We were invited to speak at the "2019 tabGeeks IT Hero Conference" in Long Beach, CA at The Maya Hotel on March 6th-8th 2019. We had some stellar talks and panels throughout the weekend with some seriously talented people and a most wonderful tabGeeks staff. They took such good care of us and are a most outstanding group of people. Thank you so very much for letting us be part of it.
This talk's theme is understanding some key parts of the Human Infrastructure. Side Note: I wrote this talk and built this presentation to be enjoyable. If I get bored presenting then it has to be even more so on the receiving end. I feel like this talk colors outside of the lines a bit in relation to the generally accepted IT talk standards. So this slide deck is clear full of entertaining media. I hope you enjoy it.
The Slide Deck can be found here: https://www.evernote.com/l/AsWEKJBTR-pAB4EVBjw33QoKRfYPP1IT4hA/
====INTRO====
SLIDE 1 Today’s theme is Configuring the Human Firewall and the Human API. We’ll discuss a range of topics starting with the Human API, behavioral science, some philosophy, neuroscience, and then the primary topic of End Users, Security and Business, then we’ll end with the Prime Directive.
SLIDE 2 The Logo
SLIDE 3 The Disclaimer
SLIDE 4 The Bio
SLIDE 6 The Plan of Attack
SLIDE 6 You can’t organize your perception without a hierarchical structure and you can’t organize people in terms or pursuing a valuable goal. You can’t even say a goal is valuable without a hierarchical structure. This Project is a frame refresh of some aspects of the Security structure. Refreshing what Security means and what we suggest to maximize ability to capitalize on opportunity.
====HUMAN API/PRINCIPLE====
SLIDE 7 <HumanAPI> Fundamental opposition exist in all things. [INSERT Cyanide and Happiness: Opposite Day Bits] Opposition in all things. Active and Static. Order or Chaos. Fight or Flight. Conformity and Rebellion. Innocence and Understanding. Justice and Mercy. Strength and Beauty. Heart and Mind. Sympathy and Utility. Liberal and Conservative. The list is endless. You can't have one without the other. They are not enemies, only opposites. All things come into being through opposition and all are in like flux. This division of two usually contradictory parts or opinions, a partition of a whole into two parts that must be. All things must needs be a compound in one. This provides us Agency. Choice. The ability to Choose.
How do we navigate the difference between the two in order to achieve maximal desired outcome? If you’re going to have a distinction of value between things then you have to have a competency-based hierarchy. Let’s take a look at Chaos and Order because they are two of the most fundamental elements of lived experience - two of the most basic subdivisions of Being itself and readily understood. Chaos and Order are fundamental elements because every (conceivable) lived situation is made up of both. Chaos is danger. Chaos is unexplored territory. Order is our comfort zone. Order is explored territory.
SLIDE 7 – Final Image The world to which our brains are adapted is actually the world of Order and Chaos. Two different modes of looking at the world are necessary for survival. That is real. This is where the physical and Meta physical unite. These two principles seem impossibly different and yet, simultaneously necessary to reconcile. It is critical to steel man the opposing arguments and even amplify its power so when you formulate a rejoinder, the rejoinder is as powerful as it possibly can be. Fortunately for us, the human API comes with some pre-programmed, out of the box features that seem to have been designed to help us do exactly that.
SLIDE 8 Brain Science. [INSERT Weird Science https://www.youtube.com/watch?v=Jm-upHSP9KU] The lateralization of brain function is the tendency for some neural functions or processes to be specialized to one side of the brain or the other. The medial longitudinal fissure separates the human brain into two distinct cerebral hemispheres, connected by the corpus callosum. The corpus callosum (Latin for "tough body"), is a wide, thick, nerve tract consisting of a flat bundle of commissural fibers, beneath the cerebral cortex in the brain.
Let’s learn how they talk to each other. [INSERT Weird Science https://www.youtube.com/watch?v=Jm-upHSP9KU] More Brain Science.
SLIDE 9 The Left Brain favors Order and the Right Brain favors Chaos, combined in the appropriate amounts can create balance which leads to greater meaning and fulfillment. Chaos and Order are not weighed equally and require different amounts of each at different times to reach equilibrium. Like the cerebral hemispheres of our brains, these contrary forces are actually complementary, interconnected, and interdependent in the natural world. They give rise to each other as they interrelate to one another. So, when problem solving, one side of the brain kind of takes the lead but not exclusively. Separate but Together.
