Great Learning & Information Security - Chinese Edition
DESCRIPTION
How an ancient Chinese classic, Great Learning, remains relevant in the modern information security profession. This presentation shows side by side how what was true back in 400 BC can also apply to the modern 21st century. It is also the first book on MaaS (Management as a Service).
TRANSCRIPT
大學 & 資訊安全
Great Learning & Information Security
How an ancient Chinese classic remains relevant in modern information security
Chuan Lin, CISSP
Great Learning Background
Who wrote it?
• Zengzi, a disciple of Confucius, wrote Great Learning around 450 BC – 436 BC.
• In the Song Dynasty (960 AD – 1270 AD), the Cheng Brothers and their student Zhu Xi corrupted the original text and its meaning.
• In recent times, Master Nan Huai Jin and Captain Chang Teh-Kuang (ret.) are among the recent Chinese scholars who have attempted to bring Great Learning back to a lost Chinese generation.
What is it?
• It is the first self-help book that has withstood the test of time, and the first book on Management as a Service (MaaS).
Great Learning Background II
When was it written?
• It was written sometime between 450 – 436 BC, during the Spring and Autumn Period of Chinese history, when China was a feudal sovereignty consisting of a hundred city-states that owed loyalty to the Zhou Dynasty.
Where did it flourish?
• At the time it was written, Great Learning was just another school of thought contending with a hundred other ideas. Later it became one of the three core philosophies of China.
Great Learning Background III
Why does it matter?
• Its opening statement is no different from the mission statements of the (ISC)2 and SANS Codes of Ethics.
• While knowledge of the 10 domains and technical information is necessary for the information security professional (InfoSec Pro), a person's ethical standard is expected, yet little direction is given beyond following various laws and rulings such as HIPAA, SOX, GLBA, Safe Harbor, etc.
• I believe Great Learning can be a useful guide for InfoSec Pro ethics.
大學和資訊安全專業的目標 / Goals of Great Learning and the InfoSec Pro
What do we want to accomplish with our lives and our careers?
“大學之道、在明明德、在親民、在止於至善。”
The Dao of Great Learning is to illustrate illustrious virtues, to renovate the people, and to rest in the highest excellence.
“Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.” - (ISC)2 Code of Ethics
GIAC Code of Ethics
• Respect for the Public
• Respect for the Certification
• Respect for my Employer
• Respect for Myself
SANS Code of Ethics
• I will strive to know myself and be honest about my capability.
• I will conduct my business in a manner that assures the IT profession is considered one of integrity and professionalism.
• I respect privacy and confidentiality.
明明德的七證 / 7 Steps to Illustrating Illustrious Virtues
Seeking Self-Improvement First
“知 止 定 靜 安 慮 得”
to know, to cease, to still, to calm, to quiet, to ponder, to obtain
7 Steps to Illustrating Illustrious Virtues
How can these seven internal self-improvement steps affect oneself and one's InfoSec career in modern times?
知 (to know)
Self Improvement
• In the business world, we train in order to exploit the company's strategic strengths while correcting its weaknesses.
• In an engineering environment, we train in order to find and correct any product defects before going to market.
• Shouldn't we find and correct our own weaknesses before someone else, or we ourselves, launch a zero-day attack?
InfoSec Professional
• To know a company's security status: where its strengths are, where its weaknesses are.
• To know the company's business goals, its chain of command, its culture, its behaviors, and its processes.
• To know its defense-in-layers structure, its log controls, its state of readiness, its state of responsiveness, etc.
止 (to cease)
Self Improvement
• To cease is to prevent losing personal control.
• Cease personal bad habits through gradual reduction, redirection to healthier substitutes, or persistently cutting them off.
• Cease personal bad habits by forming new habits, rewarding oneself, and joining support groups.
InfoSec Professional
• To cease is to prevent the loss of control.
• To cease internal risks through reduction, mitigation, avoidance, or elimination.
• To cease through log controls, separation of duties, enforcement of least privilege, a secure software development lifecycle, and employee security awareness.
定 (to still)
Self Improvement
• Stillness lets us know our own strengths and weaknesses.
• Stillness lets us stop our ingrained habits and build on our strengths.
• Stillness gives us the confidence to withstand external pressures and blows.
InfoSec Professional
• To know a company's security status.
• To cease a company's risks.
