Too Good to Be True? Text-Based Job Scam are Spiking

April 7, 2025

Feel free to take this blog post and use it for your own internal security awareness program.

Have you ever received a text message offering a part-time job with incredibly high pay and flexible hours? It might sound like the perfect opportunity—until you look a little closer. Over the weekend I received the text below.

At first glance, it seems like a dream gig: no experience needed, immediate pay, and high earnings. But this is a classic job scam designed to lure you in and exploit your trust. Scammers are aware of the current state of the U.S. economy and they are looking to exploit it for their own financial gain.

How These Scams Work:

Initial Hook: They send a message with flattery and a compelling offer.
Urgency or Exclusivity: They claim they found your profile and that it’s a unique opportunity.
Off-Platform Contact: You’re asked to message them on WhatsApp or Telegram—a red flag.
Fake Training or Tasks: You may be asked to complete “trial” work or even pay a fee up front.
Financial Risk: Scammers might ask for personal sensitive information, send fake checks, or trick you into forwarding money.

Red Flags to Watch For:

Vague company info (DSL? TEMU merchants?).
Unrealistic pay for minimal effort.
Requests to communicate on encrypted apps like WhatsApp.
Spelling and grammar issues or overly generic language.
No official email or website.

What You Can Do:

Don’t respond to the message.
Don’t click any links or share personal info.
Report the message to your mobile provider (forward to 7726).
Block the number and delete the message.

Stay alert. If a job offer seems too good to be true—it probably is.

Double-Check Before You Hit Send: A Real-World Reminder with Lessons for Healthcare

March 27, 2025

I created this blog post to share internally as part of security awareness. It’s focused on healthcare but feel free to grab and adjust based on your organization.

We often remind staff to double-check before sharing sensitive information—but a recent national security incident shows just how critical that habit really is. If top government officials can make this kind of mistake, so can we—and in healthcare, the consequences can be just as severe.

What Happened?

Recently, a Signal group chat meant for senior U.S. national security officials mistakenly included Jeffrey Goldberg, editor-in-chief of The Atlantic. The chat included operational details about military actions and involved key figures like the Secretary of Defense and CIA Director. The worst part? No one noticed Goldberg was there. He even left the group on his own, without anyone asking who he was or why he left.

The entire exchange happened on personal devices, outside of secure government systems—an environment where sensitive discussions have no business taking place.

Why This Matters in Healthcare

This story should strike a chord in healthcare. We work in an industry where confidentiality isn’t just a best practice—it’s the law. Whether it’s a patient’s diagnosis, treatment plan, or billing information, sharing sensitive data with the wrong person can lead to HIPAA violations, fines, reputational damage, and—most importantly—a loss of patient trust.

And here’s something we can’t overlook: internal mishaps cause more security incidents than external attacks. It’s not always hackers or ransomware actors—it’s misdirected emails, accidental disclosures, and staff using unapproved tools for convenience. These are preventable mistakes, but only if we stay mindful of how we handle sensitive information.

Best Practices for Handling Sensitive Information

Verify recipients: Before sharing anything patient-related, make sure you’re communicating with the right colleague—especially in group chats or email threads.
Use approved platforms: Consumer apps like Signal or iMessage are not secure for handling protected health information (PHI). Stick to tools your organization has approved for sensitive communication.
Be aware of who's listening: Just because someone is in a conversation doesn’t mean they should be. If you don’t recognize a name, say something.
Treat names and dates as sensitive too: Even something as simple as a patient’s name and appointment time can be considered PHI under HIPAA.

Security culture in healthcare means asking the hard questions, slowing down when it matters most, and protecting every patient’s privacy—one message at a time. Because it’s not just about following rules. It’s about earning the trust our patients place in us every single day.

How to Participate in a CTF: A Beginner’s Guide to Capture The Flag Competitions

February 25, 2025

Generated by ChatGPT with some light editing based on a conversation from a live recording of the podcast with Corelight. The live recording is available on YouTube.

Why Should You Participate in a CTF?

CTFs provide an interactive way to develop technical skills, enhance problem-solving abilities, and gain practical security knowledge. Here’s why you should consider joining one:

Hands-on Learning – Apply security concepts in a real-world setting.
Team Collaboration – Work with others to solve complex problems.
Networking Opportunities – Connect with industry experts and fellow security enthusiasts.
Skill Validation – Test your knowledge against different challenge levels.
Fun and Competitive – Experience the thrill of hacking in a safe and controlled environment.

Getting Started with CTFs

Choose the Right CTF

If you’re new, start with beginner-friendly CTFs, such as:

OverTheWire: Bandit (for Linux basics)
PicoCTF (a beginner-friendly CTF created by Carnegie Mellon University)
Hack The Box (provides a variety of cybersecurity challenges)

For more advanced competitions, check CTFTime.org, which tracks global CTF events.

Learn Essential Tools

Familiarize yourself with tools commonly used in CTF challenges:

Wireshark – For network traffic analysis.
Burp Suite or OWASP ZAP– For web security testing.
Zeek – Open-source network monitoring.
John the Ripper – For password cracking.
Ghidra or IDA – For reverse engineering binaries.

Understand Common CTF Categories

Cryptography – Solving encrypted messages and ciphers.
Web Exploitation – Identifying vulnerabilities in web applications.
Forensics – Investigating and analyzing system data.
Reverse Engineering – Understanding how compiled programs work.
Binary Exploitation – Discovering and exploiting vulnerabilities in executable files.

Practice, Practice, Practice

CTFs require a mix of technical knowledge, creativity, and persistence. Some great platforms to practice include:

TryHackMe
Hack The Box
OverTheWire
CTFTime.org
SANS Holiday Hack Challenge (for past challenges and write-ups)

Join a Team or Community

Many CTFs allow team participation, which can be a great way to learn from experienced players. Joining security communities, such as local security meetups, Discord groups, or Defcon groups, can help expand your knowledge.

Avoiding Common Mistakes

Overthinking – Many CTF challenges have simple solutions. Read questions carefully before diving deep.
Not Taking Breaks – If you get stuck, step away for a few minutes and return with a fresh perspective.
Skipping Documentation – Reviewing tool documentation can help you understand how to use them effectively.

Conclusion

Participating in a CTF is one of the most effective ways to learn cybersecurity hands-on, improve your problem-solving skills, and engage with a vibrant cybersecurity community. Whether you’re competing for fun, skill-building, or career advancement, CTFs offer an exciting way to test your knowledge and push your limits.

By choosing the right challenges, using the appropriate tools, and learning from others, you’ll develop a strong cybersecurity foundation that will benefit you in your career.

Tax Fraud: How to Avoid Criminals Filing Fraudulent Returns

January 30, 2025

This is a post I put together for my own internal security awareness program. Feel free to grab and use within your own organization. Created with help from ChatGPT.

Tax season is a time when individuals and businesses focus on filing their returns and securing their refunds. However, it is also a prime opportunity for fraudsters looking to exploit the system. One particularly alarming form of fraud is when criminals file tax returns on behalf of individuals without their knowledge, stealing valuable refunds in the process. This type of fraud, known as tax-related identity theft, can have serious financial consequences for the victim. In this post, we'll dive into how this scheme works, its impact, and the steps you can take to protect yourself.

How the Scheme Operates

Data Acquisition Criminals obtain personal information through a variety of methods, such as data breaches, phishing attacks, or purchasing stolen data from underground markets. This personal information—such as your Social Security number and other identifying details—becomes their key to committing fraud.
Filing False Returns Once they have the necessary information, criminals file tax returns on behalf of individuals without their consent, typically early in the tax season to get ahead of the legitimate filer.
Refund Diversion The fraudsters request that the refund be deposited into bank accounts they control, bypassing the rightful taxpayer entirely. By the time the legitimate taxpayer files their return, the criminals have already claimed the refund.

Consequences for Victims

Delayed Refunds The IRS will flag the duplicate filings, resulting in significant delays for the legitimate taxpayer's refund. This can cause frustration and financial strain, especially if the refund was anticipated to cover expenses.
Tax Liabilities Victims may find themselves liable for taxes owed on fraudulent returns filed by the criminals. This unexpected liability can lead to a tax debt that wasn’t part of the original financial planning.
Identity Theft Beyond the immediate tax consequences, the stolen personal information can be used in other fraudulent activities, such as opening new credit accounts or applying for loans in the victim’s name.

How to Protect Yourself

File Early One of the best ways to prevent criminals from filing fraudulent returns is to file your taxes early. The sooner your return is filed, the less likely criminals are to file a fake return using your information. Early filing reduces the opportunity for fraudsters to get to your refund first.
Use a Reputable Tax Service Ensure that the tax preparer you use is legitimate and has a good reputation. If you're using a tax professional, verify their credentials, such as their IRS Preparer Tax Identification Number (PTIN). Check online reviews or ask for referrals from trusted sources to avoid working with fraudulent tax preparers who might exploit your information.
Consider an Identity Protection PIN (IP PIN) The IRS offers an Identity Protection PIN program, which provides an added layer of security for taxpayers. This PIN is used when filing taxes and helps prevent unauthorized returns from being filed in your name.

Conclusion

Tax fraud in the form of criminals filing fraudulent returns can cause significant stress and financial loss. By understanding how the scheme works and taking proactive measures, you can better protect yourself from becoming a victim. Filing early, using a reputable tax service, monitoring your personal information, and using additional security measures like an IP PIN are all critical steps in preventing and mitigating the effects of tax-related identity theft.

Beware of Fake Job Offers in the 2025 job market

January 17, 2025

In today's job market, the allure of remote work has become increasingly enticing. However, companies have started to shift away from remote work post-pandemic and are requiring more in-person or hybrid for employees. Combine that with the downsizing companies are going through at this time and job scams are going to pop up on a more regular basis. Recently, I got the above text from a “recruiter.”

While this might seem like a great opportunity it’s a scam. A job offer does not typically come over text nor does it happen without an interview. This is a path to getting personal information, financial, or drawn into the scam ecosystem as a money mule.

