Thursday, September 29, 2016

The skills of a cybersecurity technical writer

According to Wikipedia, "Technical writers are professional writers who design, create, maintain and update many types of technical documentation, online help, user guides, white papers, design specifications, and other documents. Technical writers put technical information into easily understandable language. They prepare operating and maintenance manuals, catalogs, parts lists, assembly instructions, sales promotion materials, and project proposals. Many technical writers work with engineers on technical subject matters to prepare written interpretations of engineering and design specifications and other information for a general readership. Technical writers also may serve as part of a team conducting usability studies to help improve the design of a product that still is in the prototype stage. They plan and edit technical materials and oversee the preparation of illustrations, photographs, diagrams, and charts." From our own experience we can expand that list to include security policy, security awareness posters, press releases, blog posts, blog post comments and refutations, memos to management on technical issues, executive summaries of reports, technical analysis of news stories, courseware, help files, how-to's, and presentations.

Often, a technical writer must first research the topic they are writing about, so strong research skills are also important. This ranges from power searching on Google to knowing how to leverage expert sites such as Writers Write. There are more online resources than ever before; here are a few worth trying:

  • Onelook has a reverse dictionary feature: if you can't think of a word, simply enter its definition and Onelook gives you a list.
  • Wordspy tries to track the new words being used in publications. Such things should be used sparingly, but when you are trying to establish a perception of being "with it" or when targeting a younger crowd, this can be helpful.
  • SANS Reading Room contains the largest collection of security research papers on the Internet.
  • Argumentative Essays, a primer on argumentation (the persuasive research paper).
  • Most colleges and universities provide students with a large number of research tools. As a writer, it may be worth considering taking courses to maintain access, or potentially working part time for an educational institution. For instance, here are the tools available to University of Washington students.
  • Wise Old Sayings is a source for opening statements.
If you are trying to hire a technical writer, expect to see people that want to be paid as much as, or more than, system administrators or even software programmers, and make sure there is an escape clause if things do not work out. Also, the interview process is very important. Job-Interview.net lists the following as a few questions to ask a potential technical writer:

  • How would you style a document to address a technical audience?
  • Describe your experience with network infrastructures.
  • Have you ever created any online help?
In general, organizations will favor readability and clarity over perfect grammar. In fact, the more technical the material is, the less important the grammar is, while the ability to convey the thought to the reader accurately becomes very important. Nevertheless, correct spelling, avoiding the common errors of writing in English, and compliance with the organization's style guide are crucial. Some useful web resources:

How do you learn to be a technical writer? There are many programs, but the short answer is that you have to write, a lot, and your work needs to be reviewed by someone qualified to review technical security material. I have written several technical books, but the first book was the most important. I was blessed with a great developmental editor. Later in life I worked with bad editors; it wasn't much of an issue since I was seasoned by that time, but it really helped me understand how important good review is to the writing process. Before you put your money down to learn to improve your technical writing, be certain that you understand the quality and quantity of review you can expect from the program.

Wednesday, September 21, 2016

The GIAC Advisory Board and its relationship to Linkedin

The GIAC Advisory Board is a mailing list. The price of admission is to score 90 or higher on a GIAC exam. In other words, it is a meritocracy.

It was created 15 years ago because the founder of the Global Incident Analysis Center (er, uh, that too), but actually the Global Information Assurance Certification, realized that certification is hard and that GIAC would need a lot of help and advice to succeed and grow.

Over the years a number of things have happened. GIAC has grown. It is not the largest body of cybersecurity certifications in terms of credentials awarded; that is either ISC2 or CompTIA, depending on which reference source you use. GIAC is certainly the most comprehensive body of cybersecurity certifications and it is known for technical rigor, so scoring a 90 or above on one of the exams is a significant achievement.

The mailing list is private; to join, members sign a Non-Disclosure Agreement. They help each other in a number of ways. In addition to commentary about SANS and GIAC processes, they share exam practice tests, help with insights into hard problems, and even discuss security vendor products.

The list can get quite chatty when an interesting thread comes up, so many of the members use digest mode (which has its own issues). However, the members that remain on the list feel that the value is worth the trillions of electrons that laid down their lives for the cause.

