# Twenty-Five Principles of Cyber Defense

Published 2017-03-05 at https://cyberdefenseresearch.com/?page_id=162

Most if not all professions have basic principles that make the individuals working in them effective. Some of the basic principles of the medical profession are to never intentionally cause harm and to help individuals with their medical care. Some of the basic principles of the food service industry include temperature control, customer courtesy, and so on. After 40 years of working in computing technologies, networking and cyber security, the author has identified some basic principles, which are presented here. These are not absolute by any means, but they are basic principles that can and should be considered when attempting to deploy a network.

## First Principle of Cyber Defense

**Security is not a tool; it is a frame of mind!**

Effective security must include:

- Due diligence (policy, enforcement)
- Logical thought (left-brain versus right-brain concepts)
- Experience (implementing proven techniques)
- Constant assessment (effectiveness, accuracy, monitoring)
- Security is a knowledge treadmill (one year in security is like seven years of a dog's life)
- Exercise cyber street smarts

## Second Principle of Cyber Defense

**What you don't know will hurt you!**

Constant vulnerability assessments are a requirement:

- Hackers never sleep, and neither can we: perform constant vulnerability assessments
- Dark networks are right in front of you; just because you don't see them doesn't mean they aren't there
- Network blind spots exist; find them: files in flash, ROM, false extensions, system folders

## Third Principle of Cyber Defense

**Effective defense requires understanding offense**

- View your own network the same way a hacker or a cyber criminal would, because they are!
- Sun Tzu: know your enemy, know yourself!
- Hack your own network, because someone else is. Fifteen minutes on the open Internet is a very long time

## Fourth Principle of Cyber Defense

**The weakest link is biological, not electronic**

- Social engineering
- Human error
- Lack of due diligence
- Ego
- Right-brain thinking in a left-brain profession
- Lack of understanding of networking
- Lack of understanding of cyberspace
- Lack of experience with security
- Password revealing

## Fifth Principle of Cyber Defense

**The newer the technology, the less proven it is**

- Which means it may be the most vulnerable, and you just don't know it yet
- Zero-day playground!
- New does not mean secure; it means new and unproven!
- Lewis rule #1: never rely on the first version of anything!

## Sixth Principle of Cyber Defense

**The older the technology, the less secure it is**

- Which means it has already been compromised and those vulnerabilities are well known
- Demonstration of reliability is not evidence of security
- Analog telephone systems have been around for more than 100 years; the older they are, the less secure they are!

## Seventh Principle of Cyber Defense

**If you have physical access, you own it!**

- Unlimited time for examination
- Mount the device as an object instead of loading it
- Easier to bypass a password than to interact with it over the network

## Eighth Principle of Cyber Defense

**Due diligence is a legal requirement**

- Downstream liability – your responsibility!
- Upstream liability – your responsibility!
- How you use your network:
  - United States Code
  - State cyber crime laws
- Regulatory requirements:
  - HIPAA
  - Sarbanes-Oxley
  - Gramm-Leach-Bliley

## Ninth Principle of Cyber Defense

**Cyberspace is a man-made dimension**

- An electronic environment that is non-tangible to human beings, where virtual money, intellectual property, human thoughts, feelings and emotions are manifested by real people, with real consequences, and can be seen by anyone who wants to badly enough
- Understand cyberspace = understand its vulnerabilities (Sun Tzu)

## Tenth Principle of Cyber Defense

**In order to understand security, you must understand networking**

- Everything is addressing, bits and bytes
- Security vulnerabilities result from one imperfect electronic system relying on or interacting with another imperfect electronic system, configured by an imperfect biological system

## Eleventh Principle of Cyber Defense

**In order to understand networking, you must understand hardware**

- Hardware capabilities, roles, limitations and interactions
- Everything has an address, unless it is analog

## Twelfth Principle of Cyber Defense

**Cyber defense has transformed from shielding against physical interception to preventing logical manipulation**

- Old-school wiretapping and inductive taps have been displaced by logical interrogation and manipulation of logical ports
- Social engineering a port to achieve a desired code response

## Thirteenth Principle of Cyber Defense

**A layered approach is the only deterrence**

- Multi-layered security means the attacker must dig through more layers; more layers mean more time for detection and more breadcrumbs left behind
- Obscurity is one deterrent; it is not THE deterrent

## Fourteenth Principle of Cyber Defense

**Backup and recovery is not a luxury**

- Not if you are compromised, but when
- Waiting to figure it out during the compromise is the wrong time
- No policy, no recovery!
- Liability!
- Regulatory issues apply!

## Fifteenth Principle of Cyber Defense

**The quieter you are, the more you can hear**

- Bull-in-a-china-shop approach – detected
- Passive monitoring – not detected
  - Paranoid mode – bury scans in the traffic

## Sixteenth Principle of Cyber Defense

**Everything has an attack vector**

- Find them before someone else does
- Everything is vulnerable one way or another

## Seventeenth Principle of Cyber Defense

**The six points of law and technology**

- The use of information technology has transformed how countries are sustained
- The use of information technology is blending cultures faster than at any time in history
- The use of information technology is aligning those with similar suggestions faster than at any time in history
- The use of information technology has served as a catalyst for the advancement of every aspect of knowledge
- Users of information technology can no longer assume that only their own information is at risk when their system is compromised
- The misuse of information technology is transforming law

## Eighteenth Principle of Cyber Defense

**Half of being intelligent is knowing what we are dumb at**

- Know your network and its boundaries
- Test your network – because other people are!
- Test yourself

## Nineteenth Principle of Cyber Defense

**Predicting the future comes from extrapolating the past**

- No history, no future
- Monitor traffic and events

## Twentieth Principle of Cyber Defense

**All passwords have already been cracked**

- Hash tables – 64 characters
- Keystroke loggers

## Twenty-First Principle of Cyber Defense

**Education without experience provides neither**

- It is a seminar!
- Networks don't appear at the click of a mouse; they must be designed, built, configured, monitored, maintained, analyzed, recovered, upgraded, and then re-designed, re-built, etc.

## Twenty-Second Principle of Cyber Defense

**Academia lags industry**

- Academia trains for industry, industry develops for society, society feeds academia
- Thus, a capstone experience is vital in practitioner-based programs
- Academia must take direction from industry needs

## Twenty-Third Principle of Cyber Defense

**Attack prediction is quantifiable and measurable**

- Calculate a two- or three-day moving average of all events reported per day
- Predict the future through statistics, but only with monitoring
- A positive attack prediction factor may indicate premeditation if it can be traced to the same attacker or source address
- May be necessary for legal prosecution

## Twenty-Fourth Principle of Cyber Defense

**Social engineering is hacking the biological system**

- Don't be a tool! Succumbing to a false-authority, fear, or pretty-face attack makes you one
- Adhere to adequate and tested policies and procedures
- Security awareness – for all employees
- Exercising due diligence is a mitigating factor

## Twenty-Fifth Principle of Cyber Defense

**The bad guys are getting smarter! (Or at least more devious!)**

- IDS evasion techniques
- Hidden storage in toys and devices
- Social engineering
- Neuro-linguistic programming
- Crafting zero-day exploit tools
- Mobile device techniques