Over the past ten years, I have paid a lot of attention to technology and cyberspace security. I was motivated to create a more inclusive and safer world. In 2019 I embarked on a slightly different journey. Although I am always motivated in the field of safety, this time I focused on the physical aspect and started training in Brazilian Jiu-Jitsu (BJJ).
If you have never practiced martial arts before, you may be surprised how important it is to listen to your body and know your personal limits. Cybersecurity is the same: find your strengths, continuously test your approach, and seek out people with a different approach to run tabletop exercises with and improve your skills.
In BJJ you find the approach you prefer and constantly validate the time you have spent preparing by getting on the mat with different people to test your skills. An additional advantage is that testing yourself and building strength both do wonders for self-confidence.
One of the best decisions I ever made was to take up BJJ, and even if that wasn’t the goal from the beginning, I think we can learn a lot from BJJ and apply it to our cyber security practices:
1. Close the distance: It is tempting to believe that keeping away from your attacker will protect you. In Brazilian Jiu-Jitsu (BJJ) and self-defense, however, you learn that distance is the enemy. The best way to deal with the gap between you and your attacker is to close it.
Advantage of the defenders: You decide the battlefield. @secvalve #2017acsc
– Zoë Rose (@RoseSecOps) 15. March 2017.
How does this translate to protecting ourselves from intruders? Layering! That is, closing the gaps in our infrastructure with layered controls, applying the principle of least privilege, and adding segmentation to limit traversal of the network. We can reduce the room a malicious actor has, limit their movements and, in some more innovative environments, steer them into taking the actions we want.
It is important to note that this does not require flashy new solutions or expensive tools. While the most advanced software can provide significant capabilities and even reduce time spent searching, it is useless if your team is not trained on it or if your organization cannot afford the licensing costs or implementation time. It is better to use what you have and continuously improve it, reducing false positives and false negatives.
2. Keep your friends close, but keep your elbows tighter: When you roll or compete with someone, you learn that elbows and arms are vulnerable and can be used against you. This can lead to submissions such as shoulder locks and wrist locks.
Don’t let your infrastructure betray you. An excellent example is the recent publication of CVE-2020-5902, a vulnerability discovered by security researcher Mikhail Klyuchnikov and privately disclosed to F5. When it is exploited, an unauthenticated attacker gains access to the configuration utility, allowing directory traversal, information gathering, and execution of both commands and system code. This bug received a CVSS score of 10, the highest score a vulnerability can get. Read what NIST has written about this vulnerability.
Maintaining your environment requires not only configuring alerts and controls, but also monitoring threat intelligence feeds to ensure that these tools are still keeping intruders out. Often the best protection against this is a strong patch management program. Such a program includes a structured validation and deployment process to ensure that all systems are regularly updated, that firmware is kept up to date, and that updates are tested so they do not disrupt users' workflows and push them to find workarounds.
3. Size doesn’t matter: It is interesting to note that the person credited with laying the foundation of Brazilian Jiu-Jitsu, Mitsuyo Maeda (nicknamed Count Koma, or simply Koma), was actually of average build, at 164 cm and 64 kg. Koma was an accomplished judo fighter and one of the first mixed martial arts fighters of modern times. From my personal experience, from the lessons of instructors Mariusz Grzywiński, Sergio Malibu Jardim, Mickey Musumachi and Cayo Terra, I realized that size fortunately does not matter. The most important thing is the technique you use and how you apply it. What matters is feeling your opponent’s movements and anticipating their steps before they take them – just like in chess.
Just as size doesn’t matter in BJJ, an unlimited budget or headcount for your security team is not what protects you. A strong cybersecurity program comes from intelligently and correctly protecting the attack surface against potential threats and scenarios.
For smaller teams and budgets, a hybrid approach to security and understanding your environment is essential. You must ensure that your internal team is adequately trained and resourced to manage third parties and carry out their tasks.
4. If you know how to defend yourself, you know how to attack: Coach Mariusz Grzywiński says he didn’t focus on attacking when he was a white belt. He had to defend, just to survive. In this way he could learn and feel how his opponent reacted to different things, and eventually he learned about weaknesses and vulnerabilities that can be exploited.
If you know what Intruder Processors are, you can use them. @secvalve #2017acsc
– Zoë Rose (@RoseSecOps) 15. March 2017.
Just like in the first lesson, as a defender you know the system and you understand how everything is connected. If you understand how things work, you can identify gaps, errors and workarounds.
Hacker mindset: Don’t look at what it’s supposed to do, but at what you can make it do.
When Mariusz defended against attacks until his opponent was tired, he was able to recognize the weak points in the defense and get past them. In your environment, you can continuously improve your controls and protection by finding ways to bypass them. Continuous improvement requires a vulnerability management program. This includes automated tools and scanners as well as a hands-on team that reviews and investigates the reports they produce. When you identify a vulnerability in your environment, use that insight to fix potential problems before a malicious actor exploits them.
5. Things change in life, but jiu-jitsu remains the same: No matter which school you go to, which trainers you have, or even what your personal style is, the basis of Brazilian Jiu-Jitsu remains the same. Close the gap, keep your body tight and under control so it doesn’t betray you, plan your attack and your defense in advance, and put in your time on the mat.
Whatever your position and resources, the principles of cyber security remain the same. Getting the fundamentals right makes you a less attractive target.
As the 2020 Verizon Data Breach Investigations Report indicates, attackers look for attacks that can be carried out in fewer steps. Adding controls such as multi-factor authentication in case of data theft will significantly reduce your exposure. Consider the principle of least privilege (PoLP), endpoint firewalls and network segmentation as well. All these elements constitute an additional barrier to unauthorised access to systems and services.