the Internet right now. Quick example and something that it's a nice exercise to perform, Datum it's an organization that collects and understand data around the world. They try to analyze data using big data technologies and artificial intelligence and things like that. They put together a site where you can calculate how much or what is the cost of your information over the Internet. For example, when a couple of clicks same, for example, that you have a Facebook page, that you normally send tweets that you receive, or you have a personal blog on Wordpress, or something like that, we can estimate that the information that you already have on the Internet cost almost $1,000. So that's something important because normally, we don't actually pay attention to the information that we share or we have on the Internet. That's one of things that we need to understand in order to implement controls on our accounts. We're going to talk about authentication. We're going to talk about identification and the methods that we could use to protect our information not just on the business side, but also in our personal digital life. So that's something important. We need to understand the amount of money that we're putting into the table for the attackers for the cyber crime, to exploit, to capture. Now what is so difficult? What is so difficult to implement to understand and to keep track of Internet security or Internet privacy on these days? Well, first of all, we need to care about data protection, and that's something important. But in the past, if we want to protect the data, we protect the server, we protect the computer, we protect our printed documents and lock them into a box or something like that. Right now, we actually need to protect not just the computer, we need to protect our tablet, we need to protect our smartphone, we need to protect our smartwatch. We have a lot of devices, and those devices carry the information that we shared, that we care. The part of the must be changed. We don't need to protect right now the asset, we need to protect the data on the asset. The asset is something important also but we should care about data. We shouldn't care about the asset. Then we have mobile technology. There is a lot of mobile right now. We have 4G networks that practically mimics the speeds or actually improve the speed of WiFi in some businesses or houses. We have cellphones. Actually, most of the people right now are using their cell phones, their tablets, and try to replace their computers with that. Again, we need to protect the devices, but we need to protect the confidential data on that device. We need to be sure that the devices are secure with authentication methods that will increase or will have enough controls, enough control mechanisms, to protect the data that a mobile device is carry on. We're dealing now with global businesses, we're not dealing with a single obvious or the single headquarter in one city and that's all. We are dealing with a lot of offices and a lot of places in the world. So we need to protect each of those fields, each of those businesses, their communication between those businesses, those offices. The data transportation between those enterprises and those offices from the same company should be protected, and that's difficult. We need to understand not just the technical stuff, but also administrative stuff, for example, policies in countries, compliance in countries, things like that are difficult to keep track off. Last, we have multiple vendors. In the past, we deal with, for example, Lenovo, we deal with Dell, with Asus to buy computers, buy servers, and that's it. Then we have providers or vendors that will give us routers, network equipment, things like that. Then we have our ISP to give us Internet access. But right now, we're dealing not just with one vendor, we're dealing with multiple vendors on computers. It's something common that we go into any office and we've seen not just PCs, but they're also Macs. We see computers with Windows, but also with Linux. So there is a lot of vendors there. We're dealing right now with Cloud computing. Cloud computing is a key part of the expansion of the technology. But also there is a lot of vendors, there is a lot of technology there and we need to understand those technologies in order to protect the infrastructure that we are implementing or we are having in our companies and our personal life.

         An approach where we could start on the cyber security arena. So first of all, we need to have a security program, we need to evaluate, we need to identify, we need to understand the risk, the threats that we are dealing with, we need to assess, monitor, and control those risks and those threats. Then we have to manage the assets. By assets, I don't mean the computer that you have in front of or your cell phone or your share, but I mean documents, I mean systems, each document that you have in your computer should be managed with classification, with controls, with confidentiality, with integrity, with availability. We will explore those terms in a couple of minutes in the next videos. Then we need to implement not just technical controls, for example, network infrastructure, servers, protection endpoints, vulnerability management, UTMs, firewalls. But also, we need to implement administrative controls. For example, policies, procedures, incident response teams, disaster recovery procedures, compliance, and physical security also it's important. So here is just a quick example of the things that we need to implement in our company, in our [inaudible] life. But there is a lot of things that we need to implement also, so we are going to explore those in next videos.

