There’s going to be some really great talks at the 2024 Palmetto Cyber Summit

Maximizing Your Conference Experience: preparing for the 2024 Palmetto Cyber Summit

January 30, 2024

I will be at the 2024 Palmetto Cyber Summit February 21-22, 2024, in Columbia, South Carolina. The schedule is up and I’ll be speaking at 2:15 pm ET in SALON C on the first day, February 21. One of the things I like to do as I prepare for a conference is pick out a schedule for myself. This usually doesn’t take long about 20 minutes. Picking the talks I’d like to go see allows me to utilize the conference to its fullest.

Now, I don’t go to most of the talks at a conference because I usually end up talking to people. HallwayCon can be a great use of time to network and gain knowledge from other people at the conference. When I’m not talking to someone that’s when I’ll usually hop into a presentation. In the post I want to walk through my process for anyone who is new to going to a conference.

The first step is to pick a place to put down the talks of interest. This should be something mobile friendly. At one point I was using Microsoft Excel or Google Sheets but spreadsheets can be hard to read on a mobile phone. Now I use some sort of notepad or Google Doc. If the conference has a hard copy of the agenda I may transfer my notes to there so I have a hard copy. For this conference I’m going to try this post.

Once I’ve figured out where I want to put my selections I start going through the schedule. If there are two talks I want to see at the same time slot I pick the one I prefer and then put the other down as a backup. If there’s not talk then I plan to talk to vendors or go wander around the venue. Stepping outside for a break is also an option. I usually put down the time, location, title of the talk, and the speaker.

Below are talks that are of interest to me currently. As expected AI is the hot topic and I’m looking to better understand other people’s viewpoints on it and how it’s used. Sometimes I’ll be in a talk where I don’t learn anything new but it confirms my current knowledge. I’ve also been in talks I don’t plan to go into because I decide to go with someone else and they make a compelling case for the talk. They speaker is also a factor. I try to support the people I know by going to their talks.

That’s one of the things I do to prepare for a conference. I now have one less thing to worry about at the conference and can take it in more fully. I also have a plan that allows me to take full advantage of the conference. Leave a comment below with your tips for attending conferences. Also, come say “Hi!” if you’re at the summit.

Tim’s 2024 Palmetto Cyber Summit Schedule

Feb 21

3:00 - 3:45

SALON A - Security Protection Using OSINT - Kurtis Suhs

3:50 - 4:20

SALON C - Countdown to Industrial Extinction - Michael Holcomb

4:20 - 4:50

SALON C - The Future of Security: Embracing a Platform-Centric Appraoch - Ken Alexander

Feb 22

8:30 - 9:00

SALON B - Lessons Learned Applying Machine Learning in Cybersecurity - Jeff Janies

9:00 - 9:30

SALON B - What Neuroscience Taught Us About CyberSecurity in 1885 - Chip Reaves

11:15 - 12:00

SALON B - The Enhancement of Malicious Social Engineering with AI - Dr. Sybil Rosado

1:30 - 2:15:

SALON B - Misinformation in the Age of Generative AI - Dr. Donnie Wendy
Backup: xIoT Hacking Demonstration and Strategies to Disappoint Bad Actors - SALON C - John Vecchi

2:20 - 2:45 -

SALON B - Using AI/ML to Manager Your Organization’s Cybersecurity Program - Tom Scott
Backup: SALON A - Automating Compliance - Carl Bjerke

3:00 - 4:00 - This one is a bit of a toss up:

SALON B - Enhancing Cybersecurity: AI and Modern Threat Defense - Jim Hayes
SALON C - Know Yourself: We’ve Focused on Attackers for Too Long, it’s Time to Look Inward - Justin Scarpaci

This post first appeared on Exploring Information Security.

