The Cyber CIA Triad

A graphic depicting the key elements of Cybersecurity defenses

Recently I completed a Master’s Degree in Cybersecurity. I pursued the degree simply to learn more about what Cyber was all about. I didn't have a plan for what I was going to do in the Cyberworld. I just enjoyed the challenge of learning about it.

What I (really) learned

• A little about a lot, it is all learnable
• It is definable, there are easily defined branches or knowledge areas related to cybersecurity, my focus was Information Assurance
• It is not simple, there are many elements and layers to cybersecurity and one can go very deep into each facet
• One can acquire the knowledge to understand it, acquiring the skills to use that knowledge is a bit more challenging
• We/you/me — we’re the real vulnerability, not the tools or systems themselves
• The tools and protocols exist, 1st we have to have them, 2nd we have to use them.
• There is no shortcut, defense needs to be in-depth

• Pay me now or pay me later, “the-elephant-is-in-the-room”, it is not a matter of if you are going to be adversely affected by a cyber bad actor, but when
• Our educational systems are teaching students yesterday’s problems and solutions

What I did not learn

• A lot about a little, we just scratched the surface
• Now what? I didn’t really end up with a roadmap, it was like throwing a bunch of darts on the wall and seeing what stuck
• How to get a job in Cyber
• Where cyber is going (I learned where cyber is, or more specifically was)
• How to “eat-an-elephant”

Next Steps

• Pick an area (such as packet analysis with Wireshark, cryptology and data encryption, or data analysis with R) and start digging
• “One-bite-at-a-time”, not looking to eat the whole elephant, just contain or control it such to use it to my advantage, without doing damage

Go back and look at the elephant picture near the start of this article, see the two birds riding on top, that is us — one is me, one is the adversary, we’re both riding the same elephant (cybersecurity). The goal is to keep cyber in balance, we cannot spend or devote unlimited resources to the problem, we must make choices, way options, and dedicate deliberate actions. We must be proactive. If one is simply reactive and running away when the elephant comes charging you’re at a significant disadvantage.

An interesting and revealing event and story occurred locally whereby the city of Oldsmar in Florida had its Water Treatment Plant Cyber Hacked. A bad actor got remote access to the water plant and changed the concentration of lye that goes into the drinking water by a factor of over 100.

One of the scariest and most revealing points made in the article was “…the attack…didn’t showcase a high level of hacking skill” and “It was the equivalent of walking through an unlocked front door.” In other words, it was easy for the hacker to do it and steps were not in place to prevent it.

This was a case of both the “C” and the “I” of CIA being compromised. First, the system was not Confidential in that an unintended user gained access to see the system. Secondly, that user affected the Integrity of the system by changing data. Both compromises were preventable. Unfortunately, those steps are often not taken until after the damage is done.

Another lesson learned.