You are currently browsing the monthly archive for February 2015.
Edit: This class has *significantly* changed, expanded, and improved since i posted this. Ask me about it.
As I may have mentioned…a lot…in several forums….including my previous post here…I’ll be teaching a cybersecurity framework class this year around the United States. It will use the NIST Framework and ES-C2M2 as foils, but it won’t be “training” for them. What it will REALLY be about is using a structured approach to scope out what cybersecurity means from a business perspective and how to apply existing practices and thoughts to actually reducing security risk, instead of just building the same old security program over again and hoping for the increasingly unlikely “best”. Anyway, find dates and sign up at the following link and see the Class Abstract and Outline below. (Also, at the very end, find two of the key custom models I’ll be using): http://www.energysec.org/upcoming-live-events/
Practical Cybersecurity Frameworks Applied to Real World Problems
OVERVIEW This 2-day class – the first of several throughout the U.S. in 2015 – is intended for those leaders, decisions makers, and technologists who feel that they are lacking a usable bridge between the technology and business aspects of cybersecurity and wish to do more than simply build a standard security program and hope for the best.
A three-part class, students will begin by exploring the theory behind using structured information to create value and the theory behind cybersecurity as a business problem and discipline.
With that theory as a foundation, the class will then use two existing frameworks – the new NIST-Facilitated Cybersecurity Framework and the Department of Energy’s Capability Maturity Model (C2M2) – as foils for discussing how best to build framework bridges between “Security Programs”, “Risk Management”, and “Business Value Management”.
The final day of the class will be used as a facilitated workshop in which the class will either solve “conceptualized” real world problems or, if appropriate, bring their own existing problems to the table to work through.
We hope that students will, at the end, feel they have gained a deeper understanding of cybersecurity and frameworks as they pertain to their own fields than they would have received in more traditional “Training” in products, technologies, and frameworks and will be able to apply these new perspectives to enhance the job they do in the real world.
More than anything else, we hope students will find value in spending two days considering cybersecurity in ways they might not have before.
Students should also be aware that, despite some use of jargon, no technical experience or security expertise is assumed and each class will be tailored to the experience levels of those in attendance wherever possible.
- WELCOME AND INTRODUCTION
- Ice Breaking Exercise
- FRAMEWORK THEORY: Structuring Information to Enhance Value
- Defining Frameworks
- Four Framework Design Principles
- Label Awareness: Types of words and meanings
- Protocol Stacks: Using Layers to Abstract Common Framings
- Model/View/Controller: Humans are Systems, Too
- Stages of Value: The Means Can Be As Important as the End
- SECURITY THEORY: Creating a Consensus Model
- Defining Cybersecurity as a Problem: A Parasitic Model
- Scoping Cybersecurity as a Discipline: Contrasting Perspectives
- COMPARISON #1: VULNERABILITY INTRODUCTION VS. EXPLOITATION
- COMPARISON #2: QUALITY MANAGEMENT VS. RISK RESPONSE
- COMPARISON #3: HUMANS VS. TECHNOLOGY
- COMPARISON #4: STRATEGY VS. TACTICS
- COMPARISON #5: RISKS FROM VS. RISKS TO (CIA)
- COMPARISON #6: ENABLEMENT VS. PROTECTION
- COMPARISON #7: DEFENDING VS. IMPROVING
- COMPARISON #8: ONE-TIME VS. CONSISTENT BEHAVIOR
- COMPARISON #9: INCIDENT VS. EXPOSURE MANAGEMENT
- COMPARISON #10: ERROR VS. DEFAULT HANDLING
- COMPARISON #11: PERCEPTION VS. FACT
- COMPARISON #12: EMERGENT VS. PREDICTABLE STATE
- COMPARISON #13: CYBER VS. PHYSICAL SPACE
- COMPARISON #14: EFFICACY VS. COMPLIANCE
- FURTHER STRUCTURAL CONSIDERATIONS: Helpful Linking Concepts
- Common Terms & Parenthetical Comparisons
- Kill Chains
- Metrics Defined
- Control Convergence
- Development Lifecycles
- “Capabilities” Defined
- Risk Management
- CONNECTING FRAMEWORK THEORY TO SECURITY THEORY
- Demonstrate a <Model> containing elements of both the framework and security discussions to be used as a Reasoning Aid throughout the remainder of the class
- Adjust the Model
- EVALUATING THE NIST FRAMEWORK AND C2M2
- Using the domain models discussed earlier, the class will evaluate the structure and content of both the NIST Framework and the C2M2. We will describe use cases, dependencies, how they can be linked together, and how our own class models can be used to fill the shared gaps in both frameworks. The intent of this section is not to critique other work, but to understand the concepts and work needed to build custom integration approaches and frameworks that will help students more effectively utilize existing work to reduce overall risk in their own environments.
- DAY-LONG FACILITATED WORKSHOP
- We will scope a theoretically-real security problem, use framework design principles, and eventually (hopefully!) arrive at successful risk reduction approaches over the course of the day. This workshop may flex according to student need and desire.