Kodama the Chameleon

Threat Intelligence and Other Contemplations…

   ___       __  _     __   
  / _ | ____/ /_(_)___/ /__ 
 / __ |/ __/ __/ / __/ / -_)
/_/ |_/_/  \__/_/\__/_/\__/

Information Security Policies

kodama

|

If you read my OMSCS CS6035 review and surmised that the subsequent one would arrive in August, kudos to you – your intuition was spot on! An all-star cadre of Milton Mueller, Andreas Kuehn, and Beau Sommerville lead this introduction into Information Security Policies, PUBP 6725. The course is one of the two core classes (excluding flex-core) so buckle up and let’s dig in, but first a bit of full disclosure.

For a chameleon that lives in many skin shades, I guess my thinking is more binary. Writing papers with subjective grading criteria gave me serious flashbacks to undergrad. When an instructor’s feedback reads more like a rebuttal to your key arguments, one can only wonder what your grade would have been if you had taken the position of the other side. Needless to say, my performance flourishes in domains where technical sciences prevail, offering unequivocal delineation between correct and incorrect solutions.

Taking PUBP 6725 in the summer, I completed a total of four assignments, two of which were group projects. Did some body say GROUP?! You mean I might have to work with that guy?

Ok, don’t freak out! As much of a pain as it can be to have your grade tied to the performance of others, there were some unconsidered benefits as well. Online programs can make it rather difficult to network professionally with others in the course. Being forced to work together, I actually got to meet some really cool people! So, cast aside the solitary chameleon persona and harmonize with the idea that everybody needs “somebody to lean on.” 🎶 Rest in peace, Bill.

The first group assignment involved phishing an assigned teacher’s assistant (TA). Kind of a pleasant surprise from a policy course. The TA really does make a huge difference in this course and this is especially true of the phishing assignment. It took some prodding to get better clarification of the rules of engagement (ROE), but, spoiler alert, it’s fairly restrictive. Our reconnaissance turned up some pretty interesting vectors which were all out-of-bounds. Such is life, I guess! One final tip though before moving on from this assignment, give yourself plenty of time to test your delivery. Infrastructure can make a world of a difference, so if you wait too late, you may find yourself locked in without enough time to try setting up something else.

The other group assignment involved writing a ransomware policy for Georgia Tech. So just read some of GA Tech’s policies and write something of similar format, length, and style covering ransomware. Easy-peazy, right? Eh (nervous laugh), let’s just say that the exemplary submissions read more like technical reports with a policy template attached. I’ve seen a lot of policy documents in my day from various organizations and never seen the level of technical detail in a policy as in the exemplary submissions. Treat it more like another term paper and you should be fine.

The core of the course, the term paper, is what you make of it. Your instructor and TAs understandably caution against picking too new of an incident, but as long as you can find sufficient and varied sources to fully explore the Diamond Model analysis, you should be good to go. You can read my submission at Move Over, MOVEit, for Open-Source. What’s the Diamond Model? It’s really the main theme of this course. I can see how it might be useful; however, there is a reason that the Cyber Kill Chain or Mitre Att&Ck frameworks are more widely used. The Diamond Model’s strength is also it’s greatest weakness, the ability to oversimplify.

The course’s final assignment involved posting an initial statement regarding the European Union’s proposed Cyber Resiliency Act (CRA) and then discussing/debating the act’s merits with your classmates in an online chat forum. The assignment started off ok, but after so many opinions spouted…

Well, if you are keeping score, that’s the four assignments. There are open book quizzes. They are not too terribly difficult, but take your time and read the questions thoroughly. Some of them read a bit like CISSP questions which seem to relish the opportunity to trip you up on verbiage. No disrespect to my CISSP holders, but if you wanted to practice law, why not become a lawyer? Hey, am I right?

Until next time then, fellow crawlers…

“You just call on me brother
When you need a hand
We all need somebody to lean on

I just might have a problem that you’ll understand
We all need somebody to lean on” 🎶🎶🎶

, , , ,