Through most of its life, the list has been both private and obscure; however, in October 2015, it had a "coming out" party of sorts, primarily on the LinkedIn social network. That state change led to this blog post: if you are looking at a profile and wonder "What is the GIAC Advisory Board?", here is the answer.

Linkedin is social media designed for professionals to interact. Many people have an account, but most don't use their account actively. A common use is to find and apply for jobs. Recruiters, including technical recruiters, also use Linkedin extensively to find talent. As the original author of MGT 512 and MGT 514, I have moved away from being a packet ninja to more of a management speaker. I try to stay in touch with my former students and help them when they need to find a new job (that is a tough row to hoe when you are a middle-aged middle manager). I have found Linkedin is the most effective tool for that task that I have in my toolbox.

One aspect of Linkedin is that it records the state of conversations over years. This provides a potential release from the "Dunbar number" (the idea that you can only maintain about 150 relationships). Over the years, I have found Malcolm Gladwell's The Tipping Point to be a useful thought model. Brad Hunter explains the Law of the Few as well as I have ever seen it:

"The law of the few is a law about the structure of our social network and how messages are passed through word of mouth. It attempts to classify three important types of people who affect the rapid spread of messages through the network. These three types of people are connectors, mavens, and salesmen."

Word of mouth? Social media has really changed that concept. Word of keyboard? I am trying to collect examples of "perceptors", things that influence or attempt to influence our thinking and beliefs. You can't spend much time on Facebook or Linkedin without seeing something obviously fake like the story of Sgt. Gregory Hayes. I ignore such things on Facebook, I guess that is what it is there for, and unfollow people that post racist untruths on Linkedin. I still remember the first time I met someone that actually believed the photo of President Obama doing the pledge with the wrong hand. The man was convinced, even when I showed him the Snopes writeup. This gives me hope that the things we post will help shape a positive, more secure future.

I am going to try to explain how Linkedin can be used (with a little elbow grease) for each role: connectors, mavens, and salesmen.

     "Connectors are the socialites. They are people with many friends and acquaintances who spend time maintaining these connections. From the network perspective, these are the most central nodes in the social network. Gladwell devised a simple test which allowed him to determine that the number of connections a person has is measured by a power law. This means that connectors are rare in society, but they maintain many more times the number of relationships than the average person does. Because of their ability to spread a message to a huge number of people quickly, connectors are central to understanding how tipping points are reached."

Gladwell asserts connectors can exceed the Dunbar number and maintain over 150 active relationships. Every Thursday, I receive an email with the details of persons that scored over 85 on their GIAC exams and are being invited to the SANS Mentor program (I created this program 16 years ago to help reduce the SANS instructor shortage problem).

I look up each name on Linkedin. If they are a 3rd level connection, I use InMail to congratulate them on their score and ask them to consider linking to me. If they are a 2nd level connection (we have at least one 1st level connection in common), I write to a common 1st level connection and ask for an introduction. If they are a 1st level connection I try to write and congratulate. This is very manual and takes about two hours a week, but in 2016 I crossed the 10k 1st level connection milestone. They aren't all my Best Friends Forever and I am sure I am linked to a few fictitious persons, but this fuels my efforts to serve the community as a maven.

     "Mavens are the information gatherers of the social network. They evaluate the messages that come through the network and they pass their evaluations on to others, along with the messages. We can view mavens as regulators of the network because they have the power to control what flows through the network. We trust mavens, and this is especially important because their assessments can often make or break the tipping of an epidemic. Mavens drive many of our social institutions. They are the people who inform the better business bureau, regulate prices, write letters to senators, etc. in order that the rest of us don't have to. Though Gladwell does not argue this explicitly, his description of mavens suggests that mavens can be specialized in areas of expertise and thus many of us may be mavens in our particular areas of interest."

Most people do not use Linkedin actively outside of job searching and recruiting and doing some Facebook style scanning. I try to use my account to share information and ask for information. I have been doing this for years. It has taken a lot of patience but I am finally escaping from the "land of small numbers".

