Writing for Cybersecurity

Upload: anitian

Post on 15-Apr-2017

TRANSCRIPT

Page 1: Writing for Cybersecurity

Intelligent Information Security | ANITIAN

WRITING FOR CYBERSECURITY

ANITIAN

Page 2: Writing for Cybersecurity

Meet the Speaker – Andrew Plato

• President / CEO of Anitian
• Principal at TrueBit CyberPartners
• 20+ years of experience in security
• Authored gigatons of content
• Discovered SQL injection in 1995
• Helped develop first in-line IPS engine (BlackICE)

Page 3: Writing for Cybersecurity

Vision: Security is essential to growth, innovation, and prosperity.

Mission: Build great security leaders.

ANITIAN
• Rapid Risk Assessment
• Compliance Assessment & Audit
• Full-Spectrum Security Testing
• Managed Threat Intelligence

Page 4: Writing for Cybersecurity

Overview

Intent
• Help you become a better cybersecurity writer
• Improve your security program
• Demonstrate Anitian’s value

Outline
1. Communicating Complexity to the Masses
2. Sins of Bad Policy Writing
3. Ten Steps to Better Policy Writing
4. Final Thoughts

Page 5: Writing for Cybersecurity

Assumptions

People do not read policies because they are:
• Non-existent
• Distant, dull, stiff, and formal
• Inconsistent
• Angry, aggressive, punitive
• About security, not people

To improve this, we must:
• Increase ownership of the content
• Simultaneously communicate to different kinds of readers
• Hyper-simplify complexity

Page 6: Writing for Cybersecurity

COMMUNICATING COMPLEXITY TO THE MASSES

Page 7: Writing for Cybersecurity

THIS IS HOW YOU THINK

Page 8: Writing for Cybersecurity

THIS IS HOW YOU MUST WRITE

duh

Page 9: Writing for Cybersecurity

THIS IS THE VOICE INFOSEC WRITERS HAVE IN THEIR HEAD

Nobody listens to me

Page 10: Writing for Cybersecurity

THIS IS THE VOICE INFOSEC WRITERS USE IN THEIR POLICIES

Jerk

SCREECH!

Page 11: Writing for Cybersecurity

AND THIS IS WHAT YOUR READER HEARS

Page 12: Writing for Cybersecurity

IT DOES NOT MATTER HOW RIGHT YOU ARE IF NOBODY READS YOUR POLICY

Page 13: Writing for Cybersecurity

USE THIS VOICE

Page 14: Writing for Cybersecurity

OR THIS ONE

Page 15: Writing for Cybersecurity

OR THIS ONE

Only Nixon can go to BlackHat

Page 16: Writing for Cybersecurity

How We Learn

Auditory
• Sounds, tone, vocalizations, volume
• “Leadership has voiced concern with our endpoint security.”

Visual
• Images, designs, graphics, layout, structure of works
• “Look at the improvements we have made.”

Doing (Kinesthetic)
• Action-oriented words
• “Install the software and scan the network.”

Page 17: Writing for Cybersecurity

Persuasion Basics

Logic: reason, data, proof
• Weak, lacks stickiness
• “Data shows a steady increase in compromised hosts. It follows that our security controls are ineffective.”

Ethics: appeal to what is right and wrong
• Balanced, preachy
• “Protecting patient data is the right thing to do.”

Emotions: love, hate, fear, disgust
• Strong, illogical
• “If we don’t patch, the hackers will steal everything and we will lose our jobs.”

Page 18: Writing for Cybersecurity

WHO IS RESPONSIBLE FOR EFFECTIVE COMMUNICATION?

Page 19: Writing for Cybersecurity

YOU ARE RESPONSIBLE FOR EFFECTIVE COMMUNICATION

Page 20: Writing for Cybersecurity

Great Communicators of Complexity

• Neil deGrasse Tyson
• James Burke
• Bill Nye
• Jane Goodall
• Stephen Hawking
• Carl Sagan

They render complexity into simplicity to motivate, inspire, and educate.

Page 21: Writing for Cybersecurity

THE SINS OF BAD POLICY WRITERS

Page 22: Writing for Cybersecurity

What Are You Writing?

Document: What it says
• Policy: You must do this.
• Standard: You must conform to this.
• Procedure: Do these exact steps.
• Guideline: Here are some good ideas you can ignore.
• Methodology: Do it this way, or else.
• Report: Idea, data, conclusions.

• If you don’t know, how can the reader?
• Likewise, you may know, but the reader does not.

EXAMPLE
This document describes our risk assessment approach at XYZ company.

Page 23: Writing for Cybersecurity

Why Am I Reading This?