Exploring a phishing program - *Created with the help of ChatGPT*

How to build a phishing program

January 25, 2024

The first thing I recommend, is reading Phishing Dark Waters by Christopher Hadnagy, Michele Fincher, and Robin Dreeke. They have a lot of great insights on phishing and how to build a program and I used the book as a guide to build my own. One of the ideas in the book that really helped give me direction for building the program were the metrics. The book broke metrics down into four categories:

Clicked and Reported
Clicked and Didn’t Report
Didn’t Click and Reported
Didn’t Click and Didn’t Report

The idea of a phishing program is to reduce click rates and increase reporting rates. These metrics helped establish goals and strategies for building and running a successful phishing program. Using these metrics as a guide we were able to reduce click rates and improve reporting rates by over 50% at a company with over 6000 employees. Below we’ll get into getting started, the mindset to have, how to mature the program, and metrics and reporting.

Getting Started

Leadership buy-in

The first thing needed is leadership buy-in. The higher up the leadership buy-in the more effective the program. If buy-in isn’t at the highest level don’t fret. Once the program is started leadership will start to buy-in once they see the metrics. Metrics have a way of providing valuable insight into the risk associated with phishing attacks for the company.

Who to tell

Before sending a phish you need to inform the people that will help keep the phish from becoming a full blown incident. This can vary depending on the organization. Some will want very few people to be told. Others will want legal and HR input. The essential people that need to be involved is the person you report to and the Security Operations Center (SOC) and help desk managers.

The SOC and help desk managers will need to determine if their people need to be told. The SOC and help desk should be included in the phishing simulation, other times it might be more beneficial to let them to know. Often, they managers will want to see how their directs respond to a phishing email report. For larger phishes it’s a good idea to inform the help desk but for more targeted phishes they may not need to be told. There’s also always the option of making them a targeted phishing group.

Automation

Sending out phishes will increase the workload on other departments like the help desk, the SOC, and anyone monitoring the security inbox, if that’s not already the SOC. Automation is a friend here. Setup automated responses wherever a phishing email may be reported.

We didn’t do this for our first phish of the company and had over 500 people report the email. I responded to every single one of them because it was my miss and I wanted to acknowledge and show people appreciation for reporting a phish. If they’re not acknowledged and thanked they’ll be less likely to send in a phishing email in the future.

Recognize people who report phishing emails

To make an effective phishing program people need to be recognized and thanked for taking the time to identify and report a phishing email. If there’s a platform where employees can send other employees praise or recognition I would load anyone who reports a phish in there. People need positive feedback to continue the positive behavior.

Also, it’s okay if people tell each other about the simulated phish. We want others getting into the habit of giving their peers and co-workers a heads up that they have a phishing email in their inbox. Simulated phish or real phish people giving each others a heads up is a good thing.

Create your first phish

To start pick something super dumb that has a lot of indicators that easily identify it as a phishing email. This will provide a baseline for the overall click rate of the organization. It will help build the roadmap for future phishes. Establishing the baseline sets the starting point. As click rates go down the difficulty of the phishes can be increased and reported on. This will help show a reduction in risk to leadership.

The thing to remember about click rate and phishing emails is that there a lot of factors that go into clicking on an email. The time of day, the stress levels of people, what’s going on at work and at home, and luck. Who get’s sent a phish, time of day, and the type of phish are the only things in our control. Click rate is volatile. I’ve seen a monthly phish get a 2% click rate. I’ve also seen a monthly phish get a 14% rate. Pay attention to the time of year and what might be going on inside and outside the organization.

Deciding on whether to blast out the email or schedule it over a period of time is going to be very important. For larger groups you want to schedule the phish over a period of time. I would phish the entire company monthly. They’d get the phish at random times throughout the month. For smaller groups I had the option of sending them the phish all at once. Sending out a phish to several thousand emails in one day that will not make you any friends with the SOC or help desk, especially if automation is not set up.

What’s off limits

Even if your CEO gives you free reign, like I’ve had in the past, you do not have free reign. GoDaddy got in trouble for a phish in 2020 that the security team sent. The lure was a $650 holiday bonus. After people clicked they instead got told they were assigned extra security awareness training. While the bad guys may use this type of technique or other types of phishing emails we as the good guys should not stoop so low. That type of phish is getting people’s hopes up and then bringing it back down. This will result in an angry reaction.