        Within the principles of security, certainly, we'll hear about CIA. That talks about confidentiality, integrity, and authentication. So it's actually a little wider than that, right? So confidentiality, is a major principle. This is where only the sender and the receiver, can understand the message. So if it is intercepted midway, we'll take a look at some diagrams for that, that those intercept doors will not be able to understand the message. So fundamentally, the sender, which would be Bob right in the literature, sends the encrypted message. Alice on the other end, receives and decrypts the message. Associated with this is authentication, where the two senders Alice and Bob in our example, need to confirm the identity of each other, before sending a message. Equally important for authentication, is integrity, that the sender and receiver, Alice and Bob, want to have some assurances that the message has not been changed, right? Whether this is going to be in transit or whether it's going to be in some intermediate stage on the receiver's end. Most importantly, has it been changed and they want to be able to ascertain if it's been changed without detection. We will look at several mechanisms for that to happen. Last, is the access and availability, right? So that the security services, the IT services that are available in the enterprise, have the correct access control mechanisms in place and also has significant availability to allow the enterprise to operate according to spec.

    I'm a big fun of Sun Tzu. The Art of War teaches us not to rely on the likelihood, the enemy is not common, but our own readiness to receive him. Not on the chance of his not attacking, but rather on the fact that we have made our position unassailable. So this speaks to that principle of a well, it couldn't happen to me. Largely, you need to be ready. I'll follow onto this, the combination of space, time, and strength. They must be considered as the basic elements of this theory of defense, makes us a fairly complicated met. Consequently, it's not easy to find a fixed point of departure, right? So security is a complex field that's dynamic and changing.

        Before we jump into the dynamics and the interaction with cryptography, let's take a look at the playing field, so that we can get the lexicon, the terms defined, and the actors. Well, so Alice, Bob, and Trudy, you'll see this throughout cryptography literature. So it's A, B, and T, are the actors back in the 60's in a few papers. These were given names; Alice, Bob, and Trudy and they continue today. So Bob and Alice want to communicate securely. They can be for any reason, or personal reason, or business reason. Trudy, who is the interceptor, desires to intercept, delete, add messages, change messages; effectively a bad actor. So we take a look at the diagram here on Slide 7. We see Alice on the right-hand side and Alice has some data. This could be an email, it could be a note, could be a Web page, number of elements for that. She secures this message, moving from clear text to ciphertext, transmits it across a channel. Now, the channel can be any form of transmission that we can consider. So certainly, email, direct transfer, file transfer, protocol. It could be a text message these days. Back in the Napoleonic period, this would be a letter that a young naval midshipmen may carry between Whitehall and other parts of London. So the channel, right? Is the transmission mechanism. Within the channel, is the data. This is the payload, right? Control messages, who is it going to? How long is it good for? What's the address of the recipient Bob in this case? Obviously, in the Internet world, we look at IP addresses. We look at mac addresses. In the manual world, we think about the Napoleonic era, when British intelligence started its ascendancy. This would be a name and a physical mailing address. So physical mailing addresses are manual interpretations of control messages. So Bob receives the message, decodes it, and has the clear text that Alice sent to him. Trudy has the ability to intercept these messages on the channel. But because of the secure nature of the encryption, the protection for that, cannot read, delete, alter those message. So who could Bob and Alice be? Well, they could be Bob and Alice. There's no reason it's not real people. But that also could be a client-server relationship, right? Client servers in banking elements, DNS servers communicating with clients during the IP lease phase. Certainly, network routers, right? Exchanging information with other routers and updating tables. There's other examples, such as firewalls communicating with security intelligence systems, security intelligence systems communicating with database protection. So we have the sender and the receiver, many instantiations of that. So our next slide, nine right now, the NIST group from the US government, right? Has a very reliable computer security practice. I have a definition for computer security that's been provided. The protection afforded to an automated information system, in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources. It includes hardware, software, firmware, information data, and telecommunications. So taking a look in reverse order, right? The scope of computer security is the OSI protocol stack that starts with applications on the top, moves down to the presentation and the session, down through the transport layers, down into the physical layers. All of those are within scope of computer security. You'll notice, that this is the protection provided to an automated information system. So this is protection for not only the platforms, the host, software, but the information that these systems are processing.

