WEBVTT 1 00:00:00.120 --> 00:00:05.240 Imagine a multinational corporation drops like ten million dollars on 2 00:00:05.599 --> 00:00:06.919 military grade encryption. 3 00:00:07.040 --> 00:00:09.519 Oh easily. People spend that without blinking, right. 4 00:00:09.640 --> 00:00:13.480 So they buy the next generation zero trust architecture, the 5 00:00:13.519 --> 00:00:18.399 most sophisticated firewalls money can buy. They feel completely. 6 00:00:17.839 --> 00:00:21.239 Invincible, invincible until reality actually hits. 7 00:00:21.039 --> 00:00:24.839 Them exactly because then their entire network just goes dark. 8 00:00:25.480 --> 00:00:28.480 And it's not some superhacker. It's because an accountant on 9 00:00:28.519 --> 00:00:30.920 the third floor tripped over a power cable in the 10 00:00:30.960 --> 00:00:32.799 server room while looking for a stapler. 11 00:00:32.880 --> 00:00:35.679 It's funny, but it completely shatters the illusion of what 12 00:00:35.759 --> 00:00:36.880 we think of as security. 13 00:00:36.960 --> 00:00:37.560 It really does. 14 00:00:38.039 --> 00:00:41.439 We get so hyper focused on the shadowy adversaries writing 15 00:00:41.439 --> 00:00:46.159 malicious code that we just forget the physical, mundane realities 16 00:00:46.159 --> 00:00:47.560 where these systems actually live. 17 00:00:48.039 --> 00:00:51.159 Welcome to today's Deep Dive. I'm your host and today's Saturday, 18 00:00:51.280 --> 00:00:54.600 April eighteenth, twenty twenty six. Glad to be here for you, 19 00:00:54.679 --> 00:00:57.600 our listener. You're navigating a world where the boundary between 20 00:00:57.600 --> 00:01:00.240 the digital and the physical isn't just blurry, I mean 21 00:01:00.320 --> 00:01:01.960 it is entirely non existent. 22 00:01:02.039 --> 00:01:03.840 Yeah, the line is just completely gone. 23 00:01:03.600 --> 00:01:06.120 Today, and that's why today we are looking at why 24 00:01:06.200 --> 00:01:11.079 true cybersecurity is less about hooded hackers and much more 25 00:01:11.079 --> 00:01:15.319 about human nature, law and wealth foundational architecture, which is. 26 00:01:15.280 --> 00:01:16.840 Such a crucial shift in perspective. 27 00:01:17.599 --> 00:01:20.959 We're diving into a really monumental document published back in 28 00:01:21.040 --> 00:01:25.159 October twenty nineteen. It's called the Cybersecurity Body of Knowledge 29 00:01:25.519 --> 00:01:28.760 Version one point zero or Cybook for Sure cybock. 30 00:01:28.840 --> 00:01:31.719 Yeah, funded by the UK National Cybersecurity. 31 00:01:31.040 --> 00:01:34.959 Program exactly, and this was the moment top minds tried 32 00:01:35.000 --> 00:01:39.560 to wrangle a completely chaotic Wild West industry into a mature, 33 00:01:39.879 --> 00:01:41.079 codified discipline. 34 00:01:41.120 --> 00:01:45.680 Because that transition from a chaotic trade into a mature discipline, 35 00:01:45.959 --> 00:01:48.439 it requires a bedrock of agreed upon. 36 00:01:48.359 --> 00:01:51.519 Knowledge, like how doctors all agree on basic anatomy right? 37 00:01:51.640 --> 00:01:53.599 Or civil engineering, We don't just guess how to build 38 00:01:53.599 --> 00:01:56.799 a bridge, right, We have established physics and material sciences. 39 00:01:56.840 --> 00:01:59.120 Swebook did that for software engineering too, exactly. 40 00:01:59.159 --> 00:02:03.480 Software Engineer had similar awakening with SWEVIK their codified standard. 41 00:02:03.560 --> 00:02:03.840 Yeah. 42 00:02:03.840 --> 00:02:07.519 But for the longest time, cybersecurity education was just incredibly fragmented. 43 00:02:07.640 --> 00:02:08.639 It was all over the place. 44 00:02:08.919 --> 00:02:13.080 You had university degrees teaching one thing, vendor specific certifications 45 00:02:13.080 --> 00:02:17.360 teaching another, and literally no global consensus on what a 46 00:02:17.400 --> 00:02:18.879 professional actually needed to know. 47 00:02:19.199 --> 00:02:21.000 So my first thought when I was reading this was, 48 00:02:21.599 --> 00:02:24.319 how on earth do you decide what goes into a 49 00:02:24.360 --> 00:02:28.599 foundational blueprint without it just devolving into a massive shouting 50 00:02:28.639 --> 00:02:30.879 match between international. 