Introduction to SABSA

I am not going to reinvent the wheel, so I will redirect you to the SABSA Institute website, which has a three-part history of SABSA. The links are below: https://sabsa.org/category/chief-architects-blog/

Part 1: https://sabsa.org/the-chief-architects-blog-a-brief-history-of-sabsa-21-years-old-this-year/

As SABSA reaches its 21st birthday, it’s worth taking a few moments to look back over its birth and development. The very first publication of SABSA was in October 1996 at the COMPSEC conference:
John Sherwood: “SALSA: A Method of Developing the Enterprise Security Architecture and Strategy”; COMPSEC 96, London, October 1996.
SALSA? That’s right – SALSA. But, more about that in a bit. So where did that spring from? Was it out of nowhere? No, not quite. The seeds were planted a year earlier. At that time, in autumn 1995, I was working as a consultant at S.W.I.F.T. headquarters in La Hulpe, Belgium.
S.W.I.F.T. had recently been reorganised to create a new department called Global Information Security (GIS) to address some issues raised by the then external auditors. Although there had been an Inspection Department for many years (effectively an internal audit function), there had been no explicit and proactive security function. The new department was created to fix that omission.
It will tell you a lot about the cultural status and popularity of ‘Information Security’ at the time that many people would say that ‘GIS’ was short for ‘get it stopped’. That was the reputation that ‘Information Security’ had gathered over three decades since its emergence in the late 1960s. The corporate information security team was seen (often for good reason) as the ‘business prevention department’. “No, you can’t do that, it’s not secure” was the catch phrase that had earned that reputation in many organisations.
The newly appointed Director of GIS at S.W.I.F.T. (Erik Guldentops, previously the Chief Inspector) was keen to make sure that this poor reputation was dispelled, and that Information Security was seen as adding a positive contribution to the business of S.W.I.F.T. That business was, and still is, the transfer on a global scale of several trillion dollars per day between the world’s largest banks. (Yes, that eye-watering number is correct).

Erik’s mandate in his new appointment was to create a five-year information security strategy and get the S.W.I.F.T. Board to approve a significant budget to achieve this objective. The currency at the time (pre-Euro) was the Belgian Franc (BEF), which had a low exchange rate versus the dollar or the pound sterling. Thus the budget numbers tended to be large ones, quoted in millions of BEFs (MBEFs) or mega-BEFS as we affectionately referred to them. Erik needed to justify a multi-mega-BEF budget, for which he needed a plan that could be shown to the Board.
One grey, drizzly November afternoon in 1995 I was working in my office at La Hulpe and Erik came in to see me. “Hello John. What do you know about security architecture?” he said. “Well”, I said “I know there is an ISO standard 7498-2 that talks about OSI (open systems interconnection) security architecture. ISO 7498-1 is the well-known description of the 7-layer OSI network architecture model, but part 2, about OSI security architecture, is less well known. And that’s about it”. So Erik says to me: “Please dig around and see what you can find because I need to develop an information security architecture for S.W.I.F.T.”
Those of you who are relatively new to the game of research will be thinking “Why didn’t they just Google it?” The answer is: because there was no such thing as Google in those days, or HTTP, or WWW. There was a public internet-searching tool called gopher, which pre-dated HTTP and the World Wide Web as the document-structuring platform. Using gopher, I managed to find no other useful references to ‘security architecture’. You people today don’t know how lucky you all are with the tools now available.
So we had a starting point: ISO 7498-2: OSI Security Architecture. What’s amazing about that is that it was an outstandingly sound conceptual model from which to build a full-scale security architecture model and framework. It may have been the only document we could find, but it was the best possible. It forms the heart of the SABSA layered stack even today.
Of course, at this stage we were working on a security architecture model for S.W.I.F.T. It was only a year later, when I published the paper at COMPSEC in London, that this work was presented outside of S.W.I.F.T. under the name SALSA. Yes, the first publication was called SALSA, which stood for Sherwood Associates Limited Security Architecture. It was Andy Clark’s (a co-author, along with David Lynas, of Enterprise Security Architecture: A Business-Driven Approach) idea to use that name and we liked it. The original paper was published by Elsevier Science in their Computers and Security journal, as: “SALSA: A Method of Developing the Enterprise Security Architecture and Strategy”; Computers & Security, Volume 15 No. 6, 1996. Apparently that article is still available today.

