This is an event reporting format I played with at EnergySec. It’s meant to capture specific detail while at the same time clearly conveying areas of concern quickly and to less technical audiences. It is a non-standard format and does not attempt to play with other efforts at all, but I thought maybe readers might get something out of it.
So, since several people who haven’t had a chance to hear me go on about it in person have asked (in concern) about my “Hey, I’m going to be indefinitely and intentionally homeless starting in August, yay!” posts (most notably my dad heh), I thought I’d explain a little (if still not enough) here:
By August 1 I will, for all intents and purposes and unless something WILDLY unexpected blows up, have absolutely no obligations whatsoever beyond my job, which will by then be location-independent (for a while). I’ve never actually, as an adult, not had obligations. Most people haven’t, and it’s kind of a neat opportunity. I’d be terribly remiss (and a bit chicken!) if I didn’t take advantage of the freedom while I have it, so I’m going to. I’ve mentioned several possible scenarios, but the main point is that I’ll really, with the exception of August, leave absolutely every possibility open until the last minute. For example, I REALLY want to go back to Phnom Penh in Cambodia. I loved that city. But I also want to bike/hike/camp around for a bit. I’ve been meaning to for years; I had SOME plans last year which fell through, primarily because of gout, so why not now? Etc. Etc. Etc. What would YOU do if you didn’t have to be anywhere in particular for a year or longer? Not “sit in a perfectly typical looking apartment in a city you’ve lived in for 10 years” probably. Well, I wouldn’t. I won’t! But I won’t know what that looks like till I get there. :)
I also want to take some time to develop some of my art and explore some other potential career options…I’ve developed some skills that could turn into an actual NON-computer career if properly nurtured…and god knows I’m sick of looking at freaking computers. But, that said, within my career space – specifically cybersecurity – I’ll not only still be running workshops, training, and writing for Energysec (who are awesome) but I’ll also be VERY MUCH AVAILABLE for independent strategic cybersecurity consulting, workshop participation & conference speaking, training, and writing gigs that fall outside of Energysec’s scope. I can travel to you. :) Email me? My quality is high, my rates will be low <smile>.
I realize that there are plenty of clichés about “going to find yourself”, but this is significantly more concretely and specifically driven than that. For example, I genuinely don’t like living in one place, in one apartment. It’s claustrophobic for me. So, I’m not going to if I don’t have to. At least until I get bored or something external forces me to stop. I might write up something longer about the internal motivations, but for now I think you get the idea.
Sooo... that all said, what are my concrete plans? Here’s a schedule of what I know:
- Aug 1: My apartment lease ends, I get in the car with everything I own and drive to Las Vegas
- Aug 4-11: I’ll be at the hacker conference Defcon and B-SidesLV. This year, because of the health/safety/internet of things focuses, it’ll be particularly interesting to me. I have hotel booked already.
- Aug 11-21: Phoenix! A couple I am friends with wants me to make some art for their new house, so I’m going to guest-room crash for a week and a half there.
- Aug 22-24: Reno, Nevada prepping for Burning Man. I have a cool artsy hotel booked already. From there, I’ll either hitchhike into Burning Man, charter a flight, or drive. I haven’t decided. I considered biking, but fark that distance in the desert when I already will be spending a week there…
- Aug 24-Sept 1: Burning Man! I’ll be basically camping in the desert for 7 days in the middle of a 50,000 person (???) 5 square mile temporary surreal art city (and, unfortunately, still without alcohol. ouch). If you’re not familiar with Burning Man, watch this video. https://www.youtube.com/watch?v=xxRAg9Pcpm4
- Sept 1: I. Have. No. Idea. My current plan is to either fly out of Reno to Cambodia OR, if I meet any interesting people I hit it off with at Burning Man, store my car and stuff in Reno and hitch a ride with them to wherever the hell they are going…
I don’t know when I’ll be back in DC after that. Fun times.