51 00:02:30.240 --> 00:02:31.719 Experts or the ego in the room. 52 00:02:31.840 --> 00:02:35.360 Right, Yeah, I imagine everyone has their own pet theory 53 00:02:35.400 --> 00:02:37.759 on what is quote unquote essential. 54 00:02:37.919 --> 00:02:40.319 Well, you take the human bias out of the initial sweep. 55 00:02:40.599 --> 00:02:43.199 Wait, really, how the editors. 56 00:02:42.840 --> 00:02:45.000 Didn't just lock themselves in a room and start writing. 57 00:02:45.319 --> 00:02:48.759 Starting in twenty seventeen, they used natural language processing in 58 00:02:49.520 --> 00:02:51.159 automatic text clustering. 59 00:02:50.759 --> 00:02:52.800 So they brought in algorithms from the start. 60 00:02:52.840 --> 00:02:56.240 Exactly. They essentially fed existing gold standards into a text 61 00:02:56.319 --> 00:02:59.800 mining engine. We're talking about the CISSP. 62 00:02:59.080 --> 00:03:02.520 Which is practically the bar exam for security professionals. 63 00:03:02.159 --> 00:03:05.919 Right along with the ACM's Global Curriculum guidelines for universities 64 00:03:06.240 --> 00:03:09.039 and international standards like ISO two seven zero three to two. 65 00:03:09.400 --> 00:03:14.120 Okay, so they algorithmically clustered the entire global curriculum to 66 00:03:14.199 --> 00:03:16.800 see what topics organically grouped together. 67 00:03:16.919 --> 00:03:20.479 That is wild it is, And only after the algorithms 68 00:03:20.479 --> 00:03:22.919 map the landscape did they bring in the humans. 69 00:03:23.360 --> 00:03:25.280 Ah, there's the human element. 70 00:03:25.039 --> 00:03:29.240 Right, they held eleven community workshops and conducted deep dive 71 00:03:29.280 --> 00:03:31.840 interviews with experts across the globe, just. 72 00:03:31.719 --> 00:03:34.039 To refine those algorithmic clusters. 73 00:03:33.639 --> 00:03:36.479 Yeah, into what they called straw man proposals, and then 74 00:03:36.520 --> 00:03:38.800 those were fiercely debated and publicly reviewed. 75 00:03:38.800 --> 00:03:41.599 Okay, let's unpack this because while that methodology is brilliant, 76 00:03:41.960 --> 00:03:44.199 it raises a massive red flag for me. 77 00:03:44.319 --> 00:03:45.439 Oo, what's up? 78 00:03:45.560 --> 00:03:47.759 It sounds like trying to write a dictionary for a 79 00:03:47.840 --> 00:03:50.280 language that people are literally making up as they speak. 80 00:03:50.400 --> 00:03:51.439 That's a great analogy. 81 00:03:51.680 --> 00:03:54.199 I mean, if a new zero day exploit is discovered 82 00:03:54.199 --> 00:03:57.599 this morning and an entirely new class of IoT devices 83 00:03:57.680 --> 00:04:01.680 is released this afternoon, how does a printed codified book 84 00:04:01.960 --> 00:04:05.000 not become entirely obsolete the second it hits the server? 85 00:04:05.280 --> 00:04:09.680 By drawing a very harsh, strict line between transient technological 86 00:04:09.719 --> 00:04:12.439 trends and enduring principles. 87 00:04:11.960 --> 00:04:13.840 So they just ignore the new shiny stuff. 88 00:04:14.039 --> 00:04:19.519 Basically, yeah, Sybok deliberately ignores the latest gadget or this 89 00:04:19.759 --> 00:04:24.360 specific signature of yesterday's ransomware. Instead, it maps the mechanisms 90 00:04:24.360 --> 00:04:26.879 that make the technology function at a structural level. 91 00:04:27.040 --> 00:04:29.160 Give me an example of what that looks like. In practice, 92 00:04:29.199 --> 00:04:31.720 how do you separate the trend from the principle. 93 00:04:32.160 --> 00:04:36.399 Well, take operating system security. The specific code used to 94 00:04:36.480 --> 00:04:40.360 exploit a buffer overflow in Windows eleven. It might look 95 00:04:40.399 --> 00:04:43.079 completely different than an exploit in Linux, and both will 96 00:04:43.079 --> 00:04:46.560 be patched eventually. CYBAC doesn't care about the patch. 97 00:04:46.720 --> 00:04:47.839 What does it care about. 98 00:04:47.879 --> 00:04:52.120 Sybock cares about the mechanism of memory isolation. How does 99 00:04:52.160 --> 00:04:56.399 a system mathematically and architecturally assign a specific block of 100 00:04:56.560 --> 00:04:58.319 RAM to your web browser and. 101 00:04:58.279 --> 00:05:01.360 Then physically prevent a background application from reading that same 102 00:05:01.439 --> 00:05:02.079 block of RAM? 103 00:05:02.240 --> 00:05:06.439 Exactly the concept of virtual memory, paging and privilege rings. 