Writing the Truth: Five Difficulties
Bertolt Brecht
1935
Nowadays, anyone who wishes to combat lies and ignorance and to write the truth must overcome at least five difficulties. He must have the courage to write the truth when truth is everywhere opposed; the keenness to recognize it, although it is everywhere concealed; the skill to manipulate it as a weapon; the judgment to select those in whose hands it will be effective; and the cunning to spread the truth among such persons. These are formidable problems for writers living under Fascism, but they exist also for those writers who have fled or been exiled; they exist even for writers working in countries where civil liberty prevails.
1 The Courage to Write the Truth
It seems obvious that whoever writes should write the truth in the sense that he ought not to suppress or conceal truth or write something deliberately untrue. He ought not to cringe before the powerful, nor betray the weak. It is, of course, very hard not to cringe before the powerful, and it is highly advantageous to betray the weak. To displease the possessors means to become one of the dispossessed. To renounce payment for work may be the equivalent of giving up the work, and to decline fame when it is offered by the mighty may mean to decline it forever. This takes courage.
Times of extreme oppression are usually times when there is much talk about high and lofty matters. At such times it takes courage to write of low and ignoble matters such as food and shelter for workers; it takes courage when everyone else is ranting about the vital importance of sacrifice. When all sorts of honors are showered upon the peasants it takes courage to speak of machines and good stock feeds which would lighten their honorable labor. When every radio station is blaring that a man without knowledge or education is better than one who has studied, it takes courage to ask: better for whom? When all the talk is of perfect and imperfect races, it takes courage to ask whether it is not hunger and ignorance and war that produce deformities.
And it also takes courage to tell the truth about oneself, about one’s own defeat. Many of the persecuted lose their capacity for seeing their own mistakes. It seems to them that the persecution itself is the greatest injustice. The persecutors are wicked simply because they persecute; the persecuted suffer because of their goodness. But this goodness has been beaten, defeated, suppressed; it was therefore a weak goodness, a bad, indefensible, unreliable goodness. For it will not do to grant that goodness must be weak as rain must be wet. It takes courage to say that the good were defeated not because they were good, but because they were weak.
Naturally, in the struggle with falsehood we must write the truth, and this truth must not be a lofty and ambiguous generality. When it is said of someone, “He spoke the truth,” this implies that some people or many people or at least one person said something unlike the truth—a lie or a generality—but he spoke the truth, he said something practical, factual, undeniable, something to the point.
It takes little courage to mutter a general complaint, in a part of the world where complaining is still permitted, about the wickedness of the world and the triumph of barbarism, or to cry boldly that the victory of the human spirit is assured. There are many who pretend that cannons are aimed at them when in reality they are the target merely of opera glasses. They shout their generalized demands to a world of friends and harmless persons. They insist upon a generalized justice for which they have never done anything; they ask for generalized freedom and demand a share of the booty which they have long since enjoyed. They think that truth is only what sounds nice. If truth should prove to be something statistical, dry, or factual, something difficult to find and requiring study, they do not recognize it as truth; it does not intoxicate them. They possess only the external demeanor of truth-tellers. The trouble with them is: they do not know the truth.
2 The Keenness to Recognize the Truth
Since it is hard to write the truth because truth is everywhere suppressed, it seems to most people to be a question of character whether the truth is written or not written. They believe that courage alone suffices. They forget the second obstacle: the difficulty of finding the truth. It is impossible to assert that the truth is easily ascertained.
First of all we strike trouble in determining what truth is worth the telling. For example, before the eyes of the whole world one great civilized nation after the other falls into barbarism. Moreover, everyone knows that the domestic war which is being waged by the most ghastly methods can at any moment be converted into a foreign war which may well leave our continent a heap of ruins. This, undoubtedly, is one truth, but there are others. Thus, for example, it is not untrue that chairs have seats and that rain falls downward. Many poets write truths of this sort. They are like a painter adorning the walls of a sinking ship with a still life. Our first difficulty does not trouble them and their consciences are clear. Those in power cannot corrupt them, but neither are they disturbed by the cries of the oppressed; they go on painting. The senselessness of their behavior engenders in them a “profound” pessimism which they sell at good prices; yet such pessimism would be more fitting in one who observes these masters and their sales. At the same time it is not easy to realize that their truths are truths about chairs or rain; they usually sound like truths about important things. But on closer examination it is possible to see that they say merely: a chair is a chair; and: no one can prevent the rain from falling down.
