Great Learning & Information Security - English Edition
Description
How the ancient Chinese classic, the Great Learning, remains relevant to the modern information security profession. This presentation shows, side by side, how what was true back in 400 BC can also apply to the 21st century. It is also the first book on MaaS (Management as a Service).
Great Learning & Information Security
How an ancient Chinese classic remains relevant in modern information security
Chuan Lin, CISSP
Great Learning Background
Who wrote it?
• Zengzi, a disciple of Confucius, wrote the Great Learning.
What is it?
• It is the first self-help book that has withstood the test of time, and the first book on Management as a Service (MaaS) to others.
Great Learning Background II
When was it written?
• It was written sometime between 445 and 436 BC, during the Spring and Autumn Period of Chinese history, when China was a feudal sovereignty consisting of a hundred city states that owed loyalty to the Zhou Dynasty.
Where did it flourish?
• At the time it was written, the Great Learning was just another school of thought contending with hundreds of other ideas. Later, it became one of the three main core philosophies of China.
Great Learning Background III
Why does it matter?
• Its opening statement is no different from the mission statement of the (ISC)2 and SANS Codes of Ethics.
• While knowledge of the 10 domains and technical information is necessary for the information security professional, a person's ethical standard is expected, but not much direction is given other than to follow various laws and rulings such as HIPAA, SOX, GLBA, Safe Harbor, etc.
• I believe the Great Learning can be a useful guide for Information Security (InfoSec) professional ethics.
Goals of Great Learning/InfoSec
What do we want to accomplish with our lives and our career?
“大學之道,在明明德,在親民,在止於至善。”
The Dao of the Great Learning is to illustrate illustrious virtues, to renovate the people, and to rest in the highest excellence.
“Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.”
- (ISC)2 Code of Ethics
GIAC Code of Ethics
• Respect for the Public
• Respect for the Certification
• Respect for my Employer
• Respect for Myself
SANS Code of Ethics
• I will strive to know myself and be honest about my capability.
• I will conduct my business in a manner that assures the IT profession is considered one of integrity and professionalism.
• I respect privacy and confidentiality.
7 Steps to Illustrating Illustrious Virtues
Seeking Self Improvement First
“知,止,定,靜,安,慮,得”
knowing, ceasing, steadying, calming, quieting, pondering, obtaining
7 Steps of Acquiring Illustrious Virtues
How can these seven internal self-improvement steps have an impact on oneself and one's InfoSec career in modern times?
知 Knowing
Self Improvement
• In the corporate world, we are trained to exploit the company's strategic strengths while shoring up the company's weaknesses.
• In an engineering environment, we are trained to find and rectify any product defects before they go to market.
• Shouldn't we train ourselves to find the weaknesses within ourselves before we or someone else initiates a zero-day attack against us?
InfoSec Professional
• I have to know a company's security status: where its strengths are and where its weaknesses are.
• I have to know the company's business goals, its chain of command, its culture, its behaviors, and its processes.
• I have to know its defense-in-layers structure, its log controls, its state of readiness, its state of responsiveness, etc.
止 Ceasing
Self Improvement
• Ceasing is to prevent the breach of trust.
• To Cease one's vices through gradual reduction, redirecting attention to healthier alternatives, or going cold turkey.
• To Cease through forming new habits, rewarding oneself for achieving milestones, and attending support groups.
InfoSec Professional
• Ceasing is to prevent the breach of trust.
• To Cease internal risks through reduction, mitigation, avoidance, or elimination.
• To Cease through log controls, separation of duties, enforcement of least privilege, a secure software development lifecycle, and making employees more security aware.
定 Steadying
Self Improvement
• We know our strengths and weaknesses.
• We curb our indulgences and capitalize on our strengths.
• These give us the confidence to stand against external pressures and attacks.
InfoSec Professional
• We know our company's security status.
• We have reduced our company's risk level.
• This gives us the confidence to remain level-headed when external threats appear.