104 00:05:06.920 --> 00:05:08.959 That is the foundational physics of computing. 105 00:05:09.120 --> 00:05:12.759 And those mechanisms don't change just because of new smartphone drugs. 106 00:05:12.879 --> 00:05:15.480 Right. What's fascinating here is that it's focusing on the 107 00:05:15.480 --> 00:05:17.720 physics of the digital world rather than the weather of 108 00:05:17.720 --> 00:05:18.319 the day. 109 00:05:18.319 --> 00:05:19.920 The physics instead of the weather. 110 00:05:20.279 --> 00:05:20.800 I like that. 111 00:05:21.519 --> 00:05:24.199 That completely shifts the perspective. It really does, and that 112 00:05:24.240 --> 00:05:27.000 shift really becomes obvious when you look at how CYBOC 113 00:05:27.079 --> 00:05:31.759 actually defines cybersecurity. They pull their definition from the UK 114 00:05:32.120 --> 00:05:36.120 National Cybersecurity Strategy and it completely moves away from what 115 00:05:36.120 --> 00:05:38.360 we traditionally call information security. 116 00:05:38.600 --> 00:05:43.160 Yeah, because information security is historically bound by the CIA triad. 117 00:05:42.920 --> 00:05:47.600 Right, preserving the confidentiality, integrity, and availability of data Exactly. 118 00:05:47.639 --> 00:05:51.040 It's a very data centric view. But cyberspace is no 119 00:05:51.120 --> 00:05:53.439 longer just a digital filing cabinet. 120 00:05:53.560 --> 00:05:57.240 No, not at all. It's a sociotechnical reality. It's a 121 00:05:57.240 --> 00:06:00.879 place where we conduct diplomacy, manage power, grip, and perform 122 00:06:00.959 --> 00:06:02.439 remote surgeries. 123 00:06:02.040 --> 00:06:06.079 Which means the scope of protection must expand radically. Cybock 124 00:06:06.160 --> 00:06:11.120 defines cybersecurity as protecting information systems, so the hardware, the software, 125 00:06:11.199 --> 00:06:14.000 the infrastructure, as well as the services they provide. 126 00:06:14.040 --> 00:06:15.720 The services, that's the keyword there. 127 00:06:15.839 --> 00:06:19.199 Yes, if a ransomware attack hits a hospital network, the 128 00:06:19.240 --> 00:06:23.439 primary crisis isn't that the patient records lack availability. 129 00:06:22.839 --> 00:06:25.079 Right, It's that people are in danger exactly. 130 00:06:25.240 --> 00:06:27.839 The priceis is that the eneri machines won't turn on 131 00:06:28.399 --> 00:06:32.600 and the blood bank inventory is frozen. The service itself, 132 00:06:32.839 --> 00:06:35.319 the real world impact is under threat. 133 00:06:35.959 --> 00:06:38.600 So what does this all mean for the actual definition. 134 00:06:38.920 --> 00:06:43.120 What's fascinating to me is how that definition explicitly includes 135 00:06:43.160 --> 00:06:44.399 the word accidental. 136 00:06:44.600 --> 00:06:45.879 Yes, that's a huge shift. 137 00:06:46.000 --> 00:06:49.519 It states we are protecting these services from unauthorized access, 138 00:06:49.639 --> 00:06:53.879 harm or misuse, whether caused intentionally by an operator or 139 00:06:54.000 --> 00:06:56.759 accidentally by failing to follow procedures. 140 00:06:56.319 --> 00:06:58.680 Which brings us right back to the account tripping over 141 00:06:58.720 --> 00:06:59.959 the server cable exactly. 142 00:07:00.519 --> 00:07:03.360 We always picture a cyber threat as a shadowy hacker 143 00:07:03.360 --> 00:07:06.720 and a hoodie, but according to this definition, sometimes the 144 00:07:06.720 --> 00:07:09.680 biggest threat to an organization is just someone accidentally hitting 145 00:07:09.720 --> 00:07:12.079 reply all or tripping over a cable. 146 00:07:12.360 --> 00:07:15.480 Or you know, a tired systems administrator who accidentally leaves 147 00:07:15.480 --> 00:07:18.600 a cloud storage bucket configure to public instead of private. 148 00:07:18.360 --> 00:07:20.519 Oh Man exposing fifty million records. 149 00:07:20.519 --> 00:07:24.360 Okay, the damage to the organization is mathematically identical whether 150 00:07:24.399 --> 00:07:27.439 it was a nation state hacker or just a sleepy employee. 