Threat modeling: Breaking the design with pen, paper and creativity
Go deep into the weeds of Threat Modeling with Infosec Skills author Geoffrey Hill. He shares his Arnold Schwarzenegger impersonation, waxes rhapsodic about the Radio Shack TRS-80 computer and explains threat modeling as a controlled form of sci-fi storytelling: "you can imagine a completely different world every day." He also provides excellent insight into the day-to-day duties of a threat modeler.
Geoffrey Hill has been in the IT industry since 1990, when he wrote and sold C++ based solutions to measure risk in the commodities markets in New York City. Since then he has worked around the world, specifically New York, Sydney, Tokyo, Emmerich-am-Rhein and London. In the mid-2000s, he was the main custodian of the Microsoft Security Development Lifecycle (SDL) initiative in the UK and then international services organization as part of the Microsoft Security Center of Excellence (SCOE). From 2013 – 2018, he worked as the sole application security architect for Visa Europe in London, where he started Tutamantic Ltd, a producer of software risk automation. Geoff is the inventor of the Rapid Threat Model Prototyping (RTMP) methodology. This threat model methodology allows for quick modelling in Agile and DevOps environments.
[00:00] Chris Sienko: Cyber Work is celebrating its next major milestone. As of July 2020, Cyber Work has had over a quarter of a million listeners. We’re so grateful to all of you that have watched the videos on our YouTube page, commented on live release feeds, left ratings and reviews on your favorite podcast platform, redeemed bonus offers, or just listened in the comfort of your own home. Thank you to all of you.
Because our listenership is growing so quickly and because Cyber Work has big plans for the second half of 2020 and beyond, we want to make sure that we’re giving you what you want to hear. That’s right. We want to hear specifically from you. So please go to www2.infosecinstitute.com/survey. That’s www2.infosecinstitute.com/survey. The survey is just a few questions and it won’t take you that long, but it would really help us to know where you are in your cybersecurity career and what topics and types of information you enjoy hearing on this podcast. Again, that’s www2.infosecinstitute.com/survey. Please respond today and you could be entered to win a $100 Amazon gift card. That’s www2.infosecinstitute.com/survey.
Thanks once again for listening, and now on with the show.
[01:18] CS: Welcome to this week’s episode of the Cyber Work with Infosec Podcast. Each week, I sit down with a different industry thought leader and we discuss the latest cybersecurity trends, how those trends are affecting the work of infosec professionals, while offering tips for those trying to break in or move up the ladder in the cybersecurity industry.
As you heard in the promo at the top of the show, Infosec Skills is going to be a big part of our educational offering for 2020 and beyond. Infosec Skills is an interactive learning platform that hosts 500+ cybersecurity courses featuring cloud-hosted cyber ranges, hands-on projects, customizable certification practice exams, skills assessments and more.
Apart from all of these other educational and technical achievements, Geoffrey Hill has written one of our Infosec Skills paths about threat modeling. For those new to the concept, threat modeling is a process to identify security weaknesses in software design and architecture. It’s a very good course of study and career path if you’re interested in aspects of cybersecurity that don’t specifically have to involve the nuts-and-bolts, hands-on interaction with hackers and threats. You’re essentially packing safety into standard operations upfront, or maybe I’ve just completely misrepresented it. If so, Geoffrey is going to educate me as well as you.
Geoffrey Hill has been in the IT industry since 1990, when he wrote and sold C++-based solutions to measure risk in the commodities market in New York City. Since then, he has worked around the world, specifically New York, Sydney, Tokyo, Emmerich-am-Rhein and London. In the mid-2000s, he was the main custodian of the Microsoft Security Development Lifecycle initiative in the UK and then International Services Organization as part of the Microsoft Security Center of Excellence, SCOE.
From 2013 to 2018, he worked as the sole application security architect for Visa Europe in London, where he started Tutamantic Ltd., a producer of software risk automation. Geoff is the investor of the rapid threat model prototyping methodology. Well, he’s the inventor. Not the investor.
[03:10] Geoff Hill: I’m also the main investor on that too.
[03:11] CS: Yes. You’re not only the president. You’re also a client.
[03:14] GH: Exactly. Show me a shaver.
[03:17] CS: This threat model methodology allows for quick modeling in agile and DevOps environments. Geoffrey, thank you for coming to Cyber Work today.
