Tribe of Hackers

Tribe of Hackers, by Marcus J. Carey, collects a wide range of seasoned infosec specialists to discuss the cybersecurity world from an insider’s point of view. My favorite question out of the dozen asked is: What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture? Studying the 60-plus answers, I broke them down into three categories that resonate with the self-defense instructor in me:

  1. Invest in awareness

  2. Assume compromise 

  3. Application over theory

There are three common aspects of martial arts all around the world. The basic breakdown of martial arts is competitive (sport), performance (entertainment), and self-defense (mortal danger). Competition can teach you how to fight, but you are always learning to fight with rules. There is a ref, a set time, and a chosen place. Performance is about entertaining a crowd and displaying grace, power, and drama.

The portion of the martial arts world we are concerned with here is self-defense: the training one does for surprise attacks. Nothing fancy; first, just learn to cover your groin and face. This is a very good reflex around monkeys and big cats.

Boiled down, martial arts is situational awareness, and the more time I spend studying the cybersecurity field, the more I think of it as an offshoot of the martial world. Hand-to-hand and weapon-based systems each have their context for when they are useful. I like thinking of cyber as the martial art of network conflict.

In the walk-around world, awareness often simply means understanding your environment and becoming conscious of how you make yourself vulnerable. Predators rely on distraction and surprise. The more aware you are, the less of a target you are. Don’t make yourself more vulnerable than you have to be. How big is your threat landscape? The bigger it is, the harder it is to secure, and whoever has the weakest perimeter gets eaten first.

These rules of conduct coincide with cyber defense rules, such as limiting employees’ access and privileges. There is no reason to increase the overall threat landscape any more than necessary. When you give someone access, you put them at risk of being exploited. Every admin privilege is a target on someone’s back. They will be hunted for their access. Actually, I’m the only one mentioning the hunting of people. Nowhere in the interviews does anybody recommend hunting people.

According to the professionals, companies building security-minded cultures should start with the low-hanging fruit: multi-factor authentication, complex password policies, and up-to-date patches go a long way. It’s not foolproof, but covering the basics eats recon time, and time is money even for criminals. The longer it takes to get inside, the more likely they will move on to an easier target. No one is perfectly secure, but don’t be the only guy without a bulletproof vest in a gunfight. I’m paraphrasing, of course. There was no mention of firearms nor discussions about Kevlar in the interviews at all.

Investing in awareness also means understanding how your assets are vulnerable. Is it really tech that is vulnerable? Or are people vulnerable? Creating a security culture that captures the attention of employees is essential. All the fancy AI interfaces in the world (which I love) aren’t going to save you from an uninterested or emotionally distracted employee. A narrative (mission) that elicits vigilance (situational awareness) is key. Everyone is seeking a “better way” and people, in general, adopt great standards that lead to personal growth. No one actually said people seek personal growth either. I’m reading between the lines and maybe being a little idealistic, but I stand firm on the idea that people want to be heroes.

The second concept, assume compromise, also illustrates martial principles. As in, you don’t get to pick the fight you want. For companies, it means an attack isn’t an if, it’s a when. And, most likely, you aren’t going to see it coming. Predators like to hit their prey from behind, not head-on. Unfortunately, the first hint of attack is often the sight of your own data leaking out all over the internet. Assume compromise means “the phone call is coming from inside the house!”, so it’s best to build impact resilience into the system. A panic room, if you will. Again, I’m being a little hyperbolic, but I’m trying to paint a picture.

For an organization, assuming compromise means exploring postures that increase opportunities to fight as you roll and recover to your feet. Remember, this is close-quarters combat. You don’t get to hold them off at arm’s length. They are already inside your defenses and a strategic counter is required. But, before you can counter, you must locate. Check the endpoints, scan the logs, find the beacons, and isolate. Get good at finding the intruder. Too much time is spent on playing whack-a-mole rather than setting honeypots and canary sensors. That’s right, I’m talking about tripwires and tiger pits.

If you have followed the basics from invest in awareness, then the pathways into the system are limited and your team is straight-up tracking the interlopers. There are only so many probable endpoints. You must be able to detect if you are to defend. Imagine Sherlock Holmes presented with Star Trek’s Kobayashi test. Model, model, model. Test, test, test. Invest in failure, because failure brings insight.