Some time later I received a ‘cease and desist’ letter from an aggressive firm of New York lawyers that claimed I was abusing the trademark of their client. The client had a general business software package of the same name. I wrote back and politely pointed out that there was no conflict, but an even more aggressive letter threatening court action followed. I spoke to Andy and we decided we had two choices: spend the rest of our lives defending the action or change the name. Guess what we did. At least it showed that the published article was being read. And so, SALSA became SABSA.
Right from the very first synthesis of the SABSA framework, security services have been one of the most important central concepts of the work. The reference to the relevant standard is:
ISO 7498-2:1989: Information Processing Systems – Open Systems Interconnection – Basic Reference Model – Part 2: Security Architecture.
ISO 7498-2 introduces the concept of security services, security mechanisms and security management. More importantly, it makes clear differentiations and relationships between these three concepts. The core conceptual relationships described in ISO 7498-2, as extracted for the original SABSA layered security architecture framework, are summarised in Figure 1.

Figure 1 – Core ISO 7498-2 Conceptual Relationships

We extended the ISO 7498-2 model by adding a business layer and a strategic layer above the services layer, added a products and technologies layer below the mechanisms, and extended the management both up and down to indicate that it is required at every layer of the model. Thus was born the first SABSA architecture model. This was developed further in subsequent iterations, but more of that later on.

Figure 2 – Original SABSA Layered Model from 1996 Publication

The SABSA story now spans 21 years and has had many pivotal turning points along the way. What you see today is the result of much work and input from many different sources. In the next blog article, I shall track that development path that took SABSA from these early beginnings to the present day. Figure 3 shows just how far this original model had evolved, with multiple backplanes of overlaid additional models and frameworks. The layers are now considered as ‘views’ according to the roles and ‘viewpoints’ of the leading role-players at each layer.

Figure 3 – The Modern SABSA Meta Model

Want to buy a new security appliance? Is it aligning to business objectives?

Often the technical professionals in an organisation, i.e. IT, tend to fall in love with buying new shiny toys. This can be a new firewall, an IDS, or anything that promises to thwart attacks. But the real question to ask is whether the new toy is there to protect the business and align with the business objectives, or whether it is just another tool that will be bought and then sit idle after a year of use.

Business Information Security

In most situations cyber security consultants tend to recommend technological solutions to problems: a new firewall, a new IDS, a new WAF, a new OS, etc. The list is endless. What most people tend to ignore is that we are not in the business of information security or cyber security; rather, we are in the business of supporting businesses in realising their objectives securely. That is where the term business information security comes into play, and welcome to the world of SABSA.

While many of you may not even have heard of SABSA, in a nutshell it is a framework for delivering business-focused information security. This framework/methodology is ideal if you want to make sure you are in the right business of supporting the business in achieving its goals/objectives securely.

To explore further, go to https://sabsa.org/ and I will catch up with you later.

Disclosure: I am a qualified SABSA Security Architect.

What I am reading at the moment?

Updated list as of 30th Nov 2019

Beyond Cybersecurity

Becoming a global CISO

Atomic Habits by James Clear

So Good They Can’t Ignore by Cal Newport

Ultra learning by Scott Young.

—/—/—

I read a lot of books across different genres; below is the list of books I have read since January this year.

PS: Some of the books have nothing to do with InfoSec, but I tend to focus on topics such as productivity, emotional intelligence/fitness, personal development, and other interesting topics I pick up from podcasts and books.