151 00:07:27.600 --> 00:07:31.519 And because human error and real world consequences are baked 152 00:07:31.519 --> 00:07:34.519 into the very definition of the field, it creates this 153 00:07:34.800 --> 00:07:38.519 massive structural pivot in the blueprint itself. 154 00:07:38.560 --> 00:07:40.800 It really does dictate the whole flow of the document. 155 00:07:40.920 --> 00:07:43.680 Yeah, because when I first opened sidebox, I expected chapter 156 00:07:43.720 --> 00:07:47.680 one to be about like deep cryptography or firewall configuration. 157 00:07:47.879 --> 00:07:48.519 Most people do. 158 00:07:48.639 --> 00:07:52.079 But the very first grouping of knowledge areas is entirely 159 00:07:52.120 --> 00:07:58.160 devoid of code. It's the human Organizational and Regulatory Aspects category, because. 160 00:07:57.879 --> 00:08:00.720 Before you can defend a system, you have to understand 161 00:08:00.720 --> 00:08:02.759 the environment in which it operates. 162 00:08:02.439 --> 00:08:05.360 And that environment is governed by laws and inhabited by 163 00:08:05.439 --> 00:08:06.639 humans exactly. 164 00:08:06.920 --> 00:08:09.959 The Law and Regulation Knowledge area tackles this head on, 165 00:08:10.560 --> 00:08:14.720 specifically the nightmare of applying geography based laws to a 166 00:08:14.879 --> 00:08:16.439 borderless digital vacuum. 167 00:08:16.800 --> 00:08:19.360 The jurisdictional conflicts there blew my mind. 168 00:08:19.439 --> 00:08:21.040 It gets really complicated, it does. 169 00:08:21.360 --> 00:08:25.879 Sybock highlights the friction between territorial jurisdiction, which is the 170 00:08:25.959 --> 00:08:28.639 right of a country to govern what happens physically inside 171 00:08:28.680 --> 00:08:32.600 its borders, and prescriptive jurisdiction, the right of a country 172 00:08:32.639 --> 00:08:35.240 to apply its laws to its citizens no matter where 173 00:08:35.240 --> 00:08:35.639 they are. 174 00:08:35.879 --> 00:08:39.919 This raises an important question, though. Consider a scenario where 175 00:08:39.960 --> 00:08:42.919 a server farm is physically located in Russia. Okay, so 176 00:08:43.000 --> 00:08:46.200 Russian territory, but it's storing the personal data of a 177 00:08:46.200 --> 00:08:47.000 German citizen. 178 00:08:47.240 --> 00:08:50.519 Ah, so European GDPR protections. 179 00:08:49.919 --> 00:08:53.679 Apply, yes, And then that data is suddenly accessed and 180 00:08:53.759 --> 00:08:56.879 manipulated by a hacker sitting in an Internet cafe in 181 00:08:56.879 --> 00:08:57.679 the United States. 182 00:08:57.879 --> 00:09:01.519 That is a mess. Who investigates who's privacy laws were violated. 183 00:09:01.639 --> 00:09:04.279 Right, If the US wants to seize that server, they 184 00:09:04.320 --> 00:09:08.320 are violating Russian territorial sovereignty, even though the data belongs 185 00:09:08.360 --> 00:09:10.360 to a European under GDPR. 186 00:09:10.679 --> 00:09:14.159 It's just a legal Rubik's cube, and security architects have 187 00:09:14.200 --> 00:09:17.240 to build systems that somehow comply with all of those 188 00:09:17.279 --> 00:09:19.200 overlapping mandates simultaneously. 189 00:09:19.279 --> 00:09:20.360 It is incredibly daunting. 190 00:09:20.519 --> 00:09:23.000 But as complex as the international law is, the knowledge 191 00:09:23.039 --> 00:09:25.159 area that I think our listeners will relate to the 192 00:09:25.200 --> 00:09:26.600 most is human factors. 193 00:09:26.639 --> 00:09:30.720 Oh, absolutely, human factors is essentially the science of usable security. 194 00:09:31.000 --> 00:09:32.960 Usable security, I love that term. 195 00:09:33.159 --> 00:09:37.440 For decades, the industry operated under a massive misconception that 196 00:09:37.559 --> 00:09:42.159 security systems should be designed by engineers for engineers. 197 00:09:42.000 --> 00:09:44.919 And that regular users just needed to be trained to 198 00:09:45.039 --> 00:09:48.159 comply with whatever rigid policies were thrown at them. 199 00:09:48.320 --> 00:09:50.159 Exactly, just comply and don't complain. 200 00:09:50.440 --> 00:09:53.200 Right. If you are listening to this on a company 201 00:09:53.279 --> 00:09:56.720 laptop right now, think about how often you delay forced 202 00:09:56.799 --> 00:09:59.440 software updates because you're right in the middle of a 203 00:09:59.480 --> 00:10:00.919 massive or how. 204 00:10:00.840 --> 00:10:03.759 Many times you've had to invent a twenty character password 205 00:10:04.039 --> 00:10:06.120 with a mix of hieroglyphics. 