Re: What does Cyber Security mean to you?

cbkihong · ‎12-30-2017

Not sure if I am ignorant or else. Would appreciate some enlightenment.

Recently I was approached by somebody from a social network that whether I have experience in "cyber security". I didn't know exactly what he was talking about, so I asked him to check out my professional profile which is published somewhere that includes description on what kinds of security related work I did and am doing. But he only slightly re-asked the question to add two words "in attacks". So I told him as CISSP I don't engage in attacks nor do I engage myself in "offensive security".

Maybe I am confused, but I think in everyday language "Cyber Security" has been just a too vague term that could literally mean different things security as referred by different parties. Note that that guy did not even talk about "Cyber Warfare" here. So, is there a true and established definition of "Cyber Security" that I might not have been aware of, thus rendering that question incomprehensible to me?

Badfilemagic · ‎12-30-2017

"Cyber" is an umbrella term encompassing both offensive and defensive security aspects which is primarily used in goverment/military in the US, and in the MD/DC/VA area. I've had the title "Sr. Cybersecurity Specialist" at an insurance company, for instance. The roots are military, to draw distinction from the physical or "kinetic" world. In terms of warfare, a "cyber response" would be hacking back or something like Stuxnet. A "kinetic response" would be dropping a bomb.

Much like how APT (asia-pacific threat) was coopted by marketers (advanced persistent threat), cyber has also been coopted by marketers trying to sell into the government and military space. saying you're in "cyber" and not "network security" is the ticket, like claiming to be a "cryptocurrency" company when you're really selling ice tea. Stretching the term causes it to lose meaning, and that sews the confusion you're feeling. So, if you do "network security," "computer security", "information security," "information assurance," "offensive security," "penetration testing", or "ethical hacking" you're doing "cyber" whether you know it or not. But if you don't live in or around the DC area and aren't looking to work for the military industrial complex you can probably just not worry about it. I moved to Austin earlier this year, and people mostly say cyber ironically.

This all may be different in other countries, though.

-- wdf//CISSP, CSSLP

cbkihong · ‎12-30-2017

No, I don't work for military, governments or companies that provide services to them.

Thanks. If a big company is recruiting for somebody in "cyber security" (like your case, insurance companies tend to be big), what does that typically entail? Is "hacking back" or taking a more offensive position part of the agenda or actually not necessarily the case, and it could just mean literally anything? Of course, if a JD is available hopefully that would be a bit more clear, but assume that it is not (yet) available.

Badfilemagic · ‎12-30-2017

Hacking back by civilian entities is stupid and illegal, so beyond penetration testing or security research the offensive part is almost certainly not a major part. That doesn’t mean you don’t benefit from knowing how to do it, though. That’s just a separate issue. In the government world, you may see job titles with TLAs like CNE (computer network exploitation) or CNO (computer network operations) and these mean offensive, red team type stuff as opposed to CND (computer network defense) which is obviously blue team.

Barring a job description, it is difficult to say. Like i said, it is a catch-all term that originated in the dod/fed space and was picked up by marketers. You’ll read articles about a cyber skills shortage or the number of openings in cyber security, and they’re lumping malware analysis jobs in with PCI auditing. Frankly, it is difficult not to be at least a little bit cynical about it or recalling all the other uses of cyber in the 1980s and 1990s. Putting my non-cybical pants on for a minute, I’d argue that generally if a position can be defined in terms of red team or blue team, i.e., it is a technically-oriented, operationally focused role within the broader category of information security, then it is “cyber,” for lack of a better term. (How to refer to what we do, taxonomicly, seems to be the perennial debate in this industry). Also, for better or worse, if you can label what you do cyber, you can pretty much print your own ticket. Those skills make bank. However, you’ll probably get looked at cross-wise id you say cyber too much too far away from the beltway.

At least, this is my $0.02.

-- wdf//CISSP, CSSLP

Early_Adopter · ‎01-01-2018

Completely agree with WDF on his first point, hack back's etc are not within the competencies(legal rather than technical) of anyone other than those duly authorized by governments, and frankly that is up for debate - legal for/by whom against which target? Opinions differ radically...

The biggest challenge I see with it is how do you know who you are attacking? Attribution is very difficult - Even at the top their level it's all too easy to stage a false flag operation, and these things can escalate at wire speed.

For me I guess It boils down into the offensive and defensive, but the real magic is in intelligence, timely, accurate an actionable - cyber deception is probably the most interesting defensive art right now - tying up the adversary in networks you control and finding out their intent as well as exhausting their resources seems like the closest you can get to safe active defenses. Of course if an attacker finds out they may not be so happy, so make sure your tar baby is authentic looking, and you can throttle/pull the plug so quickly so your network doesn't find itself running a DDOS against a state actor.

Badfilemagic · ‎01-01-2018

A lot of what passes for threat intelligence these days in the commercial space is not intelligence. It is glorified reputation feeds, or reports on threat actors most orgs don’t have the maturity to ingest and act on.

Deception and active honeypotting are for sure vert cool though, but again, organizational maturity is key to be able to take advantage of them. A good book on this topic, and “threat intelligence” more broadly is ‘Reverse Deception: Organized Cyber Threat Counter-Exploitation’ by Bodmer. I read that a few years ago and learned a good bit from it.

-- wdf//CISSP, CSSLP

CISOScott · ‎01-02-2018

Cyber security in attacks can mean several things also. Experience defending against attacks or doing the attacking? Does the experience, if it is defending them, revolve around detection, mitigation, prevention, reverse analysis, source attribution. damage repair, etc? If it is in performing attacks, is it malware creation, penetration testing (both blue, red and purple teaming), hacking back (mentioned above)?

If someone were to send me such a short response I would ask if they could send over the job description so I could verify if my experience fit the job. The brevity of their responses leads me to question how good they would be to work for.

JunkBond · ‎05-08-2019

I am glad you enjoyed our book.

Shannon · ‎05-10-2019

I'm responsible for tailoring and maintaining our organization's Information Security policies, & with the main regulatory authority here mandating compliance with its Cybersecurity requirements, I have to ensure that our policies adequately cover these.

Information Security & Cybersecurity often overlap. While the ultimate goal of both is to ensure the CIA (Confidentiality, Integrity & Availability) of information, Cybersecurity focuses on securing electronic / digital information against Cyber threats.

The way I see it, Information Security should encompass Cybersecurity, since just about all information today is digitized, & almost everything is connected, courtesy of the IoT.

If a prospective employer poses this question, what's ultimately going to matter is not what it means to you, but to him / her. Given that it can refer to Offensive and / or Defensive Security, and being skilled in one isn't going to guarantee competency in the other, there should be a clear definition of requirements.

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz