Security Warrior: Cyber & Personal Security P2

English: Information Security Components layering the Information Assurance at three levels: Physical security, Personal Security, Organizational security. These layers protect the value of the information by ensuring Confidentiality, Integrity and Availability. (Photo credit: Wikipedia)

OK. In the previous post “Cyber Security how does it correlate to personal Self-Defense?” we left off at attempting the correlation of the following Cyber Security Controls into Personal Security Controls.

CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software

Now in relation to Cyber Security these two controls are primary about controlling your computer environment; we don’t want rogue (unauthorized) devices or software  in our environment because they introduce vulnerabilities that could be exploited.

Just in case you are unfamiliar with the terms vulnerability and exploit here are the definitions:

In computer security, a vulnerability is a weakness which allows an attacker to reduce a system’s information assuranceVulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.
Vulnerability (computing) – Wikipedia, the free encyclopedia

An exploit (from the English verb to exploit, meaning “using something to one’s own advantage”) is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something …

Exploit (computer security) – Wikipedia, the free encyclopedia

In human terms a vulnerability is leaving yourself open so that someone can take advantage \ exploit and put you in a compromising position.

A common scenario is people walking around and focusing on their phone or tablet instead of being aware of their surroundings (vulnerability) and allows a bad-guy (threat) to exploit (mugging) the vulnerability (lack of awareness)

OK now that we have the technical jargon out of the way how do we relate that to personal self-defense and the individual practitioner.  When looking at the terms “Authorized / Unauthorized Software and Devices” what exactly does that mean?  Does it have something to do to with alien abductions, rear-end inspections and then forcing you to slow dance to Lady in Red?  Simply put, no.

How do we relate these terms of unauthorized hardware and software to what and who we are? When you wake up and get dressed are you unknowingly putting on un-authorized items of clothing? Does that ugly sweater that Aunty Carol gave leave you vulnerable in such a way so that others can exploit you and then make you do things like try and eat that un-edible Christmas tradition called a fruitcake?  Worse yet, would they be able to remote control you like a Zombie and force you stand under the mistletoe and kiss appalling people?

Does that piece clothing that sticks to you via static clinic considered a rogue piece of clothing?  Possibly.

How about, substituting unauthorized with unaware or un-validated?

Have you validated the techniques you learned by training with a resistant partner?

The tool or tools you carry for self-defense:
Do you practice with it?
Do you practice with drawing that tool from it’s concealed location?
Have you attended appropriate training for your chosen firearms and the potential scenarios?

Do you know anything about your local self-defense laws?
[ Defense of Personal Property ] § RCW 9A.16.020 The use, attempt, or offer to use force upon or toward the person of another is not unlawful in the following cases: [You can use reasonable force to defend your property, but not deadly force.] . . . (3) Whenever used by a party about to be injured, or by another lawfully aiding him or her, in preventing or attempting to prevent an offense against his or her person, or a malicious trespass, or other malicious interference with real or personal property lawfully in his or her possession, in case the force is not more than is necessary; (4) Whenever reasonably used by a person to detain someone who enters or remains unlawfully in a building or on real property lawfully in the possession of such person, so long as such detention is reasonable in duration and manner to investigate the reason for the detained person’s presence on the premises, and so long as the premises in question did not reasonably appear to be intended to be open to members of the public; . . . “One of the defenses to a charge of assault is that the act was committed in the defense of property of the actor, or of one whom he is under a legal duty to protect. It is the generally accepted rule that a person owning, or lawfully in possession of, property may use such force as is reasonably necessary under the circumstances in order to protect that property, and for the exertion of such force he is not liable either criminally or civilly” State v. Bland, 116 P.3d 428 (2005) fn3. (citing Peasley v. Puget Sound Tug & Barge Co., 125 P.2d 681 (1942)). [ You can even assault someone to prevent damage to or the taking of property. But you cannot use more force than is necessary, and certainly not deadly force. ]

Vilos, Evan; Vilos, Attorney Mitch (2010-06-01). Self-Defense Laws of All 50 States (pp. 415-416). Guns West Publishing, Inc.. Kindle Edition.

Are there thoughts / actions leaving you vulnerable in ways that others can exploit?; aka Situational Awareness
When attending an event do you know where the exits are?

Do you maintain an appearance of confidence? Bad guys often prey on the unaware or those who appear vulnerable.

When someone enters your or is on the edge of your personal bubble are you aware of what they are doing?
Are their hands in their pocket?
Are they demonstrating any signs of aggression verbally or physically?

When attending large public events with family, friends or partner, do you:
Have a rallying point in case of separation?
Have an exit plan in case of a violent event?

I think you get the idea or ideas presented; I’m not trying to break new ground here or reinvent the wheel.  I’m just an information security nerd exploring the correlation of Cyber Security and Martial Arts or as Datu Worden says “Connecting  The Systems” virtually and physically.


What is JKD?

English: JKD logo; appeal of refusal of copyri...

In I prior post I mentioned a great podcast by fellow martial artist Jarlo Ilano with Guro Burton Richardson and in that podcast Burton brought up a short story about Guro Dan Inosanto; one day during class Guro Dan asked “What is JKD?” The class shared their thoughts and then he shared his thoughts “JKD is research and development.” To me, it was like a light bulb went on.  You guys are probably saying “DUH!”

I know it seems obvious but so many people want to make a big fuss out of it and in my opinion it makes so much sense.  The only thing that I would change about it is that in my opinion JKD = Personal Research and Personal Development.

People take the martial arts for a variety reasons; one of the things we are taught is to use martial arts training as a vehicle to being a better person and that we take what we learned in class which can be equated to “problem solving” and apply it to real life situations, not just physical altercations but to how we deal with things when faced with adversity.

