Writing the Truth: Five Difficulties

Bertolt Brecht

1935

Nowadays, anyone who wishes to combat lies and ignorance and to write the truth must overcome at least five difficulties. He must have the courage to write the truth when truth is everywhere opposed; the keenness to recognize it, although it is everywhere concealed; the skill to manipulate it as a weapon; the judgment to select those in whose hands it will be effective; and the cunning to spread the truth among such persons. These are formidable problems for writers living under Fascism, but they exist also for those writers who have fled or been exiled; they exist even for writers working in countries where civil liberty prevails.

1 The Courage to Write the Truth

It seems obvious that whoever writes should write the truth in the sense that he ought not to suppress or conceal truth or write something deliberately untrue. He ought not to cringe before the powerful, nor betray the weak. It is, of course, very hard not to cringe before the powerful, and it is highly advantageous to betray the weak. To displease the possessors means to become one of the dispossessed. To renounce payment for work may be the equivalent of giving up the work, and to decline fame when it is offered by the mighty may mean to decline it forever. This takes courage.

Times of extreme oppression are usually times when there is much talk about high and lofty matters. At such times it takes courage to write of low and ignoble matters such as food and shelter for workers; it takes courage when everyone else is ranting about the vital importance of sacrifice. When all sorts of honors are showered upon the peasants it takes courage to speak of machines and good stock feeds which would lighten their honorable labor. When every radio station is blaring that a man without knowledge or education is better than one who has studied, it takes courage to ask: better for whom? When all the talk is of perfect and imperfect races, it takes courage to ask whether it is not hunger and ignorance and war that produce deformities.

And it also takes courage to tell the truth about oneself, about one’s own defeat. Many of the persecuted lose their capacity for seeing their own mistakes. It seems to them that the persecution itself is the greatest injustice. The persecutors are wicked simply because they persecute; the persecuted suffer because of their goodness. But this goodness has been beaten, defeated, suppressed; it was therefore a weak goodness, a bad, indefensible, unreliable goodness. For it will not do to grant that goodness must be weak as rain must be wet. It takes courage to say that the good were defeated not because they were good, but because they were weak.

Naturally, in the struggle with falsehood we must write the truth, and this truth must not be a lofty and ambiguous generality. When it is said of someone, “He spoke the truth,” this implies that some people or many people or at least one person said something unlike the truth—a lie or a generality—but he spoke the truth, he said something practical, factual, undeniable, something to the point.

It takes little courage to mutter a general complaint, in a part of the world where complaining is still permitted, about the wickedness of the world and the triumph of barbarism, or to cry boldly that the victory of the human spirit is assured. There are many who pretend that cannons are aimed at them when in reality they are the target merely of opera glasses. They shout their generalized demands to a world of friends and harmless persons. They insist upon a generalized justice for which they have never done anything; they ask for generalized freedom and demand a share of the booty which they have long since enjoyed. They think that truth is only what sounds nice. If truth should prove to be something statistical, dry, or factual, something difficult to find and requiring study, they do not recognize it as truth; it does not intoxicate them. They possess only the external demeanor of truth-tellers. The trouble with them is: they do not know the truth.

2 The Keenness to Recognize the Truth

Since it is hard to write the truth because truth is everywhere suppressed, it seems to most people to be a question of character whether the truth is written or not written. They believe that courage alone suffices. They forget the second obstacle: the difficulty of finding the truth. It is impossible to assert that the truth is easily ascertained.

First of all we strike trouble in determining what truth is worth the telling. For example, before the eyes of the whole world one great civilized nation after the other falls into barbarism. Moreover, everyone knows that the domestic war which is being waged by the most ghastly methods can at any moment be converted into a foreign war which may well leave our continent a heap of ruins. This, undoubtedly, is one truth, but there are others. Thus, for example, it is not untrue that chairs have seats and that rain falls downward. Many poets write truths of this sort. They are like a painter adorning the walls of a sinking ship with a still life. Our first difficulty does not trouble them and their consciences are clear. Those in power cannot corrupt them, but neither are they disturbed by the cries of the oppressed; they go on painting. The senselessness of their behavior engenders in them a “profound” pessimism which they sell at good prices; yet such pessimism would be more fitting in one who observes these masters and their sales. At the same time it is not easy to realize that their truths are truths about chairs or rain; they usually sound like truths about important things. But on closer examination it is possible to see that they say merely: a chair is a chair; and: no one can prevent the rain from falling down.

