Category: Information Systems
Well Aware by George Finney
This entry is an attempt to summarize George Finney’s book Well Aware. Finney relates accounts about businesses and people I had not heard before that are interesting and provide support for the larger security framework he proposes.
The author relates that the behaviors or habits of security that form the framework are like rungs on a ladder. “There are nine different cybersecurity habits, and they all build on one another like rungs on a ladder. You can still use the ladder even if an individual rung on the ladder is weak, or even missing. But the stronger the ladder, the greater the heights that can be safely reached.” (Finney G., 2020, pg. 7)
Throughout the book Finney emphasizes that security is not a technology problem but a people problem. Developing habits among the team is the main idea. Each chapter builds on the last and is dedicated to a specific habit that people can develop to become more digitally secure. The last sentence of each chapter introduces the security habit described in the next chapter. The bibliography is interesting in that each entry includes some part of the text it references. This made the references more accessible by reducing the amount of flipping back and forth between pages.
Introduction
“Security professionals will tell you that there are three parts to security: people, processes and technology. But people are the ones who write and employ processes. People are the ones who create and use technology. It should not be surprising to learn, then, that people are the cause of 95 percent of all cybersecurity incidents, according to a recent Verizon Data Breach Report. I would go further and say that people are the cause of 100 percent of cyber security breaches. These statistics have led many security practitioners to want to write off people as the weakest link in security. I would argue people are the only link in security. And if there were a way to improve human security, even by just a small amount, say 20 to 30 percent, the outlook for cybersecurity would be radically changed.” (Finney G., 2020, pg. 6) That is a lot to quote from the text, however it emphasizes Finney’s premise that people can be key to an organization’s security.
Finney continues “Security is a people problem, and people can become adept at cybersecurity by implementing certain habits and behaviors.” (Finney G., 2020, pg. 6)
Also, Finney relates, “This is one of the most important insights I can provide: As humans we have the unique ability to understand how our own minds work and then we can change our own minds from the outside in.” (Finney G., 2020, pgs. 5-6) Finney relates that having a list of tips or rules to govern a person’s behavior is not as useful as understanding people’s behavior and working to change habits to increase security.
Habit One: Literacy
“An element of security involves understanding your environment. This involves continuous learning. You need to know how your alarm system works, how to set privacy settings, and what kinds of scams to be on the lookout for. Literacy also means being aware and making informed decisions.” (Finney G., 2020, pg. 7)
In Chapter One Finney explores the concept of Fearless Learning. The idea is that an environment of trust is developed within the organization so that training can be delivered to members where they are physically located and where they are on their own cyber security learning curve, and then built on from that foundation, much as a college major is developed. The text also suggests developing methods of measuring outcomes, rather than exit-exam scores or attendance, as metrics for training success.
Self-Awareness is a subject addressed in Chapter One. Knowing yourself is part of self-awareness. Finney suggests taking a digital inventory for your organization and yourself. What accounts or systems do you have access to and what level of access do you have? Examine social media accounts and audit what information is shared on those platforms. Inventory and audit digital files and applications on your devices. This idea then feeds into knowing your enemy. Threat actors may use LinkedIn profiles or data from company web sites to build a profile and use it as part of a targeted attack. If you know what information you have and where it is stored, you may be able to develop a security plan before a breach and help stop an attack if one starts.
Tactical Literacy. In this section, Finney gives examples from philosophy and chess. The main idea expressed is “It’s not what you know about cybersecurity that matters so much as it’s your commitment to learning new things just at the time you need to know them.” (Finney G., 2020, pg. 23) Emphasis on a framework for learning is key to becoming tactically literate. As technology and attack methods change, so must we also be ready to learn new methods and technologies and respond to the changing landscape.
Establishing a framework of knowledge and response is part of the Literacy habit. Finney suggests the following:
- Develop a list of people to call in case of an incident. The Federal Trade Commission web site is suggested for information about your liability if banking or credit card information is compromised.
- Review the rules of contracts or terms and conditions. Try and determine if the terms are reasonable or if they are negotiable. Are your best interests served?
- Review the company’s information security policies. I think here he may mean the policies of a social media service, network design firm or computer programs that are purchased.
- Create a map of the information you store and who has access to that information. Audit the devices and software data on hand.
- Subscribe to news feeds to find out when your organization is mentioned on the internet. Follow associates, vendors, or others in your space on social media. (Finney G., 2020, pg. 27-28)
Secure your brain.
Finney relates information in this section regarding the human brain and how it works. Bias and skepticism are themes in this section. Finally, Finney quotes Daniel Kahneman’s book Thinking, Fast and Slow: “What you see is all there is.” (Finney G., 2020, pg. 31) I think the idea is that to be secure one has to think about what may not be apparent and not let bias get in the way of information security.