靜 Calming
Self Improvement
• You are only able to maintain calmness after patching your flaws, because you no longer have to worry about them being exploited.
• Peace of mind leads to a healthy body.
InfoSec Profession
• Calming comes when the company is safe from internal and external threats.
• Calming allows the company to plan its business strategy.
安 Quieting
Self Improvement
• Quieting is the result of Calming. While Quieting allows you to think clearly, Calming allows you to act without disruption.
• Quieting allows you to focus on the task at hand without distraction.
InfoSec Profession
• A company that is secured and well defended is free to focus on pursuing its objectives.
• Security awareness has become part of the business culture or norm, so that employees are able to sharpen their security mindfulness without intruding on or interrupting day-to-day work functions.
慮 Pondering
Self Improvement
• Without worry and without stress, you are free to digest information and determine how it improves your health, your social and family life, and your career.
• You are able to plan ahead to where you want to be in 6 months, 1 year, 5 years, or even 10 years.
InfoSec Profession
• Pondering allows a company to analyze its business or marketing objectives, to review its information technology, and to anticipate future trends and threats.
• In the earlier Ceasing and Steadying states, the company is focused on managing immediate risks. At Pondering, the company now has the luxury to look ahead, anticipate new risks, and be prepared for them.
得 Obtaining
Self Improvement
• Peak virtuous state:
  • Stress free from fear of personal flaws
  • Have an actionable life plan
  • Achieving equilibrium of body and mind
InfoSec Profession
• Peak security awareness state:
  • COBIT's Optimizing Process
  • ITIL's Optimized Maturity Assessment Level
  • Security Awareness Roadmap: Metrics Framework
Internal Sagacity, External Sovereignty
How to Renovate People and Rest at the Highest Excellence
Or: How to Manage Self Before Managing Others
內聖
外王
格物,致知,誠意,正心,脩身
Investigation of Things, Knowledge, Sincerity, Rectification, Self Cultivation
• Before managing others, first make sure you have successfully managed yourself.
• You must be able to withstand the scrutiny of others.
• Your actions, your behaviors, and your words will be constantly observed and judged.
• This is especially true in the age of Facebook, Twitter, and Instagram, where every little transgression will be caught on camera and spread like wildfire.
• There are people who love nothing more than to tear down a public figure.
內聖
格物 Investigation of Things
Self Improvement
• …to know the ten thousand things around you in order to use them to help Heaven Below…
• Know your stuff outside your work.
• All things have a beginning and an end.
• All things have patterns.
• All things have a purpose, whether you realize it or not.
InfoSec Profession
• Information Security is about providing data availability, confidentiality, and integrity.
• Ideally, we would like to get involved at the beginning of all projects because of our concern for information security.
• Externally, we need to know what regulations, laws, and audits are required for this project.
• Internally, we need to know what our administrative, technical, and physical constraints are for this project.
致知 Knowledge
Self Improvement
• Know who you are in relation to all things around you.
• Regardless of your status, you want to be cherished, to be appreciated, and to be respected.
• You will experience the march of time; you are responsible for your actions.
• These things can't be bought, or negated, with money, with power, or with fame.
InfoSec Profession
• We share our knowledge with key consultants, managers, programmers, and other project members.
• They need to take our information security concerns into account in project designs.
• Any data leak will be a detriment to the company's image, reputation, and confidence, not to mention a source of possible lawsuits.
誠意 Sincerity
Self Improvement
• Sincerity is the best policy. This is a tried and true cliché that has withstood the test of time.
• And in the age of the information society, it is the only policy.
• Why? Everything you have done is recorded, saved for posterity, and can be accessed online. When you apply for a highly prestigious, high paying, and/or highly recognized position, you will be scrutinized.
InfoSec Profession
• We show the sincerity of our concern for data preservation by sharing our findings with others and advocating security awareness.
• We will be tempted to speed up projects, or to hold back restrictions on current designs, in order to expedite the process, move things along, or beat deadlines.
