
Wednesday 21 February 2018

Consultant Bingo - A master class

I love a useless term to baffle the room as much as the next fellow, but watching a master in a meeting today:

STRIDE Model is Microsoft's security/threat classification model. I had to look it up and found another acronym. STRIDE is for threat modelling as part of risk management. Acronym for:
  1. Spoofing a server
  2. Tampering with a file
  3. Interlude: Scope and timing
  4. Repudiating an order
  5. Information Disclosure
  6. Denial of Service
  7. Elevation of Privilege
DREAD Model is pretty much the same thing as STRIDE.

CIS framework or MITRE framework - security frameworks for benchmarking. Closely related to the SOC (Security Operations Centre).

'RESPECT' for: "I evaluated my DTAP environments cross Federation services using the STRIDE model over the DREAD model because it is simpler.  Of course, all the cross-cutting concerns have been dealt with." 

Three Amigos - Backlog review: PO, SM and Team members get together to discuss design, dev and testing.

YAGNI is an XP principle, "You Ain't Gonna Need It", which basically means only write code for actual requirements, not for what you feel may be needed later on.

Pareto Rule - roughly 80% of consequences come from 20% of the causes, or 80% of outputs come from 20% of inputs. So 80% of revenue may come from 20% of your clients. Also referred to as the 80-20 rule; the 90-10 rule is the same principle. Pareto analysis: 80% of a project's benefits can be achieved by doing the right 20% of the work.

Ringelmann Effect - individual members become less effective as the size of the group grows. I opt for small, focused teams even for large programmes, as more people do not equal more technology delivery.

A hockey stick pattern is a chart pattern that shows a rapid increase after a period of relative stability. For example, pizza sales might drastically increase when a pandemic strikes, as people no longer go out to eat and tend to order more delivery pizza.

GIGO - Garbage In, Garbage Out. Same idea as FIFO or LIFO.

WSJF (Weighted Shortest Job First) is used in the Scaled Agile Framework (SAFe) for prioritizing tasks. It is pronounced "Wiz-jiff". I'm not a fan of this technique.

The CIA Triad - Confidentiality, Integrity and Availability of data.

OMGA (Owner, Member, Guest user, Application Users) is a security structure used to control access.

6 hats / Six Hat Thinking - helps with creative thinking within groups making decisions.

Proactive Hunt - the SOC tries to imagine scenarios/hypothetical situations and uses captured data to verify whether there are security risks. I have only ever heard this term at Microsoft.

Useful Glossary:

Architecture Review Board (ARB) - functions as the governance body ensuring IT projects/programmes align with the business's IT architecture, and that IT initiatives align with the company's IT goals.
Change Advisory Board (CAB) - board of members that evaluates changes and the associated risks to the business. Has a strong technology influence but is not only technical. Sometimes CABs in companies are IT-focused, dealing with IT change requests, and are more like an ARB.
ExCo (Executive Committee) - collection of decision makers, mainly board members/higher-ups, who make strategic decisions.
MSSP (Managed Security Service Provider) - people, process and technology to protect your business. An outsourced service that manages and monitors enterprise security. Includes IAM, cloud security, app security, data security and network security. Includes MXDR - core monitoring.
Kill Chain - the steps that trace the stages of an attack, from the early reconnaissance stages to the exfiltration of data.
SOC (Security Operations Centre) - normally the CoE/security team within a business.
PAM (Privileged Access Management) - CyberArk and Azure offer PAM, which allows temporary, recorded privilege escalation for users, preferably on dedicated admin accounts.
Enterprise Architecture - one level up from solution architecture. The main frameworks are TOGAF (I am 9.1 certified), the Zachman framework and the Federal Enterprise Architecture Framework (FEAF), also referred to as FEA. I have used ArchiMate for modelling within the TOGAF framework to describe the architecture of a government department; it's okay.

Open Source Software Licencing for dummies/me:
1. Public Domain Licence: No restrictions, go for it.
The following are permissive licences, from most open to most restricted:
2.1 MIT Licence: A common permissive (open to use) licence. Simple to understand: anyone can reuse and modify the code, but the creator is not liable for any future use. MIT is almost identical to the 2.2 BSD licence. Great, as you can freely use it, and I like to offer my code with MIT licencing.
2.3 GNU General Public Licence (GPL): nice open source licencing that you can reuse or modify, but your work must be open source and available to all. If you use GPL you must make the source code available, and anyone can use your derivative.
2.4 Apache and Apache 2: also permissive, but more protective than the MIT licence.
3. Copyleft: More restrictive; users can reuse, but any derivations are bound by the copyleft licence on the originals.
4. Proprietary: Most restricted, closed source; no change or redistribution is allowed.