[03:25] GH: Thank you. Thank you.
[03:25] CS: To start with, when and how did you first get interested in cybersecurity and tech? Is this sort of always part of your life or did you come to it later on in your career?
[03:36] GH: I think when I realized when I was probably about 11 or 12 years old and I realized I couldn’t be a lawyer, then I got my first – Thank God for that. Yes.
[03:44] CS: Yeah, sure.
[03:46] GH: I got my first computer back around then. It was a TRS-80, and I was fascinated by it. They froze all the time. If you look at them, they froze. But when you could create a program, and you could create these things out of nothing, out of lines of code, I got absolutely fascinated. So that got me into development. And then from there, it was a pretty easy jump to get into cybersecurity, because the idea was like, “Well, how do I go about protecting us against people who want to be like me who want to get into things?”
[04:12] CS: Right. Who want to be a prankster? Yeah, exactly.
[04:14] GH: Exactly. In those days it was pranking.
[04:16] CS: Yeah, I feel like, yeah, it is hard to overstate how the TRS-80 was just such a game changer in that regard. It was relatively inexpensive. It was everywhere. I remember, our fifth grade class had a TRS-80 in the back of the room, and same thing, we would program the FOR X = 1 TO 5000, and then make a noise. So like midway into class you’d get a “bralalala”, like 15 minutes after recess was over. Yeah, exactly. But yeah, I mean, that was such a great gateway in terms of like, yeah, you can do anything from there.
[04:47] GH: Yeah. Exactly. I mean, the graphics are horrible.
[04:50] CS: Sure. Sound was horrible, graphics were horrible. Like you said, it froze in a heartbeat. Yeah, tell us about some of the other jobs or tasks you’ve been involved in up to this point. I had mentioned some of them in the bio here, but you’ve had quite the global adventure over the years. Tell me about your progression from job type to job type and some of the skills and projects that you worked on along the way to get you to the point where you’re at now.
[05:12] GH: A lot of it fell into my lap. So when I was working on the commodities floor, I definitely wanted to work on the commodities floor. Again, after being influenced by the movie Trading Places. And I got on to the commodities floor. I was there. And then they were on these sheets. They had these sheets that somebody had made out about figuring out the fair value of options. How can I do that? I didn’t know how to program, so I taught myself how to program, and then I started selling sheets. That kind of thing. And things, I just kind of fell into things in the early part a lot of times. And then eventually it came to one point where some guy came walking on to the floor, and this was back in I think late 80s or late 90s and he had a cellphone, mobile phone with a big wand at the end and I said, “How do you get one of those?” He said, “What?” He said, “You got to earn at least 80 grand a year.” I thought, “How do I do that?”
So I went out there and I basically became a contractor, a developer contractor in C++ around different banks, and all the time, continuously, I was talking to data – Learning how to do this. Learning how to program. And then also learning about the security parts. Because people said, “Oh, can you encrypt this? Can you do this? How can you go about protecting my data?” “Hmm. Okay.”
I think, originally, if I were to look at some of this stuff in the early days that I did, it’d be pretty pitiful, things like a Caesar cipher, like swapping the first character and the last character and that kind of thing.
[06:33] CS: There you go. Oh, yeah.
[06:35] GH: But hey, I was on top of it. And it was interesting. Everything just kind of developed from there. I then went over to London initially in the early 90s, worked for Disney as a contractor and a number of things over here. That also was the case where I was learning more security along the way, although not directly, indirectly I was. How do I go about making these functions more protected? That kind of thing. And then from there, I progressed down to Australia. I spent a number of years down in Australia working for banks down there. Eventually, and then a finance company, and then in Japan for a year. I worked in Japan as a DBA. Again, they said, “Well, how do you lock down the database?” “I don’t know. Let me find out.” So I learned about how to do all that right there.
I got all these different skillsets along the way, and when I came back to London, well I did research during the .com to .bomb. Literally, I went over for about I think a year over to San Francisco. Rode the .com briefly and it crashed like everyone else.
[07:39] CS: Six months in, six months out. Yeah.
[07:40] GH: Exactly. And then at one point, one of the guys came out and said, “Hey, if anyone wants to –” This is E-Trade, by the way. And then someone came out and said, “Hey, if anyone wants to quit right now, we’re more than happy to do it. We’ll throw you a 3-months pay plus 20 grand.” And I raised my hand and I said, “I’m out of here.”