• But then we have to realize that the law of consequences is at play here. Our involvement is a series of tradeoffs between short-term expedience and long-term data security.
正心 Rectification
Self Improvement
• If you are sincere in your beliefs, then your heart will be in the right place and your actions will be proper.
• Why? Our actions result from our thought process, whether conscious or subconscious.
• And if you can't be true to yourself, then how can you be true to others?
InfoSec Profession
• No matter how many or which elements our projects entail, our heart has to be in the right place.
• Our heart lies in the credo that we upheld upon joining (ISC)2 or GIAC.
• We must apply due diligence in our involvement with all projects. Our actions have to be as true as our words.
脩身 Self Cultivation
Self Improvement
• Self-cultivation is about straightening the heart.
• Those with anger, their hearts are not straightened.
• Those with fear, their hearts are not straightened.
• Those with desire, their hearts are not straightened.
• Those with worry, their hearts are not straightened.
InfoSec Profession
• While we ourselves strive to straighten our hearts, we must watch out for employees who display:
  • Anger
  • Fear
  • Desire
  • Worry
• These have a higher probability of being a threat.
齊家 治國 平天下
Maintain Family, Regulate State (Company), Pacify Heaven Below (the Gird)
• The Great Learning is the first classic on Management as a Service (MaaS).
• Only interested in self improvement? Stop after Self Cultivation.
• Interested in maintaining a household or a department? Stop after Maintain Family.
• Interested in running a government agency or a company? Stop after Regulate State.
• Interested in doing the greater good, or managing a multinational corporation? Continue to Pacify Heaven Below.
• External Sovereignty is less about utilizing the latest and greatest technology and more about managing people.
• Social Engineering is the battle for hearts and minds that can get past the world's most secure firewalls, IDS, IPS, and defense in layers.
• Social Engineering is another term for spy, grifter, scammer, con artist, and trojan horse.
外王
齊家 Maintain Family
Self Improvement
• Maintaining a household comes about after self-cultivation.
• You should avoid creating too much:
  • Favoritism
  • Disapproval
  • Fear
• A man who doesn't know about his son's flaw is like a man who doesn't know about his crop's health.
InfoSec Profession
• Maintaining a department comes about after self-cultivation.
• It should be free from:
  • Favoritism
  • Disapproval
  • Fear
• These will decrease employees' security awareness.
治國 Regulate State (Company)
Self Improvement
• When a family acts humanely, the entire nation promotes humaneness.
• When a family acts with deference, the entire nation promotes civility.
• When a man is ruthless and corrupt, the entire nation goes rogue.
• Hence, a word can instigate an incident; a man can regulate a nation.
InfoSec Profession
• When a department behaves securely, the entire company promotes vigilance.
• When a department limits its access, the entire company promotes data control.
• When a man is ruthless and corrupt, the entire company becomes vulnerable.
• Hence, a word can instigate a threat; a man can secure a company.
平天下 Pacify Heaven Below (the Gird)
Self Improvement
• A gentleman practices the Dao of Rules & Regulation.
• Follow the Dao (of the Great Learning), and the crowd and the nation follow. Lose the Dao, and you lose the people and lose the nation.
• Speak out contrarily, and receive a contrary response. Receive ill-gotten wealth, and out it will flow with interest.
InfoSec Profession
• An InfoSec Professional lives and breathes the Code of Ethics.
• Practice InfoSec, and others engage and the company enacts. Disregard InfoSec, and others forget and the company neglects.
• The Law of Consequences can be found in personal, social, career, financial, and political aspects of life.
Great Learning & InfoSec Recap
• As the first self-help book, it has withstood the test of time. As the first book on MaaS (Management as a Service), it shows how to serve others by first improving oneself.
• Instructions for management are no different from instructions for self improvement. It is all about leading by example.
• Despite advanced technology, people's hearts and souls remain the same. They can enforce or enfeeble information security.