
🎓 VulnU #006: Infosec Growth Unlocked: Harnessing the Power of Grit 💪

Transforming Challenges into Opportunities

Read Time: 6 minutes

Vulnerable U Community,

Welcome to the latest edition!

Topic of the Week:

Picture this: you're scrolling the news and you come across yet another data breach in the headlines. It starts to feel like noise after a while, doesn't it? Many of us assume that our email, phone number, and address are already part of numerous data breaches, and we have various lines of defense in place to limit the impact.

As infosec professionals, what can we learn from these breaches? Usually, we learn best from our own mistakes, and that still holds true. Who has worked at a company that suffered a breach and all of a sudden found their previously proposed security roadmap miraculously prioritized? That's learning from one's own mistakes.

🌟 However, we work in a unique industry where we can also learn from others' mistakes frequently. This is due to some folks choosing to be vulnerable and talking publicly about their failures or challenges - but also helped along by regulations that require customer notification of data loss.

How can we best learn from others' challenges?

📚 I like a book by Angela Duckworth titled "Grit" where she uses a few key concepts that can help us here. One of my favorites is:

💡 “Develop a growth mindset” - Rewiring your brain to view challenges and setbacks as opportunities for growth and learning, rather than as evidence of unwavering limitations.

Fortunately, in our industry, we get to practice our growth mindset any time we open the news and read about a new breach. What can we learn from our peers' challenges?

🔗 First off, as I stated in previous editions of Vulnerable U [link], extreme goals in infosec are useless. "Don't get hacked", "prevent all security incidents", these are things I've actually seen on strategy decks. Going back to Duckworth's book, she would suggest these goals could potentially lead to a fixed mindset and a sense of defeat when those outcomes are not achieved.

🏋️ To draw a parallel I came across in another part of my life: I've worked with a number of fitness coaches over the years and many times had a "goal weight" I wanted to achieve while working with them. One of them had a conversation with me early in the program, when I asked him for help setting a good "goal weight" to strive for based on my height, age, etc. He said something along the lines of:

🤔 "What if we don't do that? If you said you wanted to lose 50 pounds with me and you only lost 40, would you consider yourself a failure?"

It really helped rewire me so that I wouldn't set myself up for potential disappointment and discouragement from even starting. Instead, we learn…

🎯 The process is the goal 🎯

So taking into account a recent breach like Uber's law firm [link], what can we learn without having to go through the same thing ourselves? I saw a few tweets about this article saying, tongue in cheek, "time to update your threat model" - but how many actually do that? Who is at work this week creating a document that illustrates how a data breach at their external counsel could lead to their own data loss event? I'd guess it is a very small number of folks. I'm making the case that number should be bigger.

🚀 Challenging you to take some actions:

  1. Write down what adopting a "growth mindset" would look like for you in your personal and professional life.

  2. Identify 3 setbacks you or your team have gone through recently. How could you view them as opportunities for improvement, and what areas for growth and development do they point to?

  3. Brainstorm ways you can foster a culture of continuous improvement and innovation on your team. If you bring up ideas and solutions instead of problems and complaints, I guarantee your team, boss, and family will see the shift immediately and positively.

By focusing on the process of learning and growth, individuals and organizations can maintain their growth mindset and approach infosec with a sense of possibility and resilience instead of perpetual failure. Embrace the lessons learned from data breaches and setbacks, and use them as fuel for continuous improvement in the ever-evolving world of information security.

Elective Reading

Here are some things I’m reading right now and some cliff notes or thoughts:

Huge aggregate of malware defense papers going back many years - and just this week updated for 2023.

Semgrep, the SAST tool, has dipped its toe into using AI to help with a problem that plagues vuln identification: false positives. It even goes beyond that and suggests fixes to code automatically. Powerful stuff on the horizon here.

Staying on the AI topic - Daniel Miessler has been putting out some fantastic head scratchers on the future ahead of us now that the AI Pandora's box has begun to open.

Super interesting point made by Alec Muffett here. The Executive Order fails to link "capability to gain remote access" to the intended purpose of the software, which makes any application with an RCE bug fall under the current definition of "commercial spyware."

Orca's founder is stepping down as CEO to shift leadership. Andy Ellis - previous CISO for Akamai - talks about how this is a very mature move to avoid Founder's Syndrome.

This is one of the best public write-ups of a threat model I've ever seen. I'm going to do some long-form discussion about it; it's that good. Attack trees, data flow diagrams, trust boundaries, it's got it all!

Kind of on brand with today’s newsletter topic eh? There are usually a lot of external forces pushing against sharing breach info publicly.

Andrew from GreyNoise sharing great data as usual, this time about a recent ransomware wave. Some great visualizations to check out on it, attached.

Hackers getting into the mainstream media always entertains me. Also why I dislike most "smart" devices in the home.

Plenty of articles on the takedown of Genesis Market. But a pretty cool document you don’t always get to see, the actual warrant used to perform the seizure: https://s3.documentcloud.org/documents/23742615/genesis-market.pdf

Jhaddix has been sharing a lot of good content with the community for years. Lately he's been pouring gas on that fire and really focusing on it. His new newsletter is full of goodies, he's teaching a good course, and he put out his master GPT prompts for free. Go give him a follow - especially if you're a bug hunter or red teamer.

Community Spotlight:

Two of my favorite people in the industry, Ed Bellis and Michael Roytman, released a book this week. I've worked closely with these two over the years and have even given conference talks with both of them on the topics they have not only written a book about, but built a company around.

If you've ever read about data-driven approaches to vulnerability management, chances are you came across some of the data these two produced during their time running Kenna Security (now part of Cisco).

I still reference a slide deck Roytman put out titled "CVSS Sucks" and its breakdown of how fixing vulns stack-ranked by CVSS score is no better than randomly picking from your pile when it comes to actually fixing a vuln that might be used in a breach.

I'm excited to go through this book. They have told me it's basically "How to build your own Kenna" - which I feel like a lot of people are trying to do, whether they realize it or not.

(this is not a sponsored slot, I genuinely am proud of these two and love everything they put out)

Please write to me and share stories or anecdotes for this section. It goes very well with the theme of being vulnerable together by sharing stories. I'd especially love to hear about your failures. What is a time you failed? What did you learn? How did it change your life?

Extra Credit:

Help Us Grow! If you know someone who might be interested in joining the Vulnerable U community, please share this newsletter with them! As of now, spread will just be by word of mouth.

Parting Thoughts:

Let me know how I can help, as always. If there's a topic you'd like to see covered in a future edition of the newsletter, or if you have any questions or concerns, please don't hesitate to reach out. I'm always happy to hear from our readers and help in any way I can.

Stay safe, Matt Johansen
@mattjay