#Shostack
When it comes to threat modeling, not all threats are created equal

Identifying Inherent Threats: The Key to Effective Threat Modeling and Risk Mitigation https://jpmellojr.blogspot.com/2024/05/identifying-inherent-threats-key-to.html
#ThreatModeling #Shostack #InherentThreats #RiskMitigation #CyberSecurity #SystemDesign #CustomThreatLibrary #ScalingThreatModeling
Discover the Best Books for Software Security and Hacking - Top 10 Recommendations by Reddit Users

With the growing threat of cyber attacks, it's essential to stay informed about software security and hacking techniques. Fortunately, there are many great books on the market that cover these topics in depth. Reddit users have recommended some of the best books on software security, covering topics such as malware analysis, encryption, and social engineering. In this article, we will provide an overview of these books and their contents.

"The Web Application Hacker's Handbook" by Dafydd Stuttard and Marcus Pinto
"The Web Application Hacker's Handbook" is a comprehensive guide to web application security that covers the latest hacking techniques and how to defend against them. The book provides a detailed overview of web application vulnerabilities, including cross-site scripting, SQL injection, and session hijacking, and explains how attackers exploit these vulnerabilities to compromise web applications. The authors also cover the tools and techniques used by hackers, as well as the best practices and tools that developers can use to build secure web applications.

"Security Engineering: A Guide to Building Dependable Distributed Systems" by Ross Anderson
"Security Engineering" is a comprehensive guide to building secure and dependable distributed systems. The book covers a wide range of security engineering principles and practices, including cryptography, access control, intrusion detection, and security protocols. The author provides detailed examples of how these principles can be applied to real-world systems, and offers guidance on how to design and implement secure systems that can withstand attacks and failures.

"Threat Modeling: Designing for Security" by Adam Shostack
"Threat Modeling" is a guide to designing secure software by identifying and addressing potential security threats. The book covers the threat modeling process, including how to identify potential threats, assess their impact, and develop countermeasures to mitigate them. The author also covers the different threat modeling methodologies and provides guidance on how to integrate threat modeling into the software development lifecycle.

"Hacking: The Art of Exploitation" by Jon Erickson
"Hacking: The Art of Exploitation" is a hands-on guide to hacking that teaches readers how to write their own exploits. The book covers a wide range of hacking techniques, including stack overflow attacks, format string vulnerabilities, and heap overflows, and provides detailed examples of how to exploit these vulnerabilities. The author also covers the basics of assembly language and C programming, and provides guidance on how to use these languages to write exploits.

"Applied Cryptography" by Bruce Schneier
"Applied Cryptography" is a comprehensive guide to cryptography and its applications in software security. The book covers the principles of cryptography, including symmetric and asymmetric encryption, hash functions, and digital signatures, and explains how to use these principles to secure software. The author also covers the latest cryptographic protocols and provides guidance on how to implement them in software.

"The Tangled Web: A Guide to Securing Modern Web Applications" by Michal Zalewski
"The Tangled Web" is a guide to web application security that covers the latest web application security issues and how to defend against them. The book covers a wide range of topics, including the basics of web architecture, HTTP, and HTML, as well as the latest web application vulnerabilities, including cross-site scripting, CSRF, and Clickjacking. The author also provides guidance on how to use different security measures, including CSP, HSTS, and HTTPS, to secure web applications.

"Black Hat Python: Python Programming for Hackers and Pentesters" by Justin Seitz
"Black Hat Python" is a guide to using the Python programming language for hacking and penetration testing. The book covers a wide range of topics, including network programming, web scraping, and reverse engineering, and provides detailed examples of how to use Python to write exploits and automate hacking tasks. The author also covers the basics of the Python language, making it an accessible resource for both beginner and experienced Python programmers.

"The Art of Deception: Controlling the Human Element of Security" by Kevin Mitnick and William L. Simon
"The Art of Deception" is a guide to social engineering and how to defend against it. The book covers a wide range of social engineering techniques, including pretexting, phishing, and baiting, and explains how attackers use these techniques to gain access to secure systems. The authors also provide guidance on how to identify and defend against social engineering attacks, including training employees and implementing security policies.

"Serious Cryptography: A Practical Introduction to Modern Encryption" by Jean-Philippe Aumasson
"Serious Cryptography" is a guide to modern encryption and its practical applications. The book covers the principles of encryption, including symmetric and asymmetric encryption, hash functions, and authenticated encryption, and provides detailed examples of how to use these techniques to secure data. The author also covers the latest cryptographic protocols, including TLS 1.3 and Signal Protocol, and provides guidance on how to implement them in software.