Anything dealing with financial, family members, politics, religion, or sex are off limits. These topics create an extra strong emotional reaction from people. I also wouldn’t mess with anything related to marketing or other departments needing to get employees engaged. Any of these will be sure to get you in political hot water. Even if you get backed up by the CEO that group may have to accept it, but they won’t like it and will look to sabotage the program.

The phishing program is something people in the organization should understand is here to help. It’s already hard enough to get people to buy-in and feel good about security. Pissing them off won’t help the program and may even result in it being hamstrung. That’s why it’s important to remember that a phishing program is practicing for the real thing. It’s not the game of “Gotcha!” it’s practice.

It’s about practice

The phishing program is about practicing the activity of receiving and responding to a phishing email. Getting people to get them doesn’t help and can put the phishing program in choppy political waters. That’s why the program needs to tie back to something real world.

Dig into your email gateway and look for phishes that are being caught in there. Check the security inbox to see what actual phishing emails are being reported there. Look for ones that are of a general nature for the entire company. Pay attention to the news and what are some of the latest phishing emails being sent to people. Think about the time of year. Packages are flying around during November and December. The phishing platforms do a good job of adding new templates with the latest phishing emails they’re seeing. Make it relevant.

Targeted phishes

Targeted phishes are phishes that are sent to a targeted group. The purpose should be specific to the department or group of people and related to techniques attackers may use to try and get into an organization. Again, look in security tooling to understand what certain groups are being targeted with and research phishes in the news that relate to the company’s industry.

Depending on your organization you can go outside of the parameters of making it related to outside news events. In the past I’ve seen phishes using Game of Thrones and the latest Avengers movies as lures. These were sent to groups who were aware of the phishing program and did a better job of identifying phishes. For targeted phishes like this make sure to host training afterwards to discuss and reiterate the practice aspect of the phish.

One of the most successful phishes I ever did was part of a lunch and learn session. The phish got a 50% click rate and it wasn’t even my idea. As part of the session I asked the people in attendance for ideas for a phish to send to IT. We had a praise platform that you could use to send people praise. So we decided to do a phish that used one of the notification emails for getting praise. Then we made it look like it was from the CEO. We did add several indicators that it was a phishing email such as giving them a nonexistent praise and an obvious link if you hover over it. We got clicks almost immediately during the session.

Later that day I was visited by a couple of directors in the IT department who said they had never fallen for an internal phish before at any organization. I avoided severe political backlash in this situation because they were in a group with a low click rate and they had access to the lunch and learn where we did the phish. In another organization this could have caused a lot of issues.

Despite conducting phishes as a way to gather information and reduce risk in the organization we are still going to bruise some people’s ego. Which is why we need to be thoughtful and careful about the phishes we send.

Increase the difficulty

As the click rate goes down, increase the difficulty. Determining if you can increase the difficulty should be from a reduced click rate from a period of over three or more months. Month-to-month click rate can be volatile. To increase difficulty reduce the number of indicators in a phishing email. If you started with five indicators reduce it to four. This allows the phishing emails to have levels of difficulty that can be reported on.

Indicators can be anything from reducing misspellings to making domains look a lot more legitimate. We’ve used domains that were bought to protect the company from typosquatting attacks. We loaded those into the platform and used them when we needed to increase the difficulty of phishing emails.

Reporting, Metrics, and extra training

As mentioned above, I like to use click rate and report rate. Other statistics don’t provide as much insight. The phishing platform may not have those statistics as default which means some excel jujitsu will be needed to get the metrics worth reporting up.

I never liked calling out individuals unless they were flagged multiple times as repeat clickers and put the company at a significant risk. In that case a conversation with their manager and HR is useful. One of the things I find useful was to group click rate and report rate by department. Grouping departments gives people an out but still allows large groups of people to be reported up if they’re having trouble with phishing emails. Leadership liked this grouping as it provided them with good insight into which departments were struggling with phishing emails. This also motivates departments do better because they don’t want to be in the top 10 click rate and want to be in the top 10 for report rate.