206 00:10:05.679 --> 00:10:07.759 Only to be forced to change it thirty days later. 207 00:10:08.200 --> 00:10:09.600 It's exhausting, It really is. 208 00:10:09.720 --> 00:10:11.320 Yeah, but let me play Devil's advocate here. 209 00:10:11.360 --> 00:10:12.039 Sure, go for it. 210 00:10:12.639 --> 00:10:16.120 If human error is such a massive liability, why don't 211 00:10:16.159 --> 00:10:18.799 system architects just try to automate everything and take the 212 00:10:18.879 --> 00:10:22.279 human completely out of the loop. Whoa why bother making 213 00:10:22.320 --> 00:10:25.360 security usable if you can just make it mandatory, lock 214 00:10:25.399 --> 00:10:28.519 the system down, automate the compliance at the hardware level. 215 00:10:28.840 --> 00:10:31.600 If we connect this to the bigger picture, taking the 216 00:10:31.679 --> 00:10:33.919 human out of the loop is an arrogant. 217 00:10:33.600 --> 00:10:35.960 Illusion, really an illusion. 218 00:10:35.919 --> 00:10:40.159 Yes, because security is almost never a person's primary task. 219 00:10:40.919 --> 00:10:44.519 People are hired to process invoices, to treat patients, to 220 00:10:44.679 --> 00:10:46.000 code applications, right. 221 00:10:46.039 --> 00:10:47.879 They just want to get their work done exactly. 222 00:10:48.240 --> 00:10:50.799 So, if a security control is so draconian that it 223 00:10:50.840 --> 00:10:54.480 creates immense friction preventing people from doing the very jobs 224 00:10:54.480 --> 00:10:57.559 they were hired to do, the humans will not just complain. 225 00:10:57.679 --> 00:10:58.759 I'll find a way around it. 226 00:10:58.799 --> 00:11:01.919 They will actively engine your ways to bypass your security. 227 00:11:02.000 --> 00:11:05.480 Wow. They basically become the adversary inside your. 228 00:11:05.320 --> 00:11:09.200 Own network unintentionally. Yes, this is the root cause of shadow. 229 00:11:09.200 --> 00:11:11.440 I t ah shadow I T Yeah. 230 00:11:11.879 --> 00:11:14.679 If the corporate VPN is too slow, to transfer massive 231 00:11:14.759 --> 00:11:18.480 video files. An employee will just upload those proprietary files 232 00:11:18.480 --> 00:11:20.799 to their personal dropbox to get the project. 233 00:11:20.440 --> 00:11:22.240 Done on time, because they have a deadline. 234 00:11:22.320 --> 00:11:26.519 Right if the password requirements exceed human cognitive limits, they 235 00:11:26.519 --> 00:11:28.799 will write the password on a sticky note and stick 236 00:11:28.840 --> 00:11:29.799 it right to their monitor. 237 00:11:29.919 --> 00:11:31.960 We've all seen the sticky notes exactly. 238 00:11:32.559 --> 00:11:38.360 Unusable security actively breeds insecurity. The human Factors area codifies 239 00:11:38.399 --> 00:11:39.840 this psychological reality. 240 00:11:40.120 --> 00:11:42.480 So if you don't fit the security task to the 241 00:11:42.559 --> 00:11:46.480 human's cognitive load, your technical controls are practically. 242 00:11:46.039 --> 00:11:47.840 Useless, completely useless. 243 00:11:47.879 --> 00:11:50.320 But you know, humans aren't perfect, no matter how well 244 00:11:50.360 --> 00:11:51.360 you design the interface. 245 00:11:51.600 --> 00:11:52.080 No, they're not. 246 00:11:52.480 --> 00:11:55.679 Eventually someone will be tired, they will get tricked, and 247 00:11:55.759 --> 00:11:58.679 they will click the wrong link in a phishing email. 248 00:11:58.919 --> 00:12:00.320 And that's when things get real. 249 00:12:00.679 --> 00:12:04.679 Right when that human perimeter fails, the threat slams right 250 00:12:04.720 --> 00:12:07.960 into the technical architecture. And that is exactly where the 251 00:12:08.000 --> 00:12:13.120 cybox transitions us from human behaviors into the technical front lines, 252 00:12:13.159 --> 00:12:14.759 the attacks and defenses category. 253 00:12:14.919 --> 00:12:16.759 This is where we move from the boardroom and the 254 00:12:16.840 --> 00:12:18.440 legal department into the trenches. 