Book List

5 AM Club – Robin Sharma

What Got You Here, Won’t Get You There

Tools of Titans

Power

The Leader who has no title

The Art of Learning

80/20 Your Life

The Effective Executive

Tribe of Mentors

CCSK

CCSP

What do I listen to?

The following is the list of podcasts/mini-series that I listen to on a frequent basis.

Cyber Security podcasts

Tim Ferriss Show

  • tim.blog/podcast

Robin Sharma

Tom Bilyeu

https://impacttheory.com/

London Real – Brian Rose

Dandapani

Tony Robbins

Understand what needs to be protected, i.e. information and information assets

For new cyber security consultants, whether internal or providing consulting services to clients, speaking from a GRC point of view: most consultants may ignore the fact that, to be effective in providing sound advice to clients, especially in this modern era of cyber security, one needs to at least understand what needs to be protected, i.e. the information asset.

Information can be physical or digital/electronic. Information has a life cycle and goes through phases such as creation, processing, and storage. There is a well-known data security lifecycle; refer to this blog: https://www.securosis.com/blog/data-security-lifecycle-2.0 . Information needs to be protected in all of these phases.

Diagram: The data security lifecycle.

Through this life cycle, when considering the digital form of information, it will touch different layers such as computing, storage and network, and all these things don’t just live in a vacuum (the cloud): they need to be physically hosted, and that’s where physical security comes into play.

I believe in deconstructing things to their core or bare basics. I think that in the areas below a cyber security consultant should at least have some high-level understanding of how things work and how they are built (architecture):

  • Application and Software: Programming
  • Computing
  • Storage
  • Network
  • Virtualisation (plus containers)
  • Cloud anyone (understand the top four first)?

Building Competence

As a Cyber Security Consultant, whether you choose the technical or non-technical track, you will need to build competence in understanding the following areas: computing including OS, virtualisation + containers, cloud, database, application/software programming, networking, storage and physical security, at the very least at a basic level. These areas form the basis of what you are going to protect, as they relate to the information/data lifecycle.

My approach to building competence in these areas is based on pursuing a certification in each area, or using the curriculum of those certifications for self-study, including reading books, webinars, seminars or literature around the area. My go-to place for this is the CompTIA IT Certification Roadmap – https://certification.comptia.org/docs/default-source/downloadablefiles/it-certification-roadmap.pdf

Hint: You don’t have to do any of the certifications; however, you need a structured way of reading and mastering the topic/competence area. My approach has always been self-study; others prefer boot camps if they have the resources (money and time) to do so.

To be continued.

Person of Interest

Fortnightly I tend to follow the work of interesting individuals; these can be cyber security professionals or other professionals, e.g. motivational speakers, human guinea pigs, peak performance coaches, etc. So below is my list of persons of interest and the work they did/do.

Tim(othy) Ferriss – Author of Tools of Titans, Tribe of Mentors, The 4-Hour Work Week, and many other books – http://www.tim.blog

Robin Sharma – The 5 AM Club, The Monk Who Sold His Ferrari, The Leader Who Had No Title

Tony Robbins

Josh Waitzkin – The Art of Learning, Peak Performance Coach

James Clear – Atomic Habits

Damon Zahariades

To be continued ….

Staying Productive

Being a cyber security consultant requires a high discipline of self-motivation and staying on top of the tasks that you need to deliver to the client. While it is assumed that everyone should behave and play the part, most consultants have trouble doing this. I have a few tips and tools to stay on task.

Tracking time – Toggl

Planning and Scheduling – Calendar (Schedule everything and put this as calendar entry – things that are scheduled are the things that get done)

Pomodoro Technique – Set a timer for 25 minutes of work, then a 5-minute break. You can use an app (mobile/web app); I use the mobile/desktop app Focus To-Do and a Garmin watch. I should add that during the break, apart from making tea, do something physical like 10 push-ups, wall-sits, a quick sprint, or go out for a walk in the fresh air.