If you have ever blogged, Facebooked, tweeted, etc., you probably notice that you commonly get 30 or maybe even 100 pageviews. That can be disheartening when you think about the hours of research and writing. Fifteen years ago, when I was writing books like Network Intrusion Detection (my co-author Judy Novak was the real reason for the success of that project), tens of thousands of people would read my posts, and I was dumb enough to think it would always be that way.

If I write a blogpost on Yogi's training log, an average of 18 people will read it. That doesn't bother me; I have to keep this as a record since he is actively in training as a service dog. If I post something on Facebook, I might get two dozen likes. This is what I call the land of small numbers. But Linkedin, for whatever reason, has more firepower. Last year I broke a thousand pageviews (for a single post) for the first time. Now, with my larger network, it is not uncommon at all for a post or update to do so: "word of keyboard". I try to post useful information, but I am also committed to using my network as a sales and marketing tool.

     "Salesmen are what the name implies. They are persuaders who are capable of propagating messages through the force of their character. Thus, regardless of the message content or their expertise in the area, they have a certain ability to sell which helps them move messages which may be of importance to them. This ability to persuade strangers to accept a message is why salesmen are important in tipping epidemics."

There is a section about sales in MGT 512. The point I try to make is that security does not sell itself, so we have to sell it. If we are going to sell, then we need to understand the sales cycle. SANS has been kind enough to allow me to chair a conference each year (hope to see you at Rocky Mountain 2017 :). This allows me to keep working on these skills. Direct paper mail and email advertising are only so effective; we know, because we measure everything. Linkedin word of keyboard lets me reduce my reliance on these tools.

The GIAC Advisory Board is another tool that I am very thankful for. I have asked for help many times and have tried to give help as well. We suggest that new members post their Linkedin URL and hope they will be open to linking with other Advisory Board members. For myself, for all the reasons I have mentioned, this is synergistic. For other people, especially those who don't use Linkedin, this is a distraction. Two suggestions:

  • Turn on digest mode if you haven't. This way, during a "Linkedin flurry", you can easily see which posts you want to look at. SANS really can't filter out Linkedin URLs because some people want to see them.
  • Think a bit about the connector, maven, salesperson model. There is no need to be in a hurry to build a Linkedin network, but it is a good idea to do BEFORE you are looking for your next career opportunity.
If you read this far, bless you! Don't be shy about asking to use my network, that is what it is here for. If you are having a hard time filling a job position, I would like to help you get the word out. If you took the time to research something and wrote a blogpost, I would love to put out an update with the URL. And if you are on Linkedin and on the GIAC Advisory Board, please put that in your profile. We aren't Jedi knights or any such thing, but it is something to be proud of; every month or so I get a note from someone saying, "durn it, I scored an 88".


Tuesday, September 20, 2016

How to select a cybersecurity graduate school

Upfront disclaimer: I am biased. I am the chair for SANS Rocky Mountain 2017 and Director of Academic Advising for the SANS Technology Institute. That said, I am going to try to offer a range of thoughts from many sources.


This all started when I received an email from the Senior Editor at www.cybersecuritymastersdegree.org, recommending their website as a resource.

I went to their website and it looks pretty good and seems to be balanced. But it got me thinking. What if I enter the search string "how to select a cybersecurity graduate school" into Google?

The top ranked, non-ad site for that query is the University of San Diego. They offer commonsense advice: "There are a number of factors to consider, including school reputation, teacher caliber, cost and curriculum that can help you narrow down your options."

And they ask an important question (that I do not think they really answer): "So how do you determine what schools have the best reputation in your field?"

The number two hit was bestschools.org listing the 25 best online programs. According to them the top three are Penn State, Northeastern, and Boston University. This is clearly proof that the Northeast coast rules the cybersecurity roost. BZZT.

Next up, Cyberdegrees.org, with Regis, Capella and Syracuse. They look even less believable. Sigh.

Let's change the search string to simply "cybersecurity graduate school".

The top ranked, non-ad site for that query is gradschools.com; they have a filter system and run a number of scripts in your browser. Their ranking is Kaplan, Syracuse, University of Delaware.

The number two hit was a CSO article and their top three were: American Military University, Carnegie Mellon, and Fordham. At this point, I am fairly sure that everyone but the University of San Diego is making this stuff up.