They do not discover the truths that are worth writing about. On the other hand, there are some who deal only with the most urgent tasks, who embrace poverty and do not fear rulers, and who nevertheless cannot find the truth. These lack knowledge. They are full of ancient superstitions, with notorious prejudices that in bygone days were often put into beautiful words. The world is too complicated for them; they do not know the facts; they do not perceive relationships. In addition to temperament, knowledge, which can be acquired, and methods, which can be learned, are needed. What is necessary for all writers in this age of perplexity and lightning change is a knowledge of the materialistic dialectic of economy and history. This knowledge can be acquired from books and from practical instruction, if the necessary diligence is applied. Many truths can be discovered in simpler fashion, or at least portions of truths, or facts that lead to the discovery of truths. Method is good in all inquiry, but it is possible to make discoveries without using any method—indeed, even without inquiry. But by such a casual procedure one does not come to the kind of presentation of truth which will enable men to act on the basis of that presentation. People who merely record little facts are not able to arrange the things of the world so that they can be easily controlled. Yet truth has this function alone and no other. Such people cannot cope with the requirement that they write the truth.

If a person is ready to write the truth and able to recognize it, there remain three more difficulties.

3 The Skill to Manipulate the Truth as a Weapon

The truth must be spoken with a view to the results it will produce in the sphere of action. As a specimen of a truth from which no results, or the wrong ones, follow, we can cite the widespread view that bad conditions prevail in a number of countries as a result of barbarism. In this view, Fascism is a wave of barbarism which has descended upon some countries with the elemental force of a natural phenomenon.

According to this view, Fascism is a new, third power beside (and above) capitalism and socialism; not only the socialist movement but capitalism as well might have survived without the intervention of Fascism. And so on. This is, of course, a Fascist claim; to accede to it is a capitulation to Fascism. Fascism is a historic phase of capitalism; in this sense it is something new and at the same time old. In Fascist countries capitalism continues to exist, but only in the form of Fascism; and Fascism can be combated as capitalism alone, as the nakedest, most shameless, most oppressive, and most treacherous form of capitalism.

But how can anyone tell the truth about Fascism, unless he is willing to speak out against capitalism, which brings it forth? What will be the practical results of such truth?


Access Control, Authentication, and Public Key Infrastructure

Lesson 4

Access Control Policies, Standards, Procedures, and Guidelines

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.


Learning Objective and Key Concepts

Learning Objective

Develop an access control policy framework consisting of best practices for policies, standards, procedures, and guidelines to mitigate unauthorized access.

Key Concepts

Regulatory laws concerning unauthorized access

Organization-wide authorization and access policy

Access control and data classification policies


DISCOVER: CONCEPTS


Access Control Policy Framework

Identifies the importance of protecting assets and leading practices to achieve protection

Beneficial for documenting management understanding and commitment to asset protection


Access Control Policies

Explicitly state responsibilities and accountabilities for achieving the framework principles

Establish and embed management’s commitment

Authorize the expenditure of resources

Inform those who need to know

Provide later documents for consultation to verify achievement of objectives


Protecting the Infrastructure through Policies and Procedures


Access Control Procedures and Guidelines

Procedures:

Tell how to do something

Step-by-step means to accomplish a task

Become “knowledge” transfer


Access Control Procedures and Guidelines (Continued)

Guidelines:

Are generally accepted practices

Not mandatory

Allow implementation

May achieve objective through alternate means

Flexibility


Password Management Controls

Log accesses and monitor activities

Validation programs

Enforce password changes at reasonable intervals

Expiry policy to lock accounts after a period of nonuse


Most common and easiest form of access

To be effective: Requires the use of a secure channel through the network to transmit the encrypted password

Not very secure

WHY USE THEM??

Something you know

User friendly – People get the concept (like an ATM pin #)

Two factor authentication

– Combine passwords with a (smart card) token

– ATM card and PIN –improved protection

Easy to manage

Supported across IT platforms


Password Management Controls (Continued)

Audit logs to review for successful and failed attempts

Password policy

Privacy policy


Password Control Issues

Users:

Choose easy to guess passwords

Share passwords

Often forget passwords

Password vulnerable to hacker attacks


U.S. Compliance Laws for Organizations

Health Insurance Portability and Accountability Act (HIPAA)

Gramm-Leach-Bliley Act (GLBA)

