Writing for Cybersecurity
TRANSCRIPT
Anitian: Intelligent Information Security
WRITING FOR CYBERSECURITY
ANITIAN
Meet the Speaker – Andrew Plato
• President / CEO of Anitian
• Principal at TrueBit CyberPartners
• 20+ years of experience in security
• Authored gigatons of content
• Discovered SQL injection in 1995
• Helped develop first in-line IPS engine (BlackICE)
Vision: Security is essential to growth, innovation, and prosperity.
Mission: Build great security leaders.
ANITIAN
• Rapid Risk Assessment
• Compliance Assessment & Audit
• Full-Spectrum Security Testing
• Managed Threat Intelligence
Overview
Intent
• Help you become a better cybersecurity writer
• Improve your security program
• Demonstrate Anitian’s value
Outline
1. Communicating Complexity to the Masses
2. Sins of Bad Policy Writing
3. Ten Steps to Better Policy Writing
4. Final Thoughts
Assumptions
People do not read policies because they are:
• Non-existent
• Distant, dull, stiff, and formal
• Inconsistent
• Angry, aggressive, punitive
• About security, not people
To improve this, we must:
• Increase ownership of the content
• Simultaneously communicate to different kinds of readers
• Hyper-simplify complexity
COMMUNICATING COMPLEXITY TO THE MASSES
THIS IS HOW YOU THINK
THIS IS HOW YOU MUST WRITE
THIS IS THE VOICE INFOSEC WRITERS HAVE IN THEIR HEAD
(Image caption: “Nobody listens to me”)
THIS IS THE VOICE INFOSEC WRITERS USE IN THEIR POLICIES
(Image captions: “Jerk”, “SCREECH!”)
AND THIS IS WHAT YOUR READER HEARS
IT DOES NOT MATTER HOW RIGHT YOU ARE IF NOBODY READS YOUR POLICY
USE THIS VOICE
OR THIS ONE
OR THIS ONE
(Image caption: “Only Nixon can go to BlackHat”)
How We Learn
Auditory
• Sounds, tone, vocalizations, volume
• “Leadership has voiced concern with our endpoint security.”
Visual
• Images, designs, graphics, layout, structure of works
• “Look at the improvements we have made.”
Doing (Kinesthetic)
• Action-oriented words
• “Install the software and scan the network.”
Persuasion Basics
Logic: reason, data, proof
• Weak, lacks stickiness
• “Data shows a steady increase in compromised hosts. It follows that our security controls are ineffective.”
Ethics: appeal to what is right and wrong
• Balanced, preachy
• “Protecting patient data is the right thing to do.”
Emotions: love, hate, fear, disgust
• Strong, illogical
• “If we don’t patch, the hackers will steal everything and we will lose our jobs.”
WHO IS RESPONSIBLE FOR EFFECTIVE COMMUNICATION?
YOU ARE RESPONSIBLE FOR EFFECTIVE COMMUNICATION
Great Communicators of Complexity
Neil deGrasse Tyson, James Burke, Bill Nye, Jane Goodall, Stephen Hawking, Carl Sagan
They render complexity into simplicity to motivate, inspire, and educate.
THE SINS OF BAD POLICY WRITERS
What Are You Writing?
Document      What it says
Policy        You must do this.
Standard      You must conform to this.
Procedure     Do these exact steps.
Guideline     Here are some good ideas you can ignore.
Methodology   Do it this way, or else.
Report        Idea, data, conclusions.
• If you don’t know, how can the reader?
• Likewise, you may know, but the reader does not.
EXAMPLE
This document describes our risk assessment approach at XYZ company.
Why Am I Reading This?
• Begin every document with:
  1. A clear statement of intent
  2. Scope of the document
  3. Definitions of words or concepts
  4. Who is responsible for writing this document
• Be painfully clear
• Use simple sentences. Avoid gerunds and dependent clauses.