OK, let's try for some ground truth: for each top-3 school, let's Google the name of the school and the word cybersecurity and put them in rank order by result count. I am also going to add Norwich and Purdue, because I am familiar with their programs, and SANS.

American Military University 1.26M
University of San Diego 980k
University of Delaware 829k
Boston University 770k
Penn State 598k
Northeastern 372k
Purdue 321k
SANS Technology Institute 312k
Carnegie Mellon 302k
Kaplan 262k
Syracuse 224k
Norwich 181k
Regis 137k
Fordham 121k
Capella 71.4k


My next step is to reply to Shaun McKay, Senior Editor, and ask for his take.

Monday, September 19, 2016

Robert Maughan's tips for briefing senior executives

When I asked for help with "What does it mean to brief at the CIO level", I got this note by email. I think it is worth reading in its entirety. Thank you Robert!

I did a three-day "how to deal with CXOs" course where we were presenting to actual FTSE 100 executives. It was from the point of view of consultants coming in to pitch to the board, so not all of it would be relevant to an internal team. After the course I pulled together a list for reviewing before going into a top-level meeting. After some discussion with other people on the course we ended up with the following.

I have this printed out on a single side of A4 paper for review and read it before any top level meeting.

The single most important thing to remember is "What is the benefit for the company?" Stop talking about features of the solution and focus on what it will deliver.

Kind regards

Rob

The only thing you can ever really sell is yourself
  • People do business with people they trust and preferably like


Proper Planning and Preparation Prevents Poor Performance
  • Anticipate objections and prepare to rebut them
  • Empathise with the client and understand their needs

Set an Agenda in advance
  • Be specific
  • Be prepared to go in a different direction if they want to


Benefits Driven
  • Deliverables are features, CXOs buy benefits
  • Talk about what it does for the business and when
  • Where have we done this before and what did they get out of it?


Credibility
  • Have case studies
  • Know the benefit delivered by the study


Be Bold
  • There are no shy CXOs
  • Act as an equal if you want to be treated as an equal


Start with an icebreaker
  • This lets everyone settle down before business
  • Helps to build the relationship
  • Let them move things to Business


Always do introductions
  • Yourself.  You may remember them but they see a lot of people
  • Company.  They have talked to a lot of companies since you were last here

Pay attention to their cues
  • Listen for verbal indicators of interest or disinterest
  • Watch for body language indicators as well
  • Did they just hint at information you should dig for?
  • Did they just reference an opportunity you were not aware of?


Always summarize
  • Make sure you both had the same meeting
  • Confirm follow up action for both sides

Send a thank you
  • Courtesy costs nothing and increases the chance you will be remembered
  • A chance to confirm the next steps in writing

A pair works better than someone flying solo
  • One to talk and one to listen/watch
  • Someone to help you recover if you fumble


Saturday, September 17, 2016

What does it mean to give a security presentation on Cyber Threat Intelligence at the CIO level?

A team of cybersecurity experts was recently asked to explain the results of their research in Cyber Threat Intelligence to a CIO panel. Thirty minutes was set aside in a meeting for the presentation and Q&A. They spent seven of the minutes running a simulation of a scan. The CIO asked them to terminate the presentation and leave the room. She turned to the director for cybersecurity and said, "Reschedule, but only after you have explained how to give a presentation to executives."

Problems should always be categorized as common cause, (happens a lot), or special cause, (once in a lifetime). Sadly, poor security briefings are common cause. 

As toolbox puts it:
During my career I've seen security presentations evolve from symbols chiseled on rocks, to puppet shows, to large paper pads on easels, to vector-graphic infested Powerpoint presentations to cinematic-quality 720p slideshows.

And they still stink.

Two suggestions that the author makes are:

  • Keep the number of slides to an absolute minimum. I use a "1 for 2" rule (and even that is generous) - one slide for each two minutes of speaking.
  • Sell, baby sell. Sell the message of your presentation. It should be very clear in your last few minutes of your presentation because you used the outline format I recommended, right? Keep your summary clean, clear, and to the point. I always find that ending on a humorous note tends to garner much higher scores on post-presentation scorecards.
NOTE: Keep in mind that the most important thing to sell is yourself; people do business with people they trust and hopefully like.

