Showing posts with label jedi. Show all posts

Tuesday, August 19, 2008

Information Security Jedi: Form II Lightsaber Combat

The most elegant and beautiful of the basic forms of lightsaber combat was form II. This form emphasizes clean moves, parries, and thrusts rather than the blocking and slashing of other forms. There is a discipline within information security that can claim the title of being so beautiful and so difficult to master: risk management.

A master of risk management meticulously calculates the probability of some event happening, the damage that can be done from that event, and how much effort the organization must put into mitigating that threat. No wasted movements, no throwing money at the problem to make it go away. If some event manages to do damage to his information, he can rest assured that he put precisely the right amount of effort into stopping that event and go on with life. Practitioners of other forms might beat themselves up for not preventing it from happening.

There are several hallmarks of form II information security combat. The form II practitioner is more likely to develop and use metrics to measure the effectiveness of the controls that have been put in place. This person is also likely to use finance and statistics tools like normal curves and Net Present Value to estimate what must be done to protect the network. Although regulatory compliance is not strictly related to risk management, you will often find that masters of form II are well versed in PCI, HIPAA, Sarbox, GLBA, and other regulations that affect their organization.

Form II is not without its weaknesses. Principal among them is that there is little focus on developing a deep bench of security controls. Once your numbers have justified a control to mitigate some risk, it is difficult to justify more money to mitigate that same risk. This is typically the domain of form III lightsaber combat.

Practitioners of form II are typically senior manager types or security professionals that come from an accounting or finance background. The accounting and finance field lends itself to the deep analysis required for mastering form II.

As an information security Padawan, I feel that I haven't come close to mastering any of the basic forms of combat. However, I feel that I am strongest in form III. I have only recently become aware of the power and elegance that comes from form II. I intend to study form II more carefully and start trying to incorporate form II into my combat style and possibly even master the form.

Wednesday, August 13, 2008

Information Security Jedi: Form 0 Lightsaber Combat

I'm going to put my Star Wars nerd cap back on and talk about the parallels between information security and the Star Wars universe. In previous posts on the topic I introduced the concept that in our world, information is like the Force. Our tool kits become our lightsabers and how we choose to use those lightsabers can be compared to the various forms of combat used by the Jedi.

We cannot neatly tie each form of lightsaber combat to a discipline in the information security field, but there are a couple that do fit nicely that I'd like to point out. In this post, I'm going to talk about Form 0 lightsaber combat.

For the Jedi, Form 0 was not a form of lightsaber combat in the typical sense of the word. It has no attack forms because Form 0 is a term used for the defensive techniques a Jedi used to avoid lightsaber combat. It was the art of finding alternate means of solving a problem.

This is a very noble and important skill for a Jedi to have, but it doesn't really have any place in the world of information security. I mean, if someone is going to steal your data you're not likely to have an opportunity to talk them out of it. What do we call it when someone doesn't secure a system and instead tries to prevent anyone from attacking it to maintain security? Well I call it Security by Obscurity, and it is the bane of information security professionals everywhere.

I'm not going to spend any time talking about Form 0 in the information security world because it is completely useless to us. It doesn't help us to meet any regulatory compliance, it certainly doesn't help to keep anything secure (since by nature it is a lack of security mechanisms) and it isn't very effective since it is pretty much assured that someone is going to work their way through your obfuscation. It was the same way for the Jedi. Form 0 was great for avoiding conflict, but if someone swung a blaster around to a Jedi, he or she would quickly pull out their lightsaber and use a different form.

In the toolkit of a Form 0 practitioner expect to find lawyers that will sue anyone trying to research their product. Form 0 masters might use defensive techniques such as running services on non-standard ports, or changing file extensions so that it isn't obvious what the file is for.

Tuesday, August 5, 2008

Information Security Jedi: Lightsaber combat

It's been a while since I wrote about my observations comparing information security to the Force and its practitioners to the Jedi and Sith. I've talked about the information that we protect and how that can be likened to the Force and how the toolkit that we use to protect or exploit information can be thought of as our lightsabers. So now we should take a moment to talk about lightsaber combat. This introduction will kick off a series of posts about the various forms of lightsaber combat.

The Jedi and Sith both mastered different styles of lightsaber combat. Their chosen style was a reflection of their teaching, their physiology, and their personalities. All Jedi were trained in the basic forms of lightsaber combat but very few of them mastered each form. I believe that it is the same for the information security practitioners of today. There are several ways of defending information and exploiting information, but few people have mastered all of them.

This is a realization that came to me when I was reading about the various forms of lightsaber combat. I saw that some of the forms were similar to some of the disciplines in the information security field. I've mentioned before that I am a lowly Padawan in the world of information security, and I confess to sometimes feeling overwhelmed by the various ways that things can go wrong. Sometimes it seems like there are a million things that you need to know if you're going to be an information security professional. But then I realized that even the Jedi Masters were not masters of every form of lightsaber combat. Surely I cannot be expected to master risk management, penetration testing, forensics & IR, and industry compliance. Much like the Jedi Masters of old, I will attempt to learn each discipline of the information security industry, but I will only attempt to master two, possibly three.

I will not attempt to draw a direct comparison between each form of lightsaber combat and a discipline in the information security field, but there are a few interesting parallels that I will explore in future posts.

Form 0
Form II

Tuesday, July 15, 2008

Symantec Antivirus: the Jar Jar Binks of Information Security

Earlier this week I published a post where I talked about an adventure I had once with a worm that was spreading around my organization and how we dealt with it. In that post I made a comment about Symantec Antivirus being able to detect the virus and tell you that you were infected, but it wasn't doing anything to stop the spread of the infection. This leads me to this post.

I firmly believe that antivirus technology vendors are the Gungans of the information security world. They talk funny and they're really only good for distracting an attacker while you do something worthwhile. And if antivirus technology vendors are Gungans, then Symantec Antivirus is Jar Jar Binks! You know how much any self-respecting Star Wars fan hates Jar Jar Binks? Well that's how much I hate Symantec Antivirus. Much like Jar Jar Binks it takes up a lot of space, makes a lot of useless statements, annoys the shit out of you, and makes you wonder why anyone would intentionally put it on their computer (or in their movie).

Recently a bunch of my coworkers were bitching about Symantec Antivirus, and how each version of it is heavier than the last and just as useless. This led me to create Black Fist's First Law of Symantec Antivirus:
For any version of Symantec Antivirus, X: Symantec Antivirus X-1 was better.
Someone else followed this logic all the way back and discovered this great truth:
Symantec Antivirus Version 0 (meaning no Symantec Antivirus at all) is best.
The problem with antivirus software is that there is so much malware in the world that they can't possibly keep up. They regularly purge their signatures of old malware that has become rare on the Internet, which leaves you exposed to a certain degree. The really nasty stuff is the zero day malware that they won't have signatures developed for yet. When Slammer came out in 2003, it spread around the Internet in 30 minutes! How can a reactive software package hope to protect you from that? In fact, the only reason I even run antivirus at my organization is because if we didn't someone would probably accuse me of being negligent. I honestly do not believe that it provides me with value anywhere near the cost of the safeguard.

Consider this as an exercise. If you do not run antivirus software on your computer, what is the probability that you will become infected with malware? I would say for the average user the answer is .8. So we can say that in a five year period, that average unprotected user would contract malware four times. Each time you have to clean up the infection, which probably costs $50. Norton 360 costs about $80 right now, plus you have to pay for a subscription so in five years you'll probably spend $120 on protection. Here is where you get the breakdown in value: I believe that even with antivirus installed, you have still only reduced the probability from .8 to .5 maybe? By that math, you're going to spend $120 to get $75 of savings.
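The estimate above, carried one step further as an added example (not from the original post): the same figures, plus the two break-even points at which the $120 would pay for itself. It assumes .8 and .5 are infections per year, which is what "four times in five years" implies; the function names are illustrative.

```python
# Figures quoted in the post. Assumption: .8 and .5 are yearly infection rates.
P_UNPROTECTED = 0.8
P_WITH_AV = 0.5
CLEANUP_COST = 50.0     # dollars per infection
AV_COST = 120.0         # dollars over the whole period
YEARS = 5


def expected_loss(rate_per_year, cleanup_cost, years):
    """Expected cleanup spend over the period."""
    return rate_per_year * years * cleanup_cost


def control_value(p_without, p_with, cleanup_cost, control_cost, years):
    """Return (loss avoided by the control, net value after paying for it)."""
    avoided = (expected_loss(p_without, cleanup_cost, years)
               - expected_loss(p_with, cleanup_cost, years))
    return avoided, avoided - control_cost


def break_even_rate(p_without, cleanup_cost, control_cost, years):
    """Yearly infection rate the control must reach to pay for itself."""
    return max(0.0, p_without - control_cost / (cleanup_cost * years))


def break_even_cleanup_cost(p_without, p_with, control_cost, years):
    """Per-infection cleanup cost at which the control pays for itself."""
    infections_prevented = (p_without - p_with) * years
    if infections_prevented <= 0:
        return float("inf")   # the control prevents nothing, so it never pays off
    return control_cost / infections_prevented


if __name__ == "__main__":
    avoided, net = control_value(P_UNPROTECTED, P_WITH_AV,
                                 CLEANUP_COST, AV_COST, YEARS)
    print(f"loss avoided: ${avoided:.2f}, net value: ${net:.2f}")
    print(f"break-even yearly rate with AV: "
          f"{break_even_rate(P_UNPROTECTED, CLEANUP_COST, AV_COST, YEARS):.2f}")
    print(f"break-even cleanup cost: "
          f"${break_even_cleanup_cost(P_UNPROTECTED, P_WITH_AV, AV_COST, YEARS):.2f}")
```

With the post's inputs the control only breaks even if it cuts the yearly rate to about .32, or if each cleanup costs about $80 rather than $50.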

I know that I'm not the only one out there that believes that antivirus is not very effective. I'd like to know if my analysis is too extreme, or if you think I'm spot on. Remember, I'm still learning about information security, and whenever I buck conventional wisdom I feel like I should be open to the fact that I might be wrong. I'll revise my opinion when sufficient evidence comes to my attention.

EDIT: Here is a link to an article that shows at least one group of people agree with me on this one. The article makes the claim that using a whitelist of approved applications rather than a blacklist is more effective, and I agree with that. It also says that whitelisting hasn't caught on because it is relatively new technology which I believe is not true. http://www.darkreading.com/document.asp?doc_id=158750&WT.svl=news1_5

Thursday, July 10, 2008

Information Security Jedi: Lightsabers

Over the last couple of weeks I've been making comparisons of the information security profession and the Jedi of the Star Wars Universe. I've talked about the Force, the Jedi, and the Sith. Today I'd like to talk about the primary weapon of the Jedi and the Sith, the lightsaber.

A lightsaber is essentially a laser sword that will pass cleanly through almost anything except for another lightsaber and certain exotic metals. It was used almost exclusively by people that were sensitive to the force because it was not very easy to use. Without proper training the lightsaber could be fatal to the person using it. And even if the person was able to use a lightsaber without killing himself it is hard to use it effectively unless you have the reflexes of someone strong with the Force. With all of these limitations, you might wonder why anyone would use this weapon. Well, in the hands of someone who is well trained and strong with the force, there is no finer weapon. It can slice through almost all melee weapons with no effort whatsoever, and it can be used to deflect blaster shots. A skilled Jedi could even throw the lightsaber short distances making it into a ranged attack weapon. It was elegant, small, lightweight, and became the very symbol of the Jedi order.

The lightsaber was as much ceremonial as it was functional. One of the major tasks of a Jedi or Sith apprentice was to construct a lightsaber. The apprentice would spend a significant amount of time building the lightsaber hilt, selecting the perfect crystal, and using the Force to improve the efficiency of the device. The shape, size, and weight were often determined by the species of the owner, and the style of lightsaber combat favored by the owner. I'm going to spend some time in the upcoming weeks talking about forms of lightsaber combat because that was what really sparked my interest in comparing the Jedi to information security professionals. For now, let's just say that there are different ways to use a lightsaber depending on your strengths, weaknesses, and goals.

For the information security professional, it is the tool kit that becomes his lightsaber. Think about it, you spend a great deal of time selecting which tools you want to assemble. Some of them are pretty standard, like nmap or nessus, and others are more specific to the work you do, such as the sleuth kit. An information security professional carefully decides which tools he is going to master, which ones he will keep a working knowledge of, and which ones to discard. This becomes the lightsaber of the information security professional. It is this toolkit that will be used to defend the information of the organization.

Using the lightsaber of information security, our Jedi can redirect attacks that are aimed at them, and in some cases, prevent attacks from occurring just by making his or her presence felt. An information security Jedi will spend as much time practicing with his or her lightsaber as any Jedi did in the Star Wars Universe.

How does this comparison help you with your career? Remember that the set of tools that you use is the very weapon of your trade. Work hard to master the utilities in your toolkit, and remember that you probably don't have room for everything. If you become a master with your lightsaber, you will find that you don't have to use it as much, which will help you to advance in your career, and when you do have to use it you will be able to put down problems much more quickly.

As an example, I would point to my early days as a security Padawan. We had a worm spreading around our campus and we needed to eliminate it. As with most malware, Symantec antivirus was able to detect it, but wasn't doing anything to prevent machines from getting infected. I had one individual working with me who is much more experienced with the tools of information security, although IT security is not his full time job. I attacked the problem by gathering a sample of the malware, and installing it in an isolated virtual machine. I then used tools like filemon, regmon, and wireshark to find out what the program was doing on the wire. I discovered that after a machine was infected, it would make a DNS request for a particular host. I then set up a rule in snort to look for any DNS requests for that host and used the alerts to identify machines that were infected. My co-worker examined packet captures and looked for common elements among the machines. He determined that the worm was making use of a bug in VNC that was just under 1 year old. He then used nmap to scan our entire IP space for machines listening on the VNC port, and then ran the results through Nessus to find out which machines were vulnerable so they could be updated.

We each took a different approach to solving the problem, and while both were effective, his mastery of tools allowed him to put down the problem much faster and in a more proactive way. We were able to patch machines that hadn't been infected yet, which is always the best way to fix a problem. Thus his mastery of the lightsaber allowed him to eliminate an attack more quickly and also to prevent some attacks from happening at all.
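The DNS-based detection from the worm incident above, sketched as an added example that is not code from the original post: it parses DNS queries in wire format and lists the internal machines asking for a watched name. The post does not name the host, so `placeholder-host.example.invalid`, the IP addresses and the packets are all constructed.

```python
import struct
from collections import defaultdict

# Placeholder: the post does not give the hostname the worm looked up.
WATCHED_HOST = "placeholder-host.example.invalid"


def build_query(txid, qname):
    """Build a minimal DNS A-record query payload (used for the sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def parse_qname(payload):
    """Return the lower-cased name in the first question, or None if the
    payload is a response, truncated, or otherwise not a well-formed query."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:      # QR bit set means a response
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None                    # ran off the end: truncated
        length = payload[pos]
        pos += 1
        if length == 0:
            break                          # root label ends the name
        if length & 0xC0 or pos + length > len(payload):
            return None                    # pointer/reserved bits or truncated
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels).lower()


def infected_hosts(packets, watched=WATCHED_HOST):
    """Map source IP to the number of queries it made for the watched name.
    The comparison is on the whole name, case-insensitively, so a longer
    name that merely contains the watched string does not match."""
    watched = watched.lower().rstrip(".")
    hits = defaultdict(int)
    for src_ip, payload in packets:
        if parse_qname(payload) == watched:
            hits[src_ip] += 1
    return dict(hits)


# Constructed sample traffic: (source IP, UDP payload sent to port 53).
_response = build_query(7, WATCHED_HOST)
_response = _response[:2] + b"\x81\x80" + _response[4:]   # same packet, QR bit set
SAMPLE_PACKETS = [
    ("10.1.4.21", build_query(1, WATCHED_HOST)),
    ("10.1.4.21", build_query(2, "www.example.com")),
    ("10.1.7.88", build_query(3, "PLACEHOLDER-HOST.Example.Invalid")),
    ("10.1.9.13", build_query(4, "x" + WATCHED_HOST)),     # lookalike name
    ("10.1.4.21", build_query(5, WATCHED_HOST)),
    ("10.1.2.5", build_query(6, WATCHED_HOST)[:20]),       # truncated packet
    ("10.1.0.53", _response),                              # resolver's reply
]

if __name__ == "__main__":
    for ip, count in sorted(infected_hosts(SAMPLE_PACKETS).items()):
        print(f"{ip} queried {WATCHED_HOST} {count} time(s)")
```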

Wednesday, July 2, 2008

Information Security Jedi: Has Black Fist gone to the Dark Side?

As I've mentioned before, in the world of Information Security I consider myself to be a Padawan: a learner who has not yet reached Jedi status. One of the things that is necessary for a young Padawan is constant guidance from the Jedi Masters to ensure that he or she does not start down the dark path. After all, you might think that what you're doing is right, but in fact you may be wrong. Consider the words of Master Yoda: "Difficult to see, the Dark Side is."

I'm spending the day beating myself up because I used my Jedi powers in a way that I'm not sure was right. The situation involves a Dark Jedi, meaning someone that has knowledge of computer systems and security that has turned to the Dark Side. Luckily for me, this Dark Jedi was not an Information Security professional or I might have had an even more difficult time defeating him in combat. The thing is, the whole time I was trying to zero in on him and gather the evidence required by my employer, he was able to stop me at every turn. Pretty good considering that he didn't even know I was trying to get into his computer. And so when my other options had failed, I turned to something I call the Jedi Mind Trick, Social Engineering. I'll write a more detailed post about the Jedi Mind Trick another time, suffice to say that it is a powerful force and can be easily misused. And that's where I find myself today, wondering if I misused the Jedi Mind Trick.

I wish that I could explain the situation in more detail, but of course I cannot because of the confidential nature of my work. To boil it down, I was asked to install software on a computer without being detected. I want to make it clear that I was authorized by my employer to install monitoring software purchased by my employer on a computer that is owned by my employer. I guess I just feel bad because I shook the guy's hand and smiled in his face while I stabbed him in the back. I prefer to do these things without looking at the target or getting to know the target. That way I can keep it all business in my head. When I figured out that this was going to take more of a personal touch, I even devised a plan to get someone else to do the face to face part. However, that isn't how it worked out and in the end I lied to this dude so that I could start gathering information that may affect his employment. So I guess the question I'm wrestling with is whether or not I did something that was of the Dark Side?

My first inclination is to say no. After all, I was just doing my job. And if he hadn't done the things that he did I wouldn't have had to do any of this. I guess you could say that he made me lie to him. There are a couple of problems with this line of thinking. For one thing, whenever I say that someone made me do something that I feel bad about, I'm usually trying to rationalize some behavior that I know is wrong. The other concern I have with my approach is that I might have taken the quick and easy path, in other words the dark path, when there was a better solution available. Did I take enough time to search for a solution before I resorted to using the Jedi Mind Trick to blind him? I do believe that I had to get my hands on the computer to install the software. There were too many roadblocks to do this remotely. I also believe that it was imperative that he not know that the monitoring software was put in place. Most importantly, I don't believe that I had patience as an option. I could have waited for him to get sloppy and leave his computer at work, but I didn't have that kind of time.

I guess in the end I'm going to judge that what I did was right. I didn't go vigilante and install this monitoring software, and I only resorted to the Jedi Mind Trick after exhausting my other options. Sometimes even a Jedi has to kill people. What makes it acceptable is that the Jedi neither enjoys it, nor seeks out opportunities to do it. I didn't go looking for this guy, but when he crossed my path I did what I had to do. Now I am meditating on the day's events to ensure that I haven't taken any steps toward the Dark Side. I guess I just wish that I had someone else to validate my decision and tell me that what I did was right. I know that there are some Jedi powers that are used by both Light Side and Dark Side beings, and the Jedi Mind Trick is one of them. So I think the lesson to be learned here is that one should always take a long look in the mirror after using a power that could have a Dark Side use and make sure that you haven't started down the path of corruption.

Wednesday, June 25, 2008

Information Security Jedi: Dark Side Beings

I've been running a series of blog entries comparing the practice of information security in our world to the Jedi order of the Star Wars Universe. In my previous post I talked about the light side beings of the Star Wars Universe, namely the various ranks of the Jedi order. This time I'd like to talk more about the dark side of the Force and the beings that make use of it.

The dark side of the Force is basically the evil side. It is the side of the force that is associated with anger, aggression, fear, and suffering. The powers of the dark side are typically attack oriented. For example, a Jedi might master battle techniques that focus on rallying the troops, healing people, or enhancing their own physical abilities. A dark side being might master battle techniques such as choking an opponent, shooting lightning at an opponent, or literally draining the life from an opponent.

So who were the dark side beings in the Star Wars Universe? Well there were several. The dark side equivalent of the Jedi order would be Sith, which has many parallels with the Jedi. But if you thought the Jedi were few in number, then you'll be shocked at the small number of Sith. Most of the time there were only two of them because of the Rule of Two. It turns out that Sith really enjoy killing the hell out of each other, so when you get Sith in sufficient numbers they start killing each other and they can't focus on killing Jedi. So a bad dude named Darth Bane made up a rule that there would only be two Sith at a time. The Master and the Apprentice. That way they could focus on killing Jedi and they wouldn't spend as much time killing each other.

There were other dark side users that a Jedi had to fear besides just the Sith. The dark side of the Force tempts everyone that is sensitive to the Force, and the stronger you are with the Force, the stronger the call of the dark side will become. So one thing the Jedi had to deal with were other Jedi that fell to the dark side. They didn't formally join the Sith, but they did become corrupted and became a threat to the galaxy.

You see, the thing you have to know about the dark side is that if you give in to the temptation to use the dark side, then the call of the dark side becomes even stronger. Since you gave in to the dark side at the previous level of temptation, you now face an even greater probability of falling to the temptation a second time. And a third, and a fourth and so on. Eventually, a person can become addicted to the power of the dark side. Then some Jedi has to say "hey man, that's not cool! You need to quit with all the dark side stuff." Then the corrupted Jedi says "hey screw you man, you don't know me!" Then they fight, and one of them dies.

Then there were people that were sensitive to the Force but had never been formally trained in the ways of the Force. So they usually developed a few powers that made them a threat to other beings in the galaxy and the Jedi would have to come in and deal with them.

Now that we've talked about the dark side users in the Star Wars Universe, let's talk about the dark side users in the information security field. I think it's best to work from the bottom up on this one, so let's look at the force sensitive dark side users that have not been formally trained. I think it's not a stretch to compare these to the script kiddies that we have to deal with today. Script kiddies discovered that they have some interest in information security, but without guidance they have turned to the dark side of the Force to learn more about information security. Another untrained dark side user is the curious user on your network. They go snooping around and might damage systems in the process. For the most part, a well trained Jedi or Padawan should be able to handle a script kiddie, but it would be foolish and arrogant to stop seeing them as a threat. A script kiddie can and will hurt you. They will develop more skills and because they are addicted to the dark side, they will destroy your networks just to prove to themselves that they can.

What about the dark Jedi; the ones that were once followers of the light and became corrupted? I think this is the information security professional that starts using the dark side to police the networks that he was assigned to protect. Have you ever been tempted to search a user's private folders for contraband without following proper procedure? Maybe that worked for you, so now you start gathering tcpdumps of people's computers without permission (which is an illegal wiretap). Soon you've become a security threat that needs to be dealt with. Sometimes a dark Jedi can be redeemed, other times they have to be fired.

Now we start talking about the really serious threats, the Sith. In the Star Wars Universe there were only two of them at a time, but in our world there is an army of them. I like to think of the Sith Apprentices as the professional hackers that create malware, run botnets, and steal identities. They are only interested in gaining more power and money, just like a Sith lord, and they are very powerful. They will use elements of the Force not used by the dark Jedi and they will use every avenue of attack available to them. They will destroy your network if they believe that they can make more money doing so. Also, don't let yourself be fooled into thinking that a Sith Apprentice is less of a threat than a Sith Master. A well trained Sith Apprentice can be nearly as powerful as his Master, and should be dealt with as carefully as the master.

Sith Masters are rare in our world, but not as rare as they are in the Star Wars Universe. A Sith Master is probably the most dangerous black hat hacker you will ever come across in your information security career. So what makes a Master? Well, much like being a Master Jedi, I think a Sith Master is basically a Sith Apprentice that has amassed so much power that he is recognized by Jedi and Sith alike as a Master of his trade. These are truly evil people that will steal the identities of millions of people and sell them for his own personal profit. He builds giant botnets that spew spam across the Internet, threatening to eliminate the utility of this network, just to put more money in his pockets. Just like a Sith Apprentice, these Masters will use any technique available to them to increase their power. The only difference is that they already have incredible power that they can bring to bear. I would like to also point out a particular kind of Sith Master that you should be particularly fearful of. I have mentioned that Sith Masters are the pinnacle of evil in the information security world. As a Jedi you would do well to remember that evil is a point of view, and sometimes you will be viewed as the evil one. Some Sith Masters are government-sponsored hackers that are not necessarily evil people. These hackers have incredible power because they are immune from prosecution and they have the resources of a government to help them identify vulnerable targets and new avenues of attack. I say that these people are not necessarily evil people because they are attacking your network in service to their government. Most of them would probably not drain the savings accounts of retired people just to put it in their own pocket.

Hopefully this information will help you to know your enemy. You should think carefully about the information that you protect and ask yourself what kind of dark side beings you're likely to encounter. Of course, you can never be sure that the person scanning your network isn't a Sith Master, but maybe you don't need to strip search the exterminator if you're only protecting the church mailing list. Remember the lessons of the Jedi Masters that have come before you, and always heed the warning that once you give in to the dark side of the Force, you have started down a dangerous path.

Saturday, June 21, 2008

Information Security Jedi: Light Side beings

In my previous post on this topic I talked about the nature of the Force in the Star Wars Universe and I explained why I feel that in our world the closest thing we have to the Force is information itself. I talked about the ways that being strong with "the Force" in our world makes you more powerful and improves your station in life.

I also mentioned that the Force has a light side (which is typically just called the Force) and a dark side. I'd like to spend some time today talking about the beings that use the light side of the force and how that relates to the information security field.

The foremost users of the Force in the galaxy were the Jedi, the protectors of the galaxy and the Republic. Although they were few in number, they were so good at resolving conflict that they were able to keep peace in the entire galaxy without the need for a standing army. And as the title of these posts probably suggests, I am of the belief that information security professionals are like the Jedi of our world. It is our job to protect the information resources of the whole world and there are relatively few of us compared to the total number of Information users out there.

Among the Jedi there were several ranks. There were the Younglings which were children ranging from infants to about 12 or 13 years old. The Younglings were taught the basics of the Force in groups. When they reached the proper age, some of them would be selected by a Jedi to serve as a Jedi apprentice, the rank of Padawan. As a Padawan the being would assist the Jedi who was allowed to have only one Padawan at a time. When the Padawan reached a certain level of maturity and understanding of the Force, the Jedi would recommend the Padawan for "the Trials." If the Padawan successfully completed the Trials, he or she would be granted the title of Jedi knight. This usually occurred when the Padawan was in her early 20's. After many years of dedicated service, and after reaching several milestones the Jedi Council may choose to bestow the title of Jedi Master onto a Jedi.

So how do these ranks compare to the information security professional of today's world? Well, not very well it turns out. For one thing, most of us do not have Masters that take us under their wing and teach us everything they know. There is also no set of widely accepted ranks that apply to the information security professional. OK, but there are still some parallels that we can draw between the Jedi and ourselves. For example, many people in the information security field did not start there. I got my start as a Windows system admin, and then moved into a network engineer career. During this time I learned some of the fundamentals of information security, but I was not an information security professional. At this time in my career, I think you could make a good comparison to the Younglings in the Jedi order. When I got my first job as an information security professional, I became a Jedi Padawan.

Some people do start their careers as information security professionals, and that's OK too. Remember that Anakin Skywalker became a Padawan as soon as he joined the order, he never learned with the other Younglings.

So when I got my infosec job I became a Padawan. How will I know when I'm a Jedi? After all, we don't have anything like the Trials, do we? Well, sort of. We have certification tests, and there are classes that we can take, and there are techniques that we can master as we specialize in our field. That's probably the closest that we're going to get to the Trials. I guess you really become a Jedi when most other professionals view you as a Jedi.

What about the Masters? Keep in mind that there were very few Jedi Masters, and not all Jedi would become Masters. In our field I think the Jedi Masters are those rock stars that provide guidance to us all. People like Paul Asadoorian, Larry Pesce, and Johnny Long. These people are content creators that other Jedi turn to for new techniques and guidance on how to operate. I would say that you become a Master when the other Masters say that you're a Master, just as it was in the Star Wars Universe.

How can you use this metaphor in your information security career? I would say that you should start by considering where you are in your career. Are you a Padawan, a Jedi, a Master, or a Youngling? Then you should think about what the role of each of those positions is. As a Padawan, I feel that I need to be focusing on earning the respect of my peers, and I'm likely to do that by learning my craft, taking training classes, passing certification tests, and demonstrating that I have the proper knowledge of the Force and resistance to the Dark Side. Remember that we are all tempted by the Dark Side, but as a Youngling or a Padawan you are at particular risk of being corrupted by the Dark Side by engaging in Black Hat hacking. Other required items in the path to knighthood include building your own lightsaber and learning the basic forms of lightsaber combat. I'll talk more about that in another post. Next time I'm going to talk about the Dark Side of the Force and the beings that use it.

Wednesday, June 18, 2008

Jedi of Information Security: The Force

Obviously you can't really have a discussion about the Jedi without talking about the Force. In this post I'd like to talk about the nature of the Force and how that compares with the practice of Information Security.

In the Star Wars Universe, the Force is an energy that creates life and is in turn created by life. It surrounds all living things and binds the whole galaxy together. Individuals that are sensitive to the Force are able to tap into this energy to perform various feats, such as gaining knowledge of the future, moving objects, and healing people's bodies.

The Force was known to have two sides: the light side of the Force (which was typically just called the Force) and the dark side of the Force. The Force was associated with being passive, compassionate, and good, while the dark side was associated with aggression, power, anger, and pain.

Obviously in our world there is no such thing as the Force, although there is at least one church that I've heard of where people worship the Force. When we're talking about Information Security we're also not talking about a galaxy and we don't have an energy field that binds us all together. So what would be the equivalent to the Force when we compare the Jedi to Information Security practitioners?

My answer is that information is the Force in our world. Information is something that we all have. It is the one thing I can think of that binds all of our users and computer systems together. Like the Force, information can be used for both good and evil purposes, and if you gather enough of it you can perform incredible feats, even moving objects with your mind.

Like many religious orders, the Jedi were not all in agreement about the nature of the Force. One thing that the Jedi could not agree on was whether the Force was a sentient, thinking being or just an energy field that was part of nature. Make no mistake, all Jedi respected the Force, but not all of them believed that the Force had a will of its own. For the most part, we can say that this is not true of information. I doubt that there are many of us that believe that the information that we hold has its own agenda and is capable of its own thought. However, it should be noted that there are some that believe that information wants to be free, in other words expressing that information is capable of desire, at least in a figurative sense.

Another view of the Force that was not agreed upon was the concept of light and dark sides. Some Jedi believed that the Force didn't have good and evil powers; there were only the intentions of the practitioner. In this case I think we can again say that information does not have a light side and a dark side. So if we were Jedi of the Old Republic we would have been tossed out for being heretics!

The biggest parallel I see between information and the Force is that in both our Universe and the Star Wars Universe, having strength with the Force places you in a higher social status than beings who do not. A Jedi was not likely to end up being a Nerf herder in the Star Wars Universe. In our world humans and apes have nearly identical DNA, and we are far weaker than apes in most physical characteristics. However, because we are able to collect, interpret, and create information better than apes, my wife doesn't have to pick bugs off of my body and eat them. Even among humans, we mostly agree that being smart is preferable to being dumb.

One mistake that is frequently made when a person uses a metaphor to explain something is attempting to stretch the metaphor too far or force concepts to fit within the metaphor. I want to try to avoid this by pointing out places where my Jedi metaphor of information security doesn't fit. In this case, I don't think it quite fits that Jedi use the Force for knowledge and defense to protect people and the Republic. Information security practitioners use information to protect other information. Jedi do not use the Force to protect the Force. I'm only bringing this up to point out that my comparison of information to the Force is not perfect. For now, this is what I'm going to go with unless I think of a more appropriate comparison. Now that you have an understanding of the Force as it pertains to information security, we can start talking about the people that use the Force, and what the Force is used for.

Jedi of Information Security

One of the things that led to the creation of this blog was a discussion I had with someone a couple weeks ago about the various fighting styles of the Jedi. Yes, I'm talking about the same Jedi from the Star Wars Universe.

It occurred to me that just as the Jedi had different fighting styles and preferences, so too is the case for Information Security professionals. I started trying to categorize the fighting styles of the Information Security professional and I found that some of the styles even match up to the various forms of lightsaber combat.

As I kept thinking about this over the next few days I started to discover more similarities between the Jedi and the contemporary Information Security professional. For example, each Jedi Padawan goes on a mission to find the right pieces and construct his or her own lightsaber, much in the same way that a security professional assembles the tool set that he or she will use in the battle to protect information. In the Star Wars Universe there are good and evil practitioners of the Force, just as we in the security field have white hat and black hat hackers.

Finally, I thought that there might just be enough material here that I could put it all together into a blog and combine it with some of the other thoughts that I've had as I chronicle my own growth and understanding of information security. In the world of information security I consider myself to be a Padawan learner, and as I've compared the practice of information security with the practices of the Jedi I've found that it has led to a greater understanding of the former. It has helped me to accept that even though there is so much that I have yet to learn about information security, there is also quite a bit that I have learned already, and even the masters are still learning and improving their craft. I hope my thoughts on the comparison of Jedi and information security practitioners prove to be insightful, entertaining, and lighthearted.