Application Of Science
Welcome to the Science Of Cybersecurity—where we establish the first founding principles of a new science of Information Security.
Some experts are adamant that Cybersecurity can never be established as a science. This is claimed to be so because—any and all social accessibility protections which are put in place will always have human opponents. That is, in this field alone, human antagonists exist—who work constantly to try and break any security measures present. Accordingly, Cybersecurity is not a science—but is more akin to a game, war or political struggle.
Whilst we do acknowledge the existence of vital social elements within the boundaries of the highly technical field of Cybersecurity, it is our belief that application of the scientific method—consisting of a combination of empirical observation and logical reasoning—must always play a significant and foundational role in any Cybersecurity scenario whatsoever. QED.
Our goal is to bring formalism to a field that doesn’t even have one—that is to bring unity, consistency and order—to the field of Information Security. Strangely absent is any kind of top-level theory, and missing are fundamental definitions and/or first-principles etc. Ergo, the system-designer’s job becomes one of—collecting partial formalism(s)—before somehow stitching them together. The net result is—partial truth(s) and/or sub-optimal approaches—or at least major difficulties.
Conversely, we seek to establish a foundational framework for the entire field of Information Security, by means of logical, integrated and holistic perspective(s)—combined with use of the scientific method.
A Quest For Insightful Answers
How do data breaches, hacks, system exploits and computer intrusions happen—and why? What occurs when Cybersecurity really works effectively, and can we systemise it? Or will the clever hacker always break into any networked device, sweeping all defences aside?
On a quest for insightful answers in his ground-breaking book and associated website, Dr Alan Radley proceeds to completely deconstruct, rationally analyse, meticulously rebuild and then sanely reassess the entire field of Cybersecurity.
A rigorous scientific methodology is applied to networked system design, leading to a comprehensive new model—and accurate taxonomic tree—of all possible types and classes of cyber-attacks and associated countermeasures. The upshot is a wholly original, astute and fearlessly honest—yet practically oriented—treatise on Cybersecurity.
Outlined here for the first time is a logical explanation of the fundamental theory and principal axioms of Cybersecurity as developed from first principles, and in a format ideally suited to both—the engineering-minded professional—and the less technically-oriented.
Our new theory of Cybersecurity is grounded on a set of core principles, as depicted in the Cybersecurity System Access Gateways (CSAG) diagram.
The CSAG diagram teaches that in order for a Datum or Datum-Copy—existing on a networked computer system—to have its inner meaning ‘extracted’ by either a legitimate user or else an illegitimate intruder—then that same party must first possess a means of opening up a PHYSICAL GATEWAY in order to see/touch the physical FORM of the Datum held on a Media of Storage, Transfer or Access (i.e. obtain a physical copy).
Next, on said media, the party traverses one or more VIRTUAL GATEWAYS to obtain the Datum’s raw format (i.e. open a virtual copy). Finally the party in question—must decode the Datum’s inner meaning or CONTENT by traversing one or more of 3 kinds of MEANING GATEWAYS: named as the Metrical, Selectional and Descriptive layers—which may be nested together, one on top of another, in a Russian-doll fashion.
Cybersecurity is then defined simply, and completely, as the continuous processes of PROTECTING (i.e. Locking, Blocking and/or Concealing) all necessary gateway types—that is defending the Datum’s inner meaning from unwarranted disclosure—whilst at the same time ENABLING legitimate users to access said Datum’s inner meaning by means of readily accessible system gateways. QED.
SCF 1.0 – InfoGraphic A
Cybersecurity System Access Gateways
Source: ‘The Science Of Cybersecurity’ (2017) – by Alan Radley
Your Trusted Source…
A secondary goal of this site is to gather together as much Cybersecurity information as possible—in the process providing comprehensive and pertinent knowledge in the form of theory, books, articles, metrics, solutions etc; plus links to expertise, products, organisations; and pointers to the latest threat-alert intelligence etc.
We are on the lookout for partners/contributors; plus seek details of the very best Cybersecurity resources—so drop us a line!
Dr Alan Radley, Blackpool, UK.