"The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws" by Dafydd Stuttard and Marcus Pinto
"The Web Application Hacker's Handbook" is a comprehensive guide to web application security and how to test for vulnerabilities. The book covers a wide range of topics, including the basics of web application architecture, input validation, authentication, and access control, and provides detailed examples of how to find and exploit security flaws in web applications. The authors also cover the latest attack techniques, including SQL injection, cross-site scripting, and file inclusion vulnerabilities.

"The Art of Exploitation" by Jon Erickson
"The Art of Exploitation" is a guide to software exploitation and how to write exploits. The book covers a wide range of topics, including the basics of assembly language, stack overflows, format string vulnerabilities, heap overflows, and return-oriented programming. The author also provides detailed examples of how to write exploits for real-world software vulnerabilities, making it an excellent resource for both beginner and experienced exploit developers.

"Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software" by Michael Sikorski and Andrew Honig
"Practical Malware Analysis" is a guide to malware analysis and how to dissect malicious software. The book covers a wide range of topics, including malware behavior analysis, code analysis, and memory forensics, and provides detailed examples of how to analyze real-world malware samples. The authors also cover the latest malware analysis tools and techniques, making it an essential resource for anyone interested in malware analysis or reverse engineering.

In conclusion, software security is a critical topic for anyone interested in technology or cybersecurity. The books recommended by Reddit users provide an excellent starting point for those looking to learn more about software exploitation, malware analysis, social engineering, and encryption. By reading these books and staying informed about the latest threats and vulnerabilities, you can better protect yourself and your organization from cyber attacks. Remember to always practice safe online habits and keep your software up to date to stay one step ahead of the hackers.
A Cyber Green Initiative: The Science of Cyber Public Health

