{"id":966,"date":"2013-01-25T00:00:50","date_gmt":"2013-01-25T05:00:50","guid":{"rendered":"http:\/\/jlg.name\/blog\/?p=966"},"modified":"2013-09-01T23:48:09","modified_gmt":"2013-09-02T03:48:09","slug":"the-5-ps-of-cybersecurity","status":"publish","type":"post","link":"http:\/\/jlg.name\/blog\/2013\/01\/the-5-ps-of-cybersecurity\/","title":{"rendered":"The 5 P&#8217;s of cybersecurity"},"content":{"rendered":"<p>Earlier this month I had the privilege of speaking at\u00a0<a href=\"http:\/\/som.gmu.edu\/cyber-security-degree\/\">George Mason University\u2019s cybersecurity innovation forum<\/a>.\u00a0 The venue was a \u201cseries of ten-minute presentations by cybersecurity experts and technology innovators from throughout the region. Presentations will be followed by a panel discussion with plenty of opportunity for discussion and discovery. The focus of the evening will be on cybersecurity innovations that address current and evolving challenges and have had a real, measurable impact.\u201d<\/p>\n<p>(How does one prepare for a 10-minute talk? 
\u00a0The Woodrow Wilson quote came to mind: \u201cIf I am to speak ten minutes, I need a week for preparation; if fifteen minutes, three days; if half an hour, two days; if an hour, I am ready now.\u201d)<\/p>\n<p>Given my experience with network security job training here at TCS, I decided to talk about the approach we take to prepare students for military cybersecurity missions.\u00a0 It turned out to be a good choice:\u00a0 The topic was well received by the audience and provided a nice complement to the other speakers\u2019 subjects (botnet research, security governance, and security economics).<\/p>\n<p>My talk had the tongue-in-cheek title\u00a0<i>The 5 P\u2019s of cybersecurity: Preparing students for careers as cybersecurity practitioners<\/i>.\u00a0 I first learned of the 5 P\u2019s from my college roommate who captained the\u00a0<a href=\"http:\/\/wp.auburn.edu\/rowing\/\">Auburn University rowing team<\/a>.\u00a0 He used the 5 P\u2019s (a reduction of the\u00a0<a href=\"http:\/\/en.wikipedia.org\/wiki\/7_Ps_(military_adage)\">7 P\u2019s of the military<\/a>) to motivate his team:<\/p>\n<p style=\"text-align: center;\"><i><span style=\"text-decoration: underline;\">P<\/span>oor\u00a0<span style=\"text-decoration: underline;\">P<\/span>reparation =\u00a0<span style=\"text-decoration: underline;\">P<\/span>iss\u00a0<span style=\"text-decoration: underline;\">P<\/span>oor\u00a0<span style=\"text-decoration: underline;\">P<\/span>erformance<\/i><\/p>\n<p>In the talk I asserted that this equation holds equally true for network security jobs as it does for rowing clubs.\u00a0 A cybersecurity practitioner who is not well prepared\u2014in particular who does not understand the \u201c<i>why\u201d<\/i>\u00a0of things happening on their network\u2014will perform neither effectively nor efficiently at their job.\u00a0 And as with rowing, network security is often a team sport:\u00a0 One ill-prepared team member will often drag down the rest of the team.<\/p>\n<p>I 
mentioned how my colleagues at TCS (and many of our competitors and partners in the broad field of \u201cadvanced network security job training\u201d) also believe in the equation, perhaps even more so given that many of them are former or current practitioners themselves.\u00a0 I have enjoyed working alongside instructors who are passionate about the importance of doing the best job they can.\u00a0 Many subscribe to an axiom that my father originally used to describe his work as a high-school teacher:<\/p>\n<p style=\"text-align: center;\"><i>\u201cIf my student has failed to learn, then I have failed to teach.\u201d<\/i><\/p>\n<p>After presenting this axiom I discussed several principles TCS has adopted to guide our advanced technical instruction, including:<\/p>\n<ol>\n<li><i>Create mission-derived course material with up-to-date exercises and tools.<\/i>\u00a0 We hire former military computer network operators to develop our course content, in part to ensure that what we teach in the classroom matches what\u2019s currently being used in the field.\u00a0 When new tools are published, or new attacks are put in the news, our content-creators immediately start modifying our course content\u2014not simply to replace the old content with the new, but rather to highlight trends in the attack space &amp; to involve students in speculating on what they will encounter in the future.<\/li>\n<li><i>Engage students with hands-on cyber exercises.<\/i>\u00a0<a href=\"http:\/\/www.slideshare.net\/thecroaker\/death-by-powerpoint\">Death by PowerPoint<\/a>\u00a0is useless for teaching technical skills.\u00a0 Even worse for technical skills (in my opinion, not necessarily shared by TCS) is\u00a0<a href=\"http:\/\/en.wikipedia.org\/wiki\/E-learning#Computer-based_training\">computer-based training (CBT)<\/a>.\u00a0 Our\u00a0<a href=\"http:\/\/artofexploitation.com\/\">Art of Exploitation training<\/a>\u00a0is effective because we mix brief instructor-led discussions with guided but 