• Begin every document with:
  1. A clear statement of intent
  2. Scope of the document
  3. Definitions of words or concepts
  4. Who is responsible for writing this document
• Be painfully clear
• Use simple sentences. Avoid gerunds and dependent clauses.

EXAMPLE
This document describes our risk assessment approach. It is intended to help you do your job better and minimize our risk. This document applies to all IT personnel. The ISO is the author.

Page 24: Writing for Cybersecurity

Insecurity Writing

• It is not about you
• Cut out the big, impressive-sounding blather
• Do not show off how much you know; it shows weakness
• Delete the CYA text; it sounds weak
• Be friendly, conversational, and direct

BAD
At the request of the cybersecurity committee this policy has been generated for the communication of organizational expectations for the alignment of employees to a common set of practices. Also because the Board has authorized only a fraction of the resources necessary for continued operations, this policy will be interim until the required team has….

BETTER
This policy describes security practices all employees must follow. It may be updated at any time as our business needs change.

Page 25: Writing for Cybersecurity

LOL, Whut?

• Be precise with your words and explanations
• Avoid wandering around the point
• Avoid emotional words or obvious complaining
• Get to the point, fast

BAD
This policy is for designated for all full-time, regionally managed, and employees without the necessary access to obtain data from the application systems. The organizational committee on the use of portable electronical devices has convened these ISO 27001 aligned practices which every employee should familiarize themselves with to properly engage their responsibilities for protection of personally identifiable information which can limit our financial growth. Management has elected to oppress the expression of security control alignment.

BETTER
You need mobile devices for work. This policy outlines the rules for using your mobile device. The rules are intended to protect data. They also ensure our company meets the proper regulations.

Page 26: Writing for Cybersecurity

Ugh, Clichés

• Next-generation, envelope pushing, pigs with lipstick
• Synergizing, viral win-wins
• Rising boats with heuristically big data blind spots

BAD
We are not a target. But we must get our ducks in a row and think outside the box. We must push the envelope and shift the paradigm. We need a next-generation thinking to align our synergies to create viral low-hanging fruit. The ball is in your court, development. Let’s touch base after we have socialized this among the team. I expect 110%. This is a real win-win situation, on steroids. Ping me when your ready for a deep-dive.

REALITY
I am a clueless idiot. Just ignore me.

Page 27: Writing for Cybersecurity

TL;DR

• The Great Wall of Text
• Shows weakness, insecurity, and lack of knowledge
• Less is more

BAD
Sample Company has leveraged SOAP and XML based repositories which are deployed in the Kent data center on a high-availability platform that has been used for security controls and data storage within the confines of the current security plan which requires key rotation on an annual basis. This platform which has multiple data repositories must be secured in a manner compliant with PCI DSS 3.1. Requirement 3.6. This requirement states: Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data, including the following: Note: Numerous industry standards for key management are available from various resources including NIST, which can be found at http://csrc.nist.gov. Our team has assessed the key management policies set forth in the Key Management Policy D292929038 and found there is a misalignment with requirements in the nature of cryptographic management. Annual cryptographic renewal is not being performed as stated in the guidelines.

BETTER
The web application is not PCI compliant. It does not rotate encryption keys annually.

Page 28: Writing for Cybersecurity

The Third Person

• Third person allows the readers to disassociate themselves from the content (this applies to THEM, not ME)
• It is awkward to read, but feels right when writing
• Address the reader directly; put them in the document
• Makes it more personal, encourages ownership
• Use the word YOU
• Millennials like this; it’s authentic and inclusive

BAD
Employees are required to meet strict password complexity guidelines. Each employee will familiarize themselves with the password rules. Individuals will be audited to ensure compliance and alignment with organizational requirements.

BETTER
Our security is important. You need to use complex passwords so hackers cannot guess them. Review the rules below. Make sure your passwords meet these rules.

Page 29: Writing for Cybersecurity

10 STEPS TO BETTER WRITING

Page 30: Writing for Cybersecurity

1. THE TIME IS NOW

• Write as if it is happening right at this very second
• Use action words: do, implement, install, apply, distribute, etc.
• Minimize past and future tenses

EXAMPLE
Implement the key rotation policy. Notify the project manager when complete.

Page 31: Writing for Cybersecurity

2. GO ALL IN

• Never express any doubt
• There is no debate: your words are the infallible words of the almighty
• Better to be strong and wrong
• Watch out for could, should, might, try, and hope

EXAMPLE
The network is scanned for vulnerabilities each night. Developers must fix critical vulnerabilities in 72 hours or less.