As far as training, I didn’t like assigning extra training from the phishing platform unless there was buy-in from the top and could be tied to something performance wise from an HR standpoint. If I assigned training without any sort of outcome, people could ignore the training and not have any repercussions. I do still think training is important and preferred in-person training because it allowed me to walk them through the phish and allow them to ask questions. I found that the groups I got to work with in these training sessions did a much better job with phishing emails. Those sessions can also be recorded and put into a LMS platform.

Summary

A phishing program can be a powerful security awareness tool for an organization. It should look to decrease click rate and improve report rate. The first phish should set a baseline. Increase the difficulty as click rates go down and report rates go up. Try to tie phishes to relevant phishes that is being seen in the company’s security tooling. Even with free reign certain phishes are off-limits. The CEO might be okay with it but everyone else will start to harbor bad feelings towards the phishing program and security and will look to undermine it when possible.

Identify what metrics are important and put those together to be reported up. Creating top 10 lists for departments is a great way to gamify the reporting and get people to more actively participate. Finally. remember this is about practice. Anyone can fall for a phish if the right factors line up. Taking an empathetic approach will help with making the program more engaging and effective.

Drop any questions you may have in the comment section below or reach out via the contact form.

This post first appeared on Exploring Information Security.

How to find your niche in information security

November 28, 2016

How to find your niche

Relax. It can take time to figure out what really engages you. Appreciate some of the skills you learn along the way. Ignore the advice to follow your passion. You may find work in security that you enjoy doing but aren't exactly passionate about. That is okay. You can be passionate about other things and still be happy in the work you do.

Explore. Try all the things. If your role allows it, take on security projects or initiatives in different areas. Research different areas. Go to security conferences and checkout various talks. Some of the best ones for exploring are single track conferences like BSides. Find a local security meetup. Follow a bunch of people on social media in the infosec field. Listen to security podcasts. There are a ton of them.

Play. Build a home lab. One of the great things about our industry is that there are a ton of free tools that do some amazing things. Some of my favorites are:

Redline a memory forensics tool
Zed Attack Proxy a dynamic analyzer for applications
EMET a windows hardening tool
PDQ Deploy third-party patch management and software deployment tool

Ask questions. Talk to people in various fields. Do this at work and at conferences and local meetups. Social media is also a great place to ask questions.

Evaluate your strengths. If you love math or a good puzzle, cryptography might be your thing. Do you love solving mysteries like a detective? Then maybe incident response or forensics might be your thing. Liking a little bit of everything may lead down a generalist path and into a management or CISO role. Whatever the strength try to match it to a different field in information security.

My story

I didn't really have a plan for what I wanted to do coming out of high school. The one thing I was sure of was that I was heading into the military. I didn't want to head to college not knowing what I wanted to do and put myself in debt. The military would give me an opportunity to figure that out and earn money for college when I did.

Prior to graduating I had looked at a number opportunities in the Army. Helicopter mechanic was one I remember. The other one I remember is paralegal, because that's what I ended up signing to do. That plan ended up falling through and I ended up working at Blockbuster for six months. I eventually signed on with the Navy and tested into the electronics technician role.

As an electronics technician I dealt with anything that had a circuit. Computers, phone lines, printers, communication equipment, and so on. I learned a lot about troubleshooting. I honorably discharged from the Navy after six years still without an idea of what I wanted to do. This lead to contract jobs pulling cable on and off for six months. Eventually, I landed an IT role as a tier two technician. The IT field was alright. I was good at it, but it wasn't exactly inspiring me.

At this point I started going to college part-time as a media arts undergraduate. Why media arts? I enjoyed movies and video games. I had an interest in possibly building websites. The biggest factor, however, was that the offered night classes. The computer science department did not. Plus, I had worked as an electronics technician for the past several years. I would only be gaining a little benefit in going back to school for that.

