What is the REAL issue with the SANS data breach…

By Ehden Biber

SANS has been breached and everyone seems to be missing the real issue. The real issue with the data breach is not that it occurred but it’s the way SANS acted afterwards, which makes one wonder… where is the awareness?

So OK, SANS has been hacked, and there was a data breach that included Personal Identifiable Information, impacting various data subjects, perhaps also Europeans.

Pretend you’re shocked. I mean, what’s new in the kingdom of cyberspace?

What really worried me was the way the incident has been communicated so far. SANS train its employees, I am sure, but how does it measure them? How many other attacks that failed took place in the last quarter or the last year? How many of them failed due to measurable improvement in the performance of the individual who stop it? What were the individual cybersecurity awareness metrics of the person that has been hacked, and were they providing any indication? If not, why? And what about the security of the system themselves – why did the people who designed the solution which was used (office365) did not prevent it from happening? Could that incident be prevented based on the current score of the Software Assurance Maturity Model that SANS (I hope) following? Was that a deviant of normal security performance of the individual? Was the vulnerability a result of a failed project, and if so, what is the TRUE root cause of the failure? Was there any privacy impact assessment relating to the service that was being used? If it failed to identify the risk, why? What was the quality of the assessment? Did the risk registrars of both the privacy and the security teams identified it? if so, was the risk measured correctly? was it communicated? at what forum? I can really go on and on and on here…

What the incident so far has demonstrated is that even organisations which provide professional services in the domain of cybersecurity awareness are failing to demonstrate that their own models provides a “good fit for understanding, predicting or changing cyber-security behaviour” (Cybersecurity Culture Guidelines: Behavioural Aspects of Cybersecurity”, ENISA, 2018).

Here is a quote that summarises how I feel about the current approaches:

“Here’s the funny part. Imagine a conference where the world’s top experts on human sexuality are convened. One after another these doctors, and specialists in human behavior, and research psychologists, go to the podium to deliver scholarly lectures on the subject of orgasm. As the conference goes on, it might become obvious that none of these experts have actually experienced orgasm themselves: it’s all intellectual. ‘After long years of arduous research and many austerities I can now tell you that I have finally achieved full orgasm. And I can confirm what all the ancient texts have said: that the very essence of orgasm consists of getting red in the face and screaming, after which you become a perfect person and everybody thinks you’re wonderful.’

Huh? But wait: nobody in the audience has experienced orgasm either, so how would they know that the speakers are all hot air? After all, these specialists are presented as the ‘experts,’ and another ‘expert’ has certified their expertness, and they certainly sound impressive, so… they must be right! So everybody asks questions and takes notes. And later they all sign up for the advanced seminar, in which it is promised that they too (for a few hundred dollars) can learn the disciplines necessary to get red in the face and scream; at which time they will enter the ranks of those who have been certified as having attained full orgasm and become perfect wonderful people.

Of the thousands in attendance at the conference, there are just two people in the back of the hall, with absolutely no scholarly qualifications at all, but with a different kind of knowing; who look at each other, laugh, and walk out.”

From “Perfect Brilliant Stillness”, David Carse, 2006

Or, as I’ve written in 2015:

“What most of us are doing is measuring the surface of awareness, the signals, rather than investigating the real nature of awareness. Our measuring attempts are similar to the way Franz Joseph Gall, who invented phrenology did in the 19th century while trying to solve the mystery of the mind. First named “cranioscopy” by Gall, and later changed to “phrenology” by his followers, this method was supposed to allow the scientist who used it a way of understanding the state of mind by measuring the scalp. Driven from Greek words phrēn (“mind”) and logos (“knowledge”), Phrenology claimed that certain brain areas have localized, specific functions or modules and thus by measuring the scalp one can have an understanding of the performance of the brain and the mind…What we do isn’t measuring awareness at all.”

The good news (at least for me) is that it opens up a space for new ways of approaching this problem. More on that in … my upcoming dissertation. Stay tuned… 😊

Till the next now,

Ehden Biber

© All rights reserved 2020

How a 5½ weeks experiment helped me discover the secret of awareness. Cyber Autism, Redux.

 

By Ehden Biber

 

I have been investigating the nature of awareness ever since Rephael autism took his ability to communicate with us, when he was about 18^th months old. This beautiful boy, the youngest of our 3 siblings was disappearing in front of my eyes and I didn’t know what to do. The impact of his autism on my understanding of how much I cannot perceive what another human being is perceiving came a few years later, when he was still a young boy. One day, when he and his two siblings were at my place, Rephael came to me crying his heart out, but I had no idea why he is crying. That realization, this experience of disconnection between my personal experience and the perception of reality someone else is having was one of the most profound moments of my life. Before that, I was busy trying to fix Rephael. After that, I was busy trying to fix myself. My moment came when I realized there wasn’t anything in my son that prevented him from communicating with met, but it was something in my own perception of reality which prevented me from communicating with my son. I was the root of my own suffering.

Fast forward to summer 2019.

Continue reading →

Don’t trust what makes you feel good, even if that relates to what you think you know about women and men.

By Eh’den Biber

* (Sans means ‘without’ in French)

 

“Nice is dead. Good has a future. Nice doesn’t have a future, because nice ends up with gulags.“
(Eric Weinstein in a recent interview to Lex Fridman from the Articifical Intelligence Podcast)

Continue reading →

Why autism education and Cybersecurity awareness training fails and how to solve it.

By Eh’den Biber

 

“If you think you’re going to solve your cybersecurity awareness problem by technology, you don’t understand your problem, and you don’t understand technology” (paraphrasing Bruce Schneier)

 

Subconscious Cybersecurity

Everyone tries to solve the lack of cybersecurity awareness, and everyone fails. They fail because they don’t understand how our we integrate “information” into what we perceive as an expansion of our perception.

The current approach tries to address the problem via focusing on the #conscious, while the truth of the matter is that we interact with the real world via the #subconscious. As if we are not living in an age of a constant and increasingly intrusive digital distortion of our perception of reality, that is attacking our subconscious and manipulating us by knowing our biases (example: fake news). As if expansion of knowledge changes our core drivers. If knowledge was able to change people perception, people wouldn’t be smoking after they see all the horrific photos on the cover of all tobacco products. We live in a digitized era. The digital world is everywhere, it is part of who “we are”. Your dopamine reward system are being hacked constantly by your mobile phone apps, it is integrated into “your” physical experience. A growth of knowledge on the conscious level does not give you any measurable impact on the subconscious, because… that’s why we call it “subconscious” – we can’t measure it. Knowledge doesn’t change perception, direct experience does. After been given the diagnose of my youngest son extreme autism I was reading and learning everything I could about it, and the impact it might have, but it didn’t allowed me to understand him, nor to influence him. I didn’t feel like he did, so I couldn’t grasp that it means to be autistic.

Continue reading →