They do not discover the truths that are worth writing about. On the other hand, there are some who deal only with the most urgent tasks, who embrace poverty and do not fear rulers, and who nevertheless cannot find the truth. These lack knowledge. They are full of ancient superstitions, with notorious prejudices that in bygone days were often put into beautiful words. The world is too complicated for them; they do not know the facts; they do not perceive relationships. In addition to temperament, knowledge, which can be acquired, and methods, which can be learned, are needed. What is necessary for all writers in this age of perplexity and lightning change is a knowledge of the materialistic dialectic of economy and history. This knowledge can be acquired from books and from practical instruction, if the necessary diligence is applied. Many truths can be discovered in simpler fashion, or at least portions of truths, or facts that lead to the discovery of truths. Method is good in all inquiry, but it is possible to make discoveries without using any method—indeed, even without inquiry. But by such a casual procedure one does not come to the kind of presentation of truth which will enable men to act on the basis of that presentation. People who merely record little facts are not able to arrange the things of the world so that they can be easily controlled. Yet truth has this function alone and no other. Such people cannot cope with the requirement that they write the truth.
If a person is ready to write the truth and able to recognize it, there remain three more difficulties.
3 The Skill to Manipulate the Truth as a Weapon
The truth must be spoken with a view to the results it will produce in the sphere of action. As a specimen of a truth from which no results, or the wrong ones, follow, we can cite the widespread view that bad conditions prevail in a number of countries as a result of barbarism. In this view, Fascism is a wave of barbarism which has descended upon some countries with the elemental force of a natural phenomenon.
According to this view, Fascism is a new, third power beside (and above) capitalism and socialism; not only the socialist movement but capitalism as well might have survived without the intervention of Fascism. And so on. This is, of course, a Fascist claim; to accede to it is a capitulation to Fascism. Fascism is a historic phase of capitalism; in this sense it is something new and at the same time old. In Fascist countries capitalism continues to exist, but only in the form of Fascism; and Fascism can be combated as capitalism alone, as the nakedest, most shameless, most oppressive, and most treacherous form of capitalism.
But how can anyone tell the truth about Fascism, unless he is willing to speak out against capitalism, which brings it forth? What will be the practical results of such truth?
Access Control, Authentication, and Public Key Infrastructure
Lesson 4
Access Control Policies, Standards, Procedures, and Guidelines
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Learning Objective and Key Concepts
Learning Objective
Develop an access control policy framework consisting of best practices for policies, standards, procedures, and guidelines to mitigate unauthorized access.
Key Concepts
Regulatory laws concerning unauthorized access
Organization-wide authorization and access policy
Access control and data classification policies
DISCOVER: CONCEPTS
Access Control Policy Framework
Identifies the importance of protecting assets and leading practices to achieve protection
Beneficial for documenting management understanding and commitment to asset protection
Access Control Policies
Explicitly state responsibilities and accountabilities for achieving the framework principles
Establish and embed management’s commitment
Authorize the expenditure of resources
Inform those who need to know
Provide later documents for consultation to verify achievement of objectives
Protecting the Infrastructure through Policies and Procedures
Access Control Procedures and Guidelines
Procedures:
Tell how to do something
Step-by-step means to accomplish a task
Become “knowledge” transfer
Access Control Procedures and Guidelines (Continued)
Guidelines:
Are generally accepted practices
Not mandatory
Allow implementation
May achieve objective through alternate means
Flexibility
Password Management Controls
Log accesses and monitor activities
Validation programs
Enforce password changes at reasonable intervals
Expiry policy to lock accounts after a period of nonuse
Most common and easiest form of access
To be effective: Requires the use of a secure channel through the network to transmit the encrypted password
Not very secure
WHY USE THEM??
