Avoiding Legal Landmines in Incident Response: A Practical Guide for Security Teams

December 10, 2024

The information provided in this blog post does not, and is not intended to, constitute legal advice; rather, the ensuing conversation is for general informational purposes only.

In today’s cybersecurity landscape, responding swiftly and effectively to security incidents is critical. However, navigating the legal implications during an incident is equally vital to protect an organization from further liabilities. This guide covers essential strategies for avoiding the most common legal pitfalls in incident response (IR), based on insights from my recent podcast episode with cybersecurity attorney Thomas Ritter Exploring Legal Landmines in Incident Response.

Use Careful Terminology: “Incident” vs. “Breach”

When a security event occurs, the language you use to describe it can have significant legal implications. Terms like “breach” have specific legal definitions that can trigger mandatory notification requirements or other regulatory obligations. As a best practice, use neutral terms like “incident” until the situation is fully assessed by legal counsel.

Tip: Train your teams on preferred terminology and involve legal early in the process to make sure everyone understands when and how to escalate terms like “breach.”

Establish Attorney-Client Privilege Early

Engaging external counsel immediately after a security incident helps protect sensitive communications and investigative findings under attorney-client privilege. This protection is crucial should your organization face litigation, as it limits the exposure of certain communications during the discovery process.

Tip: Collaborate with your legal team to establish protocols for involving external counsel, even for minor incidents, to ensure privilege is in place if needed.

Refine Your Communication Strategy

Transparency is key during incident response, but be cautious with internal and external communications, especially in the early stages. Avoid speculative statements and keep communications brief until forensic findings provide a clearer picture.

Tip: Work with your legal and PR teams to develop standardized communications templates for different scenarios, ensuring clarity and consistency without compromising on accuracy.

Define Roles and Responsibilities in Your IR Plan

Many incident response plans (IRPs) lack a clear delineation of responsibilities, particularly regarding who determines when an incident becomes a breach. Ideally, legal counsel—preferably external—should make this determination to preserve objectivity and privilege.

Tip: Review your IRP to ensure that roles and escalation points are well defined, with legal counsel involved at key decision points.

Handle Ransomware Negotiations Carefully

Ransomware incidents often involve complex decisions about whether to engage with or pay threat actors. Professional negotiators can play a valuable role here, as they are well-versed in handling threat actor communications and negotiating terms without compromising your organization’s legal standing.

Tip: Always hire professionals for ransomware negotiations. Amateur negotiators risk mishandling sensitive communications, which can exacerbate both financial and reputational damage.

Prepare for Possible Class Action Litigation

In the event of a data breach, it’s increasingly common for affected parties to file class action lawsuits. Many legal teams recommend proactive measures to limit liability, such as documented protocols that show your team acted swiftly and responsibly during the incident.

Tip: Ensure your IR documentation is thorough and compliant with industry standards, as this can provide valuable evidence should litigation arise.

Use Tabletop Exercises to Strengthen Incident Preparedness

Incident response tabletop exercises, especially those involving executive teams, help prepare your organization to navigate both operational and legal complexities in a crisis. In addition to familiarizing staff with the IRP, tabletop exercises offer an opportunity to practice coordination with legal counsel, PR, and executive stakeholders.

Tip: Schedule annual or biannual tabletop exercises that simulate high-stakes incidents, like ransomware attacks, to ensure all teams are familiar with legal protocols.

Conclusion: A Proactive Legal Strategy in Incident Response

Responding to a security incident without considering legal implications can expose your organization to additional risks. By carefully navigating language, establishing attorney-client privilege, and preparing staff with tabletop exercises, your organization can avoid many of the legal pitfalls associated with incident response. Whether preparing for regulatory inquiries or class action lawsuits, these best practices can help your organization respond to incidents effectively and with minimized legal exposure.

Key Takeaways from NIST SP 800-50r1 – Building a Cybersecurity and Privacy Learning Program

December 2, 2024

In September 2024, the National Institute of Standards and Technology (NIST) released the updated Special Publication (SP) 800-50r1, "Building a Cybersecurity and Privacy Learning Program." This is an update to the 2003 NIST Special Publication (SP) 800-50, Building an Information Technology Security Awareness and Training Program. I hadn’t realized that there was a NIST publication on building a security awareness program. It’s good to see an update after 21 years! Here's a look at the key insights and recommendations from the updated publication. This was written with the help of ChatGPT.

Understanding THE Cybersecurity and Privacy Learning Program (CPLP)

Name Change! The document introduces the Cybersecurity and Privacy Learning Program (CPLP) as an overarching framework that includes awareness campaigns, role-based training, and workforce education initiatives. Aimed at fostering a culture of security and privacy, the CPLP is a strategic effort to manage risks and comply with federal regulations, such as FISMA. With privacy becoming a much bigger topic in the last 10 years, rolling it into an cybersecurity awareness program makes sense. This could cross multiple teams depending on how an organization is setup.

CPLP emphasizes awareness and education, incorporating role-specific training alongside general awareness activities, and focuses on encouraging behavior change to reduce risks and foster a culture of security. Continuous improvement is integral, with metrics and evaluations used to adapt programs to evolving needs.

The CPLP Life Cycle

NIST defines a four-phase life cycle for managing CPLPs: Plan and Strategy; Analysis and Design; Development and Implementation; and Assessment and Improvement. These phases involve developing a strategic vision that aligns learning objectives with organizational goals, identifying learning needs and creating tailored program designs, building or procuring learning materials and deploying the program, and measuring effectiveness while refining strategies based on outcomes. This iterative approach ensures that the CPLP remains dynamic and aligned with organizational needs.

Leadership and Organizational Roles

The success of a CPLP hinges on active involvement across all levels of the organization. Senior leadership plays a crucial role in providing strategic direction and resources, while CPLP managers oversee program design, delivery, and metrics. System users, on the other hand, are responsible for adhering to policies and participating in required training. Leadership participation, such as senior leaders engaging in training themselves, reinforces the importance of the program. Leadership buy-in is the first step to getting any sort of program off the ground. Heavily regulated industries are easier to get buy-in for than others.

Metrics and Measurements

Effective CPLPs rely on a mix of quantitative and qualitative metrics to evaluate success. Quantitative metrics include training completion rates, reductions in incidents, and compliance statistics, while qualitative metrics involve employee feedback, focus group discussions, and behavioral observations. NIST emphasizes using these metrics not just for compliance but to drive meaningful behavior change and demonstrate return on investment.

This section was helpful for thinking about what sort of metrics to have. One of the examples brought up is click rate which is a highly volatile statistic. A better statistic is report rate which is a positive behavior an organization wants to encourage within their population. The document doesn’t define what an organization should have for metrics but instead provides guidance.

Integrating Privacy into Cybersecurity Training

One of the standout updates in SP 800-50r1 is the seamless integration of privacy training into cybersecurity programs. It highlights the interconnected nature of these disciplines and the need for training to address both cybersecurity incidents and privacy risks, such as data re-identification or misuse. Teaching employees about privacy risks enables them to recognize potential problems and implement procedures that minimize such risks.

This is big within healthcare. Reports like the Verizon Data Breach Investigation Report show that the healthcare industry has higher internal threat actors due to mistakes and errors with handling information. This can lead to huge privacy implications for the organization.

Tailored Training for Diverse Audiences

CPLPs should be segmented to address specific needs. General users benefit from training on fundamental security practices, such as phishing awareness, while privileged access holders require advanced training on managing sensitive systems. Those in specialized roles undergo deeper training specific to their risks and responsibilities. Tailoring training ensures that it remains relevant and impactful for all user groups.

Easy to suggest much harder to do. A good starting point is what’s mentioned in the publication: all users; privileged access account holders; new employees; and staff with cybersecurity and privacy responsibilities. Tailored training should be broken down further into departments such as service desk and finance but this is a good starting point.

Focusing on Improvement Without Punishment

One of the critical takeaways from NIST SP 800-50r1 is the emphasis on using cybersecurity exercises, such as phishing tests, as opportunities for learning and improvement rather than punishment. The publication highlights the importance of informing employees that these exercises are conducted randomly and that the results will guide future learning activities. Such exercises should not be punitive, nor should employees be singled out for their responses. By framing these activities as learning opportunities, organizations can gather valuable data on vulnerabilities while fostering a supportive environment that encourages employee growth and engagement with cybersecurity practices.

A Culture of Learning

At its core, SP 800-50r1 promotes a culture of continuous learning and adaptation. From onboarding new employees to advanced training for cybersecurity professionals, the document underscores the importance of embedding cybersecurity and privacy awareness into organizational DNA. By viewing cybersecurity and privacy learning as an evolving process, organizations can be prepared for emerging risks and technologies.

Conclusion

NIST SP 800-50r1 offers a robust roadmap for organizations looking to strengthen their cybersecurity and privacy posture. For organizations aiming to enhance their cybersecurity and privacy programs, reading SP 800-50r1 is a great starting point. A focus on building culture and rewarding people will help change behavior and reduce the human element in incidents.

Explore the full NIST SP 800-50r1 publication here.

The 12 Scams of The Holiday Seasons: How to Stay Safe This Holiday Season

November 26, 2024

I wrote this for a security awareness program with help from ChatGPT. Feel free to grab and share within your own organizations.

The Better Business Bureau (BBB) has long been a trusted resource for protecting consumers and promoting trustworthy business practices. Their mission to provide valuable insights and tools to stay vigilant against fraud is especially critical during the holidays. This year, the BBB has compiled a list of the "12 Scams of Christmas" to help ensure your festive season remains joyful and scam-free.

Here’s a quick overview of these scams and how to protect yourself:

Fake Social Media Ads: Beware of deals that are too good to be true—they may lead to counterfeit or undelivered goods.
Gift Exchange Scams: Pyramid schemes disguised as “fun” gift exchanges often harvest personal information.
Holiday Apps: Some seemingly festive apps collect data or install malware on your device.
Fake Toll Texts: Scammers target holiday travelers with bogus unpaid toll notifications.
“Free” Gift Cards: Phishing emails offering gift cards often aim to steal sensitive data.
Seasonal Job Scams: Fake job listings trick job seekers into providing personal or financial details.
Impostor Scams: Fraudsters pose as customer service reps or mimic legitimate websites.
Fake Charities: Scammers take advantage of the season’s generosity with fraudulent donation appeals.
Phishing Shipping Notifications: Fake alerts about undelivered packages are phishing attempts.
Advent Calendar Scams: Low-quality or nonexistent calendars sold by untrustworthy vendors.
Shady Pop-Up Shops: Temporary retailers that vanish with your money or sell counterfeit goods.
Too-Good-To-Be-True Travel Deals: Unrealistically low offers designed to scam travelers.