So I packed up all my stuff and I took off and I went traveling six months in India. I was backpacking and didn’t look back. And then all of a sudden like 9/11 happened. That was a totally different story. Not a good one. Coming back to London, got working for Microsoft. And then I morphed into the app dev and then app sec.
Now, at that point in time, they didn’t have any application security. I mean, there were a lot of application security consultants. Don’t get me wrong. But they didn’t really have them as foundation people inside the companies. Microsoft had a lot of infrastructure consultants, security consultants, but not application development or application security development. One of my friends said to me, a very close friend of mine, he said, “Look.” he said, “There’s a big need for it. I know you know this stuff. Why don’t you jump in and throw your hat in the ring?” And I did. And next, I became the application security consultant for Microsoft over the UK. And then I joined up with the Security Center of Excellence.
There’s a little story about the Security Center of Excellence. Bill Gates mentioned our name on point. We’re an international group. We had a person from Japan, a couple of the group from Australia, a couple of the group from South America. A person from Russia and a couple of Americans and a couple of Brits. We had a really well-rounded group. And at one point apparently, Bill Gates was inside in one of the rooms and it was during one of the points where they had yet another exploitation. Pissed off. He’s like yelling at people, like, “I can’t believe that during this – Don’t we have a group inside of Microsoft that does this? Blah-blah-blah-blah.” And then one person kind of cautiously raised his hand and said, “Well, sir. We do. We have a group called SCO.” Apparently, filtering around it. I don’t know. He said, “Who the … is SCO?” So we wanted to get a T-shirt that said, “Who the F is SCO?”
[09:43] CS: Yeah. Yeah, absolutely. Wow! I was going to say, your moment in the sunlight. Not the one you wanted though.
[09:50] GH: Exactly. Exactly. Then I went from there. And each time I kind of gained more experience. And I jumped to a small cybersecurity consultancy, kind of a boutique consultancy, which is now owned by Synopsys. They were Cigital. And then I gained more experience from there. And then I made the move into Visa. And Visa was lots of fun, and I was the only application security person right there for the longest time. There’s another gentleman who came along, and then he left, and he’s actually – He’s actually doing really well in the business right now too. And then that’s when I decided to go off on my own, and that’s where I stand right now.
[10:26] CS: Okay. Yeah. I mean, you’re really at this sort of headwaters, even the idea of app sec. It was literally at that point where it was sort of happening around you.
[10:36] GH: Yeah. Although it’s interesting, because I know a lot of people who’ve been – I never get the hubris that a lot of people do. And I said, “There’s always somebody out there who’s a lot smarter than I am, and I know a lot of them, and I know a lot of these guys who are crackers.” They’re so good at what they do. These guys would look at things and they say, “I can –” Basically like a Rubik’s cube, “I can basically get into this in minutes.” That kind of thing. And I learned a lot from them. And these are guys who’ve been in the app sec industry. They weren’t called application security people at that point. They were just called white hats at that point, white hat hackers. It’s interesting to see where they are now. A lot of them now are CTOs, are higher up CISOs, that kind of thing, or presidents of their own companies.
[11:23] CS: Yeah. Moving on to the heart of the talk today, I wanted to hear more about your work with Infosec Skills and your threat modeling course path. Have you created other types of class work or collateral for other places in the past? Is this something you like about teaching, as opposed to the more hands-on cybersecurity work you’ve done in the past?
[11:40] GH: I’ve done training ever since 2008 or 2007. A lot of it with Microsoft. I started off with creating a lot of collateral and then getting my ideas from threat modeling then. What works? What doesn’t work? Originally, it was like getting people in front of a whiteboard and talking, and it still is that, but there’s a lot more organization around it. So I started developing upon that. I do a lot of local training over here in the UK. I have a lot of collateral built up from that. But Infosec Skills, actually, what it allowed me to do is put that down in a very comprehensive manner. And I’ve got this set up that when it clicked for me, these hour-long breaks, or hour-long modules, bang bang bang into one day. Very, very neat kind of clicks, almost like Lego in a way that I really enjoyed. Yeah.
