Knowing and Understanding
"I learned very early the difference between knowing the name of something and knowing something." - Richard Feynman
This past week I had an interview with an engineer from a rather prolific company. I was asked two questions about topics in IT, and while I could answer them, I felt my answers were subpar.
It became apparent to me that while I knew the answers to the questions, I did not KNOW them well enough to explain them to a child. That epiphany, which hit me in the middle of the interview, led me to restart my education in the realm of IT.
Most of the time, when people learn, they do not learn deliberately. Let me explain. Most people learn something from a book and regurgitate it to pass some kind of exam, to make more money. I have done it too, so I am not picking on you if you feel that way. (CompTIA, we're all looking at you.)
So I am sure you are wondering what the questions were that led to my relearning of everything I know. I'll tell you. You can laugh; it feels embarrassing, but what is there to be embarrassed about?
I was asked two questions:
What is the difference between a vulnerability, threat and risk?
Define a Policy, Standard and Guideline.
Simple questions, right? Do me a favor: answer them right now as if you were speaking to a child. Do not use industry words unless you define them (and define them with simple words as well). You will quickly realize it can be a bit harder to convey the meaning of these topics.
The truth is, the questions are simple, so why is this something people struggle with? My belief is that we do not practice deliberate learning; for the most part we just memory dump and regurgitate something we read once.
Cybersecurity is not hard, but there is a veil of mystery surrounding the industry because it sounds "sexy". In full transparency, if you did not understand a topic that someone conveyed to you, they did not explain it well, and likely that is because they do not actually know it themselves. A book called "A Leader's Guide to Cybersecurity" goes a bit deeper on this idea if you are interested.
A better way of learning is utilizing the Richard Feynman Technique:
1. Pretend to teach a concept you want to learn about to a student.
2. Identify gaps in your explanation. Go back to the source material to better understand it.
3. Organize and simplify.
4. Transmit.
Now, it is my turn to answer these questions in a way that I would have been proud of in the interview.
A vulnerability is a weakness in a system. Vulnerabilities have several flavors: human, physical, technological and process.
Human vulnerabilities can derive from people having too much access or control in a system, or from people being too trusting of others.
Physical vulnerabilities develop from buildings or equipment. For example, the building may not have locked doors (equipment) to prevent an intruder from accessing a server room.
Technological vulnerabilities are possible when equipment installed within a company network has a flaw of its own. That flaw can give an attacker easier access if they can reach the device.
Process-based vulnerabilities can originate from a process such as patching. If a weakness is discovered in a version of software and the vendor does not provide a patch, an attacker can take advantage of it.
Exploit (I know this was not asked): an exploit is a successful attack on a weakness or flaw in a system.
Policies, Standards, Procedures & Guidelines
Policies are high level documents that explain what needs to be accomplished within an organization and what will happen if those needs are not met.
Standards are a set of rules or regulations that the company decides to follow, such as NIST standards. A standard defines WHAT needs to be done.
Procedures are a granular set of tasks that accomplish the goals of a policy. These tasks are detailed step by step so people are able to understand HOW the work is required to be done.
Guidelines are a set of best practices and recommendations for employees on how to deal with a given set of problems.
Now, I would like to express a vulnerability of my own. I realize, going through this, that these topics are not difficult, but I want to be better and be able to explain any topic I am asked about. I will be writing blogs on all the simple topics. I may even make it a goal to post twice a week following the format of the CISSP, since it is basically high-level management knowledge anyway.
And to the interviewer, whom we will call "K": I appreciate you asking me those questions. You have helped me realize how much I truly have to learn, and I thank you.
References:
https://fs.blog/feynman-learning-technique/ (Richard Feynman Technique)
A Leader’s Guide to Cybersecurity by Thomas J. Parenty & Jack J. Domet