PS: Make sure you spend your weekend wisely so to minimise burnout 🙂

I will expand this post more…

I want to be a PCI QSA? How can I get started?

This is a placeholder; I will expand this post when I get time to write.

I have been a QSA since 2013, and before that I worked for a multinational bank from 2007 to 2009, which had a programme to secure card payments, hence my early involvement in the PCI world.

So what does PCI stand for? Payment Card Industry. And maybe your next question will be: what is PCI DSS, what is the security council, the SSC (Payment Card Industry Security Standards Council), and of course what is a PCI QSA? I will answer these questions in an expanded post. For now, for a quick reference, go to the PCI SSC website here:

https://www.pcisecuritystandards.org

My Book Library

They say a typical CEO reads about 60 books per year. That is roughly one book a week. I try to keep up with that pace, but sometimes I fall short. I tend to read one book every 2 weeks, and this covers different categories including self-help, autobiography, business and cyber security, among many others. What I would advise new entrants to cyber security is to make sure to read different business books to complement your technical knowledge, because if you cannot translate your security knowledge into help for the business, then it becomes useless.

So for this year, I have been reading the following books:

Non-Security Books

  • The Effective Executive
  • Fast Focus – Damon Zahariades
  • 80/20 Your Life – Damon Zahariades
  • Tools of Titans – Timothy Ferriss
  • 5 AM Club – Robin Sharma
  • The Art of Learning – Josh Waitzkin
  • Tribe of Mentors – Timothy Ferriss
  • Power – Jeffrey Pfeffer
  • The 4-hour Work Week (Audiobook) – Tim Ferriss
  • The 7 Habits of Highly Effective People – Stephen R. Covey
  • What Got You Here Won’t Get You There – Marshall Goldsmith

Security Books:

  • Certified Cloud Security Professional – CCSP
  • CCSK

to be continued

How to get into InfoSec Career

I have been asked this question many times: how can I get started or get into infosec / cyber security? My answer: it depends 🙂

It depends what path you want to travel to your destination – technical or non-technical.

Technical

I will start with the technical path. There are a couple of fields on the technical path, including penetration tester, application security SME, and sec ops, just to name a few.

For example, to be a pentester you will need the basics in networking, operating systems (*nix, Windows, mobile), databases, applications, etc. This role needs breadth of knowledge in order to understand how the technology is made and operated, and then one can go deeper into a specific area of testing, e.g. application testing or infrastructure testing. So my advice for starting or getting into this field is to first get an understanding of the technologies mentioned.

In the next post, I will speak about the other technical paths.

The quick about me

This blog is a rebirth of a long-time blog once hosted at blog.kinyoka.com and mkombozi blogs (Google Blogs), both of which got deprecated (I stopped blogging as I entered infosec and had a period of 10 years immersing myself in deep learning of infosec).

This blog will cover some advice on how to start your career in infosec / cyber security, giving out what I learned and continue to learn, and the best way to stay alive in this crazy world of defenders vs malicious attackers (best of luck, because you will need it).

About Me.

I was born and raised in Dar es Salaam, Tanzania. My childhood was spent in an area next to the Tanzania national stadium (Uwanja wa Taifa) in Temeke District. I went to Chang’ombe Primary School, where I had a chance to meet some bright minds who went on to do well in later life. I think the most important thing of all is that I was introduced to the world of basketball at the age of 10, and I have never stopped playing ever since.

After my primary school years, I went on to study at Forodhani Secondary School and then high school at Mzumbe Secondary School (where I did HGL – which is History, Geography and English – well, I didn’t do science subjects :)).

I had a thing for computers since I was at Forodhani Sec (1997-2000). A good friend of mine, Ajelandro Sindano, had a PC at home at the time (a Pentium 1, I think); I managed to befriend him and had the opportunity to use the computer at least 3 times a week. I met Ajelandro at Zanaki – Vijana Basketball Club’s courts, and this place is where I met most of my role models (Mkuki Bgoya, Martin Warioba, Bahati Mgunda, Abdullatif and a lot of long-term friends).