[12:32] CS: So as someone who’s worn a lot of different hats in the industry, do you have any recommendations to help people get into cybersecurity who might have an interest, but don’t have previous experience or background? I know you were sort of, like you say, in the right place at the right time, and sometimes as well. But what types of skills or certs or practical experiences should newcomers be working on to get their foot in the door?
[12:54] GH: I think developing is the best skill. If you’re a developer, you have an innate idea of what can and can’t be done. What you can and can’t do with the actual underlying and with the code. A lot of the hacks these days are done through the code. Yes. I mean, a lot are done through infrastructure. But exploitation usually is done via code. If you know how to manipulate the code and if you’re very good at it, that makes you one of the prime candidates to be actually very good at app sec. And then it’s an easy move to go upwards and to scale, understanding about architecture and about design, which then you can go into the threat modeling, of course.
[13:33] CS: Right. Let’s jump into it. What will your students learn with your threat modeling study path?
[13:39] GH: Well, basically, I’ll give an overview. And I’ll say why would you want to know threat modeling? And then I go into a number of different frameworks, because I don’t think people utilize the frameworks that are out there. There are a lot of open source frameworks that are very good that give you an overall idea. There are a few that are almost taxonomies, but I call them frameworks, because they give you a very good idea of what you can look for. It’s like if you’re a writer and you sit down and you go to write a piece of paper. And let’s say you’re going to write a novel and you don’t know where to start. You’ve got a blank piece of paper right there. A lot of times what they do these days is they kind of give you a kick start and they say, “He’s walking over the billowing winds,” or something like that. “Oh, okay.” Yeah, they give you props. So these frameworks are kind of props too. They allow the security person or the non-security person to kick start those ideas. And I train the people on that throughout the different courses. I tell them, “Okay. Here are the frameworks and here are the interrelations between those frameworks.” I don’t think enough people do that.
Enough people out there don’t say, “I’ve got framework X and framework Y. How do they relate to each other?” And I get the students to do that on their own so they understand what the different relations are. Once they get that, the key turns and clicks and they say, “Oh, I get it. Now I can start mapping these frameworks between each other,” and it’s a very powerful way to go about using against app sec and infrastructure security, network security, the whole smash.” Because they get this whole relation between these and they can use all of them.
Finally, of course, I give RTMP, which is rapid threat model prototyping. That’s a shameless plug.
[15:19] CS: Sure. Can you sort of walk us through kind of like a sample? Like a threat modeling session? Like you said, you’ve got these sort of templates and so forth. But for people who are – Because we have people who might be hearing the words threat modeling for the first time here. Just give us a quick ramp up here of like what you’re doing with this kind of thing.
[15:38] GH: Threat modeling, it is a way to do penetration testing in the cheapest way possible. Now, normally, penetration testing is you’d get into an actual codebase, you dig in there and you destroy stuff and you go back and you say, “Hey, I broke your code.” And then people go, “Oh! No.” And they pay a lot of money to fix the code.
So what if I told you that threat modeling is a cheap way of doing that where I hand over a design to you and I say, “Break the design.” It’s like CAD/CAM. If you remember CAD, where you build the cars in three dimensions. Imagine if I said to you, “You break this design,” and you break it. I say, “That’s great. You’ve cost me the time of one person, my architect.” My architect goes back, he or she then changes the design. You go back. You break it again. We do this back and forth again in an iterative way until you come to a design that both agree with. And we say, “Look. Now we’ve got our mitigations in place,” and then we bake those mitigations into the code. Now you no longer have a flawed design, because flaws versus bugs – A flaw in a design means that no matter how good you are, you’ll always come out with flawed code. Because you’re following the design perfectly. It’s like baking a cake without proper rising flour or anything like that.
[16:51] CS: Okay.
[16:53] GH: Whereas a bug means that you looked at the – You answer and you said, “I’m going to bake a cake.” So I said, “Why don’t you use flour?” You said, “Ahh! The hell with that. I don’t want to use flour. I’ll use this. I’ll use sawdust.” “Okay. You’re going to come up with a bad cake,” but it’s your fault. It’s an implementation issue. It’s not a design issue.
[17:10] CS: Yeah. Salt instead of sugar.
[17:11] GH: Exactly. Exactly. In that case right there, threat modeling goes after the design and after the actual flaws as opposed to the implementation issues.