CIO magazine points out that senior executives are concerned with strategic issues and may be irritated by technical and tactical presentations. The article goes on to say:

Just as your message should be succinct, so should the supporting visuals. One common mistake CIOs make is dumping every piece of data they have into a PowerPoint presentation and dragging the board through every bit and byte. 

Stephanie Woiciechowski, a member of the GIAC Advisory Board, has this to say about strategic thinking: "Having been a hands-on bits + bytes person, the strategic perspective is something I just began to understand a few years ago because 'strategy' when you're hands on and focused on your job means something different to you than it does to the C-level types.

I tried to listen to advice and present a strategic perspective but I didn't know enough about how my team fit in the larger picture and what that larger picture was. It's hard to understand how the details you find fascinating aren't strategic at the C-level and it's hard to understand how the C-levels can make strategic decisions when they don't understand the details."

Senior executives like the CIO are involved in the organization's strategic planning process. There are many definitions for strategic planning, but a common one is the set of strategies to achieve the organization's vision for two to five years from now. Tactical thinking, which is common for cybersecurity professionals, concerns the activities to be accomplished between now and a year from now. It is completely true that the strategies that make up the strategic plan depend on tactical activities. However, senior executives are responsible for more than cybersecurity; they have to lead the entire business. When briefing them about tactical activities, be sure to tie the discussion to the strategies of the business. As Robert Maughan puts it, "The single most important thing to remember is 'What is the benefit for the company?' Stop talking about features of the solution and focus on what it will deliver."

This Harvard Business Review blogpost summarizes all the tips succinctly.

A SANS Reading Room paper by Jeff Hall suggests using the pyramid principle. If you have ever heard me teach, you know that I often start a new section by saying, "let me tell you the bottom line first." The tip of the pyramid is the message or theme to be communicated. Underneath the tip are the supporting facts. The further down you go, the more detail is offered. When briefing senior management, expect to brief the tip and the first level down, and conclude by restating the tip. However, be prepared to answer questions on any part of the pyramid.

Anticipating questions is an important part of presentation preparation, pragmaticcloud suggests:

When preparing for a meeting or presentation it is also beneficial to view things from the senior managers’ perspective and try to anticipate questions they may ask.  For example, if preparing for a presentation ask yourself what questions may be asked about each and every slide, and about the presentation or topic overall.  Then prepare answers, in executive summary form (less is more), for each of the questions.  It is amazing the difference this can make in the level of confidence you will have in yourself, and the executives will have in you in return. 

NOTE: Anticipating questions is extremely important, but don't forget to prepare to address objections as well.

Three weeks later the team of security researchers returned to the boardroom. Their presentation was better, but the question handling was still below par. The CIO's first question was about the business case: "So, you've identified a problem and devised a solution. Quantify, or qualify, the risk for me vis-à-vis the cost of fixing it. Is this worth doing?"

The researcher that gave the presentation identified a range of possible motivations and actors, and offered an overall recommendation to configure the system to log and report significant events, followed by analysis and correlation, to include a deep dive if indicators are seen. He proposed only one course of action, with no alternatives (better, quicker, cheaper, more risky, whatever) on offer. He could not offer any real sense of the cost of the problem vs. the cost of the fix.

The second researcher identified a potential ideological motivation by way of the presence in Indonesia of GIAC Enterprises, the largest provider of fortune cookie sayings in the world. He also identified the potential to modify fortunes to put out a hacktivist message. His recommendation went down a Cyber Threat Intelligence road, in that he proposed to use this methodology to figure it out and devise an incident response plan. This offered course of action went into zero detail and didn't explain what CTI was beyond, apparently, a silver bullet with no cost and no risk.

After they left the room, the CIO turned to the director for cybersecurity and said, "Can you work with your people to find out whether what they are proposing is the ideal solution, and whether there is possibly an easier or cheaper option that could be acceptably effective? (Alternatively, if they have identified a minimal solution, 'How would the ideal solution look and what would it require?') Please write up a one-page paper summarizing the information and send it to me."