        Translation of simple business requirements into technical specifications and deployment decisions can be very difficult. The protection mechanism itself is subject to attack. Protectors have to be right all the time. Attackers only have to be right once. An additional challenge to the security ecosphere has to do with the complexity of the solutions. So the first point about security not as simple as it seems is a huge understatement. Our customers frequently have very simple requirements. For example, one requirement might be that all users will authenticate to the enterprise. Sounds easy enough, but when we start looking at the implementation and the engineering behind a comprehensive access control system, role-based access control, or perhaps attribute-based access control, and privileged users, and archiving, the solution gets very complicated, even though it's got a very simple high level requirement. You see this all the time. It is part of the security professionals job description to take these somewhat simple requirements and being able to decompose them into accomplishable or achievable modules for that. An additional complexity for security architecture is the fact that the solution itself could be attacked. There's the principle of the security enforcement point or SEP. The security enforcement point is a technical implementation of a business policy. For example, as we were just talking about access control, is that the business security requirement is, all users will sign on to the system. The technical implementation of that might be for strong authentication or something you know, something you have, the tracking of privileged or system administrators. Somebody can change a security policy. So we have technologies, we have software, and we have hardware, we have firmware that implements or delivers the technical solution to these business security requirements. That's the definition with security enforcement point. Well, the similar point is that, the adversaries, the attackers know that to get to the information that they are after, that they need to defeat the protection mechanisms. They need to breach the moat, scale the wall, break the gate, right? So these enforcement structures are just as much a target as the actual data itself. So level of complexity that's not found in other technical disciplines are then we very much need to be aware of within the security world. As we pointed out the protection of the security enforcement structure, not can but will complicate the solutions. Because you've got this additional layer of protection, in terms of protecting the protection mechanisms.

    Some additional challenges that face the security professional has to do with our security architecture decisions, right? So we'll talk about logical architectures that describe more what we're doing as opposed to how we're doing it. So then we start getting into the topology of this, where these enforcement mechanisms will be placed within the architecture. For example, generally, we want access control technologies closer to the parameter, closer to the DMZ. However, some insecurity, some Net flow sensors may be more towards the center of the enterprise. So there's some architectural decisions, there's trade space studies, there's trade offs, there's risks, and benefits for these decisions. It takes a seasoned architect to be able to help define where these deployment decisions will place these technologies. Second point, we'll talk about key management being very difficult. So when we talk about key management, we're talking about cryptographic keys. You remember the earlier diagram with Alice and Bob. Alice would encrypt or protect her message before putting it onto the transmission channel. A cryptographic system uses a key, and there's a corresponding key in Bob's domain for him to decrypt that message. So the key management of the creation of those keys and the distribution of those keys, which we will look at little later, is a very complicated solution. So something to keep aware of would that. Then there's this larger principle that we as the defenders need to do, have to be right all the time. So the dynamic attacks that are out there, that change every day, every week, right? The security architecture needs to be flexible enough to be able to protect against those attacks, so 100 percent of the time. So people, places, things, time, and money, all of which are in quite in terms of having a dynamic security architecture that protects the information, protects the enforcement points against these constantly changing elements. So they have to be right all the time. Security architecture that protects 90 percent of the time is not going to be well embraced by any business. However, the attackers really only need to be right once in order to succeed. So you see the disparity, the imbalance, the disproportionality of success between attackers and protectors. The business line generally considers security unnecessarily either. There's principle about the seat belt philosophy. A seat belt costs about $200 to put into a vehicle, but that one-half second before a serious automobile accident, that seat belt is worth more than a million dollars. Security constructs are exactly the same thing. The security of the business lines frequently considered to be security in the way it is incumbent upon us as security professionals, to ensure that the security constructs are actually enabled, right? So that we make it easier to conduct business in a complex world. Our last set of challenges and of course, these are fairly high level, but can be decomposed into additional challenges. Talk about the constant effort being afterthought towards security, and that security is frequently viewed as a obstacle. So somewhat in reverse order, that the business lines within the enterprise frequently view security as an obstacle, as a barrier. This is something that is necessarily evil, and we need to operate and just do our best to get sometimes to. That encourages, by the way, people to try to do end runs around security. Security professionals responsibility is to make security an enabler, all right? So make it a positive value. This helps us do business in a very complex and very threatening world. We'll talk more about that a little bit later. So why is security sometimes viewed as an obstacle? Is the fact that it's not integrated early into the development life cycle, system life cycle development for the project. So we look at life cycle models such as our work model or iterative engineering, and you don't see security in the functional definition. So the security professional needs to convince the project leaders that this is at least expensive way to integrate security into the approach is to be included early. So that way you'll have application developers, infrastructure, our security people there, test engineers, Q&A. All of those have a place fairly early in table. The top point about security architecture is requiring constant effort speaks to the dynamic nature of our task, that the adversaries are constantly introducing new attack profiles, new vulnerabilities are released from software manufacturers that are turned into exploits, just the war changes and it changes every week. So constantly, our defense mechanisms, our security architectures also need to be very mobile, very agile to adapt and to change to these changing attacks. Otherwise, we will be very much like we go back in the 1990s with static, castle, moat drawbridge type of security architectures.