Ajelandro had a friend called Mikah, who at the time was studying computer science at IFM. I think they were taught a programming class, and he taught me the basics of HTML (in Windows Notepad); that was the start of my passion for web development. I followed that passion, and in the good footsteps of Martin W., who at the time was studying at LSU, got a few books, e.g. one on Dreamweaver from Mkuki, which helped me a lot in terms of learning.

Around the same time my Forodhani friends Taty Emmanuel and Barnabas “Kizi57” Lukumai were into computers, design, and web development. The only difference is that these guys had computers and a 24/7 internet connection. At some point we formed a company to try to monetise our passion and make a few Tshs, so Visual Lab as you know it was born. It was Adam Juma XXL, Kizi, Taty and myself. We tried our best with very little knowledge about business and it wasn’t a great success, so I decided to go to Mzumbe University (so did Taty) and joined the same programme (BSc Information and Communication Technology Management), from which we graduated in 2007.

How did I end up in InfoSec?

After graduating from uni, I joined Barclays Bank Tanzania as an Application Support Analyst, which covered user support, server support, deployment, etc. This was a good opportunity given that I had never worked in a corporate environment, so I learned a lot in terms of the working culture and how to behave as a wage-earning adult. This was a huge change given that my working experience had all been as a developer (working on my own or with a group of friends, with no boss and no clearly defined job roles – funny times, late nights and no social responsibility). The only times I had a boss prior to joining Barclays were when I worked at the University of Dar es Salaam computing centre (during the high school summer break), and in my last semester at university, where I was supposed to intern at a corporate company but instead chose to go and work for a startup, CESAI, as a web developer (I got paid too, which was funny).

So after working for 3 months in application support (July – October 2007), the then country information security manager (Irene Rwelamira) was to be promoted to country head of information risk, so there was a vacancy. I took the opportunity and was mentored by Irene for another six months before I officially became Country Security Manager. So that is roughly how my InfoSec career started (there is a difference between Cyber Security and InfoSecurity, the latter being the big brother of the former). I have now been in the field for about 12 years, filling different roles as Security Manager and Security Consultant, working for prestigious companies such as Barclays Bank, National Microfinance Bank – NMB (part of Rabobank – Netherlands), InfoAssurax (my own startup), NCC Group (UK) and NTT Security UK (part of NTT Group).

It has been a thrilling and ever-learning journey. I have managed to learn a lot during the past few years, moved to a new country, travelled the world, seen nice countries such as South Africa, Kenya, Uganda, Canada, Belgium, the Netherlands, the U.A.E., Scotland, Wales, England and Germany, and learned new cultures.

Over the years I have managed to get a few security certifications (the only way to prove you know something, at least 10% as a basis). The following are current and expired certificates (it doesn’t matter if the certificate has expired, so long as your knowledge stays current):

Payment Card Industry Qualified Security Assessor (PCI QSA) – 2013 – Present
SABSA Security Architect (SCF) -2016
CREST Technical Security Architect (TSA) -2017
CREST Registered Penetration Tester – 2014 (Expired)
Certified Information Security Manager (CISM) – 2011
ISO 27001 Lead Auditor – 2018
ISO 27001 Implementation – 2011
PCI-DSS Implementation – 2011
Prince2 Foundation – 2012
Ethical Ninja I & II – April 2012
Microsoft Azure Cloud – Networking and Infrastructure- 2017
AWS Cloud Platform – Auditing AWS Environments for Security and Best Practices – 2017

** I had to retake the exam twice or sometimes three times to pass some of these exams. Nobody said it would be easy!

Formal Education

M.Sc. Information Security Management – 2009 – 2010 (University of Salford, UK)
B.Sc. Information and Communication Technology Management – 2003 – 2007 (Mzumbe University, Tanzania)