Category: Threat Modeling

Techniques to determine where IT and data is the most vulnerable to attack.

Human Aspects, Online Safety Tips, Security Education, Security Management, Threat Modeling

My Tweets from the 2014 RSA Conference

Posted on by Ron Woerner

The RSA 2014 Conference took place in San Francisco February 24-28.  It’s the top gathering of information security and risk professionals in the world with over 25,000 attendees.  I had the privilege to attend (and lead a CISO panel).  While I was there, I used twitter (@ronw123) to record my thoughts of the sessions and events.  Below is a snapshot with commentary:

Security Awareness and education was a common theme throughout the conference.  The industry is finally realizing it’s about the humans and people will always be the weakest security link

@ddkirsch: Heard at #RSAC — Even my Mom knows that #HTTPS isn’t a plural of HTTP. #ITsecurity” < too bad
so many moms, dads, & kids don’t

Chris Hadnagy (@humanhacker & Social-Engineer.org) talked about, “Social Engineering: When the Phone is More Dangerous than Malware.”  

Wow! Even @humanhacker got caught w/ phishing. It can happen to you. There are no stupid users, just uneducated
ones. @SocEngineerInc

@humanhacker @SocEngineerInc showing stats from . Scary. But there’s hope. 🙂

Jack Jones (@JonesFAIRiq) had a great presentation titled, “Ending Risk Management Groundhog Day.”  He didn’t even realize that there was a running panel from 2008-2010 that I was on with the name “Security Groundhog Day” (2008, 2009, 2010).  Jack is the father of FAIR and provides great ideas for proactively using risk management practices to manage security.

Get off the “Hamster Wheel of Pain.” Stop repeating past errors. @JonesFAIRiq @alexhutton [Note: I’ve learned
that this comes from “The Phoenix Project”]

@JonesFAIRiq “Policies need to be clear, concise, and useful… & written to a 9th grade level.”

@JonesFAIRiq “We’re really good at fixing symptoms, but not root causes.” #1problem is asking the right questions about risk.

Info Risk Mgmt Groundhog Day. Dude… Really… Again. It’s déjà Vu all over again.

Presentations on risks and threats are now commonplace at the RSA Conference. Here are thoughts on talks by Adam Shostack (@adamshostack), Pete Lindstrom (@SpireSec), and Andy Ellis (@csoandy).

@adamshostack talking New Foundations of Threat Modeling. Asking & answering 4 questions about threat modeling and the right ways to find good threats. [Note: He has a new book out on Threat Modeling.]

@SpireSec just mentioned the Hand Rule (see en.wikipedia.org/wiki/Calculus_).
So few security / risk professionals know anything about it.

@SpireSec – Being a contrarian in security makes you normal. Meaning we seek the truth even if it may hurt.

@csoandy: The true problem of a Prisoner’s Dilemma Scenario is that it disregards the Game Manager.” < tying Game Theory to security

NIST released the first version of the Framework for Improving Critical Infrastructure Cybersecurity on February 12, 2014.  Of course, this generated a few comments:

The NIST Cybersecurity Framework, Here we are *again* writes @georgevhulme, Engage
#infosec

News from #RSAC – DHS working with MS-ISAC on offering managed security services to state/local gov’t who adopt Cybersecurity framework.

The National Cyber Security Alliance (NCSA) held a twitter session where they asked pointed questions on encouraging kids to StaySafeOnline.

@StaySafeOnline & others are great! The material is there. It’s getting it out to people who need it the most. #securitychat #ChatSTC

Should there be a license to drive on the Information Superhighway? IOW: Required Education? #securitychat #ChatSTC

We need to challenge more Cybersecurity professionals to get out and educate. Make it required for certifications? #SecurityChat #ChatSTC

@STOPTHNKCONNECT #securitychat #ChatSTC A7: Reach the kids at their level. Don’t talk down to them. Challenge them to teach their parents.

Of course, one of the hot topics was NSA Surveillance: 

“Understanding NSA Surveillance: The Washington View #RSAC” < what’s legal may not be wise – said by both Hayden & Clarke

We need a real debate at #RSAC on the NSA, not pontificating and opinions. High School Debate did it last Nov. see bit.ly/MZJVrQ.

Last, but hardly least is my frustration in the opening keynote of attendees spending their time on their devices and not meeting others.

Listen #RSAC peeps! Stop playing with your phones and start meeting someone new. The greatest minds in Cybersecurity are
here.

These are my quick, but not complete thoughts. No doubt they will lead to many blogs in the future.

Concepts, Security Assessments, Threat Modeling

Threat Modeling – What’s the worst that can happen?

Posted on by Ron Woerner

A threat is defined as “a person or thing likely to cause damage or danger.”  Threats are all around us, but we shouldn’t treat all threats as equal.  Too often we fail to identify threats because they aren’t readily apparent or we consider them to be too small.

Threats and vulnerabilities are both part of the overall risk equation.  While organizations are getting better at identifying and fixing weaknesses, many still don’t understand the potential threat landscape.  We’ve all heard, “Oh no one would ever want to attack us. We’re so small and our systems have no value.”  I can hear Target saying that about their HVAC systems. Malicious hackers can use anything connected to a production network in order to gain access.  It shouldn’t be assumed that a small target means it can’t be hit.

All organizations should conduct assessments to understand the multitude of threats they face both in and out of their cybersystems. Threat modeling is still a new arena in security, but it’s gaining in prevalence.  In CSOOnline (http://www.csoonline.com/), George V. Hulme has an article, “Can threat modeling keep security a step ahead of the risks?” where he makes a case for more effective threat modeling. He references how a CISO uses threat modeling to understand the organization’s risks, prioritize security spending, and focus security efforts.

Adam Shostack is also calling for increased threat awareness.  In his book coming out on Feb 17 called, “Threat Modeling: Designing for Security”  he explores various threat modeling approaches, explains how to test system designs against threats, and learn effective ways to address threats that have been validated at many top companies.

What does this mean for you?  As security professionals, we conduct threat modeling throughout our career.  That’s why we take the time to study threat modeling and apply it.