open-ended hands-on exercises using real attacks and real defensive methodologies on real systems.\u00a0 The only way to become a master programmer is to author a large and diverse series of software; the only way to become a master cybersecurity practitioner is to encounter scenarios, work through them, and be debriefed on your performance and what you overlooked.<\/li>\n<li><i>Training makes a practitioner better, and practitioners make training better.<\/i>\u00a0 A critical aspect of our training program is that our instructors aren\u2019t simply instructors who teach fixed topics.\u00a0 Our staff regularly rotate between jobs where they\u00a0<i>perform<\/i>\u00a0the cybersecurity mission\u2014for example, by participating in our\u00a0<a href=\"http:\/\/www.telecomsys.com\/services\/cyber-solutions\/default.aspx\">penetration test and our malicious software analysis teams<\/a>\u2014and jobs where they\u00a0<i>train<\/i>\u00a0the mission using the skills they maintain on the first job.\u00a0 Between our mission-relevant instructors and our training environment set up to emulate on-the-job activities, our students\u2019 experience in the classroom builds to what they will experience months later on the job.<\/li>\n<\/ol>\n<p>The audience turned out to be mostly non-technical but I still threw in an example of the\u00a0<i>\u201cwhy\u201d-oriented questions<\/i>\u00a0that I\u2019ve encouraged our instructors to ask:<\/p>\n<p style=\"padding-left: 30px;\">The first half of an IPv6 address is like a ZIP code.\u00a0 The address simply tells other Internet computers where to deliver IPv6 messages.\u00a0 So the IPv6 address\/ZIP code for George Mason might be 12345.<\/p>\n<p style=\"padding-left: 30px;\">Your IPv6 address is typically based on your Internet service provider (ISP)\u2019s address.\u00a0 In this example, George Mason\u2019s ISP\u2019s IPv6 address is 1234.\u00a0 (Continuing the example, another business in Fairfax, Virginia, served by the same ISP might have 
address 12341; another might have 12342; et cetera.)<\/p>\n<p style=\"padding-left: 30px;\">However, there is a special kind of address\u2014a\u00a0<a href=\"http:\/\/en.wikipedia.org\/wiki\/Provider-independent_address_space\">provider-independent\u00a0address<\/a>\u2014that is not based on the ISP.\u00a0 George Mason could request the provider-independent address 99999.\u00a0 Under this scheme GMU would still use the same ISP (1234), they would just use an odd-duck address (99999 instead of 12345).<\/p>\n<p style=\"padding-left: 30px;\">Question A:\u00a0\u00a0<i>Why<\/i>\u00a0is provider-independent addressing good for George Mason?<\/p>\n<p style=\"padding-left: 30px;\">Question B: \u00a0<i>Why<\/i>\u00a0is provider-independent addressing hard for the Internet to support?<\/p>\n<p>Overall I had a great evening in Virginia and I am thankful to the staff at George Mason for having extended an invitation to speak.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Earlier this month I had the privilege of speaking at\u00a0George Mason University\u2019s cybersecurity innovation forum.\u00a0 The venue was a \u201cseries of ten-minute presentations by cybersecurity experts and technology innovators from throughout the region. Presentations will be followed by a panel discussion with plenty of opportunity for discussion and discovery. 
The focus of the evening will [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[5,7],"tags":[],"_links":{"self":[{"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/posts\/966"}],"collection":[{"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/comments?post=966"}],"version-history":[{"count":2,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/posts\/966\/revisions"}],"predecessor-version":[{"id":986,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/posts\/966\/revisions\/986"}],"wp:attachment":[{"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/media?parent=966"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/categories?post=966"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/tags?post=966"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}