EXAMPLE
This document describes our risk assessment approach. It is intended to help you do your job better and minimize our risk. This document applies to all IT personnel. The ISO is the author.
Insecurity Writing
• It is not about you
• Cut out the big, impressive-sounding blather
• Do not show off how much you know; it shows weakness
• Delete the CYA text; it sounds weak
• Be friendly, conversational, and direct
BAD
At the request of the cybersecurity committee this policy has been generated for the communication of organizational expectations for the alignment of employees to a common set of practices. Also because the Board has authorized only a fraction of the resources necessary for continued operations, this policy will be interim until the required team has….
BETTER
This policy describes security practices all employees must follow. It may be updated at any time as our business needs change.
LOL, Whut?
• Be precise with your words and explanations
• Avoid wandering around the point
• Avoid emotional words or obvious complaining
• Get to the point, fast
BAD
This policy is for designated for all full-time, regionally managed, and employees without the necessary access to obtain data from the application systems. The organizational committee on the use of portable electronical devices has convened these ISO 27001 aligned practices which every employee should familiarize themselves with to properly engage their responsibilities for protection of personally identifiable information which can limit our financial growth. Management has elected to oppress the expression of security control alignment.
BETTER
You need mobile devices for work. This policy outlines the rules for using your mobile device. The rules are intended to protect data. They also ensure our company meets the proper regulations.
Ugh, Clichés
• Next-generation, envelope pushing, pigs with lipstick
• Synergizing, viral win-wins
• Rising boats with heuristically big data blind spots
BAD
We are not a target. But we must get our ducks in a row and think outside the box. We must push the envelope and shift the paradigm. We need a next-generation thinking to align our synergies to create viral low-hanging fruit. The ball is in your court, development. Let’s touch base after we have socialized this among the team. I expect 110%. This is a real win-win situation, on steroids. Ping me when your ready for a deep-dive.
REALITY
I am a clueless idiot. Just ignore me.
TL;DR
• The Great Wall of Text
• Shows weakness, insecurity, and lack of knowledge
• Less is more
BAD
Sample Company has leveraged SOAP and XML based repositories which are deployed in the Kent data center on a high-availability platform that has been used for security controls and data storage within the confines of the current security plan which requires key rotation on an annual basis. This platform which has multiple data repositories must be secured in a manner compliant with PCI DSS 3.1. Requirement 3.6. This requirement states: Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data, including the following:Note: Numerous industry standards for key management are available from various resources including NIST, which can be found at http://csrc.nist.gov.Our team has assessed the key management policies set forth in the Key Management Policy D292929038 and found there is a misalignment with requirements in the nature of cryptographic management. Annual cryptographic renewal is not being performed as stated in the guidelines.
BETTER
The web application is not PCI compliant. It does not rotate encryption keys annually.
The Third Person
• Third person allows readers to disassociate themselves from the content (this applies to THEM, not ME)
• It is awkward to read, but feels right when writing
• Address the reader directly; put them in the document
• Makes it more personal, encourages ownership
• Use the word YOU
• Millennials like this; it’s authentic and inclusive
BAD
Employees are required to meet strict password complexity guidelines. Each employee will familiarize themselves with the password rules. Individuals will be audited to ensure compliance and alignment with organizational requirements.
BETTER
Our security is important. You need to use complex passwords so hackers cannot guess them. Review the rules below. Make sure your passwords meet these rules.
10 STEPS TO BETTER WRITING
1. THE TIME IS NOW
• Write as if it is happening right at this very second
• Use action words: do, implement, install, apply, distribute, etc.
• Minimize past and future tenses
EXAMPLE
Implement the key rotation policy. Notify the project manager when complete.
2. GO ALL IN
• Never express any doubt
• There is no debate; your words are the infallible words of the almighty
• Better to be strong and wrong
• Watch out for could, should, might, try, and hope
EXAMPLE
The network is scanned for vulnerabilities each night. Developers must fix critical vulnerabilities in 72 hours or less.