255 00:12:18.559 --> 00:12:19.240 The messy part. 256 00:12:19.360 --> 00:12:22.600 Yeah, when malicious code enters the environment, you have to 257 00:12:22.679 --> 00:12:26.320 understand exactly what you are looking at. The malware and 258 00:12:26.360 --> 00:12:31.080 attack technologies. Knowledge area maps out how analysts actually dissect 259 00:12:31.080 --> 00:12:32.120 these threats. 260 00:12:31.840 --> 00:12:34.399 And they heavily rely on the mechanisms of static and 261 00:12:34.519 --> 00:12:37.919 dynamic analysis they do. Here's where it gets really interesting 262 00:12:37.960 --> 00:12:40.399 for me. Let's break those down because the difference in 263 00:12:40.480 --> 00:12:42.200 how they work is fascinating. 264 00:12:42.480 --> 00:12:47.440 Sure, think of static analysis like examining the architectural blueprints 265 00:12:47.440 --> 00:12:49.759 of a bomb without actually detonating it. 266 00:12:49.840 --> 00:12:51.960 Okay, so you're not running the code, right. 267 00:12:51.919 --> 00:12:54.720 You are looking at the dormant code. You're extracting the 268 00:12:54.720 --> 00:12:58.240 strings of text, looking at the structural hashes, and using 269 00:12:58.279 --> 00:13:03.120 reverse engineering tools to disassemble the program into readable instructions. 270 00:13:03.279 --> 00:13:05.399 You're just trying to guess what it might do based 271 00:13:05.399 --> 00:13:06.919 on how it's built exactly. 272 00:13:07.279 --> 00:13:10.840 But malware authors are smart. They obcuse gate and encrypt 273 00:13:10.840 --> 00:13:13.559 their code. So the blueprint just looks like gibberish. 274 00:13:13.320 --> 00:13:16.240 Which means you can't just rely on static analysis. You 275 00:13:16.240 --> 00:13:19.600 have to use dynamic analysis. To use your analogy, you 276 00:13:19.639 --> 00:13:22.879 have to put the bomb in a blastproof room and 277 00:13:22.960 --> 00:13:23.639 hit the ignition. 278 00:13:24.039 --> 00:13:28.039 That's dynamic analysis. You place the malware into a highly instrumented, 279 00:13:28.200 --> 00:13:31.279 isolated sandbox. Environment and you execute it. 280 00:13:31.519 --> 00:13:33.519 So you aren't just looking at the code anymore. 281 00:13:33.720 --> 00:13:37.320 No, you're monitoring the behavior. What registry keys, is it 282 00:13:37.360 --> 00:13:41.120 trying to modify, what external IP addresses? Is it attempting 283 00:13:41.159 --> 00:13:44.840 to contact? What internal APIs? Is it calling wow? 284 00:13:45.720 --> 00:13:49.600 And by combining the static structure with the dynamic behavior, 285 00:13:49.919 --> 00:13:53.360 defenders can build a complete profile of the attack exactly. 286 00:13:53.480 --> 00:13:56.279 And while the analysts are dissepting the weapon, the incident 287 00:13:56.320 --> 00:13:59.799 responders and forensic investigators are trying to piece together the. 288 00:13:59.759 --> 00:14:02.720 Crime, which is a whole different ballgame it is. 289 00:14:02.879 --> 00:14:06.000 And side Putt gets incredibly rigorous here. It doesn't just 290 00:14:06.159 --> 00:14:09.600 list a bunch of data extraction tools for forensics. It 291 00:14:09.679 --> 00:14:13.320 dives into the cognitive task model of an investigation. 292 00:14:13.519 --> 00:14:16.799 It explores forensics as a sense making loop, which is 293 00:14:16.840 --> 00:14:17.840 a critical distinction. 294 00:14:18.080 --> 00:14:20.360 Yeah, it's not just pulling a hard drive image. 295 00:14:20.480 --> 00:14:23.919 No, it is the cognitive process of an investigator taking 296 00:14:24.000 --> 00:14:27.720 bottom up data like scattered log files and timestamps and 297 00:14:27.840 --> 00:14:31.440 combining it with top down hypotheses like maybe saying I 298 00:14:31.440 --> 00:14:34.600 think the attacker moved latterly through the HVAC system. 299 00:14:34.759 --> 00:14:38.240 Ah, So you're reconstructing a verifiable timeline of reality based 300 00:14:38.279 --> 00:14:40.519 on a theory and the data exactly. But all of 301 00:14:40.559 --> 00:14:45.279 these frontline defenses, I mean the malware analysts the forensic investigators, 302 00:14:45.279 --> 00:14:48.759 that they are entirely dependent on the underlying architecture of 303 00:14:48.799 --> 00:14:51.759 the systems. They are defending the bedrock right, and that 304 00:14:51.759 --> 00:14:54.720 brings us to the deepest technical foundation in the blueprint, 305 00:14:55.200 --> 00:15:00.360 the system's security category. This encompasses cryptography, operating system and 306 00:15:00.519 --> 00:15:01.559 distributed systems. 