Cyber Green
Google cloud thinks that knowledge of the relative “health” of the Internet should influence how cloud infrastructure is approached. The conditions that contribute to the unhealthy, hazardous, and unsecured nature of the internet can be proactively and comprehensively identified and addressed with the use of these crucial statistics. Most importantly, they can be applied to the development of a comprehensive understanding of the internet that integrates cybersecurity with public health research and principles, a developing discipline known as Cyber Public Health (CPH).
Google cloud is pleased to declare Google’s support for CPH, as it can assist us in determining whether the measures taken by each of Google cloud’s organisations to secure their systems add up to a larger overall benefit for cyber public health. The goal of CPH is to manage the hazards that the internet faces, which can only be achieved by taking a broad view. This entails moving past events and vulnerabilities and towards procedures that keep systems linked to the internet safe and secure.
For instance, examining the cumulative impact of patching susceptible systems on reducing malware transmission and enhancing overall system uptime is one method by which Google might quantify CPH. Organisations must identify, quantify, and make publicly available the equivalent of vital statistics, or common health data, as it is now reported in public health reporting, in order to do these kinds of measurements. With this more comprehensive data context, Google cloud can comprehend the state of the internet as a whole and utilise that knowledge to implement safe system practices.
Obtaining more accurate and thorough data
Organisations are exposed to novel and developing attacks because traditional cybersecurity models frequently respond to isolated threats. Existing data is frequently difficult to access, siloed, and fragmented, which makes it difficult to discern trends, patterns, and risk factors at the population level.
Google cloud can’t really learn anything about what led to a specific weakness, how it was exploited, what worked as a “cure,” or how to prevent similar vulnerabilities from occurring in the future, as a lot of security breaches remain undisclosed.
Google does not currently have complete community data regarding the state of the internet as a whole. Since CPH primarily focuses on measuring and reporting the behaviours that have been shown to lower cyber-risk, Google thinks it can contribute to Google cloud’s growing understanding of the healthcare of the internet.
From response to forecasting to safeguarding the internet
A paradigm change in cybersecurity is provided by CPH. With the use of data-driven insights and stakeholder participation, CPH can assist us in creating a digital environment that is more robust and safe. Google Cloud is dedicated to assisting this new strategy by funding research, creating cutting-edge technology, and encouraging knowledge exchange within the cybersecurity community.
Recently, Google Cloud and the Cyber Green Institute, a group that measures the state of the internet and advocates for CPH, co-hosted a session. The Cyber Green Institute enables individuals and organisations to take proactive steps to help them prevent and minimise cybersecurity challenges, as opposed to concentrating on treating threats and responding to assaults in a reactive manner. Lead author of the workshop report Adam Shostack remarked, “Such approaches are analogous to treating a case of malaria through medicine, while leaving the nearby mosquito swamp untouched, or creating technologies for cancer treatment while ignoring the public’s tobacco consumption.”
Google cloud VISION
The COVID-19 pandemic highlighted the world’s interconnection, shared risks, and public health’s role in promoting the common good. Although the internet has many of the same challenges, Google cloud’s understanding and abilities to solve them are obsolete.
Nowadays, cybersecurity is frequently more of an art than a science. Cybersecurity experts lack access to the kind of comprehensive data or methodology required to examine collective risk at any meaningful scale, despite decades of research, investment, invention, and hard work. Google cloud is unable to forecast future events, evaluate the efficacy of mitigation initiatives, or pinpoint the broader factors that influence cyber security risk. Similar difficulties beset medicine until the development of epidemiology and public health sciences, which renewed interest in gathering and combining health-related data and opened the door to a more rigorously scientific methodology.
Google cloud requires a science of cyber public health and institutions to use it in order to address the changing risks of the future. Since data is the foundation of science, compiling a more extensive quantity of data and standardising it for researchers should be Google cloud’s top priorities. Every facet of cybersecurity will be revolutionised by taking a society-level perspective on hazards, including lowering systemic risks, resolving current injustices, and improving everyone’s access to a safe and reliable internet.
Through the establishment and advancement of the science of Cyber Public Health, Cyber Green aims to mobilise a global community of specialists, corporate leaders, and policymakers to revolutionise cybersecurity.
FORMING A GROUP
In order to establish a science of Cyber Public Health, Cyber Green is assembling a group of professionals, corporate executives, and legislators who share similar views. Together, Google will assist in identifying the information, organisations, and laws required to apply this research to the worldwide threats that the internet faces.
ACTIVITIES
Cyber Green collaborates with regulators, standards organisations, and legislators to promote laws that increase pertinent data collection and progress the field of cyber public health research and practice.
METRICS AND DATA
Cyber Green gathers information and works with international partners to develop a comprehensive framework that uses metrics and scoring to evaluate the global cyber risk that we all share.
INVESTIGATE
Cyber Green is working on research projects to determine the main obstacles to the establishment of a science of cyber public health as well as future directions in this area.
DATA STATISTICS
Cyber Green is dedicated to laying the groundwork for cyber public health through thorough scientific research and statistics. The internet services that can be utilised as DDoS attack infrastructure are the main focus of Google cloud’s current data collection study.
Experts from a range of fields convened for the first-ever Cyber Public Health workshop to deliberate on the future trajectory of CPH. Important study areas were identified during the session, including:
Establishing the basic CPH units of measurement (devices, accounts, and users).
Locating trustworthy data sources and resolving privacy issues.
Creating metrics and incident reporting forms that are standardised.
Studying the effects of developing technologies, such as artificial intelligence, on cybersecurity.
The idea of digital activities of daily living (DADLs) was one topic of discussion. DADLs expand the concept of measuring a person’s capacity to conduct daily, routine activities to their digital lives, in a manner similar to how physical health impairment is measured in humans.
“DADLs stand for the essential digital tasks that people, groups, and even entire countries need to complete in order to keep a safe and secure cyber ecosystem in place. DADLs are essential for modern digital well-being, just as ADLs are for physical well-being,” stated Josiah Dykstra, director of Strategic Initiatives at Trail of Bits, in a recent Cyber Green blog post.
Google Cloud actively participates in these research projects, working with eminent institutions and scientists to progress the subject of CPH.
Next up
Together with concepts like those proposed by the public-private PCAST Cyber-Physical Resilience Strategy, Cyber Public Health is a promising new strategy that has the potential to completely transform cybersecurity. As a proud participant in this initiative, Google Cloud cordially invites you to work with us to create a safer and more secure online environment.
Google cloud strongly advises you to become more knowledgeable about the work of the Institute and Cyber Public Health.
Read more on Govindhtech.com
#CyberGreen #cyberpublichealth #cybersecurity #GoogleCloud #healthcare #cuttingedgetechnology #artificialintelligence #cloudcomputing #news #technews #technology #technologynews #technologytrends #govindhtech
Threats: What Every Engineer Should Learn From Star Wars
Okay, I know this isn't a general purpose security topic, but hey, I've seen a lot of Tumblr users admit to being in software dev over the years ;) Adam Shostack, well known in the security space on a variety of topics, particularly threat modeling, has a new book out. The twist? Looking at the concept of threats to software through the lens of Star Wars.
I haven't read this one myself yet so no book review right now, but it looks fun!
Blueprint service diagrams were first published in the Harvard Business Review in 1984 by G. Lynn Shostack, and they visually map out the steps in a service process, making it easier to design a new process or record and improve an existing one.
In case you are constantly searching for ‘blue print service near me’ or ‘the best printing services in Miami’, maybe we have something for you. Keep reading this blog till the end to find out!
Service blueprints provide a flexible, focused look at an organization’s service processes and integrate the customer’s perspective while being simpler than UML and BPMN (Business Process Model and Notation).
Secure your applications with help from your favorite Jedi masters

