,
9 tweets,
2 min read
Read on Twitter
*Deep breath* So like, this is a great thread, and Rob’s commentary on why the higher layers of the OSI model aren’t what actually happened in reality is very accurate. However, I don’t quite agree on starting an OSI revolution *today* in college classrooms - here’s why... (1/n)
The dirty secret is ALL the models we use in cybersecurity are deeply flawed and rarely fully representational. The Kill Chain. Purdue Model. MITRE ATT&CK gets closer only because of massive verbosity. And we who teach and frequently refer to them all KNOW it. We still use them..
I run into developers *building security products*, regularly, who don’t know the OSI model at all. Therefore, we’re missing common verbiage, and that’s a Problem. Do I commonly refer to the presentation later? No, of course not. The higher layers of the model are quite flawed.
I refer to layers 1-4 all the time, however. They’re a simplified and fairly easy way to understand the obtuse and arcane way modern networks are kludged together. It’s really hard to convey the layers necessary to do proper monitoring and detection without that understanding.
For example, people not grasping TCP/IP well is why layer 2 attacks are a scary problem in our non-airgapped, heavily VLANed environments. It’s why we often treat IPv6 as a confusing problem we just ignore. It’s why we presume network issues are security incidents and vice versa.
Could we get rid of OSI and replace it with something more accurate? Probably. Would it be as simple and effective tool to teach and refer to network (dys)function? Maybe, maybe not. It *should* be pursued. It’s the same with the kill chain and the Purdue model...
There’s a lot of grumbling about how unrepresentative and inaccurate those models are, today. Yet security and networks are so complex and varied that really putting anything into a box ends up being a 40 page appendix. Which is a hard way to convey concepts to students or devs.
So, I would simply challenge anyone who suggests we throw out a teaching tool to recommend a reasonable and fleshed our plan to replace it with something that can be used effectively in its place - remembering that oversimplification can be necessary to teach concepts and define.
Anyway, read Rob’s whole thread because he’s absolutely correct about the problem and why we’re where we are today. Just consider the immense problem of teaching THE INTERNET, the Universe, and Everything to security and non-security people - and that someone has to tackle it.
