KF: Tell me who you are and what you do… and how did you get into cyber and where you are now?
ND: I’m Nick Drage, and I’m currently a “cybersecurity strategist” of a sort, but spending time in game design as well. My career has been very unplanned, evolving through system and network administration into security operations and then penetration testing; I’m now more openly being a generalist and seeing where I can make a difference.
KF: SAM / ITAM people see Info sec as a key stakeholder… but I don’t think the feeling is reciprocated! Why are you different from so many other info sec people I work with?!
ND: Because the info sec industry generally appeals to people, and rewards people, who specialise and who like detail – and it demands continual effort and education. That means its a very insular profession, where looking outside the discipline is often seen as a waste of study time.
It would be easier if I fitted into that box too, because the career paths and progression are easier – but I’m unavoidably drawn to concepts and abstractions and metaphorical connections, which is more difficult to do, and harder to define, but it can be a lot more rewarding in terms of problem solving.
KF: Is there a difference between cybersecurity and information security? Is this a new thing? Or is it just that the terminology is shifting in the way any language tends to?
ND: There’s kind of difference, but out of the two “cybersecurity” in-particular isn’t that well defined… we all kind of know what we mean by it as long as you don’t ask too many questions. I don’t think it’s a new thing, relatively, at least a couple of decades old – and I think the term “cybersecurity” has become popular because it implies more interesting and exciting situations than “information security”.
KF: I’ve noticed you use a lot of military analogies, what drives that? In what way is cybersecurity like a theatre of war?
ND: I think military practice is really useful to learn from because they’ve faced the same kind of issues in logistics, people management, planning, and conflict that we all face, but for far longer than cyber security has – and so at an abstract level war fighters have learnt lessons for the kind of situations that cybersecurity faces, so why not save time and resource and use the military’s lessons?
At the highest level of abstraction, cyber security is like a theatre of war because you have a thinking and malicious opponent, with their own limits and failings.
KF: While we were chatting, I mentioned the sort of data that we have available as a side product of our work e.g., information about the browsers deployed on the estate and who is using them… why is this information so exciting?
ND: That’s exciting because of my history in penetration testing. So as someone emulating an attacker – but with the assistance of the customer to get the most out of the available time – having an available list of the customer’s software means a penetration tester can emulate the level of attacker who has spent weeks or months mapping out their target, therefore giving the customer a much higher level of assurance. It’s the difference between being asked to navigate a journey in an unfamiliar country with some idea of the language and compass directions, and someone handing you a map.
KF: You mentioned that the sort of data we have is interesting to intruders, but probably not high value for them (canary in the coalmine!)… what do you mean by that and is there anything we should do to protect our sensitive asset data?
ND: As with the answer to the previous question, if an intruder accessed a software inventory it gives the intruder a trove of useful information to further their attack, and protects the attacker from the risk of obtaining that data using other means. Considering the evolution of Crime as a Service, meaning the general industrialisation of cyber crime, I take back what I said – some attackers might obtain that information for its own sake, just to sell it on to other criminal groups who can use it.
As for protecting that data, just use all the recommended practices for protecting data that you or your customer already use… but maybe with more alerting around suspected intrusions. That way your customers are forewarned about attacks before they reach their actual systems, because who else would attack an asset repository except an attacker with bigger plans?
KF: In your experience, what is the high value data that intruders are really interested in and what are you trying to protect us from – we hear a lot about DoS attacks, worms, viruses etc… what else?
ND: “It depends”. Really, it’s an obtuse answer, but it’s the best one. What is the “high value data” depends on who you are, what you do and don’t protect, and who your intruders are. All environments should be “threat modelled”, and you can build your answers from there.
KF: What drives the security mindset of focusing on threats rather than net benefits?
NG: I think the discipline attracts that kind of mindset, especially if you’re mindful of threats and vulnerabilities and how they can be connected together – there’s relatively few other opportunities for legal employment. Thinking about that mindset… on the one hand, it’s frustrating because it makes the discipline so pessimistic and literal, but on the other hand, it’s an understandable counter to general business practice, which seems to be to ignore problems until they’re on top of you.
KF: What language should we be using to communicate effectively with Info sec / cyber security?
ND: Just use your own language, and meet them half-way. Don’t be afraid to ask them to explain their terms, and if they’re overly dismissive of your lack of knowledge, it’s not you, it’s them.
KF: What reports should we run / conversations should we have to open meaningful engagement with info sec / cyber security?
ND: I think ask them what they want to know, or what information would make their job easier, and from there you’ll have a better idea of what direction to take. Cyber security is a relatively insular profession, so they simply might not know what you have access to, information that could save them time and effort. Oh, and ask them if they want a coffee, it’s not just a stereotype that it appears to be a caffeine driven profession….