- Cybersecurity is a never-ending chess game
- Your pawns are your cybersecurity capabilities
- Your named pieces are the rest of your business capabilities
- Your infrastructure is only the board and provides no inherent (or strategically relevant) defensive capability
- Your business is controlled by those pieces on your side of the board
- There are many players – nations, criminal gangs, auditors, competitors and others
- Their goal is control of your business by outmaneuvering your pieces, not taking them
- These players’ infrastructure is also part of the board
- You can’t always identify who made which move or whether a move was made at all
- Your competitors cannot lose
- You cannot win, you can only either limit the amount of time your competitors control your side of the board or convince your opponents to invest fewer resources in the cyber game
- All past, present, and future APT1 activity is a single move by a single player
- And this chess game connects to all of the non-cyber games as well
“China: My move is to use my military to employ semi-autonomous actors in an ambiguous way that will look like they’re just going for the 3rd row of the board, but I hope you won’t notice that it’s really to tie up your pawns (security capabilities) and misdirect/abuse your named pieces (business capabilities) in a way that will allow my other pieces to reach your side of the board in 2 moves so that I can influence your business’s behavior in a way that will create LONG TERM economic instability in an area important to the other geopolitical chess games I’m playing”
APT1 is a tactic – a means to a larger end. Whether China breaks into a given piece of infrastructure on a given day in a given way is irrelevant. Similarly, “regularly and consistently apply patches” is a tactic – a move – with a pawn (the security capability) that may have to move differently later (revamp patching) to counter opposing moves. This is as independent of any given system/vulnerability combination as the Chinese-Ops-Capability is when it decides to engage in APT1 activities over time (a single move) to create space for the Chinese-Secret-Capability to make a “utilize sabotage activities” move if it needs to. A good question to ask here is: what are your named pieces doing? (Your CEOs, your COOs, your CFOs, your sales teams, your marketing teams?) Are they proactively being used to strategically minimize access to your side of the board, or are you relying on the limited tactical strength of your pawns (security capabilities) to do all the work?
It’s worth noting that the competition isn’t trying to break into your infrastructure; it’s trying to strategically create value for itself from your business, using your infrastructure, over time. Individual attacks (past or potential), attack mechanisms, and even technical vulnerability classes are not meaningful in terms of the kind of risk management required to inform strategy at this level. Here, under these rules, the things we do, both technically and from a risk management perspective, become very different. Instead of saying “Ok, we need to protect against… APT… and we need to protect against… the possibility of a DDoS attack…”, we should instead be asking “how do we optimize decision making in a way that will minimize the ability of others to manipulate our business in the most sustainable, cost-effective way?”
And that leads to…that thing everyone says we need but can’t articulate in concrete terms: sustained strategic resilience :)
Here is the actual slideshow from the #NISTCSF Webinar I did:
Download it here:
The recording of the webinar is here:
If you’re not familiar with #AmtrakResidency, check it out here: http://blog.amtrak.com/amtrakresidency/
It’s basically a new program to give a number of people a chance to ride Amtrak for free and “write”. Since I was in high school I’ve been encouraged to go somewhere and write about my life for a while (a high school guidance counselor even offered me an empty cabin in the woods once I graduated to do so – but it didn’t work out). I’m not sure I’m what they’re looking for, but maybe? Here’s what I submitted:
Why do you want an #AmtrakResidency?
I am a hacker, an educator, a writer, and an artist. I am a past and future vagabond, a drinker of Unicorn Tears. A high-school dropout, I was recently invited by name to a White House event. I’ve traveled the world, been to a cult gathering, and I just donated my house to charity because I could. An ex-altar boy, I’ve held a government security clearance while in jail in Los Angeles. From mansions to a trashy punk rock hacker compound, my only reliable home has been my backpack. I’ve lived a life ranging from “the pool is on fire” to “absolute corporate monotony”, and a childhood coast-to-coast ride on the Amtrak Sunset Limited changed my life. In August, I’m giving up the life I’ve built for a while to pick up my backpack and get back on the road and write about it all. I think the Amtrak Residency would be a fitting addition to the story and a perfect environment to help make it happen. I’d like to wander on a train again and I appreciate your consideration of my submission.
How would this residency benefit your writing?
While I do have concrete plans to get on the road in August – including a stint at a mega-hacker conference in Vegas, Burning Man, and an art project in Phoenix – those plans do not yet include a specific means of transportation (or even further destinations). I was just going to wing it. If I’m accepted to the Amtrak Residency, it will give me the time and space to collect my thoughts and frame my experiences into something I can share with the world. I have never been comfortable too long in one place, but life on the road will offer few opportunities as peaceful, beautiful, and calm as a ride on Amtrak. Further, I think the residency would make a compelling bookend to my teenage trip on the Sunset Limited and provide a strong foundation for the story I would like to tell. Moreover, and perhaps most importantly, I have primarily been writing “business” articles and am hoping for stimulation to switch to a more creative outlet.
