The Alchemy of Information Protection: A Cybersecurity Druid's Spell Book
By Rich Owen
About this ebook
1. The non-cybersecurity executive or business owner who wants to gain an understanding of their role in the protection of the company's information assets.
2. The person in the company who is tasked with creating and maintaining a cost-effective program to protect the company's information assets.
3. The Chief Information Security Officer who may be reminded of some points where they can improve their programs.
© 2022 Rich Owen All rights reserved. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher, except in the case of brief quotations embodied in critical reviews and certain other noncommercial uses permitted by copyright law.
ISBN 978-1-66785-113-6 eBook 978-1-66785-114-3
Dedication
This book is dedicated to fellow business executives and Cybersecurity Druids who are focused on the governance of data in cyberspace and its protection from all enemies, foreign and domestic.
Preface
Cybersecurity is not rocket science. I should know. I was the rocket scientist who was tasked with creating the computer security program for Mission Operations at Johnson Space Center, NASA. Ok, technically, I was an Aerospace Technologist. After having been a contractor on the team that designed and installed the first local area network in the Mission Control Center, I joined NASA as a manager of small projects for Mission Operations. That was in 1986, after the Challenger incident. There were no laws or standards, just the guidance from the Director of Mission Operations, Gene Kranz, that "Failure is Not an Option."¹ In an early discussion that I had with my Branch Chief, he agreed that, with my experience as an NSA and NASA contractor and my training from the U.S. Army Security Agency, I should create the program. His concern was that he did not want a "Cop on every corner," and he was not sure that he wanted the responsibility for that function in his branch. As I grew the program, it later became a directorate-level support function.
The next question that people ask is, "Why is Druid in the title?"
The idea behind the title came from a budget meeting of the Mission Operations Directorate. We had projects listed on the whiteboard with their associated costs. We put them in priority order. One of the information security projects (computer security at the time) was above the line and to be funded. One of the projects below the line was from the Flight Directors. The Chief of the Flight Directors said to me, "Where do you and your Druids dream up this Stuff (maybe a different word was used) in the middle of the night?"
The label stuck. In the end, it only seemed fitting, as Druidism is an ancient religion and I have been surprised by the number of ministers and religious people in this profession. In both cases, it requires a lot of faith.
In keeping with the Druid theme, I have incorporated variations of two Druid symbols on the title page. The first symbol is a variation of the Vesica Piscis, with the letters C, I and A inserted. This symbol represents the union of many things such as between humans and earth. It is often used to represent unity with the land we walk upon and a sacred promise or pact between the individuals and the land they serve. I particularly like this symbol and what it represents because although the Chief Information Security Officer (CISO) may have the calling and may be a priest in orchestrating spells to protect the company, he or she cannot do it alone. It requires everyone from user, to customer, developer and executive to protect the Confidentiality, Integrity and Availability of our data. The second symbol is the Awen, which carries profound energy of creative awakening and divine inspiration. With the three rays of light, the Awen reminds us of the all-important sacred number of three in Druidry. In our case, it reminds us that to protect our WATER, we need EARTH, WIND and FIRE. This symbol is particularly good when you need creativity to flow. Needless to say, we certainly need a continuous flow of creative energy to protect our information, data and systems.
The cybersecurity profession is huge and growing. There are enough books and articles that provide you with the FUD (Fear, Uncertainty and Doubt) about our ability to protect our data. This book is intended to provide you with a historical reference of the growth in our industry and a path for the creation of a cost-effective cybersecurity program. I do not believe that one person has all of the answers, nor that there is one way to create a program. This book gives examples of how I did it, several times, and things that I learned as the industry matured.
Governance of data is the future of this effort. It is concerned not only with the protection of the data within the system, but also with the quality and protection of data entering and created by the system. To some, governance of data is all about the science and technology to make it happen. To others, it is about the art of managing technology and leading people. It is said that belief by one is a value and belief by many is a religion. I hope this book will help you understand that it is a Science, Art, Religion and more.
This book is written in first person because it is based on a collection of notes that I have acquired over the years. These notes came from education, training, certification and especially from experience. In some cases, solutions were just inspired, in those quiet moments of the day. Gene used to call these, "Thoughts while shaving."
In my case, I usually woke up at 3 a.m. with thoughts.
WARNING
This book is NOT a checklist of steps for you to take to create a cybersecurity or governance program. It is not a textbook. It is a collection of items, events and stories that hopefully will help you think about how to protect your information assets and help guide you to build, maintain and improve an effective cybersecurity program.
This book can be read in a very high-level and non-engaging manner, or it could drive you to consider whether you are doing all that you could be doing. Either way, I suspect that this will be the least or most significant business book that you will read this year, all depending on you.
Contents
Hacked
Introduction
WATER (Information/Data)
Elements of Protection
EARTH (Physical & Virtual Technology)
Physical and Virtual Threats to your Information
Identification
Protection
Detection
Response
Recovery
WIND (Policy & Procedures)
Policy
The Program
Procedures & Plans
FIRE (People)
External People
Internal Non-Technical/Security People
Internal Technical/Non-Security People
Information Security Team
Master Cybersecurity Druid (CISO)
Conjuring: The Process of Creation & Maintenance of the Program
Spell of Why
Spell of What
Spell of How
Spell of When
The Complete Program
Conclusions
Endnotes
Hacked
Yes, Hacked. I was mentally hacked! As I came close to the final edit of this book, I attended a Cloud Security Alliance meeting in Phoenix, where Michael Manrod, CISO of Grand Canyon University, gave a presentation on "Cognitive Malware and Misinformation." I was then reminded that people not only hack the machines that we use, but they hack the people as well.
In the presentations that I give to social groups and schools on Security and Privacy, I remind them of "Stranger Danger." This was illustrated in the movie Kindergarten Cop, where we remind our children not to take candy from, or talk to, strangers. Yet, all of us accept email from strangers every day, many of whom are offering us "Free Candy." In my presentations, I remind people that "Numbers don't lie, but Liars figure!"
I also point out how my seventh grade teacher taught me how to read a newspaper. Yes, I knew how to read way before then, but Mrs. Hopkins taught me to look closely at the words to try and understand what the writer’s viewpoint was. What are they trying to tell you and why? What do they want you to think or do? Those are the important questions each of us needs to be thinking about with every email or message that we get. This is especially true with social media.
With social media, the platforms are gathering data, via our "likes," so that they can carefully craft articles, emails and messages that target our biases. To paraphrase a comment from Mike's presentation, "If you like tacos, a message could be created to have you salivating like one of Pavlov's dogs before you even question if the message makes sense."
All of the above is how people can use the machines and our human weaknesses to hack the person. "But wait, there is more!" (to quote an old Ronco commercial). These same humans, with their flaws and biases, created these machines. As a reminder here, when the internet was created, security was not a consideration. As with many operating systems, security of the systems and the data in them was an added feature. So what are we doing with this technology that is inherently insecure? We are throwing more data at it and becoming more dependent on its results.
In the TV series Supernatural, the main characters attend a Supernatural Conference and meet the writer of the Supernatural series of books. This is the person who is writing their story. They later refer to him as God. I mention that because anyone who has ever created or managed a system or network knows that they are God of their domain. The only thing more powerful than them is the "God Command," turning the damned thing off. That power exists in every system/application/network. There has been more than one movie or TV show that has been written about the embedded back door. There have been many examples where these backdoors have been exploited, in the real world, thankfully on a more limited scope. This is all possible because people, often unchecked, are creating