The Scam: Too Good to Be True

The scam typically begins with an unsolicited message from an individual claiming to be "Emily," a customer service agent at Bonanza. The message outlines an attractive remote position with the following promises:

High Earnings: Potential to earn between $50 to $500 per day, with a base salary of $1,000 for every four days worked.
Flexible Hours: Commitment of just 60 to 90 minutes per day.
Comprehensive Benefits: Offers include paid annual leave, maternity and paternity leave, and other legal holidays.
Minimal Effort: Assurances of free training and a guaranteed paid probation period.

Recipients are encouraged to respond to a provided phone number to seize this "opportunity."

Red Flags in the Offer

While the proposition may appear appealing, several indicators suggest it's a scam:

Unsolicited Contact: Legitimate companies seldom extend job offers without prior interaction or application. Receiving such a message without prior engagement is suspicious.
Free Email Account: This text was sent with a Gmail account that anyone that is available to anyone for free.
Exaggerated Earnings and Benefits: Promises of substantial income for minimal work are classic red flags. Genuine employers provide realistic compensation aligned with industry standards.
Vague Job Description: The lack of specific details about job responsibilities, using ambiguous phrases like "helping merchants update data," is a common tactic to obscure the scam's true nature.
Urgency to Respond: Scammers often create a sense of urgency to prevent thorough consideration. Pressuring immediate action is a tactic to catch victims off-guard.
Unprofessional Communication: Errors in grammar, informal language, or inconsistencies in the message are telltale signs of fraudulent communication.
Request for Contact via Personal Number: Legitimate companies typically use official communication channels. Requests to contact personal numbers are uncommon and suspicious.

What Happens If You Respond?

Engaging with the scammer can lead to several detrimental outcomes:

Phishing for Personal Information: Scammers may request sensitive data, such as Social Security numbers or banking details, under the guise of processing employment paperwork.
Upfront Payments: Requests for fees covering "training" or "equipment," with promises of reimbursement, are common. Once paid, these funds are unrecoverable.
Identity Theft: Shared personal information can be exploited for identity theft, leading to financial and legal complications.
No Real Job: After extracting money or information, the scammer disappears, leaving the victim without employment and at a loss.
Become a Money Mule: A money mule is someone who transfers or moves illegally acquired money on behalf of others, often unknowingly.

Protecting Yourself from Job Scams

To shield yourself from such fraudulent schemes, consider the following precautions:

Research the Company: Visit the official website and verify job postings. Authentic opportunities are listed on company websites or reputable job boards.
Verify the Contact: Ensure that communications come from official company channels. Be wary of contacts using personal email addresses or phone numbers.
Be Skeptical of Extravagant Claims: If an offer seems too good to be true, it warrants skepticism. Legitimate jobs have clear expectations and reasonable compensation.
Never Pay to Work: Authentic employers do not require upfront payments for any reason.
Report Suspicious Offers: Report potential scams to the Federal Trade Commission (FTC) at ReportFraud.ftc.gov and to the platform where the offer was encountered.

Conclusion

Scammers continually adapt their tactics to exploit the evolving job market and technological landscape. By staying informed and vigilant, you can protect yourself from falling victim to such schemes. Always verify the legitimacy of job offers and remain cautious of unsolicited communications. Remember, if something feels amiss, it's worth investigating further. Stay safe and informed in your job search and digital interactions.

DHHS Angry Translator: Breaking Down the Latest HIPAA Security Rule Proposal

January 7, 2025

Let’s face it: regulatory updates like those from the Department of Health and Human Services (DHHS) often come wrapped in a blanket of formal language that makes you wonder, What are they really saying? Enter the DHHS Angry Translator, here to break it down and tell it like it is. Like the recently introduced CISA Angry Translator, the DHHS Angry Translator, Hank, has a no-nonsense take on the proposed changes to the HIPAA Security Rule—because sometimes, you need a little fire to get the message across.

Created with help from ChatGPT

DHHS Says:
"Covered entities and business associates must adopt reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI."

Hank:
"Look, people! You’re handling sensitive health information here—stop treating it like a casual to-do list. Lock it down! If you wouldn’t leave patient records lying around in a coffee shop, don’t let your servers be a free-for-all!"

DHHS Says:
"We propose clarifying the definition of 'security incident' to ensure timely identification and response to unauthorized access, use, or disclosure of ePHI."

Hank:
"Translation: Stop pretending you didn’t notice the breach. When someone jiggles the doorknob, that’s your cue to ACT, not wait for the whole door to come down!"

DHHS Says:
"Entities must perform regular risk assessments to identify vulnerabilities and implement measures to mitigate those risks effectively."

Hank:
"Let me break it down for you: Take a good, hard look at your systems. If you see a crack, fix it! Don’t wait for a cybercriminal to make it a canyon!"

DHHS Says:
"The proposed changes aim to enhance accountability and transparency in managing ePHI security."

Hank:
"Translation: If you mess up, we’re coming for you. There’s no hiding anymore. Either you get your house in order, or we’ll do it for you—with penalties."

DHHS Says:
"We propose revisions to the administrative safeguards, emphasizing the necessity of documented policies and procedures for incident response and risk management."

Hank:
"Y’all need to WRITE THIS DOWN! A half-baked plan in someone’s head doesn’t cut it. If a breach happens and your response is ‘Uh... what now?’—you’re already toast!"

DHHS Says:
"The proposal includes requirements to integrate continuous monitoring into risk management practices for ePHI security."

Hank:
"‘Continuous monitoring’ means don’t just check your security once a year like it’s a New Year’s resolution. Stay on top of it! Hackers aren’t taking vacations—they’re coming for you every day!"

DHHS Says:
"Entities must evaluate their use of encryption to ensure ePHI remains secure during transmission and storage."

Hank:
"If your data isn’t encrypted, it’s like sending patient records via postcard: everyone can see it! Encrypt. Everything. Period."

DHHS Says:
"We are revising technical safeguard requirements to account for emerging technologies and new cybersecurity threats."

Hank:
"Translation: If you’re still using security from the early 2000s, it’s time for an upgrade. Hackers have moved on, and so should you!"

DHHS Says:
"Workforce training should address phishing attacks, unauthorized device use, and secure access to ePHI."

Hank:
"Teach your people that clicking shady links isn’t just a bad idea—it’s a disaster waiting to happen. Also, tell them to stop using their cousin’s unsecured iPad for work!"

DHHS Says:
"The proposed changes highlight accountability mechanisms for business associates handling ePHI."

Angry Translator:
"Listen up, third parties: If you’re touching ePHI, you’re on the hook too. No more pointing fingers when things go wrong. Handle the data like it’s your grandma’s—or get burned!"

DHHS Says:
"Periodic evaluations of safeguards will ensure compliance with evolving security standards."

Angry Translator:
"‘Periodic evaluations’ means you don’t just set it and forget it. Check your defenses regularly, or you’ll be picking up the pieces after the next attack!"

Final Note from the Angry Translator:
"This proposal isn’t just about checking boxes—it’s about protecting people. If your security plan is older than your favorite streaming service, fix it. Now. Because when things go wrong, it’s not just your reputation on the line—it’s patients’ trust and safety too."

The commenting period for the HIPAA Security Rule Draft is open until March 7, 2025. If you’re at a healthcare organization make sure to consume it and submit your public comments. I am currently doing a deep dive on the proposal and will have thoughts in a future blog post.

Avoiding Legal Landmines in Incident Response: A Practical Guide for Security Teams

December 10, 2024

The information provided in this blog post does not, and is not intended to, constitute legal advice; rather, the ensuing conversation is for general informational purposes only.

In today’s cybersecurity landscape, responding swiftly and effectively to security incidents is critical. However, navigating the legal implications during an incident is equally vital to protect an organization from further liabilities. This guide covers essential strategies for avoiding the most common legal pitfalls in incident response (IR), based on insights from my recent podcast episode with cybersecurity attorney Thomas Ritter Exploring Legal Landmines in Incident Response.

Use Careful Terminology: “Incident” vs. “Breach”

When a security event occurs, the language you use to describe it can have significant legal implications. Terms like “breach” have specific legal definitions that can trigger mandatory notification requirements or other regulatory obligations. As a best practice, use neutral terms like “incident” until the situation is fully assessed by legal counsel.

Tip: Train your teams on preferred terminology and involve legal early in the process to make sure everyone understands when and how to escalate terms like “breach.”

Establish Attorney-Client Privilege Early

Engaging external counsel immediately after a security incident helps protect sensitive communications and investigative findings under attorney-client privilege. This protection is crucial should your organization face litigation, as it limits the exposure of certain communications during the discovery process.

Tip: Collaborate with your legal team to establish protocols for involving external counsel, even for minor incidents, to ensure privilege is in place if needed.

Refine Your Communication Strategy

Transparency is key during incident response, but be cautious with internal and external communications, especially in the early stages. Avoid speculative statements and keep communications brief until forensic findings provide a clearer picture.

Tip: Work with your legal and PR teams to develop standardized communications templates for different scenarios, ensuring clarity and consistency without compromising on accuracy.

Define Roles and Responsibilities in Your IR Plan

Many incident response plans (IRPs) lack a clear delineation of responsibilities, particularly regarding who determines when an incident becomes a breach. Ideally, legal counsel—preferably external—should make this determination to preserve objectivity and privilege.

Tip: Review your IRP to ensure that roles and escalation points are well defined, with legal counsel involved at key decision points.

Handle Ransomware Negotiations Carefully

Ransomware incidents often involve complex decisions about whether to engage with or pay threat actors. Professional negotiators can play a valuable role here, as they are well-versed in handling threat actor communications and negotiating terms without compromising your organization’s legal standing.

Tip: Always hire professionals for ransomware negotiations. Amateur negotiators risk mishandling sensitive communications, which can exacerbate both financial and reputational damage.

Prepare for Possible Class Action Litigation

In the event of a data breach, it’s increasingly common for affected parties to file class action lawsuits. Many legal teams recommend proactive measures to limit liability, such as documented protocols that show your team acted swiftly and responsibly during the incident.

Tip: Ensure your IR documentation is thorough and compliant with industry standards, as this can provide valuable evidence should litigation arise.