How to Stay Safe:

Be skeptical of deals that sound too good to be true.
Verify sellers, charities, and offers through trusted sources.
Avoid clicking on unsolicited links or emails.

The BBB offers a wealth of information to help you navigate the holiday season safely. For the full list of scams and detailed safety tips, visit their 12 Scams of Christmas page.

This holiday season let’s protect our wallets and our personal information while spreading cheer and generosity. A little awareness can go a long way in keeping the holidays merry and bright!

How to Get a Pentest: A Step-by-Step Guide for Organizations

September 23, 2024

I like to call them security assessments. A test you can flunk; an assessment tells you where you’re at.
-Dave Chronister founder of Parameter Security

In today's rapidly evolving cybersecurity landscape, penetration testing (pentesting) is a crucial practice for organizations aiming to protect their systems and data. Pentesting involves simulating cyberattacks to identify vulnerabilities in a company’s infrastructure, allowing businesses to fix potential weaknesses before malicious actors can exploit them. But how do you approach getting a pentest, and what should your organization consider? Here’s a step-by-step guide to help you navigate the process.

Why Should Your Organization Get a Pentest?

Pentesting is essential for organizations of all sizes and industries. It provides a proactive approach to cybersecurity by identifying vulnerabilities and offering actionable solutions. Companies should consider scheduling a pentest if they are experiencing any of the following:

Deployment of new systems or applications
Significant organizational changes, such as mergers or expansions
Meeting compliance requirements (e.g., PCI-DSS, HIPAA)
Preparing for audits or certifications
Regular cybersecurity maintenance to ensure ongoing protection

In short, a pentest is your best defense against unknown vulnerabilities that could put your business at risk of being compromised.

Common Misconceptions About Pentesting

Many businesses have misconceptions about pentesting when they first approach the process. Some think it's a one-time event or believe that only large enterprises need it. In reality, pentesting should be a continuous part of an organization’s cybersecurity efforts. Even small businesses and startups can be targets for cyberattacks, making it essential to stay vigilant.

Additionally, pentests do not guarantee total security; instead, they highlight risks and provide insights to improve overall security measures.

Preparing for a Pentest

Before reaching out to a pentesting service, companies should take several steps to prepare:

Identify scope: Determine whether you want to test your entire network, specific applications, or particular security controls.
Understand your risks: Have an internal discussion to identify the most important assets of the organization.
Ensure cooperation: Make sure relevant teams are on board and ready to provide necessary information to the pentesters.
- Relevant teams could include: Infrastructure, networking, application owner, development. and leadership.
Plan for remediation: Have a plan in place to quickly address vulnerabilities that the pentesters may find.
Avoid Q4 pentests: The fourth quarter of the year is notorious for being the busiest time of year for companies that do pentests because organizations have waited too long to get their annual assessment done. Try to get pentests scheduled earlier in the year and spread them out if multiple are needed.

Proper preparation will not only streamline the process but also ensure the pentest delivers valuable results.

What Information Should You Provide to Pentesters?

To get the most accurate and comprehensive results, your organization needs to share critical information with the pentesters, including:

Network architecture details
System configurations
Known vulnerabilities or past security incidents
Specific security policies and procedures This collaboration ensures that the pentesters have a clear understanding of your environment and can deliver actionable insights tailored to your organization's needs.
A single point of contact for regular and emergency communication.

How to Choose the Right Pentesting Provider

Choosing a pentesting provider can be daunting, but there are several factors to consider to ensure you're making the right decision:

Certifications and Experience: Look for certifications such as OSCP, CEH, or CREST, but also ask about the provider’s industry experience. This can also include profiles on the individuals that will be performing the assessment.
Client References: Request client references or case studies to understand their track record.
Methodology: Ensure they use recognized frameworks like PTES for pentesting in general, OWASP for web applications or NIST for broader networks.
Communication: A strong pentesting provider should communicate clearly, explaining technical details in a way that stakeholders at all levels can understand. Avoid providers who overpromise or seem to offer too-good-to-be-true results—security is complex, and no single test can guarantee protection.
Reporting: A sample report will allow organizations to see how the report overall is structured. If a pentest is unwilling to provide one that’s a red flag.
Pricing: Pentests are expensive. If a company comes in significantly lower than other pentest companies then this is an indication that the company lacks the proper skillset or outsources to a company with cheap labor.

The Pentesting Process: What to Expect

Once you’ve chosen a provider and prepared your organization, the pentest begins. Here’s an overview of what you can expect during the process:

Initial Scoping: The pentesting team will meet with you to define the scope of the test and identify what will be targeted.
Rules of Engagement: This ensure that everyone is aligned on the goals, risks, and limitations of the engagement
Testing Phase: The pentesters will simulate attacks based on the agreed-upon scope. This can include network testing, application testing, or social engineering.
Reporting: After the test, the pentesters will compile a detailed report outlining the vulnerabilities they discovered, along with recommendations for remediation.
Debrief: The pentesting team will explain the findings and answer any questions. They may also help prioritize which vulnerabilities to address first and any technical questions on the exploitability of a vulnerability.

Different Types of Pentests: Black-Box, Gray-Box, and White-Box

Not all pentests are the same. Depending on your needs, you might choose between different types:

Black-Box Testing: The pentesters have no prior knowledge of the environment. This simulates how an outside attacker would approach your systems. This will often take the most time and be the most expensive.
Gray-Box Testing: The pentesters have limited knowledge, like login credentials or partial access. This allows for a balance between simulating internal and external threats.
White-Box Testing: The pentesters have full access to system information, source code, and infrastructure. This test is the most thorough but requires significant collaboration. This is the most comprehensive and the most efficient for both time and budget.

Each type offers different insights, and choosing the right one depends on your objectives and current security posture.

Understanding Pentesting Reports

A pentesting report is one of the most important deliverables of the process. It typically includes:

Detailed vulnerability findings: With severity rankings for each issue.
Recommendations for fixes: Practical steps your organization can take to address the vulnerabilities.
Risk analysis: How each vulnerability impacts your overall security.

Your team should use the report as a roadmap to improve security, focusing first on high-severity issues.

What If No Vulnerabilities Are Found?

If a pentest finds no major vulnerabilities, that’s great news! However, it doesn’t mean your company is fully secure forever. Cybersecurity is a continuous process, and as new threats emerge, regular pentests are necessary to stay ahead of potential risks.

Innovative Trends in Pentesting

As cybersecurity threats evolve, so does the practice of pentesting. Organizations should stay aware of trends like:

Bug Bounty Programs: More companies are adopting crowd-sourced pentesting through ethical hacker communities. These programs are for mature companies that have address findings from several previous pentests. Bug bounties often require some sort of compensation to get value out of the program. If the environment is not in a state of low findings then the organization will be buying out large sums of bounties.
Automated Pentesting: This is not a pentest. While adding it can help improve security it will have lots of false positives and only catch low hanging fruit. At the time of this blog post, nothing can replace a humans critical thinking in regards to a pentest.

By staying on top of these trends, businesses can ensure their security practices remain effective and up to date.

Conclusion: Why Pentesting is a Must for Every Business

Pentesting provides critical insights into your organization’s security and helps protect against evolving cyber threats. By understanding the process, preparing adequately, and choosing the right provider, businesses can significantly reduce their security risks.

Investing in regular pentests is not just a one-time event; it’s part of a continuous effort to keep your organization secure in a world where cyber threats are always changing.

Navigating the Misinformation Minefield: How TikTok is Shaping Political Perceptions

August 16, 2024

This is a blog post I put together for distribution internally. Feel free to take and use as part of your own security awareness program. Created with help from ChatGPT

In the ever-evolving landscape of social media, TikTok has emerged as a dominant force, especially among younger generations. While the platform offers endless streams of creative content, it also harbors a growing concern: the spread of misinformation. Recent research has revealed that 33% of young Americans have encountered political lies on TikTok, highlighting the platform's significant role in shaping political perceptions.

As misinformation continues to proliferate across social media, it’s crucial to understand how it spreads, its potential impact, and the steps we can take to protect ourselves.

The Power of TikTok and the Rise of Misinformation

TikTok’s algorithm is designed to keep users engaged by serving up content tailored to their interests. However, this algorithmic precision also makes it easier for misinformation to find its way into users’ feeds. Content that sparks strong emotional reactions—whether outrage, fear, or excitement—tends to spread rapidly, often without scrutiny.

Political misinformation can have far-reaching consequences. False narratives can skew public perception, influence voting behavior, and deepen societal divides. For young Americans, many of whom turn to social media as their primary news source, the risks are especially pronounced.

The Cybersecurity Implications of Misinformation

While misinformation may seem like a mere nuisance, it poses serious cybersecurity risks. Cybercriminals can exploit false information to launch sophisticated social engineering attacks. For example, a fake news story might be used as bait in a phishing campaign, luring users to click on malicious links or download harmful software. Once trust is established through seemingly legitimate content, attackers can easily manipulate their targets.

Moreover, misinformation can be used to incite panic or distrust, leading to actions that compromise security. For instance, during elections, misinformation about voting procedures can confuse voters, leading to disenfranchisement or chaos at polling stations. In such scenarios, the lines between misinformation and cyber threats blur, creating a fertile ground for malicious activities.

Recognizing and Combating Misinformation

Understanding how to identify and counter misinformation is crucial in today’s digital age. Here are some strategies to help you stay informed and secure:

Critical Evaluation of Sources:
- Not all information online is created equal. Always consider the source of the information. Is it from a reputable news outlet or a verified account? Be wary of anonymous sources or accounts with little to no background information.
- Check the publication date to ensure the information is current. Outdated information, when recirculated, can cause unnecessary confusion.
Cross-Referencing Information:
- Before accepting information as true, verify it through multiple credible sources. Misinformation often crumbles under scrutiny when checked against reliable reports or official statements.
- Use fact-checking websites like Snopes or FactCheck.org to confirm the validity of sensational claims.
Recognizing Emotional Manipulation:
- Misinformation often relies on eliciting strong emotional responses to bypass rational thinking. Be cautious of content that triggers immediate emotional reactions such as anger, fear, or joy.
- Pause and reflect before sharing emotionally charged content. Consider why it evokes such a strong response and whether the information could be misleading.
Awareness of Manipulative Tactics:
- Social media is rife with clickbait headlines designed to draw users in. These headlines may oversimplify, exaggerate, or completely fabricate information. Always read beyond the headline before forming an opinion.
- Be mindful of deepfakes and manipulated media. Advances in technology have made it easier to create realistic but entirely fake images and videos that can be used to spread falsehoods.
Educating Yourself and Others:
- Stay informed about the latest tactics used to spread misinformation. Knowledge is your first line of defense. Participate in digital literacy programs and encourage others to do the same.
- Engage in discussions with friends and family about the importance of verifying information before sharing it. Misinformation spreads quickly when people don’t take the time to fact-check.

