The Alchemy of Information Protection: A Cybersecurity Druid's Spell Book
Ebook, 163 pages, 1 hour


About this ebook

Cybersecurity is not a one size fits all solution; therefore, security must be tailored to the needs of the individual. The purpose of this book is to provide readers with rational business processes by which they can understand what information is important, and why. "The Alchemy of Information Protection" was specifically written for:
1. The non-cybersecurity executive or business owner who wants to gain an understanding of their role in the protection of the company's information assets.
2. The person in the company who is tasked with creating and maintaining a cost-effective program to protect the company's information assets.
3. The Chief Information Security Officer who may be reminded of some points where they can improve their programs.
Language: English
Publisher: BookBaby
Release date: Jun 14, 2022
ISBN: 9781667851143
    Book preview

    The Alchemy of Information Protection - Rich Owen

    © 2022 Rich Owen All rights reserved. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher, except in the case of brief quotations embodied in critical reviews and certain other noncommercial uses permitted by copyright law.

    ISBN 978-1-66785-113-6 eBook 978-1-66785-114-3

    Dedication

    This book is dedicated to fellow business executives and Cybersecurity Druids who are focused on the governance of data in cyberspace and its protection from all enemies, foreign and domestic.

    Preface

    Cybersecurity is not rocket science. I should know. I was the rocket scientist who was tasked with creating the computer security program for Mission Operations at Johnson Space Center, NASA. OK, technically, I was an Aerospace Technologist. After having been a contractor on the team that designed and installed the first local area network in the Mission Control Center, I joined NASA as a manager of small projects for Mission Operations. That was in 1986, after the Challenger incident. There were no laws or standards, just the guidance from the Director of Mission Operations, Gene Kranz, that “Failure is Not an Option.”¹ In an early discussion that I had with my Branch Chief, he agreed that, with my experience as an NSA and NASA contractor and training from the U.S. Army Security Agency, I should create the program. His concern was that he did not want a “Cop on every corner” and he was not sure that he wanted the responsibility for that function in his branch. As I grew the program, it later became a directorate-level support function.

    The next question that people ask is, “Why is Druid in the title?” The idea behind the title came from a budget meeting of the Mission Operations Directorate. We had projects listed on the whiteboard with their associated costs. We put them in priority order. One of the information security projects (computer security at the time) was above the line and to be funded. One of the projects below the line was from the Flight Directors. The Chief of the Flight Directors said to me, “Where do you and your Druids dream up this Stuff (maybe a different word was used) in the middle of the night?” The label stuck. In the end, it only seemed fitting as Druidism is an ancient religion and I have been surprised with the number of ministers and religious people in this profession. In both cases, it requires a lot of faith.

    In keeping with the Druid theme, I have incorporated variations of two Druid symbols on the title page. The first symbol is a variation of the Vesica Piscis, with the letters C, I and A inserted. This symbol represents the union of many things such as between humans and earth. It is often used to represent unity with the land we walk upon and a sacred promise or pact between the individuals and the land they serve. I particularly like this symbol and what it represents because although the Chief Information Security Officer (CISO) may have the calling and may be a priest in orchestrating spells to protect the company, he or she cannot do it alone. It requires everyone from user, to customer, developer and executive to protect the Confidentiality, Integrity and Availability of our data. The second symbol is the Awen, which carries profound energy of creative awakening and divine inspiration. With the three rays of light, the Awen reminds us of the all-important sacred number of three in Druidry. In our case, it reminds us that to protect our WATER, we need EARTH, WIND and FIRE. This symbol is particularly good when you need creativity to flow. Needless to say, we certainly need a continuous flow of creative energy to protect our information, data and systems.

    The cybersecurity profession is huge and growing. There are enough books and articles that provide you with the FUD (Fear, Uncertainty and Doubt) of our ability to protect our data. This book is intended to provide you with a historical reference of the growth in our industry and a path for the creation of a cost-effective cybersecurity program. I do not believe that one person has all of the answers nor that there is one way to create a program. This book gives examples of how I did it, several times, and things that I learned as the industry matured.

