Search This Blog

Friday, June 12, 2015

Cyber security


I, a total non technical person, initiated and suggested this way back in the early 2000 along with a cyber security specialist, my neighbor, who being a specialized cyber security architect ad auditor and was a trainer on cyber security to top police officials and he also laid the entire cyber security system for Mauritius Government central bank etc along with some other top soft ware professionals.

It was much before mobile and internet banking of this scale started in India.

I even made detailed presentation on this along with these specialists to some professional companies which were doing back office work to leading International Banks but since no one showed any real interest or came forward to invest. We gave up the project, subsequently, recently we have colleges which have churned out post graduates in cyber security with in depth knowledge and are being employed and used by foreign banks.

At least now I think someone must and can think seriously about this.

The beauty is I have forwarded this to some directors of IT departments of big government corporations. All are sitting on it.

I even named it as 6Ms CSS

Monitor, Measure, Map, Make specific architecture, Make the installation and Maintain.



“The most vital systems of our society are all dependent on technology and computers. As a nation, we are only as strong as the security on the weakest link on these interconnected and interoperable systems... If cybersecurity is not a priority, then our economy and our infrastructures are at risk. Government, the private sector, and academia should all work together to develop a culture of security in cyberspace.”
n  Protecting Cyberspace, House of Representatives Committee on Homeland Security


Tech savvy high-tech criminals, using the latest and most sophisticated technologies.


All sectors where systems are used which means our entire life support systems i.e. all activities involved in growth and development of our economy especially the whole gamut of infrastructure these systems support and operate.


All Windows Platform
 & UNIX Platform

Hypertext Transfer Protocol
Application Server Vulnerabilities


Throughout the entire incident timeline; pre-incident (prior to something bad actually happening), during an incident (when all heck is breaking loose) and post-incident (when everyone is sitting around wondering what the hell happened?)


When you can measure what you are speaking about, and express it in numbers, you know something about it. But when you cannot measure it, when you cannot express it in numbers, your knowledge is of a meager and unsatisfactory kind.
— Lord Kelvin (British Physicist)


Honestly if we cannot measure something we cannot  hope to improve it. the yard stick  must be there to evaluate any improvement or development. So security must be measured because with security metrics we can measure adherence to compliance initiatives, provide information on involvement of security in various operational efforts, and get insights that can be used for allocation of resources.

How to measure?

“The only man who behaves sensibly is my tailor; he takes my measurements anew every time he sees me, while all the rest go on with their old measurements and expect me to fit them”
George Bernard Shaw 

It is imperative that the measurement is industry specific, threat specific,vulnerability specific ,technology specific .
there cannot be any universal or static measurement that can be expeced to be valid at all time and for all verticles.


"The scientific method is at base analytic scrutiny, exact measuring, careful recording, and judgment on the basis of observed fact. Science in education is not a body of information, but a method, and its object is to find out and to learn how."
Leonard P. Ayres (1918) History and present status of educational measurements. In G. M. Whipple (Ed.), 17th NSSE Yearbook. Bloomington IL: Public School Pub. Co. p. 14

So after having done the monitoring [i.e. analytic scrutiny] and measuring [i.e. exact measuring] we move on to mapping [i.e. careful recording, and judgment on the basis of observed fact]

Map what?

The areas of vulnerability. Fence the borders of vulnerability from the attackers and protect the territory of our operations with appropriate and adequate security to ensure safe and smooth functioning.

Make specific architecture

Science in education is not a body of information, but a method, and its object is to find out and to learn how."
Leonard P. Ayres (1918)

All science is concerned with the relationship of cause and effect. Each scientific discovery increases man's ability to predict the consequences of his actions and thus his ability to control future events. Lawrence J. Peters

What type of architecture?

It is again industry specific, threat specific, vulnerability specific , technology specific especially with the growing number of focussed attackers as well as frustrated insiders.

It must be compatible to the existing systems and software in operation as you cannot have doors permanently closed just to avoid unwanted guests.

Make the installation

Few will have the greatness to bend history itself; but each of us can work to change a small portion of events, and in the total of all those acts will be written the history of this generation. Robert F. Kennedy

Once the security aspects, threats, failures, vulnerabilities are monitored, measured, mapped and suitable architecture made, then, the appropriate remedial measures must be installed in place to write the history of safe, modern and secured cyber generation driven by information technology and living on internet.


Not everything that is faced can be changed; but nothing can be changed until it is faced.  James Baldwin

Even well researched and authentic installations have to be scrupulously and constantly maintained as attackers and their equipments constantly try to disturb the installations. So only as and when new attacks are faced the modifications and maintenance of installations take place. It requires constant vigil because the time to develop countermeasures is longer than time to attack.

No comments: