Re: [Smart] When we say 'cyber'...

Bret Jordan <> Fri, 05 October 2018 19:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 11CF7130DFF for <>; Fri, 5 Oct 2018 12:02:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.988
X-Spam-Status: No, score=-1.988 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 7WT1oijSGOsQ for <>; Fri, 5 Oct 2018 12:02:20 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::82e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4DD2D130F07 for <>; Fri, 5 Oct 2018 12:01:42 -0700 (PDT)
Received: by with SMTP id u34-v6so14929465qth.3 for <>; Fri, 05 Oct 2018 12:01:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=QAK+5xkK6P4u2lg9lMEQ9TN0lW7Hpzy3nuo4BAmdJsw=; b=GU8mptqmdBHLuRbIymeXVFYLj/kw7GxJv9ZCP2p6BTVNnAqbPaLxgqGimY/j0rLEOQ 3yO5SeVIhvdOBH2wFS5VrEQuFQvur+xytdiJr2y25eT2evau93Wu4zNrRDv6zNpUSOT4 C+Wiv5PkxcpYrJ+UOpFdU62Ona2urXnNxOkWzNpNDzpcwVQY/yKslh5nmwzu/67puD4a 0yQ2GIlT3XcFiMEC8GVmEpNCwmK45+9MrWgUxRcSUIgliLUBp3H0pUjB0qEqrawmFpgb B8/Xh7YRmghNpQWS4jxbBVYtxpTPXr3CBEaeKIZO3k1YZoEkfu6vwv/1BLAML9OMYuXf 2J4Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=QAK+5xkK6P4u2lg9lMEQ9TN0lW7Hpzy3nuo4BAmdJsw=; b=nk6P+cREjUF17qauZsQR6AGhyFpjunkptSPXko8hbdv7HJiWlcBnKw8rTPFmljOIIy QPLfYGjaxkzg6w8o0taI7cUc1B4omOYdShh0/H/ptDNrvRFfBHAeIEAj2p1Zz1Cr3nfg ALn/NPTthRbsfBJeC31LMGZFVS1d0SgmPi9iMAPKjKktUNs6CrQGqZ2go09dBMyv+o0v LfbBq2/19DjJEGZzZgh7YeqWj74vRRKiSLgvg0XY6AAjdbkGi9KiwQQwGXBAmk+RYB5E L4F0n4DbYnwqJa0+8eE+VgSlI6lGEfO4R9jhK1eyKwwPRSUnDq0rNipNx2xT9FYUKct7 menQ==
X-Gm-Message-State: ABuFfohe8+m3cPdpsY9N7tuRcKTwpOHfyiIRfz/wJiyfTd26StfljoP8 FqvGXY52egahVFlKI3HlESc=
X-Google-Smtp-Source: ACcGV62zNdnT69SicIPEWdRr4EvtYG0jgutNxccsRlhG+qgYVQpex6ZLFr8GCpe7xtS8C8vnEXG6vg==
X-Received: by 2002:a0c:b346:: with SMTP id a6-v6mr10659948qvf.160.1538766101398; Fri, 05 Oct 2018 12:01:41 -0700 (PDT)
Received: from [] ([]) by with ESMTPSA id w22-v6sm5217268qtb.8.2018. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 05 Oct 2018 12:01:39 -0700 (PDT)
From: Bret Jordan <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_43723414-0AD2-44A2-A589-B79E8FAE34E2"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Fri, 05 Oct 2018 15:01:52 -0400
In-Reply-To: <LOXP123MB14168BB24E88B846C5055842D3EA0@LOXP123MB1416.GBRP123.PROD.OUTLOOK.COM>
Cc: "" <>
To: Mark O <>
References: <LOXP123MB14168BB24E88B846C5055842D3EA0@LOXP123MB1416.GBRP123.PROD.OUTLOOK.COM>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <>
Subject: Re: [Smart] When we say 'cyber'...
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Stopping Malware And Researching Threats <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 05 Oct 2018 19:02:24 -0000


Thanks for the email and clarification. I for one do not have a problem with the term cyber security or cyber defense. It is so common and well understood in practice from the enterprise SoC, ISAC, ISAO, and IC etc. I think some might take issue with the differences between:

Data Security
Information Security 
Cyber Security

I have also looked at the ENISA work before and really like what they have done.  There are also a lot of taxonomy elements that are defined in STIX for some of these things as well.  But we should not get hung up on this minor stuff, we should be focused on doing the work that this research group needs to do.

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

> On Oct 4, 2018, at 11:44 AM, Mark O <> wrote:
> There’s been some discussion on the list about what to call the main topic of our research. We settled on the name ‘SMART’ – Stopping Malware And Researching Threats - for the list because it covered a couple of our major aims and made for a handy acronym. But it’s not the whole of our ambition.
> When we first mooted the possibility of a research group at the SAAG open meeting in Montreal, we referred to ‘Cyber Defence’. That’s [part of] what we do at the National Cyber Security Centre – we have an Active Cyber Defence <> programme, aimed at improving the resistance of UK infrastructure to cyber attacks. So the word ‘cyber’ trips easily off our tongues. It’s not just us – large parts of industry and academia refer to ‘cyber security’ and ‘cyber attacks’, as do the media. But we’re also aware that ‘cyber’ means different things to different people, it’s a buzzword, it’s generic, and it can raise hackles in some. Earlier versions of the draft charter referred to ‘cyber security’, ‘cyber defence’, ‘security operations’, and the current version refers to the rather plain ‘attack defence’. Hopefully without getting side-tracked – what speaks best to most people?
> Ultimately, we don’t have a strong view on what phrase is used – the important point is that it’s clear and obvious what type of threats we’re trying to defend against (without being prescriptive). So it’s probably more helpful to try and build a list of the kind of threats we’re meaning.
> As a general theme, the threats we’re considering:
> have malicious intent – as opposed to accidental threats (e.g. hardware failure causing data loss);
> involve active interference with data, users or the network – as opposed to passive wiretapping and offline attacks; and
> result in harm.
> We probably will need to reference a taxonomy of threats, and we needn’t reinvent the wheel here – that work has been done before. ENISA has produced one such threat taxonomy <> which I’ve used to construct the list below. This is just a starting point – there will be some things I’ve missed off, and I certainly can’t promise that we’ll be able to address all of them:
> Unsolicited e-mail – spam and infected e-mails; links to malicious websites
> Identity theft – stealing credentials
> Denial of service – DDoS, network and application layer, amplification attacks
> Malware, worms, trojans, rootkits, injection attacks, viruses, exploits
> Spyware, scareware, ransomware
> Social engineering – phishing, spear-phishing
> Fake certificates, MITM, signed malware
> Manipulation of hardware and software
> Manipulation of information – hijacking, routing table manipulation, DNS poisoning
> Misuse of audit tools to discover security weaknesses
> Unauthorised access, network intrusion 
> Unauthorised installation of software, web/browser-based attacks, drive-by downloads
> Data breach
> Remote execution, botnets
> Advanced Persistent Threats
> Note that ‘cyber’ doesn’t appear in the list once – and that’s OK.
> Is that what everyone’s expecting? This is still up for grabs and we’d like everyone to have the same, clear view of what we’re trying to achieve.
> -- Mark
> This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to <> -- 
> Smart mailing list
> <>
> <>