Use Tabletop Exercises to Strengthen Incident Preparedness

Incident response tabletop exercises, especially those involving executive teams, help prepare your organization to navigate both operational and legal complexities in a crisis. In addition to familiarizing staff with the IRP, tabletop exercises offer an opportunity to practice coordination with legal counsel, PR, and executive stakeholders.

Tip: Schedule annual or biannual tabletop exercises that simulate high-stakes incidents, like ransomware attacks, to ensure all teams are familiar with legal protocols.

Conclusion: A Proactive Legal Strategy in Incident Response

Responding to a security incident without considering legal implications can expose your organization to additional risks. By carefully navigating language, establishing attorney-client privilege, and preparing staff with tabletop exercises, your organization can avoid many of the legal pitfalls associated with incident response. Whether preparing for regulatory inquiries or class action lawsuits, these best practices can help your organization respond to incidents effectively and with minimized legal exposure.

Key Takeaways from NIST SP 800-50r1 – Building a Cybersecurity and Privacy Learning Program

December 2, 2024

In September 2024, the National Institute of Standards and Technology (NIST) released the updated Special Publication (SP) 800-50r1, "Building a Cybersecurity and Privacy Learning Program." This is an update to the 2003 NIST Special Publication (SP) 800-50, Building an Information Technology Security Awareness and Training Program. I hadn’t realized that there was a NIST publication on building a security awareness program. It’s good to see an update after 21 years! Here's a look at the key insights and recommendations from the updated publication. This was written with the help of ChatGPT.

Understanding THE Cybersecurity and Privacy Learning Program (CPLP)

Name Change! The document introduces the Cybersecurity and Privacy Learning Program (CPLP) as an overarching framework that includes awareness campaigns, role-based training, and workforce education initiatives. Aimed at fostering a culture of security and privacy, the CPLP is a strategic effort to manage risks and comply with federal regulations, such as FISMA. With privacy becoming a much bigger topic in the last 10 years, rolling it into an cybersecurity awareness program makes sense. This could cross multiple teams depending on how an organization is setup.

CPLP emphasizes awareness and education, incorporating role-specific training alongside general awareness activities, and focuses on encouraging behavior change to reduce risks and foster a culture of security. Continuous improvement is integral, with metrics and evaluations used to adapt programs to evolving needs.

The CPLP Life Cycle

NIST defines a four-phase life cycle for managing CPLPs: Plan and Strategy; Analysis and Design; Development and Implementation; and Assessment and Improvement. These phases involve developing a strategic vision that aligns learning objectives with organizational goals, identifying learning needs and creating tailored program designs, building or procuring learning materials and deploying the program, and measuring effectiveness while refining strategies based on outcomes. This iterative approach ensures that the CPLP remains dynamic and aligned with organizational needs.

Leadership and Organizational Roles

The success of a CPLP hinges on active involvement across all levels of the organization. Senior leadership plays a crucial role in providing strategic direction and resources, while CPLP managers oversee program design, delivery, and metrics. System users, on the other hand, are responsible for adhering to policies and participating in required training. Leadership participation, such as senior leaders engaging in training themselves, reinforces the importance of the program. Leadership buy-in is the first step to getting any sort of program off the ground. Heavily regulated industries are easier to get buy-in for than others.

Metrics and Measurements

Effective CPLPs rely on a mix of quantitative and qualitative metrics to evaluate success. Quantitative metrics include training completion rates, reductions in incidents, and compliance statistics, while qualitative metrics involve employee feedback, focus group discussions, and behavioral observations. NIST emphasizes using these metrics not just for compliance but to drive meaningful behavior change and demonstrate return on investment.

This section was helpful for thinking about what sort of metrics to have. One of the examples brought up is click rate which is a highly volatile statistic. A better statistic is report rate which is a positive behavior an organization wants to encourage within their population. The document doesn’t define what an organization should have for metrics but instead provides guidance.

Integrating Privacy into Cybersecurity Training

One of the standout updates in SP 800-50r1 is the seamless integration of privacy training into cybersecurity programs. It highlights the interconnected nature of these disciplines and the need for training to address both cybersecurity incidents and privacy risks, such as data re-identification or misuse. Teaching employees about privacy risks enables them to recognize potential problems and implement procedures that minimize such risks.

This is big within healthcare. Reports like the Verizon Data Breach Investigation Report show that the healthcare industry has higher internal threat actors due to mistakes and errors with handling information. This can lead to huge privacy implications for the organization.

Tailored Training for Diverse Audiences

CPLPs should be segmented to address specific needs. General users benefit from training on fundamental security practices, such as phishing awareness, while privileged access holders require advanced training on managing sensitive systems. Those in specialized roles undergo deeper training specific to their risks and responsibilities. Tailoring training ensures that it remains relevant and impactful for all user groups.

Easy to suggest much harder to do. A good starting point is what’s mentioned in the publication: all users; privileged access account holders; new employees; and staff with cybersecurity and privacy responsibilities. Tailored training should be broken down further into departments such as service desk and finance but this is a good starting point.

Focusing on Improvement Without Punishment

One of the critical takeaways from NIST SP 800-50r1 is the emphasis on using cybersecurity exercises, such as phishing tests, as opportunities for learning and improvement rather than punishment. The publication highlights the importance of informing employees that these exercises are conducted randomly and that the results will guide future learning activities. Such exercises should not be punitive, nor should employees be singled out for their responses. By framing these activities as learning opportunities, organizations can gather valuable data on vulnerabilities while fostering a supportive environment that encourages employee growth and engagement with cybersecurity practices.

A Culture of Learning

At its core, SP 800-50r1 promotes a culture of continuous learning and adaptation. From onboarding new employees to advanced training for cybersecurity professionals, the document underscores the importance of embedding cybersecurity and privacy awareness into organizational DNA. By viewing cybersecurity and privacy learning as an evolving process, organizations can be prepared for emerging risks and technologies.

Conclusion

NIST SP 800-50r1 offers a robust roadmap for organizations looking to strengthen their cybersecurity and privacy posture. For organizations aiming to enhance their cybersecurity and privacy programs, reading SP 800-50r1 is a great starting point. A focus on building culture and rewarding people will help change behavior and reduce the human element in incidents.

Explore the full NIST SP 800-50r1 publication here.

The 12 Scams of The Holiday Seasons: How to Stay Safe This Holiday Season

November 26, 2024

I wrote this for a security awareness program with help from ChatGPT. Feel free to grab and share within your own organizations.

The Better Business Bureau (BBB) has long been a trusted resource for protecting consumers and promoting trustworthy business practices. Their mission to provide valuable insights and tools to stay vigilant against fraud is especially critical during the holidays. This year, the BBB has compiled a list of the "12 Scams of Christmas" to help ensure your festive season remains joyful and scam-free.

Here’s a quick overview of these scams and how to protect yourself:

Fake Social Media Ads: Beware of deals that are too good to be true—they may lead to counterfeit or undelivered goods.
Gift Exchange Scams: Pyramid schemes disguised as “fun” gift exchanges often harvest personal information.
Holiday Apps: Some seemingly festive apps collect data or install malware on your device.
Fake Toll Texts: Scammers target holiday travelers with bogus unpaid toll notifications.
“Free” Gift Cards: Phishing emails offering gift cards often aim to steal sensitive data.
Seasonal Job Scams: Fake job listings trick job seekers into providing personal or financial details.
Impostor Scams: Fraudsters pose as customer service reps or mimic legitimate websites.
Fake Charities: Scammers take advantage of the season’s generosity with fraudulent donation appeals.
Phishing Shipping Notifications: Fake alerts about undelivered packages are phishing attempts.
Advent Calendar Scams: Low-quality or nonexistent calendars sold by untrustworthy vendors.
Shady Pop-Up Shops: Temporary retailers that vanish with your money or sell counterfeit goods.
Too-Good-To-Be-True Travel Deals: Unrealistically low offers designed to scam travelers.

How to Stay Safe:

Be skeptical of deals that sound too good to be true.
Verify sellers, charities, and offers through trusted sources.
Avoid clicking on unsolicited links or emails.

The BBB offers a wealth of information to help you navigate the holiday season safely. For the full list of scams and detailed safety tips, visit their 12 Scams of Christmas page.

This holiday season let’s protect our wallets and our personal information while spreading cheer and generosity. A little awareness can go a long way in keeping the holidays merry and bright!

How to Get a Pentest: A Step-by-Step Guide for Organizations

September 23, 2024

I like to call them security assessments. A test you can flunk; an assessment tells you where you’re at.
-Dave Chronister founder of Parameter Security

In today's rapidly evolving cybersecurity landscape, penetration testing (pentesting) is a crucial practice for organizations aiming to protect their systems and data. Pentesting involves simulating cyberattacks to identify vulnerabilities in a company’s infrastructure, allowing businesses to fix potential weaknesses before malicious actors can exploit them. But how do you approach getting a pentest, and what should your organization consider? Here’s a step-by-step guide to help you navigate the process.

Why Should Your Organization Get a Pentest?

Pentesting is essential for organizations of all sizes and industries. It provides a proactive approach to cybersecurity by identifying vulnerabilities and offering actionable solutions. Companies should consider scheduling a pentest if they are experiencing any of the following:

Deployment of new systems or applications
Significant organizational changes, such as mergers or expansions
Meeting compliance requirements (e.g., PCI-DSS, HIPAA)
Preparing for audits or certifications
Regular cybersecurity maintenance to ensure ongoing protection

In short, a pentest is your best defense against unknown vulnerabilities that could put your business at risk of being compromised.

Common Misconceptions About Pentesting

Many businesses have misconceptions about pentesting when they first approach the process. Some think it's a one-time event or believe that only large enterprises need it. In reality, pentesting should be a continuous part of an organization’s cybersecurity efforts. Even small businesses and startups can be targets for cyberattacks, making it essential to stay vigilant.

Additionally, pentests do not guarantee total security; instead, they highlight risks and provide insights to improve overall security measures.