Lastly, application over theory. As the great fist-philosopher Mike Tyson once said, “Everybody’s got a plan until they get punched in the face.” Steps 1 & 2 have been followed. Your situational awareness is high and you’ve created not 1 or 2 plans for possible sneak attacks but a dozen. But does your plan work when it’s not your friend throwing the punches?

Unfortunately, the only way to get comfortable with people trying to hit you is by doing such. It’s not everyone’s favorite pedagogy, but it gets results. Catch a few on the nose, and everybody covers up and starts rolling with the punches. This is another good place to point out, no one discussed punching and kicking people in the interviews.

For organizations, application over theory means regularly attacking their own systems, with not only internal testing but external testing. It means investing in outside consultants who can give an objective perspective. Test the process and adapt accordingly. Then, test again. This is not a static game of Battleship. The opponent is not waiting for you to come find them. They don’t have any rules, but they do have limitations. Don’t let experience be your limitation, because experience is the key for both sides. It’s a simple calculation: if you have had more time learning to fight your way out of a corner than your opponent, chances are they make the first mistake when pressured.

To recap and summarize, the guidance from the interviews goes something like this:

1) Awareness = What Matters x Why it Matters 

2) Plan for the worst

3) Test the plan objectively

I really enjoyed reading Tribe of Hackers, and I appreciate Mr. Carey putting it together. There is much more wisdom to parse through in the interviews than I have offered here and I hope my violent paraphrasing and comparison (beat a dead horse) to martial arts doesn’t diminish his efforts or their advice. Carey has other books of interviews specific to Blue Team, Red Team, and Security Leaders.

However, before diving into those, I’m headed to Reno for the Wild West Hackin’ Fest. This will be the first in-person conference for me (and possibly a whole bunch of people) since Covid. It’s time for me to meet more of the tribe.

Homo Deus

Notes on Homo Deus

Homo Deus: A Brief History of the Future by author Yuval Noah Harari makes you reconsider what you think you know about being human.

Here is my quick review of the book: I loved it! Just like his last two. But instead of just reviewing the book, I want to share my thoughts on some of the things that stand out for me in relationship to pain management.

Real quick though, this book isn’t for everyone. If you’re uncomfortable having your political, religious, philosophical, and general concepts of self challenged, then you will find this book disturbing on more levels than the author intends.

This book is a warning. It is trying to get us to pay attention, like a passenger in a car asking the driver to slow the hell down. You can’t take the turn you need at this speed.

I believe it also is a celebration of how far we have come and how far we can go. So let me throw this out there: if you cling to your belief structures like a life vest in an ocean of myths, this book is going to make you very upset, and it is going to deflate the concepts that keep your ego afloat. However, if you are looking for a better understanding of what our real challenges are right now, then buckle up, because the twists and turns of history, science, and psychology are going to make your head spin.

For those with short attention spans, below is a glimpse at the highlights of the book. For those who would prefer listening, here is a link (Yuval Noah and Steven Pinker) to a conversation with the author and Steven Pinker. My thoughts on how this applies to pain management follow.

-We’ve conquered War, Plague, and Famine as the major mortality issues for humanity, and next on the agenda we will conquer death or become God-like in the pursuit.

-Spoilers: There is no soul, self, or free will as far as science is concerned and to believe so is to live in a fantasy world where you will be easily manipulated.

-The brain contains more than one mind and none of them knows what the other is thinking or why; and most of what you believe about the world (which includes yourself) is a confabulation (bullshit rationalizations) of these minds’ independent operations.

-The religion evolution went kinda like this: from nature to gods to a single god to nationalism to humanism and now data. Long live Data! In algorithms we trust!

-All medical science leads to augmentation science. We will be upgraded. Or at least the rich will be.

-Algorithms are everywhere and will rule us and we will like it because we are blind to the deeper realities of our existence. 

-The AI of the future will know us better than we know ourselves and we will either be their pets (if we are lucky) or their pests (if we are not lucky).

-The next class system will be based on human and super human.


Part 1: 

Why Are We Killing Ourselves?


After reading Homo Sapiens and 21 Lessons for the 21st century, I felt prepared for the author’s diagnosis of the current state of humanity and prognosis for its future. It’s not all doom and gloom by any means, just the end of humanity as we know it. Technically speaking it could be seen more as the continued transformation of humanity.

The book’s opening argument is that humanity has conquered War, Famine, and Plague as the major factors of human mortality. That’s 3 of the 4 horsemen of the apocalypse. Who doesn’t think that’s a good thing? To make its point the book presents some disturbing information on mortality that I had to stop and look into myself. 