Writing Samples (They were better formatted in the actual submission!)
As I look
from this god’s eye view
I can feel the tides that pull at you
that tease your skin
the way they make you run
and crawl a million years
Angles fraught in silence
kisses on the edge of violence
weeping copper tears
delicate wrought past tense
I can feel the tides that pull at you
that break your bones
the way they leave you jagged
sharp to cut men open
As we fall
From this god’s eye view
(Written looking out at the U.S. Southwest Desert from a plane)
Turning around and around
with light steps happy smiles
that cover the walls
and that plaster the doors
with a cracked-white-mask
that has fallen to the floor
staring up and around
with its cut-broken-eyes
looking up to the ceiling
that wants to be free
to dance and to twirl
and to smiile so sweetly
and to hope and to pray
and to believe! but not really
a cup of sugar
but I disagreed
as I spoke to the angel
who had risen above
from a crook in the wall
to the toys down below
burning for vengeance
they were never at all
said the horse to the mask
with his grin into pieces
rest never in (heh) peace
but laugh all you can
he said
a pinch of nirvana
closed in your hand
twisted and pouring
as the alligators ran
from three mirror windows
all shattered and burning
emerges a picture
of the world slowly turning
Today is the day of the rainbow bend
Where the months come to gather…
And the seasons share friends.
(Written while trying to graduate from high school after dropping out)
Not long ago, after a night of drinking, I came home and tried to throw my bed – both mattress and box springs – into the dumpster. I wanted them gone. I wanted to sleep on the floor. I needed the minimalism.
Luckily, I passed out before I could do any damage and a cooler perspective prevailed in the a.m. Still, this was part of a longer trend and a real enough impulse that if I had remained conscious, I really would be sleeping on memory foam alone now.
I can’t say when it started, but I have been shedding material possessions for some time and lately it’s reached a frenetic pace. At this point, in a two bedroom apartment, the only furniture I own includes:
1 mattress and box spring, 1 loveseat, 1 bookshelf, 1 small side table, 2 metal tv stands from IKEA, 1 small metal stand of drawers, a foldable chair, a treadmill, a treadmill desk, and a bowflex.
My kitchen pots and pans aren’t even that. I have one pot, one pan, a rice cooker, 2 spatulas, 2 cutting knives, and disposable utensils. I do not own a microwave.
My book collection has been reduced from “a hundred” to “tenish”.
The point is, I don’t have much stuff. Other than the exercise equipment, it could all conceivably fit into a studio apartment.
And I am having an absolutely outright panic attack over it. Still. After giving or throwing away thousands of dollars and thousands of pounds of stuff.
As my spring “event” approaches, I realize more and more that I’ve failed to control my environment and let it control me. I have abdicated throughout my life, whether through intent, accident, biology, or character flaws, control of myself. As I’ve allowed myself to be shuffled down the path of least resistance (perhaps in the manner of L’Étranger), I have put myself in a corner that I do not know how to get out of. And, in a nonsensical attempt to reduce this complexity enough to claw my way out of the corner, I’ve given myself a sort of Phobia of Stuff.
This might seem shrug-worthy to some, but it’s really not. Not to me. It’s just hard to explain the tight burning horrible ball of bunched up mental and emotional stress that “owning things” creates in me – or what it feels like.
I keep thinking that if I can get to a point where I can name, from memory, every single object I own, then maybe I’ll no longer feel crushed. At least not by the weight of this one aspect of my environment. My life choices at any given juncture will not be constrained by physical baggage. I will be more free.
Right now, though, I have a conundrum. I’m sitting on that 1 love seat (a beautiful white leather one) surveying my apartment and mentally listing all those things I must have vs those I merely think I want and it’s HARD. I mean, what the fuck do I really need with that ripped paper lantern I picked up in Vietnam? Or an electronic keyboard I’ve played 3 times in 5 years? I don’t. I have no need. But still, here we sit staring each other down.
It strikes me as curious that, although I’d been willing to give up these things to real death earlier on in my life, I’m still clinging to them now as I march on toward another kind of end. I don’t know why that is. But I do know that eventually I will let them go. If I can’t bear to give them, sell them, or trash them, then I will burn them. The detritus of my life will not be left to litter the future.
