
Exploring Information Security

Securing the Future - A Journey into Cybersecurity Exploration

Created by ChatGPT

How to Participate in a CTF: A Beginner’s Guide to Capture The Flag Competitions

February 25, 2025

Generated by ChatGPT, with some light editing, from a conversation recorded live on the podcast with Corelight. The live recording is available on YouTube.

Why Should You Participate in a CTF?

CTFs provide an interactive way to develop technical skills, enhance problem-solving abilities, and gain practical security knowledge. Here’s why you should consider joining one:

  • Hands-on Learning – Apply security concepts in a real-world setting.

  • Team Collaboration – Work with others to solve complex problems.

  • Networking Opportunities – Connect with industry experts and fellow security enthusiasts.

  • Skill Validation – Test your knowledge against different challenge levels.

  • Fun and Competitive – Experience the thrill of hacking in a safe and controlled environment.

Getting Started with CTFs

Choose the Right CTF

If you’re new, start with beginner-friendly CTFs, such as:

  • OverTheWire: Bandit (for Linux basics)

  • PicoCTF (a beginner-friendly CTF created by Carnegie Mellon University)

  • Hack The Box (provides a variety of cybersecurity challenges)

For more advanced competitions, check CTFTime.org, which tracks global CTF events.

Learn Essential Tools

Familiarize yourself with tools commonly used in CTF challenges:

  • Wireshark – For network traffic analysis.

  • Burp Suite or OWASP ZAP – For web security testing.

  • Zeek – Open-source network monitoring.

  • John the Ripper – For password cracking.

  • Ghidra or IDA – For reverse engineering binaries.

Understand Common CTF Categories

  • Cryptography – Solving encrypted messages and ciphers.

  • Web Exploitation – Identifying vulnerabilities in web applications.

  • Forensics – Investigating and analyzing system data.

  • Reverse Engineering – Understanding how compiled programs work.

  • Binary Exploitation – Discovering and exploiting vulnerabilities in executable files.

Practice, Practice, Practice

CTFs require a mix of technical knowledge, creativity, and persistence. Some great platforms to practice include:

  • TryHackMe

  • Hack The Box

  • OverTheWire

  • CTFTime.org

  • SANS Holiday Hack Challenge (for past challenges and write-ups)

Join a Team or Community

Many CTFs allow team participation, which can be a great way to learn from experienced players. Joining security communities, such as local security meetups, Discord groups, or Defcon groups, can help expand your knowledge.

Avoiding Common Mistakes

  • Overthinking – Many CTF challenges have simple solutions. Read questions carefully before diving deep.

  • Not Taking Breaks – If you get stuck, step away for a few minutes and return with a fresh perspective.

  • Skipping Documentation – Reviewing a tool's documentation helps you understand how to use it effectively.

Conclusion

Participating in a CTF is one of the most effective ways to learn cybersecurity hands-on, improve your problem-solving skills, and engage with a vibrant cybersecurity community. Whether you’re competing for fun, skill-building, or career advancement, CTFs offer an exciting way to test your knowledge and push your limits.

By choosing the right challenges, using the appropriate tools, and learning from others, you’ll develop a strong cybersecurity foundation that will benefit you in your career.

In Advice, Experiences. Tags: CTF, Capture The Flag, Podcast, Corelight

Created by ChatGPT

Exploring TEMPEST: Hacking the Future of Space Security

February 19, 2025

This blog post is based on a podcast I recorded with Tim Fowler back in January. I’ve used ChatGPT to take the episode transcript and turn it into a blog that I have reviewed and edited. Check out the episode: https://www.exploresec.com/eis/219

The Rise of Space Cybersecurity

Cybersecurity has long been a critical focus in terrestrial technology, but as the space industry continues to expand, the need for security in orbit has never been more urgent. One person leading this charge is Tim Fowler, the creator of TEMPEST, a 1U CubeSat educational project designed to bring hands-on security training into the realm of space systems.

In a recent Exploring Information Security podcast episode, I sat down with Fowler to discuss TEMPEST, its impact on cybersecurity education, and why space security needs a shift in focus.

Why Space Security Matters

The rapid expansion of satellite technology means that more devices than ever before are being launched into space—often without robust security measures. Fowler highlighted that traditional approaches to securing IT systems don’t always translate well to space-based infrastructure.

Some of the key concerns include:

  • Unsecured Communication Links – Space systems often rely on unencrypted signals, making them susceptible to interception.

  • Satellite Hijacking – Attackers could take control of a satellite’s operations and disrupt services or use it for malicious activities.

  • Supply Chain Vulnerabilities – Many CubeSats are built from commercial off-the-shelf components, which can introduce security risks.

TEMPEST allows students and professionals to experience these risks firsthand in a controlled environment, making it an essential tool for training the next generation of space cybersecurity experts.

What is TEMPEST?

TEMPEST—an acronym for Tim’s Endeavor into Manically Producing Educational Space Technologies—is a modular, intentionally vulnerable CubeSat that provides cybersecurity professionals, students, and researchers with a hands-on way to test and hack satellite systems.

Fowler, an expert in space cybersecurity, launched the project to address a major gap in the industry: most CubeSat kits focus on functionality, but none include security as a fundamental component. TEMPEST is designed to fill that void by allowing users to simulate attacks, build defenses, and understand real-world space security challenges.

A Hands-On Approach to Learning

TEMPEST was designed to be modular and hackable. Fowler structured the CubeSat with intentionally built-in security flaws to simulate real-world attack scenarios. Users can explore:

  • Radio frequency (RF) security and satellite communications.

  • Embedded system vulnerabilities within the CubeSat’s flight computer.

  • Software-defined radios (SDRs) for signal interception and manipulation.

  • Security hardening techniques to counteract common attack vectors.

The first generation of TEMPEST hardware debuted at Wild West Hacking Fest in 2024, where attendees were able to test, break, and improve upon the system in real time. Fowler also runs training sessions where participants assemble and experiment with the CubeSat, learning about space security hands-on.

The Accidental Broadcast Storm

One of the most entertaining moments Fowler shared was an unexpected security lesson during a training session. When a room full of students powered up their TEMPEST CubeSats simultaneously, the devices inadvertently started talking to each other, creating a self-replicating “broadcast storm.”

This unintentional experiment highlighted a crucial lesson in satellite security: small design choices can have major consequences. Even unintended interactions between satellites can create denial-of-service conditions or unexpected network behaviors, reinforcing the importance of secure communication protocols in space systems.

What’s Next for TEMPEST?

While TEMPEST is currently only available through Fowler’s space cybersecurity training courses, plans are underway to release a public version that allows more people to engage with the project.

Upcoming developments include:

  • A new defensive security course focused on satellite protection strategies.

  • Open-source release of older TEMPEST versions, allowing users to build their own CubeSats.

  • Expanded training opportunities at major security conferences in 2025.

Where to Learn More

If you’re interested in learning about space cybersecurity and hacking CubeSats, TEMPEST offers a unique and invaluable resource. Keep an eye out for future training sessions and updates by following:

🌐 EthosLabs.space – Fowler’s main site for TEMPEST training and updates.
🎙️ Exploring Information Security Podcast – Listen to the full episode for an in-depth discussion on TEMPEST.

Final Thoughts

Space cybersecurity is one of the most exciting frontiers in infosec, and projects like TEMPEST are helping shape the future. By providing a hands-on, educational platform for space security, TEMPEST ensures that the next generation of security professionals is ready to defend our critical space infrastructure. 🚀

What are your thoughts on space cybersecurity? Let’s discuss in the comments!

In Experiences, Technology. Tags: Ethos Labs, TEMPEST, Hacking Space, Space, Space Cybersecurity

Image created by ChatGPT

Inside ShowMeCon: Community, Education, and Security with Dave Chronister

February 18, 2025

Blog post generated by ChatGPT and reviewed and edited by me.

Cybersecurity conferences have become essential hubs for professionals looking to expand their knowledge, connect with industry leaders, and gain hands-on experience in emerging security trends. Among these, ShowMeCon stands out as a premier security event that blends corporate professionalism with hacker culture. Recently, on the Exploring Information Security podcast, I sat down with ShowMeCon founder Dave Chronister and organizer Brooke Deneen to discuss what makes this conference unique and what attendees can expect in 2025.

The Origin and Vision of ShowMeCon

ShowMeCon was founded with a clear mission: to provide high-quality security education in an engaging, community-driven environment. Unlike traditional conferences that often feel like corporate networking events, ShowMeCon fosters an atmosphere where security researchers, IT professionals, and ethical hackers can exchange knowledge in a collaborative setting.

During the podcast, Dave Chronister shared the story behind ShowMeCon’s inception, emphasizing the importance of bridging the gap between technical expertise and real-world security applications. By creating a space where attendees can both learn and engage with top security minds, the conference has grown into a must-attend event for security professionals.

What Sets ShowMeCon Apart?

One of the defining aspects of ShowMeCon is its ability to strike a balance between corporate and hacker culture. As Brooke Deneen explained, the conference offers a professional yet welcoming environment that caters to both seasoned professionals and newcomers to the field.

Key Features That Make ShowMeCon Unique:

  • Immersive Venue: Hosted at the Ameristar Casino in St. Louis, the setting provides a comfortable yet dynamic backdrop for networking and learning.

  • Engaging Speakers: The event prioritizes bringing in experts who are not only knowledgeable but also passionate and approachable.

  • Hands-On Learning: ShowMeCon features training sessions, Capture The Flag (CTF) competitions, and lockpicking villages, offering attendees the chance to apply their skills in real-world scenarios.

  • Expanding Reach: The ShowMeCon team is exploring ways to expand the conference to new cities like Nashville, ensuring more professionals have access to top-tier security education.

Highlights of ShowMeCon 2025

The upcoming 2025 edition of ShowMeCon is set to be bigger and better, with new elements designed to enhance the attendee experience. Some of the highlights include:

  • The Return of Pre-Conference Training: Attendees can participate in deep-dive workshops led by industry experts.

  • Exciting Themed Experiences: This year’s event will feature a Fallout theme, adding a creative twist to the conference experience.

  • Stronger Community Building: Encouraging new speakers and first-time attendees to engage and contribute to the security conversation.

Why You Should Attend ShowMeCon

If you're looking for a conference that goes beyond lectures and sales pitches, ShowMeCon is for you. Whether you're an IT administrator, security analyst, penetration tester, or student, this event offers valuable insights and opportunities to:

✔️ Learn from industry experts in a practical and engaging environment.
✔️ Network with peers and leaders who share a passion for security.
✔️ Gain hands-on experience through CTFs, training sessions, and interactive villages.
✔️ Explore new security trends that will shape the industry in the coming years.

Final Thoughts

ShowMeCon continues to grow as a hub for cybersecurity professionals. With its community-driven approach, diverse speaker lineup, and immersive experiences, it’s clear why this event has become a staple in the cybersecurity world.

🚀 Want to attend? Visit showmecon.com to learn more and register for the 2025 event.

🎙️ Listen to the full conversation on the Exploring Information Security podcast and you may just hear the discount code to save $50 on tickets or training: Podcast Website

See you at ShowMeCon 2025! 🔐🔥

In Opinion, Experiences. Tags: ShowMeCon, Security Conference

Beware of Fake Job Offers in the 2025 job market

January 17, 2025

In today's job market, the allure of remote work has become increasingly enticing. However, companies have started to shift away from remote work post-pandemic and are requiring more in-person or hybrid work from employees. Combine that with the downsizing companies are going through at this time, and job scams are going to pop up on a more regular basis. Recently, I got the above text from a “recruiter.”

While this might seem like a great opportunity, it’s a scam. A job offer does not typically come over text, nor does it happen without an interview. This is a path to having your personal or financial information stolen, or to being drawn into the scam ecosystem as a money mule.

The Scam: Too Good to Be True

The scam typically begins with an unsolicited message from an individual claiming to be "Emily," a customer service agent at Bonanza. The message outlines an attractive remote position with the following promises:

  • High Earnings: Potential to earn between $50 to $500 per day, with a base salary of $1,000 for every four days worked.

  • Flexible Hours: Commitment of just 60 to 90 minutes per day.

  • Comprehensive Benefits: Offers include paid annual leave, maternity and paternity leave, and other legal holidays.

  • Minimal Effort: Assurances of free training and a guaranteed paid probation period.

Recipients are encouraged to respond to a provided phone number to seize this "opportunity."

Red Flags in the Offer

While the proposition may appear appealing, several indicators suggest it's a scam:

  • Unsolicited Contact: Legitimate companies seldom extend job offers without prior interaction or application. Receiving such a message without prior engagement is suspicious.

  • Free Email Account: This text was sent from a Gmail account, which anyone can create for free.

  • Exaggerated Earnings and Benefits: Promises of substantial income for minimal work are classic red flags. Genuine employers provide realistic compensation aligned with industry standards.

  • Vague Job Description: The lack of specific details about job responsibilities, using ambiguous phrases like "helping merchants update data," is a common tactic to obscure the scam's true nature.

  • Urgency to Respond: Scammers often create a sense of urgency to prevent thorough consideration. Pressuring immediate action is a tactic to catch victims off-guard.

  • Unprofessional Communication: Errors in grammar, informal language, or inconsistencies in the message are telltale signs of fraudulent communication.

  • Request for Contact via Personal Number: Legitimate companies typically use official communication channels. Requests to contact personal numbers are uncommon and suspicious.

What Happens If You Respond?

Engaging with the scammer can lead to several detrimental outcomes:

  • Phishing for Personal Information: Scammers may request sensitive data, such as Social Security numbers or banking details, under the guise of processing employment paperwork.

  • Upfront Payments: Requests for fees covering "training" or "equipment," with promises of reimbursement, are common. Once paid, these funds are unrecoverable.

  • Identity Theft: Shared personal information can be exploited for identity theft, leading to financial and legal complications.

  • No Real Job: After extracting money or information, the scammer disappears, leaving the victim without employment and at a loss.

  • Become a Money Mule: A money mule is someone who transfers or moves illegally acquired money on behalf of others, often unknowingly.

Protecting Yourself from Job Scams

To shield yourself from such fraudulent schemes, consider the following precautions:

  • Research the Company: Visit the official website and verify job postings. Authentic opportunities are listed on company websites or reputable job boards.

  • Verify the Contact: Ensure that communications come from official company channels. Be wary of contacts using personal email addresses or phone numbers.

  • Be Skeptical of Extravagant Claims: If an offer seems too good to be true, it warrants skepticism. Legitimate jobs have clear expectations and reasonable compensation.

  • Never Pay to Work: Authentic employers do not require upfront payments for any reason.

  • Report Suspicious Offers: Report potential scams to the Federal Trade Commission (FTC) at ReportFraud.ftc.gov and to the platform where the offer was encountered.

Conclusion

Scammers continually adapt their tactics to exploit the evolving job market and technological landscape. By staying informed and vigilant, you can protect yourself from falling victim to such schemes. Always verify the legitimacy of job offers and remain cautious of unsolicited communications. Remember, if something feels amiss, it's worth investigating further. Stay safe and informed in your job search and digital interactions.

In Advice, Experiences. Tags: Smishing, Social Engineering, Scams

Created by ChatGPT

Whiskey with a Cause: An Inside Look at ILF’s Barrel Pick Adventure

November 14, 2024

The auction for some fabulous whiskey is live at Unicorn Auctions until November 21, 2024. Proceeds go to the Innocent Lives Foundation.

You can view the live recording at the ExploreSec YouTube Channel. The audio version of the podcast will hit the podcast feed soon.

At Exploring Information Security, we’re passionate about all things cybersecurity, community, and—every now and then—a great bourbon adventure. In April 2024, I had the chance to join a unique charity experience: a barrel pick trip with the Innocent Lives Foundation (ILF). It was a memorable journey that not only deepened my appreciation for bourbon but also highlighted how a shared passion can turn into a powerful force for good.

The Origins of the ILF Barrel Pick Club

The ILF Barrel Pick Club started with a simple idea: what if they could combine a love for whiskey with a mission to protect children? A few conversations later, this idea grew into a fully-fledged project, allowing whiskey enthusiasts to purchase exclusive barrels with all proceeds supporting ILF’s mission of identifying predators and protecting children. The club's purpose is to create a community where each sip makes a difference. However, getting to that first barrel wasn’t straightforward; with whiskey’s growing popularity, acquiring a quality barrel often requires invites, lotteries, and long waitlists.

An Exclusive Tour of Legendary Distilleries

Our journey led us to Louisville, Kentucky, where we visited some of the country’s most iconic distilleries, including Four Roses and the lesser-known gem Starlight Distillery. These aren’t just whiskey manufacturers—they are stewards of tradition, science, and innovation, each offering distinct qualities that make them unique.

At Four Roses, we were taken behind the scenes and introduced to their precise process, from single-story rickhouses to unique yeast strains. We learned that each barrel tells a story; the location, temperature, and aging process impart distinct flavors and profiles. Four Roses, renowned for its transparent labeling, even indicates barrel location details down to the warehouse tier and barrel direction.

Across the river, we discovered Starlight Distillery, a family-owned operation with a 200-year history in farming and a more recent venture into bourbon-making. Known for experimenting with unique finishes like Mizunara oak (a notoriously tricky Japanese wood), Starlight introduced us to a whole new world of flavors and finishes. It’s a place as much for bourbon as for families, complete with a fun park and farm tours.

Crafting the Perfect Barrel Pick

Picking a barrel is a blend of art and science—and more challenging than one might expect. With guidance from our hosts, we tasted everything from rich caramel to floral and smoky notes. A well-rounded tasting experience involves layers of flavor and aroma that evolve with each sip. This nuanced approach is essential when selecting barrels for auction because our picks aren’t just about finding what tastes good—they have to resonate with the community of experienced drinkers while supporting ILF’s mission.

At each stop, we were welcomed with enthusiasm, kindness, and yes, lots of whiskey. Starlight even donated a bottle of their premium Mizunara cask-aged bourbon to support the ILF auction. The generosity of these distilleries reflects their alignment with ILF’s purpose. It was humbling to see how eager they were to support a mission that matters deeply to us.

Bidding on a Purpose: The ILF Whiskey Auction

The highlight of this journey is the ILF auction, hosted by Unicorn Auctions. Unicorn Auctions has gone above and beyond to support us by waiving all fees, ensuring that every dollar raised goes to ILF’s mission. The auction features exclusive bottles selected during our barrel pick trip, and each bottle represents a unique expression of craftsmanship and generosity.

These bottles aren’t just collectibles; they’re tokens of the ILF mission. Whether you’re an experienced bourbon enthusiast or a newcomer, bidding in the auction allows you to support ILF in a unique way. Proceeds from the auction directly fund ILF’s work in identifying and helping bring child predators to justice, one bottle at a time.

Memorable Moments and Tasting Notes

The trip was full of memorable (and hilarious) moments—like trying to keep our stomachs steady on bumpy Kentucky roads after too many tastings or debating flavor notes (shoutout to Chris for the “pine sol” descriptor!). The tasting process highlighted just how subjective and personal whiskey can be. The complexities of flavor brought out some spirited debates and even a few new friendships.

One of the favorites of the group was the Starlight Double Oak—a rich, complex bourbon with dark spice and caramel notes that had us all captivated. If you’re lucky enough to get your hands on a bottle, it’s worth savoring every sip. For those looking for a unique twist, the Starlight honey finish adds a hint of natural sweetness that’s both unusual and surprisingly smooth.

Raising a Glass to a Cause

At the end of the day, these bottles represent something bigger. Each auction, each barrel, and each sip brings us closer to funding ILF’s crucial work. As we continue to grow the Barrel Pick Club, we’re reminded of the power of community, generosity, and shared passion. This journey has shown us that even something as simple as whiskey can make a profound difference.

If you’re interested in supporting ILF or exploring our latest auction, visit Unicorn Auctions and place a bid. Let’s raise a glass to great bourbon, and an even greater cause.

Created with the help of ChatGPT; edited by Timothy De Block. This post was originally posted on exploresec.com.

In Experiences. Tags: ILF, Innocent Lives Foundation, Unicorn Auctions, Charity

Created using ChatGPT

Join Us on a Barrel-Picking Adventure with the Innocent Lives Foundation!

November 12, 2024

This week, Exploring Information Security is excited to bring you a unique live recording that steps outside the digital world and into the heart of Kentucky and Indiana distilleries. We’re partnering with the Innocent Lives Foundation (ILF) for a special episode, where we dive into the art and experience of barrel picking. Our adventure took us to two iconic locations—Four Roses and Starlight Distillery—where we set out to find exceptional barrels and create a meaningful connection between the worlds of whiskey and cyber awareness.

Why a Barrel-Picking Adventure?

While cybersecurity and barrel picking might seem worlds apart, this journey is about more than just tasting whiskey. It’s about discovering the unique stories, craftsmanship, and community that make each barrel something special. For this live recording, we’re blending our curiosity for great whiskey with our commitment to the Innocent Lives Foundation’s important mission: protecting children from online exploitation.

Our Trip to Four Roses and Starlight Distillery

Our barrel-picking journey began at Four Roses, known for its distinctive, rich flavor profiles, and continued to Starlight Distillery, where each barrel tells its own story. At each stop, we dove into the meticulous process of selecting barrels, learning how master distillers and their teams create diverse flavors and memorable experiences.

Each barrel pick wasn’t just about taste—it was a sensory experience that engaged sight, smell, and sound. We discovered how small variations in wood, weather, and aging environments can shape a barrel's character and flavor. Selecting a barrel that stood out from the rest required both intuition and collaboration—a bit like finding the right approach to solving cybersecurity challenges.

Behind the Scenes: The Art of Barrel Picking

So, how does one go about picking a barrel? It starts with identifying what makes each barrel unique. From the moment we began the tasting process, we immersed ourselves in a symphony of aromas, textures, and flavors that define each barrel’s character. Some barrels surprised us with unexpected hints of fruit or spice, while others stood out for their smooth, rich finish. These discoveries weren’t just thrilling—they were a reminder of the craftsmanship and care that goes into every bottle.

Memorable Moments and Incredible People

One of the highlights of this journey was meeting the people behind the barrels. We heard stories from master distillers, learned about family traditions that have been passed down for generations, and saw firsthand the dedication it takes to produce high-quality spirits. These connections deepened our appreciation for the process and made each tasting session more meaningful.

Connecting the Dots: How This Adventure Supports ILF’s Mission

While we tasted and shared stories, we kept the Innocent Lives Foundation’s mission at the heart of this journey. ILF is dedicated to protecting children from online predators by working behind the scenes to identify and support law enforcement in bringing these offenders to justice. Each barrel we picked represents a small way to support ILF’s efforts, as proceeds from the sales will go directly to support their work.

For us, this experience was about more than the whiskey—it was about using this adventure to make a difference.

If you’d like to grab your own bottle, head over to Unicorn Auctions!

Join Us Live!

Ready to dive into the world of barrel picking with us? Whether you’re a whiskey enthusiast, a cybersecurity pro, or a supporter of ILF’s mission, this episode promises to be packed with flavor, storytelling, and purpose.

🗓️ Tune in live around 6:30 PM ET on the ExploreSec YouTube channel: ExploreSec YouTube Channel. Join us for an unforgettable experience and discover the story behind each barrel we selected!

In Experiences. Tags: Whiskey, Innocent Lives Foundation, ILF, Charity

Image created by ChatGPT

How AI Has Impacted Our Lives in the Last Year

May 21, 2024

In the past year, the field of AI has seen significant advancements and a greater focus on regulatory and ethical considerations. At ColaSec we will be talking about AI for our May meetup. This will be a group discussion like we had last year. We wanted to revisit AI and how our views and uses of it have changed. We have a virtual option available for those that can’t make it in person.

To prepare for the discussion I wanted to put this blog post together reviewing AI and how it’s impacted our society over the last year. Ironically, this post was created with help from ChatGPT.

ChatGPT weighs in

  • Generative AI's Expansion: Generative AI technologies have experienced widespread adoption and development. Companies increasingly use these capabilities not just for enhancing existing products and services but also for innovating new business models (McKinsey & Company).

  • Ethics and Regulation: There has been a growing global movement towards regulating AI more stringently. For example, the European Union has been active in proposing comprehensive AI legislation, and the White House has introduced an executive order aimed at setting standards for AI development and deployment (MIT Technology Review) (Goodwin).

  • Technological Innovations: On the technical front, major advancements have been made in areas such as AI explainability, privacy, and safety. New tools have been developed to improve the transparency and accountability of AI models, such as watermarking technologies for identifying AI-generated content (Google DeepMind).

  • Application in Science and Healthcare: AI's application in scientific research and healthcare continues to grow, with new models enhancing our ability to design novel proteins and materials, potentially revolutionizing fields like drug discovery and environmental sustainability (Microsoft Cloud).

  • Public Discourse and Awareness: The public discourse around AI has matured, with more widespread discussions on the ethical implications, societal impacts, and long-term consequences of AI technologies. This includes concerns about AI-generated disinformation and the privacy implications of widespread surveillance technologies (CSIS) (Digital Watch Observatory).

  • Generative AI and Cybersecurity: AI technologies are playing an increasingly critical role in cybersecurity, automating tasks and enhancing threat detection and response capabilities. The dynamic nature of AI is likened to an arms race among companies, governments, and cybercriminals, emphasizing the need for vigilant cybersecurity practices (TechNewsWorld).

  • AI in Political Processes: The use of AI in political processes, such as elections, has become a significant concern. Issues like the generation and spread of political deepfakes are becoming more prevalent, complicating the political landscape and potentially influencing election outcomes. This underscores the urgent need for robust methods to detect and mitigate such AI-generated disinformation (MIT Technology Review) (AI Index) (Check Point).

  • Advancements in AI Applications: AI's capabilities continue to expand into more complex and nuanced areas, including multimodal interactions where AI systems can understand and generate outputs across text, image, video, and audio. This broadens AI's application in various fields but also raises concerns about privacy and the creation of synthetic content that can be difficult to distinguish from human-generated content (Tech Xplore).

  • Ethical Concerns and AI Bias: The integration of AI in sectors like finance, healthcare, and public services brings benefits such as increased efficiency and new capabilities. However, it also brings risks such as biases in AI algorithms, which can perpetuate existing inequalities. There is a growing emphasis on developing responsible AI practices to address these issues (AI Index).

These developments reflect a dynamic field that is not only advancing rapidly in terms of technology but also becoming increasingly intertwined with broader societal and regulatory frameworks.

Tim weighs in

  • Verizon DBIR: I recently read the latest Verizon DBIR and made a blog post about it. One of the takeaways was that AI hasn’t had a significant impact on attacks. It is helping with improving the efficiency of attacks, but it’s not an action in itself yet. This may change or it may not. Attackers use the path of least resistance. Setting up a scheme to attack people with deepfakes and voice impressions can be a bit more elaborate. Not to say that they aren’t out there. It’s just not as widespread.

  • Policy creation: One of the first things I did was create security policies for a small business. It took me just a few hours to create 10 security policies that the company was required to have. They were concise and easy to read. I hope that security teams are paying attention, as this will improve the quality of policies overall and make them much more consumable and easier to understand.

  • Building out ExploreSec.com: I’ve used AI to build out a large portion of this site. I’ve gotten a lot more done than I ever would have on my own. I can put up deep dives in less than an hour. I will go back and edit the initial output from ChatGPT. I’ve written a few blog posts with ChatGPT with varying results. I believe my better posts are going to be me and my stories and experiences. I did have one blog post get deleted accidentally after I wrote it. Instead of doing a full rewrite, I had ChatGPT write the article and I thought it came out very well. It’s been very useful for the podcast. I now use ChatGPT almost entirely to write my show notes. When I record I also transcribe the conversation. I then take that transcript and have AI build show notes. It’s been an enhancement for show notes and streamlines my post-editing process.

  • Creating Security Awareness Content: My new role is building out a security awareness program for a large healthcare organization. I’ve used ChatGPT to build out blog posts and create newsletter items. Smishing is my most recent blog post. Like building out content on the site, I have it create the first draft and then make adjustments from there. This allows me to easily create regular content for our internal communication site while also educating people on different security topics. I’ve also started releasing a monthly newsletter for phishing threat intelligence and security awareness. I take articles I find online and have either ChatGPT or Gemini write a short newsletter item. With Gemini and Co-Pilot I could take the link and just feed it that instead of having to scrape the data. I found Co-Pilot to have the best repeatable format. Eventually I ran out of a free trial and it wanted me to log in. It also got very uncomfortable when I was doing phishing research and it forced me off the topic. ChatGPT recently released 4o and it is now taking links and creating content out of them.

  • Scripting: I’ve found AI extremely useful for building out PowerShell scripts. One of the things I like to do in a new role is build out the metrics. This often means custom metrics that a platform doesn’t have reporting on. I’ve taken the raw data and created PowerShell scripts that massage the data into the metrics I want. The PowerShell created usually works the first time. If it doesn’t, then I simply feed the AI the error. They usually start out as a simple script and quickly get more complicated as I think of more use cases for the script. I will be posting these scripts on my GitHub at some point.

  • Research: I’ve been using AI to help do research on topics. I still find that Google is better for some things. AI is still several months behind on what it can provide, but it’s getting better. Like creating content, it’s a starting point for research. I’ve found in some of the topics I’ve explored in security it provides resources I’ve never heard of before, but it can also be susceptible to marketing content. I would expect this will get worse as marketing teams figure out how to get their content into AI as a top result, similar to how they figured out Google and other search platforms.

  • Image Generation: I’ve been extremely happy with the images generated by ChatGPT. I use it for blog posts where I can’t find images. Usually I feed it the content and ask it to make an accompanying image. I’ve also used it for my presentations when I can’t find a meme or visual that highlights the content. It’s not always great. It still struggles with words, but I’ve seen it get better. The same prompt will give different results. Sometimes there’s one thing I don’t like and I ask it to remove it and it’ll create a whole new image. I’ve messed around with Photoshop for a couple of images, but it usually ends up being more hassle than it’s worth. I just keep giving it prompts until I get something I want. Sometimes starting over and taking a different approach with the prompt is the best option.

  • Social Media: I’ve played around with AI for use on LinkedIn. Some of the posts it creates are cheesy. I primarily use it for podcast announcements. I need to play around with it more, but I’ve started to move away from it. I have found that the viewpoint for the prompt is big. It can get caught up creating words for a marketing team instead of someone who has an idea or wants to comment on a blog post. This makes sense, as I imagine marketing teams are using this to create social media posts on a more regular basis.

  • Presentations: This year I used AI to help build my abstract, bio, and outline for my presentation. I haven’t had it build my slide deck yet, but I’m toying around with it. The abstract and bio alone are huge for me as I’m not a great self-promoter. I was able to build out all three in 30 minutes. This used to take me several hours to put together. I also believe I’ve been accepted to speak more because of it.

I’ve found AI to be a valuable tool for content and scripting. It’s helped me build content for ExploreSec.com. It’s helped me improve my presentations both from a submission and content standpoint. I’m excited to get back into scripting to see what sorts of automation I can build for doing regular tasks like metrics. Looking ahead, I’m continuing to come up with use cases. My next project is to understand how to use voice AI from an attacker’s standpoint but also from a podcaster’s standpoint. There are some use cases that I think will enhance the podcast.

What are your thoughts on AI and how have you used it over the past year?

In Experiences Tags AI

Exploring the job market with my handy briefcase

Exploring the cybersecurity job market from late 2023 to early 2024

March 13, 2024

A job search is work

Below you will find several log entries from me as I recently went through a job search. I wanted to do this to highlight how things have changed and show that even for someone who has several years of experience it’s tough. I started my search around the end of November and had it end in early March. The holidays certainly slowed things down, but it still took a good three solid months. Getting hired at the end of a year is a rare thing because companies aren’t looking to add more to their books. Their focus is to close out the books and look as good as possible from a financial standpoint.

A lot more job postings went up at the beginning of the year and things seemed to pick up from a reach-out and interviewing perspective. The job I eventually accepted had their posting up in early December but didn’t start talking to me until the beginning of the year.

I cater my resume to the role and despite all that I still got A LOT of rejection letters. In fact, I just got another one yesterday. Prepare for baseball-type stats where it’s normal to bat .300 instead of .800. I did notice that it’s less likely a company will talk to you if you’re not in their city. Through my network I heard this quite a bit despite my willingness to relocate to certain parts of the country. Talking to some recruiters, it was certainly a weird market with a lot of companies wanting to be back in office, and with the layoffs last year it was harder to stand out.

Another factor is my background. I have a broad background and have successfully implemented programs in multiple disciplines. I have confidence I can adapt my skillset to any role. I’ve done it in just about every job I’ve had. Unfortunately, a lot of hiring managers are looking for a specific skillset and only that skillset. Recruiters are another layer where they often are just looking for keywords in a resume. I also found that AI was starting to play a part. I had a screening call that utilized AI. I tried to better understand how that worked on the backend but couldn’t find a lot of materials. I’d like to see how AI is impacting candidates, both positively and negatively.

Last year I took some time to reflect on what I really wanted to do and where my background and skillset could really be useful. I found that security awareness was something I’ve done at all my previous jobs and that there were companies hiring and paying well enough for the role. That’s where I focused my job search and that’s where I’ve ended up. I’m excited for what’s ahead. Below is my journey to that role.

Log

Entry 1: Willo and one-way video interviewing. This was an interesting experience because I was given a set of questions and asked to record my responses. I’ve never done this before and found it interesting. I had three minutes to record. I could save and continue or re-record. There was only one question I needed to re-record multiple times, either because I ran out of time or screwed up. I thought it was a great way to do a screening. I also loved that the screening involved behavioral questions, which I’m a big proponent of using.

Entry 2 (five days later): To this point I’ve applied to 16 roles: I’ve got one early-stage interview set up; I’ve had one one-way video screening; and two, “we think you’re a great candidate but we don’t want to talk to you.” Of the last two, I know one of them was due to pay, because they reposted and took out the top part of the salary range, and the other was probably my resume. The one early-stage interview I have is due to knowing someone at the company who put me in for a role, which is why I always recommend networking to find a job.

I haven’t had to do a job search where I submitted blindly to companies for over 10 years. This is an experiment for me. Is my resume just not up to snuff anymore, or is there some other factor? A couple of factors I’m keeping in mind are that it’s the end of the year, which means deadlines and goals. People outside of government work are usually pretty busy trying to wrap up the year, and so hiring takes a back seat. Financially, people aren’t looking to add budget to their team at the end of the year.

It’s also been a tougher job market with the economy being down. I’ve talked to recruiters and they say it’s been a slow, weird end of the year. There’s more competition for me in the job market, so I’ll get fewer looks or get looked over. I’m also being more picky about the opportunities I apply for because I feel like I know what I want to do. My experience can be an issue because it’s a little all over the place. The closest I came to niching was application security, but two years into that role I was promoted to manager over security engineers, pentesters, and application security.

Which brings me back to my resume. When I redid it over 10 years ago it was due to not getting callbacks. It ended up taking 15 months to find a new job. Redoing it to the current format increased my interview opportunities by 50%. My resume format may be dated. My theory is that my resume may work for hiring managers but not for recruiters or talent acquisition people because they’re not in the field. They’re looking for those specific words and probably something more eye-appealing. I’ve already started experimenting with different formats and I’ll provide the results here when it’s completed.

Entry 3 (Star Date -299052.05): The rejection emails have come in. I got two this morning and I expect more if I haven’t been reached out to by a recruiter. This means my resume is a problem and I need to work on that. I watched this talk from BSides San Francisco 2023 by Zach Strong on Hacking the Hiring Process. I think I need to simplify my resume and get it back down to under two pages. My master resume is currently at five pages. When I customize it to the job role it gets down to four pages, but I think I still need to cut that in half. For the next role that I’m interested in, I’ll have to be brutal with my cuts. For the last few I have added a new section called “Applicable Qualifications” or “Applicable Experience” to try and highlight what makes me a potential candidate. We’ll see if that helps.

Ultimately, networking is still the best way to get in front of the hiring manager. I’ve gotten in front of one. I had the interview and then haven’t heard from them in about a week. This is unfortunately typical and disappointing. I’ve had enough of these that the behavior doesn’t bother me as much anymore. I’ve probably eliminated myself, but it’d still be nice to be told that and given any feedback on what I’m lacking.

Entry 4 (some time later): More rejection letters have come in. I’ve gotten my resume down to two pages. I’m not sure the format is great but I like it and I’d like an organization that would want that kind of format. That’s me being naïve though and I’ll end up changing it. I want to make small tweaks just to see if I start getting more screening calls.

I did recently talk to someone else doing a job search and they said it was tough. They had read an article or something on Reddit where someone had applied to 500 jobs, got 20 callbacks, and got two offers. I think it highlights the current state of the job market. It’s tough, but I feel like I’m starting to see more posts go up as people start ramping up for 2024.

To be continued…

Entry 5 (later): I got the rejection email from the place that had me do a one-way interview. I noticed it mentioned AI in the email and now I’m curious what that actually means for the hiring process.

Ignyte AI is the tool that was used for the screening. Looking it up there’s not a lot of information on it other than marketing material. Definitely something to explore in the future. Here are some links I found on it.

https://www.ignyteai.com/

https://huntscanlon.com/recruiting-platform-ignyte-ai-launches/

Entry 6 (Happy New Year!): I got a screening call set up for a position I applied for a few weeks ago. Hiring slows down during the holiday pretty significantly. Either the talent acquisition people are out or the hiring people are out, or both. I’m hoping things pick up, though I expect I’ll continue to get rejection letters.

Entry 7 (busy): I’ve been focusing on getting podcast and blog posts produced and published, so this has gone by the wayside a little bit. The screening call and interview with the hiring manager went well. I am set up for another interview with a panel of people and then a decision will be made. I have gotten more rejection letters, but I also recorded and published a really interesting podcast with Erin Barry from Code Red Partners.

I learned a couple of things from the conversation. As I suspected, it’s a weird time to be looking for a job. Networking is still king, but there are also some really crappy things that organizations do. They’ll put up a posting just to see what the market is like. There are also people just looking for keyword searches and not getting anywhere near your resume. One of the key points she made was not getting down on yourself as part of the process. There are a lot of factors that go into an opening that we just don’t see.

As part of another recording session I had, the guest pointed out to me that my LinkedIn page needed some work. I followed their recommendation around adding a banner and cleaning some other stuff up. Today I got a call from a recruiter for a director of cybersecurity position in my area. Not sure it’s a great fit, but the resume is off and we’ll see if we ever hear anything back.

Entry 8 (end of January): I just had a final interview for the one position that has progressed significantly. I’m still in for another position where I started the conversation in early December, but it’s been very quiet. Talking with the hiring manager, it sounds like a lot of internal politics and a question about remote work. The position is unfortunately up north in a region that is off limits for my family. I am still looking at job postings and applying to the ones I find interesting. I have also reached out to a recruiter about one position but haven’t heard back from them.

I like the idea of reaching out to recruiters and feel I should have done it before, but I imagine some of them may not get back to me because they’re busy. I have seen encouraging signs for the market, though, with recruiters seeing more jobs being posted. There are also more people getting back into the job hunt, so I would expect it’s still a competitive market. The place of my final interview is local. I have an advantage there because the discussion around relocation won’t be necessary.

Entry 9 (beginning of February): Shortly after my final interview for one position, I had another one start with a screening. That has progressed to another panel interview that I’m still waiting to hear back on. I still have not heard anything from the one I had a final interview on. I’m okay with that because I’m still in process on a couple of other things and I continue to find security awareness positions being posted. It seems to be a position that a lot more companies are looking at, and that hopefully means I can land in one. I haven’t really talked about it here, but security awareness is where I want to head with my career. Several years ago it was an add-on to GRC or other roles. I did it as a passion project, but there was never the thought of it being a full-time gig. I’m happy to see this because I have the experience, knowledge, and desire to be successful in this discipline. It’s now just a matter of convincing someone else I’m right for the job.

I will say the waiting is a bit frustrating. Even if things are being lined up, a yes or no would be fine with me because it allows me to adjust, which is something I’ll talk about more in a future blog post. I did have some progression on the first position where I’ve had some conversations. That’s actually shifted to a discussion on being a contractor and would significantly help me with continuing down the self-employed path.

One other item I want to talk about is using AI to prepare for an interview. I took the job description and information I got from the recruiter and had ChatGPT create me some interview questions. I then wrote the questions on one side of a notecard and my answers on the other. Then I practiced the question and answering the question out loud. This is something I’ve always done for interviews, but AI helped me create the questions a lot more easily and made them applicable to the questions I get asked. I had a technical assessment on the panel interview. I suck at technical questions in interviews. I always overthink them. I didn’t do great, but the idea that came from that experience was to use AI to practice for the technical assessment in an interview.

Entry 10 (later that week): Got a call this morning about one job and my salary requirements. Also got an email about not moving forward in another interview process because of the competitive talent pool. I’ll address both below.

Salary requirements are always an interesting thing for me. I am not a person that is motivated by money. I’ve reached all my financial goals, and so I’m fine with the range I’m in now. I’ve been told I can go make 200k easily and have several peers that do. I don’t need that much money. The problem with telling people that, though, is that I get the sense they feel bad and then don’t give me the work I need to stay busy. So I’m in this weird balancing act of taking less money or making my requirements higher. I’m always willing to negotiate lower if it’s a position I’m interested in. I’m also very likely overthinking it.

It’s tough getting a notice that I won’t be moving on in a process or that another candidate was selected. I got no feedback other than it was a competitive pool of candidates, which I have no doubt there was. I was told salary was not a factor in the decision. This is the part where I need to remind myself that I may have interviewed well, but the decision could have been any number of factors out of my control. Someone may have been referred. There may have been an internal candidate preferred. The process may have not been set up to allow me to shine properly. It could have been any number of things. I would have still liked to get more feedback because I want to improve, but I’ve said the same thing to other candidates. I had multiple candidates and liked both, and one just edged out the other for whatever reason. The one thing I knew I could have been better on was the technical assessment. I have played around with AI a bit and I think it would be very useful for practice for a technical assessment. I will have a future blog post on the topic.

Entry 11 (last one): I did get a job offer the next week and I’ve started the onboarding process, which is why I haven’t updated this post until now. I start next Monday and this post will be up shortly after I start. The onboarding process has been good. I think a lot of organizations have embraced automations and using platforms to onboard people. This is a good thing and it seems like I’m getting a lot of the stuff I need lined up ahead of time. I’ve also got my first day orientation schedule which is nice to have and know ahead of time.

I’m excited for this opportunity. I’ll be focusing on security awareness for my career, which is a role that wasn’t around a few years ago. Organizations seem to be taking security awareness a lot more seriously instead of it being just a checkbox. I’ve been doing security awareness at organizations as a passion project for years, so it’s nice to have a role where I can just focus on that. I’ll be writing more about it in other blog posts and probably talking about it on the podcast. While I have a full-time job now, I do plan to continue producing content on this site.

In Experiences Tags hiring, interviewing, job search, job postings, AI

Security explorer heading into the security awareness field - Created by ChatGPT

Charting a New Course in Security Awareness at Acadia Healthcare

March 6, 2024

I have started a position as a Senior Specialist, Security Awareness and Training at Acadia Healthcare. I’m excited for this opportunity because it’s a role that’s only more recently started to get some traction. I’ve been doing security awareness activities at previous organizations as a part-time thing. I’m excited to get the opportunity to really focus on security awareness training. It’s something that has been seen as a checkbox for a lot of organizations. I think it can be more than that. I think it can help build a security culture and foster a security mindset at an organization, which results in a more secure organization.

I’ve been in a bit of a career transition the last 2-3 years. I’m not looking to get super technical. I’ve been in management and would probably be okay going back, but I don’t play the political game as well as others. Reflecting over these last few years, I discovered that I enjoyed educating others. It’s actually something I wanted to do since high school, but the only path I saw then was a high school teacher and I wasn’t really interested in leaving high school only to return shortly thereafter.

In the Navy I got the opportunity to go through instructor training and do some training while being an electronics technician. That led to me getting into the information technology field and eventually into security. At previous roles I’ve always either created content for distribution or presented internally. This past fall, I started looking for security awareness roles and found that several organizations were hiring for security awareness roles. This fit well with my desire to educate and where I was at in my career. I have a generalist background so I can speak to a variety of different fields within security.

I want to make security awareness interesting and impactful for an organization. Not just a checkbox. In my view I am here to foster and improve the security culture at the organization. To do that I’ll have to be creative and identify what engages people to think more about security. I’m excited for this challenge. I see people as the most complex systems in an organization.

I am going to continue to run Exploring Information Security (EIS) with a focus on security awareness. I believe this new role and EIS will complement each other well. Next week I am planning to post my job search log. As part of the job search I decided to put in entries documenting my progress and thoughts during the hiring process. I wanted to show others that the hiring process is stressful, even for someone with 22+ years of IT experience. It’s also changed significantly since I first got in the job market and I wanted to highlight some of those changes as well.

In Experiences Tags Career

ChatGPT V4 - Image by D koi

Leveraging AI to Ace Your Next Job Interview

February 29, 2024

In today's rapidly evolving job market, Artificial Intelligence (AI) has become more than just a buzzword—it's a tool that can provide a competitive edge in various aspects of life, including job hunting and interview preparation. As interviews become increasingly sophisticated, candidates are seeking innovative ways to prepare and stand out. I’ve recently gone through a few different interview processes and as part of that I leveraged AI to help do research and prepare for my interviews. Here's how AI can be your ally in acing your next job interview.

Understand the Role and Company

Before you even start preparing for the questions, it's crucial to have a deep understanding of the role you're applying for and the company behind it. AI-powered tools can analyze job descriptions, company websites, and news articles to provide a comprehensive overview of what the company values in its employees and what skills and experiences are critical for the role. This information can help tailor your interview responses to align with the company's culture and needs.

Personalized Practice Sessions

AI-driven interview preparation tools can simulate realistic interview scenarios tailored to the job you're applying for. These platforms use natural language processing to evaluate your answers, providing feedback on content, tone, clarity, and even body language in video-based practice sessions. This personalized feedback can help identify strengths to highlight and weaknesses to improve upon, making your preparation more focused and efficient.

I’ve taken the job description and my resume and put them into ChatGPT to help identify how my experience aligns with the role. I’ve also taken the job description and any other information about the interview I’ve been provided and asked ChatGPT to create practice questions. I then take those questions and practice saying out loud my responses. I found the interview questions to be pretty close to the real questions I got asked. The questions allowed me to think through how I would answer questions and lean on past experiences. While not an exact match it did afford me an opportunity to think through my experiences and apply those to similar questions.

If there is a technical aspect to the interview, AI can be used to prepare by getting quizzed on technical questions. Unfortunately, I didn’t think of this use case until after I had already gone through an interview that had technical questions in it. I struggled through those questions and did not move on. Had I prepared using AI, I would have been better prepared to answer those questions and had a better shot at moving on.

Enhancing Your Answers

AI doesn't just stop at practice; it can also help refine your answers. Tools like GPT (Generative Pre-trained Transformer) can suggest ways to structure your responses more effectively or creatively. Input your basic answer, and AI can enhance it, ensuring you communicate your thoughts coherently and compellingly. However, it's essential to keep your answers authentic to your experiences and voice; use AI as a tool for improvement, not a crutch. It’s also very important to say the responses out loud to understand how the responses will come off. Sometimes what’s in our head doesn’t sound as good when it’s said out loud.

Final Thoughts

As AI continues to transform the job market, its role in interview preparation is undeniable. By offering personalized feedback and enhancing responses, AI can be a valuable asset in your job search toolkit. However, it's important to remember that AI is a supplement, not a substitute, for genuine preparation. The goal is to use AI to enhance your authentic self, showcasing your skills, experiences, and personality in the best possible light.

Embrace AI as part of your interview preparation strategy, but keep the focus on your unique contributions and how you can add value to the company. With the right preparation and mindset, you can use AI not just to prepare for interviews but to excel in them.

This blog post created with the help of ChatGPT

In Experiences, Advice Tags Career, interviewing

The five stages of cybersecurity grief from Mathieu Gorge at the 2024 Palmetto Cybersecurity Summit

Impressions from the 2024 Palmetto Cybersecurity Summit

February 26, 2024

Last week I had the pleasure of attending the 2024 Palmetto Cybersecurity Summit in Columbia, SC. It was a great conference with a good venue and really great speakers. The keynote speakers brought really great insight, and of course the hot topic was artificial intelligence (AI). I’m hoping to attend again next year!

Prior to the conference I presented at ColaSec, which is a local cybersecurity user group that I helped start about 10 years ago. I gave my threat modeling talk that I presented at the conference the next day. I like using ColaSec as a first run for my talks because I get a lot of really great feedback to refine the talk. You can watch the talk on ColaSec’s YouTube page. I adjusted the acronyms section and made some other minor adjustments to make the talk flow better. That helped for the conference the next day because I realized I had 10 fewer minutes for my presentation due to a reading error.

What I’m really excited about for this year’s conference is doing a demo of a live threat modeling session. I have about 20-25 mins of content and then we get into the demo. I like it because I want people to get a feel for how a threat modeling session should flow. I am planning to switch up the demo for each talk so that each version is a little different.

One of the things I rate conferences on is the drinks and food. I’m happy to report that the conference got an A in both regards. They had tea, which is great because I’m not a coffee drinker, and the food was pretty good. Sometimes you go to a conference and the food is just meh or in a box. This was not the case for this conference. The other thing to call out is the chairs. Big comfy adjustable chairs. You could spend all day in those chairs.

The keynotes were really great. Mathieu Gorge talked about cybersecurity from a broader global level and the 5 Pillars of Security Framework. The picture above is the five stages of cybersecurity grief. William MacMillian was the former Chief Information Security Officer (CISO) at the Central Intelligence Agency (CIA) and he talked about his experience taking over there right before Solarwinds came out. He also talked about platform-centric vs best-in-breed and how a platform can provide simplicity to security teams that live in a world of complexity. Both provided some different perspectives and insights on the cybersecurity landscape and dropped some thought-provoking ideas.

The majority of talks I attended were around AI. Before I get to that though I also went to Michael Holcomb’s talk on industrial control systems (ICS/OT). He gave some really good insights but more impressive he put together free ICS/OT courses on YouTube for people looking to get into the ICS/OT space.

The second day was filled with talks on AI. That will be a thing throughout this year and potentially for the next 2-3 years. I love that it’s something new to learn. A lot of the conferences I’ve attended in the last few years haven’t really provided me with the opportunity of learning new things. A lot of the talks just confirmed my own ideas and thoughts around security topics. Nothing really challenged those ideas either. There is value in confirming my knowledge and experiences but I want to continue to learn. AI is that current topic.

Dr. Sybil Rosado talked about the social engineering aspects of AI. While she talked about some of the malicious uses of AI she was a big proponent of using AI and learning how to work with it. She’s a professor at Benedict College in Columbia, SC, and has seen students using it. She actually likes that it’s making the writing better. Dr. Donnie Wendt talked about deepfakes and how they’re playing a role in the world today. It’s super easy to use and get started with. My own thought is that deepfakes are a great way to improve a security awareness program simply by talking about it and showing some examples. Plus there are already attacks where someone is using AI to imitate a voice and ask for money to be sent. Finally, Tom Scott talked about managing your security program with AI. One nugget that really stuck with me was that AI does not remember your interaction in a new chat. To continue to train it you need to keep the same chat.

The conference was a really great start to the year for conferences. I learned some new things, got to meet some new people, and catch up with some people I haven’t seen in a while. I’d definitely recommend checking it out for next year. Talking to one of the organizers it sounds like it’s going to get even bigger.

In Experiences Tags AI, Security Conference, ICS/OT

Be a cybersecurity Kevin Bacon - Image created with the help of ChatGPT

How to become a Cybersecurity Kevin Bacon

February 21, 2024

The Six Degrees of Kevin Bacon proposes that anyone in the Hollywood film industry is linked to Kevin Bacon within six steps. I’ve somehow had the title applied to me by a few different people. A large part of that is the networking I’ve done in the industry. I’ve hung out and talked to a lot of people. I don’t know everyone in the industry, but I have met people for the first time and we’ve known similar people. In this post I want to cover the networking that may have put me in the same breath as Mr. Bacon.

My gamer tag is Jeditimmy

Attend Conferences

My very first conference when I got into security was BSides Charleston in 2013. I went down with a buddy to the conference and met a few people. One of those people that stood out was Evan Davison, who goes by the hacker name Pentestfail. He gave a great talk on defense in-depth (this is the same talk at an ISSA local chapter). Evan and I would cross paths multiple times over the next 10 years. We would volunteer and get to know each other at BSides Augusta and the Social Engineering Village at DEF CON.

It’s not just about attending conferences, it’s about getting involved and interacting with people. That could be meeting and talking to people, participating in capture the flag competitions, volunteering, or speaking. If you’re nervous about meeting people, volunteering is a great way to meet and interact with people.

At one point I was going to 8-10 conferences a year. Most conferences were one-day events within a five-hour driving distance, so it was only a day or two. Still, that’s a lot and it’s not something I’d necessarily recommend, as I did get burned out and decided to tone back the conference attendance to three in 2019. There was also the cost. My company didn’t always cover travel. I got maybe one a year. The rest was on my dime, but I will say it was worth it for the connections I was able to build within the community.

Going to events allows for shared learning and job opportunities. I’ve learned a lot from just talking to people in the hallway at conferences. It’s a safe space for sharing interesting stories that you wouldn’t hear otherwise. If you’re the type that has a hard time starting a conversation, ask questions. People love talking about themselves and sharing their insights into the industry. I’ve had entire conversations with people who never asked a question or knew my name but I knew a ton about them and got some really great security stories.

Volunteer at events

When I first started attending conferences I would volunteer. This forced me to meet people and as a bonus got me a free ticket into the conference. To get away from registration or door duty I started asking organizers if I could bring my camera and shoot pictures for them at the conference. This was great because I got to be more mobile and allowed me to meet and talk to a variety of people at the conference.

This also opened the door for invitations to work other conferences where my travel expenses were covered. If you have an interest see if it fits into helping out with a conference. I know several people volunteer just to do video for a conference. I’ve also seen people contribute by providing a quilt that was auctioned off. Find something you feel can contribute to the conference. Working the registration desk is also fine.

Volunteering helped me get a really great job in Nashville, TN. I had been traveling to BSides Nashville since its inception. There was an opening at a company one of the organizers was working at. I didn’t know that organizer really well, but when they were asked about me for the position they responded that I showed up and did my job. Not necessarily a glowing endorsement, but it helps, and you never know who you’re going to interact with while volunteering.

Attend Local User Groups

Local user groups are great if you’re looking to network within your own city. If there’s not one, I’d recommend starting one up. It’s definitely a lot of work but very rewarding. When people ask me my greatest accomplishment I often will tell them it’s starting a local user group in Columbia, South Carolina, that has 20-25 regular attendees. That’s massive for a local user group, by the way. If you need guidance on starting a local user group, there are a couple of podcasts for that.

How to Start a Successful CitySec Meetup - Part 1

How to Start a Successful CitySec Meetup - Part 2

Starting the local user group allowed me to meet a lot of people in town. You never know if you’ll meet your future employer or someone that starts their own company. I had both those experiences starting a user group. The first was switching to a different state department after meeting the South Carolina state CISO at a meetup and going to lunch with him.

The other is meeting Andrew Morris, who is the founder of GreyNoise, a company that’s starting to make waves in the cybersecurity community. I met him at a conference called Trends in 2015 where he told me about his idea for the company. I’ve had him on the podcast a couple of times to talk about being a pentester.

Start a blog or podcast

Speaking of podcasts, most people don’t know that I had a podcast prior to my security podcasts. I ran The Crawfish Boxes (TCB) podcast for the Houston Astros fan site on SB Nation. I gained some notoriety with the Houston Astros organization due to that podcast and the blogging I did for TCB. It’s amazing how much more accessible people become when you offer to interview them. I have a big leaguer or two in my cell phone and at one point had two baseball General Managers following me on Twitter.

I took the lessons and experience from covering baseball and brought it into the infosec community and it has really helped my career. I’ve gotten to meet and talk to a lot of great people in the field on my podcast. I’ve had a lot of success just reaching out and asking people if they’d be interested in talking about a topic they’re presenting on or have blogged about. There are people who never responded or responded and then stopped responding but more often than not I can get an interview set up with them.

One of the hardest things getting started is imposter syndrome, “Why would people want to listen or read me?” “Someone else is already doing what I would want to do.” I had those same thoughts but went ahead because I have my own unique perspective to offer. It’s still nerve-racking but the longer I did it the more I realized I have something to offer to the community. I love having a conversation with people and learning more about what they know. Which made podcasting a great fit.

Blogging, on the other hand, is the one I’ve struggled with. I was never good in English class and if I had concerns about podcasting and what people thought my writing is on a much higher level of imposter syndrome. But blogging isn’t about perfect English, it’s about sharing a unique viewpoint. English and grammar help but it’s more about the idea and finding my voice. Plus, the more I do it my writing is bound to improve, right? Right? AI is something I’m leveraging as an assistant. It’s not always great but it can help.

Summary

To be a Kevin Bacon you gotta get out there. Attend conferences and local user groups. You’ll get to meet a lot of really great people. If you struggle with talking to people, volunteer. It can force you to meet people and show your willingness to contribute to the community. Start a blog or podcast or vlog. Putting yourself out there can help you grow as a professional and open up doors. If blogging or podcasting aren’t your thing, that’s okay. Identify what you’re interested in and see how that can fit into the community. There are a lot of ways to contribute. Contributing to an open source project or participating in a capture the flag event can do similar things for your career. Find ways to get involved.

In Experiences, Advice Tags Kevin Bacon, Networking, security conferences, local user group, citysec

This way to BSides Nashville - From BSides Nashville 2016.

Threat Modeling at BSides Nashville 2024

February 20, 2024

I’m excited to announce that I will be speaking at BSides Nashville May 11, 2024. I will be presenting my threat modeling talk, which I’ve been blogging about the past couple of weeks. I’ll link the blog posts to the talk and pictures for past BSides events below. I’ve been going to BSides Nashville since it started in 2014. The first few years I attended I lived in Columbia, SC, which meant a seven-hour drive to attend the conference. In 2016 I moved to Nashville and now consider it my home BSides conference.

It’s a really great event with a lot of great speakers and a great spot. It’s also Nashville, so getting into some fun (or trouble) is right around the corner. Prior to the pandemic they used to sell out 300 tickets very quickly. Post-pandemic they’ve struggled to get back to those numbers, but so has every other local user group and conference. I’m expecting this year to be a big year for conference attendance, not only for myself but the community. I believe people are ready to get back out there. More importantly, the job market is in flux and a lot of people are looking for jobs. The best way to do that is to get out and network with people at local user groups and conferences. If you’re planning to attend, reach out and we can meet in person!

Threat modeling blog posts:

  • Why Threat Modeling is Important

  • What is Threat Modeling?

  • Basics of Threat Modeling

  • Methodologies and Approaches for Threat Modeling

  • Threat Modeling Risk Management

BSides Nashville Pictures:

BSides Nashville 2014

Bsides Nashville, TN, May 17, 2014.

BSides Nashville 2015

BSides Nashville, TN, April 11, 2015.

BSides Nashville 2016

BSides Nashville, TN, April 16, 2016

BSides Nashville 2017

Nashville, TN, April 22, 2017

BSides Nashville 2018

Nashville, TN, April 14, 2018

BSides Nashville 2019

Nashville, TN, April 13, 2019

In Experiences, Media Tags Threat Modeling, BSides Nashville

Exploring tools and resources for threat modeling - Created with the help of ChatGPT

Tools and resources for effective Threat Modeling

February 19, 2024

My presentation for this year is Threat Modeling. My first stop is the 2024 Palmetto Cybersecurity Summit Feb 21-22, 2024, in Columbia SC. I’ll also be speaking at BSides Nashville May 11, 2024, and ShowMeCon May 13-14, 2024.

Getting Started

We’re going back to kindergarten people! We’ll get to draw shapes and lines and use different colored markers! To get started all one needs is a whiteboard and markers. Building out a diagram is the first step. As I mentioned in the Basics of Threat Modeling blog post having one prepared prior to the session will help expedite the process. Unfortunately, if there isn’t an existing diagram one will have to be done during the session. Adam Shostack has a description of the symbols and elements to use in a threat model on his GitHub page. They’re very simple and that’s the intention because threat modeling an application or process can get very complex.

Adam Shostack - DFD3 - https://github.com/adamshostack/DFD3

If the session is virtual and not in person, the same principles apply. All popular video conferencing tools have a whiteboard feature that can be used for threat modeling. There are third-party options as well, including:

  • Microsoft Whiteboard (Usually free with corporate account)

  • Microsoft Visio (License required)

  • Microsoft Threat Modeling Tool (Free)

  • OWASP Threat Dragon (Free)

  • Draw.io (Free)

  • Miro (Free version)

  • Lucidchart (Free version)

  • MURAL (Free version)

  • Whimsical (Free version)

The tools I’ve had experience with are Microsoft’s Whiteboard, Visio, and Threat Modeling Tool. Visio and the Threat Modeling Tool get into a lot of detail and can feel complex if you’re just getting started. The more important thing is learning the methodology and approach to threat modeling. Threat Dragon has a lot more simplicity. It is open-source, so it doesn’t have all the bells and whistles of other tools. It can take a little time to get used to. I’ve seen developers create diagrams with Draw.IO. It’s simple and easy to use, but be mindful that if they build it on a third-party website they may be putting internal organization information on the internet. I have not used Miro, Lucidchart, MURAL, or Whimsical, but they look similar to Draw.IO. Leave a comment below with your favorite whiteboarding tool.

Automated threat modeling tools

I have only used Microsoft Threat Modeling Tool and OWASP Threat Dragon for automating parts of the threat model process. Microsoft’s Threat Modeling Tool gets very granular and tries to be exhaustive on attack scenarios. If you like digging into a lot of details it can be a very useful tool. OWASP Threat Dragon is a much lighter version of that, which is why I used it a lot more. For me, I wanted the group to come up with their own attack scenarios because it allowed them to exercise their security muscles and build a stronger security mindset. This impacts the other areas of their day-to-day work. As they’re working they’ll be thinking about security.

There are other commercial and open-source tools that promise one-click threat modeling. I have not had an opportunity to use them. Here are some popular ones I found:

  • IriusRisk

  • Threat Modeler

  • SecuriCAD

  • SD Elements

If you have used one of these or another leave a comment below.

Educational Resources

The book I always recommend is Threat Modeling: Designing for Security by Adam Shostack. It is “THE” book on threat modeling. What I love about the book is that after the first chapter it says to just start threat modeling. It’s more of a companion book for learning and maturing the threat modeling program.

OWASP is another resource for threat modeling. They have an entire project on everything you need to know about Threat Modeling. The OWASP Cheat Sheet is also a great place to start and a good reference point while maturing the threat modeling practice. Finally, an exhaustive list of threat modeling resources can be found at Awesome Threat Modeling on GitHub.

Leave a comment below with resources or tools you recommend. If you’re interested in seeing a version of this talk check out the ColaSec Meetup page as I will be presenting on threat modeling at the February 20th, 2024, meetup. A virtual option for attending is available.

In Technology, Experiences, Advice Tags threat modeling, presentation

Explore threat modeling risk management - Created with help from ChatGPT

Threat modeling risk management

February 15, 2024

My presentation for this year is Threat Modeling. My first stop is the 2024 Palmetto Cybersecurity Summit Feb 21-22, 2024, in Columbia SC. I’ll also be speaking at BSides Nashville May 11, 2024, and ShowMeCon May 13-14, 2024.

In this post I want to talk about rating and prioritizing the discovered threats from a threat modeling session. We’ll get into the different methodologies and talk about some of the nuances of them.

Methodologies for Risk Management

Created with help from ChatGPT

DREAD

DREAD, an acronym for Damage, Reproducibility, Exploitability, Affected users, and Discoverability, is a risk assessment model used to prioritize threats. Although its use has declined due to its subjective nature and lack of business context alignment, some organizations may still find it useful for quick, high-level risk assessments.

This is what I use for threat modeling. If you read Adam Shostack’s book, he calls it obsolete and recommends the SDL Bug Bar. The reason is that the different categories can be a bit ambiguous and lack granularity and context. I think it’s great for getting started and keeps threat modeling simple. As threat modeling matures there may be a need to mature the risk management and switch to something that provides more scalability.

Using DREAD we would rate each threat in each of the five categories on a 1-3 scale. This allowed for prioritizing low, medium, and high. The final number will help prioritize the discovered threats for follow-up. Again, when dealing with other groups it’s important to keep the bar to entry low. As the program matures and people get a better idea of threat modeling, advancing to something a bit more technical can be useful.
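Here is what that scoring looks like when written down. This is an added example, not code from the blog: the threat descriptions are adapted from the STRIDE examples elsewhere on this page, the individual 1-3 scores are constructed for illustration (in a real session they come from the people in the room), and the low/medium/high cut-offs are an assumed banding of the 5-15 total, since the post does not give one.

```python
"""DREAD scoring on a 1-3 scale with low/medium/high prioritization.

Added example, not the blog's own code. Scores and bands are constructed.
"""
from dataclasses import dataclass

# The five DREAD categories, each rated 1 (low), 2 (medium) or 3 (high).
CATEGORIES = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")

# Assumed bands for the 5..15 total. The post gives no cut-offs, so this is a
# constructed choice a team would agree on before the first session.
BANDS = ((12, "high"), (8, "medium"), (5, "low"))


@dataclass(frozen=True)
class Threat:
    name: str
    scores: dict  # category -> 1, 2 or 3


def dread_total(scores: dict) -> int:
    """Sum the five scores after checking the set is complete and in range."""
    missing = set(CATEGORIES) - set(scores)
    if missing:
        raise ValueError(f"missing DREAD categories: {sorted(missing)}")
    for cat in CATEGORIES:
        if scores[cat] not in (1, 2, 3):
            raise ValueError(f"{cat} must be 1, 2 or 3, got {scores[cat]!r}")
    return sum(scores[cat] for cat in CATEGORIES)


def priority(total: int) -> str:
    """Map a DREAD total onto the assumed low/medium/high band."""
    for floor, label in BANDS:
        if total >= floor:
            return label
    raise ValueError(f"total {total} is below the minimum DREAD score of 5")


def prioritize(threats):
    """Return (name, total, priority) rows, highest total first.

    sorted() is stable, so threats with equal totals keep their input order.
    """
    rows = []
    for t in threats:
        total = dread_total(t.scores)
        rows.append((t.name, total, priority(total)))
    return sorted(rows, key=lambda row: -row[1])


# Constructed session output: descriptions adapted from this page's STRIDE
# examples, scores invented for illustration, deliberately out of order.
SESSION_THREATS = [
    Threat("Provider uses a colleague's unlocked session",
           dict(damage=2, reproducibility=3, exploitability=3,
                affected_users=1, discoverability=2)),
    Threat("User denies sending a message",
           dict(damage=1, reproducibility=1, exploitability=2,
                affected_users=1, discoverability=1)),
    Threat("Public S3 bucket with patient data",
           dict(damage=3, reproducibility=3, exploitability=3,
                affected_users=3, discoverability=3)),
    Threat("Provider edits the wrong patient record",
           dict(damage=2, reproducibility=2, exploitability=2,
                affected_users=1, discoverability=1)),
    Threat("Ransomware encrypts the web server",
           dict(damage=3, reproducibility=2, exploitability=2,
                affected_users=3, discoverability=2)),
]

if __name__ == "__main__":
    for name, total, label in prioritize(SESSION_THREATS):
        print(f"{total:>2}  {label:<6}  {name}")
```

The range check matters in practice: a 1-3 scale only keeps the bar to entry low if nobody quietly scores a 5, and a missing category silently lowers a threat's total, so the function refuses both rather than guessing.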

SDL Bug Bar

The Security Development Lifecycle (SDL) Bug Bar is a concept and a set of criteria used within Microsoft's SDL framework to classify and prioritize the handling of software bugs based on their security implications. The "bug bar" establishes a baseline for the security severity that a bug must meet or exceed to be considered a priority for fix before software can be released. It helps teams make consistent, informed decisions about which security vulnerabilities to fix and when to fix them.

There’s not really a lot available online for implementing the Bug Bar. There are some blog posts and the SDL Bug Bar PDF which doesn’t exactly give instructions on how to implement. It can be loaded as a template into other Microsoft tooling so that can be helpful and will help with streamlining some of the threat modeling process. Leave a comment below if you’ve had experience implementing the SDL Bug Bar.

OWASP Risk Rating Methodology

The Open Web Application Security Project (OWASP) offers a risk rating methodology that considers factors such as threat agents, attack vectors, technical impact, and business impact to prioritize vulnerabilities. This methodology is particularly useful for web application security and can be adapted to fit an organization's specific needs. This has more in-depth math and expanded categories for rating a threat. This could be another option for maturity.

CVSS (Common Vulnerability Scoring System)

CVSS provides an open framework for rating the severity of security vulnerabilities in software. It offers a standardized way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. CVSS scores can help organizations prioritize their response and remediation efforts based on the potential impact of each vulnerability. This is one of the standards for vulnerabilities.

FAIR (Factor Analysis of Information Risk)

FAIR is a quantitative risk analysis methodology that helps organizations understand, analyze, and quantify information risk in financial terms. FAIR differs from other models by focusing on the financial impact of risks, making it particularly useful for making informed, data-driven decisions about cybersecurity investments and risk management strategies. This methodology was created by Jack Jones with the intent of providing risk in financial terms for organizations.

TARA (Threat Agent Risk Assessment)

TARA identifies potential threat agents and evaluates the risks they pose to an organization's critical assets. This methodology is useful for organizations that want to focus on the most likely sources of threats and tailor their defenses accordingly. Intel created TARA as part of its comprehensive security and risk management strategy to identify, assess, and prioritize risks based on the potential impact of various threat agents. This methodology was created by the Department of Defense (DoD) in 2010. It uses built-in attacks to assist in the risk assessment process.

Summary

There are multiple options for rating and prioritizing the threats identified in a threat modeling session. I like DREAD because it’s simple, but that might not be feasible for larger organizations. If you’re a Microsoft shop the SDL Bug Bar may be a better fit. OWASP Risk Rating Methodology is another option. If you really want to go deep, CVSS or another framework may be the best option. FAIR and TARA are two methodologies that look to provide specific context to risk management: FAIR from a financial standpoint, and TARA with a DoD lean. Choosing the best risk management methodology will depend on the organization and its needs. Try multiple and see what works best for your organization.

Next we’ll get into tools and resources for threat modeling.

In Experiences, Advice Tags Threat Modeling, Risk

Exploring threat modeling methodologies and approaches - Image created with the help of ChatGPT

Methodologies and Approaches for Threat Modeling

February 14, 2024

My presentation for this year is Threat Modeling. My first stop is the 2024 Palmetto Cybersecurity Summit Feb 21-22, 2024, in Columbia SC. I’ll also be speaking at BSides Nashville May 11, 2024, and ShowMeCon May 13-14, 2024.

There are a variety of ways to do threat modeling. Deciding which one to use will depend on the organization and what is being threat modeled. I started with STRIDE which is a standard methodology for getting started. We’ll touch on the other ones but I’ve not had experience with them. The basic concept should be the same. The methodologies are used to help guide a threat modeling session through attacking and mitigating the threats discussed.

Methodologies

STRIDE

Developed by Microsoft, STRIDE is an acronym for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. This model helps in identifying threats in these six categories, making it easier to systematically address potential security issues.

Repudiation is the one that always gets me. It’s attackers getting in and performing illegal operations without leaving any sort of evidence. This is usually due to a lack of logging. The others are fairly straightforward.

LINDDUN

This is a privacy-focused threat modeling methodology designed to help identify and address privacy threats in information systems. The acronym LINDDUN stands for the seven types of privacy threats it aims to uncover: Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, and Non-compliance.

PASTA

The Process for Attack Simulation and Threat Analysis (PASTA) is a seven-step, risk-centric methodology. It focuses on aligning business objectives and technical requirements, taking into account the attacker's perspective and potential attack vectors. It is thorough and integrates well with risk management.

OCTAVE

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) is a suite of tools, techniques, and methods for risk-based information security strategic assessment and planning. It focuses on organizational risk and security practices, making it more suited for strategic, rather than technical, threat analysis.

Attack Trees

Attack Trees provide a methodical way of describing the security of systems, based on varying attacks. It's a graphical representation of potential attacks, organized in a tree structure, showing how an overall goal (root) can be broken down into sub-goals (leaves). This is an example of an attack tree.



Example of using STRIDE

Created with the help of ChatGPT

A threat modeling tweet by @thegrugq that highlights attack surface.

Below are some examples I’ve seen discussed in a threat modeling session. The sky’s the limit, and the examples will be different depending on the application or process. At the very least it’s a thought exercise that helps people think about security and discuss mitigating controls. Some of these attacks are more likely than others. Within healthcare, insider threat and errors are a lot higher than in other industries. They’re still susceptible to external attacks, but the bigger concern may already be inside the organization. Each organization will have its own attack surface.

Spoofing

Threat: A healthcare provider uses another user’s logged-in session when they walk away from their computer.

Mitigation: Ensure the session timeout is set to what is needed for the business use case of the application. If a user has several activities that require waiting for something to finish in the application, or they need to log in to other applications and then come back, then the timeout may need to be longer.

Tampering

Threat: A healthcare provider accidentally modifies the wrong record for two different patients.

Mitigation: Add an “are you sure?” pop-up. Logging and recovery will need to be in place for identification and recovery.

Repudiation

Threat: A user (patient or provider) denies sending a message or making changes to records.

Mitigation: Implement detailed logging and audit trails to track user actions and changes within the application.

Information Disclosure

Threat: S3 bucket with patient information is accidentally made available on the internet.

Mitigation: Use access controls to enforce the principle of least privilege, ensuring users can only access information necessary for their role, and encrypt data.

Denial of Service (DoS)

Threat: A ransomware attack encrypts the web server.

Mitigation: Web server and all needed systems have good backups and can be restored to get the service back online for users.

Elevation of Privilege

Threat: A user is bribed to give up their credentials to the application.

Mitigation: Use IP logging to help identify when a user logs in from an abnormal location.
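To make the last mitigation concrete, here is a small detector that reads login records and flags a successful login from a location not previously seen for that user. This is an added example and not code from the blog: the log line format, the IP-to-location table (a stand-in for a GeoIP database or network inventory) and the sample log lines are all constructed for the illustration.

```python
"""Flag successful logins from a location not previously seen for the user.

Added example for the 'IP logging' mitigation above, not the blog's code.
Log format, location table and log lines are constructed for illustration.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed stand-in for a GeoIP lookup or network inventory:
# CIDR range -> coarse location label.
REGION_TABLE = {
    ip_network("10.20.0.0/16"): "clinic-lan",
    ip_network("203.0.113.0/24"): "vpn-pool",
    ip_network("198.51.100.0/24"): "remote-unknown",
}

# Constructed log format: "<timestamp> login user=<u> ip=<ip> result=<r>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)$"
)

# Constructed sample log: two users over one day.
SAMPLE_LOG = """\
2024-02-14T08:01:12Z login user=dr.smith ip=10.20.4.17 result=success
2024-02-14T08:03:40Z login user=nurse.lee ip=10.20.5.2 result=success
2024-02-14T12:15:09Z login user=dr.smith ip=203.0.113.45 result=success
2024-02-14T22:47:51Z login user=dr.smith ip=198.51.100.77 result=success
2024-02-14T22:48:02Z login user=nurse.lee ip=10.20.5.2 result=failure
2024-02-14T23:05:30Z login user=nurse.lee ip=192.0.2.9 result=success
"""


def region_for(ip: str) -> str:
    """Return the location label for an address, or 'unmapped' if unknown."""
    addr = ip_address(ip)
    for net, label in REGION_TABLE.items():
        if addr in net:
            return label
    return "unmapped"


def parse(log_text: str):
    """Parse log lines into dicts, skipping lines that do not match the format."""
    events = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_abnormal_logins(events, known=None):
    """Return (ts, user, ip, region) for successful logins from a new region.

    known: optional {user: set(regions)} baseline of locations already treated
    as normal. Without it, a user's first successful login sets the baseline
    rather than raising an alert, and failed attempts neither extend nor
    violate the baseline.
    """
    seen = defaultdict(set)
    for user, regions in (known or {}).items():
        seen[user].update(regions)
    alerts = []
    for ev in events:
        if ev["result"] != "success":
            continue
        region = region_for(ev["ip"])
        if ev["user"] in seen and region not in seen[ev["user"]]:
            alerts.append((ev["ts"], ev["user"], ev["ip"], region))
        seen[ev["user"]].add(region)
    return alerts


if __name__ == "__main__":
    baseline = {"dr.smith": {"clinic-lan", "vpn-pool"}}
    for alert in find_abnormal_logins(parse(SAMPLE_LOG), known=baseline):
        print("abnormal login:", alert)
```

Run without a baseline the detector also flags dr.smith's midday VPN login, because it has only ever seen that user on the clinic LAN. That is the real design question behind this mitigation: how much history you seed the detector with decides whether it is useful or noisy.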


Approaches

At my organization I was the person doing the threat model. I was training up some of the other people on my team so they could do it and not create a bottleneck with my department. In some organizations an individual or team may not be the best approach. In this case a decentralized approach could be more beneficial, where the teams are trained up on doing their own threat models.

As far as automated tooling, I haven’t used a lot of it other than as a substitute for a whiteboard. I have seen the use of Microsoft’s Threat Modeling Tool, which will help with attacks but will require a lot more interaction. There’s not really a wrong or right answer. I’ve shown a lot of value and made projects run more smoothly and with less threat introduced by using just a whiteboard and markers. I haven’t explored the automated threat modeling space, but I do believe that you can’t replace a human. A one-push threat model would be nice; it’s just not that easy, and as I’ve learned in the industry there is no easy button.

Threat modeling should be done as early in the process as possible. However, it is also very useful for legacy applications or applications with minimal documentation. I’ve used it a lot for getting a better understanding of how an existing application or process works, especially if there’s very little documentation. These sessions usually require multiple meetings, because unanswered questions come up and people are tasked with doing some discovery work. Once that discovery has been made the threat model continues.

Summary

STRIDE is a good place to start with threat modeling. There are other methodologies that could be more applicable to the organization. I’ve only ever used STRIDE because it was effective for what I was doing with threat models. Walk through the chosen methodology to get an idea on the attacks possible within the application. These attacks can be simple or they can be a bit more elaborate. A few simple examples will help with getting people to think about how to attack an application or process.

Approaches to threat modeling will differ between organizations. A group of security experts can make an effective threat model, but it may not be scalable. The other option is to train people within the projects to perform the threat model. Thinking about what could go wrong will get people into the mindset of looking for problems before they happen. The earlier a problem is discovered, the less costly it is to fix. Threat modeling can also be used for discovery on existing applications or processes.

There are tools available for threat modeling. The simplest and often the most effective is a whiteboard and markers. Threat modeling is like any other security program. Get it started and then mature it over time. Try new things and evaluate if it’s useful or not. Just get started.

Next we’ll go over risk management and rating the discovered threats.

In Experiences, Advice Tags threat modeling, presentation

Exploring the basics of threat modeling - Image created by ChatGPT

Basics of Threat Modeling

February 12, 2024

My presentation for this year is Threat Modeling. My first stop is the 2024 Palmetto Cybersecurity Summit Feb 21-22, 2024, in Columbia SC. I’ll also be speaking at BSides Nashville May 11, 2024, and ShowMeCon May 13-14, 2024.

The basics of threat modeling starts with the understanding that it’s simply doing a data flow discussion. In fact, when I do these I name the meeting data flow discussion instead of threat modeling discussion. This allows people to come to the meeting with the mindset that it’s just a discussion about how data flows through an application or business process. And then we’re going to do naughty things to it.

The session itself is broken up into five parts:

  • Identifying assets and data flows

  • Establishing the security profile

  • Identifying potential threats

  • Assessing vulnerabilities

  • Prioritizing risks

We’ll explore each part in more detail below.


Identifying assets and data flows

This is scoping what will be part of the threat modeling session. It could be an application or a business process. The scope sets the boundaries that keep everyone in the meeting on track. Scope creep can and most likely will happen, and a clearly set scope makes it easier to spot when the discussion is drifting. If someone goes out of scope we can call it out and set up a separate session, or cover it later in the meeting if time allows.

A diagram is drawn as part of the session if one is not already provided. When I’m asked how to make the meeting run smoother, I ask for an existing data flow diagram or for one to be created beforehand. It doesn’t need to be elaborate, just something to get started. Everyone who can speak to the application or business process needs to be in the meeting. That may be just the development team, or it may also include people from infrastructure, compliance, or other areas.

When there is no diagram, a whiteboard and markers will do for an in-person meeting. If the meeting is virtual, most video conferencing tools have a whiteboard feature, and there are also many third-party options online. A favorite of a lot of development teams is draw.io. Infrastructure teams usually prefer a licensed copy of Microsoft Visio. We’ll get more into tools in the next blog post.

The diagram itself is just arrows, squares, and circles. OWASP has examples of shapes to use for a data flow diagram; the conventional notation uses a rectangle for an external entity (a user or a third-party service), a circle for a process, parallel lines for a data store, arrows for data flows, and a dashed line for each trust boundary the data crosses. I would typically use a square for an application and a circle for a database. The big thing is to use a standard shape for each kind of thing within the diagram, and to mark where the trust boundaries are, because that is where most of the attacks will be found. Once the diagram is drawn we can move to establishing the security profile.

Establish the security profile

This is the part where the group identifies what security is currently in place. It covers items like whether HTTPS or plain HTTP is in use (lots of backend things still use HTTP) and how users access the application or process. Thoroughness is good, but new security measures may also be discovered as the application is attacked. Compliance requirements for the application also need to be understood. Healthcare, financial, and personal data all carry different requirements and security protections than data that is expected to be public. Once the security profile is established we get to be bad boys.



Identify potential threats

In this part we get to play the bad guys and think about how we can break the application or process. When first introducing this activity to a department, keep in mind that they’re builders, not breakers. We have to unlock that mindset within them. Once the ball gets rolling, though, people can come up with some pretty creative ways to attack their own application or process.

One of the important techniques a facilitator needs is being silent. People can’t stand silence, so learning to stay silent will help get people in the room to participate. Having a pentester in the room may help get the juices flowing, but don’t let them provide more than one or two examples. They can quickly take over, and then it’s just the pentester talking about how they’re going to test the application. The underlying objective is getting people into a better security mindset. To do that they need to start learning how to think like an attacker.

Anything is on the table, from simple attacks to elaborate Mission Impossible style attacks. One of my favorite attacks to use to get people thinking is a bribe or insider threat scenario: “What if I give you a million dollars for your access?” The response is usually, “But you can’t do that… ohhhhh!” It happens. In 2020 news broke that a Russian national had offered a Tesla employee a million dollars to plant malware on the company’s network. Insider threat is a huge attack vector and a massive risk, and it is something that should be discussed.

There are different methodologies for coming up with attacks in a threat model session. I like using STRIDE, a mnemonic for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service (DoS), and Elevation of Privilege. Each category is the inverse of a security property (authentication, integrity, non-repudiation, confidentiality, availability, and authorization respectively), so asking “how could someone defeat this property here?” for each element of the diagram works well. Simply walk through each one of these types of attacks as part of the session. Once that’s done we assess the attacks we found.

Assessing attacks

When coming up with attacks, make sure to document each one. They should remain visible to everyone so the group can discuss mitigating controls. Again, this is where the group needs to speak up about how to mitigate each attack. As a facilitator I’ve often had the answer, but I want the group to provide it so they can start exercising those security thought muscles. Often I’ve found that the group comes up with creative mitigating controls. Once all attacks have mitigating controls we move on to prioritization.

Prioritizing risks

I use DREAD, another mnemonic for evaluating and prioritizing risk. It stands for Damage Potential, Reproducibility, Exploitability, Affected Users, and Discoverability. I write each of these out to the side of the attacks so we can rate them. I use a 1-3 scale, with one being low, two medium, and three high. I like to keep things simple, but something like a 1-10 scale can also be used. Once a score is given for each item, add them up. The higher the total, the higher the priority. This lets teams focus on the attacks that carry the most risk and can do the most damage. Make sure to identify and assign action items for addressing the attacks that need it.
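The STRIDE walk-through and the DREAD rating above are easy to capture in a small script, which is handy when the whiteboard photo needs to become a threat register. This is an added example, not code from the original post: the diagram (a browser talking to a web app that talks to a database), the three attacks and their ratings are all constructed for illustration, and the STRIDE-per-element mapping it uses is the one from Microsoft’s SDL guidance rather than anything the post prescribes.

```python
"""Added example, not code from the original post: enumerate STRIDE threats
per element of a small data flow diagram, then rank the attacks the group
came up with using the 1-3 DREAD scale described above.

The diagram, the attacks and the ratings are constructed for illustration.
"""
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# STRIDE-per-element: which categories are worth asking about for each kind
# of DFD element (the mapping used in Microsoft's SDL threat modeling guidance).
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}


@dataclass
class Element:
    name: str
    kind: str                       # one of the APPLICABLE keys
    crosses_boundary: bool = False  # set on data flows that cross a trust boundary


def enumerate_threats(elements):
    """Return (element, category, crosses_boundary) rows for the facilitator
    to walk through. Flows crossing a trust boundary are listed first because
    that is where most of the real attacks cluster."""
    rows = []
    for el in elements:
        for code in APPLICABLE[el.kind]:
            rows.append((el.name, STRIDE[code], el.crosses_boundary))
    rows.sort(key=lambda row: not row[2])  # stable sort keeps diagram order otherwise
    return rows


DREAD_AXES = ("Damage Potential", "Reproducibility", "Exploitability",
              "Affected Users", "Discoverability")


def dread_score(ratings):
    """Sum five ratings on the 1 (low) / 2 (medium) / 3 (high) scale."""
    if len(ratings) != len(DREAD_AXES) or any(r not in (1, 2, 3) for r in ratings):
        raise ValueError("DREAD needs five ratings, each 1, 2 or 3")
    return sum(ratings)


def prioritize(attacks):
    """attacks: {description: ratings}. Returns (score, description) pairs,
    highest score first; ties keep the order the attacks were recorded in."""
    return sorted(((dread_score(r), a) for a, r in attacks.items()),
                  key=lambda pair: -pair[0])


# Constructed diagram: the browser -> web app flow crosses the
# internet / data-center trust boundary, the others do not.
SAMPLE_DIAGRAM = [
    Element("browser", "external_entity"),
    Element("browser -> web app", "data_flow", crosses_boundary=True),
    Element("web app", "process"),
    Element("web app -> database", "data_flow"),
    Element("database", "data_store"),
]

# Constructed attacks from a session, rated on the 1-3 scale in DREAD_AXES order.
SAMPLE_ATTACKS = {
    "Bribed DBA exports the customer table": (3, 2, 2, 3, 1),
    "Credential stuffing against the login form": (2, 3, 3, 2, 3),
    "Plain HTTP between web app and database is sniffed": (2, 3, 2, 3, 2),
}

if __name__ == "__main__":
    for name, category, crossing in enumerate_threats(SAMPLE_DIAGRAM):
        flag = " (crosses trust boundary)" if crossing else ""
        print(f"{name}: {category}{flag}")
    print()
    for score, attack in prioritize(SAMPLE_ATTACKS):
        print(f"{score:2d}  {attack}")
```

The per-element mapping is only a prompt list: it tells the facilitator which questions to ask at each box and arrow, and the group still has to supply the concrete attack. Keeping the ratings as plain tuples makes it easy to paste the register into the follow-up email and re-score an item when a mitigating control lands.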

Documenting the threat model

From there it’s documenting the outcomes of the meeting. I will take notes during the session (another reason to stay silent) and type those out in a follow up email to the group. I also take a picture or screenshot of the diagram and provide that in the meeting notes as well. I would recommend storing those in a repository that’s available to everyone involved in the discussion. As part of the meeting notes I include action items at the top and have the agreed upon name of the person that will make sure the item is addressed.

Summary

Threat modeling is simply a data flow discussion. I’ve used the name data flow discussion to make the meeting less intimidating. Sessions can run from one to several hours; it depends on the application or business process and how deep you need to go. One long session or multiple shorter sessions can be set up. Having a diagram ahead of time will significantly reduce the time needed for a threat modeling session.

The session itself is building the diagram, adding the security profile, attacking the application, identifying the mitigating controls, and prioritizing the risk. Finally, document the session and assign action items. Someone will need to follow up on each item to make sure they get addressed properly.

Next, we’ll dive deeper into methodologies and approaches that can be used as part of a threat modeling session.


What is Threat Modeling?

February 8, 2024


Here’s what ChatGPT said:

Threat modeling is a structured approach used in cybersecurity to identify, prioritize, and address potential threats to a system. It involves a series of steps to assess the security of an application or system by identifying what needs to be protected, determining potential threats and vulnerabilities, and then devising strategies to mitigate or prevent the identified risks. The primary goal of threat modeling is to enhance the security posture of a system by focusing on protection measures from the early stages of design and development through to deployment and maintenance.

Within the context of the cybersecurity field this is true, but threat modeling is more general than that. It is something we all do in daily life: driving, planning a trip, planning a birthday party, talking about who’s going to win the Super Bowl, and so on. It’s talking about what might happen and then putting things in place to mitigate those potential scenarios. I use the driving analogy a lot. While on the road I am constantly thinking about things like:

  • “What happens if this person gets into my lane?”

  • “The onramp coming up is usually pretty busy”

  • “I have X amount of gas and this far to go”

This is threat modeling, and we all already do it on a daily basis. This is why I find introducing threat modeling into a project to be super easy.

Threat modeling is a step-by-step process for identifying all the things that could go wrong. It’s meant to find solutions to problems before they happen. It can also be a lot of fun to come up with Mission Impossible level attack scenarios. Here are the steps of a threat model:

  • Scope the application or project

  • Build out a diagram of the application or project

  • Identify what security measures are already in place

  • Attack the diagram by using simple and elaborate attack techniques

  • Identify mitigating controls for the attack scenarios

  • Rate the attack techniques for prioritization

  • Assign action items

  • Document the session and follow up items

Sometimes these sessions take an hour; sometimes multiple hours are needed. Having a diagram beforehand helps speed up the process.

Benefits of Threat Modeling

Doing threat modeling early in the development cycle helps get everyone on the same page and identifies potential risks before development even begins. Developers can think through the issues and put mitigating controls in place up front. This reduces the cost of a security issue, because it is addressed early rather than found later in the process.

Another benefit I’ve found is in exploring legacy applications and applications that join the organization as part of a merger or acquisition. Often these applications don’t have any documentation, which makes things difficult when the people who built or maintained them have left the organization. Threat modeling is a way to better understand and document those applications. Any security issues or risks identified can be added to the backlog to be addressed.

Next we’ll dive deeper into the basics of threat modeling.


Why Threat Modeling is important

February 7, 2024


Why this talk?

I’ve done 10 different talks publicly. Six of those talks had threat modeling in them. It’s something I bring up in over half of my talks. It’s low cost, easy to implement, easy to get started, and provides a tremendous amount of value. Its main purpose is to talk through all the things that can go wrong, but it also does a really good job of getting everyone on the same page.

In one of my first threat modeling sessions, one of the developers said, “I thought we were doing this in the cloud.” “Nope, we’re doing it in the data center.” That’s a pretty big difference in development and infrastructure efforts. The other thing threat modeling does is get people into a security mindset. Thinking like a hacker isn’t a mindset a lot of people use. They’re builders, not breakers. To have an effective session and to start building that security mindset, we have to show them the ways of the dark side.

Giving developers a security mindset is the farthest left we can shift security in the software development lifecycle (SDLC); we can’t go any further left than the moment they are designing and coding. They like to build things and don’t often think about how things can go wrong. Threat modeling at the design phase lets security be thought about before development begins. It streamlines security into the SDLC and prevents security issues from popping up later in the process and in production.

A lack of threat modeling in the real-world

NotPetya

NotPetya leveraged EternalBlue, an exploit for an SMBv1 vulnerability in Microsoft Windows (patched in MS17-010), and was initially delivered through the compromised update mechanism of M.E.Doc, a widely used Ukrainian accounting package. It also spread laterally using stolen credentials and legitimate administration tools, which is how it moved through networks that were already patched. Once a system was infected, NotPetya overwrote the master boot record and encrypted the Master File Table, rendering the computer unable to boot.

The impact of NotPetya was massive and far-reaching, affecting businesses, government entities, and infrastructure worldwide. Major multinational companies, including Maersk, Merck, FedEx's TNT Express, and many others, reported significant disruptions to their operations and financial losses. The total damages from the NotPetya attack are estimated to be in the billions of dollars, making it one of the costliest cyber incidents to date.

From a threat modeling standpoint this was an attack that unintentionally crossed network boundaries, spreading from Ukraine to the United States and elsewhere through the connected networks of multinational companies. Network segmentation is an important talking point for projects that span multiple countries or handle sensitive data.

SolarWinds Supply Chain Attack

Malicious actors compromised the software build system of SolarWinds, a company that produces network and infrastructure monitoring solutions. The attackers inserted a backdoor into builds of the Orion platform, which was then distributed to thousands of SolarWinds customers, including government agencies and Fortune 500 companies, through the normal signed update channel. This sophisticated attack highlighted the need for comprehensive threat modeling that includes supply chain risks and third-party dependencies.

Insider threat is also an important talking point for internal processes that aren’t exposed to the internet, such as a build pipeline. To kick-start the conversation with developers and others new to threat modeling, I often bring up insider threat to get the attack ideas flowing.

23andMe Hack

Attackers used credential stuffing to gain access to about 14,000 accounts. 6.9 million users were ultimately impacted because of the data-sharing features within the platform. While bad passwords are a problem, development teams can come up with solutions to a credential stuffing attack through threat modeling. Multifactor authentication (MFA), password strength requirements, checks against known-breached passwords, rate limiting, and detection for these types of attacks are all mitigating controls that can be put in place. Sharing permissions can also be discussed as part of a threat modeling session to ensure proper authorization mechanisms are in place and personal information isn’t exposed to a broader audience than intended.

In the next blog post we’ll cover what threat modeling is.

Examples created with the help of ChatGPT


How to build a phishing program

January 25, 2024

The first thing I recommend is reading Phishing Dark Waters by Christopher Hadnagy and Michele Fincher, with a foreword by Robin Dreeke. They have a lot of great insights on phishing and how to build a program, and I used the book as a guide to build my own. One of the ideas in the book that really helped give me direction for building the program was the metrics. The book breaks metrics down into four categories:

  • Clicked and Reported

  • Clicked and Didn’t Report

  • Didn’t Click and Reported

  • Didn’t Click and Didn’t Report

The idea of a phishing program is to reduce click rates and increase reporting rates. These metrics helped establish goals and strategies for building and running a successful program. Using them as a guide, we were able to reduce click rates and improve reporting rates by over 50% at a company with over 6,000 employees. Below we’ll get into getting started, the mindset to have, how to mature the program, and metrics and reporting.

Getting Started

Leadership buy-in

The first thing needed is leadership buy-in. The higher up the buy-in, the more effective the program. If buy-in isn’t at the highest level, don’t fret; once the program is started, leadership will buy in when they see the metrics. Metrics have a way of providing valuable insight into the risk that phishing attacks pose to the company.

Who to tell

Before sending a phish you need to inform the people who will keep the phish from becoming a full-blown incident. Who that is varies by organization. Some will want very few people told. Others will want legal and HR input. The essential people are the person you report to and the Security Operations Center (SOC) and help desk managers.

The SOC and help desk managers will need to decide whether their people should be told. Sometimes the SOC and help desk should be included as targets in the phishing simulation; other times it is more beneficial to let them know ahead of time. Often the managers will want to see how their directs respond to a phishing email report. For larger phishes it’s a good idea to inform the help desk, but for more targeted phishes they may not need to be told. There’s also always the option of making them a targeted phishing group.

Automation

Sending out phishes will increase the workload on other departments: the help desk, the SOC, and whoever monitors the security inbox, if that’s not already the SOC. Automation is a friend here. Set up automated responses wherever a phishing email may be reported, so every reporter gets an immediate acknowledgement.

We didn’t do this for our first phish of the company and had over 500 people report the email. I responded to every single one of them because it was my miss and I wanted to acknowledge and show people appreciation for reporting a phish. If they’re not acknowledged and thanked they’ll be less likely to send in a phishing email in the future.

Recognize people who report phishing emails

To make an effective phishing program, people need to be recognized and thanked for taking the time to identify and report a phishing email. If there’s a platform where employees can send each other praise or recognition, I would load anyone who reports a phish into it. People need positive feedback to continue the positive behavior.

Also, it’s okay if people tell each other about the simulated phish. We want people getting into the habit of giving their peers and co-workers a heads-up that they have a phishing email in their inbox. Simulated phish or real phish, people giving each other a heads-up is a good thing.

Create your first phish

To start, pick something super dumb with a lot of indicators that easily identify it as a phishing email. This provides a baseline for the overall click rate of the organization and helps build the roadmap for future phishes. Establishing the baseline sets the starting point. As click rates go down, the difficulty of the phishes can be increased and reported on, which shows leadership a reduction in risk.

The thing to remember about click rate is that a lot of factors go into clicking on an email: the time of day, people’s stress levels, what’s going on at work and at home, and luck. Who gets sent a phish, when, and what type of phish are the only things in our control. Click rate is volatile. I’ve seen a monthly phish get a 2% click rate. I’ve also seen a monthly phish get a 14% rate. Pay attention to the time of year and what might be going on inside and outside the organization.

Deciding whether to blast out the email or schedule it over a period of time is very important. For larger groups you want to schedule the phish over a period of time. I would phish the entire company monthly, with people getting the phish at random times throughout the month. For smaller groups I had the option of sending the phish all at once. Sending a phish to several thousand mailboxes in one day will not make you any friends in the SOC or help desk, especially if automation is not set up.

What’s off limits

Even if your CEO gives you free rein, like I’ve had in the past, you do not have free rein. GoDaddy got in trouble for a phish its security team sent in December 2020. The lure was a $650 holiday bonus; after people clicked they were instead told they had been assigned extra security awareness training. While the bad guys may use this type of lure, we as the good guys should not stoop so low. That type of phish gets people’s hopes up and then brings them back down, and the result is an angry reaction.

Anything dealing with finances, family members, politics, religion, or sex is off limits. These topics create an extra-strong emotional reaction. I also wouldn’t mess with anything related to marketing or other departments that need to get employees engaged. Any of these will be sure to get you in political hot water. Even if the CEO backs you up, that group may have to accept it, but they won’t like it and will look to sabotage the program.

The phishing program is something people in the organization should understand is there to help. It’s already hard enough to get people to buy in and feel good about security. Pissing them off won’t help the program and may even result in it being hamstrung. That’s why it’s important to remember that a phishing program is practice for the real thing. It’s not a game of “Gotcha!”; it’s practice.

It’s about practice


The phishing program is about practicing the activity of receiving and responding to a phishing email. Trying to catch people out doesn’t help and can put the program in choppy political waters. That’s why the program needs to tie back to something real-world.

Dig into your email gateway and look for phishes being caught there. Check the security inbox to see what actual phishing emails are being reported. Look for ones of a general nature that apply to the entire company. Pay attention to the news and the latest phishing emails being sent to people. Think about the time of year; packages are flying around in November and December. The phishing platforms do a good job of adding new templates based on the latest phishing emails they’re seeing. Make it relevant.

Targeted phishes

Targeted phishes are sent to a specific group. The purpose should be specific to the department or group and related to techniques attackers may use to get into the organization. Again, look in the security tooling to understand what certain groups are being targeted with, and research phishes in the news that relate to the company’s industry.

Depending on your organization you can go outside the parameters of tying it to outside news events. In the past I’ve seen phishes using Game of Thrones and the latest Avengers movies as lures. These were sent to groups who were aware of the phishing program and did a better job of identifying phishes. For targeted phishes like this, make sure to host training afterwards to discuss and reiterate the practice aspect of the phish.

One of the most successful phishes I ever did was part of a lunch and learn session. The phish got a 50% click rate and it wasn’t even my idea. As part of the session I asked the people in attendance for ideas for a phish to send to IT. We had a praise platform that you could use to send people praise. So we decided to do a phish that used one of the notification emails for getting praise. Then we made it look like it was from the CEO. We did add several indicators that it was a phishing email such as giving them a nonexistent praise and an obvious link if you hover over it. We got clicks almost immediately during the session.

Later that day I was visited by a couple of directors in the IT department who said they had never fallen for an internal phish before at any organization. I avoided severe political backlash in this situation because they were in a group with a low click rate and they had access to the lunch and learn where we did the phish. In another organization this could have caused a lot of issues.

Despite conducting phishes to gather information and reduce risk in the organization, we are still going to bruise some egos. That is why we need to be thoughtful and careful about the phishes we send.

Increase the difficulty

As the click rate goes down, increase the difficulty. Base that decision on a reduced click rate over three or more months, because month-to-month click rate is volatile. To increase difficulty, reduce the number of indicators in a phishing email. If you started with five indicators, reduce it to four. This gives the phishing emails levels of difficulty that can be reported on.

Indicators can be anything from misspellings to how legitimate the sending domain looks. We’ve used domains that were bought to protect the company from typosquatting attacks; we loaded those into the platform and used them when we needed to increase the difficulty of phishing emails.

Reporting, Metrics, and extra training

As mentioned above, I like to use click rate and report rate. Other statistics don’t provide as much insight. The phishing platform may not provide those statistics by default, which means some Excel jujitsu will be needed to get the metrics worth reporting up.

I never liked calling out individuals unless they were flagged multiple times as repeat clickers and put the company at significant risk. In that case a conversation with their manager and HR is useful. One thing I found useful was to group click rate and report rate by department. Grouping gives individuals an out but still allows large groups of people to be reported up if they’re having trouble with phishing emails. Leadership liked this grouping because it gave them good insight into which departments were struggling. It also motivates departments to do better: they don’t want to be in the top 10 for click rate, and they do want to be in the top 10 for report rate.
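The four buckets from the start of the post, the click and report rates by department, the top 10 lists, and the repeat-clicker check are all straightforward to compute once the platform’s per-recipient export is in hand. Here is an added example of that crunching, not code from the original post or from any phishing platform: the two monthly campaigns, the user names and the departments are constructed, and a real export would replace the hard-coded lists.

```python
"""Added example, not code from the original post: roll simulated phish
results into the four click/report buckets, compute click rate and report
rate per department, build the top-N lists, and flag repeat clickers.

The campaign results below are constructed; real ones come from the
phishing platform's per-recipient export.
"""
from collections import Counter

# Constructed results for two monthly phishes: (user, department, clicked, reported)
JANUARY = [
    ("alice", "Finance", True, True),
    ("bob", "Finance", True, False),
    ("carol", "Finance", False, True),
    ("dave", "Finance", False, False),
    ("erin", "IT", False, True),
    ("frank", "IT", False, True),
    ("grace", "IT", True, True),
    ("heidi", "IT", False, False),
    ("ivan", "Sales", True, False),
    ("judy", "Sales", True, False),
    ("mallory", "Sales", False, False),
    ("niaj", "Sales", False, True),
]
FEBRUARY = [
    ("alice", "Finance", False, True),
    ("bob", "Finance", True, False),
    ("ivan", "Sales", True, True),
    ("judy", "Sales", False, True),
]

# The four categories from Phishing Dark Waters, keyed by (clicked, reported).
BUCKETS = {
    (True, True): "Clicked and Reported",
    (True, False): "Clicked and Didn't Report",
    (False, True): "Didn't Click and Reported",
    (False, False): "Didn't Click and Didn't Report",
}


def bucket_counts(results):
    """Count recipients in each of the four buckets for one campaign."""
    return Counter(BUCKETS[(clicked, reported)] for _, _, clicked, reported in results)


def rates(results, key=lambda row: "all"):
    """Click rate and report rate (percent, one decimal) grouped by key(row)."""
    sent, clicks, reports = Counter(), Counter(), Counter()
    for row in results:
        group = key(row)
        sent[group] += 1
        clicks[group] += row[2]   # bools add as 0/1
        reports[group] += row[3]
    return {g: (round(100 * clicks[g] / sent[g], 1),
                round(100 * reports[g] / sent[g], 1)) for g in sent}


def department_rates(results):
    """Per-department (click_rate, report_rate); the grouping leadership sees."""
    return rates(results, key=lambda row: row[1])


def top_n(dept_rates, metric, n=10):
    """Departments ranked by click rate (worst first) or report rate (best first).
    Ties are broken alphabetically so the list is stable month to month."""
    idx = {"click": 0, "report": 1}[metric]
    return sorted(dept_rates, key=lambda d: (-dept_rates[d][idx], d))[:n]


def repeat_clickers(campaigns, threshold=2):
    """Users who clicked in at least `threshold` campaigns: the one case where
    an individual, rather than a department, gets a conversation."""
    clicks = Counter(user for campaign in campaigns
                     for user, _, clicked, _ in campaign if clicked)
    return sorted(u for u, c in clicks.items() if c >= threshold)


if __name__ == "__main__":
    print(dict(bucket_counts(JANUARY)))
    print("overall:", rates(JANUARY)["all"])
    by_dept = department_rates(JANUARY)
    print("top click rate:", top_n(by_dept, "click"))
    print("top report rate:", top_n(by_dept, "report"))
    print("repeat clickers:", repeat_clickers([JANUARY, FEBRUARY]))
```

With the constructed data, IT has the lowest click rate and highest report rate while Sales has the opposite, which is exactly the department-level picture the post recommends reporting up. The repeat-clicker threshold is a parameter because “flagged multiple times” is a policy decision, not a number the data dictates.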

As for training, I didn’t like assigning extra training from the phishing platform unless there was buy-in from the top and it could be tied to something performance-related from an HR standpoint. If I assigned training without any sort of outcome, people could ignore it without repercussions. I still think training is important, and I preferred in-person training because it let me walk people through the phish and answer their questions. I found that the groups I worked with in these sessions did a much better job with phishing emails afterwards. Those sessions can also be recorded and put into an LMS platform.

Summary

A phishing program can be a powerful security awareness tool for an organization. It should look to decrease click rate and improve report rate. The first phish should set a baseline. Increase the difficulty as click rates go down and report rates go up. Tie simulated phishes to real phishes being seen in the company’s security tooling. Even with free rein, certain phishes are off-limits. The CEO might be okay with it, but everyone else will start to harbor bad feelings towards the phishing program and security, and will look to undermine it when possible.

Identify what metrics are important and put those together to be reported up. Creating top 10 lists for departments is a great way to gamify the reporting and get people to participate more actively. Finally, remember this is about practice. Anyone can fall for a phish if the right factors line up. Taking an empathetic approach will help make the program more engaging and effective.

Drop any questions you may have in the comment section below or reach out via the contact form.

This post first appeared on Exploring Information Security.