SLIDE 10 How do we reconcile these two diametrically opposed and yet, simultaneously necessary principles? An incredibly old philosophy maps directly onto this concept and will perhaps help guide us to potential solutions with accompanying fantastic visualizations. Just like our brains, Yin and yang transform each other: Give and Take. Every advance is complemented by a retreat, and every rise transforms into a fall. This narrow path through the center has been dubbed the ChaOrd path. Making choices that keep us on this path is where meaning is found and fulfillment is achieved. This path is Truth. [INSERT Dio: Between the velvet lies, there's a truth that's hard as steel. The vision never dies like some never-ending wheel! 2:43 https://www.youtube.com/watch?v=i7_OEh9oHPY]
Because we make mistakes it is unlikely that we will walk straight down this path so we make course corrections and cross the path as often as possible. Try and keep on trying until that which seems difficult becomes possible. We summon the best parts from each side of the dichotomy to build our lives with. Meaning emerges from the interplay between the possibilities of the world and the value structure within that world. [INSERT Bill and Ted's Meaning of Life: https://www.youtube.com/watch?v=p-eXUtoDH4g] Meaning and balance are crucial to avoiding unnecessary suffering and disaster as well as necessarily rumbling with suffering and pain. We need meaning to fortify us against the catastrophe.
SLIDE 11 Too far down the Chaos path and we end up at Anarchy and Nihilism too far down the Order path and we get to Tyranny and Totalitarianism. Order alone is not enough. You can't just be stable, and secure, and unchanging, because there are still vital and important new things to be learned. There is no growth in the comfort zone. Nonetheless, chaos can be too much. You can't long tolerate being swamped and overwhelmed beyond your capacity to cope while you are learning what you still need to know. This is not a linear slide model or a scale where balance is in the middle.
We seem to generally live in the Order side and occasionally or as necessary venture into or are thrust into Chaos. Thus, you need to put one foot in what you have mastered and understood and the other in what you are learning what you are currently exploring and mastering. Then you have positioned yourself where the terror of existence is under control and you are secure, but where you are also alert and engaged. That is where there is something new to master and some way that you can be improved. That is where meaning is to be found. To straddle that fundamental duality is to be balanced: to have one foot firmly planted in order and security, and the other in chaos, possibility, growth, and adventure. That is where we end up drawing up our ideals, consciously or not, from one side or the other that tips us out of balance and the foundation that we are building our lives on is weakened. If it is weakened too much, it will fall. When life suddenly reveals itself as intense, gripping, and meaningful; when time passes and you're so engrossed in what you're doing you don't notice - it is there and then that you are located precisely on the border between order and chaos.
SLIDE 12 ChaOrd example. House of Order, House of Chaos, and House of the Fresh Prince.
SLIDE 13 What happens if we don’t have that ACC connection? [INSERT ACC is a nothing part captain. It’s a nothing part until you don’t got one.] Counterexample: Parker Ann’s story.
This eternal principle is so fundamental to our existence and our ability to find meaning that life will find a way no matter what, albeit, a long or rough way, even without a working corpus callosum. [INSERT: Jurassic Park Life Finds a Way https://www.youtube.com/watch?v=oijEsqT2QKQ]
APPLICATION TO US: Even though (so far) we cannot regrow a corpus callosum physically, we can be the tough body, brain matter, the axonal projections in our organizations that enable communications between our various organizational silos and dichotomies. Our ability to identify these dichotomies and develop ways to happily reconcile the two will do more to enhance our quality of life than almost any other. </HumanAPI>
====SECURITY DOCTRINE/FRAME REFRESH====
SLIDE 14 It is not necessarily reality that shapes us. It is the lens through which our brain views the world that shapes our reality. [INSERT Weird Science https://www.youtube.com/watch?v=Jm-upHSP9KU] More Brain Science. Which is great news because if we can change our lens not only can we change our fulfillment but we can change every single education and business outcome at the same time. Let's define the value and the hierarchy that will get us down this path. The first dichotomy we're going to focus on is Information Security and Business.
SLIDE 15
“Security exists to protect and enable the organization to succeed.
The word 'secure' is derived from Latin 'securus' meaning freedom from anxiety.
