Wednesday, April 28, 2021

InfoSec vs CyberSec vs ITSec vs CompSec vs NetSec vs AppSec

Since I am relatively new to the area of "security", I decided to look up the definitions of the terms that I often read or hear in the community. I took the definitions from the NIST CSRC glossary, SANS, and ACM.

Information Security (INFOSEC)
  • "The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability."[1]
  • "Information Security refers to the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption."[2]
Cybersecurity (CYBERSEC)
  • "Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and non-repudiation."[1]
    • (Aside: Cyber/Cyberspace - "The interdependent network of information technology infrastructures, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries."[1] Cyberspace is also treated as a "realm" or "domain", alongside land, sea, air, and space, in which war can take place.)
  • "Computer and network security, or cybersecurity..."[8]
  • In Education - "computing-based discipline involving technology, people, information, and processes to enable assured operations. It involves the creation, operation, analysis, and testing of secure computer systems. It is an interdisciplinary course of study, including aspects of law, policy, human factors, ethics, and risk management in the context of adversaries."[7]
Information Technology Security (ITSEC)
  • "technological discipline concerned with ensuring that IT systems perform as expected and do nothing more; that information is provided adequate protection for confidentiality; that system, data and software integrity is maintained; and that information and system resources are protected against unplanned disruptions of processing that could seriously impact mission accomplishment. Synonymous with Automated Information System Security, Computer Security and Information Systems Security."[1]
    • (Aside: Information Technology - "computing and/or communications hardware and/or software components and related resources that can collect, store, process, maintain, share, transmit, or dispose of data. IT components include computers and associated peripheral devices, computer operating systems, utility/support software, and communications hardware and software."[1])
  • "Information Technology Security also known as, IT Security is the process of implementing measures and systems designed to securely protect and safeguard information (business and personal data, voice conversations, still images, motion pictures, multimedia presentations, including those not yet conceived) utilizing various forms of technology developed to create, store, use and exchange such information against any unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure, thereby preserving the value, confidentiality, integrity, availability, intended use and its ability to perform their permitted critical functions."[5]
Computer Security (COMPSEC)
  • "Computer Security is concerned with the risks related to computer use, and ensures the availability, integrity and confidentiality of information managed by the computer system, permitting authorized users to carry out legitimate and useful tasks within a secure computing environment."[3]
  • "Measures and controls that ensure confidentiality, integrity, and availability of the information processed and stored by a computer. Rationale: Term has been replaced by the term "cybersecurity"."[1]
  • (Aside: probably the term of choice in the days when computer networks were not yet ubiquitous, which is why NIST now folds it into "cybersecurity")
Network Security (NETSEC)
  • "Network Security is the process of taking physical and software preventative measures to protect the underlying networking infrastructure from unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure, thereby creating a secure platform for computers, users and programs to perform their permitted critical functions within a secure environment."[4]
Application Security (APPSEC)
  • "Application security describes security measures at the application level that aim to prevent data or code within the app from being stolen or hijacked. It encompasses the security considerations that happen during application development and design, but it also involves systems and approaches to protect apps after they get deployed."[6]
  • (Aside: any activity designed to protect the usability and integrity of your applications [desktop, web, mobile, cloud, software in general?] and data)
There is obvious overlap among the definitions above. I came up with a layering, shown in the figure below, in an attempt to put things in perspective. I equate "security" with "protection", and the layering is based on what is being protected, with "information" as the outermost layer having the broadest scope. Most people nowadays use "infosec" and "cybersecurity" interchangeably in general conversation, and both are popular as hashtags.




To conclude, what term should we use? I've decided to use a different term depending on the context of the conversation or communication. I will use cybersecurity when the context is national security or education. For enterprise, business, or industry contexts, information security seems to be the appropriate and accepted term in the community. The other terms will be used in more specific technical contexts in education and in practice.


References:

[1] https://csrc.nist.gov/glossary 

Saturday, April 17, 2021

My takeaways from The Productivity Project book



Everyone is probably interested in increasing their productivity. The book by Chris Bailey, The Productivity Project, has given me some ideas on how to do just that. Below are some of the takeaways from the book that I am currently adopting. So far, they have increased my productivity despite the pandemic.

  • Increasing productivity involves managing time, energy, and attention/focus
  • Rule of Threes
    • List three items to do today and within the week
  • Identify your values
    • Know why you want to get something done.
  • Determine your Biological Prime Time (BPT) 
    • This is the time when you have the most energy and focus. Do important tasks during this time. In my case, my BPT is during 10am-11:30am, 3pm-5pm, 9pm-10pm.
  • Limit alcohol and coffee intake
  • Create a procrastination checklist
  • Spend less time on important tasks
    • You create an artificial deadline forcing you to focus your attention and energy
    • Do the important things during your BPT
  • Disconnect from the Internet and social media
  • Balance structured (manager) and unstructured (maker) schedules
  • Define what you need to accomplish, understand how much energy and focus you have
  • Group maintenance tasks (doing the laundry, cleaning, self-care) and schedule them on a weekend
  • Create a project list/notes - next action to move the project
  • Develop a worry list
  • Identify hotspots - portfolio of life: mind, body, emotions, career, finances, relationships, fun
    • I achieve this by creating a mind map
  • Can a task be done in two minutes? Do it if yes.
  • Being busy is not being productive if you don't complete the tasks you set out to do
  • Be deliberate when doing your tasks
  • Don't check your email unless you have the energy and focus to reply or act on whatever is in the email