Critical Thinking 

     This talk, Beyond Technology, this was a talk that I put together a few months back for a conference here in Boston called Day of Security. It's a conference geared toward women in cybersecurity, and this is geared towards women who are early on in their career. What I wanted to do was highlight critical thinking as an important part of cybersecurity. So often when we think of cybersecurity, our immediate thought is it's very technical field. We think automatic, our thoughts automatically with the operating systems, networking, very technical things. I think that our minds are [inaudible] to the problems. If they critically through problems, this is often overlooked and so that's what I'm trying to present with this talk. So what is critical thinking? It's one of those things that doesn't have a hard and fast definition. Everybody's got their own definition of what is critical thinking. I went through a dictionary search, and I found a few definition, and then I made up my own that I liked, that I put at the bottom. So for the purposes of this discussion, critical thinking is controlled, purposeful thinking directed toward a goal. It's different than daydreaming. It's different than thinking about what you had for breakfast or your to-do list. It's very controlled purposeful thinking. Again, my goal with this presentation is to present the basic foundations of critical thinking, and also to highlight this as an essential skill for any career in cybersecurity domain. Whether you're in finance, whether you're an HR, whether you're [inaudible] , you have a technical role. I think you'll take something away from this, and you still will apply regardless of your role or the project that you're on. So why in cybersecurity? Why am I focusing on critical thinking, specifically, inside of cybersecurity? Beside the fact that I work in cybersecurity, there's a number of characteristics of the domain that I think lend itself to this kind of discussion. One is that, it's a constantly changing environment. It's very fast-paced. We've got different technology that's changing every day. There's multiple stakeholders, whether that comes from a variety of backgrounds, whether that's economic, legal, HR, and we also got an adversary. There's an adversary presence in there, so it's very multifaceted. It's a new field. It's a relatively new field, and we don't have all the answers. We don't have cyber figure it out, and so critical thinking skills force us to think, and act in situations where there are no clear answers, and where there are no specific procedures in place. Again, this is part art, part science. There's no defined way to do this. It's subjective. It's impossible to measure. But I think it's so important that we talk about it, and have these discussions. One other point I like to bring up a lot is that when you live in this age of Google it, where often our immediate reaction when we're faced with a problem is to use Google, to go enter or question in your search box, then the Internet tells us the answer. That's different from the situation in which we had to rely on books to libraries and slower research methods to answer our questions. Information was not as widely available. So this wealth of information isn't always good. More data doesn't [inaudible] knowledge, and that can quickly start to overwhelm our reasoning abilities. Because of this, critical thinking is more important now than ever. The ability to discern important information from, that feeds information and make an educated intelligent decision.

        When we think about skills, the sought-after skills in cyber security, media we go to the technical skills now. These are, I did an informal survey of some big tech companies, what they were hiring for in cybersecurity. And I looked at IBM, and I looked at Microsoft, Facebook, Google. The big tech companies, I saw a lot of, what really jumped out at me were these technical job skills. So operating [INAUDIBLE] instrusion detection, reverse engineering, all very important. With that comes a slew of supporting tools to help support these activities. So whether that's Wireshark or Spelunk or a number of different database tools help support these activities. Now, you've got a conundrum where you've got hundreds and hundreds of tools that are updated regularly. Everybody's got a favorite, they have got different data formats, they don't always play nice. This can be messy to deal with and it can also be impossible to keep up with. It's impossible to become proficient in all these tools.