Se (without) + cura (care, anxiety)
Security literally means "Without Worry"
Security is a desired state of mind as opposed to a set preventative measure. The only approach is to abandon the pure play of prevention and move to a more mature model of resilience.
Resilience is powerful precisely because it gets us to the true definition of security - being okay no matter what. This is the future of security. "
-Daniel Miessler
"We believe that when Security is viewed through this lens, we focus on the things that matter most.
Security exists for the people and for the organization. Everyone can be secure.
Operational Security is a preparedness mind-set.
Our mission is to spread this kind of Security to all who will listen and learn.
We are here to help you, your organization, and your mission succeed."
-FullMetal CyberSecurity
SLIDE 16 'Being Okay No Matter What' means accepting the notion that it is no longer possible to keep the bad guys out of your networks entirely.
"Anytime we see a colossal intrusion go undetected for long periods of time, the ultimate cause is usually a failure to adopt the most important principle in cybersecurity defense that applies to both corporations and consumers: Assume you are compromised." - Brian Krebs
“There are only two types of companies—those that know they’ve been compromised, and those that don’t know." - Dmitri Alperovitch
This doesn’t mean abandoning all tenets of traditional defense, such as quickly applying software patches and using technologies to block or at least detect malware infections. It means accepting that despite how many resources you expend trying to keep malware and miscreants out, all of this can be undone in a flash when users click on malicious links or fall for phishing attacks. Or a previously unknown security flaw gets exploited before it can be patched. Or any one of myriads of ways’ attackers can win by being right once, when defenders need to be right 100 percent of the time.
Dichotomy: Security and Business.
SLIDE 17 Security is an infinite game as opposed to a finite game. There is no static goal to cybersecurity, no finish line, no final buzzer, no ultimate destination. There is no Cyber Nirvana. [INSERT: Crossed out Nirvana picture] Until there are no longer people who use the cyber domain for bad things, companies must understand this and resolve to be fully engaged in this battle. Whether that day will ever come, who knows, but until then we all have our work cut out for us.
*Lesson 1: Security is not optional. Security of network and information is now a critical part of business and a failure to do so is not an IT problem, it is a business problem.
If the last few years have taught us anything, it has proven – hopefully for good! – that cybersecurity is not optional. Cybersecurity is mandatory for businesses that do business online or are connected to the Internet in any way. It does not matter what industry your company is in, whether it is high-tech, low-tech, or even no-tech.
If an organization is connected to the internet and holds any type of data, it's almost inevitable that it's going to end up in the sights of hackers.
Cybersecurity is understood to involve three primary objectives, called the CIA Triad. The three objectives are protecting the network and data to ensure (1) confidentiality, (2) integrity, and (3) availability.
The types of potential attacks are also broader than ever. Some large organizations will need to have the ability to fight off skilled cyber-criminal gangs and nation-state backed hacking campaigns. Not all threat models will be like that, it’s likely that those attempting to breach an organization won't be the most advanced attackers in the world, especially now that many cyber-criminal marketplaces sell do-it-yourself kits. Strategies and hacking techniques that may have once required specialist expertise are now sold in easy-to-use bundles, complete with tutorials for the non-tech savvy.
"There's an entire as-a-service ecosystem and it's really everywhere. It started as malware as-a-service, but now there's also phishing as-a-service, exploit kits as-a-service, botnets as-a-service. Anyone can mix-and-match their own attacks, almost without knowing anything," says Maya Horowtiz, director of threat intelligence and research at security company Check Point Software. Targeted Attacks vs Attacks of opportunity.
Operator of eight DDoS-for-hire services pleads guilty: https://www.zdnet.com/google-amp/article/operator-of-eight-ddos-for-hire-services-pleads-guilty/?__twitter_impression=true
*Lesson 2: If your company has a computer or data, it is a target for attackers, even if you do not think your data is “valuable.” Ransomware has proved this for us.
Over the last few years we have seen cyber criminals evolve their tactics to not just monetize hacking through stealing and selling data, but through extortion – taking away the availability of your data and your customer’s data.
While we have been seeing the impact and effectiveness of ransomware in our work for quite some time, the first half of 2017 has seen two ransomware attacks that had a significant global impact: WannaCry and Petya/Notpetya.
*Lesson 3: Install patches / security updates quickly and do not use outdated operating systems.
On March 14, 2017, after learning of the vulnerability used by the EternalBlue exploit, Microsoft released a security patch that fixed the vulnerability for the operating systems that it continued to support. As with all security patches however, there is a critical step required for them to be successful: getting installed on the computers!
