Adam Shostack: Privacy

Adam Shostack has decades of experience as a cybersecurity expert, and his work has enabled him to research extensively into the issue of privacy in the digital world. Like many experts, Adam Shostack is aware of the importance of privacy with the advancement of technology and is continually looking at better ways of ensuring privacy is respected.

The modern digital world is perhaps witnessing a great technological revolution as the world transforms from a paper-based society to a digital one. As part of that transformation, technology is being pushed to the limit, with the new world consisting of common technologies such as dishwashers and televisions, to less familiar ones such as military weapons systems, emergency response systems and process control systems for power plants. As these technologies become vital and casual, so too does information, including personal and intellectual property.

Innovations in information technology will no doubt continue to make life more productive and help solve difficult problems. While these advancements are compelling, they also have the potential to put individuals at high risk of losing their security and privacy.

Adam Shostack is the co-author of The New School of Information Security.

Advertisement

Adam Shostack: Black Hat

Over the years, the Black Hat USA security conference has become one of the most significant events on the cybersecurity calendar. As Adam Shostack, a member of the Black Hat Review Board knows, some of the most prominent and infamous security research and attacks have been made public at Black Hat. From the talks to the panel discussions and the demonstration, much of what happens at the event makes national and international headlines and helps change perceptions and policy on cybersecurity.

For more than two decades, the Black Hat event has provided attendees with the latest information in security research, trends and developments in a vendor-neutral setting. The event strives to bring together some of the industry thought leaders and professionals who aspire to meet the needs of the security community and want to encourage collaboration among various actors.

Held annually since 1997, the Black Hat Briefings have grown from a single conference to a series of trainings and events that are held in Asia, Europe and the United States. The briefings are designed to help leading security researchers take the stage to share their findings with the community and collaborate in finding answers to a growing list of vulnerabilities.

Adam Shostack is an entrepreneur, consultant and author who’s helped many organizations improve their security.

Adam Shostack: Security Risks Associated with USB Devices

As an information and cybersecurity expert, Adam Shostack focuses on providing clients with expert security solutions that improve security outcomes for their organizations. Shostack was instrumental in fixing the Windows Autorun malware problem that plagued Windows machines since the deployment of Windows 95, and now warns users against the security risks associated with USB devices.

Most individuals know they should never insert an unknown USB device into their computer because the flash drive may contain malicious software. However, an even more insidious problem exists because these devices may have malicious firmware.

USB is a universal type of port that allows users to connect a variety of devices (e.g., flash drives, external hard drives, game controllers, network adapters, etc.) to their computers. These devices, along with your computer, run a type of software known as firmware. When a user connects a device to his or her computer, the device’s firmware is what makes the device function. This is certainly convenient; however, there is no secure way to verify whether the firmware on the USB device is safe.

For example, a USB flash drive may appear to function normally, but the firmware associated with it could modify files in the background and infect a computer. Further, using a connected device with malicious firmware as a USB Ethernet adapter could potentially route internet traffic over servers that contain malware. While a user’s USB flash drive may function as such, it could also contain firmware that allows it to run as a keyboard and Ethernet network adapter. Additionally, computers have the potential to infect a USB device’s firmware.

To make matters worse, Adam Shostack warns there are no known defenses from USB attacks. Malware scanners are typically unable to access the firmware running on a USB device and behavioral detection is almost impossible because the behavior of an infected device may look as though a user has simply plugged in a new USB device. While it is possible to block or allow specific classes of USB devices, these lists are easy to bypass.

Adam Shostack emphasizes that users exercise caution when dealing with suspicious USB devices. Never connect an unknown device to your computer. With the Windows Autorun feature now disabled by default, it is easy to become complacent but the fundamental design flaw in these types of devices demonstrates a potential but serious danger to a user’s computer.