Preparing for a Pentest

Before reaching out to a pentesting service, companies should take several steps to prepare:

Identify scope: Determine whether you want to test your entire network, specific applications, or particular security controls.
Understand your risks: Have an internal discussion to identify the most important assets of the organization.
Ensure cooperation: Make sure relevant teams are on board and ready to provide necessary information to the pentesters.
- Relevant teams could include: Infrastructure, networking, application owner, development. and leadership.
Plan for remediation: Have a plan in place to quickly address vulnerabilities that the pentesters may find.
Avoid Q4 pentests: The fourth quarter of the year is notorious for being the busiest time of year for companies that do pentests because organizations have waited too long to get their annual assessment done. Try to get pentests scheduled earlier in the year and spread them out if multiple are needed.

Proper preparation will not only streamline the process but also ensure the pentest delivers valuable results.

What Information Should You Provide to Pentesters?

To get the most accurate and comprehensive results, your organization needs to share critical information with the pentesters, including:

Network architecture details
System configurations
Known vulnerabilities or past security incidents
Specific security policies and procedures This collaboration ensures that the pentesters have a clear understanding of your environment and can deliver actionable insights tailored to your organization's needs.
A single point of contact for regular and emergency communication.

How to Choose the Right Pentesting Provider

Choosing a pentesting provider can be daunting, but there are several factors to consider to ensure you're making the right decision:

Certifications and Experience: Look for certifications such as OSCP, CEH, or CREST, but also ask about the provider’s industry experience. This can also include profiles on the individuals that will be performing the assessment.
Client References: Request client references or case studies to understand their track record.
Methodology: Ensure they use recognized frameworks like PTES for pentesting in general, OWASP for web applications or NIST for broader networks.
Communication: A strong pentesting provider should communicate clearly, explaining technical details in a way that stakeholders at all levels can understand. Avoid providers who overpromise or seem to offer too-good-to-be-true results—security is complex, and no single test can guarantee protection.
Reporting: A sample report will allow organizations to see how the report overall is structured. If a pentest is unwilling to provide one that’s a red flag.
Pricing: Pentests are expensive. If a company comes in significantly lower than other pentest companies then this is an indication that the company lacks the proper skillset or outsources to a company with cheap labor.

The Pentesting Process: What to Expect

Once you’ve chosen a provider and prepared your organization, the pentest begins. Here’s an overview of what you can expect during the process:

Initial Scoping: The pentesting team will meet with you to define the scope of the test and identify what will be targeted.
Rules of Engagement: This ensure that everyone is aligned on the goals, risks, and limitations of the engagement
Testing Phase: The pentesters will simulate attacks based on the agreed-upon scope. This can include network testing, application testing, or social engineering.
Reporting: After the test, the pentesters will compile a detailed report outlining the vulnerabilities they discovered, along with recommendations for remediation.
Debrief: The pentesting team will explain the findings and answer any questions. They may also help prioritize which vulnerabilities to address first and any technical questions on the exploitability of a vulnerability.

Different Types of Pentests: Black-Box, Gray-Box, and White-Box

Not all pentests are the same. Depending on your needs, you might choose between different types:

Black-Box Testing: The pentesters have no prior knowledge of the environment. This simulates how an outside attacker would approach your systems. This will often take the most time and be the most expensive.
Gray-Box Testing: The pentesters have limited knowledge, like login credentials or partial access. This allows for a balance between simulating internal and external threats.
White-Box Testing: The pentesters have full access to system information, source code, and infrastructure. This test is the most thorough but requires significant collaboration. This is the most comprehensive and the most efficient for both time and budget.

Each type offers different insights, and choosing the right one depends on your objectives and current security posture.

Understanding Pentesting Reports

A pentesting report is one of the most important deliverables of the process. It typically includes:

Detailed vulnerability findings: With severity rankings for each issue.
Recommendations for fixes: Practical steps your organization can take to address the vulnerabilities.
Risk analysis: How each vulnerability impacts your overall security.

Your team should use the report as a roadmap to improve security, focusing first on high-severity issues.

What If No Vulnerabilities Are Found?

If a pentest finds no major vulnerabilities, that’s great news! However, it doesn’t mean your company is fully secure forever. Cybersecurity is a continuous process, and as new threats emerge, regular pentests are necessary to stay ahead of potential risks.

Innovative Trends in Pentesting

As cybersecurity threats evolve, so does the practice of pentesting. Organizations should stay aware of trends like:

Bug Bounty Programs: More companies are adopting crowd-sourced pentesting through ethical hacker communities. These programs are for mature companies that have address findings from several previous pentests. Bug bounties often require some sort of compensation to get value out of the program. If the environment is not in a state of low findings then the organization will be buying out large sums of bounties.
Automated Pentesting: This is not a pentest. While adding it can help improve security it will have lots of false positives and only catch low hanging fruit. At the time of this blog post, nothing can replace a humans critical thinking in regards to a pentest.

By staying on top of these trends, businesses can ensure their security practices remain effective and up to date.

Conclusion: Why Pentesting is a Must for Every Business

Pentesting provides critical insights into your organization’s security and helps protect against evolving cyber threats. By understanding the process, preparing adequately, and choosing the right provider, businesses can significantly reduce their security risks.

Investing in regular pentests is not just a one-time event; it’s part of a continuous effort to keep your organization secure in a world where cyber threats are always changing.

Navigating the Misinformation Minefield: How TikTok is Shaping Political Perceptions

August 16, 2024

This is a blog post I put together for distribution internally. Feel free to take and use as part of your own security awareness program. Created with help from ChatGPT

In the ever-evolving landscape of social media, TikTok has emerged as a dominant force, especially among younger generations. While the platform offers endless streams of creative content, it also harbors a growing concern: the spread of misinformation. Recent research has revealed that 33% of young Americans have encountered political lies on TikTok, highlighting the platform's significant role in shaping political perceptions.

As misinformation continues to proliferate across social media, it’s crucial to understand how it spreads, its potential impact, and the steps we can take to protect ourselves.

The Power of TikTok and the Rise of Misinformation

TikTok’s algorithm is designed to keep users engaged by serving up content tailored to their interests. However, this algorithmic precision also makes it easier for misinformation to find its way into users’ feeds. Content that sparks strong emotional reactions—whether outrage, fear, or excitement—tends to spread rapidly, often without scrutiny.

Political misinformation can have far-reaching consequences. False narratives can skew public perception, influence voting behavior, and deepen societal divides. For young Americans, many of whom turn to social media as their primary news source, the risks are especially pronounced.

The Cybersecurity Implications of Misinformation

While misinformation may seem like a mere nuisance, it poses serious cybersecurity risks. Cybercriminals can exploit false information to launch sophisticated social engineering attacks. For example, a fake news story might be used as bait in a phishing campaign, luring users to click on malicious links or download harmful software. Once trust is established through seemingly legitimate content, attackers can easily manipulate their targets.

Moreover, misinformation can be used to incite panic or distrust, leading to actions that compromise security. For instance, during elections, misinformation about voting procedures can confuse voters, leading to disenfranchisement or chaos at polling stations. In such scenarios, the lines between misinformation and cyber threats blur, creating a fertile ground for malicious activities.

Recognizing and Combating Misinformation

Understanding how to identify and counter misinformation is crucial in today’s digital age. Here are some strategies to help you stay informed and secure:

Critical Evaluation of Sources:
- Not all information online is created equal. Always consider the source of the information. Is it from a reputable news outlet or a verified account? Be wary of anonymous sources or accounts with little to no background information.
- Check the publication date to ensure the information is current. Outdated information, when recirculated, can cause unnecessary confusion.
Cross-Referencing Information:
- Before accepting information as true, verify it through multiple credible sources. Misinformation often crumbles under scrutiny when checked against reliable reports or official statements.
- Use fact-checking websites like Snopes or FactCheck.org to confirm the validity of sensational claims.
Recognizing Emotional Manipulation:
- Misinformation often relies on eliciting strong emotional responses to bypass rational thinking. Be cautious of content that triggers immediate emotional reactions such as anger, fear, or joy.
- Pause and reflect before sharing emotionally charged content. Consider why it evokes such a strong response and whether the information could be misleading.
Awareness of Manipulative Tactics:
- Social media is rife with clickbait headlines designed to draw users in. These headlines may oversimplify, exaggerate, or completely fabricate information. Always read beyond the headline before forming an opinion.
- Be mindful of deepfakes and manipulated media. Advances in technology have made it easier to create realistic but entirely fake images and videos that can be used to spread falsehoods.
Educating Yourself and Others:
- Stay informed about the latest tactics used to spread misinformation. Knowledge is your first line of defense. Participate in digital literacy programs and encourage others to do the same.
- Engage in discussions with friends and family about the importance of verifying information before sharing it. Misinformation spreads quickly when people don’t take the time to fact-check.

The Broader Impact of Misinformation

The dangers of misinformation extend beyond individual harm. On a larger scale, widespread misinformation can erode trust in institutions, polarize societies, and even threaten democratic processes. In an environment where misinformation thrives, it becomes increasingly difficult to have informed, rational discussions on critical issues.

Moreover, the spread of misinformation can contribute to the normalization of falsehoods. As false narratives become more prevalent, they can start to shape reality, influencing public opinion and policy in ways that are harmful or unjust.

Conclusion: Staying Vigilant in a Digital World

In an age where information is at our fingertips, the responsibility to discern truth from falsehood rests on each of us. TikTok and other social media platforms offer immense value, but they also present risks that must be navigated carefully. By adopting a skeptical mindset, verifying the content we encounter, and educating ourselves and others, we can protect ourselves from the dangers of misinformation.

As we continue to interact with digital content, let’s commit to being informed and responsible consumers of information. In doing so, we not only safeguard our own security but also contribute to a more truthful and resilient digital community.

What is Smishing and How You Can Protect Yourself

May 20, 2024

This is an article I’ve put together for my internal Security Awareness program. Feel free to grab and use in your own program. Created with help from ChatGPT.

In today's digital age, cybersecurity threats are evolving rapidly, and one of the rising threats is "smishing." Smishing, a blend of "SMS" (short message services) and "phishing," is a form of phishing that involves sending fraudulent SMS messages designed to deceive recipients into revealing personal information or installing malware.