Something you know
User friendly – People get the concept (like an ATM PIN)
Two-factor authentication
– Combine passwords with a (smart card) token
– ATM card and PIN – improved protection
Easy to manage
Supported across IT platforms
Password Management Controls (Continued)
Audit logs to review for successful and failed attempts
Password policy
Privacy policy
Password Control Issues
Users:
Choose easy to guess passwords
Share passwords
Often forget passwords
Password vulnerable to hacker attacks
U.S. Compliance Laws for Organizations
Health Insurance Portability and Accountability Act (HIPAA)
Gramm-Leach-Bliley Act (GLBA)
Sarbanes-Oxley (SOX) Act
DISCOVER: PROCESS
Access Control Principles
Minimal privilege or exposure
Regular monitoring of access privileges
Need to know basis for allowing access
Physical, logical, and integrated access controls
Monitor logs and correlate events across systems
Layered Security and Defense-in-Depth Mechanisms
Need to Know
Physical
RBAC
MAC
Least Privilege
Layered Security
Defense-in-Depth
Security
Firewalls
Intrusion Prevention System (IPS)/Intrusion Detection System (IDS)
Operating System (OS)
Layered security arises from the desire to cover the shortcomings of each network component by combining components into a single, comprehensive strategy – the whole of which is greater than the sum of its parts
Defense-in-Depth:
Takes advantage of threat and exploitation delay by using rapid notification and response when attacks and disasters are underway, and delaying their effects
Uses multiple layers of complementary technologies
ON THE PERIMETER:
Firewalls may constitute layers 1 & 2 of protection
Intrusion prevention/detection may be at layer 3
Virus scanners and content filtering constitute layer 4
Each technology and each layer complements the protection provided by the other technologies and layers to protect against external attacks and in the internal network to protect against internal attacks
Summary
Access policy framework
Access control policies, procedures, and guidelines
Password management controls and issues
Layered security
Access Control, Authentication, and Public Key Infrastructure
Lesson 3
Business Drivers for Access Controls
Learning Objective
Analyze how a data classification standard impacts an IT infrastructure’s access control requirements and implementation.
Key Concepts
Business requirements for asset protection
Privacy and privacy laws
Privacy regulations compliance
Access control implementation
Data classification
DISCOVER: CONCEPTS
Data or Information Assets
An intangible asset with no form or substance:
Paper records
Electronic media
Intellectual property stored in people's heads
Need to Know
Not every staff member or person requesting access to records has the need, requirement, or authority to receive the information or records
Minimizes unauthorized disclosure of sensitive information
Applies primarily to sensitive records
Need to Know (Continued)
Must always be balanced with the need to share
Clear delegation of authority from the originator or staff member who originally applied the classification level
Sensitive information disclosed only to trusted individuals
Physical Security of Sensitive Information
Refers to security of records and information not in electronic systems and applications
Access is regularly linked to functional responsibilities and not to position or grade
Security or background investigation required
Can/Should this information be shared?
Secure storage and limited access
DISCOVER: PROCESS
ISACA Model for Business Data Classification
Sensitivity-Based Data Classification
In a hospital, for example, a data classification scheme would identify the sensitivity of every piece of data in the hospital, from the cafeteria menu to patient medical records.
Classified as Public
For use by defined category within job role
United Nations Data Classification Scheme
United Nations Classification Levels: STRICTLY CONFIDENTIAL, CONFIDENTIAL, UNCLASSIFIED
United Nations Electronic Data Classification
Electronic Records
Data Destruction
Use appropriate secure destruction method for the media and format.
Do not put in trash bins.
Data awaiting destruction should be placed in lockable containers.
Strictly confidential and confidential data is destroyed in accordance with specific guidelines.
Data destroyed in accordance with administrative or operations retention schedule
Data Destruction (Continued)
Shredder/Degausser
Light office shredder/disintegrator
Electronic media
Portable devices
Portable devices
Summary
Data or information assets
Need to know
ISACA business data classification
Data classification
Data destruction
Virtual Lab
Configuring Windows File System Permissions
If your educational institution included the Jones & Bartlett labs as part of the course curriculum, use this script to introduce the lab:
"In this lesson, you learned about the business drivers for access controls. Information has value, can be classified, and can be used competitively; therefore, it requires a well-thought-out access control implementation that furthers the goals of the organization.
In the lab for this lesson, you will continue to explore access controls within the Microsoft Windows environment. You will first design and implement a network folder structure based on a scenario provided in the lab. Next, you will create appropriate security groups to suit the requirements in the scenario and then apply the security groups to the folders you created."
OPTIONAL SLIDES
The Life Cycle of an Order
Defense:
Risk: Insecure Direct Object Reference
Use an automated tool for real-time attack.
Monitor parameter manipulation–hidden/static.
Establish baseline configuration.
Risk: Cross-Site Request Forgery
Use an automated tool for real-time attack.
Alert/respond to parameter manipulation.
Use known attack signatures.
Establish baseline/monitor resource changes.
Risk: Security Misconfiguration
Use an automated tool for real-time attack.
Inspect outbound responses.
Investigate application failures.
Accidental Dissemination of Electronic Information