A Keystone is the final piece placed at the apex of an arch that locks all the stones into position allowing the arch to bear weight. Think about this in the context of your company and its business. What would you do if all of a sudden you had no more computers, no more data, and you could never get it back—all of a sudden you are doing business like Fred Flintstone back in the Stone Age? Would that have any impact?
Are you willing to risk your company’s future to trusting some hacker who promises that if you pay his extortion demand, he will give you the decryption key to bring your company back to life? What if he doesn’t keep his word? What if you pay the ransom and he can’t undo the problems he has caused because he bought his ransomware kit for $50 and has no idea how it really works? Isn’t your company worth more than this? CyberSecurity is the Keystone in this particular arch in this particular load bearing portion of the business.
*Lesson 4: If you want to keep it, #BackItUp! [INSERT The Rocker Vid: https://www.youtube.com/watch?v=PqpkQOoTB54&list=PLxcvBh6sqwAgl71ZgHmAPkfhY4HyiOrNS 34:19]
Yes, the answer is to back it up. The best way to defeat a successful ransomware attack, whether for your company or for your family computer, is to have backup copies of the data that is being held hostage. Then, you can delete the encrypted data and restore it from the backup copy. For the love of everything cute and fuzzy, #BackItUp
If your company’s data is important (and you better know it is!) #BackItUp – in several places.
*Lesson 5: Constant Vigilance
Cyber risk is always evolving. Companies must continue to evolve and mature their cyber risk management programs.
With cybersecurity there is no single problem that can be fixed because there are human beings to counter and defend against as well. The cyber threat exists because there is an active adversary—other human beings—that is persistently attacking and evolving its methodologies. Until these human beings stop attacking, the threat will not stop. As long as there is money to be made at it, these human beings will not stop attacking. And every time we come up with a new way to stop their attacks, they will adapt and evolve how they attack.
C- and E-suite executives, particularly the CEO, must take the cybersecurity posture of the organization seriously, and make it a priority. Make it a priority, not say that it is and then go back to what they were doing. Hire smart people, listen to, and follow their good counsel. This means that your company must continuously defend itself and must always be evolving its strategy, methodologies, and defenses to counter this active and evolving adversary. Your company must also continually determine where/what your assets are, assess itself in order to understand where your network might be breached or hacked. And fix those vulnerabilities in order of priority. This is how you play the infinite long game. This is a never-ending process; your company must have a cyber risk management program and must continue to mature it by adapting and evolving to continue to be effective against the evolving tactics of the attackers.
Section Wrap Up: Find the ChaOrd solution to Security and Business. If Security is neglected then a business is chaotically vulnerable. If Security is so stringent that business is rendered inoperable then security is drawing up excessive order and has exceeded its utility. Our aim is not to feed the FUD Troll in order to enhance our image of indispensability. Our aim is to be so good at security that it puts the bad guys out of business, so good that the bad guys give up, so that great security becomes so widely implemented and standard that there won’t be such a burning need for End User Security training.
SLIDE 18 Dichotomy: Unfamiliarity and Maturity. [INSERT: George McFly Very Funny Guys. Real Mature. https://www.youtube.com/watch?v=t7uvtazJ1i8]
The ChaOrd Solution to the Ignorance and Maturity dichotomy is Risk Assessment. Threat and Maturity Models will help you assess your current status and will help you determine if the risk level is acceptable.
InfoSec Maturity Models
Laz’s security maturity hierarchy includes five levels:
Level 1 – Information Security processes are unorganized, and may be unstructured. Success is likely to depend on individual efforts and is not considered to be repeatable or scalable. This is because processes would not be sufficiently defined and documented to allow them to be replicated.
Level 2 – Information Security efforts are at a repeatable level where basic project management techniques are established and successes can be repeated. This is due to processes being established, defined, and documented.
Level 3 – Information Security efforts have greater attention to documentation, standardization, and maintenance support.
Level 4 – At this level, an organization monitors and controls its own Information Security processes through data collection and analysis.
Level 5 – This is an optimizing level where Information Security processes are constantly being improved through monitoring feedback from existing processes and introducing new processes to better serve the organization’s particular needs.