The entire ordeal changed the director for cybersecurity's perspective. He began to study the art of presentations to executives. One article he found stated, "Executive boards are always looking to answer the question 'how secure are we?'" So he created a presentation that answered that question, kept it up to date, and stayed prepared to address the question in ten minutes or less. When GIAC Enterprises finally grew to a size where they were ready to create a CISO position, he was offered the job.


Wednesday, September 14, 2016

SANS MGT 512 Study Questions


Management is doing things right; leadership is doing the _____ things. 
right


With Bobby Fischer's King's Indian strategy, every ______ was in support of his overall strategy.
move or  tactical decision are both correct answers.


What is the Bias Blind Spot? 
Human beings tend to believe that our self-assessments are always more accurate even when presented with objective data that demonstrates how those assessments may have been biased.
( This may not be in the course yet, And while we can see the bias in other people, we can’t see it in ourselves. )

Define: MoSCoW
 “Must,” “Should,” “Could,” “Won’t”

Define: TL:DR
Too Long: Didn't Read

What is the primary reason for a project charter?

The charter primarily documents the authorization granted or bestowed upon the project manager by the management to accomplish the project.

When a project manager hears the expression "While you are at it..." or "That's nice, but" their ears should perk up because the speaker is probably suggesting _____ _____.
scope creep

What is a MAC flooding attack?
A MAC flooding attack seeks to overwhelm the CAM table of a switch, forcing the switch to begin sending all packets to all ports. Macof, part of the dsniff distribution, is an example of an attack tool that facilitates this.

Note: the notes do not specifically define VLAN tagging attacks.


How do spanning tree election attacks work?
Spanning tree election attacks can be used to create both confidentiality and denial-of-service conditions. If an attacker has access to switch ports that are able to become trunk ports, he can introduce a rogue switch into the network that claims to be "priority 0" (the best link). The spanning tree protocol reconfigures to favor the rogue switch, causing all traffic to cross through it so the attacker can sniff the traffic; and since traffic from higher-bandwidth links is diverted onto his link, it slows the network down.


512.2

What is a protocol data unit?
It is a logical unit of information. The Layer 2 (Data Link Layer) PDU is the frame. The Layer 3 (Network Layer) PDU is the packet. The Layer 4 (Transport Layer) PDU is the segment, (TCP header plus data), for TCP. In the case of UDP it is the datagram. Some people try to find distinctions for layers 5, 6, 7, but that is less clear cut.

Why do we say your network is almost certainly running IPv6?
Because all modern computers support both IPv4 and IPv6.

What layer protocol is ICMP?
ICMP is NOT layer 4, a transport layer. It is an extension of IP, the network layer, OSI layer 3, for the purpose of troubleshooting and reporting errors.

What is the Microsemi/Actel ProASIC3 backdoor problem?
This USA-designed, China-manufactured chip is reported to have a back door, with an exploit observed in the wild in 2012. This is a problem since it is popular for military and industrial control uses. https://www.schneier.com/blog/archives/2012/05/backdoor_found.html

Why is the fact Stuxnet was signed with a legitimate key important?
Many industrial control systems will not execute code that is not signed by a legitimate key. This is also true in the Windows 10 security model (though there are ways around it). Stuxnet was signed with a certificate from JMicron Technology Corporation, which Verisign revoked as soon as the news broke. Stuxnet drivers were also signed with Realtek's key. Both companies had offices in the Hsinchu Science and Industrial Park in Taiwan. Both companies were issued new certificates after the ones used in Stuxnet were revoked. The lesson is that signed code alone is an insufficient security model.

What is a Next Generation Firewall (NGFW)?
Next generation firewalls (NGFWs) go beyond the static inspection of traditional firewalls by carrying out stateful packet inspection right down to the application layer. This allows them to block packets that are not matched to known active connections, to block unwanted application traffic (rather than traffic on specific ports), and to keep network ports closed unless they are actually in use, which provides some protection against port scanning.
http://www.esecurityplanet.com/network-security/evaluating-a-ngfw-here-is-all-you-need-to-know.html

In the context of computer virtualization what is VMX?
VMX, also called x86 virtualization, refers to CPU support for virtualization (multiple systems sharing x86 processor resources in a safe and efficient manner). Intel's version is called VT-x and is present on all modern advanced processors. A key security benefit is that it allows functions that used to be done in software (the hypervisor) to be done in hardware, which is presumably safer.