    And so, this is what I mean when I say there's common misconception of keeping up with the latest technical tools and trends is the key to success. But the reality is that they are always going to be changing. The technology is constantly changing, our average terrain is always changing. But the good news is that the security and design fundamentals change slowly. TCP IP operating systems, kernel fundamentals, those change slowly. And so critical thinking, combining these critical thinking skills with an understanding of security fundamentals will allow us to identify solutions to unknown, undefined complex problems situations regardless of technology, regardless of the tool that we have in front of us.

    So, I just more you know, thinking about critical thinking and I was wondering you what, what differentiates

        a good critical thinker from a not so good critical thinker. What are the characteristics that enable critical thinking? And I did some research. I really couldn't find anything that was specific to cybersecurity, but where this has been studied a lot is in healthcare. So if you think about healthcare, you think about an emergency room.

        You've got doctors and nurses who are in a high stress situation. They have to make sometimes lifesaving decisions in just a matter of minutes, just based on incomplete data, and so the ability to think critically, to pull together decision,

        intelligent decision in that short amount of time is very important. And so critical thinking has been studied a lot in this field and so this model on the slide is actually pulled from a healthcare text book. I really like this model and I think these same principles still apply to cyber security and so I'll just briefly walk us through each of these characteristics. So at the top, in that top circle, are your critical thinking characteristics. Your attitudes and behaviors at a person. This is your personality, your outlook on the world. How you approach problems. It's going to be a product of your upbringing, your life experiences, your job experiences. It's going to be different for each of us, and that's good. That's good, because this is a field where we want that diversity. We want that diversity of perception.

        If there's one thing that I've seen in my career that I've seen in cybersecurity in particular is that the most successful people are often the most curious. They're the most curious of the world, they've got a constant hunger to keep learning, to keep growing, to solve problems. If they're on a threat hunt or they're doing some kind of investigative work, they've got this intrinsic desire to get to the answer to finish to find a solution. And so just that, that curiosity will take you far. Going clockwise, the next characteristic is your theoretical and experiential knowledge there. Now this is like the fundamental knowledge that you pick up. Maybe in school about how operating systems work. Your knowledge that comes from on the job with different projects that you've been on, what you've learned from those projects. Your intellectual skills, that's what that circle represents.

        Moving on to your interpersonal self. How well do you interact with other people? To what degree are you interacting with your coworkers, with your peers? Are you asking questions? Are you offering your own input?

        Because cyber security is not a solo profession. I rely on my colleagues every single day whether we're sharing information or I've got questions or need help. I'm relying on other researchers that are out within the company that are external to IBM maybe that are in a different domain. So how well can you work together with others and share information? And then then last is the technical skills and competencies. So these are you know, your ability to use wire shark your ability to triage maybe sure. These are the technical skills and competencies that were outlined on that skill slide [INAUDIBLE] reverse engineering, that's what these skills are. And in this model, their overlaps represents a person's critical thinking ability.