Understanding Smishing

Smishing attacks typically involve a text message that appears to come from a legitimate source, such as a bank, a well-known retailer, or even government agencies. These messages may claim that there's an urgent issue requiring your immediate attention, such as a problem with your bank account, a missed delivery, or a tax refund opportunity. The message will usually include a link that you are urged to click to resolve the issue.

How Smishing Works

The goal of smishing is to trick the recipient into providing sensitive information, such as login credentials, credit card details, or personal identification numbers. Alternatively, the link may download malware onto the recipient’s phone, which can lead to data theft or loss, financial loss, and sometimes even identity theft.

Examples of Smishing Attacks

Financial Frauds: "Notice from Bank XYZ: Unusual activity detected on your account. Please verify your identity immediately to prevent closure. Click here [link]."
Fake Contests: "Congratulations! You’ve won a $500 gift card from [Popular Brand]. Claim your prize now [link]."
Impersonation of Authorities: "Urgent COVID-19 alert in your area. Click here for safety measures to follow [link]."
CEO Fraud: “Hi [employee], are you available? I have an urgent need.”

Tips to Protect Yourself from Smishing

Be Skeptical of Unsolicited Messages: Always be wary of text messages that ask for personal information, especially if they convey a sense of urgency.
Verify the Source: If a message claims to be from an organization you do business with, verify its authenticity by contacting the organization directly using a phone number or email address from their official website—not the contact details provided in the message.
Avoid Clicking on Suspicious Links: Do not click on links in unsolicited texts or emails. Instead, go directly to the website by typing the URL into your browser.
Educate Yourself and Others: Awareness is your best defense. Learn about the latest smishing tactics and educate your family and friends on how to protect themselves.

Conclusion

Smishing is a significant and growing threat in the realm of cyber scams. By staying informed and cautious, you can protect yourself from falling victim to these malicious attacks. Always remember that when it comes to protecting your personal information, vigilance is key. If you suspect you’re being targeted by a smishing attack please contact [INTERNAL SECURITY TEAM INBOX].

AI security and healthcare - created by ChatGPT

Embracing AI with Care: A Guide for using AI in the healthcare workplace

April 10, 2024

This is an article I put together for internal communication on my companies intranet. I actually put two different articles together. Both are along the same lines just written different. I would love feedback on anything I may have missed. Otherwise feel free to use this as part of your company’s internal communication. This was most written by ChatGPT.

Introduction

In the rapidly evolving world of healthcare, Artificial Intelligence (AI) has emerged as a beacon of hope and innovation. From improving patient outcomes to optimizing operational efficiencies, AI's potential is undeniable. However, as we integrate these powerful tools into our daily operations, it's imperative to approach AI with a blend of enthusiasm and caution.

The Power of AI in Healthcare

AI's application within healthcare spans from predictive analytics in patient care to automating administrative tasks, allowing healthcare professionals to focus on what they do best—caring for patients. AI algorithms can analyze vast amounts of data to predict patient deterioration or optimize treatment plans. Additionally, AI-driven chatbots can enhance patient engagement and support, providing timely information and assistance.

Ethical Considerations and Patient Privacy

While AI can significantly improve efficiency and patient care, its implementation in healthcare comes with profound ethical implications, especially concerning patient privacy and data security. As stewards of sensitive health information, it's our collective responsibility to ensure that AI tools are used ethically and in compliance with all applicable laws and regulations, such as HIPAA.

Transparency and Consent: Patients should be informed about how AI might be used in their care, including the benefits and potential risks. Obtaining informed consent is not just a legal requirement; it's a cornerstone of trust.
Data Privacy: Always ensure that AI systems handling patient data are secure and compliant with data protection laws. Anonymization of data before AI analysis is a critical step in safeguarding patient privacy.
Bias and Fairness: AI systems are only as unbiased as the data they're trained on. It's essential to continuously monitor and evaluate AI tools for any form of bias, ensuring equitable healthcare outcomes for all patients.

Cybersecurity Implications

The integration of AI into healthcare systems increases the complexity of our cybersecurity landscape. AI can both bolster our cybersecurity defenses and represent a novel vector for cyber threats. Therefore, a proactive and informed cybersecurity approach is essential.

Adherence to Security Policies: All use of AI technology must comply with our comprehensive security policies, which are designed to protect both patient data and our IT infrastructure. This includes strict access controls, regular security audits, and adherence to best practices in AI ethics and governance.
Education and Awareness: Employees must be educated about the potential cybersecurity risks associated with AI, including social engineering attacks that leverage AI-generated content.
Handling of sensitive data: It is crucial to ensure that sensitive data is not entered into or processed by AI systems that are not under our direct control and that do not meet our strict security and privacy standards. Employees should avoid the use of unauthorized AI tools and platforms that could inadvertently expose sensitive patient information or proprietary data. This includes being aware of third-party companies that have integrated AI into their platforms.
Secure AI Development: AI systems must be developed and maintained with security in mind. Threat modeling helps to identify potential issues before they arise. Regularly updating and patching systems helps maintain the integrity and security of systems.
Vigilance and Reporting: Employees are empowered to report any suspicious activities or vulnerabilities. Early detection is key to preventing cyber incidents or data privacy issues.

Looking Ahead

As we journey forward, integrating AI into our healthcare practices, let us do so with a vigilant eye on the ethical, privacy, and security implications. By fostering a culture of responsible AI use, we not only protect our patients and their data but also contribute to the advancement of healthcare, making it more accessible, efficient, and effective for all.

Conclusion

The integration of AI in healthcare represents a frontier of endless possibilities. Yet, as we harness these technologies, we must navigate this terrain thoughtfully and responsibly, ensuring that we remain steadfast in our commitment to patient care, privacy, and security. Together, we can create a future where AI empowers us to deliver better healthcare than ever before.

The Art of Secure Passwords: Safeguarding Your Digital Life

March 27, 2024

This is a blog post I plan to submit to my companies intranet site as part of security awareness program. I wanted to post this here in case others would like to use it for their own internal programs. This was largely generated with ChatGPT. I have gone through and made my own edits and adjustments.

In today’s interconnected world, passwords are the gatekeepers to our digital existence. Whether it’s accessing your email, online banking, or social media accounts, a strong password is your first line of defense against cyber threats. In this blog post, we’ll explore essential practices for creating and managing secure passwords.

The Key to Your Account: Guard Your Passwords

Your passwords are like the keys to your virtual kingdom. Treat them with utmost care and never share them with anyone. Remember, a password shared is a vulnerability exposed. Whether it’s your Netflix account or your corporate email, keep those keys close and confidential.

Password managers are great for both storing and creating passwords. Password managers generate and store complex, unique passwords for each of your accounts. Instead of remembering dozens (or even hundreds) of passwords, you only need to remember one master password. Password managers can auto-fill your login information on websites and apps, streamlining the login process. Below are some recommended password managers for personal use:

LastPass

Features: LastPass offers a user-friendly interface, secure password storage, and strong password generation. It's accessible across various devices and browsers, making it convenient for users who need to manage their passwords on the go. LastPass also features secure sharing options, allowing users to safely share login information with trusted individuals.

1Password

Features: 1Password is known for its strong security measures, including a unique security key for encryption, making it nearly impossible for unauthorized users to access your vault. It also offers a Travel Mode, which temporarily removes sensitive data from your devices when crossing borders. 1Password's user interface is clean and intuitive, with excellent organization features for managing passwords and documents.

Dashlane

Features: Dashlane provides a robust set of features, including password management, a secure digital wallet, and a VPN for safe browsing. Its password changer feature can automatically update passwords on various sites, enhancing security with minimal user effort. Dashlane is suitable for individuals and businesses looking for a comprehensive security solution.

Bitwarden

Features: Bitwarden stands out for being open-source, offering transparency in its security practices. It provides a secure vault for passwords and sensitive information, with options for self-hosting for users who prefer complete control over their data storage. Bitwarden's free version is feature-rich, making it an excellent choice for budget-conscious users seeking reliable security.

Keeper

Features: Keeper is noted for its high-level security features, including biometric logins and a secure messaging vault. It offers flexible storage options for passwords, files, and private client data, making it a suitable option for both personal and professional use. Keeper also includes breach monitoring to alert users of potential security threats.

Browsers

Browsers can be a good place to store passwords for users seeking convenience and simplicity, offering several features that facilitate better password practices. However, for those who require more robust security features, flexibility, and functionality, a dedicated password manager might be a more suitable option. As with any security tool, the best choice depends on your specific needs, habits, and the level of risk you're comfortable with.

Crafting Strong and Memorable Passwords

Creating strong and memorable passwords is essential, especially for securing critical accounts like those for work, email, and finances. Here's how to craft passwords that are both robust and easy to remember:

Ensure Uniqueness for Each Account

Distinguish your work and personal passwords to safeguard against potential breaches. Each account should have a unique password to prevent a security issue in one from affecting others. Websites like Have I Been Pwned offer valuable insights by letting you check if your email has been involved in any breaches, underscoring the importance of uniqueness.

My personal email shows up in the LinkedIn breach

Opt for Passphrases with Special Characters

Early in my career, I learned the effectiveness of using multi-word passphrases with special characters interspersed. This strategy not only makes passwords more difficult for attackers to guess or crack but also helps in keeping them memorable. Despite witnessing 22-character passwords being compromised, it's clear that security isn't solely about length. Crafting your password—a mix of length, complexity, and unpredictability—is key.

Avoid common or popular phrases. Instead, draw inspiration from less obvious sources, like obscure quotes or unique phrases from your favorite media. This approach significantly lowers the risk of your password being easily cracked while ensuring it remains memorable to you.

By focusing on creating unique, complex passphrases that are personal and meaningful, you can significantly enhance the security of your online accounts while maintaining ease of recall.

Conclusion

By adopting recommended practices—treating passwords as keys to our digital domains, leveraging password managers for enhanced security, and crafting strong, memorable passwords—we fortify our digital presence against unauthorized access.

Password managers like LastPass, 1Password, Dashlane, Bitwarden, and Keeper offer robust protection. For added simplicity, browser-stored passwords can also serve as a basic defense. Utilizing unique passphrases enriched with special characters further strengthens our security posture, as echoed by services like Have I Been Pwned, which emphasize the importance of password uniqueness.