The Broader Impact of Misinformation

The dangers of misinformation extend beyond individual harm. On a larger scale, widespread misinformation can erode trust in institutions, polarize societies, and even threaten democratic processes. In an environment where misinformation thrives, it becomes increasingly difficult to have informed, rational discussions on critical issues.

Moreover, the spread of misinformation can contribute to the normalization of falsehoods. As false narratives become more prevalent, they can start to shape reality, influencing public opinion and policy in ways that are harmful or unjust.

Conclusion: Staying Vigilant in a Digital World

In an age where information is at our fingertips, the responsibility to discern truth from falsehood rests on each of us. TikTok and other social media platforms offer immense value, but they also present risks that must be navigated carefully. By adopting a skeptical mindset, verifying the content we encounter, and educating ourselves and others, we can protect ourselves from the dangers of misinformation.

As we continue to interact with digital content, let’s commit to being informed and responsible consumers of information. In doing so, we not only safeguard our own security but also contribute to a more truthful and resilient digital community.

What is Smishing and How You Can Protect Yourself

May 20, 2024

This is an article I’ve put together for my internal Security Awareness program. Feel free to grab and use in your own program. Created with help from ChatGPT.

In today's digital age, cybersecurity threats are evolving rapidly, and one of the rising threats is "smishing." Smishing, a blend of "SMS" (short message services) and "phishing," is a form of phishing that involves sending fraudulent SMS messages designed to deceive recipients into revealing personal information or installing malware.

Understanding Smishing

Smishing attacks typically involve a text message that appears to come from a legitimate source, such as a bank, a well-known retailer, or even government agencies. These messages may claim that there's an urgent issue requiring your immediate attention, such as a problem with your bank account, a missed delivery, or a tax refund opportunity. The message will usually include a link that you are urged to click to resolve the issue.

How Smishing Works

The goal of smishing is to trick the recipient into providing sensitive information, such as login credentials, credit card details, or personal identification numbers. Alternatively, the link may download malware onto the recipient’s phone, which can lead to data theft or loss, financial loss, and sometimes even identity theft.

Examples of Smishing Attacks

Financial Frauds: "Notice from Bank XYZ: Unusual activity detected on your account. Please verify your identity immediately to prevent closure. Click here [link]."
Fake Contests: "Congratulations! You’ve won a $500 gift card from [Popular Brand]. Claim your prize now [link]."
Impersonation of Authorities: "Urgent COVID-19 alert in your area. Click here for safety measures to follow [link]."
CEO Fraud: “Hi [employee], are you available? I have an urgent need.”

Tips to Protect Yourself from Smishing

Be Skeptical of Unsolicited Messages: Always be wary of text messages that ask for personal information, especially if they convey a sense of urgency.
Verify the Source: If a message claims to be from an organization you do business with, verify its authenticity by contacting the organization directly using a phone number or email address from their official website—not the contact details provided in the message.
Avoid Clicking on Suspicious Links: Do not click on links in unsolicited texts or emails. Instead, go directly to the website by typing the URL into your browser.
Educate Yourself and Others: Awareness is your best defense. Learn about the latest smishing tactics and educate your family and friends on how to protect themselves.

Conclusion

Smishing is a significant and growing threat in the realm of cyber scams. By staying informed and cautious, you can protect yourself from falling victim to these malicious attacks. Always remember that when it comes to protecting your personal information, vigilance is key. If you suspect you’re being targeted by a smishing attack please contact [INTERNAL SECURITY TEAM INBOX].

AI security and healthcare - created by ChatGPT

Embracing AI with Care: A Guide for using AI in the healthcare workplace

April 10, 2024

This is an article I put together for internal communication on my companies intranet. I actually put two different articles together. Both are along the same lines just written different. I would love feedback on anything I may have missed. Otherwise feel free to use this as part of your company’s internal communication. This was most written by ChatGPT.

Introduction

In the rapidly evolving world of healthcare, Artificial Intelligence (AI) has emerged as a beacon of hope and innovation. From improving patient outcomes to optimizing operational efficiencies, AI's potential is undeniable. However, as we integrate these powerful tools into our daily operations, it's imperative to approach AI with a blend of enthusiasm and caution.

The Power of AI in Healthcare

AI's application within healthcare spans from predictive analytics in patient care to automating administrative tasks, allowing healthcare professionals to focus on what they do best—caring for patients. AI algorithms can analyze vast amounts of data to predict patient deterioration or optimize treatment plans. Additionally, AI-driven chatbots can enhance patient engagement and support, providing timely information and assistance.

Ethical Considerations and Patient Privacy

While AI can significantly improve efficiency and patient care, its implementation in healthcare comes with profound ethical implications, especially concerning patient privacy and data security. As stewards of sensitive health information, it's our collective responsibility to ensure that AI tools are used ethically and in compliance with all applicable laws and regulations, such as HIPAA.

Transparency and Consent: Patients should be informed about how AI might be used in their care, including the benefits and potential risks. Obtaining informed consent is not just a legal requirement; it's a cornerstone of trust.
Data Privacy: Always ensure that AI systems handling patient data are secure and compliant with data protection laws. Anonymization of data before AI analysis is a critical step in safeguarding patient privacy.
Bias and Fairness: AI systems are only as unbiased as the data they're trained on. It's essential to continuously monitor and evaluate AI tools for any form of bias, ensuring equitable healthcare outcomes for all patients.

Cybersecurity Implications

The integration of AI into healthcare systems increases the complexity of our cybersecurity landscape. AI can both bolster our cybersecurity defenses and represent a novel vector for cyber threats. Therefore, a proactive and informed cybersecurity approach is essential.

Adherence to Security Policies: All use of AI technology must comply with our comprehensive security policies, which are designed to protect both patient data and our IT infrastructure. This includes strict access controls, regular security audits, and adherence to best practices in AI ethics and governance.
Education and Awareness: Employees must be educated about the potential cybersecurity risks associated with AI, including social engineering attacks that leverage AI-generated content.
Handling of sensitive data: It is crucial to ensure that sensitive data is not entered into or processed by AI systems that are not under our direct control and that do not meet our strict security and privacy standards. Employees should avoid the use of unauthorized AI tools and platforms that could inadvertently expose sensitive patient information or proprietary data. This includes being aware of third-party companies that have integrated AI into their platforms.
Secure AI Development: AI systems must be developed and maintained with security in mind. Threat modeling helps to identify potential issues before they arise. Regularly updating and patching systems helps maintain the integrity and security of systems.
Vigilance and Reporting: Employees are empowered to report any suspicious activities or vulnerabilities. Early detection is key to preventing cyber incidents or data privacy issues.

Looking Ahead

As we journey forward, integrating AI into our healthcare practices, let us do so with a vigilant eye on the ethical, privacy, and security implications. By fostering a culture of responsible AI use, we not only protect our patients and their data but also contribute to the advancement of healthcare, making it more accessible, efficient, and effective for all.

Conclusion

The integration of AI in healthcare represents a frontier of endless possibilities. Yet, as we harness these technologies, we must navigate this terrain thoughtfully and responsibly, ensuring that we remain steadfast in our commitment to patient care, privacy, and security. Together, we can create a future where AI empowers us to deliver better healthcare than ever before.

The Art of Secure Passwords: Safeguarding Your Digital Life

March 27, 2024

This is a blog post I plan to submit to my companies intranet site as part of security awareness program. I wanted to post this here in case others would like to use it for their own internal programs. This was largely generated with ChatGPT. I have gone through and made my own edits and adjustments.

In today’s interconnected world, passwords are the gatekeepers to our digital existence. Whether it’s accessing your email, online banking, or social media accounts, a strong password is your first line of defense against cyber threats. In this blog post, we’ll explore essential practices for creating and managing secure passwords.

The Key to Your Account: Guard Your Passwords

Your passwords are like the keys to your virtual kingdom. Treat them with utmost care and never share them with anyone. Remember, a password shared is a vulnerability exposed. Whether it’s your Netflix account or your corporate email, keep those keys close and confidential.

Password managers are great for both storing and creating passwords. Password managers generate and store complex, unique passwords for each of your accounts. Instead of remembering dozens (or even hundreds) of passwords, you only need to remember one master password. Password managers can auto-fill your login information on websites and apps, streamlining the login process. Below are some recommended password managers for personal use:

LastPass

Features: LastPass offers a user-friendly interface, secure password storage, and strong password generation. It's accessible across various devices and browsers, making it convenient for users who need to manage their passwords on the go. LastPass also features secure sharing options, allowing users to safely share login information with trusted individuals.

1Password

Features: 1Password is known for its strong security measures, including a unique security key for encryption, making it nearly impossible for unauthorized users to access your vault. It also offers a Travel Mode, which temporarily removes sensitive data from your devices when crossing borders. 1Password's user interface is clean and intuitive, with excellent organization features for managing passwords and documents.

Dashlane

Features: Dashlane provides a robust set of features, including password management, a secure digital wallet, and a VPN for safe browsing. Its password changer feature can automatically update passwords on various sites, enhancing security with minimal user effort. Dashlane is suitable for individuals and businesses looking for a comprehensive security solution.

Bitwarden

Features: Bitwarden stands out for being open-source, offering transparency in its security practices. It provides a secure vault for passwords and sensitive information, with options for self-hosting for users who prefer complete control over their data storage. Bitwarden's free version is feature-rich, making it an excellent choice for budget-conscious users seeking reliable security.

Keeper

Features: Keeper is noted for its high-level security features, including biometric logins and a secure messaging vault. It offers flexible storage options for passwords, files, and private client data, making it a suitable option for both personal and professional use. Keeper also includes breach monitoring to alert users of potential security threats.

Browsers

Browsers can be a good place to store passwords for users seeking convenience and simplicity, offering several features that facilitate better password practices. However, for those who require more robust security features, flexibility, and functionality, a dedicated password manager might be a more suitable option. As with any security tool, the best choice depends on your specific needs, habits, and the level of risk you're comfortable with.

Crafting Strong and Memorable Passwords

Creating strong and memorable passwords is essential, especially for securing critical accounts like those for work, email, and finances. Here's how to craft passwords that are both robust and easy to remember:

Ensure Uniqueness for Each Account

Distinguish your work and personal passwords to safeguard against potential breaches. Each account should have a unique password to prevent a security issue in one from affecting others. Websites like Have I Been Pwned offer valuable insights by letting you check if your email has been involved in any breaches, underscoring the importance of uniqueness.

My personal email shows up in the LinkedIn breach

Opt for Passphrases with Special Characters

Early in my career, I learned the effectiveness of using multi-word passphrases with special characters interspersed. This strategy not only makes passwords more difficult for attackers to guess or crack but also helps in keeping them memorable. Despite witnessing 22-character passwords being compromised, it's clear that security isn't solely about length. Crafting your password—a mix of length, complexity, and unpredictability—is key.

Avoid common or popular phrases. Instead, draw inspiration from less obvious sources, like obscure quotes or unique phrases from your favorite media. This approach significantly lowers the risk of your password being easily cracked while ensuring it remains memorable to you.

By focusing on creating unique, complex passphrases that are personal and meaningful, you can significantly enhance the security of your online accounts while maintaining ease of recall.

Conclusion

By adopting recommended practices—treating passwords as keys to our digital domains, leveraging password managers for enhanced security, and crafting strong, memorable passwords—we fortify our digital presence against unauthorized access.

Password managers like LastPass, 1Password, Dashlane, Bitwarden, and Keeper offer robust protection. For added simplicity, browser-stored passwords can also serve as a basic defense. Utilizing unique passphrases enriched with special characters further strengthens our security posture, as echoed by services like Have I Been Pwned, which emphasize the importance of password uniqueness.

In conclusion, secure password practices are not just about technical security; they're about empowering ourselves to navigate the digital space confidently and securely. Let's prioritize our digital safety by embracing these practices, ensuring our online presence is shielded from potential threats.

Leveraging AI to Ace Your Next Job Interview

February 29, 2024

In today's rapidly evolving job market, Artificial Intelligence (AI) has become more than just a buzzword—it's a tool that can provide a competitive edge in various aspects of life, including job hunting and interview preparation. As interviews become increasingly sophisticated, candidates are seeking innovative ways to prepare and stand out. I’ve recently gone through a few different interview processes and as part of that I leveraged AI to help do research and prepare for my interviews. Here's how AI can be your ally in acing your next job interview.

Understand the Role and Company

Before you even start preparing for the questions, it's crucial to have a deep understanding of the role you're applying for and the company behind it. AI-powered tools can analyze job descriptions, company websites, and news articles to provide a comprehensive overview of what the company values in its employees and what skills and experiences are critical for the role. This information can help tailor your interview responses to align with the company's culture and needs.

Personalized Practice Sessions

AI-driven interview preparation tools can simulate realistic interview scenarios tailored to the job you're applying for. These platforms use natural language processing to evaluate your answers, providing feedback on content, tone, clarity, and even body language in video-based practice sessions. This personalized feedback can help identify strengths to highlight and weaknesses to improve upon, making your preparation more focused and efficient.

I’ve taken the job description and my resume and put them into ChatGPT to help identify how my experience aligns with the role. I’ve also taken the job description and any other information about the interview I’ve been provided and asked ChatGPT to create practice questions. I then take those questions and practice saying out loud my responses. I found the interview questions to be pretty close to the real questions I got asked. The questions allowed me to think through how I would answer questions and lean on past experiences. While not an exact match it did afford me an opportunity to think through my experiences and apply those to similar questions.

If there is a technical aspect to the interview AI can be used to prepare by getting quizzed on technical questions. Unfortunately, I didn’t think of this use case until after I had already gone through an interview that had technical questions in it. I struggled through those questions and did not move one. Had I prepared using AI I would have been better prepared to answer those questions and a better shot at moving on.

Enhancing Your Answers

AI doesn't just stop at practice; it can also help refine your answers. Tools like GPT (Generative Pre-trained Transformer) can suggest ways to structure your responses more effectively or creatively. Input your basic answer, and AI can enhance it, ensuring you communicate your thoughts coherently and compellingly. However, it's essential to keep your answers authentic to your experiences and voice; use AI as a tool for improvement, not a crutch. It’s also very important to say the responses out loud to understand how the responses will come off. Sometimes what’s in our head doesn’t sound as good when it’s said out loud.

Final Thoughts

As AI continues to transform the job market, its role in interview preparation is undeniable. By offering personalized feedback, and enhancing response, AI can be a valuable asset in your job search toolkit. However, it's important to remember that AI is a supplement, not a substitute, for genuine preparation. The goal is to use AI to enhance your authentic self, showcasing your skills, experiences, and personality in the best possible light.

Embrace AI as part of your interview preparation strategy, but keep the focus on your unique contributions and how you can add value to the company. With the right preparation and mindset, you can use AI not just to prepare for interviews but to excel in them.

This blog post created with the help of ChatGPT

7 Tips and Best Practices for Threat Modeling

February 28, 2024

In the ever-evolving landscape of cybersecurity, threat modeling emerges as a crucial practice that helps organizations identify, assess, and mitigate potential security threats. It's a proactive approach that focuses on understanding the assets that need protection, identifying what threats those assets might face, and defining measures to mitigate those threats. Here are some essential tips and best practices for effective threat modeling:

1. Start Early and Integrate Continuously

Begin threat modeling at the earliest stages of system design and continue to integrate it throughout the development lifecycle. Early integration helps in identifying potential security issues when they are easier and less costly to resolve. Studies has shown the fixing issues later in development or IT project are more costly.

A chart showing the cost of fixing a bug throughout the development lifecycle

2. Involve a Cross-Functional Team

Threat modeling should not be the sole responsibility of the security team. It requires a collaborative effort involving developers, operations, architects, and business stakeholders. Each group brings a unique perspective that contributes to a comprehensive understanding of the system and its potential vulnerabilities.

There are other benefits to threat modeling outside of security. It get’s everyone involved in the project on the same page. Often development and infrastructure teams can be at odds about what needs to be done to complete the project. Threat modeling is an opportunity to bring everyone together to better understand and clarify what needs to get done.

3. Watch for scope creep

Identify what is being discussed at the start of the session. This will help setup boundaries for the discussion. People will want to dive into are other topics adjacent to the project. While they may need to be discussed at some point now is the time to discuss what was defined in the scope. I often will tell people let’s setup another session or move the discussion to later in the meeting if there’s time. This will help the meeting run more smoothly and ensure the topic of discussion get’s threat modeled.

4. Keep the Attacker's Perspective Simple

Thinking like an attacker can provide invaluable insights into potential vulnerabilities and attack vectors. Understand the capabilities, motives, and methods of potential attackers to better anticipate and counteract their actions. Not everyone has an attacker mindset. Most people in an organization are builders. We as attackers are looking to tear things down and break them.

This can take some getting used to for people. It may take multiple sessions before they start getting into the attacker mindset. It’s a lot like exercise. It takes time to build up those security muscles but once it happens it will make the meeting run a lot more smoother. I often start with simple attacks such as offering someone a million dollars for their access.

5. Use silence

As I’m drawing out a diagram, I will often be thinking of attacks. This isn’t necessarily the case with people outside of security. Especially, if threat modeling is new to them. If I provide all the attack scenarios it won’t help the others in the room foster that security mindset. Use silence to get people engaged in the discussion.

Most people are uncomfortable in a group setting with silence. The facilitator of the session will need to get comfortable with silence. After a period of time someone will speak up with an idea. Don’t shoot down all ideas. Write them down like you would a brainstorming session. This will help encourage more people to speak up with their ideas.

6. threat modeling discussions are chaos

If it feels like chaos you’re likely doing it right. As you go through the session you may feel like you’re taking a step back and adding things to the diagram or the security profile. That’s okay. Keep your eraser tool handy because you may need to adjust different things on the diagram. I’ve been in sessions that I thought were going to take 20 minutes and they ended up taking three hours.

7. Meeting notes and action notes

Identify someone to help take notes. This will with more thoroughly document the meeting. Governance Risk and Compliance (GRC) folks are great at this. After the meeting ask for the notes to compare with your own. Virtual meetings can be recorded for later viewing and ensuring notes are complete.

After the meeting send the meeting notes, a picture or screenshot of the diagram, and action items. This will help document the meeting and allow anyone to make corrections on the notes. Action items are important for any follow up items that need to be addressed. Make sure to identify a person to follow up with and not a group. Also, it doesn’t hurt to document these in a central repository that everyone can access.

Conclusion

Threat modeling is an essential practice in the toolkit of cybersecurity professionals. Threat modeling sessions can often feel like chaos and that’s okay. Make sure to start early and integrate into development and IT projects. Involve anyone that has work to be done as part of the process. Watch for scope creep and offer to set up another time to discuss. Use silence and keep the attacks simple to get people engaged in the conversation. Finally, remember to document each discussion, assign action items, and give people the opportunity to make corrections on the topic discussed.

Threat modeling is one of the low cost and most effective tools in your organization. These tips and best practices will ensure that threat modeling being performed at an organization will be efficient and effective. Leave a comment below if you have any tips or best practices for threat modeling.

Be a cybersecurity Kevin Bacon - *Image created with the help of ChatGPT*

How to become a Cybersecurity Kevin Bacon

February 21, 2024

The Six Degrees of Kevin Bacon proposes that anyone in the Hollywood film industry is linked to Kevin Bacon within six steps. I’ve somehow had the title applied to me by a few different people. A large part of that is the networking I’ve done in the industry. I’ve hung out and talked to a lot of people. I don’t know everyone in the industry but I have meet people for the first time and we’ve known similar people. In this post I want to cover the networking that may have put me in the same breadth as Mr. Bacon.

Attend Conferences

My very first conference when I got into security was BSides Charleston in 2013. I went down with a buddy to the conference and meet a few people. One of those people that stood out was Evan Davison who goes by the hacker name Pentestfail. He gave a great talk on defense in-depth (this is the same talk at a ISSA local chapter). Evan and I would cross paths multiple times over the next 10 years. We would volunteer and get to know each other at BSides Augusta and the Social Engineering Village at DEF CON.

It’s not just about attending conferences it’s about getting involved and interacting with people. That could be meeting and talking to people, participating in capture the flag competitions, volunteering, or speaking. If you’re nervous about meeting people volunteering is a great way to meet and interact with people.

At one point I was going to 8-10 conferences a year. Most conferences were one day events within a a five hour driving distance so it was only a day or two. Still that’s a lot and it’s not something I’d necessarily recommend as I did get burned out and decided to tone back the conference attendance to three in 2019. There was also the cost. My company did always cover travel. I got maybe one a year. The rest was on my dime but I will say it was worth it for the connections I was able to build within the community.

Going to events allows for shared learning and job opportunities. I’ve learned a lot from just talking to people in the hallway at conferences. It’s a safe space for sharing interesting stories that you wouldn’t hear otherwise. If you’re the type that has a hard time starting a conversation, ask questions. People love talking about themselves and sharing their insights into the industry. I’ve had entire conversations with people who never asked a question or knew my name but I knew a ton about them and got some really great security stories.

Volunteer at events

When I first started attending conferences I would volunteer. This forced me to meet people and as a bonus got me a free ticket into the conference. To get away from registration or door duty I started asking organizers if I could bring my camera and shoot pictures for them at the conference. This was great because I got to be more mobile and allowed me to meet and talk to a variety of people at the conference.

This also opened the door for invitations to work other conferences where my travel expenses were covered. If you have an interest see if it fits into helping out with a conference. I know several people volunteer just to do video for a conference. I’ve also seen people contribute by providing a quilt that was auctioned off. Find something you feel can contribute to the conference. Working the registration desk is also fine.

Volunteering helped me get a really great job in Nashville, TN. I had been traveling to BSides Nashville since it’s inception. There was an opening at a company one of the organizers was working at. I didn’t know that organizer really well but when they were asked about me for the position they responded that I showed up and did my job. Not necessarily a glowing endorsement but it helps and you never know who you’re going to interact with while volunteering.

Attend Local User Groups

Local user groups are great if you’re looking to network within your own city. If there’s not one I’d recommend starting one up. It’s definitely a lot of work but very rewarding. When people ask me my greatest accomplishment I often will tell them it’s starting a local user group in Columbia, South Carolina, that has 20-25 regular attendees. That’s massive for a local user group by the way. If you need guidance on starting a local user group there’s a couple podcasts for that.

How to Start a Successful CitySec Meetup - Part 1

How to Start a Successful CitySec Meetup - Part 2

Starting the local user group allowed me to meet a lot of people in town. You never know if you’ll meet your future employer or someone that starts their own company. I had both those experiences starting a user group. The first was switching to a different state department after meeting the South Carolina state CISO at a meetup and going to lunch with him.

The other is meeting Andrew Morris who is the founder of GreyNoise a company that’s starting to make waves in the cybersecurity community. I met him at a conference called Trends in 2015 where he told me about his idea for the company. I’ve had him on the podcast a couple of times to talk about being a pentester.

Start a blog or podcast

Speaking of podcasts, most people don’t know that I had a podcast prior to my security podcasts. I ran The Crawfish Boxes (TCB) podcast for the Houston Astros fan site on SB Nation. I gained some notoriety with the Houston Astros organization due to that podcast and blogging I did for TCB. It’s amazing how more accessible people become when you offer to interview them. I have a big leaguer or two in my cell phone and at one point had two baseball General Manager’s following me on Twitter.

I took the lessons and experience from covering baseball and brought it into the infosec community and it has really helped my career. I’ve gotten to meet and talk to a lot of great people in the field on my podcast. I’ve had a lot of success just reaching out and asking people if they’d be interested in talking about a topic they’re presenting on or have blogged about. There are people who never responded or responded and then stopped responding but more often than not I can get an interview set up with them.

One of the hardest things getting started is imposter syndrome, “Why would people want to listen or read me?” “Someone else is already doing what I would want to do.” I had those same thoughts but went ahead because I have my own unique perspective to offer. It’s still nerve-racking but the longer I did it the more I realized I have something to offer to the community. I love having a conversation with people and learning more about what they know. Which made podcasting a great fit.

Blogging, on the other hand, is the one I’ve struggled with. I was never good in English class and if I had concerns about podcasting and what people thought my writing is on a much higher level of imposter syndrome. But blogging isn’t about perfect English, it’s about sharing a unique viewpoint. English and grammar help but it’s more about the idea and finding my voice. Plus, the more I do it my writing is bound to improve, right? Right? AI is something I’m leveraging as an assistant. It’s not always great but it can help.

Summary

To be a Kevin Bacon you gotta get out there. Attend conferences and local user groups. You’ll get to meet a lot of really great people. If you struggle with talking to people volunteer. It can force you to meet people and show your willingness to contribute to the community. Start a blog or podcast or vlog. Putting yourself out there can help you grow as a professional and open up doors. If blogging or podcast aren’t your thing that’s okay. Identify what you’re interested in and see how that can fit into the community. There’s a lot of ways to contribute. Contributing to an open source project or participating in a capture the flag event can do similar things for your career. Find ways to get involved.

Exploring tools and resources for threat modeling - *Created with the help of ChatGPT*

Tools and resources for effective Threat Modeling

February 19, 2024

My presentation for this year is Threat Modeling. My first stop is the 2024 Palmetto Cybersecurity Summit Feb 21-22, 2024, in Columbia SC. I’ll also be speaking at BSides Nashville May 11, 2024, and ShowMeCon May 13-14, 2024.

Getting Started

We’re going back to kindergarten people! We’ll get to draw shapes and lines and use different colored markers! To get started all one needs is a whiteboard and markers. Building out a diagram is the first step. As I mentioned in the Basics of Threat Modeling blog post having one prepared prior to the session will help expedite the process. Unfortunately, if there isn’t an existing diagram one will have to be done during the session. Adam Shostack has a description of the symbols and elements to use in a threat model on his GitHub page. They’re very simple and that’s the intention because threat modeling an application or process can get very complex.

Adam Shostack - DFD3 - https://github.com/adamshostack/DFD3

If the session is virtual and not in person the same principles applies. All popular video conferencing has a whiteboard feature on it that can be used for threat modeling. There are third-party options as well including:

Microsoft Whiteboard (Usually free with corporate account)
Microsoft Visio (License required)
Microsoft Threat Modeling Tool (Free)
OWASP Threat Dragon (Free)
Draw.io (Free)
Miro (Free version)
Lucidchart (Free version)
MURAL (Free version)
Whimsical (Free version)

The tools I’ve had experience with are Microsoft’s Whiteboard, Visio, and Threat Modeling Tool. Visio and the Threat Modeling Tool get into a lot of detail and can feel complex if you’re just getting started. The more important thing is learning the methodology and approach to threat modeling. Threat Dragon has a lot more simplicity. It is open-source so doesn’t have all the bells and whistles of other tools. It can take a little to get used to using. I’ve seen developers create diagrams with Draw.IO. It’s simple and easy to use but be mindful that if they build it on a third-party website they may be putting internal organization information on the internet. I have not used Miro, Lucidchart, MURAL, or Whimsical but they look similar to Draw.IO. Leave a comment below with your favorite white boarding tool.

Automated threat modeling tools

I have only used Microsoft Threat Modeling Tool and OWASP Threat Dragon for automating parts of the threat model process. Microsoft’s Threat Modeling Tool get’s very granular and tries to be exhaustive on attack scenarios. If you like digging into a lot of details it can be a very useful tool. OWASP Threat Dragon is a much lighter version of that which is why I used it a lot more. For me I wanted the group to come up with their own attack scenarios because it allowed them to exercise their security muscles and build a stronger security mindset. This impacts the other areas of their day-to-day work. As their working they’ll be thinking about security.

There are other commercial and open-source tools that promise one-click threat modeling. I have not had an opportunity to use them. Here are some popular ones I found:

If you have used one of these or another leave a comment below.

Educational Resources

The book I always recommend is Threat Modeling: Designing for Security by Adam Shostack. It is “THE” book on threat modeling. What I love about the book is that after the first chapter it says to just start threat modeling. It’s more of a companion book for learning and maturing the threat modeling program.

OWASP is another resource for threat modeling. They have an entire project on everything you need to know about Threat Modeling. The OWASP Cheat Sheet is also a great place to start and a good reference point while maturing the threat modeling practice. Finally, an exhaustive list of threat modeling resources can be found at Awesome Threat Modeling on GitHub.

Leave a comment below with resources or tools you recommend. If you’re interested in seeing a version of this talk check out the ColaSec Meetup page as I will be presenting on threat modeling at the February 20th, 2024, meetup. A virtual option for attending is available.

Threat modeling risk management

February 15, 2024

In this post I want to talk about rating and prioritizing the discovered threats from a threat modeling session. We’ll get into the different methodologies and talk about some of the nuances of them.

Methodologies for Risk Management

Created with help from ChatGPT

DREAD

DREAD, an acronym for Damage, Reproducibility, Exploitability, Affected users, and Discoverability, is a risk assessment model used to prioritize threats. Although its use has declined due to its subjective nature and lack of business context alignment, some organizations may still find it useful for quick, high-level risk assessments.

This is what I use for threat modeling. If you read Adam Shostack’s book he calls it obsolete and recommends SDL Bug Bar. The reason is that the different categories can be a bit ambiguous, lack granularity, and context. I think it’s great for getting started and keeps threat modeling simple. As threat modeling matures there may be a need to mature the risk management and switch to something that provides more scaleability.

Using DREAD we would rate the threat by each theat on a 1-3 scale. This allowed for prioritizing low, medium, and high. The final number will help prioritize the threats discovered for follow up. Again, when dealing with other groups it’s important to keep the bar to entry low. As the program matures and people get a better idea on threat modeling advancing to something a bit more technical can be useful.

SDL Bug Bar

The Security Development Lifecycle (SDL) Bug Bar is a concept and a set of criteria used within Microsoft's SDL framework to classify and prioritize the handling of software bugs based on their security implications. The "bug bar" establishes a baseline for the security severity that a bug must meet or exceed to be considered a priority for fix before software can be released. It helps teams make consistent, informed decisions about which security vulnerabilities to fix and when to fix them.

There’s not really a lot available online for implementing the Bug Bar. There are some blog posts and the SDL Bug Bar PDF which doesn’t exactly give instructions on how to implement. It can be loaded as a template into other Microsoft tooling so that can be helpful and will help with streamlining some of the threat modeling process. Leave a comment below if you’ve had experience implementing the SDL Bug Bar.

OWASP Risk Rating Methodology

The Open Web Application Security Project (OWASP) offers a risk rating methodology that considers factors such as threat agents, attack vectors, technical impact, and business impact to prioritize vulnerabilities. This methodology is particularly useful for web application security and can be adapted to fit an organization's specific needs. This has more in-depth math and expanded categories for rating a threat. This could be another option for maturity.

CVSS (Common Vulnerability Scoring System)

CVSS provides an open framework for rating the severity of security vulnerabilities in software. It offers a standardized way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. CVSS scores can help organizations prioritize their response and remediation efforts based on the potential impact of each vulnerability. This is one of the standards for vulnerabilities.

FAIR (Factor Analysis of Information Risk)

FAIR is a quantitative risk analysis methodology that helps organizations understand, analyze, and quantify information risk in financial terms. FAIR differs from other models by focusing on the financial impact of risks, making it particularly useful for making informed, data-driven decisions about cybersecurity investments and risk management strategies. This methodology was created by Jack Jones with the intent of providing risk in financial terms for organization.

TARA (Threat Agent Risk Assessment)

TARA identifies potential threat agents and evaluates the risks they pose to an organization's critical assets. This methodology is useful for organizations that want to focus on the most likely sources of threats and tailor their defenses accordingly. Intel created TARA as part of its comprehensive security and risk management strategy to identify, assess, and prioritize risks based on the potential impact of various threat agents. This methodology was created by the Department of Defense (DoD) in 2010. It uses built in attacks to assist in the risk assessment process.

Summary

There are multiple options for rating and prioritizing the threats identified in a threat modeling session. I like DREAD because it’s simple but that might not be feasible for larger organizations. If you’re a Microsoft shop the SDL Bug Bar may be a better fit. OWASP Risk Rating Methodology is also another option. If you really want to go deep CVSS or another framework may be the best option. FAIR and TARA are two methodologies that look to provide specific context to risk management. FAIR from a financial standpoint and TARA has a DoD lean. Choosing the best risk management methodology will depend on the organization and it’s needs. Try multiple and see what works best for your organization.

Next we’ll get into tools and resources for threat modeling.

Exploring threat modeling methodologies and approaches - *Image created with the help of ChatGPT*

Methodologies and Approaches for Threat Modeling

February 14, 2024

There are a variety of ways to do threat modeling. Deciding which one to use will depend on the organization and what is being threat modeled. I started with STRIDE which is a standard methodology for getting started. We’ll touch on the other ones but I’ve not had experience with them. The basic concept should be the same. The methodologies are used to help guide a threat modeling session through attacking and mitigating the threats discussed.

MethodologieS

STRIDE

Developed by Microsoft, STRIDE is an acronym for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. This model helps in identifying threats in these six categories, making it easier to systematically address potential security issues.

Repudiation is the one that always get’s me. It’s attackers getting in and performing illegal operations without leaving any sort of evidence. This is usually due to a lack of logging. The others are fairly straight forward.

LINDDUN

This is a privacy-focused threat modeling methodology designed to help identify and address privacy threats in information systems. The acronym LINDDUN stands for the seven types of privacy threats it aims to uncover: Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, and Non-compliance.

PASTA

The Process for Attack Simulation and Threat Analysis (PASTA) is a seven-step, risk-centric methodology. It focuses on aligning business objectives and technical requirements, taking into account the attacker's perspective and potential attack vectors. It is thorough and integrates well with risk management.

OCTAVE

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) is a suite of tools, techniques, and methods for risk-based information security strategic assessment and planning. It focuses on organizational risk and security practices, making it more suited for strategic, rather than technical, threat analysis.

Attack Trees

Attack Trees provide a methodical way of describing the security of systems, based on varying attacks. It's a graphical representation of potential attacks, organized in a tree structure, showing how an overall goal (root) can be broken down into sub-goals (leaves). This is an example of an attack tree.

Example of using STRIDE

Created with the help of ChatGPT

A threat modeling tweet by @thegrugq that highlights attack surface.

Below are some examples I’ve seen discussed in a threat modeling session. The skies the limit and will be different depending on the application or process. At the very least it’s a thought exercise that helps people think about security and discuss mitigating controls. Some of these attacks are more likely than others. Within healthcare insider threat and errors are a lot higher than other industries. They’re still susceptible to external attacks but the bigger concern may already be inside the organization. Each organization will have it’s own attack surface.

Spoofing

Threat: A healthcare provider uses another users logged in session when they walk away form their computer.

Mitigation: Ensure session timeout is set to what is needed for the business use case of the application. If a user has several activities that require waiting for something to finish in the application or they need to login into other applications and then come back then the timeout may need to be longer.

Tampering

Threat: A healthcare provider accidentally modifies the wrong record for two different patients.

Mitigation: Add a, “are you sure?” pop-up. Logging and recovery will need to be in place for identification and recovery.

Repudiation

Threat: A user (patient or provider) denies sending a message or making changes to records.

Mitigation: Implement detailed logging and audit trails to track user actions and changes within the application.

Information Disclosure

Threat: S3 bucket with patient information is accidentally made available on the internet.

Mitigation: Use access controls to enforce the principle of least privilege, ensuring users can only access information necessary for their role, and encrypt data.

Denial of Service (DoS)

Threat: A ransomware attack encrypts the web server.

Mitigation: Web server and all needed systems have good backups and can be restored to get the service back online for users.

Elevation of Privilege

Threat: A user is bribed to give up their credentials to the application.

Mitigation: User IP logging to help identify when a user logs in from an abnormal location.

Approaches

At my organization I was the person doing the threat model. I was training up some of the other people on my team so they could do it and not create a bottle neck with my department. Some organizations an individual or team may not be the best approach. In this case a decentralized approach could be more beneficial where the teams are trained up on doing their own threat models.

As far as automated tooling I haven’t used a lot of it other than as a substitute for a whiteboard. I have seen the use of Microsoft’s Threat Modeling tool which will help with attacks but will require a lot more interaction. There’s not really a wrong or right answer. I’ve shown a lot of value and made projects run more smoothly and with less threat introduced by using just a whiteboard and markers. Haven’t explore the automated threat modeling space but I do believe that you can’t replace a human. A one-push threat model would be nice it’s just not that easy and as I’ve learned in the industry there is no easy button.

Threat modeling should be done as early in the process as possible. However, it is very useful for legacy applications or applications with minimal documentation. I’ve used it a lot for getting a better understanding of how an existing application or process works, especially if there’s very little documentation. These sessions usually require multiple because as unanswered questions comes up and people are tasked with doing some discovery work. Once that discovery has been made the threat model continues.

Summary

STRIDE is a good place to start with threat modeling. There are other methodologies that could be more applicable to the organization. I’ve only ever used STRIDE because it was effective for what I was doing with threat models. Walk through the chosen methodology to get an idea on the attacks possible within the application. These attacks can be simple or they can be a bit more elaborate. A few simple examples will help with getting people to think about how to attack an application or process.

Approaches to threat modeling will differ between organizations. A group of security experts can make an effective threat model but it may not be scaleable. The other option is to train people within the projects to perform the threat model. Thinking about what could go wrong will get people into the mindset of looking for problems before they happen. The earlier a problem is discovered the less costly it is to fix. Threat modeling can also be used for discovery on existing applications or processes.

There are tools available for threat modeling. The simplest and often the most effective is a whiteboard and markers. Threat modeling is like any other security program. Get it started and then mature it over time. Try new things and evaluate if it’s useful or not. Just get started.

Next we’ll go over risk management and rating the discovered threats.

Basics of Threat Modeling

February 12, 2024

The basics of threat modeling starts with the understanding that it’s simply doing a data flow discussion. In fact, when I do these I name the meeting data flow discussion instead of threat modeling discussion. This allows people to come to the meeting with the mindset that it’s just a discussion about how data flows through an application or business process. And then we’re going to do naughty things to it.

The session itself is broken up into five parts:

Identifying assets and data flows
Establishing the security profile
Identifying potential threats
Assessing vulnerabilities
Prioritizing risks

We’ll explore each part in more detail below.

Identifying assets and data flows

This is scoping what will be part of the threat modeling session. This could be an application or a business process. It sets the boundaries to keep everyone in the meeting on track. Scope creep is something that can and will most likely happen. Setting the scope more easily helps identify when the discussion is getting off track. If someone goes out of scope then we can call it out and setup a separate session or cover it later in the meeting if time is available.

A diagram is drawn as part of the session if one is not already provided. When I’m asked for how to make the meeting run smoother I ask for an existing data flow diagram or for one to be created. This doesn’t need to be anything elaborate just something to get started. Everyone that can speak to the application or business process needs to be in the meeting. This may be just the development team or it may also include people from infrastructure, compliance, or other areas.

When there is no diagram a whiteboard and markers will do for an in-person meeting. If virtual most video conferencing tools have a whiteboard feature. There’s also many third-party options online. A favorite of a lot of development teams is draw.io. Infrastructure teams usually prefer a licensed version of Microsoft Visio. We’ll get more into tools in the next blog post.

Diagram is simply using arrows, squared, and circles to draw the diagram. OWASP has examples of shapes to use for the diagram. I would typically use a square for an application and then a circle for a database. The big thing is to use a standard shape for each thing within the diagram. Once the diagram is drawn we can move to establishing the security profile.

Establish the security profile

This is the part where the group identifies what security is currently in place. This deals with items like if HTTPS or HTTP are in place (lots of backend things may use HTTP) or how do users access the application or process. Thoroughness is good but new security measures may be discovered as the application is attacked. Compliance requirements also need to be understood for the application. Healthcare, financial, and personal data all have different requirements and security protections than data that is expected to be public. Once the security profile is established we get to be bad boys.

Will Smith and Martin Lawrence singing Bad Boys in the movie Bad Boys

Identify potential threats

This part we get to play the bad guys and think about how we can break the application or process. When just introducing this activity to departments you’ll need to keep in mind that they’re builders, not breakers. We have to unlock that mindset within them. Once the ball get’s rolling though people can come up with some pretty creative ways to attack their own application or process.

One of the important techniques someone facilitating the session will need is being silent. People can’t stand silence so learning to stay silent will help with getting people in the room to participate. Having a pentester in the room may help the juices flowing but don’t let them only provide more than one or two examples. They can quickly takeover and then it’s just the pentester talking about how they’re going to test the application. The underlying objective here is getting people into a better security mindset. To do that they need to start learning how to think like an attacker.

Anything is on the table from simple attacks to elaborate Mission Impossible style attacks. One of my favorite attacks to use to get people thinking is to talk about bribe scenarios or insider threat, “What if I give you a million dollars for your access?” The response is usually, “but you can’t do that….ohhhhh!” It happens. In 2021 news broke that Russian man offered a Tesla employee to put ransomware on the company’s network. Insider threat is a huge attack vector and a massive risk and is something that should be discussed.

There are different methodologies for attacks in a threat model session. I like using STRIDE which is mnemonic for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service (DoS), and Elevation of Privilege. Simply walk through each on of these types of attacks as part of the session. Once that’s done we assess the attacks we found.

