
Exploring Information Security

Securing the Future - A Journey into Cybersecurity Exploration

Exploring the basics of threat modeling - Image created by ChatGPT

Basics of Threat Modeling

February 12, 2024

My presentation for this year is Threat Modeling. My first stop is the 2024 Palmetto Cybersecurity Summit Feb 21-22, 2024, in Columbia SC. I’ll also be speaking at BSides Nashville May 11, 2024, and ShowMeCon May 13-14, 2024.

The basics of threat modeling start with the understanding that it’s simply a data flow discussion. In fact, when I do these I name the meeting “data flow discussion” instead of “threat modeling discussion.” This allows people to come to the meeting with the mindset that it’s just a discussion about how data flows through an application or business process. And then we’re going to do naughty things to it.

The session itself is broken up into five parts:

  • Identifying assets and data flows

  • Establishing the security profile

  • Identifying potential threats

  • Assessing vulnerabilities

  • Prioritizing risks

We’ll explore each part in more detail below.


Identifying assets and data flows

This is scoping what will be part of the threat modeling session. This could be an application or a business process. It sets the boundaries to keep everyone in the meeting on track. Scope creep is something that can and most likely will happen. Setting the scope makes it easier to identify when the discussion is getting off track. If someone goes out of scope then we can call it out and set up a separate session or cover it later in the meeting if time is available.

A diagram is drawn as part of the session if one is not already provided. When I’m asked how to make the meeting run smoother I ask for an existing data flow diagram or for one to be created. This doesn’t need to be anything elaborate, just something to get started. Everyone that can speak to the application or business process needs to be in the meeting. This may be just the development team or it may also include people from infrastructure, compliance, or other areas.

When there is no diagram, a whiteboard and markers will do for an in-person meeting. If the meeting is virtual, most video conferencing tools have a whiteboard feature. There are also many third-party options online. A favorite of a lot of development teams is draw.io. Infrastructure teams usually prefer a licensed version of Microsoft Visio. We’ll get more into tools in the next blog post.

Diagramming is simply using arrows, squares, and circles to draw the data flow. OWASP has examples of shapes to use for the diagram. I would typically use a square for an application and then a circle for a database. The big thing is to use a standard shape for each thing within the diagram. Once the diagram is drawn we can move to establishing the security profile.

Establish the security profile

This is the part where the group identifies what security is currently in place. This covers items like whether HTTPS or HTTP is in use (lots of backend things may use HTTP) and how users access the application or process. Thoroughness is good, but additional security measures may be discovered as the application is attacked. Compliance requirements also need to be understood for the application. Healthcare, financial, and personal data all have different requirements and security protections than data that is expected to be public. Once the security profile is established we get to be bad boys.

Will Smith and Martin Lawrence singing Bad Boys in the movie Bad Boys


Identify potential threats

In this part we get to play the bad guys and think about how we can break the application or process. When just introducing this activity to departments you’ll need to keep in mind that they’re builders, not breakers. We have to unlock that mindset within them. Once the ball gets rolling, though, people can come up with some pretty creative ways to attack their own application or process.

One of the important techniques someone facilitating the session will need is being silent. People can’t stand silence, so learning to stay silent will help with getting people in the room to participate. Having a pentester in the room may help get the juices flowing, but don’t let them provide more than one or two examples. They can quickly take over and then it’s just the pentester talking about how they’re going to test the application. The underlying objective here is getting people into a better security mindset. To do that they need to start learning how to think like an attacker.

Anything is on the table, from simple attacks to elaborate Mission Impossible style attacks. One of my favorite attacks to use to get people thinking is to talk about bribe scenarios or insider threat: “What if I give you a million dollars for your access?” The response is usually, “but you can’t do that….ohhhhh!” It happens. In 2021 news broke that a Russian man made a Tesla employee an offer to put ransomware on the company’s network. Insider threat is a huge attack vector and a massive risk and is something that should be discussed.

There are different methodologies for attacks in a threat model session. I like using STRIDE, which is a mnemonic for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service (DoS), and Elevation of Privilege. Simply walk through each one of these types of attacks as part of the session. Once that’s done we assess the attacks we found.

Assessing attacks

When coming up with attacks make sure to document each attack. They should stay visible to everyone so the group can discuss mitigating controls. Again, this is where the group needs to speak up about the mitigating controls. As a facilitator I’ve often had the answer but I want the group to provide that answer so they can start exercising those security thought muscles. Often, I’ve found that the group will come up with creative solutions for mitigating controls. Once all attacks have mitigating controls we move on to prioritization.

Prioritizing risks

I use DREAD, which is another mnemonic for evaluating and prioritizing risk. It stands for Damage Potential, Reproducibility, Exploitability, Affected Users, and Discoverability. I write each of these out to the side of the attacks so we can rate them. I use a 1-3 scale with one being low, two being medium, and three being high. I like to keep things simple but something like a 1-10 scale can also be used. Once a score is given for each of the items you add it up. The higher the number the higher the priority. This allows teams to focus on the attacks that have the most risk and can do the most damage. Make sure to identify and assign action items for addressing the necessary attacks.

Documenting the threat model

From there it’s documenting the outcomes of the meeting. I will take notes during the session (another reason to stay silent) and type those out in a follow up email to the group. I also take a picture or screenshot of the diagram and provide that in the meeting notes as well. I would recommend storing those in a repository that’s available to everyone involved in the discussion. As part of the meeting notes I include action items at the top and have the agreed upon name of the person that will make sure the item is addressed.
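The session steps above, sketched as a small threat register: an added example, not the author's own tooling. The flows, attacks, owners, ratings, and the damage-first tie-break are constructed assumptions; the 1-3 DREAD scale, the summed score, and action items at the top of the notes follow the post.

```python
from dataclasses import dataclass

STRIDE = (
    "Spoofing", "Tampering", "Repudiation",
    "Information Disclosure", "Denial of Service", "Elevation of Privilege",
)
DREAD = ("damage", "reproducibility", "exploitability",
         "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    flow: str        # arrow or shape on the data flow diagram
    stride: str      # STRIDE category the attack falls under
    attack: str
    mitigation: str  # mitigating control agreed by the group
    owner: str       # person who makes sure the action item is addressed
    scores: tuple    # five ratings in DREAD order, each 1 (low) to 3 (high)

    def __post_init__(self):
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE category: {self.stride!r}")
        if len(self.scores) != len(DREAD):
            raise ValueError("need one rating per DREAD factor")
        for factor, rating in zip(DREAD, self.scores):
            if rating not in (1, 2, 3):
                raise ValueError(f"{factor} must be 1, 2 or 3, got {rating!r}")

    @property
    def total(self):
        return sum(self.scores)


def prioritize(threats):
    """Highest DREAD sum first. Ties go to the higher damage rating
    (an assumption of this example), then to attack text for stable output."""
    return sorted(threats, key=lambda t: (-t.total, -t.scores[0], t.attack))


def uncovered(threats, flows):
    """Per flow, the STRIDE categories nobody has raised an attack for yet."""
    seen = {}
    for t in threats:
        seen.setdefault(t.flow, set()).add(t.stride)
    return {f: [c for c in STRIDE if c not in seen.get(f, set())] for f in flows}


def render_notes(threats, flows):
    """Follow-up notes: action items first, then rated threats, then gaps."""
    ranked = prioritize(threats)
    lines = ["ACTION ITEMS"]
    for n, t in enumerate(ranked, 1):
        lines.append(f"{n}. {t.owner}: {t.mitigation} (DREAD {t.total}/15)")
    lines += ["", "THREATS"]
    for t in ranked:
        ratings = " ".join(f"{f[0].upper()}={r}" for f, r in zip(DREAD, t.scores))
        lines.append(f"[{t.total:>2}] {t.stride} on {t.flow}: {t.attack} ({ratings})")
    lines += ["", "STRIDE CATEGORIES NOT YET DISCUSSED"]
    for flow, gaps in uncovered(threats, flows).items():
        lines.append(f"{flow}: {', '.join(gaps) or 'none'}")
    return "\n".join(lines)


# Constructed sample session: two flows from a hypothetical diagram.
FLOWS = ["User -> Web app (HTTPS)", "Web app -> Database (HTTP)"]
SESSION = [
    Threat(FLOWS[1], "Elevation of Privilege",
           "Insider is bribed to hand over database access",
           "Require a second approver for production access",
           "Owner C", (3, 1, 2, 3, 1)),
    Threat(FLOWS[0], "Spoofing",
           "Credential stuffing against the login form",
           "Add MFA and alert on login-failure spikes",
           "Owner A", (2, 3, 3, 2, 3)),
    Threat(FLOWS[1], "Information Disclosure",
           "Backend traffic readable on the internal network",
           "Move the database connection to TLS",
           "Owner B", (3, 2, 2, 3, 2)),
]

if __name__ == "__main__":
    print(render_notes(SESSION, FLOWS))
```

The gap list at the end of the notes is a prompt for the next session, not a finding: an empty category may simply mean the group has not walked through it yet.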

Summary

Threat modeling is simply a data flow discussion. I’ve used “data flow discussion” to make the meeting less intimidating. Sessions can be from one to several hours long; it depends on the application or business process and how deep you may need to go. One long session or multiple sessions can be set up. Having a diagram ahead of time will significantly reduce the time needed for a threat modeling session.

The session itself is building the diagram, adding the security profile, attacking the application, identifying the mitigating controls, and prioritizing the risk. Finally, document the session and assign action items. Someone will need to follow up on each item to make sure they get addressed properly.

Next, we’ll dive deeper into methodologies and approaches that can be used as part of a threat modeling session.


Exploring what is threat modeling

What is Threat Modeling?

February 8, 2024

My presentation for this year is Threat Modeling. My first stop is the 2024 Palmetto Cybersecurity Summit Feb 21-22, 2024, in Columbia SC. I’ll also be speaking at BSides Nashville May 11, 2024, and ShowMeCon May 13-14, 2024.

Here’s what ChatGPT said:

Threat modeling is a structured approach used in cybersecurity to identify, prioritize, and address potential threats to a system. It involves a series of steps to assess the security of an application or system by identifying what needs to be protected, determining potential threats and vulnerabilities, and then devising strategies to mitigate or prevent the identified risks. The primary goal of threat modeling is to enhance the security posture of a system by focusing on protection measures from the early stages of design and development through to deployment and maintenance.

Within the context of the cybersecurity field this is true but it’s more general than that. Threat modeling is something we all do in daily life. Driving, planning a trip, planning a birthday party, talking about who’s going to win the Super Bowl, etc. It’s talking about what might happen and then putting things in place to help mitigate those potential scenarios. I use the analogy of driving a lot. While on the road I am constantly thinking about some of the following things:

  • “What happens if this person gets into my lane?”

  • “The onramp coming up is usually pretty busy”

  • “I have X amount of gas and this far to go”

This is threat modeling and we all already do this on a daily basis. This is why I find implementing threat modeling into a project to be super easy.

Threat modeling is a step-by-step process for identifying all the things that could go wrong. It’s meant to find solutions to problems before they happen. It can also be a lot of fun to come up with Mission Impossible level types of attack scenarios. Here are the steps to go through a threat model.

  • Scope the application or project

  • Build out a diagram of the application or project

  • Identify what security measures are already in place

  • Attack the diagram by using simple and elaborate attack techniques

  • Identify mitigating controls for the attack scenarios

  • Rate the attack techniques for prioritization

  • Assign action items

  • Document the session and follow up items

Sometimes these sessions can take an hour; sometimes multiple hours are needed. Having a diagram beforehand helps speed up the process.

Benefits of Threat Modeling

Doing threat modeling early in the development cycle can help get everyone on the same page and identify potential risks before development even begins. This allows developers to think through issues and put mitigating controls in place. This actually reduces the cost of finding a security issue later in the process because it’s addressed early on.

Another benefit I’ve found is in exploring legacy applications and applications that join the organization as part of a merger or acquisition. Often, applications don’t have any documentation in place. This can make it difficult if people who have helped build or maintain the application have left the organization. Threat modeling is a way to better understand and document those applications. Any security issues or risks identified can be added to the backlog for getting addressed.

Next we’ll dive deeper into the basics of threat modeling.


Why Threat Modeling is important

February 7, 2024

My presentation for this year is Threat Modeling. My first stop is the 2024 Palmetto Cybersecurity Summit Feb 21-22, 2024, in Columbia SC. I’ll also be speaking at BSides Nashville May 11, 2024, and ShowMeCon May 13-14, 2024.

But Why? meme from Harold and Kumar go to White Castle

Why this talk?

I’ve done 10 different topics publicly. Six of those talks had threat modeling in them. It’s something I bring up in over half of my talks. It’s low cost, easy to implement, easy to get started, and provides a tremendous amount of value. Its main purpose is to talk through all the things that can go wrong but it also does a really good job of getting everyone on the same page.

In one of my first sessions doing threat modeling one of the developers said, “I thought we were doing this in the cloud.” “Nope, we’re doing it in the data center.” That’s a pretty big difference in development and infrastructure efforts. The other thing threat modeling does is it gets people into a security mindset. Thinking like a hacker isn’t a mindset a lot of people utilize. They’re builders, not breakers. To have an effective session and to start building that security mindset we have to show them the ways of the dark side.

Providing developers with a security mindset is the farthest left we can shift security into the software development lifecycle (SDLC). We can’t go any further than while they’re coding. They like to build things and don’t often think about how things can go wrong. Doing threat modeling at the design phase allows security to be thought about before development begins. This streamlines security into the SDLC and prevents security issues from popping up later in the process and in production.

A lack of threat modeling in the real world

NotPetya

NotPetya leveraged EternalBlue, an exploit for a vulnerability in Microsoft Windows, and was further propelled by a compromised update mechanism of a widely used Ukrainian accounting software called M.E.Doc. Once a system was infected, NotPetya would encrypt the master boot record, rendering the computer unable to boot.

The impact of NotPetya was massive and far-reaching, affecting businesses, government entities, and infrastructure worldwide. Major multinational companies, including Maersk, Merck, FedEx's TNT Express, and many others, reported significant disruptions to their operations and financial losses. The total damages from the NotPetya attack are estimated to be in the billions of dollars, making it one of the costliest cyber incidents to date.

From a threat modeling standpoint this was an attack that unintentionally crossed network boundaries in Ukraine and made its way to the United States. Network segmentation is an important talking point for projects that involve multiple countries and sensitive data.

SolarWinds Supply Chain Attack

Malicious actors compromised the software build system of SolarWinds, a company that produces network and infrastructure monitoring solutions. The attackers inserted a vulnerability into the software update mechanism, which was then distributed to thousands of SolarWinds' customers, including government agencies and Fortune 500 companies. This sophisticated attack highlighted the need for comprehensive threat modeling that includes supply chain risks and third-party dependencies.

Insider threat is an important talking point with internal processes that aren’t exposed to the internet. To kick start the conversation with developers and others new to threat modeling I often bring up insider threat to get the attack ideas flowing.

23andMe Hack

A credential stuffing attack was used by attackers to gain access to 14,000 accounts. 6.9 million users were ultimately impacted due to sharing permissions within the platform. While bad passwords are a problem, development teams via threat modeling can come up with solutions to a credential stuffing attack. Multifactor Authentication (MFA), password strength, and detection for these types of attacks are all mitigating controls that can be put in place. Sharing permissions can also be discussed as part of a threat modeling session to ensure proper authorization mechanisms are in place and personal information isn’t exposed to a broader audience.

In the next blog post we’ll cover what threat modeling is.

Examples created with the help of ChatGPT


There’s going to be some really great talks at the 2024 Palmetto Cyber Summit

Maximizing Your Conference Experience: preparing for the 2024 Palmetto Cyber Summit

January 30, 2024

I will be at the 2024 Palmetto Cyber Summit February 21-22, 2024, in Columbia, South Carolina. The schedule is up and I’ll be speaking at 2:15 pm ET in SALON C on the first day, February 21. One of the things I like to do as I prepare for a conference is pick out a schedule for myself. This usually doesn’t take long, about 20 minutes. Picking the talks I’d like to go see allows me to utilize the conference to its fullest.

Now, I don’t go to most of the talks at a conference because I usually end up talking to people. HallwayCon can be a great use of time to network and gain knowledge from other people at the conference. When I’m not talking to someone that’s when I’ll usually hop into a presentation. In this post I want to walk through my process for anyone who is new to going to a conference.

The first step is to pick a place to put down the talks of interest. This should be something mobile friendly. At one point I was using Microsoft Excel or Google Sheets but spreadsheets can be hard to read on a mobile phone. Now I use some sort of notepad or Google Doc. If the conference has a hard copy of the agenda I may transfer my notes to there so I have a hard copy. For this conference I’m going to try this post.

Once I’ve figured out where I want to put my selections I start going through the schedule. If there are two talks I want to see at the same time slot I pick the one I prefer and then put the other down as a backup. If there’s no talk then I plan to talk to vendors or go wander around the venue. Stepping outside for a break is also an option. I usually put down the time, location, title of the talk, and the speaker.

Below are talks that are of interest to me currently. As expected, AI is the hot topic and I’m looking to better understand other people’s viewpoints on it and how it’s used. Sometimes I’ll be in a talk where I don’t learn anything new but it confirms my current knowledge. I’ve also been in talks I didn’t plan to go to because I decided to go with someone else and they made a compelling case for the talk. The speaker is also a factor. I try to support the people I know by going to their talks.

That’s one of the things I do to prepare for a conference. I now have one less thing to worry about at the conference and can take it in more fully. I also have a plan that allows me to take full advantage of the conference. Leave a comment below with your tips for attending conferences. Also, come say “Hi!” if you’re at the summit.

Tim’s 2024 Palmetto Cyber Summit Schedule

Feb 21

3:00 - 3:45

  • SALON A - Security Protection Using OSINT - Kurtis Suhs

3:50 - 4:20

  • SALON C - Countdown to Industrial Extinction - Michael Holcomb

4:20 - 4:50

  • SALON C - The Future of Security: Embracing a Platform-Centric Approach - Ken Alexander


Feb 22

8:30 - 9:00

  • SALON B - Lessons Learned Applying Machine Learning in Cybersecurity - Jeff Janies

9:00 - 9:30

  • SALON B - What Neuroscience Taught Us About CyberSecurity in 1885 - Chip Reaves

11:15 - 12:00

  • SALON B - The Enhancement of Malicious Social Engineering with AI - Dr. Sybil Rosado

1:30 - 2:15

  • SALON B - Misinformation in the Age of Generative AI - Dr. Donnie Wendy

  • Backup: xIoT Hacking Demonstration and Strategies to Disappoint Bad Actors - SALON C - John Vecchi

2:20 - 2:45

  • SALON B - Using AI/ML to Manage Your Organization’s Cybersecurity Program - Tom Scott

  • Backup: SALON A - Automating Compliance - Carl Bjerke 

3:00 - 4:00 - This one is a bit of a toss up:

  • SALON B - Enhancing Cybersecurity: AI and Modern Threat Defense - Jim Hayes

  • SALON C - Know Yourself: We’ve Focused on Attackers for Too Long, it’s Time to Look Inward - Justin Scarpaci

This post first appeared on Exploring Information Security.


My Whoop stats from December 2022 to November 2023

New Years Resolutions: Taking small steps past January 31st

January 3, 2024

Not really a security topic but imagine I’m using a building-a-security-program analogy.

I’m not a New Years resolution guy. I think January 1 is an arbitrary date and if I’m going to make changes that stick I need to start now rather than later. I’ve started new habits in the middle of the year and on December 20th. I’ve found that I tend to be more successful when I just start. Three years ago I got a Whoop in November 2020 and it’s been tremendous for habit changes I want to make. It tracks my sleep and strain for the day using heart rate, respiratory rate, blood oxygen, and stress levels. I fill out a journal every morning on the habits and activities that affect my recovery. I’ve discovered valuable insights that have allowed me to make adjustments for the betterment of my health.

This is one of the things to remember when making changes to your life. It’s not one month and done. It’s a journey. The Whoop has helped with my journey because it provides me the data I need to make more targeted adjustments. It wasn’t something that happened overnight or even in a month and I’ve been working on some of my vices for over three years. It took me seven years to quit smoking in my 20s. I did that with small steps.

It’s the same thing for any habit change. It requires small progressive steps. Some people can quit cold turkey or make drastic changes. Good for them! I’m not one of those people, unfortunately. For me it’s small changes that help me make life changing habits. There have been setbacks. A lot of setbacks!

If you’ve set a New Years Resolution that’s great! Making changes is hard. I would advise patience and the acceptance that there will be setbacks. If there is a setback work to get back on track. If you keep plugging away at it you’ll get better and be healthier for it. Health is very important not only for yourself but also for your career.

This blog post first appeared on Exploring Information Security.


Tips to help build strong relationships inside and outside of work

December 21, 2023

I love the saying from Manager Tools.

“There are three types of power: technical power, role power, and relationship power. Relationship power is 75% of the power in an organization.”

I quote it a lot to people when I’m having discussions about organizations.

Building relationships with people internally is what has allowed me to be successful in my career. We cannot do it all on our own. The techniques for building relationships apply both internally to a company as well as outside of the company at networking events. Here are some of the things I have done to build strong relationships inside and outside an organization.


How to build relationships

Ask questions

The number one thing I use to build relationships is ask questions. Then I follow that up by actively listening to the answer and asking more questions.

People’s favorite subject is themselves. Getting them to talk about themselves makes them feel good. If you are asking the questions you are the reason for that feeling. People will pick up if you’re being inauthentic, so it really helps if the questions are coming from a genuine curiosity. Look at them and hear what they’re saying and ask follow up questions to what they have just said.

When I first started doing this it was pretty hard. I liked to interject my own commentary. As I worked on it it eventually became easier. It is okay to interject here and there but talking less and listening more overall will help endear you to people quicker.

This was the tool I found most effective working with developers. Code is a developer’s baby. They create it. They nurture it. They get frustrated when it doesn’t pass tests. They may have dropped it once or twice. It’s their baby though and coming in and calling it ugly (even if it is ugly) isn’t going to make many friends.

This is where questions help. Developers light up when you show an interest in their code (baby) and they will tell you everything about it. This helped me understand the code better and why it was written the way it was written, and it allowed me to have tough conversations with them when it was causing problems. I had built that trust and they knew I was only trying to help them make the best code possible.


Spend time together

When you spend time together there’s a bonding that occurs. This builds trust and allows for people to get to know each other better. I’ll go to lunch with people if asked or I’ll ask others if they are interested in going to lunch. It’s a great way to just have a normal conversation outside of work. Asking questions gives insight into the person.

If money is tight, this can be done at work. If there’s an open spot at a table ask to join (asking questions again ;). If there isn’t, often people will tell you to pull up a chair and join them anyway. Worst case look for someone else to sit with. People that are sitting by themselves usually won’t mind company.


Stay in touch

Make sure to stay in contact with people. This became harder with the pandemic and everyone working from home. Often I would reach out to them if we hadn’t chatted in a while and I was in a meeting with them. I’d shoot them a quick IM saying hi and asking how they were doing.

The Allen Curve is a study from the 1970s that described how, as distance increased between engineers, communication became less frequent. If you are wondering why CEOs want people in the office it’s because of The Allen Curve (a future blog post).

Image courtesy Clutch.co

I’m surprised at how many people are not familiar with this idea. Regardless, as distance increases communication decreases. It makes sense. When you were in school you stayed in contact with your classmates more often. As people moved, the communication between people became less frequent. You may have experienced this during the pandemic with coworkers. The person you got coffee with every morning and chatted with about work or real world events is someone you no longer communicate with on a regular basis. I’ve seen this apply with people just switching floors or moving to a different part of the building. The distance doesn’t need to be far for communication to drastically decrease.

If you are back in the office walking around can be a good way to stay in touch, as well as get a little exercise and a break from the computer. Working remotely is tougher. That’s why I set up reminders to connect with people every so often. This can be a week, month, months, or several months.

Reciprocity

Give without expecting something in return. First, this is a great feeling to just give without expecting something in return. Letting go of the return also helps with any frustration or anger that might occur from not getting something back. This can feel difficult because we all would like to think people will return the favor but it is something that can be practiced. Most people will want to return the favor. It might not be immediate but it will come at some point. Some people won’t return the favor. Either way we learn something about that person. Be careful to identify what people consider a favor because we’ll all have different ideas.

The five love languages is a great resource to read and understand. Some people just want help with their work. Others will want gifts or monetary compensation. Others will want praise. Understanding what drives people will help you better understand what they may give in return.

I enjoy helping others and would rather someone help me than give me a gift. I would often look into help desk tickets for others and try to push them along if I could. This was a small effort for me but paid off when I needed something from these same people. Often, because I had helped them they would return the favor.

Be yourself

Be genuine and authentic. People can tell if you’re just there to get something out of them. If someone determines another person has or is trying to manipulate them the relationship is toast. Be who you are and don’t try to be someone else. You can work to make positive changes in your behavior and habits but ultimately we’re all who we are. I’ve struggled with being myself. I want everyone to like me but that just isn’t possible. I’ve tried being someone else for people and it doesn’t work. I have improved how I interact with people but ultimately I have to still be true to myself and accept that I won’t connect with everyone.

Easy to start habits

Two techniques I like to tell people to start with are using people’s names and saying thank you. Again, people are their favorite subject and hearing their name is a good feeling. You’ll have to identify what and how people like to be called. Don’t just shorten people’s names because some people like being called by their first name. Some people like using their middle name or nickname. It is also a great way to start a conversation.

Say, “Thank you!” This is so easy to do and one of the least used techniques in the workplace. Say thank you to people for their work. Say thank you for getting you something. Say thank you for sharing their insights. It’s so easy to do and something people don’t hear enough.

Summary

Relationships are a very powerful thing. They can help advance a career and they can help get a job. To build a strong relationship, make it about the other person. Ask questions and spend time with them. Give without expecting something in return. This can feel very difficult because we are very transactional and want to get what’s rightfully ours. Most people will return the favor. The ones that don’t, you will still learn something about them.

Finally, be yourself and start small. Be who you are but realize you can make improvements to your behavior and habits. One of those can be using people’s names and saying “Thank you!” for something they’ve done. Gratitude is a powerful thing and makes you and the other person feel good.

How do you go about building good relationships with people? Leave a comment below.

Resources

If you want to learn more about social engineering check out my GitHub page, Social Engineering for the Blue Team. You can also click on the Social Engineering page or reach out to me directly with any questions you may have.

This blog post first appeared on Exploring Information Security.


Why Taking a Break is Important

November 29, 2023

Because we all need opportunities to recharge our brain. Even Bill Gates took a week off twice a year to recharge. I like to take a week in the spring and one in the fall just for myself to recharge. I usually play golf and video games during that week. I’ve found I’m stressed leading up to that week and recharged after the week. This is outside of family trips and vacations which can add a crinkle to taking time off if paid leave is limited. I’ve been fortunate to work at companies where I have quite a bit of time off and I can work from anywhere so I can maximize the time-off when I get there.

At one point I thought some friends and other people I knew who seemed to work all the time were different but eventually they burned out too. I do think tolerances are different and some people need less time away from others but we all eventually do need some time to unplug. And this isn’t going on vacation and answering emails or responding to alerts. It’s getting away completely. This was recently reaffirmed to me in my current role at an incident response company.

Notifications are the devil. Leaving notifications on is very much death by a thousand notifications. In my current role I’ve had email and multiple IMs on at the start. I’ve since reeled that in to just IM notifications and direct mentions specifically because no time of day or weekend was safe. Each notification requires brain energy. It’s like running a car: if you leave it on, even in park, it will run out of gas. That’s why turning off the car, and in this case notifications, saves some of that energy for when I need to make a trip.

As a leader I need to be conscious of it because I impact a lot more people at work. I remember delivering a performance review to someone in January and they were a little surprised at the exceeding expectations review I gave them. They told me that at the end of the year they were wondering what they had done wrong to tick me off. As I reflected I realized I was burnt out during that time. While I tried to put on a nothing-is-wrong face and I don’t yell at people, it was still pretty clear to the people that reported to me (and probably those that didn’t) that I was in a foul mood.

I also need to be watching out for my directs and ensuring they’re in the best state mentally. Again, some people are better at it than others, so identifying the people that need to be told to go on paid leave is important. People earlier in their career are usually the ones that will work until they have some sort of breakdown. I know I was and to a certain point I still am based on what happened as a manager. Coming from a military background and getting into the private sector I expected to be told when to go home sick and when to go on leave. By the way if you’re sick go away and if you’re in an office go home.

I had 60 days of leave available when I left the Navy. Now I did take that as terminal leave and enjoyed my last two months of service playing World of Warcraft: The Burning Crusade but it highlights that I really wasn’t taking time for myself. As we get older there are more and more stresses added to our life and career. Starting a family or having family members to take care of takes its toll. As we advance in our careers we get better at what we do and gain wisdom from our experiences but new problems like politics and health problems start to creep into our world. It’s more important than ever to make sure we are taking breaks to ensure we’re performing at our best.

This blog post first appeared on Exploring Information Security.

In Experiences, Advice Tags taking a break, Career, advice

The future of AI and security

September 25, 2023

Artificial Intelligence (AI) is quickly changing the landscape for all of our society. It will significantly change our way of life over the next 10 years similar to how computers and mobile devices impacted our lives. If you’re not getting familiar with it now you may get left behind. This website is really only possible because of AI and more specifically ChatGPT. I’m able to crank out articles and information way faster than if I were creating the website entirely by myself.

I note all the pages I’m creating with the help of ChatGPT at the bottom so people know when it’s me and when it’s AI. I’ll be doing the blog posts and AI will be helping me build out all the other pages. You’ll probably notice the difference pretty quickly. I’m noting this because I expect laws to come out in the future that require disclosure if AI was used in the creation of content. This is similar to how bloggers had to disclose if they were getting money from an entity as part of a post or other content on their website. Let’s dive into the predictions.

The government will regulate AI

As mentioned above the government will step in to ensure AI is being used in an ethical way. I’m curious how using AI to create things will hold up in court around topics such as copyright and data usage. I was hesitant to create an entire website and other documentation using AI because I don’t know if it would be considered plagiarism or copyright infringement. Amazon recently came out and limited self-publishing books to three a day. I think there are unforeseen things that will end up in discussion around AI and its use that will require regulation.

With any document being able to be fed into AI there’s a question for companies around sensitive data being leaked. This can be intellectual property and, more concerning, people’s personal information. As we see incidents where AI is leaking this type of information the government will step in and adjust laws and regulations, if not make new ones.

Creators will shift from writing to editing

This includes people like developers who are already using ChatGPT to write code. While AI is not any good at secure code review it can help developers get started with writing their own code. This can be a good thing as long as developers use it as a starting point and don’t just shove it right into production.

There’s no reason not to use ChatGPT as a first draft for things. I’ve written security policies for a company with just a couple hours of using ChatGPT and editing the output. This can be a good thing for smaller companies who don’t have a security team. Also, ChatGPT is able to write things in a much easier to understand format. Reading company policies may get a bit easier. Which leads into the next prediction.

This will disrupt documentation

If you’re in Governance Risk and Compliance (GRC) or some other discipline within security that focuses on documentation it’s a good idea to start getting familiar with ChatGPT. There are people already out there using it and their output is going to be significantly more than anyone not using ChatGPT. GRC will need fewer people to complete their work. The ones who embrace it will stay because their productivity level is higher.

Summary

AI is a step forward and I think it’s going to help in a lot of ways. Yes, there will be some bad things and misuses that occur but overall it’s progress for our society. People creating within the tech space will see the biggest benefit. It will reduce the amount of time it takes to get a written piece of code or document out the door.

As far as securing the data, there will be the usual growing pains when a new technology becomes easily accessible to everyone. Guardrails and guidelines will need to be put around the data as leaking the data is the biggest concern for AI. Its benefits though could be significant and so security will again have to balance innovation with keeping people’s information safe.

This blog post first appeared on Exploring Information Security

In Technology, Advice Tags AI, Predictions

Being a Security Generalist

August 3, 2023

I am a security generalist. That’s not something I’ve heard many people describe themselves as in the industry. In fact when I got into the industry I was told to specialize. That sort of happened with application security but I continued to get drawn back into more generalized roles. I have a diverse background in the field. I was IT focused for 10 years, five with the Navy and five with the State of South Carolina. Then I shifted into security and was one of three people wearing multiple hats. I did eventually get an appsec focused role but then the development team was cut and I now had appsec as well as security engineering and pentesting. Which I was fine with. The company was great and the opportunity was interesting. Plus, I actually wanted to get into management.

I certainly think you can specialize but I think it’s okay to be a generalist too. In fact some people just have that mindset. They enjoy learning a bunch of different things instead of diving into one particular subject. This website and the podcast are a testament to that. I can certainly specialize. I did it well with application security but I can also shift into other fields. I’m now in an incident response role. I’ve never been one to dig too deep. Once I get to a certain level of knowledge with a particular topic I start to get bored. I need a constant challenge.

The downside of course is that there is no generalist role in security unless you consider management. Which has its own skillset outside of technical ability. I’ve struggled to prove to people on paper that I can do the job with such a diverse background. This is why networking is so important within the field. My current role came about because I knew several people at the company and they knew me and had no qualms about my ability to contribute to the company.

After 20 years of being in IT and security I’ve seen a lot of roles start to specialize. When I came up we wore many different hats across multiple fields. So, it may become harder to be a generalist. The issue I have with that is if someone goes down a path and then discovers it’s not for them. I do not want to be in a security operations center looking at logs all day. I did the job fine but four months in I was ready to be out because I felt like I was chained to my desk. Some people are fine with that. I’m just not one of them.

I encourage everyone just getting into the field to be okay with not knowing and to explore options. If something clicks then stay if not move onto something else and try that. If you do that (or have done that) enough times and nothing really sticks or you keep getting drawn back to other fields then maybe you’re a security generalist. That’s okay because we need security generalists too.

This blog post first appeared on Exploring Information Security

In Advice Tags advice, career