In Threats: What Every Engineer Should Learn From Star Wars, accomplished security expert and educator Adam Shostack delivers an easy-to-read and engaging discussion of security threats and how to develop secure systems. The book will prepare you to take on the Dark Side as you learn—in a structured and memorable way—about the threats to your systems. You’ll move from thinking of security issues as clever one-offs and learn to see the patterns they follow. This book brings to light the burning questions software developers should be asking about securing systems, and answers them in a fun and entertaining way, incorporating cybersecurity lessons from the much-loved Star Wars series. You don’t need to be fluent in over 6 million forms of exploitation to face these threats with the steely calm of a Jedi master. You’ll also find:
Understandable and memorable introductions to the most important threats that every engineer should know
Straightforward software security frameworks that will help engineers bake security directly into their systems
Strategies to align large teams to achieve application security in today’s fast-moving and agile world
Strategies attackers use, like tampering, to interfere with the integrity of applications and systems, and the kill chains that combine these threats into fully executed campaigns
An indispensable resource for software developers and security engineers, Threats: What Every Engineer Should Learn From Star Wars belongs on the bookshelves of everyone delivering or operating technology: from engineers to executives responsible for shipping secure code.

ASIN: B0BT3RGRKS
Publisher: Wiley; 1st edition (18 January 2023)
Language: English
File size: 2941 KB
Text-to-Speech: Enabled
Screen Reader: Supported
Enhanced typesetting: Enabled
X-Ray: Not Enabled
Word Wise: Not Enabled
Print length: 341 pages
Page numbers source ISBN: 1119895162

🚀Service Design: What is it and why should you care in 2021?💙 ☑️The term “Service Design” was coined by Lynn Shostack in her article How to Design A Service in the European Journal of Marketing in 1982. Almost 40 years later, service design has become a distinct design discipline with its own processes, tools and definitions. 👉New post on my blog, link in my bio. 📣 #servicedesign #design #service #designthinking #workshop #today #userexperience #thinking #principles #user #experience #looking #businessdesign #morning #day #customerexperience #impact #services #team #ux #research https://www.instagram.com/p/CWIUUWTrdaH/?utm_medium=tumblr
Eileen Shostack Death - Obituary | Eileen Shostack Dead - Passed Away
Eileen Shostack Death – Dead, Obituary, Funeral, Cause Of Death, Passed Away: On May 19th, 2021, InsideEko Media learned about the death of Eileen Shostack through social media publications made on Twitter. InsideEko is yet to confirm Eileen Shostack’s cause of death as no health issues, accident or other causes of death have been learned to be associated with the passing. This death has caused…