IGNORANCE IS BLISS (How cyber risk management succeeds)
I’ve seen people fly, I’ve seen birds fly, I’ve seen a horse fly, I’ve even seen a house fly, but I’ve never seen an organization fly. And, as silly as it might seem, this really does have significant implications for managing cyber risk – especially when we look incredulously at the many public compromises and wonder “why does it keep happening?”.
A good way of approaching that question is to look at where cyber risk management is “succeeding”. Succeeding? Yes! Cyber risk is, in fact, being managed – and quite well! If you doubt this, you might need to ask yourself important questions like “Which risks are being managed?” and, more importantly, “Which risks to *whom*?”
What I mean to say is that, while organizations can have an effect on the world around them, they can’t actually be seen or touched. They’re not tangible and they can’t…”fly”. Instead, they are the conceptual sum of the many varied decisions of individual people. These conceptual sums are inanimate; they cannot – and do not –feel risk. Instead, it is their executives, owners, employees, and customers who feel risk. Their soft squishy human hopes, dreams, passions, fears, biases, moods, and biochemistries ultimately drive organizational “risk tolerance” and we should never forget it. Here, it’s crucial to understand that people almost exclusively put risks to themselves ahead of all others (including an organization’s).
So, then, if the “collective” risks to individuals do trump all else, where do we look for ownership and resolution?
Well, some would say “users”, but do “users” (or “individual performers”) care more about meeting their boss’s expectations or saving the intangible organization from invisible adversaries and hidden costs without direction? Probably the former.
Further, while “the bosses” who set these expectations might see that the cyber problem exists, their primary risks revolve around meeting their own senior leadership’s expectations as well.
Ok, but isn’t IT Security key to cyber risk management? Not really. IT Security, like any other group, must align themselves with their senior leaders’ and executives’ priorities. Without that alignment they hold no sway or effect.
So, then, it’s on Executives. Senior leaders, what drives your risk appetites?
I ask because cyber risk management is a hard problem. Aren’t you safest if you follow best practices and “buy Cisco”? Ultimately, if you do and your organization gets compromised, what happens to you? Most likely very little – you did your best after all. Is it even in your best interest, then, to know cyber is a hard problem? If you’re aware that best practices have been failing like communism, aren’t you then obligated to come up with solutions of your own? Wow. No way. It’s best to believe the hype; best to buy Cisco; best to keep transferring the risk.
Intentional ignorance (or lack of “awareness”) isn’t just bliss, it also reduces risk to those people directing organizations and dictating the priorities of their human building blocks.
This is OVER but you can see the recording HERE: http://www.energysec.org/events/webinars/webinar-interpretations-and-forecasts-looking-beyond-rumors-myths-and-misunderstandings-about-the-new-nist-cybersecurity-framework/
Interested in hearing a more lengthy – and more frank – NIST Framework discussion that also includes both historical context and REAL security discussion? Join me as my employer and I host a webinar March 5, 2014 at 1pm ET.
Registration is HERE.
The official description follows this blurb, but you should also know that in addition to the usual Energysec community, I’m also going to try and aim this webinar at groups like IATC (I Am The Cavalry) and NovaHackers. As such, not only will I run down my written framework assessments in more detail, but I’m also going to try and help these other communities understand the levers the framework uses, the state of dialogue that led to it, and how to get engaged in the ongoing process. Please come prepared to hear more than you will elsewhere. Some pre-reading, if you are so inclined, can be found in my comments on the preliminary draft HERE.
Interpretations and Forecasts: Looking Beyond Rumors, Myths and Misunderstandings About the New NIST Cybersecurity Framework
On February 12, 2014 the White House released the first version of the NIST Cybersecurity Framework. NIST was directed to create this framework in response to Executive Order 13636, Improving Critical Infrastructure Cybersecurity. Since the preliminary framework was released last October, many rumors have been going around about what the framework is or is not. Additionally, a number of organizations have been making what we believe will likely turn out to be inaccurate representations about how the framework should be used and what expectations will be surrounding it.
In this webinar, we will explore a number of the more common scenarios we’ve heard recently and attempt to provide educated but unaffiliated realism around the document, its uses, its gaps, and what’s going to happen moving forward. While this will be an editorial webinar, and we cannot claim to represent an official stance on anyone’s behalf, we believe our experience in this area and lack of vested interest will provide attendees with the tools – lenses, if you will – with which to better interpret what you hear from other third parties.