Habit Two: Skepticism
The main idea is be skeptical, listen to skeptics, listen to your instincts, and use good judgment. Listening to others with different personality types is advised because if a person is prone to be a risk taker, they might make better decisions if those decisions are tempered with insights from someone with a different point of view on risk.
Finney relates: listen to the skeptics. He uses the NASA Space Shuttle Challenger disaster as an example. Some engineers had an instinct that the Challenger was headed toward a disaster but did not have studies or data to back up their claim. Other engineers gave in to pressure from NASA to continue the launch, which resulted in disaster.
Establish credibility before trusting a source and be patient. (Finney G., 2020, pg. 7) The Zero Trust Model of Cybersecurity is part of the text discussion. The idea of the Zero Trust Model is to trust no person or input by default, whether it comes from inside or outside the organization. (Finney G., 2020, pg. 34)
Habit Three: Vigilance
“This state of mind is about keeping watch so that when you see something, you are ready to recognize it and act.” (Finney G., 2020, pg. 7)
Actions related in Chapter Three include:
- Frowning while scanning emails.
- Reducing distractions in your office.
- Avoiding an environment where normal tasks are given a false sense of urgency.
- Developing a sense of vigilance in the afternoon, as more cyber threats occur in that time frame.
- Security departments avoiding an adversarial relationship with the members of the organization. Communicate network testing to the organization so they have a sense they are part of the security team.
The idea of Chapter Three is to pay attention to detail: it develops the definition of vigilance and presents the practices in the above bullet points as a low-cost way of enhancing the network security of your organization.
Habit Four: Secrecy
“Secrecy is a natural barrier between that which is public and that which is private.” (Finney G., 2020, pg. 7)
The author relates in this chapter that classifying data by developing project portfolios and employing the principle of least privilege help keep information secret.
By classifying projects into portfolios, managers can keep information secure by granting access to a project’s information only to personnel who are members of that project’s workgroup.
Utilizing the principle of least privilege allows access to processes or programs based on the need a person may have to that process or program. For example, if a person needs access to an employee directory, the member will have access to directory information but not access to employee payroll information.
Deleting old information may play a part in an organization’s overall security strategy. Finney suggests developing a data retention schedule and deleting digital files, shredding documents and securing hardware through data destruction technology. (Finney G., 2020, pg. 79)
Perhaps the best part of the book is where Finney relates the best time to start working on security controls for your organization is now. “There is an ancient Chinese proverb that says, ‘The best time to plant a tree is twenty years ago. The second-best time is right now.’” (Finney G., 2020, pg. 77)
Habit Five: Culture
“When groups of people form, norms are established. Sometimes these norms are antithetical to security. In these cases, one person changing their behavior will not change the whole company. A culture of cybersecurity embraced at all levels of a company, government, or community is needed.” (Finney G., 2020, pg. 8)
The Culture section of the book contains a lot of good information about groups of people and the strengths and limits of their interaction. Culture is like the shell on a hermit crab, Finney explains. The shell is greater than the crab and the shell helps protect the crab. We humans have spheres we operate in that help move us through society. Finney relates that it may take as little as twenty percent of a group to engage in or disengage from an activity before the group starts to mimic the behavior. (Finney G., 2020, pg. 93) I think the idea of the chapter is that human relations are complicated and have limitations. However, if just a modest group of people in the organization adopt the habits in Well Aware a more secure culture will result.
The final pages of Chapter Five focus on specific ideas that may help improve network security. Baked-in security is described as having a security team member present in project teams to act as a consultant. Competitions gamify security, for example by holding contests to identify phishing emails. A clean desk policy has team members clear off their desks before they leave for the day. (Finney G., 2020, pg. 99)
Habit Six: Diligence
“Once you have developed security routines, you need to have a plan for orchestrating how these routines work together. After you have experienced an incident, you must have plans and protocols for handling the way you respond.” (Finney G., 2020, pg. 8)
“Diligence is the habit of taking time to think.” (Finney G., 2020, pg. 116) Thinking ahead and planning what to do when a security event occurs is part of the thinking that the habit of Diligence entails, leading the organization to become proactive instead of reactive.