3. JUST SAY IT
• What are you trying to say?
• Just say it
• Get to the point, fast
• Avoid any justifications or CYA
• This is not for you; it’s for the reader
EXAMPLE
You may not copy confidential data to any removable media.
4. VISUALIZE A SPECIFIC PERSON
• Visualize your reader
• See them in your mind; write to them
• The responsibility of communication is on you, not them
5. LESS IS MORE
• Write way less
• It works
EXAMPLE
You are responsible for protecting patient data.
6. LEAD THE READER
• Dribble out information slowly
• One thought per sentence
• One point per paragraph
• One topic per section
• Put the most important detail as the object
EXAMPLE
All data is encrypted. It is stored in the SQL server at AWS. Access is restricted to developers only.
7. COME OUT SWINGING
• You have three sentences to capture your reader
• Put 50% of your effort into the first few sentences
• Be bold and decisive
• Use a hook-frame:
  • Hook the reader with a direct statement or anecdote: “You are important to us…”
  • Revisit this at the end of your document
8. LOVE THE TABLE
• Tables are excellent ways to display relational information
• They are pleasing to the eye as well
• Be careful not to overstyle them
Example table (columns: Concept, Definition, Contrary, What to Say):
Concept: Talk Straight
Definition: Be honest, tell the truth. Let people know where you stand. Use simple language. Call things as they are.
Contrary: Lie, deceive. Spin facts into half-truths.
What to Say: Here is how I see things… I feel strongly about this… I suggest we do the following. These are the facts as I see them. The truth here is… I respect your opinion; here is my perspective on this. I intend to get to the truth here. Let me share with you what I have observed.
9. KEEP ORDER
• SUBJECT –> VERB –> OBJECT
• Consistency beats perfection
• Who/what does what?
• Who/what goes where?
• Who/what is where?
EXAMPLE
The NOC scans the network. The ISO reviews the results. Help desk may not access the CDE.
10. NUKE “BY”
• Never use “by”
• I mean never
• Seriously
• Never
• No, not at all
FINAL THOUGHTS
Words & Phrases to Avoid
Type                     Words
Meaningless adjectives   very, good, nice, best, most, really
Weak hope                should, could, maybe, might, try
Touchy feely             think, feel, embrace, interface, touch, empower
Bizspeak                 utilize, paradigm, turnkey, value-added
Useless words            just, like, really, utilize, actually, literally, basically, kind of
Who cares                in my opinion, it has been said, as we all know, that I am aware of, guru, common sense says
Use a Consistent Structure
Policy
1. Purpose
2. Premises
3. Definitions
4. Scope
5. Policies
   • Policy 1
   • Policy 2
   • Policy 3
6. Exceptions
7. References
8. Enforcement
Standard
1. Purpose
2. Premises
3. Definitions
4. Scope
5. Standards
   • S1
   • S2
   • S3
6. Exceptions
7. References
8. Enforcement
Procedure
1. Purpose
2. Premises
3. Definitions
4. Scope
5. Procedures
   • Proc1
   • Proc2
   • Proc3
6. Exceptions
7. References
8. Enforcement
Style Gently
Great Policy Documents Are Not… They Are
Are Not                                             They Are
Perfect                                             Consistent
Comprehensive, full of theories                     Concise, saying only what needs to be said
Uncertain                                           Decisive, absolute, precise
Just what the auditor wants                         Realistic, reflect the actual business
Cold, distant, stiff, formal                        In the 2nd person, friendly
Conflicted                                          Have a clear intent
Your outlet for anger, frustration, or insecurity   Your outlet to be heard and help people
Written for you                                     Written for the reader
GREAT WRITING GETS YOU WHAT YOU WANT
(Image caption: “CATNIP!”)
Email: [email protected]
@andrewplato
@AnitianSecurity
Web: www.anitian.com
Blog: blog.anitian.com
Slides: bit.ly/anitian
Call: 888-ANITIAN
THANK YOU