A year into my tier two technician role I got hired as a network/system administrator for a small state agency. This is where my interest in security really started to manifest. The first appliance I touched was the Sourcefire intrusion prevention system (IPS). I started tuning it and setup a process where I reported computers that needed to be grabbed because they were talking to places like China. This was a juvenile detention facility, there is no reason to talk to China. Despite starting to gain an interest in security, I had aspirations to move into the media arts field for a few years. I was blogging and podcasting about baseball and enjoying that opportunity. I even started making a little money from it. I didn't know what I wanted to do, but I started looking at opportunities in the field.

The problem with the media arts field is that it doesn't pay well and it's highly competitive. The money I started making wasn't anywhere close to feeding myself, wife, and child. I was also putting in a lot of hours after work just to maintain that extra source of income. After a few years of exploring the possibility of a career in media arts, I nixed it for practical reasons. This is when I started to gain clarity on the information security field.

After gaining some network and system, as well as security, administration experience, I was hired into my first security role. This role had me wearing several different hats in the security field. I managed AV, the webfilter, email spam filter, incident response, web application firewall, and much more. All these different areas intrigued me more than network or server administration had ever.

I thought I was good. Security was my niche. Done.

Then I found out I was supposed to find a niche within my niche. I had to pick a field in security. Really? I was enjoying doing it all in security. Can't I be a generalist. Well depending on who you talk to you can or you can not be a generalist. I think you can be a generalist and I was heading down that path as my niche. I had a wide range of experience in not only security but IT in general. I could walk into a network or server discussion and talk basics.

One day my manager came to me and said, "We need to setup an application security program." Off I went to figure out what I need to do. What I discovered in my research was that I had a strong interest in application security. Reading about the field was keeping my interest more than the other fields. Some of my strengths started to show themselves. I've also had an interest in web design. I know HTML and XML pretty well. Plus, I was wrapping up a degree in media arts that gave me more experience with websites. I also started to discover that I had a knack for working with other departments. Which came in handy when setting up security programs that involved other departments. I had found my niche.

Nearly, three years later I am working as senior software security engineer. I work with the development team to get security in the software development life cycle and I am loving absolutely every minute of it. I know I wouldn't be happy as a security operations center (SOC) analyst, because I was in that role for eight months and disliked it a lot. I think I would be happy working as a generalist in information security. For a time I thought I would have to be generalist. The "requirement" to get into application security is to have a programming and development background, which I don't have. That didn't stop me from perusing those types of roles and should probably be left to another blog post.

I shared this story, because I want to show people that it can take time to figure out what you want to do. I didn't know I wanted to be in security until my late 20s. I didn't get into security until after my 30th birthday. It was another two years from that point that I figured out what I wanted to do. Relax, explore, play, ask questions, and evaluate your strengths. Then you'll find your niche.

This post first appeared on Exploring Information Security.

How to start a podcast

November 3, 2016

I can remember the exact moment I decided I would start a podcast. I was mowing my lawn. It was several months after recording a podcast at the Crawfish Boxes. It was our first podcast where we ranked the players in the Houston Astros' minor league system. I didn't produce that episode but I was excited to take part in more. When more didn't happen I decided to take initiative. I decided to produce the podcast my self.

Five years later I've produced over 200 hours of baseball podcast content. I'm well on my way to replicating that in the information security space. Consistency has been the biggest thing for me. I've managed to produce content on a regular basis. I've done that by getting my process down to a few hours. I prepare, produce, edit, and then release episodes in just a few hours. Getting started took quite a bit more time.

If your week is slammed with different obligations and hobbies reconsider starting a podcast. Starting a podcast is easy. Have an idea and then record it. The challenge starts with distributing and maintaining a podcast. With an emphasis on maintaining the podcast. If there are several obligations that take up time then it will be hard to make a podcast a priority. And that's the key to a successful podcast. The willingness to make it a priority. If you're there, (or at least think you're there) read on.

