Security: Cyber — Personal. Same Difference?

Connecting the Systems.

As a student/practitioner of Martial Arts and Information/Cyber Security I’ve been thinking of how the two correlate. I’m just entertaining some thoughts and attempting to connect the dots between the two rather than attempting to be “revolutionary.”

I began my martial arts journey in a Filipino Martial Art known as Modern Arnis (founded by Professor Remy A Presas) under the tutelage of Datu Kelly Worden; both share the philosophy of making the arts about the individual versus making the individual fit the art. The more I think about it I’m actually surprised that I didn’t make the connections between Cyber Security and Personal Defense beforehand.

Information Security, Cyber Security, IT Security. What’s the difference?
Lucky for you and me, Kimberly Crawley has already written a great article about the differences between the three. In some cases the terminology can be used interchangeably; in other cases there is a difference. In case you are interested, here’s the link, and it’s aptly titled:
Information Security, Cybersecurity, IT Security, Computer Security… What’s the Difference.

I chose to use Cyber Security terminology because I believe terms like Vulnerability, Exploit, Threat and Risk are easier to relate to the human condition. News coverage of recent events such as WannaCry, Petya/NotPetya and the Equifax compromise is also bringing the terminology to the forefront of people's news feeds, so more people are becoming familiar with Cyber Security along with other terminology like Social Engineering, Hacker(s) and more.

My plan is to use this article to kick off a series of articles based off the Critical Security Controls (CSC) by the Center for Internet Security (CIS) framework and how they could be interpreted and applied to us as humans in terms of personal security.

Into The Matrix!

VULNERABILITY: In computer security, a vulnerability is a weakness which allows an attacker to reduce a system’s information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.
 SOURCE
EXPLOIT: An exploit (from the English verb to exploit, meaning “using something to one’s own advantage”) is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something … 
SOURCE
THREAT: In computer security a threat is a possible danger that might exploit a vulnerability to breach security and therefore cause possible harm. A threat can be either “intentional” (i.e. hacking: an individual cracker or a criminal organization) or “accidental” (e.g. the possibility of a computer malfunctioning, or the possibility of a natural disaster such as an earthquake, a fire, or a tornado) or otherwise a circumstance, capability, action, or event.
SOURCE

Although the above terminology applies to securing computers, computer networks and the data stored on said systems, it also applies to securing the human computer and the human network. Humans have been hacking and using social engineering on each other long before computers were invented. From a biological point of view we have our own built-in anti-virus, intrusion detection/prevention and more; pretty wild, right? This is where the fun begins: we could keep it high level and view things from a general perspective, or we could dive deeper, get into the weeds and get into some really interesting topics.

Now that we have the technical jargon out of the way, how do we correlate the terminology above to the individual and personal security?

Example A:
Imagine a person walking but instead of paying attention to their surroundings they are focused on their mobile device and unaware (vulnerability) of someone following them (threat) waiting for the opportunity to exploit the vulnerability.

Real World Example:
Crowbar Attack Caught on Camera Thwarted by UPS Workers.

Example B:
Imagine a person is walking but instead of paying attention to their surroundings they are focused on their mobile device, unaware of the abrupt edge/level change in the sidewalk, causing them to trip and injure themselves, injure others or be the cause of an accident while stumbling in front of a moving vehicle. Anyone remember the craze that was Pokemon Go?

Real World Example:
CCTV captures moment woman distracted by phone tumbles six foot down open cellar

What are the chances?

Let’s talk about risk. What is Risk? The Cyber Security definition of risk is:

A combination of the likelihood that a threat will occur, the likelihood that a threat occurrence will result in an adverse impact, and the severity of the resulting impact
https://en.wikipedia.org/wiki/IT_risk

In other words, what are the chances that an attacker (threat) will take advantage (exploit) of the distracted (vulnerability) pedestrian, and how much damage will it cause (adverse impact)? The environment in which the vulnerability exists comes into play and can raise or lower the level of risk.

In Example A, IF the person was walking in a work-related space, the chances of being attacked and robbed are pretty low, therefore the risk is low. However, change the environment and even a public space may not be so safe due to other variables.

Real World Example:
Crowbar Attack Caught on Camera Thwarted by UPS Workers.

In Example B, the chances of an unintentional injury are pretty high regardless of the environment, therefore the risk is high, but the severity of the injury is another variable.

Real World Example:
CCTV captures moment woman distracted by phone tumbles six foot down open cellar (YouTube is filled with plenty of examples!)

Bodyguards 24/7

One of the concepts that my instructor Datu Worden emphasizes is that we are bodyguards 24/7; by protecting ourselves we are also protecting our family. In the current political climate we may unexpectedly be called upon to provide protection for others that are outside of our personal circle just by being in the right place at the wrong time.

The formulation of personal defense is a ‘self-realized’ reality, not a one art fits all. Personal defense — yes not self-defense — because you are a bodyguard 24/7 for not just yourself but your family, friends, and possibly anyone else who needs help. ~Datu Kelly S. Worden

In the examples above the threat occurred, vulnerabilities were exploited and the person was physically compromised as an adverse impact. The severity of the impact depends on how well we are prepared. Do you have enough vacation or sick leave to cover days of work lost due to physician appointments or time needed? Sometimes a violent attack leaves a person with psychological distress, especially a martial artist or any individual who prides themselves on being self-reliant.

We could go on and on with the “what ifs” or go in a variety of directions with the above scenarios; whether or not these outcomes are possibilities or highly probable. We could address Vulnerability Management and Risk Management. Do we avoid the risk? Do we accept the risk? Do we transfer the risk? How do we answer those questions? What does it all mean? How does it even correlate to personal defense?

As I stated earlier, I’m just sharing thoughts, hoping to stimulate some conversation with like-minded people and/or inspire people to assess their personal defense and develop their own personal layered defense strategy.

#beyourownbodyguard #bodyguard24/7