What does Sandboxie do?
In computer security, a sandbox is a security mechanism for separating running programs. It is often used to execute untested or untrusted programs or code, possibly from unverified or untrusted third parties, suppliers, users or websites, without risking harm to the host machine or operating system (Wikipedia). Sandboxie is a Windows tool that runs a program inside such an isolated container: the file and registry changes the program makes are captured in the sandbox and can be discarded afterwards. It is used to make web browsing and email safer and to run or test untrusted software.

What is the primary purpose of Syslog?
To collect the event messages sent by operating systems, network devices and applications into one place, a local log file or a central log server, where they can be retained, searched and correlated. Syslog is both a message format and a transport (RFC 3164, later RFC 5424); each message carries a facility and severity, a timestamp, the originating host and the free-text event.

What is referential data in the context of logging?
Syslog and Windows event logging are typically "thin" logs: the application sends the information it knows, but that information lacks context. Referential data is the information held elsewhere (asset databases, DHCP and VPN logs, IDS consoles, ticket systems) that is joined to an event to "fatten" it. Examples, using the IP address in the event as the join key:
  • MAC address history for the IP address for as long as it has been active
  • Physical location and point of contact (POC) for the IP
  • Whether the IP was used over a VPN or wireless connection
  • Results of security reviews involving that IP
  • Whether the IP ever appeared in DShield, Snort, IPS, syslog or event logs as a victim or attacker
  • Whether the IP ever appeared in a Remedy trouble ticket

Monday, September 12, 2016

What is a copyright?

The USPTO says, "Copyright is a form of protection provided to the authors of original works of authorship including literary, dramatic, musical, artistic, and certain other intellectual works, both published and unpublished. The 1976 Copyright Act generally gives the owner of copyright the exclusive right to reproduce the copyrighted work, to prepare derivative work, to distribute copies or phonorecords of the copyrighted work, to perform the copyrighted work publicly, or to display the copyrighted work publicly."


Copyrights, like patents and trademarks, are a public claim of ownership and confer a limited monopoly over intellectual property. Copyright protects the form of expression rather than the subject matter of the writing. For example, a description of a machine can be copyrighted, but this only prevents others from copying the description; it does not prevent them from writing a description of their own or from making and using the machine. Protection is limited to the particular expression of an idea, process, or concept in a specific form. Copyright does, however, reserve to the owner the right to prepare derivative works based on the original. Fair use provisions of the copyright law allow limited use of copyrighted material without the author's permission for specific purposes.


The Berne Convention
The Berne Convention of 1886 provided the basis for mutual recognition of copyright between sovereign nations and promoted the development of international norms in copyright protection. Instead of requiring separate registration in every country, the European nations that drafted it agreed on a uniform set of minimum protections and to recognise each other's works automatically. The treaty has been revised several times since 1886, most recently in Paris in 1971 (amended in 1979).

Today the Berne Convention, administered by the World Intellectual Property Organization (WIPO), remains the foundation of international copyright. It is supplemented by the WIPO Copyright Treaty of 1996, which extends it to computer programs and databases and to which well over 50 countries are party.

History of copyright
Copyright law started with the Statute of Anne, the world's first copyright law, passed by the British Parliament in 1709 and in force from April 1710. Yet the principle of protecting the rights of artists predates this.

In the US, "the First Congress implemented the copyright provision of the U.S. Constitution in 1790. The Copyright Act of 1790, An Act for the Encouragement of Learning, by Securing the Copies of Maps, Charts, and Books to the Authors and Proprietors of Such Copies, was modeled on the Statute of Anne (1710). It granted American authors the right to print, re-print, or publish their work for a period of fourteen years and to renew for another fourteen. The law was meant to provide an incentive to authors, artists, and scientists to create original works by providing creators with a monopoly. At the same time, the monopoly was limited in order to stimulate creativity and the advancement of 'science and the useful arts' through wide public access to works in the 'public domain.'"

