
Since I first posted about my EnergySec class a year ago, it’s evolved quite a bit. In that time the agenda and topics have evolved as well, so I thought I’d share the present content structure here. Interested in coming? We only have one more this year, but more are coming next year and I’m happy to do custom work in your town! Check out the current outline here:


Theory, Application, and Frameworks

 Problem Space Definition

  • Cybersecurity Scope & Ecosystem
    • What is “Cyber”?
    • Broad Stroke Scoping of Cybersecurity
      • Risks-To vs. Risks-From
      • Technology vs. Humans
      • Risk Response vs. Quality Management
      • Tactics vs. Strategy
      • Protection vs. Enablement
      • Default Handling vs. Error Handling
      • Doing It Once vs. Doing It Consistently
      • Predictable vs. Emergent State
      • Defending vs. Improving
      • Compliance vs. Efficacy
      • Fact vs. Perception
      • Virtual vs. Physical Space
    • A Parasitic Model of Cybersecurity
      • Value Competition
      • Shared Infrastructure
    • Adversaries
      • Shared Attributes
      • Complex Goals
      • Adversary Classification
      • Attack Mechanics and Architecture
      • “Exploitation Opportunities” & Kill Chains
  • State of the World
    • The Bear Has Eaten Us All
    • Demonstrative Real Life Scenarios
    • Bottom Line and Regaining Control
  • A Problem Space Framework
    • The Forest
    • Thesis
    • History
    • Role of InfoSec
    • Problem Spaces
      • Global
      • Body Politic
      • Business
      • Organizational
      • Individual
      • Nature of Risk

Skills Development 

  • Effective Structured Communication
    • Purpose of Frameworks
    • What is Communication?
    • Perspectives
    • Contexts
    • Lenses
    • Inverse Perspectives
    • Using Intersectionality
    • A House Analogy
    • Conceptual Communication Tools (Summary)
  • Intentional Framework Design
    • What are “Frameworks”?
    • Structure vs. Content
    • Structural Framework Design Principles
      • Labels
      • Relationships (Ontologies)
      • Transformations
      • Modularization & Abstraction
      • Lensing
      • Life-cycles
  • Modeling Exposure
    • How is Exposure Generated?
    • New Concept: “Vulnerability Introduction Point Decisions” (VIP’s)
    • Modeling Vulnerability Introduction Point Decision Trees
    • Comprehensive Model of How Organizations can Introduce Vulnerability
    • Threat Modeling Using VIP’s
    • Technical Threat Modeling Translated to Full System Threat Modeling
  • Increasing Decision Making Capacity
    • REAL Defense in Depth
    • Creating a Defense in Depth Kill Zone
    • The Problem with Likelihood: Supply Chains
    • Kill Zone Management Concepts
      • Success Criteria help define
      • Metrics which apply
      • Levers to create
      • Control Specifications that use
      • Convergence of
      • Parenthetical levels of security to manage the
      • Dissonance of human systems 

Solution Approaches

  • A Framework for Organizing Solutions
    • Environment
    • “How Exposure is Created” & “How Exposure is Exploited”
    • Exposure Management Goals
    • “Exposure Management Approaches” & “Exploitation Handling Approaches”
    • “Exposure Mgt Efficacy Testing” & “Exploitation Mgt Efficacy Testing”
  • Integrating Existing Frameworks
    • Background Definitions
      • Risk Management
      • Capabilities
    • Existing Framework Information
      • NIST CSF
      • ES-C2M2
      • NERC CIP


  • Framework Structure Design
  • Framework Use for Control Specification
  • Pivoting between Risk and Compliance with an ICE

I’ll have a longer discussion of SIRACon later, maybe, but for now, you can find my talk slides here:



Some of it is old material, but some of it is new. I really like how it’s fitted together and ordered here.

