Effective “Cyber” Security Communication
Jack Whitsitt, EnergySec | @sintixerr | [email protected]
3/6/2015 1
While developing this presentation, I realized I needed to clearly explain “Cybersecurity” a bit before we could learn to talk about it.
So, I started looking up “Cyber” in Google images.
A picture is worth 1000 words, right?
So, “Cybersecurity”…what is it?
Why does this noise matter?
At some point, “Cybersecurity” will make its way into your life and, when it does, you will likely have to talk about it - to each other, to people you will never know, and to people who you might not know you’re communicating with.
…And the present confusion creates skeletons and land mines…For Everyone.
Skeletons and Landmines??
Cybersecurity is also a new discipline
– It’s not even a discipline
– We can’t even spell it the same way every time
– Combination of multiple disciplines glued together by marketing, myth, culture, and media
– There are few common terms, perspectives, and definitions, even among “experts”
– Even “Expert” is a tricky word….
Cybersecurity is exciting! Everyone wants in!
That makes it a very noisy, confusing topic with misleading information as well as over and under reactions.
Cybersecurity Experts (Really)
• System Administrators
• Malware Analysts
• Incident Responders
• Lawyers
• CISOs
• Procurement Officials
• Chairmen of the Senate Whatever Committee
• Heads of the NSA
• Senior Sales Engineers for Security Companies
• Hackers
• Children
• Criminals
• Terrorists
• Journalists
• Developers
• Activists
• Evolutionary Biology PhDs
• Diplomats
• Control Systems Engineers
• Civil Liberties Advocates
• Regulators and Auditors
• Emergency Managers
• Citizens
• Operations Staff
And this is why it matters to you…
Clearly, cybersecurity is *never* just an IT issue – you have a role to play
Whether you are IT security or an Emergency manager or a Lawyer:
– You will need to have a basic B.S. filter, at a minimum
– Customers and constituents are going to ask you questions
– There will be physical consequences of “cyber” activities
– You will be in mixed teams
– Legislation will affect you personally and professionally
– The media always wants its next cyber-high
Silence is often worse than poor communication
So, what kind of an expert am I?
• Open Source: Development Team: Hackers!
• Commercial Security Company: Data Geek: Fake News!
• INL/ICS-CERT: National Cyber Incident Response: Heh
• TSA: Transportation SSA: Train Communications Wreck
• Non-Profit: Energy Industry: NIST/Class
• Independent: International, Twitter, Here!
Why does it matter who we are?
Grudge Holders: Motivations, Goals, Resources, Partners, Enemies
Fire Setters: Vulnerabilities, Tools, Infrastructure, Tactics, Employer
Fire Fighters: Vulnerabilities, Tools, Infrastructure, Tactics, Employer
Fire Code Writers: Controls, Risks, Standards, Metrics, Maturity, Process
Fire Code Inspectors: Auditing, Controls, Metrics, Compliance
Victims: Privacy, Consequence, Compensation, Protection, Law, Emotion
Asset Owners: Risk, Likelihood, Compliance, Reputation, Cost
Equipment Vendors: Features, Controls, Reliability, Solutions
Government: Partnership, Assurance, Protection, Regulation
Reporters: Are they going to shut down the power grid like in that movie?
Understanding Cybersecurity starts with Perspective
But perspective needs contexts… or lenses
...otherwise communication can go wildly sideways…
First, what is “Communication”?
• The imparting or exchanging of information or news.
• The successful conveying or sharing of ideas and feelings.
• The discipline of communication focuses on how people use messages to generate meanings within and across various contexts, cultures, channels, and media.
• Two-way process of reaching mutual understanding, in which participants not only exchange (encode-decode) information, news, ideas and feelings but also create and share meaning. In general, communication is a means of connecting people or places.
Communication Failures
• Poorly Formed Message
• Unexpected Message
• Wrong Language
• Fear
• Inundation
• Mismatched Need
• Poor Timing
They both needed to be more aware of the context at the intersection of their perspectives.
Let’s call this context awareness “Lensing”
Lensing?
• In language, multiple words can be attached to similar objects.
• These descriptions are labels.
