Great Learning & Information Security: how an ancient Chinese Classic remains relevant in modern information security

Chuan Lin, CISSP

Upload: chuan-lin

Posted on 02-Nov-2014


DESCRIPTION

How an ancient Chinese Classic, the Great Learning, remains relevant to the modern information security profession. This presentation shows, side by side, how what was true back in 400 BC can also apply to the 21st century. It is also the first book on MaaS (Management as a Service).

TRANSCRIPT

Page 1: Great Learning & Information Security - English edition

Great Learning & Information Security: how an ancient Chinese Classic remains relevant in modern information security

Chuan Lin, CISSP

Page 2

Great Learning Background

Who wrote it

• Zengzi, a disciple of Confucius, wrote the Great Learning.

What is it

• It is the first self-help book that withstood the test of time and the first Management as a Service (MaaS) offered to others.

Page 3

Great Learning Background II

When was it written

• It was written sometime between 445 and 436 BC, during the Spring and Autumn Period of Chinese history, when China was a feudal sovereignty consisting of a hundred city-states that owed loyalty to the Zhou Dynasty.

Where did it flourish?

• At the time it was written, the Great Learning was just another school of thought contending with hundreds of other ideas. Later, it became one of the three main core philosophies of China.

Page 4

Great Learning Background III

Why does it matter?

• Its opening statement is no different from the mission statements of the (ISC)2 and SANS Codes of Ethics.

• While knowledge of the 10 domains and technical information is necessary for the information security professional, a high ethical standard is expected of that person, yet little direction is given beyond following various laws and rulings such as HIPAA, SOX, GLBA, Safe Harbor, etc.

• I believe the Great Learning can be a useful guide for Information Security (InfoSec) professional ethics.

Page 5

Goals of Great Learning/InfoSec

What do we want to accomplish with our lives and our careers?

Page 6

“大學之道，在明明德，在親民，在止於至善。”

The Dao of the Great Learning is to illustrate illustrious virtues, to renovate the people, and to rest in the highest excellence.

“Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.”

- (ISC)2 Code of Ethics

Page 7

The Dao of the Great Learning is to illustrate illustrious virtues, to renovate the people, and to rest in the highest excellence.

GIAC Code of Ethics

• Respect for the Public

• Respect for the Certification

• Respect for my Employer

• Respect for Myself

SANS Code of Ethics

• I will strive to know myself and be honest about my capability.

• I will conduct my business in a manner that assures the IT profession is considered one of integrity and professionalism.

• I respect privacy and confidentiality.

Page 8

7 Steps to Illustrating Illustrious Virtues

Seeking Self Improvement First

Page 9

“知，止，定，靜，安，慮，得”

knowing, ceasing, steadying, calming, quieting, pondering, obtaining

7 Steps of Acquiring Illustrious Virtues

How can these seven internal self-improvement steps have an impact on oneself and one's InfoSec career in modern times?

Page 10

知 Knowing

Self Improvement

• In the corporate world, we are trained to exploit the company's strategic strengths while shoring up the company's weaknesses.

• In an engineering environment, we are trained to find and rectify any product defects before they go to market.

• Shouldn't we train ourselves to find the weaknesses within ourselves before we, or someone else, initiate a zero-day attack against us?

InfoSec Professional

• I have to know a company's security status: where its strengths are and where its weaknesses are.

• I have to know the company's business goals, its chain of command, its culture, its behaviors, and its processes.

• I have to know its defense-in-layers structure, its log controls, its state of readiness, its state of responsiveness, etc.

Page 11

止 Ceasing

Self Improvement

• Ceasing is to prevent the breach of trust.

• To cease one's vices through gradual reduction, redirecting attention to healthier alternatives, or going cold turkey.

• To cease through forming new habits, rewarding oneself for achieving milestones, and attending support groups.

InfoSec Professional

• Ceasing is to prevent the breach of trust.

• To cease internal risks through reduction, mitigation, avoidance, or elimination.

• To cease through log controls, separation of duties, enforcement of least privilege, a secure software development lifecycle, and making employees more security aware.

Page 12

定 Steadying

Self Improvement

• We know our strengths and weaknesses.