Interview with Professor John Walker
Professor John Walker is a fellow of the Royal Society of Arts, and Purveyor Dark Intelligence; he is a CSIRT/SOC/Cyber Threat Intelligence Specialist & Insecurity Professional. He holds a visiting professorship at Nottingham Trent University, is a member of the Institute of Certified Forensic Investigation Professionals, and is a visiting Lecturer at the University Of Warwick. You can learn more about Professor Walker and his work on LinkedIn here.
Email interview held on 9th September 2017 – as follows between Alan Radley (questioner) and John Walker (relator):
1. What are your thoughts on the current state of cybersecurity, both for organizations and for consumers?
In my opinion, to answer the question relating to the state of cybersecurity inside organisations, one only has to look at the public ‘facts’ – Yahoo, Talk-Talk, Experian, the NHS to mention but a few who have fallen victim to cyber-attack, and/or compromise of sensitive client records. On the other side of the fence, when it comes to what I have observed internal to many big-name Oil and Gas, Financial Houses, and Industrials – I have seen PCI-DSS data left exposed for ‘all’ to view – PCI-DSS and Data Protection Breaches which were not been correctly as mandated, and the loss of assets from an East Midlands based Financial Agency which were holding 35,000 sensitive unencrypted banking records of a third-party bank who they were the custodian of, not to mention one organisation who had a pile of sensitive transactional data left exposed on their web server. So, conclusion here is, can, and ‘must’ do better. In the case of the Public user, they are left seriously wanting – there is still no real point of presence for them to report breaches into, and when they do attempt to report into Law Enforcement they can be met with the face unawareness of cyber-crimes. To further exacerbate the problem, there would still seem to be a complete lack of Security Education and Awareness being pushed out to the public, so again, all in all, a very serious state of affairs which must be radically addressed with some urgency.
2. What – in your estimation – is the percentage of “cybersecurity professionals” that actually know what they are doing?
Good question – and I expect my answer will get me shot (again). However, first of all I know many accomplished security pros’ who are top shelf, and are without doubt high value for any company who engage. However, on the other side, there are more who simply do not understand the real cyber-threat, and commensurate cyber-security mechanics beyond that of the latest hype pushed out from the lacklustre annual Infosecurity Show – One year we can be experts in PCI-DSS, another it may be AET, and of course now it is GDPR. Until such time as the industry gets to grips with the fact that CISSP, CISM, and the rest of those expensive Certifications are only of value when they are underpinned with a wide, and deep awareness of the technical aspects that support awareness, beyond what can be Boot-Camp Driven Certifications based on the box which is selected to tick – another side of Tick-box-Security!
3. Where do you go to find your “science” of cybersecurity?
The Science of cybersecurity may be discovered in the understandings of the historical facts, and the knowledge born from the real players in the past, and current cyber-landscape. Clifford Stoll, Steve Gold, Dark Tangent, Rain Forest Puppy, Gene Spafford, Bill Cheswick, 2600 and many more, all provide the primer of the real base-coat of knowledge, which you will never find at Infosecurity.
4. Do you recommend a particular cybersecurity blog that our readers could follow?
I like to read Information Security Buzz (http://www.informationsecuritybuzz.com/) and Tripwire State of Security (https://www.tripwire.com/state-of-security/). However, one I avoid at all cost is my least favoured, and outdated – Get Safe OnLine.
5. What keeps you up at night in the context of the cyber environment the world finds itself?
What keeps me up at night is the awareness of all those highly paid people who are presiding over broken and flawed security postures – telling themselves that the route under the ISO/IEC 27001 will secure the enterprise, whilst they know that Nero is in the corridor with a box of matches!
Saturday 9th September 2017.
Thank you kindly Professor Walker for taking the time out of what must be a busy schedule to answer our questions in such an enlightening way.
Cyberthreat Maps – 2017
We have undertaken a review of live cyberthreat mapping visualisation tools (browser-based); and the results are shown below. Perhaps these kinds of maps are more fun than practically useful—but they do act as a salient reminder of the increasing number, wide-range and sophistication of cyberthreats now faced by us all.