• Labels can be formal, be informal, develop organically, be created for a purpose, describe behavior, describe features, start out describing features but end up describing categories
• Cybersecurity, as a label, is a bit of all of this and also contains unlimited labels
• Lenses, for our purposes, are informal collections of labels and contexts to focus perspectives on common goals
“Lenses” can be great communication tools
Let’s explore a few Cybersecurity Lenses
The Nature of Cybersecurity: An Attacker Lens
(Source: http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=24d3c229-4f2f-405d-b8db-a3a67f183883 via Lockheed Martin)
The Nature of Cybersecurity: A Defender Lens
Source: https://isc.sans.edu/diaryimages/a207889185ca6b4ccbf43d94e017a663
The Nature of Cybersecurity: A Government & Policy Lens
Prosecute & Convict? Defend? Listen? Convince?
For what it’s worth, what’s my Lens?
• A Secure System is one that does no more or less than we want it to for the amount of effort and resources we’re willing to invest in it.
• Cybersecurity is the enablement of an environment in which business objectives are sustainably achievable in the face of the continuous risk resulting from the use of cyber systems.
• Cyber Risk is the possibility that actors will use our systems as a means of repurposing our value chains to alter the value produced, inhibit the value produced, or produce new value in support of their own value chains.
Essentials of A Structured Cybersecurity Communication Lens
• Who is communicating?
• What is their unstated origin context?
• What context are they communicating with?
• What perspective are they communicating to?
• What are they asserting explicitly?
• What are they implying?
• What are they not asserting?
REMEMBER: Use BOTH Negative and Positive Space
• When dealing with a topic that is not fully defined, there can be unacceptable room for content interpretation
• The use of negative space is helpful
– By articulating what is not, we can learn what is
– By articulating what might be and why we believe it is not, we retain control of dialogue about alternatives
– By articulating what we don’t know, bad assumptions of knowledge are avoided
– By articulating both positive and negative space, we increase the odds of the listener receiving the information we think we’re communicating
This is a crucial communication tactic, especially with Media and Incident Response
Perspective intersections can help illuminate applicable contexts
[Matrix: the row axis is labelled “Being Talked About” and lists the perspectives Grudge Holders, Fire Setters, Fire Fighters, Fire Code Writers, Fire Code Inspectors, Victims, Asset Owners, Equipment Vendors, Government, and Reporters; the columns repeat the same ten perspectives, so each cell is the context at the intersection of two perspectives. Example contexts given for the Grudge Holders row: Parasites, Business, Attack Architecture, Defense Architecture, Compliance & Standards, Government Policy, Consequences, People, Skewed Scale, Broken Metaphor, Attribution, more.]
Parsing Communication: Things to Look for (In Positive & Negative Space)
• Perspectives Represented – Source, Destination, Motivations, Inhibitors, Constraints
• Directionality Described – Attack, Protect, Avoid, Recover, Enable, Present, Educate
• Action Levers Requested – Technology, Tech Services, Policy, Law, Education, Money
• “Real World” Context – Cybersecurity means nothing by itself
• Consequences & Audiences of Communication – Intended, Unintended
• Tactics – The actual content itself
• Alternative Theories – ALWAYS provide to recipient, or to yourself as a receiver, a valid alternate narrative
• Sources – Where is their information coming from?
Ask “Lensing” and “Perspective” questions of received information.
Repackage into a structure
Apply Positive and Negative Space
Example: Receiving and Re-Sending Incident & Vulnerability Information
The original information received was in unstructured but formal paragraph form.
It should also, but does not, discuss confidence and alternate situations.
Remember
• First Principles Still Apply:
– Cybersecurity isn’t magic and can *mostly* be managed like any other emergency
– Communication should always be calm, honest, succinct, factual, and clear
• Clarity, though, in cybersecurity, is difficult right now, for everyone, so remember:
– Perspective
– Context and Lensing
– Positive & Negative Space
– Structured Communications
Media Examples (!!!)
• Uncle Sam Wants 10,000 Cyber Warriors!!!
• NIST (Voluntary) Cybersecurity Framework will be Mandatory!!!
• Target Security Staff Didn’t Look at Security Alerts!!!
• Sony was Compromised by North Korea and had Terrible Security!!!
• Our Energy Grid is Being Attacked Daily!!!
• NSA Wants Us to Give Them All Our Information (Re Information Sharing Bills)!!!
• The Government is Hacking My Laptop!!!
• Secret Obama Executive Order Leaked!!!