        you will learn to describe the five keys skills of critical thinking: challenge assumptions, consider alternatives, evaluate data, identify key drivers, understand context. Five skills. So now, how do you practice these skills? How do you actually apply these in your everyday life, on your job? How can you grow these and becoming a better critical thinker? So these skills, these are not my skills. These came from a women that I worked with at a previous job. These five skills came out of her time working, studying psychology and studying how humans make decisions. So for each of these skill, on the next slide, what I'm going to do is I'm going to go through each of the skills, explain what they mean, provide some additional work to examine how can that be applied to cybersecurity, and how can you actually exercise this. So we'll start with challenge your assumptions. This sounds easy, but it's hard in practice. It requires questioning your mental model. Questioning the mental model that underlies your reasoning, how do you do that? Because assumptions oftentimes we're not even aware that we're making them. They're based on our past experiences, thoughts, and evidence, or personality. So oftentimes we don't even know that we're making an assumption. What I found is that it's very useful to bring in other perspectives to talk to other people and start brainstorming and listing out your assumptions into continually do this. Throughout the life span of your project, throughout the project timeline, question your assumptions, gather more data, take a systematic disciplined approach to this. So what I usually do is I try to make a framework out of this. I tried to put this into steps that distill how you would do this. So step one is explicitly list all assumptions. Again, this requires other people. Invite all of the stakeholders involved whether it's your project manager, colleague, whoever. Have a brainstorming session where you start to list every possible assumption that you could be having. Then for each of those assumptions, question them, examine them with some key questions. Why do I think this is correct? When could this be untrue? How confident am I that this is valid? What's my confidence level? If it is valid, what would the impact be? This gives you a way start to triage your assumptions, and then now you can categorize them based on evidence into the solid and well-supported assumption. Is it correct with caveats, or is it unsupported or questionable? Unsupported and questionable doesn't necessarily mean wrong. It just means we need more data. So after you go through this categorization, you refine, you remove, you collect additional data as needed, and you iterate over this. This happens naturally throughout the life span of your project, and so that is your key assumptions check. Number two. So now, we've checked our assumptions. Are there alternative explanations for a behavior, for an activity? Like I said, our brain computes together a situation with just a few bits of data. But the scary thing is that, if we fail to consider missing data or alternatives, this can lead us down to the wrong path. We have to be able to consider alternative explanations. Avoid letting yourself become entrenched in one explanation. I can't tell you how many times this has happened to me. We're going to become so engrossed in one explanation. They turned out to be wrong because I failed to consider alternative explanations. So again, how do you do this? Brainstorming, get more people in the room. You need those different perspectives. You just need different perspectives of looking at the problem in different creative thought processes. I like to use the fixed classic journals to take question as a framework for this, which I'll talk about in the next slide, to evaluate all different dimensions and then also consider the null hypothesis. This is the exact opposite of what your main hypothesis is. This is a good exercise because sometimes it forces you to look at a problem from a different perspective. So the six W's. Again, they are very simple. We all know this: who, what, where, when, why, and how. I find that they're very useful for examining explanations or examining these alternative explanations. So in case of I like to use a prep hunt example, who is involved? Who's the victim? Who is the target? Who are the stakeholders? Who's affected by the outcome of this? What is at stake? Whether it's data, whether it's a physical asset. What happened? What is the problem? What's the desired outcome of this? Where did this take place? Does geography matter? Where's the infrastructure? Where's the victim? Where's the adversary? Does this matter? Again, when? Does timing matter? Are there key dates? Are there deadlines that we need to be aware of? Why are we doing this? Ask yourself that. Make sure you're solving the right problem. Also what are the key drivers? What could be a motive? How? How are we approaching this? Is it feasible? Then be detailed and specific. Really think through each alternative and what that would entail and whether that's plausible. So again, examine alternative explanations, look at them through the lens of these six different questions to characterize each explanation, and examine it from different dimensions. So we've identified our assumptions, we've evaluated alternative explanations. Now, we get to evaluate our data. This is one of my favorite skills. This is the crux of the scientific method. Assess the data against multiple hypotheses to see how well it fits. If you've got a favorite hypothesis that the data doesn't fit, then you unfortunately have to let go of that hypothesis. There's a few couple of points I'd like to make on this slide that aren't necessarily related directly to critical thinking but I still think are very important to make. In the start and the bottom, the first is that cyber data is notoriously hard to get, and oftentimes people don't realize that until they need the data. I mean, this can be for a number of reasons, whether it's policy, privacy issues, maybe HIPAA, GPR. Maybe there are reasons that your customer, your client, or whoever, you can't get the data. It could be that it's not uncollected. If your network is not instrumented to collect certain data or your hosts systems aren't instrumented to collect certain loss, the data doesn't exist. Then you can't do anything. So what I like to tell people is to be proactive. Be proactive when you're setting up a new network environment, a new system. Establish a baseline for what's normal. Understand what's important on your network and what data you would need to capture in order to triage problems or to monitor its health and wellness. So the nice thing about this two is that it helps you establish a baseline for what's normal. It helps you to see what is normal source and destination web traffic look like, what is normal activity look like. This is key to anomaly detection. This is how you'll be on the lookout too for inconsistent data. So again, evaluating data, if the data is not there, it's not there. Be proactive. Be proactive in establishing good data collection practices.