A couple of people have asked me to clarify what I mean by Sieges (and parasites) in terms of the first Siege post and the subsequent strategy/problem space framework post. Here’s a quick email I wrote that might help:

Sieges and Parasites:

From a collective non-aggressor entity perspective, cybersecurity “conflict” is functionally a siege of the collective environment: Non-combatants trying to maintain a minimum level of survivability while they’re surrounded, being drained of resources, and lack sufficient environmental influence/position to make effective risk decisions.

Compare/Contrast Siege and Parasitic Environment as conflict types to: crime, espionage, battlefield warfare, natural events.  These latter tend to be incident/event driven, where the risk and responses to a siege are more environmental over time, with incidents to individuals happening but being largely irrelevant except as they contribute to the overall lack of stability/freedom to operate.

This thought process got kicked off for me while reading about the siege of Sarajevo in particular. Imagine: you (a private org standing in as a citizen for this narrative) are in a city surrounded by artillery and snipers and you have to decide how best to keep getting water, which involves crossing several streets through town. Some streets are vaguely safer than others, usually, but not necessarily. You occasionally can see or have insight into the people on the hills, but not usually. There are dedicated defenders around, but they’re not well positioned and lack the capacity to defend everyone all the time. Your resources are limited and your freedom to operate is constrained further over time as resources diminish. You can be hit at any time once you move from a standstill from your base/home (and even then, without change, you are at some risk). You sort of make up criteria for decisions that help you feel safer (has anyone crossed that street recently? Were they shot at?) but they aren’t really indicative of actual risk.

In this case, trying to decide how and when to get water as a risk based decision is almost a nonsensical proposition: You don’t control your environment, you have a lot of exposure, and you lack relevant information that would change your situation significantly (this isn’t the same as lacking data, just helpful data).

This scenario is substantially different from how we look at cybersecurity and infosec today: Individual defenders, with sufficient skill and competency, access to resources indefinitely and as needed, on a relatively level playing field, trying to prevent, manage, or mitigate individual events on their own.

Ultimately, right now, we’re asking a bunch of non-combatants (you know, most businesses) to have the capacity to effectively and sustainably participate in what is becoming a low level global conflict (inclusive of state to state, criminal, hacktivist, etc. activity) while under siege.

This is a broken model and will never, ever get us where we want to be (for more reasons than I’ll lay out here).  We have to break the siege (thoughts on that being out of scope for the moment), which involves a level of strategic cooperation and unity that present culture, politics, business realities, and law do not allow.

(The Parasitic environment analogy is more specific to single organizations, as it allows for specific targeting.)

Aside: Interestingly, though, from an aggressor standpoint, it might or *might not* look like either a siege or a parasitic environment – i.e., aggressors acting individually and *without* coordination are contributing to creating a separate conflict type for defenders (Siege).

I’ve been known, now and again, to mouth off sarcastically that we don’t have any idea what “Cybersecurity” is, strategically – that we have no real concept of what “it” is. So, as a preface to my upcoming talks, I’ve sketched out a very, very draft and incomplete framework off the top of my head that is, I think, STILL more complete than anything else out there. It’s done in terms of “Environments” that must be managed or that pose describable, discernible, solvable problem spaces that pertain to cybersecurity risk. Note how different this looks from the NIST Framework, NERC CIP, SANS guidance, what you hear panels talk about, etc. Just remember, I have a lot to add here, which I’ll do after my upcoming talks have been given.


Conflict Environment

  1. Sieges & Unity (Defense problem of community siege-breaking, not incidents)
    1. Game Theory & International Relations
    2. Norms, Stabilization, and Confidence Building Measures
  2. Parasite Management
    1. Single Organization Value Control
    2. Competition for use of shared, not owned infrastructure
  3. Information vs Kinetic Warfare
    1. Long term abuse of misplaced cultural, political, and legal redlines

Technical Environment

  1. Complexity (exposure rising directly and infinitely with complexity)
  2. Competency (technical competency required by all, who cannot maintain)
  3. Security Express-ability (lower layers are approximating upper layer expressions)