Assessing attacks

When coming up with attacks make sure to document the attack. They should still be visible to everyone to discuss mitigating controls. Again, this is where the group needs to speak up about how to mitigate controls. As a facilitator I’ve often had the answer but I want the group to provide that answer so they can start exercising those security thought muscles. Often, I’ve found that the group will come up with creative solutions for mitigating controls. Once all attacks have mitigating controls we move onto prioritization.

Prioritizing risks

I use DREAD, which is another mnemonic for evaluating and prioritizing risk. It stands for Damage Potential, Reproducibility, Exploitability, Affected Users, and Discoverability. I write each of these out to the side of the attacks so we can rate them. I use a 1-3 scale with one being low, two being medium, and three being high. I like to keep things simple but something like a 1-10 scale can also be used. Once a score is given for each of the items you add it up. The higher the number the higher the priority. This allows teams to focus on the attacks that have the most risk and can do the most damage. Make sure to identify and assign action items for addressing the necessary attacks.

Documenting the threat model

From there it’s documenting the outcomes of the meeting. I will take notes during the session (another reason to stay silent) and type those out in a follow up email to the group. I also take a picture or screenshot of the diagram and provide that in the meeting notes as well. I would recommend storing those in a repository that’s available to everyone involved in the discussion. As part of the meeting notes I include action items at the top and have the agreed upon name of the person that will make sure the item is addressed.

Summary

Threat modeling is simply a data flow discussion. I’ve used data flow discussion to make the meeting less intimidating. Sessions can be from one to several hours long it depends on the application or business process and how deep you may need to go. One long session or multiple sessions can be setup. Having a diagram ahead of time will significantly reduce the time needed for a threat modeling session.

The session itself is building the diagram, adding the security profile, attacking the application, identifying the mitigating controls, and prioritizing the risk. Finally, document the session and assign action items. Someone will need to follow up on each item to make sure they get addressed properly.

Next, we’ll dive deeper into methodologies and approaches that can be used as part of a threat modeling session.

What is Threat Modeling?

February 8, 2024

Here’s what ChatGPT said:

Threat modeling is a structured approach used in cybersecurity to identify, prioritize, and address potential threats to a system. It involves a series of steps to assess the security of an application or system by identifying what needs to be protected, determining potential threats and vulnerabilities, and then devising strategies to mitigate or prevent the identified risks. The primary goal of threat modeling is to enhance the security posture of a system by focusing on protection measures from the early stages of design and development through to deployment and maintenance.

Within the context of the cybersecurity field this is true but it’s more general than that. Threat modeling is something we all do in daily life. Driving, planning a trip, planning a birthday party, talking about who’s going to win the Super Bowl, etc. It’s talking about what might happen and then putting things in place to help mitigate those potential scenarios. I use the analogy of driving a lot. While on the road I am constantly thinking about some of the following things:

“What happens if this person get’s into my lane?”
“The onramp coming up is usually pretty busy”
“I have X amount of gas and this far to go”

This is threat modeling and we all already do this on a daily basis. This is why I find implementing threat modeling into a project to be super easy.

Threat modeling is a step-by-step process for identifying all the things that could go wrong. It’s meant to find solutions to problems before they happen. It can also be a lot of fun to come up with Mission Impossible level types of attack scenarios. Here are the steps to go through a threat model.

Scope the application or project
Build out a diagram of the application or project
Identify what security measures are already in place
Attack the diagram by using simple and elaborate attack techniques
Identify mitigating controls for the attack scenarios
Rate the attack techniques for prioritization
Assign action items
Document the session and follow up items

Sometimes these sessions can take an hour sometimes multiple hours are needed. Having a diagram before hand helps speed up the process.

Benefits of Threat Modeling

Doing threat modeling early in the development cycle can help get everyone on the same page and identify potential risks before development even begins. This allows developers to think through issues and put mitigating controls in place. This actually reduces the cost of finding a security issue later in the process because it’s addressed early on.

Another benefit I’ve found is in exploring legacy applications and applications that join the organization as part of a merger or acquisition. Often, applications don’t have any documentation in place. This can make it difficult if people who have helped build or maintain the application have left the organization. Threat modeling is a way to better understand and document those applications. Any security issues or risks identified can be added to the backlog for getting addressed.

Next we’ll dive deeper into the basics of threat modeling.

Why Threat Modeling is important

February 7, 2024

But Why? meme from Harold and Kumar go to White Castle

Why this talk?

I’ve done 10 different topics publicly. Six of those talks had threat modeling in them. It’s something I bring up in over half of my talks. It’s low cost, easy to implement, easy to get started, and provides a tremendous amount of value. It’s main purpose is to talk through all the things that can go wrong but it also does a really good job of getting everyone on the same page.

One of my first sessions doing threat modeling one of the developers said, “I thought we were doing this in the cloud.” “Nope, we’re doing it in the data center.” That’s a pretty big difference in development and infrastructure efforts. The other thing threat modeling does is it get’s people into a security mindset. Thinking like a hacker isn’t a mindset a lot of people utilize. They’re builders; not breakers. To have an effective session and to start building that security mindset we have to show them the ways of the darkside.

Providing developers with a security mindset is the farthest left we can shift security into the software development lifecycle (SDLC). We can’t go any further than while they’re coding. They like to build things and don’t often think about how things can go wrong. Doing threat modeling at the design phase allows security to be thought about before development begins. This streamlines security into the SDLC and prevents security issues from popping up later in the process and in production.

A lack of threat modeling in the real-world

NotPetya

NotPetya leveraged a vulnerability in Microsoft Windows, EternalBlue and was further propelled by a compromised update mechanism of a widely used Ukrainian accounting software called M.E.Doc. Once a system was infected, NotPetya would encrypt the master boot record, rendering the computer unable to boot.

The impact of NotPetya was massive and far-reaching, affecting businesses, government entities, and infrastructure worldwide. Major multinational companies, including Maersk, Merck, FedEx's TNT Express, and many others, reported significant disruptions to their operations and financial losses. The total damages from the NotPetya attack are estimated to be in the billions of dollars, making it one of the costliest cyber incidents to date.

From a threat modeling standpoint this was an attack that unintentionally crossed network boundaries in the Ukraine and made it’s way to the United States. Network segmentation is an important talking point for projects that involve multiple countries and sensitive data.

SolarWinds Supply Chain Attack

Malicious actors compromised the software build system of SolarWinds, a company that produces network and infrastructure monitoring solutions. The attackers inserted a vulnerability into the software update mechanism, which was then distributed to thousands of SolarWinds' customers, including government agencies and Fortune 500 companies. This sophisticated attack highlighted the need for comprehensive threat modeling that includes supply chain risks and third-party dependencies.

Insider threat is an important talking point with internal processes that aren’t exposed to the internet. To kick start the conversation with developers and others new to threat modeling I often bring up insider threat to get the attack ideas flowing.

23andMe Hack

A credential stuffing attack was used by attackers to gain access to 14,000 accounts. 6.9 million users were ultimately impacted due to sharing permissions within the platform. While bad passwords are a problem, development teams via threat modeling can come up with solutions to a credential stuff attack. Multifactor Authentication (MFA), password strength, and detection for these types of attacks are all mitigating controls that can be put in place. Sharing permissions can also be discussed as part of a threat modeling session to ensure proper authorization mechanisms are in place and personal information isn’t exposed to a broader audience.

In the next blog post we’ll cover what is threat modeling?

Examples created with the help of ChatGPT

There’s going to be some really great talks at the 2024 Palmetto Cyber Summit

Maximizing Your Conference Experience: preparing for the 2024 Palmetto Cyber Summit

January 30, 2024

I will be at the 2024 Palmetto Cyber Summit February 21-22, 2024, in Columbia, South Carolina. The schedule is up and I’ll be speaking at 2:15 pm ET in SALON C on the first day, February 21. One of the things I like to do as I prepare for a conference is pick out a schedule for myself. This usually doesn’t take long about 20 minutes. Picking the talks I’d like to go see allows me to utilize the conference to its fullest.

Now, I don’t go to most of the talks at a conference because I usually end up talking to people. HallwayCon can be a great use of time to network and gain knowledge from other people at the conference. When I’m not talking to someone that’s when I’ll usually hop into a presentation. In the post I want to walk through my process for anyone who is new to going to a conference.

The first step is to pick a place to put down the talks of interest. This should be something mobile friendly. At one point I was using Microsoft Excel or Google Sheets but spreadsheets can be hard to read on a mobile phone. Now I use some sort of notepad or Google Doc. If the conference has a hard copy of the agenda I may transfer my notes to there so I have a hard copy. For this conference I’m going to try this post.

Once I’ve figured out where I want to put my selections I start going through the schedule. If there are two talks I want to see at the same time slot I pick the one I prefer and then put the other down as a backup. If there’s not talk then I plan to talk to vendors or go wander around the venue. Stepping outside for a break is also an option. I usually put down the time, location, title of the talk, and the speaker.

Below are talks that are of interest to me currently. As expected AI is the hot topic and I’m looking to better understand other people’s viewpoints on it and how it’s used. Sometimes I’ll be in a talk where I don’t learn anything new but it confirms my current knowledge. I’ve also been in talks I don’t plan to go into because I decide to go with someone else and they make a compelling case for the talk. They speaker is also a factor. I try to support the people I know by going to their talks.

That’s one of the things I do to prepare for a conference. I now have one less thing to worry about at the conference and can take it in more fully. I also have a plan that allows me to take full advantage of the conference. Leave a comment below with your tips for attending conferences. Also, come say “Hi!” if you’re at the summit.

Tim’s 2024 Palmetto Cyber Summit Schedule

Feb 21

3:00 - 3:45

SALON A - Security Protection Using OSINT - Kurtis Suhs

3:50 - 4:20

SALON C - Countdown to Industrial Extinction - Michael Holcomb

4:20 - 4:50

SALON C - The Future of Security: Embracing a Platform-Centric Appraoch - Ken Alexander

Feb 22

8:30 - 9:00

SALON B - Lessons Learned Applying Machine Learning in Cybersecurity - Jeff Janies

9:00 - 9:30

SALON B - What Neuroscience Taught Us About CyberSecurity in 1885 - Chip Reaves

11:15 - 12:00

SALON B - The Enhancement of Malicious Social Engineering with AI - Dr. Sybil Rosado

1:30 - 2:15:

SALON B - Misinformation in the Age of Generative AI - Dr. Donnie Wendy
Backup: xIoT Hacking Demonstration and Strategies to Disappoint Bad Actors - SALON C - John Vecchi

2:20 - 2:45 -

SALON B - Using AI/ML to Manager Your Organization’s Cybersecurity Program - Tom Scott
Backup: SALON A - Automating Compliance - Carl Bjerke

3:00 - 4:00 - This one is a bit of a toss up:

SALON B - Enhancing Cybersecurity: AI and Modern Threat Defense - Jim Hayes
SALON C - Know Yourself: We’ve Focused on Attackers for Too Long, it’s Time to Look Inward - Justin Scarpaci

This post first appeared on Exploring Information Security.