• We curb our indulgences and capitalize on our strengths.

• These give us confidence against external pressures and attacks.

InfoSec Professional

• We know our company's security status.

• We have reduced our company's risk level.

• This gives us the confidence to remain level-headed when external threats appear.

Page 13

靜 Calming

Self Improvement

• You are only able to maintain calmness after patching your flaws, because you no longer have to worry about them being exploited.

• Peace of mind leads to a healthy body.

InfoSec Profession

• Calming comes when the company is safe from internal and external threats.

• Calming allows the company to plan its business strategy.

Page 14

安 Quieting

Self Improvement

• Quieting is the result of Calming. While Quieting allows you to think clearly, Calming allows you to act without disruption.

• Quieting allows you to focus on the task at hand without distraction.

InfoSec Profession

• A company that is secured and well defended is free to focus on pursuing its objectives.

• Security awareness has become part of the business culture or norm, so employees are able to sharpen their security mindfulness without it intruding on or interrupting day-to-day work.

Page 15

慮 Pondering

Self Improvement

• Without worry, without stress, you are free to digest information and determine how it improves your health, your social/family life, and your career.

• You are able to plan ahead for where you want to be in 6 months, 1 year, 5 years, or even 10 years.

InfoSec Profession

• Pondering allows a company to analyze its business or marketing objectives, to review its information technology, and to anticipate future trends and threats.

• In the earlier Ceasing and Steadying states, the company is focused on managing immediate risks. At Pondering, the company now has the luxury to look ahead, anticipate new risks, and be prepared for them.

Page 16

得 Obtaining

Self Improvement

• Peak virtuous state:

  Stress free from fear of personal flaws

  Having an actionable life plan

  Achieving equilibrium of body and mind

InfoSec Profession

• Peak security awareness state:

  COBIT's Optimizing Process

  ITIL's Optimized Maturity Assessment Level

  Security Awareness Roadmap: Metrics Framework

Page 17

Internal Sagacity, External Sovereignty

How to Renovate People and Rest at the Highest Excellence

Or: How to Manage Self Before Managing Others

內聖 (Internal Sagacity)

外王 (External Sovereignty)

Page 18

格物，致知，誠意，正心，脩身

Investigation of Things, Knowledge, Sincerity, Rectification, Self Cultivation

• Before managing others, first make sure you have successfully managed yourself.

• You must be able to withstand the scrutiny of others.

• Your actions, your behaviors, and your words will be constantly observed and judged.

• This is especially true in the age of Facebook, Twitter, and Instagram, where every little transgression will be caught on camera and spread like wildfire.

• There are people who love nothing more than to tear down a public figure.

內聖 (Internal Sagacity)

Page 19

格物 Investigation of Things

Self Improvement

• …to know the ten thousand things around you in order to use them to help Heaven Below…

• Know your stuff outside your work.

• All things have a beginning and an end.

• All things have patterns.

• All things have a purpose, whether you realize it or not.

InfoSec Profession

• Information security is about providing data availability, confidentiality, and integrity.

• Ideally, we like to get involved at the beginning of all projects because of our concern for information security.

• Externally, we need to know what regulations, laws, and audits are required for this project.

• Internally, we need to know what our administrative, technical, and physical constraints are for this project.

Page 20

致知 Knowledge

Self Improvement

• Know who you are in relation to all things around you.

• Regardless of your status, you want to be cherished, to be appreciated, and to be respected.

• You will experience the march of time; you are responsible for your actions.

• These things can't be bought, or negated, with money, with power, or with fame.

InfoSec Profession

• We share our knowledge with key consultants, managers, programmers, and other project members.

• They need to take our information security concerns into account in project designs.

• Any data leak will be a detriment to the company's image, reputation, and confidence, not to mention possible lawsuits.

Page 21

誠意 Sincerity

Self Improvement

• Sincerity is the best policy. This is a tried and true cliché that has withstood the test of time.

• And in the age of the information society, it is the only policy.

• Why? Everything you've done is recorded, saved for posterity, and can be accessed online. When you apply for a highly prestigious, high-paying, and/or highly recognized position, you will be scrutinized.

InfoSec Profession

• We show the sincerity of our concern for data preservation by sharing our findings with others and advocating security awareness.

