Adam Shostack: Security Risks Associated with USB Devices

As an information and cybersecurity expert, Adam Shostack focuses on providing clients with security solutions that improve security outcomes for their organizations. Shostack was instrumental in fixing the Windows Autorun malware problem that had plagued Windows machines since Windows 95, and now warns users about the security risks associated with USB devices.

Most people know they should never insert an unknown USB device into their computer, because the flash drive may contain malicious software. An even more insidious problem exists, however: the device's firmware itself may be malicious.

USB is a universal port standard that lets users connect a wide variety of devices (flash drives, external hard drives, game controllers, network adapters and so on) to their computers. These devices, like the computer itself, run a kind of software known as firmware; when a user connects a device, its firmware is what makes the device work. This is certainly convenient, but the USB standard gives the host no secure way to verify that the firmware on a device is what it claims to be, or that it is safe.

For example, a USB flash drive may appear to work normally while its firmware quietly modifies files in the background and infects the computer. A device whose firmware also presents itself as a USB Ethernet adapter can change the computer's network settings and redirect its traffic through attacker-controlled servers. A single device can present itself as a flash drive, a keyboard and a network adapter at the same time; as a keyboard, it can type commands the moment it is connected. Infection also runs the other way: a compromised computer can rewrite the firmware of a USB device plugged into it.

To make matters worse, Adam Shostack warns that there are no effective defenses against these firmware attacks. Malware scanners typically cannot read the firmware running on a USB device, and behavioral detection is nearly impossible because a malicious device looks to the operating system like a user who has simply plugged in a new keyboard or network adapter. Operating systems and endpoint tools can allow or block specific classes of USB devices, but because the device itself reports its class, vendor and product identifiers, such lists are easy to bypass.
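The class-based allow/block policy described above, and the reason it is easy to get around, as an added example that is not from the original page or from Shostack's own work. The policy, the device records and the vendor/product identifiers are constructed for illustration; the interface class codes are the standard USB base class values. The point the code makes is that every field the policy looks at is reported by the device's own firmware.

```python
from dataclasses import dataclass

# Standard USB interface base class codes (USB-IF class code list).
CLASS_CDC_CONTROL = 0x02   # communications: control side of a USB Ethernet adapter
CLASS_HID = 0x03           # human interface devices: keyboards, mice
CLASS_MASS_STORAGE = 0x08  # flash drives, external disks
CLASS_CDC_DATA = 0x0A      # data side of a CDC (Ethernet/serial) device

CLASS_NAMES = {
    CLASS_CDC_CONTROL: "cdc-control",
    CLASS_HID: "hid",
    CLASS_MASS_STORAGE: "mass-storage",
    CLASS_CDC_DATA: "cdc-data",
}


@dataclass(frozen=True)
class UsbDevice:
    """What the host learns from a device's descriptors when it enumerates.

    Every field is reported by the device's own firmware; the host has no
    way to check that the firmware is telling the truth.
    """
    vid: int
    pid: int
    interfaces: tuple  # interface base class codes, in descriptor order


@dataclass(frozen=True)
class Policy:
    """Class-based USB policy of the kind an endpoint agent might enforce."""
    allowed_classes: frozenset   # classes any device may present at all
    trusted_ids: frozenset       # (vid, pid) pairs allowed to present HID/network
    deny_storage_with_input_or_net: bool = True


def evaluate(device, policy):
    """Return (allowed, reasons) for a newly enumerated device."""
    reasons = []
    classes = set(device.interfaces)
    trusted = (device.vid, device.pid) in policy.trusted_ids

    unknown = classes - policy.allowed_classes
    if unknown:
        reasons.append("unrecognised interface class(es): "
                       + ", ".join(f"0x{c:02x}" for c in sorted(unknown)))

    # HID and network interfaces can type commands or redirect traffic, so
    # only pre-approved (vid, pid) pairs may present them.
    sensitive = classes & {CLASS_HID, CLASS_CDC_CONTROL, CLASS_CDC_DATA}
    if sensitive and not trusted:
        reasons.append("untrusted device presents "
                       + ", ".join(CLASS_NAMES[c] for c in sorted(sensitive)))

    # A "flash drive" that is also a keyboard or a NIC is the BadUSB pattern.
    if (policy.deny_storage_with_input_or_net
            and CLASS_MASS_STORAGE in classes and sensitive):
        reasons.append("mass-storage device also presents "
                       + ", ".join(CLASS_NAMES[c] for c in sorted(sensitive)))

    return (not reasons, reasons)


# Constructed policy: any of the four classes may appear, but only one
# approved keyboard (constructed vid/pid) may present HID or network interfaces.
CORPORATE_POLICY = Policy(
    allowed_classes=frozenset({CLASS_HID, CLASS_MASS_STORAGE,
                               CLASS_CDC_CONTROL, CLASS_CDC_DATA}),
    trusted_ids=frozenset({(0x046D, 0xC31C)}),
)

# Constructed devices for the moments of a BadUSB-style attack.
HONEST_STICK = UsbDevice(0x0781, 0x5567, (CLASS_MASS_STORAGE,))
COMPOSITE_STICK = UsbDevice(0x0781, 0x5567, (CLASS_MASS_STORAGE, CLASS_HID,
                                              CLASS_CDC_CONTROL, CLASS_CDC_DATA))
UNKNOWN_KEYBOARD = UsbDevice(0x1234, 0x0001, (CLASS_HID,))
# The same "flash drive" after re-enumerating as a keyboard and copying the
# approved keyboard's vid/pid: indistinguishable from the real thing.
SPOOFED_KEYBOARD = UsbDevice(0x046D, 0xC31C, (CLASS_HID,))


def demo():
    """Policy verdict for each constructed device."""
    devices = [("honest_stick", HONEST_STICK), ("composite_stick", COMPOSITE_STICK),
               ("unknown_keyboard", UNKNOWN_KEYBOARD), ("spoofed_keyboard", SPOOFED_KEYBOARD)]
    return {name: evaluate(dev, CORPORATE_POLICY)[0] for name, dev in devices}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} allowed={verdict}")
```

The policy catches the naive composite device and an unapproved keyboard, but the same firmware can first enumerate as plain storage, then drop off the bus and come back as a keyboard wearing an approved vendor and product ID, and the policy has nothing left to distinguish it from a real keyboard.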

Adam Shostack urges users to exercise caution with suspicious USB devices: never connect an unknown device to your computer. With Windows Autorun now disabled by default it is easy to become complacent, but the fundamental design flaw in these devices remains a potential but serious danger to a user's computer that the Autorun fix does not address.


Adam Shostack: Creator of the Elevation of Privilege Game

Adam Shostack is the founder and President of Shostack & Associates. Adam Shostack was part of Microsoft’s Security Development Lifecycle (SDL) Strategy team for several years and was instrumental in overhauling Microsoft’s SDL threat modeling system. Adam Shostack also created Microsoft’s Elevation of Privilege (EOP) threat modeling card game.

What is an Elevation of Privilege?

An elevation of privilege occurs when a user or application gains rights (privileges) that should not be available to them. For example, a system user who should have read-only permission somehow obtains read and write permission.
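The read-only-to-read-write escalation just described, shown in code as an added example that is not part of the original page. It uses a constructed document store and access-control list (ACL) with a hypothetical request format; the vulnerable authorization check trusts a permissions claim supplied by the client, and the hardened one consults only the server-side ACL.

```python
from dataclasses import dataclass, field

# Server-side access-control list (constructed). This is the authoritative
# record of who may do what; alice is meant to be read-only.
ACL = {
    "alice": frozenset({"read"}),
    "bob": frozenset({"read", "write"}),
}


@dataclass
class Request:
    user: str
    action: str                      # "read" or "write"
    doc: str
    body: str = ""
    claims: dict = field(default_factory=dict)  # client-supplied, untrusted


def authorize_vulnerable(req):
    # BUG: if the request carries a "permissions" claim, the server uses it
    # instead of the ACL. Any client can set claims["permissions"] = ["write"]
    # and elevate itself from read-only to read-write.
    perms = req.claims.get("permissions")
    if perms is None:
        perms = ACL.get(req.user, frozenset())
    return req.action in perms


def authorize_fixed(req):
    # Permissions come only from the server-side ACL; client claims are
    # ignored entirely for the authorization decision.
    return req.action in ACL.get(req.user, frozenset())


def handle(req, authorize, docs):
    """Apply the request to the document store if the given check allows it."""
    if not authorize(req):
        return "denied"
    if req.action == "read":
        return docs.get(req.doc, "denied")
    if req.action == "write":
        docs[req.doc] = req.body
        return "written"
    return "denied"  # unknown actions are refused


def demo():
    """Run the same escalation attempt through both checks."""
    escalate = Request(user="alice", action="write", doc="budget.txt",
                       body="Q3 budget: 0",
                       claims={"permissions": ["read", "write"]})
    results = {}
    for name, check in [("vulnerable", authorize_vulnerable), ("fixed", authorize_fixed)]:
        docs = {"budget.txt": "Q3 budget: 1,000,000"}  # constructed store
        outcome = handle(escalate, check, docs)
        results[name] = (outcome, docs["budget.txt"])
    return results


if __name__ == "__main__":
    for name, (outcome, content) in demo().items():
        print(f"{name:10s} -> {outcome}; budget.txt now: {content!r}")
```

With the vulnerable check alice's write succeeds and the budget is overwritten; with the fixed check it is denied and the document is untouched. The general rule the fix embodies is that anything the client sends is input to be validated, never a source of authority.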

Elevation of Privilege: The Threat Modeling Game is a card game Adam Shostack designed for three to five players. It draws people who are not information security practitioners or experts into the craft of threat modeling, using a variety of techniques to do so in an enticing, supportive and non-threatening way. The Elevation of Privilege card game can be downloaded free from Microsoft.


Adam Shostack: How to Become a CVE Numbering Authority (CNA)

After the second Workshop on Vulnerability Databases at Purdue, Adam Shostack worked hard to make the Common Vulnerabilities and Exposures (CVE) list a reality. Now broadly used, the list is maintained by CVE Numbering Authorities (CNAs) around the world, which assign CVE identifiers and publish the corresponding records.

What is the Common Vulnerabilities and Exposures list?

Common Vulnerabilities and Exposures (CVE) is a list of common identifiers for publicly known cybersecurity vulnerabilities; it is free to use and download. When a unique security vulnerability is found in software or firmware, a CVE Numbering Authority (CNA) assigns it an identifier and adds the entry to the CVE list, so that everyone discussing or sharing information about that vulnerability refers to the same record. This common naming lets users exchange data between tools and organizations and provides a baseline for evaluation.
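An added example, not from the original page, of what the common identifier buys you in practice: findings from two tools that describe the same vulnerabilities in different words can be joined because both cite the CVE ID. The two report formats and their lines are constructed; the CVE IDs they mention are real, widely known ones, and the extraction regex follows the published CVE ID syntax (a four-digit year and a sequence number of at least four digits).

```python
import re

# CVE ID syntax: "CVE-", four-digit year, then at least four digits. Since
# 2014 the sequence number has no upper bound, hence the open-ended \d{4,}.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def extract_cve_ids(text):
    """Return the normalised (upper-case) CVE IDs mentioned in free text."""
    return {f"CVE-{year}-{seq}" for year, seq in CVE_RE.findall(text)}


# Constructed output of a key=value style scanner ("A").
SCANNER_A = """\
host=web01 pkg=openssl-1.0.1e finding="Heartbleed (CVE-2014-0160)" sev=high
host=web01 pkg=log4j-core-2.14.1 finding="JNDI lookup RCE cve-2021-44228" sev=critical
host=db01 pkg=bash-4.2 finding="Shellshock CVE-2014-6271, CVE-2014-7169" sev=critical
"""

# Constructed output of a CSV style scanner ("B"): host,cve,title,score.
SCANNER_B = """\
web01,CVE-2021-44228,Log4Shell,9.8
web01,CVE-2021-45046,Log4j incomplete fix,9.0
db01,CVE-2014-6271,bash env function parsing,9.8
"""


def parse_kv_report(report):
    """host -> set of CVE IDs, from lines like 'host=... finding="..."'."""
    out = {}
    for line in report.splitlines():
        m = re.match(r"host=(\S+)", line)
        if not m:
            continue  # skip lines that are not findings
        out.setdefault(m.group(1), set()).update(extract_cve_ids(line))
    return out


def parse_csv_report(report):
    """host -> set of CVE IDs, from 'host,cve,title,score' lines."""
    out = {}
    for line in report.splitlines():
        if "," not in line:
            continue
        host, rest = line.split(",", 1)
        out.setdefault(host.strip(), set()).update(extract_cve_ids(rest))
    return out


def reconcile(*named_reports):
    """Merge (host, cve) pairs across reports, recording which reports saw each."""
    merged = {}
    for name, by_host in named_reports:
        for host, ids in by_host.items():
            for cve in ids:
                merged.setdefault((host, cve), set()).add(name)
    return merged


def single_source(merged):
    """(host, cve) pairs only one tool reported: the gaps worth a second look."""
    return sorted(key for key, seen in merged.items() if len(seen) == 1)


if __name__ == "__main__":
    merged = reconcile(("A", parse_kv_report(SCANNER_A)),
                       ("B", parse_csv_report(SCANNER_B)))
    for (host, cve), seen in sorted(merged.items()):
        print(f"{host:6s} {cve:16s} seen by {sorted(seen)}")
```

Without the shared identifier, "Heartbleed" in one tool and "openssl TLS heartbeat read overrun" in another would have to be matched by hand; with it, the join is a dictionary lookup, and the pairs only one tool reports fall out directly.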

How to Become a CNA

Adam Shostack emphasizes that becoming a CNA carries numerous considerations and responsibilities, all aimed at ensuring the continuing quality of the CVE List and improving CVE's operation and timeliness. Prospective CNAs must also go through a candidate process and meet specific qualifications. If you are interested in becoming a CNA, the CVE Program publishes the details of the process and the qualifications required.


Adam Shostack: 2017 Privacy Threat Modeling Project

Adam Shostack takes the issues of personal privacy and institutional transparency seriously; this is one of the primary reasons he is involved in the Seattle Privacy Coalition. A member of the Seattle Privacy Coalition board since 2015, Adam Shostack applies his skills, insight and experience in cybersecurity to give the organization strategic guidance on how digital information is collected, so that the Coalition's advocacy for privacy protection and security is better informed over the long term.

One such effort was Adam Shostack's leadership of a 2017 privacy threat modeling project. Along with a noted colleague and fellow Seattle Privacy Coalition board member, Shostack took on the project with enthusiasm, with the eventual goals of:

  • Modeling and categorizing the methods through which organizations, both public and private, collect personal data, and determining the options open to individuals along with each option's tradeoff or cost.
  • Developing an inventory of both the things people do online and the ways their data is gathered by organizations. This inventory would then be used to build a bigger picture of online data collection, from which further analysis was to be performed.
  • Arriving at a tool, process or method that can be applied across a variety of target groups and threat models, providing a way to approach and understand holistic defense strategies.


Adam Shostack: What do Security Engineers Do?

Adam Shostack enjoys the opportunity not only to identify potential threats to and points of attack within a client’s information system(s) but to architect and implement the custom solutions needed to mitigate and eliminate system vulnerabilities while giving the client the tools and insight needed to achieve a more secure future.

Founder and Managing Consultant of Shostack & Associates, Adam Shostack engineers high-quality security solutions that address and resolve complex security issues and prepare organizations for the challenges of an ever-changing digital environment.

Shostack has worked in cybersecurity his entire career and is well versed in the many responsibilities most often laid on the security engineer's desk. While the high-level duties of the engineer include comprehensive risk assessment, network vulnerability identification and system security enhancement, the engineer must also maintain a high level of proficiency in:

  • Grasping and managing the technical, complex information security issues within a fast-paced business atmosphere.
  • Maintaining the security of the organization's hardware and software.
  • Being able to identify both current and growing issues in terms of security threats, vulnerabilities, and trends.
  • Performing research to better identify and assess system weaknesses, as well as making recommendations on best strategies moving forward.


Adam Shostack: An Examination of Threat Modeling

Cybersecurity professional Adam Shostack has helped to define the process of threat modeling. He was responsible for Microsoft's approach, has provided comprehensive threat modeling training, services and solutions to client organizations since 2016, and is the author of "Threat Modeling: Designing for Security," the practical guide that lays out how to do threat modeling throughout the security development lifecycle.

A noted expert and author on the subject, Adam Shostack defined the four-question framework widely used to threat model today. The questions are:

  • What are we working on? This is important to ground threat modeling work and scope it to what can be addressed.  It’s also an important collaboration between security professionals and others working on the product or service.
  • What can go wrong? This key step is focused on bringing security knowledge to the analysis of a specific system.
  • What are we going to do about it? Once a list of potential problems is available, it’s important to address those problems!
  • Did we do a good job? Take a look at what’s been done, and assess if you’re satisfied and confident.


Adam Shostack: Achieving Success in Cyber Consulting

As Adam Shostack knows, the field of information security consulting is crowded and highly competitive. To achieve any level of success, a consultant must have a strong understanding of the security issues organizations face day to day, month to month and year to year; the flexibility to meet the different security needs of different organizations and industries; and the willingness to stay current on the ever-changing technologies and threats that challenge the industry.

The Managing Consultant of Shostack & Associates, Adam Shostack understands that for cybersecurity consultants of any specialty to remain competitive and successful, they must:

  • Always be learning. Keeping a finger on the pulse of the industry, and maintaining the desire to learn where it is and where it is headed, is essential to anticipating and managing clients' current and future needs.
  • Challenge themselves regularly. Consultants are responsible for solving problems. In the world of cybersecurity, those problems are changing and evolving constantly. To stay on top and ahead of these changes, it’s important to always seek out problems you’ve never dealt with or resolved before, as such situations can help to keep you sharp and prepared for anything that comes your way.


Adam Shostack: Key Attributes Found in Successful Security Engineers

Adam Shostack has worked in cybersecurity engineering for much of his career. The Managing Consultant of Shostack & Associates, Shostack has served as a leader within three successful startups focused on the development of security products and solutions, was a key driver of Microsoft's Security Development Lifecycle (SDL), and has written or co-authored multiple books on online threats and information security.

A longtime security engineer and entrepreneur, Adam Shostack possesses many of the key attributes and skills most commonly found among those who have attained long-term success in the field. Some of the defining characteristics of a successful security engineer include:

  • The ability to focus on and manage the details of a given project, as well as to work methodically.
  • A curiosity and enthusiasm that drives the professional to dig deeply into complex technical issues, as well as to examine problems from all sides.
  • The ability to adapt to new situations; to identify and deliver solutions that best meet the needs of unique organizations, clients, and systems.
  • A current understanding of risks and vulnerabilities, as well as the curiosity needed to keep up with the ever-changing nature of threats and organizational demands.


Adam Shostack: Common Responsibilities of the Security Engineer

Adam Shostack specializes in identifying and tackling the complex technical security issues faced by professionals and organizations. The Managing Consultant and Founder of Shostack & Associates, Shostack looks to design, build and implement the security strategies and solutions companies count on for solving their cybersecurity problems, and for being better prepared for the challenges of a fast-paced, often unpredictable future.

A longtime member of the security engineering community, Adam Shostack understands the many responsibilities placed on the cybersecurity engineer. Often an organization's first line of defense against potential security threats and risks, the security engineer is typically responsible for:

  • Providing assistance in the installation and use of security software, including data encryption programs and firewalls.
  • Establishing and building the organization’s security practices and standards.
  • Developing innovative ways for solving existing security issues.
  • Making recommendations to management regarding needed security enhancements.
  • Scanning networks to identify and isolate potential vulnerabilities.
  • Monitoring organization systems and networks for security intrusions and breaches.
  • Keeping an eye out for irregular system behavior(s).
  • Investigating how security breaches happen and establishing protocols for managing and preventing breaches in the future.


Adam Shostack: What are the Primary Objectives of Cyber Security?

Adam Shostack works diligently to not only identify the cybersecurity issues his clients are or could be facing but to design and develop solutions that deliver improved security outcomes that will protect and benefit their organizations down the road.

A security engineering professional, consultant and advisor with Shostack & Associates, Adam Shostack is well known for his experience and expertise in the field, and for consistently providing clients comprehensive, customized information security solutions that add real value for years to come.

As Adam Shostack knows, several high-level principles guide the field of security engineering. These include:

  • Integrity. One of the primary goals of security engineers is to make it very difficult, if not impossible, for unauthorized users to change information, and to give the client or organization the ability to track changes made by authorized users.
  • Confidentiality. Security engineering professionals work to ensure that information can only be accessed, seen or used by those with explicit authorization to do so.
  • Availability. Information must be readily accessible to authorized users when they need it.
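The first of the three principles above, keeping unauthorized users from changing information while tracking the changes authorized users make, as an added example that is not from the original page: a small store whose every change is authorized and appended to a keyed hash chain. The store, the writer list, the key and the values are constructed; the design is the standard one of chaining each log entry to its predecessor with an HMAC so that editing or deleting an entry is detectable by anyone holding the key.

```python
import hashlib
import hmac
import json


class IntegrityStore:
    """A value whose every change is authorized and recorded in a keyed hash chain.

    - Callers not in the writer list cannot change the value.
    - Each authorized change appends a log entry whose HMAC covers the entry
      body and the previous entry's HMAC, so later edits or deletions of the
      log break the chain.
    - The key is needed to recompute an HMAC, so an attacker who can edit the
      log file but does not hold the key cannot repair the chain.
    """

    GENESIS = "0" * 64  # "previous" tag of the first entry

    def __init__(self, key, writers, initial):
        self._key = key
        self._writers = set(writers)
        self.value = initial
        self.log = []
        self._append("system", initial)

    def _entry_tag(self, body):
        # Canonical JSON so the same body always hashes the same way.
        data = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def _append(self, user, new_value):
        prev = self.log[-1]["tag"] if self.log else self.GENESIS
        entry = {"seq": len(self.log), "user": user, "value": new_value, "prev": prev}
        entry["tag"] = self._entry_tag(entry)
        self.log.append(entry)

    def write(self, user, new_value):
        """Change the value if the user is an authorized writer; log the change."""
        if user not in self._writers:
            return False
        self.value = new_value
        self._append(user, new_value)
        return True

    def verify_log(self):
        """Recompute the chain. Returns (ok, index_of_first_bad_entry_or_None)."""
        prev = self.GENESIS
        for i, entry in enumerate(self.log):
            body = {k: v for k, v in entry.items() if k != "tag"}
            if (entry.get("seq") != i or entry.get("prev") != prev
                    or not hmac.compare_digest(self._entry_tag(body), entry.get("tag", ""))):
                return False, i
            prev = entry["tag"]
        # The live value must be the one the latest entry recorded.
        if self.value != self.log[-1]["value"]:
            return False, len(self.log)
        return True, None


def demo():
    """Constructed scenario: one denied write, one allowed write, then tampering."""
    store = IntegrityStore(key=b"constructed-demo-key", writers={"bob"}, initial="balance=100")
    denied = store.write("alice", "balance=1000000")      # alice is read-only
    allowed = store.write("bob", "balance=150")           # bob may write
    clean = store.verify_log()
    store.log[1]["value"] = "balance=1000000"             # edit the log after the fact
    tampered = store.verify_log()
    return {"denied": denied, "allowed": allowed, "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} {result}")
```

The chain detects an edited entry, a deleted entry (the sequence numbers and previous-tag links no longer line up) and a live value that no longer matches the last entry. Its weak point is the key: anyone who holds it can rewrite history, so in a real deployment the key stays with the verifier, not with the process that writes the log.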
