Security Warrior: Cyber & Personal Security P2

Information Security Components layering the Information Assurance at three levels: Physical security, Personal Security, Organizational security. These layers protect the value of the information by ensuring Confidentiality, Integrity and Availability. (Photo credit: Wikipedia)

OK. In the previous post “Cyber Security how does it correlate to personal Self-Defense?” we left off attempting to correlate the following Cyber Security Controls with Personal Security Controls.

CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software

Now, in relation to Cyber Security, these two controls are primarily about controlling your computer environment; we don’t want rogue (unauthorized) devices or software in our environment because they introduce vulnerabilities that could be exploited.
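
As an added example (not part of the original post), here is what CSC 1 and CSC 2 look like in practice: compare what is observed on the network and on hosts against an authorized baseline and report the differences. All hostnames, MAC addresses, package names and versions below are constructed sample data.

```python
import re

# Constructed authorized baseline (CSC 1: devices, CSC 2: software).
AUTHORIZED_DEVICES = {
    "00:1a:2b:3c:4d:5e": "laptop-01",
    "00:1a:2b:3c:4d:5f": "printer-01",
}
AUTHORIZED_SOFTWARE = {  # package name -> set of approved versions
    "openssh": {"9.6"},
    "firefox": {"128.0", "128.1"},
}

# Constructed observations, e.g. from a DHCP lease export and a package listing.
OBSERVED_DEVICES = ["00-1A-2B-3C-4D-5E", "DE:AD:BE:EF:00:01"]
OBSERVED_SOFTWARE = {
    "laptop-01": [("openssh", "9.6"), ("firefox", "115.0"), ("netcat", "1.10")],
}

def normalize_mac(mac):
    """Lower-case, colon-separated form so differing vendor formats compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def reconcile_devices(authorized, observed):
    """Return devices seen but not inventoried, and inventoried but not seen."""
    seen = {normalize_mac(m) for m in observed}
    known = {normalize_mac(m) for m in authorized}
    return {
        "unauthorized": sorted(seen - known),  # on the network, not in inventory
        "not_seen": sorted(known - seen),      # in inventory, not observed
    }

def reconcile_software(authorized, observed):
    """Flag packages that are not approved, or approved only in another version."""
    findings = []
    for host, packages in sorted(observed.items()):
        for name, version in packages:
            if name not in authorized:
                findings.append((host, name, version, "unauthorized software"))
            elif version not in authorized[name]:
                findings.append((host, name, version, "unapproved version"))
    return findings

if __name__ == "__main__":
    print(reconcile_devices(AUTHORIZED_DEVICES, OBSERVED_DEVICES))
    for finding in reconcile_software(AUTHORIZED_SOFTWARE, OBSERVED_SOFTWARE):
        print(finding)
```

The "not_seen" list matters as much as the "unauthorized" one: an inventoried device that never shows up may be lost, stolen or simply a stale record.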

Just in case you are unfamiliar with the terms vulnerability and exploit, here are the definitions:

In computer security, a vulnerability is a weakness which allows an attacker to reduce a system’s information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.
Vulnerability (computing) – Wikipedia, the free encyclopedia

An exploit (from the English verb to exploit, meaning “using something to one’s own advantage”) is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something …

Exploit (computer security) – Wikipedia, the free encyclopedia

In human terms, a vulnerability is leaving yourself open so that someone can take advantage of (exploit) it and put you in a compromising position.

A common scenario is people walking around focused on their phone or tablet instead of being aware of their surroundings (vulnerability), which allows a bad guy (threat) to exploit (mugging) the vulnerability (lack of awareness).

OK, now that we have the technical jargon out of the way, how do we relate that to personal self-defense and the individual practitioner? When looking at the terms “Authorized / Unauthorized Software and Devices”, what exactly does that mean? Does it have something to do with alien abductions, rear-end inspections and then forcing you to slow dance to Lady in Red? Simply put, no.

How do we relate these terms of unauthorized hardware and software to what and who we are? When you wake up and get dressed, are you unknowingly putting on unauthorized items of clothing? Does that ugly sweater that Aunty Carol gave you leave you vulnerable in such a way that others can exploit you and then make you do things like try to eat that inedible Christmas tradition called a fruitcake? Worse yet, would they be able to remote control you like a Zombie and force you to stand under the mistletoe and kiss appalling people?

Is that piece of clothing that sticks to you via static cling considered a rogue piece of clothing? Possibly.

How about substituting unauthorized with unaware or unvalidated?

Have you validated the techniques you learned by training with a resistant partner?

The tool or tools you carry for self-defense:
Do you practice with it?
Do you practice drawing that tool from its concealed location?
Have you attended appropriate training for your chosen firearms and the potential scenarios?

Do you know anything about your local self-defense laws?
[ Defense of Personal Property ] § RCW 9A.16.020 The use, attempt, or offer to use force upon or toward the person of another is not unlawful in the following cases: [You can use reasonable force to defend your property, but not deadly force.] . . . (3) Whenever used by a party about to be injured, or by another lawfully aiding him or her, in preventing or attempting to prevent an offense against his or her person, or a malicious trespass, or other malicious interference with real or personal property lawfully in his or her possession, in case the force is not more than is necessary; (4) Whenever reasonably used by a person to detain someone who enters or remains unlawfully in a building or on real property lawfully in the possession of such person, so long as such detention is reasonable in duration and manner to investigate the reason for the detained person’s presence on the premises, and so long as the premises in question did not reasonably appear to be intended to be open to members of the public; . . . “One of the defenses to a charge of assault is that the act was committed in the defense of property of the actor, or of one whom he is under a legal duty to protect. It is the generally accepted rule that a person owning, or lawfully in possession of, property may use such force as is reasonably necessary under the circumstances in order to protect that property, and for the exertion of such force he is not liable either criminally or civilly” State v. Bland, 116 P.3d 428 (2005) fn3. (citing Peasley v. Puget Sound Tug & Barge Co., 125 P.2d 681 (1942)). [ You can even assault someone to prevent damage to or the taking of property. But you cannot use more force than is necessary, and certainly not deadly force. ]

Vilos, Evan; Vilos, Attorney Mitch (2010-06-01). Self-Defense Laws of All 50 States (pp. 415-416). Guns West Publishing, Inc. Kindle Edition.

Are there thoughts or actions leaving you vulnerable in ways that others can exploit (aka Situational Awareness)?
When attending an event do you know where the exits are?

Do you maintain an appearance of confidence? Bad guys often prey on the unaware or those who appear vulnerable.

When someone enters or is on the edge of your personal bubble, are you aware of what they are doing?
Are their hands in their pockets?
Are they demonstrating any signs of aggression verbally or physically?

When attending large public events with family, friends or partner, do you:
Have a rallying point in case of separation?
Have an exit plan in case of a violent event?

I think you get the idea or ideas presented; I’m not trying to break new ground here or reinvent the wheel. I’m just an information security nerd exploring the correlation of Cyber Security and Martial Arts or, as Datu Worden says, “Connecting The Systems” virtually and physically.


Cyber Security how does it correlate to personal Self-Defense?

(even when online!)

We live in a new age and now have a new front to have situational awareness of as well as defend ourselves and loved ones from. My primary job is working as an Information Security Engineer. Often times I find myself wondering if I could correlate Cyber Security with Self-Defense / Personal Security.  This will be my attempt at the correlation.

Cyber Security has a couple of strategies that are similar in nature, called Defense In Depth and Layered Defense. Both are about layering your defenses so that if something makes it past one layer, the next layer is able to detect or prevent the intrusion, whether the attempt is to penetrate, infiltrate and cause a disruption, or to remain hidden and exfiltrate data. If you would like to read more, here is a nice article that briefly discusses the strategies.

We also have the Critical Security Controls, created by the Center for Internet Security, that work alongside the Defense In Depth / Layered Security strategies, which finally gets me to what I’ve been wanting to actually talk about. But first let’s take a look at this list.

CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 5: Controlled Use of Administrative Privileges
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
CSC 7: Email and Web Browser Protections
CSC 8: Malware Defenses
CSC 9: Limitation and Control of Network Ports, Protocols, and Services
CSC 10: Data Recovery Capability
CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
CSC 12: Boundary Defense
CSC 13: Data Protection
CSC 14: Controlled Access Based on the Need to Know
CSC 15: Wireless Access Control
CSC 16: Account Monitoring and Control
CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
CSC 18: Application Software Security
CSC 19: Incident Response and Management
CSC 20: Penetration Tests and Red Team Exercises

Wow… that’s a lot to take in. Can some of it even be correlated? I would love to hear your opinion. The next article will take a look at the first two controls:
CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software

Can they be correlated to the individual? What about beyond the individual?