One. Two. Three.

Numbers. The world is full of numbers. The first thing we learn is to count to three. How many times do we count to three, in different situations and scenarios? Math was never my favorite subject. Now I deal with numbers every single day and enjoy the mathematics of cryptography. Many things are rated by severity or need to be ranked. I am often asked to rank a threat or vulnerability on a scale of one to ten. Numbers. Again and again and again.

The first time I learned about the lava lamps at Cloudflare, I was intrigued. They use a few different sources of randomness to create strong cryptographic keys. It was strange to me to think that there was randomness in mathematics. I found the predictability of cryptography almost calming. There was always an answer, and I suppose the same thing that was calming is what creates the need for randomness. Predictability can be both good and bad. Predictability in system defenses is good, but predictability of weaknesses is bad. I once heard a saying that the same water that boils the egg softens the potato. I knew both of those things separately. It was not until I heard them together that the reality hit: something you think about one way can also be used in another way.

I started in IT because I wanted to fix things and help people. I moved to cybersecurity because I learned quickly that for every good there is a bad. The one superpower the good side has is the ability to stack the odds. The opportunity to change the odds, to make a new number. Human error is a big threat. How do you change that? Tell the humans what can go wrong. Explain the issue and empower the users. It is not an easy task. I think about the wall of lava lamps often when I think of how to help users. The lava lamp wall is beautiful, calming, and a helper for security. I learned a while ago that educating users is much the same. Users are unpredictable. Chaos at times. The trick, however, is taking all of that chaos and turning it into security. Explaining what the security risks are and allowing each user to take on their own responsibility for security creates a unique personal ownership. The key to empowering everyone to help with security is showing the numbers. And continuing to show the numbers. I like to put up statistics. It could be how many phishing emails have been reported or how many people clicked on simulated phishing emails. Those numbers become personal and relatable. It also brings out people's competitiveness. No one wants to be the weakest link and put their department on the risky users list. This is where the security mindset starts. Looking for phishing emails becomes easier and easier the more that skill is practiced. Then the randomness comes into play. The security mindset starts to leak into other parts of their jobs. It spreads in different ways, like the lava lamps. The more it is practiced, the more security is implemented and the more habits are created.

All of this starts with basic numbers. One. Two. Three. Counting numbers, or counting on others.