In conclusion, secure password practices are not just about technical security; they're about empowering ourselves to navigate the digital space confidently and securely. Let's prioritize our digital safety by embracing these practices, ensuring our online presence is shielded from potential threats.

Leveraging AI to Ace Your Next Job Interview

February 29, 2024

In today's rapidly evolving job market, Artificial Intelligence (AI) has become more than just a buzzword—it's a tool that can provide a competitive edge in various aspects of life, including job hunting and interview preparation. As interviews become increasingly sophisticated, candidates are seeking innovative ways to prepare and stand out. I’ve recently gone through a few different interview processes and as part of that I leveraged AI to help do research and prepare for my interviews. Here's how AI can be your ally in acing your next job interview.

Understand the Role and Company

Before you even start preparing for the questions, it's crucial to have a deep understanding of the role you're applying for and the company behind it. AI-powered tools can analyze job descriptions, company websites, and news articles to provide a comprehensive overview of what the company values in its employees and what skills and experiences are critical for the role. This information can help tailor your interview responses to align with the company's culture and needs.

Personalized Practice Sessions

AI-driven interview preparation tools can simulate realistic interview scenarios tailored to the job you're applying for. These platforms use natural language processing to evaluate your answers, providing feedback on content, tone, clarity, and even body language in video-based practice sessions. This personalized feedback can help identify strengths to highlight and weaknesses to improve upon, making your preparation more focused and efficient.

I’ve taken the job description and my resume and put them into ChatGPT to help identify how my experience aligns with the role. I’ve also taken the job description and any other information about the interview I’ve been provided and asked ChatGPT to create practice questions. I then take those questions and practice saying out loud my responses. I found the interview questions to be pretty close to the real questions I got asked. The questions allowed me to think through how I would answer questions and lean on past experiences. While not an exact match it did afford me an opportunity to think through my experiences and apply those to similar questions.

If there is a technical aspect to the interview AI can be used to prepare by getting quizzed on technical questions. Unfortunately, I didn’t think of this use case until after I had already gone through an interview that had technical questions in it. I struggled through those questions and did not move one. Had I prepared using AI I would have been better prepared to answer those questions and a better shot at moving on.

Enhancing Your Answers

AI doesn't just stop at practice; it can also help refine your answers. Tools like GPT (Generative Pre-trained Transformer) can suggest ways to structure your responses more effectively or creatively. Input your basic answer, and AI can enhance it, ensuring you communicate your thoughts coherently and compellingly. However, it's essential to keep your answers authentic to your experiences and voice; use AI as a tool for improvement, not a crutch. It’s also very important to say the responses out loud to understand how the responses will come off. Sometimes what’s in our head doesn’t sound as good when it’s said out loud.

Final Thoughts

As AI continues to transform the job market, its role in interview preparation is undeniable. By offering personalized feedback, and enhancing response, AI can be a valuable asset in your job search toolkit. However, it's important to remember that AI is a supplement, not a substitute, for genuine preparation. The goal is to use AI to enhance your authentic self, showcasing your skills, experiences, and personality in the best possible light.

Embrace AI as part of your interview preparation strategy, but keep the focus on your unique contributions and how you can add value to the company. With the right preparation and mindset, you can use AI not just to prepare for interviews but to excel in them.

This blog post created with the help of ChatGPT

7 Tips and Best Practices for Threat Modeling

February 28, 2024

In the ever-evolving landscape of cybersecurity, threat modeling emerges as a crucial practice that helps organizations identify, assess, and mitigate potential security threats. It's a proactive approach that focuses on understanding the assets that need protection, identifying what threats those assets might face, and defining measures to mitigate those threats. Here are some essential tips and best practices for effective threat modeling:

1. Start Early and Integrate Continuously

Begin threat modeling at the earliest stages of system design and continue to integrate it throughout the development lifecycle. Early integration helps in identifying potential security issues when they are easier and less costly to resolve. Studies has shown the fixing issues later in development or IT project are more costly.

A chart showing the cost of fixing a bug throughout the development lifecycle

2. Involve a Cross-Functional Team

Threat modeling should not be the sole responsibility of the security team. It requires a collaborative effort involving developers, operations, architects, and business stakeholders. Each group brings a unique perspective that contributes to a comprehensive understanding of the system and its potential vulnerabilities.

There are other benefits to threat modeling outside of security. It get’s everyone involved in the project on the same page. Often development and infrastructure teams can be at odds about what needs to be done to complete the project. Threat modeling is an opportunity to bring everyone together to better understand and clarify what needs to get done.

3. Watch for scope creep

Identify what is being discussed at the start of the session. This will help setup boundaries for the discussion. People will want to dive into are other topics adjacent to the project. While they may need to be discussed at some point now is the time to discuss what was defined in the scope. I often will tell people let’s setup another session or move the discussion to later in the meeting if there’s time. This will help the meeting run more smoothly and ensure the topic of discussion get’s threat modeled.

4. Keep the Attacker's Perspective Simple

Thinking like an attacker can provide invaluable insights into potential vulnerabilities and attack vectors. Understand the capabilities, motives, and methods of potential attackers to better anticipate and counteract their actions. Not everyone has an attacker mindset. Most people in an organization are builders. We as attackers are looking to tear things down and break them.

This can take some getting used to for people. It may take multiple sessions before they start getting into the attacker mindset. It’s a lot like exercise. It takes time to build up those security muscles but once it happens it will make the meeting run a lot more smoother. I often start with simple attacks such as offering someone a million dollars for their access.

5. Use silence

As I’m drawing out a diagram, I will often be thinking of attacks. This isn’t necessarily the case with people outside of security. Especially, if threat modeling is new to them. If I provide all the attack scenarios it won’t help the others in the room foster that security mindset. Use silence to get people engaged in the discussion.

Most people are uncomfortable in a group setting with silence. The facilitator of the session will need to get comfortable with silence. After a period of time someone will speak up with an idea. Don’t shoot down all ideas. Write them down like you would a brainstorming session. This will help encourage more people to speak up with their ideas.

6. threat modeling discussions are chaos

If it feels like chaos you’re likely doing it right. As you go through the session you may feel like you’re taking a step back and adding things to the diagram or the security profile. That’s okay. Keep your eraser tool handy because you may need to adjust different things on the diagram. I’ve been in sessions that I thought were going to take 20 minutes and they ended up taking three hours.

7. Meeting notes and action notes

Identify someone to help take notes. This will with more thoroughly document the meeting. Governance Risk and Compliance (GRC) folks are great at this. After the meeting ask for the notes to compare with your own. Virtual meetings can be recorded for later viewing and ensuring notes are complete.

After the meeting send the meeting notes, a picture or screenshot of the diagram, and action items. This will help document the meeting and allow anyone to make corrections on the notes. Action items are important for any follow up items that need to be addressed. Make sure to identify a person to follow up with and not a group. Also, it doesn’t hurt to document these in a central repository that everyone can access.

Conclusion

Threat modeling is an essential practice in the toolkit of cybersecurity professionals. Threat modeling sessions can often feel like chaos and that’s okay. Make sure to start early and integrate into development and IT projects. Involve anyone that has work to be done as part of the process. Watch for scope creep and offer to set up another time to discuss. Use silence and keep the attacks simple to get people engaged in the conversation. Finally, remember to document each discussion, assign action items, and give people the opportunity to make corrections on the topic discussed.

Threat modeling is one of the low cost and most effective tools in your organization. These tips and best practices will ensure that threat modeling being performed at an organization will be efficient and effective. Leave a comment below if you have any tips or best practices for threat modeling.

Be a cybersecurity Kevin Bacon - *Image created with the help of ChatGPT*

How to become a Cybersecurity Kevin Bacon

February 21, 2024

The Six Degrees of Kevin Bacon proposes that anyone in the Hollywood film industry is linked to Kevin Bacon within six steps. I’ve somehow had the title applied to me by a few different people. A large part of that is the networking I’ve done in the industry. I’ve hung out and talked to a lot of people. I don’t know everyone in the industry but I have meet people for the first time and we’ve known similar people. In this post I want to cover the networking that may have put me in the same breadth as Mr. Bacon.

Attend Conferences

My very first conference when I got into security was BSides Charleston in 2013. I went down with a buddy to the conference and meet a few people. One of those people that stood out was Evan Davison who goes by the hacker name Pentestfail. He gave a great talk on defense in-depth (this is the same talk at a ISSA local chapter). Evan and I would cross paths multiple times over the next 10 years. We would volunteer and get to know each other at BSides Augusta and the Social Engineering Village at DEF CON.

It’s not just about attending conferences it’s about getting involved and interacting with people. That could be meeting and talking to people, participating in capture the flag competitions, volunteering, or speaking. If you’re nervous about meeting people volunteering is a great way to meet and interact with people.

At one point I was going to 8-10 conferences a year. Most conferences were one day events within a a five hour driving distance so it was only a day or two. Still that’s a lot and it’s not something I’d necessarily recommend as I did get burned out and decided to tone back the conference attendance to three in 2019. There was also the cost. My company did always cover travel. I got maybe one a year. The rest was on my dime but I will say it was worth it for the connections I was able to build within the community.

Going to events allows for shared learning and job opportunities. I’ve learned a lot from just talking to people in the hallway at conferences. It’s a safe space for sharing interesting stories that you wouldn’t hear otherwise. If you’re the type that has a hard time starting a conversation, ask questions. People love talking about themselves and sharing their insights into the industry. I’ve had entire conversations with people who never asked a question or knew my name but I knew a ton about them and got some really great security stories.

Volunteer at events

When I first started attending conferences I would volunteer. This forced me to meet people and as a bonus got me a free ticket into the conference. To get away from registration or door duty I started asking organizers if I could bring my camera and shoot pictures for them at the conference. This was great because I got to be more mobile and allowed me to meet and talk to a variety of people at the conference.

This also opened the door for invitations to work other conferences where my travel expenses were covered. If you have an interest see if it fits into helping out with a conference. I know several people volunteer just to do video for a conference. I’ve also seen people contribute by providing a quilt that was auctioned off. Find something you feel can contribute to the conference. Working the registration desk is also fine.