307 00:15:02.080 --> 00:15:05.360 To really understand how vital this layer is, you have 308 00:15:05.399 --> 00:15:08.559 to look at the concept of formal methods, which Cybog 309 00:15:08.639 --> 00:15:10.360 highlights as a cross cutting theme. 310 00:15:10.440 --> 00:15:11.600 Okay, formal methods. 311 00:15:11.960 --> 00:15:14.879 In normal software development, how do you know program works? 312 00:15:14.919 --> 00:15:15.960 You test it, right. 313 00:15:15.840 --> 00:15:17.480 You throw a bunch of inputs at it and see 314 00:15:17.519 --> 00:15:18.200 if it crashes. 315 00:15:18.279 --> 00:15:20.840 It's like testing a bridge by driving heavier and heavier 316 00:15:20.879 --> 00:15:21.519 trucks over it. 317 00:15:21.799 --> 00:15:24.200 But testing can only prove the presence of bugs. It 318 00:15:24.200 --> 00:15:26.720 can never prove the absence of them. You might just 319 00:15:26.759 --> 00:15:28.200 not have driven a heavy enough truck. 320 00:15:28.080 --> 00:15:31.480 Yet that is exactly the problem. But formal methods operate 321 00:15:31.519 --> 00:15:36.000 completely differently. It uses mathematical logic to rigorously specify and 322 00:15:36.200 --> 00:15:39.159 verify the behavior of software and hardware. 323 00:15:39.240 --> 00:15:41.320 So instead of driving trucks over the bridge. 324 00:15:41.559 --> 00:15:45.759 You are using physics and mathematics to definitively prove that 325 00:15:45.799 --> 00:15:48.720 the bridge cannot collapse under a specified weight. 326 00:15:49.039 --> 00:15:53.000 Wow, you are proving the structural integrity of the code itself, 327 00:15:53.279 --> 00:15:56.600 which is incredibly resource intensive. So I imagine you only use 328 00:15:56.679 --> 00:16:00.399 it for the absolute bedrock, like the cryptographic algorithm or 329 00:16:00.440 --> 00:16:02.279 the core kernel of the operating system. 330 00:16:02.399 --> 00:16:04.440 Exactly. You wouldn't use it for a simple web app. 331 00:16:04.559 --> 00:16:08.159 And here is where the blueprint concept truly solidifies for me, 332 00:16:08.679 --> 00:16:13.080 because it's structured exactly like modern medicine. What do you mean, Well, 333 00:16:13.159 --> 00:16:16.679 you have your emergency responders handling incident management and forensics 334 00:16:16.679 --> 00:16:18.960 on the front lines. Sure, but you also need the 335 00:16:19.039 --> 00:16:23.120 geneticists and immunologists deep in the lab working on cryptography 336 00:16:23.240 --> 00:16:27.320 and system security to build the vaccines. When you look 337 00:16:27.320 --> 00:16:30.960 at these cross cutting themes, you realize these knowledge areas 338 00:16:31.039 --> 00:16:32.679 cannot exist in silos. 339 00:16:32.799 --> 00:16:35.759 That is so true, they are deeply interwoven. You could 340 00:16:35.799 --> 00:16:40.519 have a brilliant cryptographer design and encryption key using mathematically 341 00:16:40.600 --> 00:16:41.720 verified formal methods. 342 00:16:41.799 --> 00:16:43.960 Okay, so the math is flawless. 343 00:16:43.440 --> 00:16:47.600 Flawless, but if the operating system lacks the memory isolation mechanisms, 344 00:16:47.639 --> 00:16:50.759 we talked about earlier. Oh, then a piece of malware 345 00:16:50.799 --> 00:16:54.360 can simply reach into the adjacent memory space and steal 346 00:16:54.440 --> 00:16:57.519 the cryptographic key while the application is using it. 347 00:16:57.879 --> 00:17:00.519 Man so the math doesn't matter. If the the operating 348 00:17:00.559 --> 00:17:03.039 system leaves the front door off the hinges. 349 00:17:02.759 --> 00:17:06.359 Precisely, And if you scale that up to a distributed system, 350 00:17:06.440 --> 00:17:09.759 say a massive peer to peer cloud infrastructure, oh boy, 351 00:17:09.880 --> 00:17:13.000 you now have to secure the cryptographic keys, enforce the 352 00:17:13.039 --> 00:17:17.240 operating system memory isolation, encrypt the network transit protocols, and 353 00:17:17.319 --> 00:17:21.079 these somehow manage the human factors of the administrators running 354 00:17:21.079 --> 00:17:21.559 the whole. 