short report 9
“Usable security matters because people are an important element in the security of any system. If you don’t consider how people will use your system, the odds are against them using it well. The security usability community is learning to model people, the sorts of decisions you need them to make, and the sorts of scenarios in which they act.” (Shostack, p. 293) Chapter 15 lists several…
Computer Science homework help
1. The Open Group has created an Enterprise Security Architect certification. One of their first certified architects has subsequently created a few enterprise security reference architectures.
2. The SANS Institute hosted three “What Works in Security Architecture” Summits.
3. The IEEE initiated a Center for Secure Design. The Center published a “Top 10 Design Flaws” booklet.
4. Adam Shostack…
#AppSecCali 2019 - A Seat at the Table - Adam Shostack https://t.co/Lot0AcXn5w #DevOps #Security #OWASP
— codetalks.tv (@codetalkstv) April 10, 2020
via: https://ift.tt/1GAs5mb
“Adam Shostack's New Thing” Mailing List
Adam Shostack is a leading cyber security specialist currently serving as the President of Shostack & Associates, which launched in 2017 in the Greater Seattle Area.
He’s passionate about his field and has earned an excellent reputation among clients and colleagues alike over the years. On his website, he offers a mailing list known as “Adam Shostack’s New Thing” for those who’d like the latest on his books, games and other projects.
If you’d like to join “Adam Shostack’s New Thing” mailing list, click here to be directed to the sign-up page on his site. There, you can sign up for quality content, and Mr. Shostack assures readers that he’ll never spam them.
He promises fewer than thirteen messages per year. “If I break the ‘less than 13 messages a year’ promise,” he states, “I'll give $1,000 to a charity (EFF, ACLU or the Tor Project) per message over 12.”
Would you like more information about Adam Shostack and his upcoming speaking events, or the latest with Shostack & Associates? If so, click here to check out his Twitter page.
Jordan Maxwell and the Reptilians Explained
“Jordan Maxwell continues as a preeminent researcher and independent scholar in the field of occult / religious philosophy. His interest in these subjects began as far back as 1959. He served for three and a half years as the Religion Editor of Truth Seeker Magazine, America’s oldest Freethought Journal (since 1873). His work exploring the hidden…
#Alien abductions #Alien agenda #Aliens #contact #Dr steven greer #E... #extraterrestrials #Reptilians #Seth Shostack #SETI Signals #Ufo #UFOlogy #Visited Planet
When it comes to password managers, there is no good one size fits all HKS approach
“Passwords are the worst authentication technology imaginable, except for all those others that have been tried from time to time.”
- Threat Modeling: Designing for Security by Adam Shostack
Summary
I would not recommend making LastPass mandatory for all. However, I would identify a target group that is the most important for HKS security and make the use of LastPass mandatory for them. My main concern regarding the policy is the issue of liability and potential costs versus the security benefits.
What is the goal of making LastPass mandatory for all?
The goal is to minimize the security risk for HKS stemming from stolen passwords. HKS can be an attractive target for adversaries who aim to gain access to sensitive information or attack it for political reasons. In my opinion, the main motivations come from diplomacy and warfare, politics, world-view, and potentially self-promotion reasons.
What role do passwords of users play for HKS?
Based on the STRIDE method from The Threat Modeling book by Adam Shostack, password protection is important to prevent spoofing and information disclosure. Each student, staff, or faculty is, to some extent, a pathway into Harvard’s IT system.
Password managers allow users to choose longer and stronger passwords and prevent “dictionary attacks” of easily remembered passwords. As Bruce Schneier writes in one of his blogs, “Pretty much anything that can be remembered can be cracked.”
Who to target with a mandatory LastPass policy, and how?
Not all users are the same. Some of them represent a higher risk due to their access to research or other sensitive information and websites that others don’t. These users should be the main target group for the mandatory LastPass policy.
Before the policy implementation, the target users should finish training that would enable them to use the password manager effectively.
They should be able to make an informed decision regarding which passwords to store in the password manager, what devices to use it on, and how to balance potential losses of convenience, and the training should raise awareness about the risks of re-using passwords. They should also have a good understanding of the fact that password managers make it easier to lose all passwords, and have a recovery strategy.
What could go wrong with making LastPass mandatory for all?
An important challenge to consider is the potential liability of HKS in case LastPass faces a successful security breach. Also, as Bruce Schneier’s blog post shows, there are limitations to the extent to which password managers can prevent password leakage on host computers and open up password managers to attacks. Lastly, by making LastPass mandatory, students might depend on the premium version of the subscription after they finish their studies, and HKS could face vendor lock-in accusations. For these reasons, I would not recommend making it mandatory for all and recommend consulting the liability challenge with HKS lawyers.
Conclusion: Yes, but…
We should target the most vulnerable groups with a mandatory LastPass policy and maintain the current policy for the rest. Before making the final decision, I suggest using The Security Cards to identify whether the Dean, the Head of IT, and I agree on the evaluation of the HKS threat model and re-evaluate how big the risk stemming from password leaks is compared to other security concerns for HKS.
#DPI662
(513 words)
Sources:
- Schneier on Security, Risks of Password Managers, https://www.schneier.com/blog/archives/2019/06/risks_of_passwo.html
- Schneier on Security, On the Security of Password Managers, https://www.schneier.com/blog/archives/2019/02/on_the_security_1.html
- Stuart Schechter, Before You Use a Password Manager, https://medium.com/@stuartschechter/before-you-use-a-password-manager-9f5949ccf168
- Schneier on Security, Security of Password Managers, https://www.schneier.com/blog/archives/2014/09/security_of_pas.html
- Schneier on Security, Choosing Secure Passwords, https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html
- The Security Cards, A Security Threat Brainstorming Toolkit, http://securitycards.cs.washington.edu/cards.html
- Forbes, Harvard Got Hacked, Again, https://www.forbes.com/sites/abigailtracy/2015/07/02/harvard-got-hacked-again/#14ca5f92214e
- Shostack, Adam: Threat Modeling: Designing for Security