Cybersecurity for Normal People
Thanks for clicking on Cybersecurity for Normal People! I believe that technology touches everything we do, everywhere – so cybersecurity is everyone’s responsibility. I hope this lexicon of jargon, vernacular, and acronyms helps normal people decode what security nerds like me are talking about. Please don’t take this as cyber-mansplaining or over-simplifying; we all have diverse specialties, and it is super dangerous to assume that things which appear obvious to some are obvious to everyone!
Most of these definitions are mine, rattled off for a couple of presentations delivered in 2020. If you want authoritative definitions, head to Oxford, Merriam-Webster, ISO, NIST, ASIS, ISACA, or (ISC)2. If you have things you think I should add or update, I’m happy to hear your thoughts!
Risk:
– ISO 31000 definition: “the effect of uncertainty on objectives” – can be both negative AND positive.
– (ISC)2 definition: the intersection of an asset, a vulnerability, an exposure, and a threat.
Asset:
– According to NIST IR 7693, pretty much any device that can become responsible for electrons at rest, in transit, or in use can be classified as an asset. Your organization has to classify its own asset groups responsible for delivering business objectives; your mileage with any classification scheme may vary.
Vulnerability:
– A weakness or feature that allows unexpected performance of people, processes, or technology.
Exposure:
– The availability of a vulnerability to be taken advantage of by a threat or attacker.
Threat / Attacker:
– A person or process that has the means, motive, or opportunity to take advantage of an exposure.
(Special note: if a vulnerability exists, but there is no exposure, how do you rate that risk? See! It’s tricky and fun!)
Risk Treatment Options:
– Reduce: minimize the vulnerability or exposure (zero-risk isn’t a thing)
– Avoid: cease the operation of the identified risk.
– Accept: say “yeah, we’re ok with this”. (if you say “defer”, don’t kid yourself! That just means “fancy accept”)
– Transfer: engage a third party to own the risk, maybe grab some insurance.
CIA Triad:
– Assessing technology risk through the lenses of confidentiality, integrity, and availability of systems or information.
Confidentiality:
– Keep our secret data secret.
Availability:
– The system or data should be available when we want it to be.
Integrity:
– The data should be within tolerance of precision and accuracy. What if the speedometer said you were going 50 km/h, but you were actually going 75 km/h?
People:
– Humans; authorized and unauthorized, intended and unintended.
Processes:
– Algorithms and techniques used to access information. The people and technology can be secure, but the process can fail, e.g.: the right person with the right database can still print something confidential and leave it on the public printer for hours.
Technology:
– This is what most people think about with Cybersecurity, but it’s so much more!
Data in use:
– Information that a person, process, or technology is actively working with.
Data at rest:
– The information we put in storage for later retrieval.
Data in motion:
– The mechanisms we use to move information from use to rest, rest to use, use to use, rest to rest.
Assessments:
– Threat Assessment – addresses actors
– Vulnerability Assessment – addresses assets
– Risk Assessment – addresses the intersection of probability and impact of threats exploiting vulnerabilities
Scoped Penetration Tests:
– Whitebox – the attacker is inside, knows everything
– Blackbox – the attacker knows nothing but the location of the target, or maybe not even that much
– Greybox – the attacker is somewhere in between, knows some things (think of it like a black box with cheat codes)
Measurements: (My humble opinion: you need to know how you’re intending to measure success for “security design” before you try to deliver it. You can’t just declare “security” and have it magically happen.)
– NIST CSF: National Institute of Standards and Technology, Cybersecurity Framework. NIST 800-53 is the control set. An American standard, but free to download.
– ISO 27001: similar to the NIST CSF (with ISO 27002 as the control set). An international standard, but pay-to-play.
– CIS: a simpler version of all this stuff. I like to view ISO and NIST as top-down frameworks (otherwise you’ll get buried very quickly); CIS, by comparison, works just fine as a bottom-up solution with bite-size implementation groups.
IAAA; Identification, authentication, authorization, auditing:
– Identification: a claim that names an entity such as a person or process (e.g.: a username).
– Authentication: proof that the identified entity is who they claim to be (e.g.: a password or biometric).
– Authorization: an agreed-upon set of things the entity can do.
– Auditing (sometimes called Accounting or other things): a trail indicating the actions taken by the entity.
CVE; Common Vulnerabilities and Exposures:
– Maintained by the MITRE Corporation, an ever-growing list of known problems in technology systems.
Design for Operations:
– Buying the car is fun, but ensure there’s a plan to CHANGE THE OIL from birth to death of every system. If you don’t build a system that can be maintained easily, it won’t be maintained, and it will become vulnerable very quickly. Blow your mind: go look at the CVE list by year; it becomes clear quite quickly that if you’re standing still in technology, you’re actually screaming backwards at an alarming pace. PATCH YOUR STUFF.
Breach:
– A failure to meet government legislation, a regulatory obligation, or corporate policy. A breach is not the root cause of the problem; a breach is the symptom of a problem or problems.
Factors of Authentication:
– Something you know, like a password.
– Something you have, like a debit card, a constantly changing security key, or a USB smart-stick.
– Something you are, like a biometric.
MFA; Multi-factor Authentication:
– Using two or more factors of authentication.
Two-Step Verification:
– Sometimes the same as MFA, but could instead be a dual-step, single-factor authentication (e.g.: using a system password and a personal password, which is not as secure as MFA).
Law:
– The stuff a government expects you to do, such as the Personal Information Protection and Electronic Documents Act, the Health Information Act, or the Security Services and Investigators Act.
Industry Regulation:
– The stuff an industry expects you to do, such as the Payment Card Industry Data Security Standard. Oddly enough, an industry regulation might actually be a source of higher dollar-value risk than a law: a privacy breach might cost you a couple thousand dollars in fines or reputation damage, while loss of credit-card processing capability could jeopardize an org’s entire revenue stream.
Privacy:
– Privacy is best considered a legal term encompassing Personal Information. Security is a non-legal term for everything else, including financial information, intellectual property, grandma’s recipes, etc.
PI; Personal Information:
– PI is the Canadian legal term (Federal: PIPEDA / Privacy Act; Alberta: PIPA / FOIP) indicating that information that can identify an individual belongs to that individual; the organization taking custody of this information must comply with legal obligations.
– PII – personally identifiable information: a wider/broader term used worldwide and outside Canadian legalities.
White Hat Hacker:
– A media term for a security researcher, someone who loves taking things apart in a responsible manner.
Black Hat Hacker:
– A media term for a naughty computer expert that wants to see the world burn.
Bug Bounty:
– A service that can be purchased by a company to reward white-hat hackers for performing penetration tests on your production systems within a particular scope, and for letting you know in a responsible manner instead of leakin’ your junk or holding you ransom.
IoC; Indicators of compromise:
– Data that identifies potentially malicious activity.
TTP; Tools, Techniques, and Procedures:
– Representations of behaviours used by threat agents to carry out attacks.
Threat Intelligence:
– IoCs and TTPs delivered as a service.
OSINT; Open Source Intelligence:
– Using open source or free tools to uncover information about individuals, organizations, systems, or other entities.
Doxxing:
– Being naughty with your OSINT and putting Personal Information online without the owner’s consent.
Cybersecurity:
– The 2018+ name for Information Security.
Information Security:
– The 2015+ name for IT Security.
IT Security:
– The 2010+ name for Information Technology best practices.