Most if not all professions have basic principles that make those individuals working in those professions effective. Some of the basic principles of the medical profession are to never intentionally cause harm and help individuals with their medical care. Some of the basic principles in the food service industry include temperature control, customer courtesy, etc. After 40 years working in the profession of computing technologies, networking and cyber security, some basic principles have been identified and are presented here. These are not absolute by any means but are some of the basic principles that can and should be considered when attempting to deploy a network.
First Principle of Cyber Defense
Security is not a tool; it is a Frame of Mind!
Effective security must include:
- Due Diligence (Policy, enforcement)
- Logical Thought (Left versus right brain concepts)
- Experience (Implementing proven techniques)
- Constant assessment (Effectiveness, accuracy, monitoring)
- Security is a Knowledge Treadmill
(One year in security is like seven years of a dog’s life) - Exercise cyber street smarts
Second Principle of Cyber Defense
What you don’t know will hurt you!
Constant vulnerability assessments are a requirement
- Hackers never sleep, neither can we, perform constant vulnerability assessments
- Dark Networks are right in front of you, just because you don’t see it doesn’t mean it isn’t there
- Network Blind spots exist, find them, files in flash, ROM, false extensions, system folders
Third Principle of Cyber Defense
Effective defense requires understanding offense
- View your own network the same way a hacker or a cyber criminal would, because they are!
- Sun Tsu, Know your enemy, Know Yourself!
- Hack your own network, because someone else is
Fifteen minutes on the open Internet is a very long time
Fourth Principle of Cyber Defense
The weakest link is biological, not electronic
- Social Engineering
- Human error
- Lack of due diligence
- Ego
- Right brain thinking in a left brain profession
- Lack of understanding of networking
- Lack of understanding of cyberspace
- Lack of experience with security
- Password revealing
Fifth Principle of Cyber Defense
The Newer the Technology, the Less Proven it is
- Which means it may be the most vulnerable and you just don’t know it yet
- 0 day playground!
- New does not mean secure, it means new and unproven!
- Lewis rule # 1! Never rely on the first version of anything!
Sixth Principle of Cyber Defense
The Older the Technology, the Less Secure it is
- Which means it has already been compromised and those vulnerabilities are well known
- Demonstration of reliability is not evidence of security
- Analog telephone systems have been around for more than 100 years. They older they are the less secure they are!
Seventh Principle of Cyber Defense
If you have physical access, you own it!
- Unlimited time for examination
- Mount the device as an object instead of loading it
- Easier to bypass a password than to interact with it over the network
Eighth Principle of Cyber Defense
Due Diligence is a legal requirement
- Downstream liability – your responsibility!
- Upstream liability – your responsibility!
- How you use your network
– United States Codes
– State Cyber Crime Laws
- Regulatory requirements:
– HIPPA
– Sarbanes Oxley
– Gramm Leach Bliley
Ninth Principle of Cyber Defense
Cyber Space is a Man Made Dimension
- An electronic environment that is non-tangible to human beings, where virtual money, intellectual property, human thoughts, feelings and emotions are manifested by real people, with real consequences, and can be seen by anyone who wants to bad enough
- Understand cyberspace = understand its vulnerabilities (Sun Tsu)
Tenth Principle of Cyber Defense
In order to understand security, you must understand networking
- Everything is addressing, bits and bytes
- Security vulnerabilities result from one imperfect electronic system relying on or interacting with another imperfect electronic system, configured by an imperfect biological system
Eleventh Principle of Cyber Defense
In order to understand networking, you must understand hardware
- Hardware capabilities, roles, limitations and interactions
- Everything has an address, unless it is analog
Twelfth Principle of Cyber Defense
Cyber defense has transformed from shielding from physical interception to preventing logical manipulation
- Old school wiretapping and inductive taps have been displaced by logical interrogation and manipulation of logical ports
- Social engineering a port to achieve a desired code response
Thirteenth Principle of Cyber Defense
A layered approach is the only deterrence
- Multi-layered security means the attacker must dig through more layers, more layers means longer time for detection leaving more bread crumbs
- Obscurity is one deterrent, it is not THE deterrent
Fourteenth Principle of Cyber Defense
Backup and recovery is not a luxury
- Not if you are compromised, but when
- Waiting to figure it out during the compromise is the wrong time
- No Policy, No Recovery!
- Liability!
- Regulatory issues apply!
Fifteenth Principle of Cyber Defense
The quieter you are, the more you can hear
- Bull through the China shop approach – detected
- Passive monitoring – not detected
- Paranoid mode – bury scans in the traffic
Sixteenth Principle of Cyber Defense
Everything has an Attack Vector
- Find them before someone else does
- Everything is vulnerable one way or another
Seventeenth Principle of Cyber Defense
The Six Points of Law and Technology
- The use of information technology has transformed how countries are sustained
- The use of information technology is blending cultures faster than any time in history
- The use of information technology is aligning those with similar suggestions faster than any time in history
- The use of information technology has served as a catalyst for the advancement of every aspect of knowledge
- No longer can users of information technology accept the risk that only their information is vulnerable in the event their system is compromised
- The misuse of information technology is transforming law
Eighteenth Principle of Cyber Defense
Half of being intelligent is knowing what we are dumb at
- Know your network and its boundaries
- Test your network – Because other people are!
- Test yourself
Nineteenth Principle of Cyber Defense
Predicting the Future comes from extrapolating the past
- No history, no future
- Monitor traffic and events
Twentieth Principle of Cyber Defense
All passwords have already been cracked
- Hash tables – 64 characters
- Keystroke loggers
Twenty-First Principle of Cyber Defense
Education without experience provides neither
- It is a seminar!
- Networks don’t appear at the click of a mouse, they must be designed, built, configured, monitored, maintained, analyzed, recovered, upgraded, and re-designed, re-built, etc,
Twenty-Second Principle of Cyber Defense
Academia lags industry
- Academia trains for industry, industry develops for society, society feeds academia
- Thus, capstone experience is vital in practitioner based programs
- Academia must take direction from industry needs
Twenty-Third Principle of Cyber Defense
Attack prediction is quantifiable and measurable
- Calculate a two or three-day moving average of all events reported per day
- Predict the future through statistics, but only with monitoring
- A positive attack prediction factor may indicate premeditation if it can be traced to the same attacker or source address
- May be necessary for legal prosecution
Twenty-Fourth Principle of Cyber Defense
Social engineering is hacking the biological system
- Don’t be a Tool! Succumbing to false authority, fear, or a pretty face attack makes you one
- Adhere to adequate and tested policies and procedures
- Security Awareness – for all employees
- Exercising due diligence is a mitigating factor
Twenty-Fifth Principle of Cyber Defense
The bad guys are getting smarter! (Or at least more devious!)
- IDS evasion techniques
- Hidden storage in toys and devices
- Social engineering
- Neuro-linguistic programming
- Crafting zero day exploit tools
- Mobile device techniques