Adam Shostack: Creator of the Elevation of Privilege Game

Adam Shostack is the founder and President of Shostack & Associates. Adam Shostack was part of Microsoft’s Security Development Lifecycle (SDL) Strategy team for several years and was instrumental in overhauling Microsoft’s SDL threat modeling system. Adam Shostack also created Microsoft’s Elevation of Privilege (EOP) threat modeling card game.

What is an Elevation of Privilege?

An elevation of privilege occurs when a user or application gains rights (i.e., privileges) that should not be available to him or her. For example, a system’s user that should have “read-only” permission somehow elevates their system privileges to include “read and write” permissions.

Elevation of Privilege: The Threat Modeling Game is a card game Adam Shostack designed for 3-5 players and works to draw people who are not information security practitioners or experts into the craft of threat modeling. The game uses a variety of techniques to accomplish this and does so in an enticing, supportive, and non-threatening way. You can download the Elevation of Privilege threat modeling card game free from Microsoft.

Explore more via adam shostack (@adamshostack) | Twitter

Adam Shostack: How to Become a CVE Numbering Authority (CNA)

After the second Workshop on Vulnerability Databases at Purdue, Adam Shostack worked hard to make the Common Vulnerabilities and Exposures (CVE) list a reality. Now broadly used, CVE Numbering Authorities, or CNAs, from around the world are responsible for maintaining the list.

What are the Common Vulnerabilities and Exposures list?

Common Vulnerabilities and Exposures (CVE) is a list that tracks common identifiers for publicly known cybersecurity vulnerabilities that is free for use and download. When parties discuss or share information about a unique security vulnerability found in software or firmware, a CVE Numbering Authority (i.e., CNA) adds the information to the CVE list. This process enables users to exchange data and provides a baseline for evaluation.

How to Become a CNA

Adam Shostack emphasizes that there are numerous considerations and responsibilities in becoming a CNA that ensures the continuing quality of the CVE List and improving CVE’s operation and timeliness. Additionally, potential CNAs must go through a candidate process and possess specific qualifications. If you are interested in becoming a CNA, click here for more information about the process and qualifications required.

Go through Emergent Chaos | The Emergent Chaos Jazz Combo

Adam Shostack: 2017 Privacy Threat Modeling Project

Adam Shostack takes the issues of personal privacy and institutional transparency; one of the primary reasons why he is involved in the Seattle Privacy Coalition. A Member of the Seattle Privacy Coalition Board since 2015, Adam Shostack works to utilize his skills, insight, and experience in cyber security to provide the organization strategic guidance in terms of how digital information is collected; to better inform the Coalition’s efforts in terms of advocating for privacy protection and security far down the road.

One such effort was Adam Shostack’s leadership on a 2017 Threat Modeling Privacy project. Along with a noted colleague and fellow Seattle Privacy Coalition board member, Shostack took on the responsibilities of this project with enthusiasm; one with the eventual goals of:

  • Modeling and categorizing the methods through which organizations, both public and private, collect personal data and information, as well as to determine options and their tradeoff or cost to the individual.
  • Developing an inventory that includes both those things people do online and the ways their data is gathered by organizations. This inventory would then be utilized to build a bigger picture of online data collection, from which further analysis is/was to be performed.
  • Coming to a tool, process or method that can be effectively applied across a variety of target groups and threat models so as to provide a method for better approaching and understanding holistic defense strategies.

Get more info through Threat Modeling: Lessons from Star Wars – Adam Shostack – Tripwire

Adam Shostack: What do Security Engineers Do?

Adam Shostack enjoys the opportunity not only to identify potential threats to and points of attack within a client’s information system(s) but to architect and implement the custom solutions needed to mitigate and eliminate system vulnerabilities while giving the client the tools and insight needed to achieve a more secure future.

Founder and Managing Consultant of Shostack & Associates, Adam Shostack engineers high-quality security solutions that address and resolve complex security issues, as well as to prepare organizations for the challenges of an ever-changing digital environment.