• We will be tempted to speed up projects, or not to put too many restrictions into current designs, in order to expedite the process, to move things along, or to beat deadlines.

• But then we have to realize that the law of consequences is at play here. Our involvement is a series of tradeoffs of short-term expedience vs. long-term data security.

Page 22

正心 Rectification

Self Improvement

• If you are sincere in your beliefs, then your heart will be in the right place and your actions will be proper.

• Why? Our actions result from our thought process, whether conscious or subconscious.

• And if you can't be true to yourself, then how can you be true to others?

InfoSec Profession

• No matter how many or which elements our projects entail, our heart has to be in the right place.

• Our heart lies in the credo that we upheld upon joining (ISC)2 or GIAC.

• We must apply due diligence in our involvement with all projects. Our actions have to be as true as our words.

Page 23

脩身 Self Cultivation

Self Improvement

• Self-cultivation is about straightening the heart.

• Those with anger, their hearts are not straightened.

• Those with fear, their hearts are not straightened.

• Those with desire, their hearts are not straightened.

• Those with worry, their hearts are not straightened.

InfoSec Profession

• While we ourselves strive to straighten our hearts, we must watch out for employees who display:

  • Anger

  • Fear

  • Desire

  • Worry

• These have a higher probability of being a threat.

Page 24

齊家 治國 平天下

Maintain Family, Regulate State (Company), Pacify Heaven Below (the Grid)

• The Great Learning is the first classic on Management as a Service (MaaS).

• Only interested in self improvement? Stop after Self Cultivation.

• Interested in maintaining a household or a department? Stop after Maintain Family.

• Interested in running a government agency or a company? Stop after Regulate State.

• Interested in doing the greater good, or managing a multinational corporation? Continue to Pacify Heaven Below.

• External Sovereignty is less about utilizing the latest and greatest technology and more about managing people.

• Social engineering is the battle for hearts and minds, and it can get past the world's most secure firewalls, IDS, IPS, and defense in layers.

• Social engineering is another term for spy, grifter, scammer, con artist, and trojan horse.

外王 (External Sovereignty)

Page 25

齊家 Maintain Family

Self Improvement

• Maintaining a household comes about after self-cultivation.

• You should avoid creating too much:

  • Favoritism

  • Disapproval

  • Fear

• A man who doesn't know about his son's flaws is like a man who doesn't know about his crop's health.

InfoSec Profession

• Maintaining a department comes about after self-cultivation.

• It should be free from:

  • Favoritism

  • Disapproval

  • Fear

• These will decrease employees' security awareness.

Page 26

治國 Regulate State (Company)

Self Improvement

• When a family acts humanely, the entire nation promotes humaneness.

• When a family acts with deference, the entire nation promotes civility.

• When a man is ruthless and corrupt, the entire nation goes rogue.

• Hence, a word can instigate an incident; a man can regulate a nation.

InfoSec Profession

• When a department behaves securely, the entire company promotes vigilance.

• When a department limits its access, the entire company promotes data control.

• When a man is ruthless and corrupt, the entire company becomes vulnerable.

• Hence, a word can instigate a threat; a man can secure a company.

Page 27

平天下 Pacify Heaven Below (the Grid)

Self Improvement

• A gentleman practices the Dao of rules and regulation.

• Follow the Dao (of the Great Learning), and the crowd and the nation follow. Lose the Dao, lose the people, and lose the nation.

• Speak out contrarily; receive a contrary response. Receive ill-gotten wealth; out it will flow with interest.

InfoSec Profession

• An InfoSec professional lives and breathes the Code of Ethics.

• Practice InfoSec, and others engage and the company enacts. Disregard InfoSec, and others forget and the company neglects.

• The law of consequences can be found in personal, social, career, financial, and political aspects.

Page 28

Great Learning & InfoSec Recaps

• As the first self-help book, it has withstood the test of time. As the first book on MaaS (Management as a Service), it shows how to serve others by first improving oneself.

• Instructions for management are no different from instructions for self improvement. It is all about leading by example.

• Despite advanced technology, people's hearts and souls still remain the same. They can enforce or enfeeble information security.