This model teaches us that utilizing Maturity/Threat/Risk Modeling, a Proactive and Mature Organization bakes into their culture the attitude that Security is not just an IT problem. It is an everyone problem. From the shipping dock to the C-Suite to the Board of Directors. Each plays a part of this saga and each is responsible for the cybersecurity of a corporation. There is no panacea to securing networks. Successful Security relies on quality Defense in Depth (like Ogres and Onions, they have layers) Maturity Models, Threat Models, and Risk Management Frameworks are excellent tools to give your data structure so you can more accurately represent your state of security and make well informed decisions. Thus, enabling you to practice security at the speed of business.
====APPLICATION TO THE ORGANIZATION AND THE INDIVIDUAL====
Dichotomy: IT and End Users.
SLIDE 19 The Business Unit we're going to shift focus to is End User Training.
8 layers of the OSI Model. 8 = People
End Users!=authorized adversaries
It is far better to render beings in your care competent than to protect them. Do you want to make them safe or smart and strong?
Twitter Snips Teach Principles
SLIDE 20: You can't give a person responsibility and hold them accountable if you're unwilling to provide paid training or dedicated time to learn.
User Training needs to be quality training. Auditing/compliance example. Compliance says we have to have a firewall. Cool, go go gadget firewall. Joe Slowik's example. Look for the ChaOrd Solution. New Boolean operator. Find a way to ChaOrd or reconcile the different ideals in any given problem to achieve maximal desired outcome for the mutual benefit of all.
====LIFE LESSONS FROM BILL AND TED====
SLIDE 21
"Be Excellent to Each Other and Party On Dudes" is the prime directive. [INSERT: Be Excellent to Each Other Future Snip]
Be Excellent to Each Other is restating ancient philosophy. Love thy neighbor as thyself. Do unto others as you would have others do unto you. It means that you help, serve, and sacrifice for others. That’s what being a leader is.
Party on Dudes is more nuanced. I think the sentiment “Work hard, Play hard” is misguided and sounds you’re constantly at Pedal to the Metal, either way, which leads to burnout [INSERT Supra Burnout https://www.youtube.com/watch?v=9ho6-k2U18c]
or blowouts [INSERT Mustang Video 0:42 https://www.youtube.com/watch?v=lvVf8UZJCrU].
I think we would be healthier, more fulfilled, and find we stay on the ChaOrd path longer if we “Work smart and play always.” "Party on Dudes" means that people will look at you and wonder if you are working or playing.
None of these statements simply mean be nice. They are equations rather than injunctions. If I am someone’s friend then I am morally obliged to bargain as hard on their behalf as I would my own. It is much better for a relationship/team when all partners are strong. You are therefore morally obliged to take care of yourself. You should take care of, help, and be good to yourself the same way you would take care of, help, and be good to someone you love and value. Don’t mistreat yourself and don’t mistreat others. That doesn’t mean that we throw away good decision making, blindly trust anything that comes along, and recklessly chase happiness. Happiness is not the same as fulfillment. Giving children candy makes them happy but feeding them nothing but candy is harmful. Opposition permits us to grow toward what which we should become. Adversity, if handled correctly, can be a blessing in our lives. We can learn to love it.
====FINAL ADMONITION====
We suggest an update to the "Don't Be Evil" mantra. If you are working for the destruction of being, for the generation and propagation of unnecessary suffering and pain, then you are making poor choices and working for that which is not good. [INSERT: How I Met Your Mother: You chose huh-poorly https://www.youtube.com/watch?v=5s3nSuFRGfM]
Our highest aim is that we work to constrain malevolence and work to reduce needless suffering. Work for that which is good, for the ennobling of being, for the establishment of paradise. [INSERT: Paradise bit]
That is the inescapable archetypal reality. Consciously, identify, ponder, and execute the best choices using the best of the dichotomies that keep you on the meaningful ChaOrd path. Meaning emerges from chaos and order when impulses are regulated, organized, and unified. Meaning emerges from the interplay between the chaotic possibilities of the world and the ordered value structure within that world. If the value structure is aimed at the betterment of being, the meaning revealed will be life sustaining. It will be the antidote to chaos and suffering. It will make everything matter. It will make everything better.
Do what you must do, faithfully continue to keep the machinery of the world running....and always, [INSERT: Be Excellent to Each Other and… Party on Dudes. https://www.youtube.com/watch?v=S67sDHdhpio&list=RDS67sDHdhpio&start_radio=1]
Comments