Shostack has worked in cybersecurity his entire career and is well-versed in those many responsibilities most often laid upon the security engineer’s desk. While the high-level duties of the engineer include comprehensive risk assessment, network vulnerability identification, and system security enhancement, they must also maintain a high-level of proficiency in:

  • Grasping and managing the technical, complex information security issues within a fast-paced business atmosphere.
  • The maintenance of all hardware and software in relation to security.
  • Being able to identify both current and growing issues in terms of security threats, vulnerabilities, and trends.
  • Performing research to better identify and assess system weaknesses, as well as making recommendations on best strategies moving forward.

Navigate here: How to start with threat modeling – MIS Training Institute

Adam Shostack: An Examination of Threat Modeling

Cyber security professional Adam Shostack has helped to define the process of threat modeling, having not only been responsible for Microsoft’s approach, providing comprehensive threat modeling training, services, and solutions to client-organizations since 2016, and Adam Shostack is also the author of “Threat Modeling: Designing for Security;” the practical guide that lays out how to do threat modeling throughout the security development lifecycle.

A noted expert and author on the subject of threat modeling, Adam Shostack defined the four-step framework used to threat mode today. Those are:

  • What are we working on? This is important to ground threat modeling work and scope it to what can be addressed.  It’s also an important collaboration between security professionals and others working on the product or service.
  • What can go wrong? This key step is focused on bringing security knowledge to the analysis of a specific system.
  • What are we going to do about it? Once a list of potential problems is available, it’s important to address those problems!
  • Did we do a good job? Take a look at what’s been done, and assess if you’re satisfied and confident.

To know more go through Adam Shostack – Founder & CEO @ Stealth Startup | Crunchbase

Adam Shostack: Achieving Success in Cyber Consulting

As Adam Shostack knows, the field of information security consulting is very crowded and highly competitive. To achieve any level of success in the industry, one must not only possess a strong understanding of the security issues organizations face on a daily, monthly and yearly basis; they must also possess the ability to remain flexible when it comes to meeting the numerous different security needs unique organizations and industries face, as well as to have the willingness to stay current on the ever-changing technologies and threats that are forever challenging the industry.

The Managing Consultant of Shostack & Associates, Adam Shostack understands that for cybersecurity consultants of any specialty to remain competitive and successful, they must:

  • Always be learning. Keeping a finger on the pulse of the industry and maintaining the desire to learn where it is and where its head is essential to anticipating and managing client’s current and future needs
  • Challenge themselves regularly. Consultants are responsible for solving problems. In the world of cybersecurity, those problems are changing and evolving constantly. To stay on top and ahead of these changes, it’s important to always seek out problems you’ve never dealt with or resolved before, as such situations can help to keep you sharp and prepared for anything that comes your way.

Go through Adam Shostack – Founder & CEO @ Stealth Startup | Crunchbase

Adam Shostack: Key Attributes Found in Successful Security Engineers

Adam Shostack has worked in the field of cybersecurity engineering for much of his career. The Managing Consultant of Shostack & Associates, Shostack has served as a leader within three successful startup firms centered focused on the development of security products and solutions, was a key driver of Microsoft’s Software Development Lifecycle, and has written or co-authored multiple books on the subject of online threats and information security.

A longtime security engineer and entrepreneur, Adam Shostack possesses many of the key attributes and skills most commonly found among those who have attained long-term success in the field. Some of the defining characteristics of a successful security engineer include:

  • The ability to focus on and manage the details of a given project, as well as to work methodically.
  • A curiosity and enthusiasm that drives the professional to dig deeply into complex technical issues, as well as to examine problems from all sides.
  • The ability to adapt to new situations; to identify and deliver solutions that best meet the needs of unique organizations, clients, and systems.
  • An updated understanding of the current risks and vulnerabilities, as well as the curiosity needed to learn and stay updated on the ever-changing nature of threats and organizational demands.

Go through adam shostack (@adamshostack) | Twitter