Adam Shostack: Near Misses in Cybersecurity

Adam Shostack is a cybersecurity expert with decades of experience who has advocated for the reporting and analysis of cybersecurity’s “near misses” – incidents that organizations could report on to give the industry some crucial clues on hacks and breaches with the aim of learning what works and where the weak spots are.

It’s quite common to treat events as black or white, with an event either treated as a success or a failure. A near miss may have come close to bringing an adverse outcome, but even if the miss were out of sheer luck, by this thinking, it would be considered a success. However, there are plenty of things to learn from near misses – lessons that can save a lot of time and resources down the road.

When the near miss is an attempted cyber attack, the outcome for a large organization, for example, would potentially be a significant and costly data breach. However, since it’s a near miss, it costs the organization nothing at the time but could cost a lot more if the organization fails to learn from the failed attack. And that’s what Adam Shostack advocates for, organizations pre-empting future assaults by learning from near misses.


Adam Shostack: Black Hat

Over the years, the Black Hat USA security conference has become one of the most significant events on the cybersecurity calendar. As Adam Shostack, a member of the Black Hat Review Board knows, some of the most prominent and infamous security research and attacks have been made public at Black Hat. From the talks to the panel discussions and the demonstration, much of what happens at the event makes national and international headlines and helps change perceptions and policy on cybersecurity.

For more than two decades, the Black Hat event has provided attendees with the latest information in security research, trends and developments in a vendor-neutral setting. The event strives to bring together some of the industry thought leaders and professionals who aspire to meet the needs of the security community and want to encourage collaboration among various actors.

Held annually since 1997, the Black Hat Briefings have grown from a single conference to a series of trainings and events that are held in Asia, Europe and the United States. The briefings are designed to help leading security researchers take the stage to share their findings with the community and collaborate in finding answers to a growing list of vulnerabilities.

Adam Shostack is an entrepreneur, consultant and author who’s helped many organizations improve their security.

Adam Shostack: Secure Systems Lead to Success

Adam Shostack is an experienced security professional who’s worked for more than two decades with some of the leading firms in the industry. Perhaps better than many organizations know, Mr. Adam Shostack recognizes the importance of having systems operate in a secure network. He’s seen the security industry evolve with the growth of technology, and appreciates the role it plays in a firm’s success.

As more and more company assets continue to be recorded, processed and stored in electronic form, the value of this data grows. The Internet has also made it possible to have new business models that incorporate security as a vital factor in their growth and success.

According to Adam Shostack, Experts in the security industry agree on the importance of having it included in the development and operation process because it can’t be added at a later stage. The decisions made early in the security design process by professionals tasked with building it are crucial to reducing system vulnerabilities and other potential areas of attacks. Taking a measured approach to security ensures that later costs are better anticipated and managed.

Adam Shostack: What is a Privacy Impact Assessment (PIA)?

Adam Shostack is the founder and President of Shostack & Associates and focuses on providing clients with expert security analysis and solutions that work to improve their organizational security. As an information security expert, Adam Shostack has extensive experience with threat modeling and analysing security processes.

According to the Federal Trade Commission (FTC), “A Privacy Impact Assessment, or PIA, is an analysis of how personally identifiable information is collected, used, shared, and maintained.”

What is the purpose of a PIA?

The purpose of a privacy impact assessment is to demonstrate that program managers and system owners have incorporated robust and effective privacy protections throughout the development life cycle of a system or program. This analysis allow organizations to communicate how personally identifiable information is handled, as well as how the organization addresses privacy concerns and safeguards information.

Adam Shostack believes the best way to protect your personally identifying information is by respectfully refusing to hand it out. Individuals must carefully consider the information they share about themselves. Organizations should threat model to only collect what they need and to protect your sensitive personal data. Your personally identifiable information must be handled and maintained with care and accessed only a strict need-to-know basis.

Adam Shostack: Security Risks Associated with USB Devices

As an information and cybersecurity expert, Adam Shostack focuses on providing clients with expert security solutions that improve security outcomes for their organizations. Shostack was instrumental in fixing the Windows Autorun malware problem that plagued Windows machines since the deployment of Windows 95, and now warns users against the security risks associated with USB devices.

Most individuals know they should never insert an unknown USB device into their computer because the flash drive may contain malicious software. However, an even more insidious problem exists because these devices may have malicious firmware.

USB is a universal type of port that allows users to connect a variety of devices (e.g., flash drives, external hard drives, game controllers, network adapters, etc.) to their computers. These devices, along with your computer, run a type of software known as firmware. When a user connects a device to his or her computer, the device’s firmware is what makes the device function. This is certainly convenient; however, there is no secure way to verify whether the firmware on the USB device is safe.

For example, a USB flash drive may appear to function normally, but the firmware associated with it could modify files in the background and infect a computer. Further, using a connected device with malicious firmware as a USB Ethernet adapter could potentially route internet traffic over servers that contain malware. While a user’s USB flash drive may function as such, it could also contain firmware that allows it to run as a keyboard and Ethernet network adapter. Additionally, computers have the potential to infect a USB device’s firmware.

To make matters worse, Adam Shostack warns there are no known defenses from USB attacks. Malware scanners are typically unable to access the firmware running on a USB device and behavioral detection is almost impossible because the behavior of an infected device may look as though a user has simply plugged in a new USB device. While it is possible to block or allow specific classes of USB devices, these lists are easy to bypass.

Adam Shostack emphasizes that users exercise caution when dealing with suspicious USB devices. Never connect an unknown device to your computer. With the Windows Autorun feature now disabled by default, it is easy to become complacent but the fundamental design flaw in these types of devices demonstrates a potential but serious danger to a user’s computer.