• This gives the InfoSec Pro the confidence to remain level-headed when external threats appear.
靜 (to calm)
Self Improvement
• The mind is calm because you need not worry about your weaknesses being exploited by others.
• A calm mind filters your thoughts.
• A calm mind leads to physical health.
InfoSec Profession
• To calm is when a company does not have to worry about its information being misused.
• To calm allows a company to plan its business strategy.
• To calm allows a company to become healthy.
安 (to quiet)
Self Improvement
• Only calm makes quiet possible. When the mind is disturbed, the body cannot be at ease; when society is in turmoil, the state cannot be at peace.
• When the mind is at ease, the body is at ease.
• Calm lets you think clearly; quiet lets you work without disturbance.
InfoSec Profession
• Calm allows quiet. When information is exposed, a company cannot maintain quiet.
• Management desires quiet; employees desire quiet.
• Stillness allows a company to plan; quietness allows a company to carry out its plan without disruption.
慮 (to ponder)
Self Improvement
• To ponder is to handle affairs with precision and thoroughness.
• To ponder is to think with refinement.
• Thinking (想) is the coarse, shallow activity of the mind.
• Reflecting (思) is the fine, detailed activity of the mind.
• Pondering lets you plan the major affairs of life.
InfoSec Profession
• Pondering is planning InfoSec carefully. Pondering is keeping InfoSec awareness at the back of employees' minds.
• Thinking is about current InfoSec needs; pondering is about future InfoSec needs.
• Pondering allows both a company and an InfoSec Pro to plan out a long-range strategy.
得 (to obtain)
Self Improvement
• The state of peak illustrious virtue: no fear of personal flaws; an actionable life plan; balance of body and mind.
InfoSec Profession
• Peak security awareness state:
• COBIT's Optimizing Process
• ITIL's Optimized Maturity Assessment Level
• Security Awareness Roadmap: Metrics Framework
內聖外王 / Internal Sagacity, External Sovereignty
How to Renovate People and Rest at the Highest Excellence
Or How to Manage Self Before Managing Others
格物 致知 誠意 正心 脩身 / Investigation of Things, Knowledge, Sincerity, Rectification, Self-Cultivation
• Before managing others, first make sure you have successfully managed yourself.
• You must be able to withstand the scrutiny of others.
• Your actions, your behaviors, and your words will be constantly observed and judged.
• This is especially true in the age of Facebook, Twitter, and Instagram, where every little transgression will be caught on recording devices and spread like wildfire through the media.
• There are people who love nothing more than to tear down a hypocrite.
格物 (Investigation of Things)
Self Improvement
• Resembling Heaven and Earth, he does not go against them. His knowledge encompasses all things and his Dao aids all under Heaven, so he does not err. He moves in all directions without being carried away; he rejoices in Heaven and knows his destiny, so he does not worry. He is content in his place and generous in humaneness, so he is able to love.
• It encompasses the transformations of Heaven and Earth without overstepping, completes all things in every detail without omission, and comprehends the Dao of day and night; hence spirit has no fixed place, and change has no fixed form.
• It manifests in humaneness and conceals itself in function; it stirs all things yet does not share the sage's anxieties. Abundant virtue and great undertakings: how supreme they are!
InfoSec Profession
• Information Security (InfoSec) is about providing data availability, confidentiality, and integrity.
• Ideally, the InfoSec Professional (InfoSec Pro) needs to be involved at the start of every project because of information security concerns.
• Externally, the InfoSec Pro needs to know what regulations, laws, and audits are required for a project.
• Internally, the InfoSec Pro needs to know what technical, administrative, and physical constraints are required for a project.
致知 (Knowledge)
Self Improvement
• To know the incipient subtleties of things, is that not spiritual! To exhaust the spiritual and know transformation is the fullness of virtue.
• Be in harmony with the Dao and virtue, and order things by righteousness. Exhaust principle and fully realize nature, and thereby arrive at destiny.
• Thereby one follows the principle of nature and destiny.
InfoSec Profession
• The InfoSec Pro shares risk and vulnerability assessments with key consultants, managers, programmers, and other project members.
• They need to take the InfoSec Pro's concerns into account in project designs.
• Any data leak will be detrimental to the company's image, reputation, and confidence, not to mention possible lawsuits.