My Whoop stats from December 2022 to November 2023

New Years Resolutions: Taking small steps past January 31st

January 3, 2024

Not really a security topic but imagine I’m using a building a security program analogy.

I’m not a New Years resolution guy. I think January 1 is an arbitrary date and if that I’m going to make changes that stick I need to start now rather than later. I’ve started new habits in the middle of the year and on December 20th. I’ve found that I tend to be more successful when I just start. Three years ago I got a Whoop in November 2020 and it’s been tremendous for habit changes I want to make. It tracks my sleep and strain for the day using a heart rate, respiratory rate, blood oxygen, and stress levels. I fill out a journal every morning on the habits and activities that affect my recovery. I’ve discovered valuable insights that have allowed me to make adjustments for the betterment of my health.

This is one of the things to remember when making changes to your life. It’s not one month and done. It’s a journey. The Whoop has helped with my journey because it provides me the data I need to make more targeted adjustments. It wasn’t something that happened over night or even in a month and I’ve been working on some of my vices for over three years. It took my seven years to quit smoking in my 20s. I did that with small steps.

It’s the same thing for any habit change. It requires small progressive steps. Some people can quit cold turkey or make drastic changes. Good for them! I’m not one of those people, unfortunately. For me it’s small changes that help me make life changing habits. There’s been set backs. A lot of setbacks!

If you’ve set a New Years Resolution that’s great! Making changes is hard. I would advice patience and the acceptance that there will be set backs. If there is a setback work to get back on track. If you keep plugging away it you’ll get better and be healthier for it. Health is very important not only for yourself but also for your career.

This blog post first appeared on Exploring Information Security.

Tips to help build strong relationships inside and outside of work

December 21, 2023

I love the saying from Manager Tools.

“There are three types of power? Technical power, role power, and relationship power. Relationship power is 75% of the power in an organization”

I quote it a lot to people when I’m having discussions about organizations.

Building relationships with people internally is what has allowed me to be successful in my career. We cannot do it all on our own. The techniques for building relationships apply both internally to a company as well as outside of the company at networking events. Her are some of the things I have done to build strong relationships inside and outside an organization.

How to build relationships

Ask questions

The number one thing I use to build relationships is ask questions. Then I follow that up by actively listening to the answer and asking more questions.

People’s favorite subject is themselves. Getting them to talk about themselves makes them feel good. If you are asking the questions you are the reason for that feeling. People will pick up if you’re being inauthentic, so it really helps if the questions are coming from a genuine curiosity. Look at them and hear what they’re saying and ask follow up questions to what they have just said.

When I first started doing this it was pretty hard. I liked to interject my own commentary. As I worked on it it eventually became easier. It is okay to interject here and there but talking less and listening more overall will help endear you to people quicker.

This was the tool I found most effective working with developers. Code is a developer’s baby. They create it. They nurture it. They get frustrated when it doesn’t pass tests. They may have dropped it once or twice. It’s their baby though and coming in and calling it ugly (even if it is ugly) isn’t going to make many friends.

This is where questions help. Developers lit up when you show an interest in their code (baby) and they will tell you everything about it. This helped me understand the code better. Why it was written the way it was written and allowed me to have tough conversations with them when it was causing problems. I had built that trust and they knew I was only trying to help them make the best code possible.

Spend time together

When you spend time together there’s a bonding that occurs. This builds trust and allows for people to get to know each other better. I’ll go to lunch with people if asked or I’ll ask others if they are interested in going to lunch. It’s a great way to just have a normal conversation outside of work. Asking questions gives insight into the person.

If money is tight, this can be done at work. If there’s an open spot a table ask to join (asking questions again ;). If it isn’t often people will tell you to pull up a chair and join them anyway. Worst case look for someone else to sit with. People that are sitting by themselves usually won’t mind company.

stay in touch

Make sure to stay in contact with people. This became harder with the pandemic and everyone working from home. Often I would reach out to them if we hadn’t chatted in a while and I was in a meeting with them. I’d shoot them a quick IM saying hi and asking how they were doing.

The Allen Curve is a study from the 1970s that described as distance increased between engineers communication became less frequent. If you are wondering why CEOs want people in the office it’s because of The Allen Curve (a future blog post).

I’m surprised at how many people are not familiar with this idea. Regardless, as distance increase communication decreases. It makes sense. When you were in school you stayed in contact with your classmates more often. As people moved the communication between people became less frequent. You may have experienced this during the pandemic with coworkers. The person you got coffee with every morning and chatted about work or real world events you no longer communicate with on a regular basis. I’ve seen this apply with people just switching floors or moving to a different part of the building. The distance doesn’t need to be far for communication to drastically decrease.

If you are back in the office walking around can be a good way to stay in touch, as well as get a little exercise and a break from the computer. Working remotely is tougher. That’s why I set up reminders to connect with people every so often. This can be a week, month, months, or several months.

Reciprocity

Give without expecting something in return. First, this is a great feeling to just give without expecting something in return. Letting go of the return also helps with any frustration or anger that might occur from not getting something back. This can feel difficult because we all would like to think people will return the favor but it is something that can be practiced. Most people will want to return the favor. It might not be immediate but it will come at some point. Some people won’t return the favor. Either way we learn something about that person. Be careful to identify what people consider a favor because we’ll all have different ideas.

The five love languages is a great resource to read and understand. Some people just want help with their work. Others will want gifts or money compensation. Others will want praise. Understanding what drives people will help better understand what they may give in return.

I enjoy helping others and would rather someone help me than give me a gift. I would often look into help desk tickets for others and try to push them along if I could. This was a small effort for me but paid off when I needed something from these same people. Often, because I had helped them they would return the favor.

Be yourself

Be genuine and authentic. People can tell if you’re just there to get something out of them. If someone determines another person has or is trying to manipulate them the relationship is toast. Be who you are and don’t try to be someone else. You can work to make positive changes in your behavior and habits but ultimately we’re all who we are. I’ve struggled with being myself. I want everyone to like me but that just isn’t possible. I’ve tried being someone else for people and it doesn’t work. I have improved how I interact with people but ultimately I have to still be true to myself and accept that I won’t connect with everyone.

Easy to start habits

Two techniques I like to tell people to start with is using people’s name and saying thank you. Again, people are their favorite subject and hearing there name is a good feeling. You’ll have to identify what and how people liked to be called. Don’t just shorten people’s names because some people like being called by their first name. Some people like using their middle name or nickname. It is also a great way to start a conversation.

Say, “Thank you!” This is so easy to do and one of the least used techniques in the workplace. Say thank you to people for their work. Say thank you for getting you something. Say thank you for sharing their insights. It’s so easy to do and something people don’t hear enough.

Summary

Relationships are a very powerful thing. They can help advance a career and they can help get a job. To build a strong relationship, make it about the other person. Ask questions and spend time with them. Give without expecting something in return. This can feel very difficult because we are very transactional and want to get what’s rightfully ours. Most people will return the favor. The ones that don’t you will still learning something about them.

Finally, Be yourself and start small. Be who you are but realize you can make improvements to your behavior and habits. One of those can be by using people’s name and saying “Thank you!” for something they’ve done. Gratitude is a powerful thing and makes you and the other person feel good.

How do you go about building good relationships with people? Leave a comment below.

Resources

If you want to learn more about social engineering check out my GitHub page, Social Engineering for the Blue Team. You can also click on Social Engineering page or reach out to me directly with any questions you may have.

Social Engineering - Deep Dive

Contact

This blog post first appeared on Exploring Information Security.

Use Careful Terminology: “Incident” vs. “Breach”

Establish Attorney-Client Privilege Early

Refine Your Communication Strategy

Define Roles and Responsibilities in Your IR Plan

Handle Ransomware Negotiations Carefully

Prepare for Possible Class Action Litigation

Use Tabletop Exercises to Strengthen Incident Preparedness

Conclusion: A Proactive Legal Strategy in Incident Response

Understanding THE Cybersecurity and Privacy Learning Program (CPLP)

The CPLP Life Cycle

Leadership and Organizational Roles

Metrics and Measurements

Integrating Privacy into Cybersecurity Training

Tailored Training for Diverse Audiences

Focusing on Improvement Without Punishment

A Culture of Learning

Conclusion

How to Stay Safe:

Why Should Your Organization Get a Pentest?

Common Misconceptions About Pentesting

Preparing for a Pentest

What Information Should You Provide to Pentesters?

How to Choose the Right Pentesting Provider

The Pentesting Process: What to Expect

Different Types of Pentests: Black-Box, Gray-Box, and White-Box

Understanding Pentesting Reports

What If No Vulnerabilities Are Found?

Innovative Trends in Pentesting

Conclusion: Why Pentesting is a Must for Every Business

The Power of TikTok and the Rise of Misinformation

The Cybersecurity Implications of Misinformation

Recognizing and Combating Misinformation

Critical Evaluation of Sources:

Cross-Referencing Information:

Recognizing Emotional Manipulation:

Awareness of Manipulative Tactics:

Educating Yourself and Others:

The Broader Impact of Misinformation

Conclusion: Staying Vigilant in a Digital World

Understanding Smishing

How Smishing Works

Tips to Protect Yourself from Smishing

Conclusion

Introduction

The Power of AI in Healthcare

Ethical Considerations and Patient Privacy

Cybersecurity Implications

Looking Ahead

Conclusion

The Key to Your Account: Guard Your Passwords

LastPass

1Password

Dashlane

Bitwarden

Keeper

Browsers

Crafting Strong and Memorable Passwords

Ensure Uniqueness for Each Account

Opt for Passphrases with Special Characters

Conclusion

Understand the Role and Company

Personalized Practice Sessions

Enhancing Your Answers

Final Thoughts

1. Start Early and Integrate Continuously

2. Involve a Cross-Functional Team

3. Watch for scope creep

4. Keep the Attacker's Perspective Simple

5. Use silence

6. threat modeling discussions are chaos

7. Meeting notes and action notes

Conclusion

Attend Conferences

Volunteer at events

Attend Local User Groups

Start a blog or podcast

Summary

Getting Started

Automated threat modeling tools

Educational Resources