Don’t underestimate the power of simple diagrams to shine light on a problem. They can show how something should have worked or where it was broken. As our information systems become more complicated, and the threats to them more complex, we need coping mechanisms to understand and communicate what is happening, especially when things go wrong. Reviewing security designs during or after an incident is often more difficult than it needs to be. Very often there is a lack of alignment between parts of the business concerning what should have happened and why it hasn’t. If someone can’t draw a diagram of what they are dealing with, I am never sure that they understand it themselves.
For me, diagrams express models of the situation and they can be simple or complex. We use hand-drawn diagrams in meetings and notes. Less frequently, we use tools to produce the images that appear in documents and presentations. On occasion, we are able to generate diagrams as part of a complex architecture (security or otherwise). Crucially, good diagrams will be as simple as they need to be for the job in hand. The acid test is whether they are useful to the people involved at the time at which they need them.
Good diagrams require investment. Diagramming has its own conventions that immediately orient the user; think of the indication of North, or a scale, on a map. In the cyber security business, there is an added complication because the picture of what can or has gone wrong needs to be overlaid on the view of how the system was intended to work.
Imagine you are in an unfamiliar city and are a little bit lost. You don’t speak the local language well and two locals are trying to help you get to your destination. One draws a map and the other writes a list of instructions. Which do you think will help the most?
The collaborative production of models, diagrams, and supporting text by diverse teams can overcome inherent difficulties in the exchange of ideas. There is evidence that this collaboration helps develop more trusting relationships within teams. It takes effort to bring design and security together by using similar types of models in co-operative working. Besides the diagrams showing how the system will work, teams should work together to draw alternative versions showing scenarios where the system is being attacked or misused. Diagramming well is a capability that should be core to those responsible for securing our information.
Diagrams needn’t be confined to technology. In complex, multi-layered systems that connect a broad range of users, it is often unclear who will be impacted, or indeed liable, in an incident. The breadth of possible users of a system in service, including the threat actors, is often matched by the diversity of the supply chain and the responsibilities of different commercial partners. Mapping out the players in different scenarios will provide an understanding of where things might go wrong. From a systems security viewpoint, this will identify potential weak spots. Thinking through the threats and user security journeys will result in simpler and more resilient designs because vulnerabilities are pre-empted.
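The two preceding paragraphs describe drawing the system as intended, then overlaying attack or misuse scenarios on the same picture and using it to spot weak points. The following is an added example of that idea expressed as a small "diagram as code" model; it is not part of the original essay. It assumes Graphviz DOT as the rendering target (pipe the output into `dot -Tpng`), and the components, trust zones and flows in `build_sample` are a constructed sample system, not a real deployment. The model renders one cluster per trust zone, marks every flow that crosses a trust boundary (where validation, authentication and monitoring belong), and, for a chosen compromised component, computes the blast radius and highlights it on the same diagram as the "attacked" variant the essay recommends drawing.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Component:
    name: str
    zone: str          # trust zone the component lives in (constructed sample names below)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str          # what is carried, e.g. "login form"
    protocol: str      # how it is carried, e.g. "HTTPS"


@dataclass
class Model:
    components: dict[str, Component] = field(default_factory=dict)
    flows: list[Flow] = field(default_factory=list)

    def add(self, name: str, zone: str) -> None:
        self.components[name] = Component(name, zone)

    def flow(self, src: str, dst: str, data: str, protocol: str) -> None:
        # A flow between undeclared components is a modelling error, so fail early.
        for n in (src, dst):
            if n not in self.components:
                raise KeyError(f"unknown component {n!r}; declare it before drawing a flow")
        self.flows.append(Flow(src, dst, data, protocol))

    def boundary_crossings(self) -> list[Flow]:
        """Flows whose endpoints sit in different trust zones: the places
        where input validation, authentication and monitoring belong."""
        return [f for f in self.flows
                if self.components[f.src].zone != self.components[f.dst].zone]

    def reachable_from(self, start: str) -> set[str]:
        """Components that receive data, directly or transitively, from
        `start`: the blast radius if `start` is compromised."""
        seen, todo = {start}, [start]
        while todo:
            cur = todo.pop()
            for f in self.flows:
                if f.src == cur and f.dst not in seen:
                    seen.add(f.dst)
                    todo.append(f.dst)
        return seen - {start}

    def to_dot(self, compromised: frozenset[str] = frozenset()) -> str:
        """Graphviz DOT: one cluster per trust zone, boundary crossings dashed red,
        compromised components filled red (the attack-scenario overlay)."""
        crossings = {(f.src, f.dst) for f in self.boundary_crossings()}
        lines = ["digraph model {", "  rankdir=LR;", "  node [shape=box];"]
        for zone in sorted({c.zone for c in self.components.values()}):
            lines += [f'  subgraph "cluster_{zone}" {{', f'    label="{zone}";']
            for c in self.components.values():
                if c.zone == zone:
                    attrs = " [style=filled, fillcolor=red]" if c.name in compromised else ""
                    lines.append(f'    "{c.name}"{attrs};')
            lines.append("  }")
        for f in self.flows:
            attrs = [f'label="{f.data} / {f.protocol}"']
            if (f.src, f.dst) in crossings:
                attrs += ["color=red", "style=dashed"]
            lines.append(f'  "{f.src}" -> "{f.dst}" [{", ".join(attrs)}];')
        lines.append("}")
        return "\n".join(lines)


def build_sample() -> Model:
    """Constructed sample system for illustration only (not a real deployment)."""
    m = Model()
    m.add("browser", "internet")
    m.add("web", "dmz")
    m.add("api", "internal")
    m.add("db", "internal")
    m.add("payments", "third_party")
    m.flow("browser", "web", "login form", "HTTPS")
    m.flow("web", "api", "session token", "HTTPS")
    m.flow("api", "db", "order records", "TLS/SQL")
    m.flow("api", "payments", "card tokens", "HTTPS")
    return m


if __name__ == "__main__":
    model = build_sample()
    # Intended design plus the "web server compromised" scenario on one picture.
    print(model.to_dot(compromised=frozenset({"web"})))
    print("# boundary crossings:", [(f.src, f.dst) for f in model.boundary_crossings()])
    print("# blast radius of web:", sorted(model.reachable_from("web")))
```

Because the model is plain data, the same source can produce the "as designed" diagram for the architecture review and the "under attack" variant for an incident or tabletop exercise, and the boundary-crossing list doubles as a checklist of where controls and monitoring should exist.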
By using and reusing common and agreed formats to share ideas, the representation of cyber security will become part of the design. This results in better and earlier integration of security concepts. This part is very much about shutting the stable door before the horse has bolted.
This shouldn’t be a one-off activity. The continuous development of attacks presents a significant departure from more mainstream design methods. Cyber security requires its own lifecycle. Attackers may develop, by trial and error, a sophisticated view of the workings of a system. New technology and the discovery of new or modified attacks render systems vulnerable in ways that may not, or could not, have been considered at project initiation. This supports the need to design the monitoring and control aspects that will be required when the system is in service, not only at the beginning of the project. A defensive, and defending, mindset is required to sustain security.
So, learn how to use diagrams when explaining how your systems work and are secured. Share these views with your wider team to make sure your systems are understood, because this will flush out weaknesses. Should something go wrong, and I think there is less risk of this for those who have prepared well, this skill will help you put things right faster and with less cost.