1. More people die from suicide than violent deaths.

2. More people die from poor eating habits than starving.

3. By 2050, 50% of the population of Earth will be considered overweight.

Here are some mortality per year (2017) numbers from the CDC.

Heart disease: 647,457

Diabetes: 83,564

Alcohol-related deaths: 72,500

Suicide: 47,085

Overdoses: 47,450

Vs

Homicides: 19,510

Firearm homicides: 14,542

Mass shootings: 335

The top half of these numbers are all self-inflicted. The CDC website reports: childhood obesity has tripled since 1970; alcohol-related deaths have doubled since 1999; suicides have increased by 30% since 1999; and overdoses are up 137% (200% in relation to opioids).

The articles I came across reported that the majority of criminal acts that lead to violent acts involve the sale or pursuit of drugs. That means for the purpose of buying drugs to alleviate pain or making money by selling drugs to people who are in said pain. What about mass shootings? I think the majority of mass shootings are perpetrated by people who are on one level or another mentally ill and suffering from some sort of psychological and emotional pain.

The common denominator is that all of these fall on the spectrum of pain management. Drugs (I am including alcohol here) are used for reducing some kind of pain: mental (emotional or psychological) and/or physical pain. Sure, lots of people use drugs and alcohol recreationally, but if drugs and alcohol are the recreation or needed to have any recreation, then odds are high that there is a hidden suffering not being addressed. What we are really doing is self-medicating.

It would seem that a large number of people are under a daily burden that is inescapable without chemical assistance. Drugs and alcohol for the most part are our escape. So is sugar, or in general bad eating habits.

Why are we so sad, anxious, and disturbed when we live in the least violent and most prosperous age of human existence?

How many cavemen do you think killed themselves? I’ve asked this question to a few people and the answer I get back is none (note: none of those people were anthropologists). While not scientific, the question makes a point. When life and death were a daily concern, people were too busy figuring out how to stay alive to consider killing themselves. When purpose was easily defined as don’t die today, people worked hard at staying alive every day.

It can be argued that now that we no longer hunt or are hunted, we are haunted by an inner nature that no longer fits our environment.

The natural state of humans is to be concerned about getting killed, about having enough to eat. So, we naturally worry about things. In fact, it’s a feature of the brain. When the mind isn’t engaged in a particular task, the Default Mode Network kicks in. This is the part of our brain that has a tendency to ruminate and make us anxious. It’s the portion of the brain calmed by meditation and attention training (quick self-promotion: this is what I teach).

Worrying is a survival feature. Those who didn’t worry, didn’t live long enough to reproduce. Unfortunately, just because the natural threats no longer stalk us, doesn’t mean this feature for survival is no longer working.

The exterior environment may have changed, but our inner environment hasn’t quite caught up. We were born to solve problems. I mean real concrete problems. As in identifying the best tree to climb to sleep in so you’re not a late-night snack. We didn’t evolve to solve math problems or philosophical problems. Those are abstractions made possible by leisure and extreme access to resources. Those are fairly recent add-ons to humanity’s skill set. We evolved to solve physical issues.

Our emotional and psychological health is tied more to our physical capacity for adaptation than being able to think your way out of an emotional problem.

In a way, life has become too easy and we have lost our resiliency. Our ability to deal with challenge, discomfort, and uncertainty has shriveled like an atrophied muscle. Much like the cell-deteriorating effect of zero gravity on an astronaut’s physiology, the lack of constant physical strain/challenge has made us mentally and emotionally weaker.

We now suffer from pain that we do not understand how to properly address. We have evolved to solve problems in an environment that no longer exists.

Instead of staying alive as the main function, we now are struggling with staying happy.

Our culture that has provided us a safer world has not prepared us to deal with ourselves. We wrestle and struggle with our thoughts and feelings. This leaves us with deep questions about worth and purpose that need to be addressed.

We are the most resource-rich culture in history and we are killing ourselves hand over fist. It would appear that the more prosperous we become, the more likely we are to lose hope. What could possibly save us from ourselves?

This is important to appreciate because Yuval’s argument for humanity’s next agenda (now that we have conquered war, famine, and plague) is that we are going to conquer Death itself and transform humans into gods.

Considering how bad we are at handling our feelings now, I wonder what kind of gods we will become.

Part 2

Kill The Gods, Long Live Data (continued in a week or so)