Sarbanes-Oxley (SOX) Act


DISCOVER: PROCESS


Access Control Principles

Minimal privilege or exposure

Regular monitoring of access privileges

Need to know basis for allowing access

Physical, logical, and integrated access controls

Monitor logs and correlate events across systems


Layered Security and Defense-in-Depth Mechanisms

Need to Know

Physical

RBAC

MAC

Least

Privilege

Layered Security

Defense-in-Depth

Security

Firewalls

Intrusion Prevention System (IPS)/ Intrusion Detection System (IDS)

Operating System (OS)


Layered security arises from the desire to cover the shortcomings of each network component by combining components into a single, comprehensive strategy – the whole of which is greater than the sum of its parts

Defense-in-Depth:

Takes advantage of threat and exploitation delay by using rapid notification and response when attacks and disasters are underway, and delaying their effects

Uses multiple layers of complementary technologies

ON THE PERIMETER:

Firewalls may constitute layers 1 & 2 of protection

Intrusion prevention/detection may be at layer 3

virus scanners and content filtering constitute layer 4

Each technology and each layer complements the protection provided by the other technologies and layers to protect against external attacks and in the internal network to protect against internal attacks


Summary

Access policy framework

Access control policies, procedures, and guidelines

Password management controls and issues

Layered security


Access Control, Authentication, and Public Key Infrastructure

Lesson 3

Business Drivers for Access Controls


Learning Objective

Analyze how a data classification standard impacts an IT infrastructure’s access control requirements and implementation.


Key Concepts

Business requirements for asset protection

Privacy and privacy laws

Privacy regulations compliance

Access control implementation

Data classification


DISCOVER: CONCEPTS


Data or Information Assets

An intangible asset with no form or substance:

Paper records

Electronic media

Intellectual property stored in people's heads


Not every staff member or person requesting access to records has the need, requirement, or authority to receive the information or records

Minimizes unauthorized disclosure of sensitive information

Applies primarily to sensitive records

Need to Know


Must always be balanced with the need to share

Clear delegation of authority from the originator or staff member who originally applied the classification level

Sensitive information disclosed only to trusted individuals

Need to Know (Continued)


Refers to security of records and information not in electronic systems and applications

Access is regularly linked to functional responsibilities and not to position or grade

Security or background investigation required

Physical Security of Sensitive Information

Can/Should this information be shared?

Secure storage and limited access


DISCOVER: PROCESS


ISACA Model for Business Data Classification


In a hospital, for example, a data classification scheme would identify the sensitivity of every piece of data in the hospital, from the cafeteria menu to patient medical records.

Classified as Public

For use by defined category within job role

Sensitivity-Based Data Classification


United Nations Classification Levels: STRICTLY CONFIDENTIAL, CONFIDENTIAL, UNCLASSIFIED

United Nations Data Classification Scheme


Electronic Records

United Nations Electronic Data Classification


Data Destruction

Use appropriate secure destruction method for the media and format.

Do not put in trash bins.

Data awaiting destruction should be placed in lockable containers.

Strictly confidential and confidential data is destroyed in accordance with specific guidelines.


Data destroyed in accordance with administrative or operations retention schedule


Data Destruction (Continued)


Shredder/Degausser

Light office shredder/disintegrator

Electronic media

Portable devices

Portable devices


Data destroyed in accordance with administrative or operations retention schedule


Summary

Data or information assets

Need to know

ISACA business data classification

Data classification

Data destruction


Virtual Lab

Configuring Windows File System Permissions


If your educational institution included the Jones & Bartlett labs as part of the course curriculum, use this script to introduce the lab:

 

"In this lesson, you learned about the business drivers for access controls. Information has value, can be classified, and can be used competitively; therefore, it requires a well-thought-out access control implementation that furthers the goals of the organization.

 

In the lab for this lesson, you will continue to explore access controls within the Microsoft Windows environment. You will first design and implement a network folder structure based on a scenario provided in the lab. Next, you will create appropriate security groups to suit the requirements in the scenario and then apply the security groups to the folders you created."

3/30/2015


OPTIONAL SLIDES


09/23/10

(c) ITT Educational Services, Inc.


The Life Cycle of an Order


Defense:

Risk: Insecure Direct Object Reference

Use an automated tool for real-time attack.

Monitor parameter manipulation–hidden/static.

Establish baseline configuration.

Risk: Cross-Site Request Forgery

Use an automated tool for real-time attack.

Alert/respond to parameter manipulation.

Use known attack signatures.

Establish baseline/monitor resource changes.

Risk: Security Misconfiguration

Use an automated tool for real-time attack.

Inspect outbound responses.

Investigate application failures.


Accidental Dissemination of Electronic Information