Not everything can be copyrighted
Here is a blog about intellectual property in general, but it starts with a discussion about what cannot be copyrighted. It includes topics most of us do not think about such as fan fiction and impromptu dance steps.


Creative Commons
The Berne Convention requires that every work be automatically considered copyrighted and receive full copyright protection, without registration or notice. That is what created the need for Creative Commons licences in the first place: if works were not fully protected by default there would be little need for CC licences in most cases. Creative Commons licences, developed by the nonprofit organization of the same name, are built on top of copyright rather than replacing it. By default an original work is protected by copyright, which confers specific rights regarding use and distribution; a CC licence lets the owner release some of those rights in advance while retaining others, with the goal of increasing access to and sharing of intellectual property. By 2015 at least one billion works had been released under Creative Commons licences.

Application of copyright information for an information assurance manager

  • Anything and everything placed on the Internet is likely to be copied. Strong organizational control over what information is placed on Internet-facing systems is advised.
  • Organizations with a large amount of Internet-facing information, such as The SANS Institute, need to invest in an intellectual property incident handling capability to detect and respond to infringement.
  • Adobe PDF security (passwords and permission restrictions) can be defeated trivially.
  • All known ebook DRM implementations can be broken given sufficient time.
  • Some European nations, especially in Scandinavia, are beginning to question whether copyright is valid as a concept.
  • Within the US, the DMCA notice-and-takedown process yields quick and effective results, and polite takedown notices work just as well as harsh ones.

What is Intellectual Property?

According to WIPO, "Intellectual property refers to creations of the mind: inventions; literary and artistic works; and symbols, names and images used in commerce."

Intellectual property shares many of the characteristics associated with real and personal property. It is an asset and, as such, can be bought, sold, licensed, exchanged, or given away like any other form of property.


The intellectual property owner has the right to prevent the unauthorized use or sale of the property. However, unlike physical property, intellectual property (IP) is intangible. It cannot be defined or identified by its own physical parameters. It must be expressed in some discernible way to be protectable. Countries vary in how they regard and protect intellectual property. In some cases, you may need to file for intellectual property protection in multiple countries. Be sure to fully research and understand the intellectual property laws and protections in each country you're involved with.

Intellectual property is at a dynamic tension with antitrust law. Intellectual property law rewards and encourages innovation by providing limited monopoly rights, while antitrust law prohibits monopolization. But ultimately, as US IP Guidelines emphasize, both serve, and are interpreted by U.S. courts and enforcers to further "the common purpose of promoting innovation and enhancing consumer welfare." Because of the "public good" qualities of intellectual property, the essence of intellectual property rights is the right to exclude. This right exists regardless of whether an intellectual property owner, say, a patentee, actually practices and markets her invention. Consistent with this approach, while the antitrust laws generally prohibit certain exclusionary conduct, they "do not negate the patentee's right to exclude others from patent property." Under the IP Guidelines, even if an intellectual property owner is found to have market power, that market power, if not otherwise unlawful, does not "impose on the intellectual property owner an obligation to license the use of that property to others."

Over the past 30 years, our understanding of the importance of intellectual property has grown steadily. If the 1970s was the decade of lost innocence about risk, then the 1990s was the decade of lost innocence about IP. Until the early 1980s, decisions about IP attracted relatively little public attention.

In the 1990s, intellectual property was increasingly recognized as the defining marketplace advantage. In 1995, the US exported $27 billion in intellectual property while importing $6.3 billion.

On April 11, 2012, the U.S. Commerce Department released a comprehensive report, entitled "Intellectual Property and the U.S. Economy: Industries in Focus," which found that intellectual property (IP)-intensive industries support at least 40 million jobs and contribute more than $5 trillion, or 34.8 percent, to U.S. gross domestic product (GDP).

Today, most organizations understand the importance of IP, "IP also facilitates the organization in gaining sustainable competitive advantage in the market."

Information-centric defense starts with an awareness of the value of each category of information in the organization. Identify the most valuable information and implement controls so that only authorized employees can reach it. A good starting point is to identify your organization's intellectual property, confine it to a single network segment, assign a single group of system administrators to that segment, mark the data, and monitor thoroughly for data carrying that marking leaving your network.