    Governance of data is the future of this effort. It is concerned with the protection of the data not only within the system, but also the quality and protection of data entering and created by the system. To some, governance of data is all about the science and technology to make it happen. To others, it is about the art of managing technology and leading people. It is said that belief by one is a value and belief by many is a religion. I hope this book will help you understand that it is a Science, Art, Religion and more.

    This book is written in first person because it is based on a collection of notes that I have acquired over the years. These notes came from education, training, certification and especially from experience. In some cases, solutions were just inspired, in those quiet moments of the day. Gene used to call these “Thoughts while shaving.” In my case, I usually woke up at 3 a.m. with thoughts.

    WARNING

    This book is NOT a checklist of steps for you to take to create a cybersecurity or governance program. It is not a textbook. It is a collection of items, events and stories that hopefully will help you think about how to protect your information assets and help guide you to build, maintain and improve an effective cybersecurity program.

    This book can be read in a very high and non-engaging manner, or it could drive you to consider if you are doing all that you could be doing. Either way, I suspect that this will be the least or most significant business book that you will read this year, all depending on you.

    Contents

    Hacked

    Introduction

    WATER (Information/Data)

    Elements of Protection

    EARTH (Physical & Virtual Technology)

    Physical and Virtual Threats to your Information

    Identification

    Protection

    Detection

    Response

    Recovery

    WIND (Policy & Procedures)

    Policy

    The Program

    Procedures & Plans

    FIRE (People)

    External People

    Internal Non-Technical/Security People

    Internal Technical/Non-Security People

    Information Security Team

    Master Cybersecurity Druid (CISO)

    Conjuring: The Process of Creation & Maintenance of the Program

    Spell of Why

    Spell of What

    Spell of How

    Spell of When

    The Complete Program

    Conclusions

    Endnotes

    Hacked

    Yes, Hacked. I was mentally hacked! As I came close to the final edit of this book, I attended a Cloud Security Alliance meeting in Phoenix, where Michael Manrod, CISO of Grand Canyon University, gave a presentation on Cognitive Malware and Misinformation. I was then reminded that people not only hack the machines that we use, but they hack the people as well.

    In the presentations that I give to social groups and schools on Security and Privacy, I remind them of Stranger Danger. This was illustrated in the movie Kindergarten Cop, where we remind our children not to take candy from, or talk to, strangers. Yet, all of us accept email from strangers every day, many of whom are offering us Free Candy. In my presentations, I remind people that Numbers don’t lie, but Liars figure! I also point out how my seventh grade teacher taught me how to read a newspaper. Yes, I knew how to read way before then, but Mrs. Hopkins taught me to look closely at the words to try and understand what the writer’s viewpoint was. What are they trying to tell you and why? What do they want you to think or do? Those are the important questions each of us needs to be thinking about with every email or message that we get. This is especially true with social media.

    With social media, the platforms are gathering data, via our likes, so that they can carefully craft articles, emails and messages that target our biases. To paraphrase a comment from Mike’s presentation, If you like tacos, a message could be created to have you salivating like one of Pavlov’s dogs before you even question if the message makes sense.

    All of the above is how people can use the machines and our human weaknesses to hack the person. But wait, There is more! (to quote an old RonCo commercial). These same humans, with their flaws and biases, created these machines. As a reminder here, when the internet was created, security was not a consideration. As with many operating systems, security of the systems and data in them was an added feature. So what are we doing with this technology that is inherently unsecure? We are throwing more data at it and becoming more dependent on its results.

    In the TV series Supernatural, the main characters attend a Supernatural Conference and meet the writer of the Supernatural series of books. This is the person that is writing their story. They later refer to him as God. I mention that because anyone who has ever created or managed a system or network knows that they are God of their domain. The only thing more powerful than them is the God Command, turning the damned thing off. That power exists in every system/application/network. There has been more than one movie or TV show that has been written about the embedded back door. There have been many examples where these backdoors have been exploited, in the real world, thankfully on a more limited scope. This is all possible because people, often unchecked, are creating
