Set aside all politics and details for a moment and begin with this premise: are my interests being met? If you take that as your starting point, the fog will begin to clear for you. Of course, reasonable people can have an informed debate over what “correct” interests are, but that is what we try to do in democracies. Interest is the overriding factor here.
In my previous article, I discussed the clash of systems we currently are in. Super quick recap: in one corner, we have the Westphalian nation-state system that’s been around since 1648 and is built on the principles of sovereignty, legal equality and a policy of non-interventionism; in the other corner, we have the Internet, which has no established sovereignty, is marred by legal blurring, and by virtue is interventionist and disruptive in nature.
Ultimately, what we have is a system clash where our original intent – free flow of information but with positive control of the Internet in our lives – has been flipped on its head, where the Internet effectively controls our lives. Continue reading “Before You Declare Your Enemy, Be Sure of Your Interests”
The #CyberAvengers want to make cybersecurity unintimidating. Isn’t it a liberating feeling to know when your mechanic is running a fast one on you? It is. And you do that because you build up your knowledge and are unafraid to say, “why are you trying to get me replace my entire axle when all I need is a control arm?”
We are pointing out the obvious, but the obvious needs to be pointed out these days: How you view the world impacts your decision-making. And equally as important is how you view yourself. Therefore, if you see the world as a relatively benign place and feel for the most part you are well prepared for whatever challenge you will face, it is quite likely you will do little to change your behavior.
But if you view the world as a more hostile place and think of yourself and us as unprepared, chances are you will either wither away into a corner, frightening yourself into hysterical paranoia, or you will do something rational to prepare yourself for whatever challenge comes your way.
Let us start with this basic premise: The internet is inherently vulnerable. It was designed that way because the debate—about 40 plus years ago—focused on open access and free flow of information versus security. The former won, but we are paying the price today. So, if the information highway (the internet) is all banged up and falling apart, it does not matter how safe your car is because the road is still a mess. Continue reading “Explaining Cybersecurity through Cars: Get Yours Inspected or Get It Off the Road”
These are governance issues at their core, not technological ones, meaning that whatever technological steps you take to protect your data, you still may be overlooking the big picture (which will result in a loss of resources and open you up to liability). And because they are governance issues, there is a heavy dose of “human element” challenges associated to them.
Protecting yourself in cyberspace requires multiple solutions working all together.
Be cautious of the cybersecurity vendor that promises you a technical solution that will solve all of your cybersecurity problems. Life, unfortunately, is not that simple and a one-size-fits-all approach is bound to get you in trouble given today’s cyber complexities. Similarly, simply adopting a solution may not be enough. How you implement that solution could be the difference between operating a safer network or, inadvertently, making your network more vulnerable. One such solution is encryption. Continue reading “When it Comes to Cyber Deterrence, One Size Fits…One”
For all the solutions out there, make sure you are packing the right material for you because you only have a finite amount of resources. This is what it means to be situationally aware. And this exercise also helps you prioritize what data you value most.
In previous articles on understanding big data, the need for AI, using encryption and tokenization (including the drawbacks of encryption), and the series on human vulnerabilities, we laid down just some of the building blocks necessary to create a robust cybersecurity strategy. Yet there is a larger problem we often experience: losing the trees for the forest. All the tips we have mentioned thus far are great, but only if you are situationally aware of your own challenges.
If you have legal or regulatory compliance issues, such as European Union’s General Data Protection Regulation (GDPR) or Health Insurance Portability and Accountability Act (HIPPA), you have no choice but to follow them. However, neither of us are big fans of standards and certifications for the simple reason that they rarely meet your specific needs in addition to being a costly undertaking in both time and money. This is why we are fans of frameworks, such as NIST Cybersecurity Framework (updated in January 2017) for the exact reason that a framework allows you to meet your own needs. Continue reading “Situational Awareness: Beware of Your Cyber Surroundings”
Cryptographic systems that are proprietary (those that have not been publicly tested and scrutinized) may very well meet mathematical robustness. The problem is you have no way of knowing, or testing, whether or not the cryptographic system is actually secure unless you have insider information. Therefore, be cautious if somebody is promising you a pot of gold.
In an article we wrote for Tripwire, we discuss the advantages of encryption and tokenization. The premise of our argument is as follows: slow down your adversary by making your data meaningless to them. In other words, make yourself a “goes nowhere” project forcing your adversary to seek out a target that does not cause them the grief you do.
Encryption works precisely because it slows down an actor but it comes with some bad news, as well. Therefore, we wrote this add-on article to explain some of the drawbacks of encryption. Continue reading “Encryption Works Great, But Only When Done Right”
Would you invest time and treasure in a “goes nowhere” project? Probably not. You have better things to do. Therefore, take steps – like encryption, tokenization, and data masking – to make your data so meaningless to an adversary that they will consider you a “goes nowhere” project.
Before we jump in, we need to make clear the following: no single solution will ever offer complete and total security. In fact, even multiple solutions designed to provide overlapping layers of security to your crown jewels will not provide “complete and total” security. But what any reasonably implemented solution should do is the following: slow down your adversary by making their job difficult and eventually forcing them to move on to a more easily accessible target (or, more colloquially, go for the low hanging fruit).
Although this fact should be relatively obvious, both of us still experience – more often than we would like to admit – “experts” professing they can provide “total security” because they have the latest and greatest technology. As we indicated in our previous article (making sense of big data), big numbers are, in fact, hard to make sense of by mere mortals like us. In the same fashion, humans are really bad at understanding probabilities (for those who seek greater understanding of the topic, Nassim Nicholas Taleb, author of The Black Swan and Fooled by Randomness, explains the subject well). “Low” probability is in fact quite different from “zero” probability, but we often make the mistake of equating the two (and such a mistake could be perilous). Continue reading “Make Yourself a “Goes Nowhere” Project for Adversaries”