Page 32: Writing for Cybersecurity

3. JUST SAY IT

• What are you trying to say?
• Just say it
• Get to the point, fast
• Avoid any justifications or CYA
• This is not for you; it’s for the reader

EXAMPLE
You may not copy confidential data to any removable media.

Page 33: Writing for Cybersecurity

4. VISUALIZE A SPECIFIC PERSON

• Visualize your reader
• See them in your mind, write to them
• The responsibility of communication is on you, not them

Page 34: Writing for Cybersecurity

5. LESS IS MORE

• Write way less
• It works

EXAMPLE
You are responsible for protecting patient data.

Page 35: Writing for Cybersecurity

6. LEAD THE READER

• Dribble out information slowly
• One thought per sentence
• One point per paragraph
• One topic per section
• Put the most important detail as the object

EXAMPLE
All data is encrypted. It is stored in the SQL server at AWS. Access is restricted to developers only.

Page 36: Writing for Cybersecurity

7. COME OUT SWINGING

• You have three sentences to capture your reader
• Put 50% of your effort into the first few sentences
• Be bold and decisive
• Use a hook-frame:
  • Hook the reader with a direct statement or anecdote: “You are important to us…”
  • Revisit this at the end of your document

Page 37: Writing for Cybersecurity

8. LOVE THE TABLE

• Tables are excellent ways to display relational information
• They are pleasing to the eye as well
• Be careful not to overstyle them

Table columns: Concept | Definition | Contrary | What to Say

Concept: Talk Straight
Definition: Be honest, tell the truth. Let people know where you stand. Use simple language. Call things as they are.
Contrary: Lie, deceive. Spin facts into half-truths.
What to Say:
• Here is how I see things…
• I feel strongly about this…
• I suggest we do the following.
• These are the facts as I see them.
• The truth here is…
• I respect your opinion; here is my perspective on this.
• I intend to get to the truth here.
• Let me share with you what I have observed.

Page 38: Writing for Cybersecurity

9. KEEP ORDER

• SUBJECT –> VERB –> OBJECT
• Consistency beats perfection
• Who/what does what?
• Who/what goes where?
• Who/what is where?

EXAMPLE
The NOC scans the network. The ISO reviews the results. Help desk may not access the CDE.

Page 39: Writing for Cybersecurity

10. NUKE “BY”

• Never use the word “by”
• I mean never
• Seriously
• Never
• No, not at all

Page 40: Writing for Cybersecurity

FINAL THOUGHTS

Page 41: Writing for Cybersecurity

Words & Phrases to Avoid

Type: Words
• Meaningless adjectives: very, good, nice, best, most, really
• Weak hope: should, could, maybe, might, try
• Touchy Feely: think, feel, embrace, interface, touch, empower
• Bizspeak: utilize, paradigm, turnkey, value-added
• Useless words: just, like, really, utilize, actually, literally, basically, kind of
• Who cares: in my opinion, it has been said, as we all know, that I am aware of, guru, common sense says

Page 42: Writing for Cybersecurity

Use a Consistent Structure

Policy
1. Purpose
2. Premises
3. Definitions
4. Scope
5. Policies
   • Policy 1
   • Policy 2
   • Policy 3
6. Exceptions
7. References
8. Enforcement

Standard
1. Purpose
2. Premises
3. Definitions
4. Scope
5. Standards
   • S1
   • S2
   • S3
6. Exceptions
7. References
8. Enforcement

Procedure
1. Purpose
2. Premises
3. Definitions
4. Scope
5. Procedures
   • Proc1
   • Proc2
   • Proc3
6. Exceptions
7. References
8. Enforcement

Page 43: Writing for Cybersecurity

Style Gently

Page 44: Writing for Cybersecurity

Great Policy Documents Are Not… / They Are…

• Not: Perfect / Are: Consistent
• Not: Comprehensive, full of theories / Are: Concise, saying only what needs to be said
• Not: Uncertain / Are: Decisive, absolute, precise
• Not: Just what the auditor wants / Are: Realistic, reflect the actual business
• Not: Cold, distant, stiff, formal / Are: In the 2nd person, friendly
• Not: Conflicted / Are: Have a clear intent
• Not: Your outlet for anger, frustration, or insecurity / Are: Your outlet to be heard and help people
• Not: Written for you / Are: Written for the reader

Page 45: Writing for Cybersecurity

GREAT WRITING GETS YOU WHAT YOU WANT

CATNIP!

Page 46: Writing for Cybersecurity

Email: [email protected]
Twitter: @andrewplato, @AnitianSecurity
Web: www.anitian.com
Blog: blog.anitian.com
Slides: bit.ly/anitian
Call: 888-ANITIAN

THANK YOU