        Skill number four. So identifying key drivers. So again, key drivers are things that can significantly impact a situation, and they're not always technical in nature. So think about the behavior from a cybersecurity perspective, these obviously do include technology so encryption, authentication, tools/frameworks, infrastructure availability, but they also include things like regulatory and political drivers. So privacy, GDPR, General Data Protection Regulation, intellectual property, supply chain, logistics issues. Your employee, employee themselves, their training needs, their perspective, their skills, and then your threat actors. We always have that adversary, that other person. What are their technical capabilities? What are their motives? What are their opportunities? So a nation-state threat actor is going to have a lot more financial capability, and perhaps different motives than a Swiftkey, or somebody who's hacking at your server from a basement somewhere. A number of different drivers that can impact your situation, that it's important to be aware of because they're not always technical.

        Number 5, Understanding Contexts. So what does this mean. Contexts is the operational environment in which you are working, and so the context [inaudible] is different with the context at a university, which is different than a context perhaps at Microsoft, or another company. So context matters. Be aware of different perspectives of your managers, your colleagues, your clients. Ask yourself these questions, what do they need from me, how can I explain the issue, do I need to place their questions in a broader context? This is where the notion of framing techniques comes into play. So you'll call at the beginning of the presentation when I outlined the goal of this talk, and also what I mean by critical thinking. That was a framing technique to ensure that we are all on the same page, and to understand that we're all using the same vocabulary because this helps to avoid confusion, and avoid problems down the line. So I love framing techniques as just the solution to mitigate problems down the line.

        So framing the issue. Again, there's a number of steps that you can do to help you look at an issue or situation more objectively. The first is to identify the key components inherent in whatever the situation is. So what does this mean, who or what are the key components? You break them down into component parts, it start listing your key actors, key categories. Then from there, try to identify the different factors at play. You understand the components. What are the driving forces, and again, this will allow you, going back to that driving forces diagram, to start revealing additional insights in relationships that you might not have been aware of initially. Now you can start to look at relationship, or patterns in relationships exist among different components and factors. Are they static? Are they dynamic? In the case of maybe doing a threat hunt investigation, often graphing databases, may help you to help start to visualize different relationships among entities. In similarities and differences, are there historical analogies that you could fall back on? Have you seen similar patterns, behaviors, or situation in a different context or in different experience? You're okay to pull from that. Then redefining. Experiment with different ways to reframe your problem. Write down what you know, what you don't know. How can you look at it differently, if their root cause perhaps that you're not seeing. So going back to our elevator problem, again, just to remind us, we're managers of a high rise apartment complex, people are complaining that the elevators are too slow. We've got a number of different approaches to fixing this problem. I'm sure all of you came up with your own approach. You have a varied thought process. This is a real anecdote. This is a real situation that happened, and what they ended up doing was installing mirrors, they installed mirrors. The complaints died. All of a sudden, the elevators are faster.

        This is a classic example of problem framing, and how you can by changing the problem, problem framing, fundamentally changing the solution space. By installing mirrors, the problem wasn't that the elevator was too slow. The real problem that people are complaining about was that waiting is boring. It was boring to stand there and wait because that their minds weren't focused. They're focused on the waiting. By installing mirrors, now, all of a sudden, people who are waiting for the elevator are distracted. They can look at themselves, they can look at other people. They're not focused on the elevator. So rather than making the elevator faster, the solution space is transferred into shorten the perceived wait time. That can be done a lot more simply and cheaply by putting up mirrors, playing music, installing art displays, things like that. So this is an example of this notion of problem framing, and how to refine these different aspects of a problem to deliver it, like these radical improvements in spark solutions to seemingly intractable problem. Again, this is why having that big diversity of perception, or a thought within cybersecurity is so important. So again just to recap the five skills that I've outlined here, challenge your assumptions, refine as you learn more, consider alternative explanations, don't get entrenched in one explanation, evaluate data. Again, does the data fit your hypothesis? Identify the key drivers, and what are the driving forces that play, remembering that they're not always tap and go, they might be political. They might be personnel issues. There could be a number of the driving forces, and understand the context, understand the context in which you are working. Can you put yourself in other people's shoes? Can you reframe the problem, so the solution space is different.