Physical Environment 

  1. Geography & Power Delegation (Targets are Geography, cannot insert gov between industry and adversary)
  2. Geography & Proximity (Everyone is a Neighbor)

Single Organizational Environment

  1. Developing Sustainable Practices without requiring core Competency
  2. Decision Making Capacity Building
  3. Full System (Human) Threat Modeling
    1. Self Awareness
    2. Vulnerability/Exposure Identification & Management
    3. Exploitation Opportunity Identification & Management

Human Environment

  1. Stakeholder psychology requires targeted action to achieve desired behavior change
  2. Exceptional Distance between decisions, actions and risk limits involvement
  3. Ability to Process sufficient incoming knowledge tangential to core

National Environment

  1. Common Problem Space Consensus Development/Socialization
  2. Development and Engagement of Appropriate Regimes
  3. Stabilizing vs Developing managed Environments
  4. Business Value Production is inherently and completely tied to exposure creation/mgt, how does gov manage?

Market Environment

  1. Entrenched Industry is sucking needed resources away uselessly, needs derailment (fail, iterate, improve)
  2. Abstract, tenuous connection between market and risk

Leadership Environment 

  1. We Need Generals: Now Guys with Guns Espousing Tactical Requirements in Place of Strategies to Win (Win = Desired level of risk for desired investment over time)
  2. Formal Roles limiting Routing of Knowledge/Capability into available levers (ie, if you’re not selling something, you’re not participating)

Getting to be a busy fall/winter schedule. If you’re interested in catching up with me, learning, or just discussing security, check me out at one of these venues:

  • Sept 14 | Washington DC | EnergySec Summit
    • Giving workshop on Frameworks and the Discipline of Cybersecurity
  • Sept 28-29 | Krakow, Poland | CYBERSEC EU
    • Panelist in the State Stream
  • Oct 8-9 | Detroit, MI | SIRAcon
    • Speaking on risk: Yours, Anecdotally
  • Jan | Florida
    • To Be Announced

Can’t make these? Interested in having my somewhat unusual viewpoints represented at your security, industry, coffee, hiking, or other event? Let me know so I can get it on the calendar! :)

Pulled from a posting I made to SCADASEC:

Hard to believe that only 54 percent of those surveyed knew who to call in the event of a cyber incident or attack.

Why is this hard to believe? I think it’s not only hard to believe but also somewhat astounding that we live in a world where we legitimately expect a substantial percentage of our control systems operators to have to know this information. Think about it. We’re not asking them to be prepared for a hurricane, we’re asking them – businesses – to have the knowledge and capability to participate (even if, in some cases, minimally) in what is becoming global conflict (the delineation between crime, war, espionage, vandalism, etc. is really immaterial to that statement). This isn’t a series of potential incidents, it’s an effective siege environment. Sieges drain resources, drain morale, and need a serious strategy to break, or those inside get overwhelmed eventually. With or without actual (public) incidents, the effect is the same here.

“Fifty-three percent of respondents have experienced at least one malicious cyber attack on their control system networks and/or cyber assets — **that they were aware of** — within the past 24 months.” – WOW!

I can’t emphasize enough how... irrelevant... “incident” and “attack” incidences are when taken individually, or even as concepts that can be individualized and counted. The long term damage will be in environmental predictability, resource allocation, trust, and increasing cost of doing business. Maybe something really bad might happen as an event, but whether it does or not, the foundational environment can’t sustain this level of conflict and risk indefinitely without cascading consequences.

Instead of concentrating on managing incidents, responding to incidents, etc., we should be taking a serious look at what environmental (technical, legal, social, political) changes we can make to break the overall siege. Anything focused on incident management directly is a two-edged sword: it keeps us feeling like we’re treading water at the cost of resources dedicated to fixing the long term problems (and incident management capability for individual organizations is *not* solving a long term problem).

All In My Late Night Humble Opinion.  Take it as you will.