Have an idea

It took me a couple years before I had my own idea for an infosec related podcast. I didn't want to be like the other security podcasts out there. Talking about the latest news and ideas in infosec. I wanted something different. That's not to say you can't do what others are doing. Your voice is unique enough to do the same thing as others. For me I wanted something that was timeless and would provide value to others.

Once an idea has presented itself, I would recommend writing down the idea and format for the podcast. What is the duration of the podcast? What sections will it have? Is there a co-host? What do you want to cover? Is it focused on a specific topic or more general? What is the description of the podcast? What is the tagline? Who is this podcast for? Answering these questions will help get a clearer picture of what's needed.

Record it

My podcast setup is low-cast. I record using a soundcard that has a "What U Hear" function. With this input I record every sound made on the computer. The one sound that doesn't get recorded is my microphone, because it's a separate input. Which is why I use two Skype accounts and hook my microphone up to my laptop when recording guests. An alternative to this is getting a mixer. I've never used one so I can't provide any tips on using that instead.

A solo podcast is much easier to produce. A microphone and audacity is all that is needed. I use the ATR-2100 microphone and Audacity to record audio. The ATR-2100 is a $35-75 microphone that will provide 7 out of 10 quality. The more expensive professional microphones will provide a 9 out of 10 quality. The ATR-2100 provides a 7 out of 10 quality. The ATR-2100 is well worth the money.

Audacity is free and gets the job done. Software is available with a price tag for editing. That decision usually involves improving workflow.

Edit it

Audacity is where most of my editing occurs. While recording I will use the marker hot key to mark any points I need to review after recording. The default key mapping is CTRL + M. It took me a little time to get used to using it. Once I got used to it, I was able to edit without having to re-listen to the entire recording again. I could just go to the marker and make my edits. When working with markers you have to edit from the end of the episode to the front. Editing from the front will move all the markers.

Of course there is value in listening to the entire episode again. When I first started I would pick-up on things that needed improving on. Some examples include, improving the transition from topic to topic. Do things like reducing "uh" and "um" in our speech.

After editing, export the audio into a .wav file. Then run it through Levelator2. This tool will normalize levels and clean up the audio a bit. This makes listening to the podcast a little more enjoyable for the listener.

Once that's done the convert the .wav file to a .mp3 file for storage reasons. Wav files are big. MP3 files not so much. This will help with storage and improve download times for the listener. I use iTunes to convert my .wav files to .mp3 files. After that's done upload it to storage for distribution.

Store and distribute it

Storage is a cost. There are free options, but those are trickier and add complexity. I've used Libsyn and would recommend them. For me I discovered that I could host and create the RSS feed for my podcast on my own personal site. This made things much easier for me.

The last thing to do is get the podcast setup in a distribution platform. There are a lot of them. The most popular one is iTunes. This will be where you'll see most of your download traffic. Other podcast distributors include Stitcher, BluBrry, and many others. My current podcast is only on iTunes. That is the biggest distributor. I gain a much smaller amount of listeners submitting to other podcast directories. If a listener were to request another podcast directory then I'd submit there.

Submitting to a podcast directory is well documented by each site. You will need an RSS feed. There are many ways to setup one. Most storage providers like Libsyn will create an RSS feed for you. You can also do it yourself. Which is what I did for the four years of the Crawfish Boxes podcast. Currently, I'm using the EIS Podcast page on this site as the RSS feed.

Once submitted it usually takes a few days for the podcast to show up. I recommend having three episodes in the RSS feed before submitting.

Numbers to care about

If a podcaster got past 7 episode he is more likely to stick with podcasting and produce it on a regular basis. I'm not sure how true that is, but I feel like it there is some truth to it. In my experience podcasts stop because they're complicated to produce. Which leads me to my last bit of advice. If you want to keep at it, make the process as simple and as efficient as possible.

Resources:

This post first appeared on Exploring Information Security.