Finney suggests keeping a journal and preparing lessons-learned documentation to help prepare for and learn from security events. What would you do if your computer were breached? Who would you call? (Finney G., 2020, pg. 118)
The rest of the chapter looks at best practices at an organizational level. One example Finney relates is the Tylenol poisoning crisis in 1982. Tylenol capsules were obtained, and the medication was switched with cyanide. Seven people died as a result. Johnson and Johnson, makers of Tylenol, made the decision to issue a nationwide recall of Tylenol. This cost the company market share of a popular product line. Tylenol later entered the market again successfully. CEO James Burke related in an interview that the decisions made “had splendid consistency and that was that the public was going to be served first.” (Interview on YouTube, linked below in References) I think the idea Finney proposes is that making the right decisions will be difficult but, in the end, if we all hold to the truth and each other, preferred results will follow. Finney relates, “Thinking ahead, practicing, and diligently focusing on its values led Johnson and Johnson to keep and even increase its market share.” (Finney G., 2020, pg. 129)
Habit Seven: Community
“You need help to be secure. We work together to solve problems. We share information to protect others and unite in a common defense. We must look for help not just from law enforcement or inside our companies but from peers in our industry or in similar roles across industries.” (Finney G., 2020, pg. 8)
Finney writes, “The unique thing about security is that it is, by necessity a community activity. Security is a collective process. You may be the biggest and strongest caveman in the world, but if you are alone, you may get eaten by a tiger in your sleep or have your possessions stolen by another caveman.” (Finney G., 2020, pg. 133)
Some key points of Chapter Seven are: learn from your mistakes; work together, even among your competition; communicate.
Habit Eight: Mirroring
“An element of curiosity is involved in mirroring. You want to be able to see yourself and what you look like from someone else’s perspective. Penetration testing is this habit put into practice, but so is looking at your social media profiles from different perspectives or googling your own name.” (Finney G., 2020, pg. 8)
Finney relates in this chapter that by using mirroring we try to view ourselves through the perspective of others. He suggests keeping a journal of observations that people make about us during the day. (Finney G., 2020, pg. 156) There are other tools Finney suggests; the main idea is to attempt to look at yourself from others’ point of view and make changes from there.
Habit Nine: Deception
“Deception can be both a preventative and detective habit.” (Finney G., 2020, pg. 8) Finney describes examples from history, party etiquette and cell phone technology to illustrate deception techniques for security. (Finney G., 2020, pg. 167-170)
Placing a deliberately false detail in documents, or using one as a challenge question for a caller, to check whether they are really part of your organization is an example of securing an organization using deception. (Finney G., 2020, pg. 171-172)
Conclusion
Being part of a community, sharing and discussion are part of the Conclusion chapter. Finney says “Community is the most important of the nine habits. The more openly you discuss security the greater impact you will make.” (Finney G., 2020, pg. 179-180)
Commentary
In reviewing the book and writing notes, certain kernels of thought Finney relates stand out. They could be thought of as self-evident truths.
Optimism. “Optimism is a prerequisite for success.” (Finney G., 2020, pg. 3) General Colin Powell related in an interview, “Optimism is a force multiplier.” Self-reflection on optimism is something we should all keep in mind and remind ourselves of daily. Maintaining a positive mindset toward security could be part of a greater defense framework.
Slow down. Be alert and use good judgment in your daily digital travails. Slowing down and thinking about a phone call or the source of a file may help keep networks secure. One of my teachers related to our class: “the quickest way to speed up is to slow down.” The idea being that if you slow down you may avoid a mistake. In production and manufacturing, the earlier a mistake is discovered the less expensive the solution. In computer networks the same could be said: taking time to think may avoid a costly mistake. Double check the file source, verify the sender, and closely examine a file name or web address.
“If you do not have time to do a job right when will you have time to do it over?” Performing tasks correctly eliminates the need for editing or additional production runs. Someone else thought of that quote so I will have to give them credit, but I cannot remember who. Thank you, anonymous wise person!
Suggested reading offered in the text:
The Cuckoo’s Egg by Cliff Stoll
Hacking Exposed by Stuart McClure
No More Magic Wands by George Finney
The Phoenix Project by Gene Kim
Threat Modeling: Designing for Security by Adam Shostack
Thinking, Fast and Slow by Daniel Kahneman
Noise: A Flaw in Human Judgment by Daniel Kahneman
Finally, there are so many great pieces of advice in this book that its recommendation cannot be overstated. Considering the SolarWinds breach, Operation Scattered Spider, and now the CrowdStrike lapse, this book is timely and worth your time. Highly recommended.
Kindly,
Editor
References
Finney G. (2020). Well Aware. Greenleaf Book Group Press, Austin, Texas.
Book web site: https://wellawaresecurity.com/
Wikipedia article regarding the Tylenol case: https://en.wikipedia.org/wiki/Chicago_Tylenol_murders
Wikibooks article regarding Johnson and Johnson’s crisis response effort
James Burke CEO interview: https://www.youtube.com/watch?v=4D-B3WwcIZA