誠意 (Sincerity)
Self Improvement
• What is meant by making one's thoughts sincere is allowing no self-deception, as when we hate a bad smell or love a beautiful color. This is called self-contentment.
• Zengzi said: "What ten eyes behold and ten hands point to, how strict it is!"
• The inscription on the bathing tub of Tang read: "If you can renew yourself one day, do so every day, and again day after day."
InfoSec Profession
• The InfoSec Pro shows sincerity toward data preservation by sharing security knowledge and advocating security awareness.
• Every word and action will affect how employees view Information Security and its Awareness.
• The Dao of hacking improves, technology improves, InfoSec improves.
正心 (Rectification)
Self Improvement
• To rectify the heart:
• When one is moved by anger, the heart is not rectified.
• When one is moved by fear, the heart is not rectified.
• When one is moved by fondness and pleasure, the heart is not rectified.
• When one is moved by sorrow and anxiety, the heart is not rectified.
InfoSec Profession
• The InfoSec Pro has to rectify his heart to prevent preoccupation with the following:
• Anger
• Fear
• Desire
• Worry
• These prevent him from doing his job.
脩身 (Self-Cultivation)
Self Improvement
• A human life is a small universe.
• Wealth adorns the house, virtue adorns the person; the heart is broad and the body at ease.
• The accomplished gentleman: as if cut, as if filed; as if carved, as if polished.
InfoSec Profession
• A company is its own universe.
• Wealth enriches a company, virtues enrich employees, and broad-minded enterprises expand their ventures.
• The InfoSec Pro is constantly trimmed and scrubbed; he is frequently cut and polished.
齊家 治國 平天下 / Maintain Family, Regulate State (Company), Pacify Heaven Below (the Grid)
• Great Learning is the first classic on Management as a Service (MaaS).
• Only interested in personal cultivation? Read through Self-Cultivation (脩身).
• Only interested in maintaining a family or department? Read through Maintain Family (齊家).
• Only interested in maintaining a government or company? Read through Regulate State (治國).
• Only interested in maintaining all under Heaven or a multinational company? Read through Pacify Heaven Below (平天下).
• External Sovereignty is less about using the latest and greatest technology and more about managing people.
• Social engineering is the battle for hearts and minds that can get past the world's most secure firewall, IDS, IPS, and defense in layers.
• Despite advanced technology, people's hearts and souls remain the same. They can enforce or enfeeble information security.
齊家 (Maintain Family)
Self Improvement
• What is meant by "regulating the family lies in cultivating the self": people are partial toward those they love and cherish; partial toward those they despise and dislike; partial toward those they fear and revere.
• Hence: "No one knows the faults of his own son; no one knows the richness of his own growing grain."
InfoSec Profession
• Maintaining a department comes about after self-cultivation.
• It should be free from:
• Favoritism
• Disapproval
• Fear
• These will decrease employees' security awareness.
治國 (Regulate State / Company)
Self Improvement
• When one family is humane, the whole state rises to humaneness;
• when one family is courteous, the whole state rises to courtesy;
• when one man is greedy and perverse, the whole state falls into disorder.
• Such is the mechanism. This is why it is said: one word can ruin an affair, and one man can settle a state.
InfoSec Profession
• When a department behaves securely, the entire company promotes vigilance.
• When a department limits its access, the entire company promotes data control.
• When one man is negligent and corrupted, the entire company becomes vulnerable.
• Hence, a word can instigate a threat; a man can secure a company.
平天下 (Pacify Heaven Below / the Grid)
Self Improvement
• The gentleman has the way of the measuring square.
• This says: gain the people and you gain the state; lose the people and you lose the state.
• Words that go out perversely come back perversely; goods that come in perversely go out perversely.
InfoSec Profession
• An InfoSec Professional lives and breathes the Code of Ethics.
• Practice InfoSec, and others engage and the company enacts it. Disregard InfoSec, and others forget and the company neglects it.
• The Law of Consequence can be found in personal, social, career, financial, and political aspects.
Great Learning & InfoSec Recap
• As the first self-help book, it has withstood the test of time. As the first book on MaaS (Management as a Service), it shows how to serve others by first improving oneself.
• Instructions for management are no different from instructions for self-improvement. It is all about leading by example.
• Despite advanced technology, people's hearts and souls remain the same. They can enforce or enfeeble information security.