

  PRAISE FOR

  THE CYBERSECURITY MINDSET

  “The Cybersecurity Mindset provides a comprehensive view into practical day-to-day cybersecurity work. Dewayne introduces a conceptual model for creating a cybersecurity culture that offers an increased value proposition for organizations, customers, and cybersecurity professionals alike. The Cybersecurity Mindset is a recommended read for seasoned veterans, new cybersecurity professionals, and those aspiring to join the ranks of cybersecurity. The book offers a roadmap for CISOs to introduce a cultural shift toward a cybersecurity-minded workforce.”

  —JASON LAWRENCE, MSISA, CISSP, CISA, Associate Director-Cybersecurity, Managed Threat Detection and Response (MTDR) AT&T Cybersecurity

  THE CYBERSECURITY MINDSET

  A VIRTUAL AND TRANSFORMATIONAL THINKING MODE

  DEWAYNE HART

  The Cybersecurity Mindset:

  A Virtual and Transformational Thinking Mode

  by Dewayne Hart

  © Copyright 2022 Dewayne Hart

  ISBN 978-1-64663-872-7

  All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means—electronic, mechanical, photocopy, recording, or any other—except for brief quotations in printed reviews, without the prior written permission of the author.

  Published by

  3705 Shore Drive

  Virginia Beach, VA 23455

  800-435-4811

  www.koehlerbooks.com

  TABLE OF CONTENTS

  Introduction

  How Did We Get Here?

  IT Security 101

  Human Interaction and Cybersecurity

  Now, Why Such a Book?

  Virtualized Path

  Inclusive Culture

  Chapter One: Images of an Inclusive Culture?

  Chapter Two: Growth Mindset Culture

  Chapter Three: Embracing Organization Changes

  Chapter Four: Branding a Training and Awareness Profile

  Chapter Five: Inclusive Culture Toolkit

  Virtualized Path: Situational Awareness

  Chapter Six: Environmental Knowledge

  Chapter Seven: Mental Focus and Alertness

  Chapter Eight: Trust Your Cyber Senses

  Chapter Nine: Information Sharing for Situational Awareness

  Chapter Ten: Situational Awareness Assessment

  Virtualized Path: Risk-Based Thinking

  Chapter Eleven: Extending a Compliance Mentality

  Chapter Twelve: Risk Discovery and Opportunities

  Chapter Thirteen: Proactive and Reactive Measures

  Chapter Fourteen: Responsible Actions and Ownership Model

  Chapter Fifteen: Assessing Risk Management Programs

  Transforming the Mindset

  Chapter Sixteen: Value Proposition Mentality

  Chapter Seventeen: Thinking Digital Modernization

  Chapter Eighteen: Modernizing a Workforce

  Chapter Nineteen: Wearing a Hacker’s Hat

  Cybersecurity Thinking Mode

  Chapter Twenty: Adaptive Mindset

  CONCLUSION

  APPENDIX A—ACRONYMS

  APPENDIX B—KEY TERMS

  REFERENCES

  INTRODUCTION

  HOW DID WE GET HERE?

  Today’s technology has survived many milestones and challenges. In the 1980s, during the microcomputer revolution, IBM introduced its first personal computer. Before this era, computing was dominated by mainframes whose role was centralized data processing. The IBM Model 5150 appeared on August 12, 1981, and created a new technology environment. During the same period, the UK introduced the Sinclair ZX81 computer, and Microsoft captured the market with MS-DOS as the premier operating system for IBM-PC-compatible computers. According to Microsoft, by 1994 MS-DOS was running on 100 million computers worldwide.

  In 1995, I started my post-sea-duty career, or shore duty, at MacDill AFB, which is where my experience with and exposure to the PC market surfaced. From 1995 to 2000, Microsoft software products and technology controlled the IT market. During this time, many government agencies transitioned to newer, Windows-based technologies. The internet began to surface during this trend, and as an IT professional, my technology engagement advanced. The internet became a viable means of linking these computers and a vehicle to support data transactions and multiple communication technologies, such as cell phones, modems, and military tactical systems.

  In 1995, Wells Fargo became the first US bank to offer online banking, with other banks quickly following suit. Here is where my professional career in technology and security surfaced. I remember speaking with several military friends about securing data and protection standards and how computer viruses would come to dominate data protection and internet safety. Since the concept was new, I could see that technology would encounter many challenges. Today, professionals face multiple challenges in defending and protecting systems.

  From the early 2000s to 2010, I saw many organizations develop data protection standards. This massive growth brought a new culture and supporting technologies, and cybersecurity became a premier concern for IT managers. Organizations integrated safe practices to protect data and prevent monetary loss. The online banking industry exploded, and so did social media: Facebook, Instagram, and Twitter. The industry saturated the market and created a chain of protection standards, frameworks, and social-behavioral issues. The result forced the technology sector to develop a deeper understanding of what security means.

  IT SECURITY 101

  The three pillars of IT security are Confidentiality, Integrity, and Availability, commonly called the CIA triad. Confidentiality is the principle of need-to-know: not everyone should have access to your bank account, which is why access requires your own username and credentials. Shared accounts break the confidentiality scheme, because the system can no longer tell who did what. Integrity means data is free from unauthorized or accidental modification; what is received should match what was sent. If you transfer $1,000 to your significant other for Valentine’s Day, their account should increase by $1,000, not by $10,000. Of course, they may like the extra digit, but sorry for you: you cannot take it back. That is where integrity comes in. The last principle is availability: the resources you need are there when you need them, such as the banking site and the secure communication channel used to execute the transfer. Encryption is a confidentiality control, not an availability one. It keeps your session private in transit, and on the server side your password should not be stored in clear text, or even in reversibly encrypted form, but as a salted one-way hash: a fixed-size digest the system can compare against but cannot turn back into the password. When you type a password such as “SDER%$&JHV)*;jh,” what the server stores looks nothing like it. Let’s not get too technical, but you see the point. Availability has many facets, such as being able to log onto a system during specific periods. Some key areas are uptime, storage access, and reaching social media sites.

  In the realm of IT, security vulnerabilities and threats exist. A vulnerability is a weakness or loophole, such as a password structure. If an organization requires employee accounts to use fifteen-character passwords, and a user can still successfully create a four-character password, that is a vulnerability: the control exists on paper but is not enforced by the system. A threat is something that can exploit a vulnerability, and the party that acts on it, such as a hacker, is the threat agent. A hacker with prior knowledge of the weak password enforcement could gain access to confidential information, such as an employee email message: “I have a four-character password!”

  IT systems use technical controls to counter the risk, such as enforcing the fifteen-character minimum at account creation rather than merely stating it in policy. A hacker can use various password-guessing methodologies. One is a dictionary attack: a tool tries common words and known leaked passwords, and if a candidate matches the system password, the hacker gains access. Another is a brute-force attack, which tries every combination of characters of a given length. It is automated with a hacking program, and the time it takes grows exponentially with password length, which is why a four-character password falls in seconds while a fifteen-character one does not. Risk is the likelihood that a threat will exploit a vulnerability, weighed against the impact if it does. A security professional’s role is to reduce risk to an acceptable level, which is the function of risk management. Learning Point: Threat × Vulnerability = Risk (many frameworks add Impact as a third factor).
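  As an added example (not code from the book or its author) covering the password discussion above, the following Python enforces the fifteen-character policy at account creation instead of leaving it on paper, stores a salted one-way hash rather than the password itself, runs an offline dictionary attack against a stolen hash, and compares the brute-force keyspace of a four-character password with a fifteen-character one. The wordlist, the guess rate, and all function names are assumptions made for illustration.

```python
"""Added example, not code from The Cybersecurity Mindset or its author.

Demonstrates: password-policy enforcement in code, salted one-way hashing,
an offline dictionary attack against a stolen hash, and brute-force keyspace.
The wordlist, guess rate and sample passwords are constructed data.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import string

MIN_LENGTH = 15          # the policy minimum discussed in the text
PBKDF2_ROUNDS = 100_000  # work factor; raise it in production

# Constructed sample wordlist standing in for a real dictionary-attack list.
SAMPLE_WORDLIST = ["password", "letmein", "Welcome1", "summer2022", "Password1", "qwerty"]


def check_policy(password: str, min_length: int = MIN_LENGTH) -> list[str]:
    """Return policy violations; an empty list means the password is compliant.

    Enforcing this at account creation closes the vulnerability where a user can
    set a four-character password despite a fifteen-character rule.
    """
    violations = []
    if len(password) < min_length:
        violations.append(f"length {len(password)} is below the minimum of {min_length}")
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    present = sum(any(ch in cls for ch in password) for cls in classes)
    if present < 3:
        violations.append(f"only {present} character class(es); at least 3 required")
    if password.lower() in {w.lower() for w in SAMPLE_WORDLIST}:
        violations.append("password appears in the blocklist")
    return violations


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest). The digest cannot be turned back into the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash for the candidate and compare in constant time."""
    _, cand = hash_password(candidate, salt)
    return hmac.compare_digest(cand, digest)


def dictionary_attack(salt: bytes, digest: bytes, wordlist: list[str]) -> str | None:
    """Offline dictionary attack: the attacker holds a stolen salt+digest and
    rehashes each wordlist entry. Returns the recovered password or None."""
    for word in wordlist:
        if verify_password(word, salt, digest):
            return word
    return None


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidates a brute-force attack must cover at a fixed length."""
    return alphabet_size ** length


def brute_force_years(length: int, alphabet_size: int, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to exhaust the keyspace at an assumed (constructed) guess rate."""
    return keyspace(length, alphabet_size) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print("policy check '1234':", check_policy("1234"))
    print("policy check 'Correct-Horse-Battery9':", check_policy("Correct-Horse-Battery9"))
    # A weak password that slipped past a paper-only policy; attacker steals salt+digest.
    salt, digest = hash_password("Password1")
    print("dictionary attack recovered:", dictionary_attack(salt, digest, SAMPLE_WORDLIST))
    print("4-digit PIN keyspace:", keyspace(4, 10))
    print("years to brute-force 4 printable chars:", brute_force_years(4, 95))
    print("years to brute-force 15 printable chars:", f"{brute_force_years(15, 95):.3e}")
```

  The dictionary attack succeeds against “Password1” no matter how strong the hash function is, because the weakness is the password, not the storage. Enforcing `check_policy` at creation time is what removes that vulnerability; the salted hash only limits what an attacker can do with a stolen credential store.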

  HUMAN INTERACTION AND CYBERSECURITY

  Historically, culture and technology have evolved together and created environments where humans, culture, and technology interact. Humans are the end users of technology. Culture identifies the social behavior and norms found in human groups and societies. These groups instill practices, influence ideas, hold unique vocabularies and perceptions, and promote management strategies for navigating technology.

  Technology encompasses the technical resources used to perform professional or personal tasks, such as projects, online banking, education, or entertainment. Through cultural practices and organizational standards, humans interact differently and use different technical approaches. For instance, Company A may operate cybersecurity as its premier culture, while Company B may operate cybersecurity as a program; the cultural approach, decisions, and work-related tasks are performed differently in each.

  While working on various federal and DoD projects, I noticed that IT and non-IT personnel alike would disclaim cybersecurity as their concern. To complicate the issue further, its integration and practices were regarded as a dark society. Was this the culture of choice? We often had security awareness training, but embracing security as a culture was of no concern. Could this be a result of compliance being treated as more important than risk?

  Corporations have historically treated security as a separate entity. When daily challenges and issues surface, many professionals say, “Call the security folks; it’s not my problem.” I never bought into this concept but believed a culture shift was required.

  As a team, IT personnel work in different skill areas but share the same vision: reduce risk and protect the system. In the US Navy, this was the culture required to keep “the ship afloat.” As I transitioned from the military, the same approach applied across many technical teams. We were successful at embracing a technology culture that served to protect data assets and information. Many projects did not adopt the concept, and ultimately, they failed.

  While working as a security analyst, I spent hours analyzing reports and creating defensive measures for various systems and applications. As always, I embraced the cybersecurity blueprint for success, Think Like a Hacker, and as I began to obtain cybersecurity certifications, the same concept applied across the Certified Information Systems Security Professional (CISSP) examination, which at the time lasted six hours and totaled two hundred fifty questions. This blueprint for success transitioned into The Cybersecurity Mindset and provided a career path that advanced beyond my expectations.

  NOW, WHY SUCH A BOOK?

  As a cybersecurity professional, I have first-hand experience with cybersecurity’s disconnections, challenges, and blueprint. This book provides a common-sense approach to the thinking process, mental involvement, and strategies needed to embrace cybersecurity. Whether your career path is directly or indirectly involved with technology, the Cybersecurity Mindset aligns with the typical engagements you experience. We are all involved somewhere, someway, or somehow.

  A reader will find various terms and examples of real-world explanations built upon previous knowledge and information shared. As a reader, one will master a structured approach to understanding the cybersecurity mentality and think “defensively” within the digital culture. Also, one will engage in familiar terms, processes, and experiences that highlight relevant situations where society and technology users are cyber-connected.

  This book’s structure and information help to articulate risks and technology as a learning vehicle rather than distant details. The book title, The Cybersecurity Mindset: A Virtual and Transformational Thinking Mode, outlines a three-layer concept that runs throughout the chapters. Each chapter strategizes and outlines the “cybersecurity thinking” mode. In essence, it emulates proper security practices.

  If you are a professional, a student, or simply intrigued by the word “cybersecurity,” The Cybersecurity Mindset: A Virtual and Transformational Thinking Mode will enhance your overall knowledge base and promote cyber awareness. The layout builds a virtual pathway to the Cybersecurity Mindset and best practices. Some may regard the methodologies as human behavior and a Cybersecurity 101 course, which is true. Fully understanding the Cybersecurity Mindset requires in-depth thinking and engagement with technology. Let’s begin the journey and dissect The Cybersecurity Mindset: A Virtual and Transformational Thinking Mode.

  • VIRTUALIZED PATH •

  INCLUSIVE CULTURE

  The most challenging aspect of technology is cultural development, as it provides the opportunity to shape security teams, staff, and non-technical professionals. The term describes how technology professionals bond and exhibit similar characteristics through their working relationships, cybersecurity engagement, and cohesion. The process can take some time and requires buy-in from managers, supervisors, and subject-matter experts (SMEs). Despite the challenges, the IT industry has developed some of the brightest talent and problem solvers. In common, everyone analyzes information and speaks a particular language. It is somewhat like program code that grows over time and becomes fixed. Before an individual finishes communicating a specific term or security-related piece of information, the recipient already knows what is being said and starts their engagement or response. Being programmed this way is not a negative unless you stand outside the culture: functional teams with no interest in cybersecurity, such as non-IT professionals. Some non-IT professionals do engage and must involve themselves with cybersecurity. As history provides the best facts and evidence, non-IT professionals grasp technology as time progresses and become cultural partners. By default, non-IT professionals are married into a technology culture driven by working relationships and curiosity. Whichever avenue constructs the cultural connection, the end state is a security culture and mindset that operates as one.

  A culture is a set of shared attitudes, values, goals, and practices that characterizes an institution or organization. Family history, college institutions, religion, and geographical backgrounds contribute to its development. How a culture responds to situations and engagements represents its thinking and mental state, since its members organize their social and professional lives the same way. Each culture can be easily identified because people display the same attributes, language, food, music, or communication style. A further definition implies that culture promotes learned behavior patterns. By default, each member behaves according to, and promotes, the group’s social norms. Once a cyber-dude, always a cyber-dude!

  The technology industry constitutes a large and very complex culture. There are penetration testers, administrators, developers, and client-service professionals. Each segment shares the common purpose of IT: resolving problems and advancing business operations. In our personal lives, we have been culturally shaped, and within IT, the same occurs. Through repeated connection, IT personnel become culturally bonded and form an inclusive culture.

  The term “inclusive” defines all the attributes and security requirements that encompass a particular culture. The over-arching strategy describes how the corporate security personnel and program should operate through a comprehensive security image. For instance, when a security analyst starts a job, they are new to the IT environment. The onboarding process and initial team meeting profile the culture. After a defined period, the security analyst can “fit right in.” Here is where the transition occurs, and they learn the IT practices, roles, responsibilities, and vision principles, which are all-inclusive to the culture. Later, the security analyst transitions to using language, terms, or security-related discussions that are culture-specific. Each is a result of learned behavioral patterns and work-related practices. These norms later become a security analyst’s survival tactic—as they must fit the cultural image!

  CHAPTER ONE

  IMAGES OF AN INCLUSIVE CULTURE?

  Technology provides distinctive elements and processes that affect our security engagements, task objectives, and team interactions. As security stewards navigate their career paths, they encounter different people, methods, and techniques for sustaining security. A steward may perform various tasks that require the same or modified policies as they develop many skillsets and move between employers, approaches, and thinking models. The outcome is a collection of ideas, policies, and working relationships that describes the organizational cybersecurity profile, leading to many cultural ideas and approaches. At first, it may be confusing, but after years of experience, they become culturally adept. Having a place in many cultures can be beneficial. The knowledge gained can sharpen technology skillsets, shape the best career path, and provide growth and value as an employee, employer, or manager, and this is where the image takes shape.

  Every enterprise has goals, policies, and regulations that describe its security operations and plans. The images are just that, a descriptive statement or required practice that represents its security objectives. The standard definition for an image is a visual representation or photo of something. In the context of technology, the photos are profile statements and operational procedures that position a company to gain security success. Throughout the business lifecycle, the images are related to its core practices and operating procedures. In the cybersecurity arena, the photos serve as standards and best practices. For instance, a risk management program may require every manager to follow organizational policies for submitting a detailed report—and this serves as the business’s “image” or operational profile. If there are deviations or individual reporting standards, the reporting system would be useless. Alternatively, individual reporting becomes counterproductive and misrepresents the policies and standards. So do not destroy the image—it represents a direction and standard. As once stated, standards are developed for a reason!

 