Adam Shostack: Creator of the Elevation of Privilege Game

Adam Shostack is the founder and President of Shostack & Associates. Adam Shostack was part of Microsoft’s Security Development Lifecycle (SDL) Strategy team for several years and was instrumental in overhauling Microsoft’s SDL threat modeling system. Adam Shostack also created Microsoft’s Elevation of Privilege (EOP) threat modeling card game.

What is an Elevation of Privilege?

An elevation of privilege occurs when a user or application gains rights (i.e., privileges) that should not be available to him or her. For example, a system’s user that should have “read-only” permission somehow elevates their system privileges to include “read and write” permissions.

Elevation of Privilege: The Threat Modeling Game is a card game Adam Shostack designed for 3-5 players and works to draw people who are not information security practitioners or experts into the craft of threat modeling. The game uses a variety of techniques to accomplish this and does so in an enticing, supportive, and non-threatening way. You can download the Elevation of Privilege threat modeling card game free from Microsoft.

Explore more via adam shostack (@adamshostack) | Twitter

Adam Shostack: How to Become a CVE Numbering Authority (CNA)

After the second Workshop on Vulnerability Databases at Purdue, Adam Shostack worked hard to make the Common Vulnerabilities and Exposures (CVE) list a reality. Now broadly used, CVE Numbering Authorities, or CNAs, from around the world are responsible for maintaining the list.

What are the Common Vulnerabilities and Exposures list?

Common Vulnerabilities and Exposures (CVE) is a list that tracks common identifiers for publicly known cybersecurity vulnerabilities that is free for use and download. When parties discuss or share information about a unique security vulnerability found in software or firmware, a CVE Numbering Authority (i.e., CNA) adds the information to the CVE list. This process enables users to exchange data and provides a baseline for evaluation.

How to Become a CNA

Adam Shostack emphasizes that there are numerous considerations and responsibilities in becoming a CNA that ensures the continuing quality of the CVE List and improving CVE’s operation and timeliness. Additionally, potential CNAs must go through a candidate process and possess specific qualifications. If you are interested in becoming a CNA, click here for more information about the process and qualifications required.

Go through Emergent Chaos | The Emergent Chaos Jazz Combo

Adam Shostack: 2017 Privacy Threat Modeling Project

Adam Shostack takes the issues of personal privacy and institutional transparency; one of the primary reasons why he is involved in the Seattle Privacy Coalition. A Member of the Seattle Privacy Coalition Board since 2015, Adam Shostack works to utilize his skills, insight, and experience in cyber security to provide the organization strategic guidance in terms of how digital information is collected; to better inform the Coalition’s efforts in terms of advocating for privacy protection and security far down the road.

One such effort was Adam Shostack’s leadership on a 2017 Threat Modeling Privacy project. Along with a noted colleague and fellow Seattle Privacy Coalition board member, Shostack took on the responsibilities of this project with enthusiasm; one with the eventual goals of:

  • Modeling and categorizing the methods through which organizations, both public and private, collect personal data and information, as well as to determine options and their tradeoff or cost to the individual.
  • Developing an inventory that includes both those things people do online and the ways their data is gathered by organizations. This inventory would then be utilized to build a bigger picture of online data collection, from which further analysis is/was to be performed.
  • Coming to a tool, process or method that can be effectively applied across a variety of target groups and threat models so as to provide a method for better approaching and understanding holistic defense strategies.

Get more info through Threat Modeling: Lessons from Star Wars – Adam Shostack – Tripwire

Adam Shostack: What do Security Engineers Do?

Adam Shostack enjoys the opportunity not only to identify potential threats to and points of attack within a client’s information system(s) but to architect and implement the custom solutions needed to mitigate and eliminate system vulnerabilities while giving the client the tools and insight needed to achieve a more secure future.

Founder and Managing Consultant of Shostack & Associates, Adam Shostack engineers high-quality security solutions that address and resolve complex security issues, as well as to prepare organizations for the challenges of an ever-changing digital environment.

Shostack has worked in cybersecurity his entire career and is well-versed in those many responsibilities most often laid upon the security engineer’s desk. While the high-level duties of the engineer include comprehensive risk assessment, network vulnerability identification, and system security enhancement, they must also maintain a high-level of proficiency in:

  • Grasping and managing the technical, complex information security issues within a fast-paced business atmosphere.
  • The maintenance of all hardware and software in relation to security.
  • Being able to identify both current and growing issues in terms of security threats, vulnerabilities, and trends.
  • Performing research to better identify and assess system weaknesses, as well as making recommendations on best strategies moving forward.

Navigate here: How to start with threat modeling – MIS Training Institute

Adam Shostack: Security Engineering Solutions that Deliver Results

Adam Shostack has focused on the needs of each unique client; an effort to design and deliver those cybersecurity services and solutions that best address the organization’s unique problems while preparing them for a stronger, more secure and more confident future.

A cybersecurity specialist and Founder of Shostack & Associates, Adam Shostack offers the tailored security engineering, risk management and threat modeling services clients need to find effective answers as quickly as possible.

Under the direction and information security expertise of its leader, Shostack & Associates offer clients across industries and fields a unique value proposition; one that offers that advantages of:

  • Security engineering solutions and services that are far more secure than the competition.
  • More effective security crisis avoidance and management through threat modeling and early threat identification.
  • Detailed, thorough and professional analysis of potential risks and steps for prevention and remediation.
  • Experienced, credible professionals with years of insight and expertise in the field of cybersecurity.
  • A strategic, effective approach for engaging regulators.

Adam Shostack and his team understand the challenges organizations face when it comes to the design, implementation, and management of secure information systems, and have the knowledge, experience, and expertise to provide a more confident and secure future for every client.

For more info click here Adam Shostack | RSA Conference