Volunteering helped me get a really great job in Nashville, TN. I had been traveling to BSides Nashville since it’s inception. There was an opening at a company one of the organizers was working at. I didn’t know that organizer really well but when they were asked about me for the position they responded that I showed up and did my job. Not necessarily a glowing endorsement but it helps and you never know who you’re going to interact with while volunteering.

Attend Local User Groups

Local user groups are great if you’re looking to network within your own city. If there’s not one I’d recommend starting one up. It’s definitely a lot of work but very rewarding. When people ask me my greatest accomplishment I often will tell them it’s starting a local user group in Columbia, South Carolina, that has 20-25 regular attendees. That’s massive for a local user group by the way. If you need guidance on starting a local user group there’s a couple podcasts for that.

How to Start a Successful CitySec Meetup - Part 1

How to Start a Successful CitySec Meetup - Part 2

Starting the local user group allowed me to meet a lot of people in town. You never know if you’ll meet your future employer or someone that starts their own company. I had both those experiences starting a user group. The first was switching to a different state department after meeting the South Carolina state CISO at a meetup and going to lunch with him.

The other is meeting Andrew Morris who is the founder of GreyNoise a company that’s starting to make waves in the cybersecurity community. I met him at a conference called Trends in 2015 where he told me about his idea for the company. I’ve had him on the podcast a couple of times to talk about being a pentester.

Start a blog or podcast

Speaking of podcasts, most people don’t know that I had a podcast prior to my security podcasts. I ran The Crawfish Boxes (TCB) podcast for the Houston Astros fan site on SB Nation. I gained some notoriety with the Houston Astros organization due to that podcast and blogging I did for TCB. It’s amazing how more accessible people become when you offer to interview them. I have a big leaguer or two in my cell phone and at one point had two baseball General Manager’s following me on Twitter.

I took the lessons and experience from covering baseball and brought it into the infosec community and it has really helped my career. I’ve gotten to meet and talk to a lot of great people in the field on my podcast. I’ve had a lot of success just reaching out and asking people if they’d be interested in talking about a topic they’re presenting on or have blogged about. There are people who never responded or responded and then stopped responding but more often than not I can get an interview set up with them.

One of the hardest things getting started is imposter syndrome, “Why would people want to listen or read me?” “Someone else is already doing what I would want to do.” I had those same thoughts but went ahead because I have my own unique perspective to offer. It’s still nerve-racking but the longer I did it the more I realized I have something to offer to the community. I love having a conversation with people and learning more about what they know. Which made podcasting a great fit.

Blogging, on the other hand, is the one I’ve struggled with. I was never good in English class and if I had concerns about podcasting and what people thought my writing is on a much higher level of imposter syndrome. But blogging isn’t about perfect English, it’s about sharing a unique viewpoint. English and grammar help but it’s more about the idea and finding my voice. Plus, the more I do it my writing is bound to improve, right? Right? AI is something I’m leveraging as an assistant. It’s not always great but it can help.

Summary

To be a Kevin Bacon you gotta get out there. Attend conferences and local user groups. You’ll get to meet a lot of really great people. If you struggle with talking to people volunteer. It can force you to meet people and show your willingness to contribute to the community. Start a blog or podcast or vlog. Putting yourself out there can help you grow as a professional and open up doors. If blogging or podcast aren’t your thing that’s okay. Identify what you’re interested in and see how that can fit into the community. There’s a lot of ways to contribute. Contributing to an open source project or participating in a capture the flag event can do similar things for your career. Find ways to get involved.

Exploring tools and resources for threat modeling - *Created with the help of ChatGPT*

Tools and resources for effective Threat Modeling

February 19, 2024

My presentation for this year is Threat Modeling. My first stop is the 2024 Palmetto Cybersecurity Summit Feb 21-22, 2024, in Columbia SC. I’ll also be speaking at BSides Nashville May 11, 2024, and ShowMeCon May 13-14, 2024.

Getting Started

We’re going back to kindergarten people! We’ll get to draw shapes and lines and use different colored markers! To get started all one needs is a whiteboard and markers. Building out a diagram is the first step. As I mentioned in the Basics of Threat Modeling blog post having one prepared prior to the session will help expedite the process. Unfortunately, if there isn’t an existing diagram one will have to be done during the session. Adam Shostack has a description of the symbols and elements to use in a threat model on his GitHub page. They’re very simple and that’s the intention because threat modeling an application or process can get very complex.

Adam Shostack - DFD3 - https://github.com/adamshostack/DFD3

If the session is virtual and not in person the same principles applies. All popular video conferencing has a whiteboard feature on it that can be used for threat modeling. There are third-party options as well including:

Microsoft Whiteboard (Usually free with corporate account)
Microsoft Visio (License required)
Microsoft Threat Modeling Tool (Free)
OWASP Threat Dragon (Free)
Draw.io (Free)
Miro (Free version)
Lucidchart (Free version)
MURAL (Free version)
Whimsical (Free version)

The tools I’ve had experience with are Microsoft’s Whiteboard, Visio, and Threat Modeling Tool. Visio and the Threat Modeling Tool get into a lot of detail and can feel complex if you’re just getting started. The more important thing is learning the methodology and approach to threat modeling. Threat Dragon has a lot more simplicity. It is open-source so doesn’t have all the bells and whistles of other tools. It can take a little to get used to using. I’ve seen developers create diagrams with Draw.IO. It’s simple and easy to use but be mindful that if they build it on a third-party website they may be putting internal organization information on the internet. I have not used Miro, Lucidchart, MURAL, or Whimsical but they look similar to Draw.IO. Leave a comment below with your favorite white boarding tool.

Automated threat modeling tools

I have only used Microsoft Threat Modeling Tool and OWASP Threat Dragon for automating parts of the threat model process. Microsoft’s Threat Modeling Tool get’s very granular and tries to be exhaustive on attack scenarios. If you like digging into a lot of details it can be a very useful tool. OWASP Threat Dragon is a much lighter version of that which is why I used it a lot more. For me I wanted the group to come up with their own attack scenarios because it allowed them to exercise their security muscles and build a stronger security mindset. This impacts the other areas of their day-to-day work. As their working they’ll be thinking about security.

There are other commercial and open-source tools that promise one-click threat modeling. I have not had an opportunity to use them. Here are some popular ones I found:

If you have used one of these or another leave a comment below.

Educational Resources

The book I always recommend is Threat Modeling: Designing for Security by Adam Shostack. It is “THE” book on threat modeling. What I love about the book is that after the first chapter it says to just start threat modeling. It’s more of a companion book for learning and maturing the threat modeling program.

OWASP is another resource for threat modeling. They have an entire project on everything you need to know about Threat Modeling. The OWASP Cheat Sheet is also a great place to start and a good reference point while maturing the threat modeling practice. Finally, an exhaustive list of threat modeling resources can be found at Awesome Threat Modeling on GitHub.

Leave a comment below with resources or tools you recommend. If you’re interested in seeing a version of this talk check out the ColaSec Meetup page as I will be presenting on threat modeling at the February 20th, 2024, meetup. A virtual option for attending is available.

Threat modeling risk management

February 15, 2024

In this post I want to talk about rating and prioritizing the discovered threats from a threat modeling session. We’ll get into the different methodologies and talk about some of the nuances of them.

Methodologies for Risk Management

Created with help from ChatGPT

DREAD

DREAD, an acronym for Damage, Reproducibility, Exploitability, Affected users, and Discoverability, is a risk assessment model used to prioritize threats. Although its use has declined due to its subjective nature and lack of business context alignment, some organizations may still find it useful for quick, high-level risk assessments.

This is what I use for threat modeling. If you read Adam Shostack’s book he calls it obsolete and recommends SDL Bug Bar. The reason is that the different categories can be a bit ambiguous, lack granularity, and context. I think it’s great for getting started and keeps threat modeling simple. As threat modeling matures there may be a need to mature the risk management and switch to something that provides more scaleability.

Using DREAD we would rate the threat by each theat on a 1-3 scale. This allowed for prioritizing low, medium, and high. The final number will help prioritize the threats discovered for follow up. Again, when dealing with other groups it’s important to keep the bar to entry low. As the program matures and people get a better idea on threat modeling advancing to something a bit more technical can be useful.

SDL Bug Bar

The Security Development Lifecycle (SDL) Bug Bar is a concept and a set of criteria used within Microsoft's SDL framework to classify and prioritize the handling of software bugs based on their security implications. The "bug bar" establishes a baseline for the security severity that a bug must meet or exceed to be considered a priority for fix before software can be released. It helps teams make consistent, informed decisions about which security vulnerabilities to fix and when to fix them.

There’s not really a lot available online for implementing the Bug Bar. There are some blog posts and the SDL Bug Bar PDF which doesn’t exactly give instructions on how to implement. It can be loaded as a template into other Microsoft tooling so that can be helpful and will help with streamlining some of the threat modeling process. Leave a comment below if you’ve had experience implementing the SDL Bug Bar.

OWASP Risk Rating Methodology

The Open Web Application Security Project (OWASP) offers a risk rating methodology that considers factors such as threat agents, attack vectors, technical impact, and business impact to prioritize vulnerabilities. This methodology is particularly useful for web application security and can be adapted to fit an organization's specific needs. This has more in-depth math and expanded categories for rating a threat. This could be another option for maturity.

CVSS (Common Vulnerability Scoring System)

CVSS provides an open framework for rating the severity of security vulnerabilities in software. It offers a standardized way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. CVSS scores can help organizations prioritize their response and remediation efforts based on the potential impact of each vulnerability. This is one of the standards for vulnerabilities.

FAIR (Factor Analysis of Information Risk)

FAIR is a quantitative risk analysis methodology that helps organizations understand, analyze, and quantify information risk in financial terms. FAIR differs from other models by focusing on the financial impact of risks, making it particularly useful for making informed, data-driven decisions about cybersecurity investments and risk management strategies. This methodology was created by Jack Jones with the intent of providing risk in financial terms for organization.

