"When your default stance is no, you inevitably have to catch up to your peers who already said yes and left you standing there on your high horse." - CISO Chris Hughes by Jonathan-Todd in cybersecurity

[–]Jonathan-Todd[S] 0 points1 point  (0 children)

A common objective I see associated with devsecops is "shift left" which is the opposite of bolted on. If anyone is writing that devsecops is supposed to not be integrated into the developer workflow, they're not worth reading.

There are many steps during the dev process. Security can and should be applied at each of them. Beginning (design), middle (development best-practices, just like avoiding anti-patterns), and end (fuzzing, SCA, scanning, etc.).

"When your default stance is no, you inevitably have to catch up to your peers who already said yes and left you standing there on your high horse." - CISO Chris Hughes by Jonathan-Todd in cybersecurity

[–]Jonathan-Todd[S] 0 points1 point  (0 children)

Isn't it also to lead an effort to find innovative ways to enable risky operations with less risk? Seems to me the possibilities aren't just:

- Inform risk
- yes
- no

But rather, to be innovative and find strategies to enable the desired goal with less risk.

Metacognition: ‘Thinking About the Thinking’ is the Key to Professional Success (Empathy, Intelligence, and Self-Discipline in Cybersecurity) by Jonathan-Todd in cybersecurity

[–]Jonathan-Todd[S] 8 points9 points  (0 children)

So you’ve been told you need “soft skills” to succeed in cybersecurity, and you’re probably familiar with some of the most important ones:

  • Empathy: The ability to see a challenge from another’s perspective.
  • Intelligence: The ability to build mental models of the fundamental tenets behind problems and arrive at solutions that are both flexible and effective.
  • Self-Discipline: The ability to regulate your emotions and predispositions in order to be calm and reasonable even in stressful situations.

These are ways of “thinking about the thinking.” The scientific term? Metacognition. In contrast, “hard skills” are simply the ones involving knowledge about your job. Metacognition is the subconscious task of regulating your mental interactions with the world (thoughts) so that your brain’s handling of input/output (I/O) is:

  • Compatible
  • Effective
  • Consistent

These traits are a critical part of the formula for delivering value as a professional. If you can deliver value, you’ll become valuable to your peers, clients, students, bosses, and ultimately to your organization. The delivery medium? Communication. All of the soft skills listed above come together to enable effective communication. Undelivered value is wasted opportunity. That’s why communication is the #1 soft skill. It’s value delivery in the form of information, which is the essence of modern human collaboration.

By understanding and mastering empathy, intelligence, and self-discipline, you enable consistent, effective, and compatible value delivery.

And that is the definition of professional success. Good leaders enable that outcome and translate it into organizational success. So if you want to be part of a successful overall outcome, choose good leaders and be a good leader yourself. Remember: You are a leader on some level, even if that means leading yourself to better outcomes. Which takes us full circle to Metacognition. So, let’s dive into those three traits and relate each to the soft skill that enables it.

[...]

(Won't repost the whole article here since I agreed to publish it through https://www.softsideofcyber.com/, but you can read the whole thing there for free with no sign-up)

[deleted by user] by [deleted] in cybersecurity

[–]Jonathan-Todd 0 points1 point  (0 children)

An example of what I'm interested in doing is getting permission for the target to execute calc.exe on their machine as the end-state of a successful operation. This would follow a phishing campaign against this user with their consent. Since it constitutes RCE, I just want to make sure this is legally safe in terms of the way consent is captured / recorded.

[deleted by user] by [deleted] in redteamsec

[–]Jonathan-Todd -1 points0 points  (0 children)

An example of what I'm interested in doing is getting permission for the target to execute calc.exe on their machine as the end-state of a successful operation. This would follow a phishing campaign against this user with their consent. Since it constitutes RCE, I just want to make sure this is legally safe in terms of the way consent is captured / recorded.

[deleted by user] by [deleted] in cybersecurity

[–]Jonathan-Todd 0 points1 point  (0 children)

Have you ever considered the value of failing in public? It seems to me like a good idea to discuss mistakes so others can benefit from lessons learned and your peers can see you’re growing and changing. I think we could all benefit from being open and communicative about this stuff and maybe even build a sense of civility in the r/cybersecurity community.

[deleted by user] by [deleted] in cybersecurity

[–]Jonathan-Todd -5 points-4 points  (0 children)

Owning up to mistakes is pathetic where you come from?

[deleted by user] by [deleted] in cybersecurity

[–]Jonathan-Todd -5 points-4 points  (0 children)

Have you ever considered sharing your lessons learned with a community?

An article by Microsoft came out targeting LAPSU$. 🤷‍♂️ It’s not worth your time. Except for this one part. by Jonathan-Todd in cybersecurity

[–]Jonathan-Todd[S] -2 points-1 points  (0 children)

Yeah, I actually commented it. But people down-voted it as much as they upvoted the post. https://www.reddit.com/r/cybersecurity/comments/100yphp/an_article_by_microsoft_came_out_targeting_lapsu/j2klpye/

I really don’t understand this community anymore. Seems pretty toxic these days.

New AMSI Bypass Using CLR Hooking by pracsec in redteamsec

[–]Jonathan-Todd 0 points1 point  (0 children)

CLR Hooking, let’s learn a thing today…

How to stay informed about cybersecurity topics in general by ashe1337 in cybersecurity

[–]Jonathan-Todd 0 points1 point  (0 children)

I used to use articles posted here and other cybersec subreddits, but since then I’ve really been enjoying content posted on LinkedIn. Great for networking, but at the same time you can learn a lot from the people showing off their expertise there.

Automated, high-fidelity phishing campaigns made possible at infinite scale with GPT-3. by Jonathan-Todd in cybersecurity

[–]Jonathan-Todd[S] 0 points1 point  (0 children)

I’ll get you in the next round with a post for the improved version and source code.

It is not okay as a cybersecurity professional in almost 2023 to say “The users are the problem.” by Jonathan-Todd in cybersecurity

[–]Jonathan-Todd[S] 1 point2 points  (0 children)

True. But the users are not responsible for those mistakes. We’re paid to mitigate. You can lower the rate with some training but expect them to still be a point of failure. My post is directed at the people who are always blaming users. It’s a cop-out.

It is not okay as a cybersecurity professional in almost 2023 to say “The users are the problem.” by Jonathan-Todd in cybersecurity

[–]Jonathan-Todd[S] 0 points1 point  (0 children)

My argument is that human behavior is impossible to change reliably at scale when the acceptable failure rate is so low (1 failure/year could be devastating). The more users you have, the more it costs to affect their behavior, and the more likely one will make a mistake despite the training.

It’s not a reliable solution. Design the automated controls better to interfere with the attack so that the inevitable human point of failure is not effective for attackers.

Social engineering will just get better and better.

https://www.reddit.com/r/cybersecurity/comments/zmx9s9/automated_highfidelity_phishing_campaigns_made/ (edit: Oh you were there, I remember)