355 00:17:21.400 --> 00:17:24.960 Thing across multiple legal jurisdictions no less exactly. 356 00:17:25.279 --> 00:17:28.680 A failure in any one of those adjacent disciplines compromises 357 00:17:28.720 --> 00:17:32.480 the entire system. You are never aiming for perfect defense, 358 00:17:32.839 --> 00:17:35.119 You're engineering for systemic resilience. 359 00:17:35.920 --> 00:17:38.559 That fundamentally changes how you view the industry. I mean, 360 00:17:38.640 --> 00:17:42.119 cybersecurity is not an IT problem relegated to the basement, 361 00:17:42.240 --> 00:17:46.000 no about it all. It is an incredibly demanding interdisciplinary science. 362 00:17:46.480 --> 00:17:49.920 And having a codified body of knowledge like CYBUK means 363 00:17:49.960 --> 00:17:52.119 the industry finally has a shared vocabulary. 364 00:17:52.200 --> 00:17:55.279 It sets the benchmark. If a university is designing a 365 00:17:55.319 --> 00:17:58.759 master's program, or global enterprise is building a training matrix 366 00:17:58.799 --> 00:18:01.880 for their engineering teams. They don't have to guess what matters. 367 00:18:02.079 --> 00:18:05.920 They have a mathematically, algorithmically and socially verified map of. 368 00:18:05.880 --> 00:18:10.599 The territory, which completely upgrades your analytical framework. The next 369 00:18:10.640 --> 00:18:13.680 time you hear about a massive corporate data breach, you 370 00:18:13.720 --> 00:18:16.440 aren't just going to ask what kind of malware was used? 371 00:18:16.519 --> 00:18:17.480 Right, You'll dig deeper. 372 00:18:17.599 --> 00:18:19.720 You were going to ask what was the failure in 373 00:18:19.799 --> 00:18:23.400 usable security that caused the employee to bypass the controls? 374 00:18:23.640 --> 00:18:26.720 You will ask what were the latent design conditions in 375 00:18:26.759 --> 00:18:29.880 the operating system that failed to contain the blast radius. 376 00:18:30.079 --> 00:18:35.400 It really elevates the conversation from reactive panic to systemic analysis. 377 00:18:35.640 --> 00:18:37.960 It really does. But you know, we have to leave 378 00:18:37.960 --> 00:18:40.960 you with a final thread to pull Cybuck Version one 379 00:18:40.960 --> 00:18:45.160 point zero mapped nineteen distinct knowledge areas back in October 380 00:18:45.160 --> 00:18:45.839 twenty nineteen. 381 00:18:45.960 --> 00:18:46.759 Yeah, it was a while ago. 382 00:18:46.799 --> 00:18:49.119 Now, it was a snapshot of the foundation at that time. 383 00:18:49.440 --> 00:18:51.839 But building on the very premise of the text that 384 00:18:51.880 --> 00:18:55.799 the discipline is constantly adapting to the sociotechnical reality, we 385 00:18:55.960 --> 00:18:59.480 have to consider our vantage point today right now in 386 00:18:59.519 --> 00:19:00.880 April six. 387 00:19:00.960 --> 00:19:03.720 Well, the sociotechnical reality has fractured in ways that were 388 00:19:03.720 --> 00:19:05.400 really only theoretical seven years ago. 389 00:19:05.759 --> 00:19:10.240 We have seen an absolute explosion in generative AI, hyper 390 00:19:10.359 --> 00:19:15.200 realistic deep fakes, automated disinformation campaigns operating out a global scale. 391 00:19:15.279 --> 00:19:16.240 That's a wolder frontier. 392 00:19:16.319 --> 00:19:18.519 We are looking at threats that don't just compromise a 393 00:19:18.599 --> 00:19:22.119 database or lock a hard drive. They actively compromise the 394 00:19:22.200 --> 00:19:23.920 concept of truth itself. 395 00:19:24.160 --> 00:19:25.480 That's the real threat model. 396 00:19:25.519 --> 00:19:28.799 Now, So what will the twentieth or twenty first knowledge 397 00:19:28.839 --> 00:19:31.480 area look like in the next iteration of this blueprint? 398 00:19:31.559 --> 00:19:35.440 Will something like synthetic reality or algorithmic manipulation become its 399 00:19:35.480 --> 00:19:37.880 own foundational pillar of cybersecurity? 400 00:19:38.000 --> 00:19:38.839 That almost has to be. 401 00:19:38.960 --> 00:19:41.319 When the boundary between the physical and the digital is 402 00:19:41.359 --> 00:19:44.799 completely erased, how do you architect a system to secure 403 00:19:44.880 --> 00:19:47.720 reality itself? Something for you to mull over until our 404 00:19:47.759 --> 00:19:48.720 next deep dive.