[17:21] CS: Is this something that’s happening kind of, more before the system is in place then? You’re looking at the system before it’s even launched. It’s not just that you’re not breaking the system with penetration testing. It’s that you’re bulletproofing it before it begins.
[17:37] GH: Exactly. If you thought of it another way, it’s like if you and I were to sit down and we wanted to create a bank building. And we said, “Okay. Fine. We don’t know much about it.” So we created a bank building and we created a transom window that’s open to the vault and we say, “You know what? No one is going to get into the vault area. So we’re not going to bother to lock it.” Someone goes into the transom window, gets into the vault, steals the money. You and I have a lot of egg on our faces. Why? Because we didn’t do a penetration test on that design and we didn’t say like, “Look, there’s a transom down there. Why is that there?” “I don’t know. Jeff got it down there.” “Oh, okay.” That kind of thing. So it’s the same kind of concept. Yeah.
[18:14] CS: Yeah. Yeah. Yeah. What level of cybersecurity understanding should potential students have to get started? Do they need to have a techy background? Or is this something that just problem solving people can jump right into?
[18:25] GH: That’s an interesting question. I was going to jump in and I was going to say techy background, only because a techy background will help you. But if you’re good at problem solving and if you can pick up stuff for things, then you can walk through this and you could probably pick it up pretty quickly.
Especially, I think the main thing is if you’re interested in it. If you’re not interested in it, you’re not going to pick it up. But if you’re fascinated by it, then you’ll dig in here and you’re going to find salient, you’ll find the different information and you’ll pick it up pretty quickly.
[18:52] CS: Okay. For people who might want to sign up for your class, and I will remind our listeners that they can use promo code cyberwork to get a free month of Infosec Skills. What tips would you have for someone who wants to get the most out of the class?
[19:07] GH: In preparation, I’d say probably read about some of the threat modeling stuff out there. There’s a lot of blog articles and everything like that. We have a lot of knowledgeable people out there. Read. Also, maybe if you want to understand what rapid software prototyping is all about, have a background in Agile and DevOps. Agile is a big way. It’s been brewing for a while. It’s over 10 years old. But it’s a way of rapidly producing code. And most people are going over to Agile shops right now. Most of the smaller development shops and a lot of the big ones are moving over to that, because as people move into the cloud, they’re trying to move their development paradigms faster. So DevOps, development operations, very fast moving, continuous integration, continuous deployment, Agile, Agile methodology. Very quick sprints. Very quick development… Those are the things that they should understand as they come into this. If they have a good understanding of that and they have a grounding in security, you’re good to go.
[20:09] CS: Okay. Moving past that, what other areas of study would you recommend next to sort of build on what you learned in this threat modeling class?
[20:17] GH: So if you follow on from that, then I’d say dig in further into things such as the attack kill chain. Learn more about the OSI model, which is a model, the infrastructure model, or the operation interconnectivity model. Where basically what it says is that you’ve got a number of different infrastructure layers, and layer 7, which is generally like – The computer or the program is applying to you. And then all the different communication layers below. But understand the communications that different modern systems can do. Understand cloud architecture. Go out and learn this afterwards and say, “How can I, knowing about cloud architecture, knowing how free it is, how can I go about doing a threat model against something where I’m basically putting my information out to a foreign repository or a foreign endpoint? How can I go about doing that?”
[21:08] CS: Okay. Could you tell me a little bit about what a career in threat modeling looks like? What are some of the day-to-day tasks of a threat modeler? And is it a job position in itself or is it sort of an add-on to things like pen testing and so forth?
[21:20] GH: You know what’s interesting? I have to laugh about this. I’ve been doing this since 2003. And I basically learned a lot from Adam Shostack. Adam Shostack is considered to be the grandfather, the grand opus of – He literally wrote the book on threat modeling. Put it that way. He and I did – We did some presentations together. I’ve known him for a number of years. Really nice guy. Well, there never existed a position called a threat modeling position at all, threat modeler, right?
[21:47] CS: Right. I was wondering. Yeah.