TARA (Threat Agent Risk Assessment)

TARA identifies potential threat agents and evaluates the risks they pose to an organization's critical assets. This methodology is useful for organizations that want to focus on the most likely sources of threats and tailor their defenses accordingly. Intel created TARA as part of its comprehensive security and risk management strategy to identify, assess, and prioritize risks based on the potential impact of various threat agents. This methodology was created by the Department of Defense (DoD) in 2010. It uses built in attacks to assist in the risk assessment process.

Summary

There are multiple options for rating and prioritizing the threats identified in a threat modeling session. I like DREAD because it’s simple but that might not be feasible for larger organizations. If you’re a Microsoft shop the SDL Bug Bar may be a better fit. OWASP Risk Rating Methodology is also another option. If you really want to go deep CVSS or another framework may be the best option. FAIR and TARA are two methodologies that look to provide specific context to risk management. FAIR from a financial standpoint and TARA has a DoD lean. Choosing the best risk management methodology will depend on the organization and it’s needs. Try multiple and see what works best for your organization.

Next we’ll get into tools and resources for threat modeling.

Exploring threat modeling methodologies and approaches - *Image created with the help of ChatGPT*

Methodologies and Approaches for Threat Modeling

February 14, 2024

There are a variety of ways to do threat modeling. Deciding which one to use will depend on the organization and what is being threat modeled. I started with STRIDE which is a standard methodology for getting started. We’ll touch on the other ones but I’ve not had experience with them. The basic concept should be the same. The methodologies are used to help guide a threat modeling session through attacking and mitigating the threats discussed.

MethodologieS

STRIDE

Developed by Microsoft, STRIDE is an acronym for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. This model helps in identifying threats in these six categories, making it easier to systematically address potential security issues.

Repudiation is the one that always get’s me. It’s attackers getting in and performing illegal operations without leaving any sort of evidence. This is usually due to a lack of logging. The others are fairly straight forward.

LINDDUN

This is a privacy-focused threat modeling methodology designed to help identify and address privacy threats in information systems. The acronym LINDDUN stands for the seven types of privacy threats it aims to uncover: Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, and Non-compliance.

PASTA

The Process for Attack Simulation and Threat Analysis (PASTA) is a seven-step, risk-centric methodology. It focuses on aligning business objectives and technical requirements, taking into account the attacker's perspective and potential attack vectors. It is thorough and integrates well with risk management.

OCTAVE

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) is a suite of tools, techniques, and methods for risk-based information security strategic assessment and planning. It focuses on organizational risk and security practices, making it more suited for strategic, rather than technical, threat analysis.

Attack Trees

Attack Trees provide a methodical way of describing the security of systems, based on varying attacks. It's a graphical representation of potential attacks, organized in a tree structure, showing how an overall goal (root) can be broken down into sub-goals (leaves). This is an example of an attack tree.

Example of using STRIDE

Created with the help of ChatGPT

A threat modeling tweet by @thegrugq that highlights attack surface.

Below are some examples I’ve seen discussed in a threat modeling session. The skies the limit and will be different depending on the application or process. At the very least it’s a thought exercise that helps people think about security and discuss mitigating controls. Some of these attacks are more likely than others. Within healthcare insider threat and errors are a lot higher than other industries. They’re still susceptible to external attacks but the bigger concern may already be inside the organization. Each organization will have it’s own attack surface.

Spoofing

Threat: A healthcare provider uses another users logged in session when they walk away form their computer.

Mitigation: Ensure session timeout is set to what is needed for the business use case of the application. If a user has several activities that require waiting for something to finish in the application or they need to login into other applications and then come back then the timeout may need to be longer.

Tampering

Threat: A healthcare provider accidentally modifies the wrong record for two different patients.

Mitigation: Add a, “are you sure?” pop-up. Logging and recovery will need to be in place for identification and recovery.

Repudiation

Threat: A user (patient or provider) denies sending a message or making changes to records.

Mitigation: Implement detailed logging and audit trails to track user actions and changes within the application.

Information Disclosure

Threat: S3 bucket with patient information is accidentally made available on the internet.

Mitigation: Use access controls to enforce the principle of least privilege, ensuring users can only access information necessary for their role, and encrypt data.

Denial of Service (DoS)

Threat: A ransomware attack encrypts the web server.

Mitigation: Web server and all needed systems have good backups and can be restored to get the service back online for users.

Elevation of Privilege

Threat: A user is bribed to give up their credentials to the application.

Mitigation: User IP logging to help identify when a user logs in from an abnormal location.

Approaches

At my organization I was the person doing the threat model. I was training up some of the other people on my team so they could do it and not create a bottle neck with my department. Some organizations an individual or team may not be the best approach. In this case a decentralized approach could be more beneficial where the teams are trained up on doing their own threat models.

As far as automated tooling I haven’t used a lot of it other than as a substitute for a whiteboard. I have seen the use of Microsoft’s Threat Modeling tool which will help with attacks but will require a lot more interaction. There’s not really a wrong or right answer. I’ve shown a lot of value and made projects run more smoothly and with less threat introduced by using just a whiteboard and markers. Haven’t explore the automated threat modeling space but I do believe that you can’t replace a human. A one-push threat model would be nice it’s just not that easy and as I’ve learned in the industry there is no easy button.

Threat modeling should be done as early in the process as possible. However, it is very useful for legacy applications or applications with minimal documentation. I’ve used it a lot for getting a better understanding of how an existing application or process works, especially if there’s very little documentation. These sessions usually require multiple because as unanswered questions comes up and people are tasked with doing some discovery work. Once that discovery has been made the threat model continues.

Summary

STRIDE is a good place to start with threat modeling. There are other methodologies that could be more applicable to the organization. I’ve only ever used STRIDE because it was effective for what I was doing with threat models. Walk through the chosen methodology to get an idea on the attacks possible within the application. These attacks can be simple or they can be a bit more elaborate. A few simple examples will help with getting people to think about how to attack an application or process.

Approaches to threat modeling will differ between organizations. A group of security experts can make an effective threat model but it may not be scaleable. The other option is to train people within the projects to perform the threat model. Thinking about what could go wrong will get people into the mindset of looking for problems before they happen. The earlier a problem is discovered the less costly it is to fix. Threat modeling can also be used for discovery on existing applications or processes.

There are tools available for threat modeling. The simplest and often the most effective is a whiteboard and markers. Threat modeling is like any other security program. Get it started and then mature it over time. Try new things and evaluate if it’s useful or not. Just get started.

Next we’ll go over risk management and rating the discovered threats.

Latest PoDCASTS

Featured

Apr 8, 2025

[RERELEASE] How to ZAP your websites

Apr 8, 2025

Apr 1, 2025

How Do Ransomware Gangs Work?

Apr 1, 2025

Mar 25, 2025

Offensive Tools for Pentesters with Chris Traynor

Mar 25, 2025

Mar 18, 2025

Hands-On Hacking with James Gillkey

Mar 18, 2025

Mar 11, 2025

Breaking Bad Code with Kevin Johnson

Mar 11, 2025

Mar 4, 2025

ShowMeCon and Security Perspectives with Amanda Berlin

Mar 4, 2025

Feb 25, 2025

How to Participate in a CTF

Feb 25, 2025

Feb 18, 2025

Real World Windows Forensics and Incident Response with JC at ShowMeCon 2025

Feb 18, 2025

Feb 12, 2025

ShowMeCon: A Must-Attend Conference for Cybersecurity Pros

Feb 12, 2025

Feb 4, 2025

Enhancing Online Privacy with Anonyome Labs

Feb 4, 2025

What Happened?

Why This Matters in Healthcare

Best Practices for Handling Sensitive Information

Why Should You Participate in a CTF?

Getting Started with CTFs

Choose the Right CTF

Learn Essential Tools

Understand Common CTF Categories

Practice, Practice, Practice

Join a Team or Community

Avoiding Common Mistakes

Conclusion

How the Scheme Operates

Consequences for Victims

How to Protect Yourself

Conclusion

Further Reading

The Scam: Too Good to Be True

Red Flags in the Offer

What Happens If You Respond?

Protecting Yourself from Job Scams

Conclusion

Use Careful Terminology: “Incident” vs. “Breach”

Establish Attorney-Client Privilege Early

Refine Your Communication Strategy

Define Roles and Responsibilities in Your IR Plan

Handle Ransomware Negotiations Carefully

Prepare for Possible Class Action Litigation

Use Tabletop Exercises to Strengthen Incident Preparedness

Conclusion: A Proactive Legal Strategy in Incident Response

Understanding THE Cybersecurity and Privacy Learning Program (CPLP)

The CPLP Life Cycle

Leadership and Organizational Roles

Metrics and Measurements

Integrating Privacy into Cybersecurity Training

Tailored Training for Diverse Audiences

Focusing on Improvement Without Punishment

A Culture of Learning

Conclusion

How to Stay Safe:

Why Should Your Organization Get a Pentest?

Common Misconceptions About Pentesting

Preparing for a Pentest

What Information Should You Provide to Pentesters?

How to Choose the Right Pentesting Provider

The Pentesting Process: What to Expect

Different Types of Pentests: Black-Box, Gray-Box, and White-Box

Understanding Pentesting Reports

What If No Vulnerabilities Are Found?

Innovative Trends in Pentesting

Conclusion: Why Pentesting is a Must for Every Business

The Power of TikTok and the Rise of Misinformation

The Cybersecurity Implications of Misinformation

Recognizing and Combating Misinformation

Critical Evaluation of Sources:

Cross-Referencing Information:

Recognizing Emotional Manipulation:

Awareness of Manipulative Tactics:

Educating Yourself and Others:

The Broader Impact of Misinformation

Conclusion: Staying Vigilant in a Digital World

Understanding Smishing

How Smishing Works

Tips to Protect Yourself from Smishing

Conclusion

Introduction

The Power of AI in Healthcare

Ethical Considerations and Patient Privacy

Cybersecurity Implications

Looking Ahead

Conclusion

The Key to Your Account: Guard Your Passwords

LastPass

1Password

Dashlane

Bitwarden

Keeper

Browsers

Crafting Strong and Memorable Passwords

Ensure Uniqueness for Each Account