Comprehend, Intend and Connect the Systems!
Comprehend, Intend and Connect the Systems!
The martial arts is also about self expression, you can stay inside your own little box and be comfortable or you can step outside of your comfort zone and grow; this also applies to being a better husband, a co-worker, a better teammate, a better artists or whatever you choose to apply it to.

Step outside of your self imposed limitations, grow and then share what you have learned with others so that others may grow as well.

Hey, we got that P.M.A!

Don’t care what they may say
We got that attitude!
Don’t care what you may do
We got that attitude!

Hey, we got that P.M.A.!
Hey, we got the P.M.A.!
~Bad Brains

I just finished listening to a great podcast between a good friend Jarlo, highly skilled martial artist and Guro Burton Richardson we both studied under him; not at the same time and Jarlo studied with Guro Richardson for a far longer length of time than I did.  I was fortunate to study with Guro for a little over a year but I learned a lot not just about martial arts but teaching, sharing, being positive and more.

Kawika, Guro Burton and IBurton Richardson

I like to refer to Guro as the “teachers-teacher” because of what I learned and how he taught. My statement is not to disrespect all that I have trained under. I have much respect for them and I try to emulate certain aspects.

Anyway, there are several great topics Guro Burton and Jarlo touch upon in this podcast and the first one is having a positive attitude!

Jarlo: Hey, everybody, this is Jarlo at GMB Fitness, and I’m really happy today on this podcast to be with my teacher, Burton Richardson. Hey, Burton, how you doing?

Burton: I’m fantastic!

Jarlo: Good.

Burton: As usual. How are you, Jarlo?

Jarlo: Yeah, I love your positive attitude all the time. Positive all the time. That’s what we should do, right?

Burton: It’s our choice.

Jarlo: It’s our choice. That’s exactly it.

Burton: Right. You know, when somebody’s asked me, “How are you,” we have to realize that’s actually, the answer is compared to what?

Jarlo: Right.

Burton: We get to choose what we compare it to. Am I going to compare how I am today to the best day I’ve ever had on this earth or I’m going to compare it to my worst day? It’s like, “I’m great, man.”

We can choose to be happy or choose not to be; yeah I know choosing to be happy or positive when we are feeling negative can feel forced; but when we start making that choice on a regular basis it becomes more natural and you don’t sweat the small stuff anymore.

Example: A couple of weeks ago the alternator on my Jeep went out while I driving to work. At the time I didn’t know it was my alternator, I was driving, the battery light came on and the long story short is that I was able to exit I205 quickly, turn around and  make it to garage where the car literally ran out of “juice.” As I was pulling into the parking lot all the lights came on and the car barely made it , whew!  Car problems stress me out the most because I depend on the vehicle to get back and forth to work but instead of being incredibly grump I realized how fortunate I was.

I drove approximately a 100 miles up to Tacoma and back the day before to train with Datu Worden.  Although I was able to complete my trip without issue I did witness two car fires (cue ominous music.) I was a little sore the following day and was in need of a chiropractic adjustment; I already starred the day in a uncomfortable situation.  I could have been really grumpy because I was in pain and I was going to be late for work because of that and  on top of all that the car crapped out on me and on and on.

The positive side is that having to get an adjustment allowed me to miss rush hour traffic; imagine being “THAT GUY.”   You know, the guy created the traffic jam and made everyone else late to work because their car broke down; then the potential of having to be towed (mo money) all the way to a garage to fix the issue (even mo money.)  I was able to miss all that traffic and make it back home and the issue with the car wasn’t as big of an issue as it could have been.  It could have been a lot worse.

There are some other great topics in this podcast that can keep me going on and on but I’ll keep it short and let you enjoy the awesomeness.


Find out more about Burton Richardson: Facebook, Twitter, Web

 Be sure to catch the next episode by subscribing to the GMB Show:

Cyber Security how does it correlate to personal Self-Defense?

(even when online!)

We live in a new age and now have a new front to have situational awareness of as well as defend ourselves and loved ones from. My primary job is working as an Information Security Engineer. Often times I find myself wondering if I could correlate Cyber Security with Self-Defense / Personal Security.  This will be my attempt at the correlation.

Cyber Security has a couple of strategies that are similar in nature called Defense In Depth, Layered Defense which is all about layering your defense so that if  something makes it past one layer the next layer is able to detect or prevent the  intrusion to the attempt to penetrate, infiltrate and cause a disruption or remain hidden and exfiltrate data.  If you would like to read more then here is a nice article that briefly discusses the strategies.

We also have the Critical Security Controls created by the Center for Internet Security that work along side of the Defense In Depth / Layered Security strategies which finally gets me to what Ive been wanting to actually talk about but first lets take a look at this list.

CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 5: Controlled Use of Administrative Privileges
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
CSC 7: Email and Web Browser Protections
CSC 8: Malware Defenses
CSC 9: Limitation and Control of Network Ports, Protocols, and Services
CSC 10: Data Recovery Capability
CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
CSC 12: Boundary Defense
CSC 13: Data Protection
CSC 14: Controlled Access Based on the Need to Know
CSC 15: Wireless Access Control
CSC 16: Account Monitoring and Control
CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
CSC 18: Application Software Security
CSC 19: Incident Response and Management
CSC 20: Penetration Tests and Red Team Exercises

Wow… thats a lot to take in, can some of it even be correlated? I would love to hear your opinion.  The next article will take a look at the first two controls:
CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software

Can they be correlated to the individual? What about beyond the individual?