[21:49] GH: Yeah, in the last year and a half, and maybe in the last two years, recruiters have been contacting me and saying, “Hey, we think you’d be great for a junior threat modeler position.” Of course, I snickered. But then I think, “A what? A threat modeler position? What the hell is that?” It’s like I’ve never heard it beforehand. Generally, you have your cloud ops engineers, your security app sec engineers, that kind of thing. Your DevSecOps engineers. I get it. But a threat modeler? It’s actually becoming a position, because as we’re getting more and more complicated situations and solutions and systems, we’re of course becoming more specialized. Part of this specialization is a threat modeling position. I would recommend people don’t become threat modelers. They become threat modelers only as part of their other jobs. I strongly still believe, if you’re in security, try to learn as much as you can across a number of different disciplines. If you want to become an architect, great, a security architect. Learn threat modeling. But don’t make threat modeling your only focus. Don’t pigeonhole yourself.
If you want to know some engineering, you want to know a broad set of skills. I know infrastructure, I would call myself an infrastructure security person when I can do it. I can do network security. Although, again, I wouldn’t call that my forte. App sec is my forte. And then threat modeling on top of that, and then security architecture. It’s a number of layers. Now, if you want to have a forte, fine. Have a forte in threat modeling, but I would still say probably become more of a security architect than a threat modeler, if that makes sense.
[23:23] CS: Yeah. That was going to be my next question, is if there’s not really a threat modeling position, what’s the most adjacent thing that if you want to do a lot of that kind of thing, where should you be sort of like putting your focus?
[23:34] GH: Security design and architecture. Yeah, security design. If they don’t have that, a lot of companies don’t have the concept of security architect, then you’re going to go to app sec. You’re the app sec guy. If they don’t have that, then you’re going to become a security champion. You’re going to make yourself a security champion and you’re the lead security guy within an app dev team, but they don’t actually have a position. I’m the security champion. Believe me, we need that. Or I should say, “We need you,” kind of thing.
[24:01] CS: Yeah. No. We’ve had a couple of people talk about security champions programs on here before. It’s important and it’s underutilized and it’s one of those things that companies need to sort of have someone twist their arm a little bit. It seems like a lot of them are a little resistant or –
[24:15] GH: Well, I get it at my company too. What I don’t understand is – And my company is now starting to understand it, because I’m one resource and I keep telling them, “Look. I’m one resource, and I spread myself across a number of different projects. If you want me to work at high capacity, allow me to dig in to each one of those different teams and have a local representative there, which then allows me to spread my knowledge. That way, I can scale.” That’s a big thing for driving a security champion, because it allows the security people to scale at a proper rate.
[24:47] CS: There you go.
[24:50] GH: And everyone minimizes – Well, what they do is it ends up being that you have less work overall across everyone. I think it’s sort of a win-win.
[24:58] CS: Yeah, yeah, and more accountability. Now, again, we’re talking about threat modeling as if it’s sort of its own discrete thing, even though it’s obviously not a career path. But like what are some of the fun parts of doing that kind of job? What do you like most about doing that kind of thing?
[25:15] GH: I’m going to tell you. I had a fantastic threat modeling session where I trained a number of people over at Daimler Benz a number of years ago. I went to Essen, Germany and I spent three days training them. And on the third day what I did was I said, “We’re going to get together. We’re going to take one of your self-driving cars and we’re going to threat model the self-driving car.”
So we got out there and we had a verbal session. We had a whiteboarding session. We went through and we threat modeled all the different things you could do to a self-driving car with all the different – And we came out with some fantastic stuff. It was like going into science fiction land. It was amazing, we were writing our own Schwarzenegger movie. I mean, he’s old. But you know what I mean. Or Sylvester Stallone. Do you know what I mean? It’s like a science fiction. I guess it’d be Colin – Not Farrell.
[26:02] CS: Colin Firth?
[26:02] GH: Colin Firth. Yeah. It’d be Colin Firth doing something like that. One of those guys. One of the newer guys. Literally, we had things –
[26:09] CS: You and I are so the same age. TRS-80, Schwarzenegger.
[26:11] GH: Yes! Exactly. Yeah. “You will hack this car.” They had a wonderful attack where we said – One of the threat model outputs was what if we could break into the radio signals and we could convince all – One of them said, what they’re planning on doing is they’re creating radio signals. If you have an ambulance and it goes flying through the town, all the lights change and the ambulance goes straight through. Great idea. Let’s hack it.
The threat was we hack into that signal, and I won’t go into any detail about how we did it. We broke into how we’d hack into a signal and we convinced all the lights that we actually were an ambulance, but we had actually just finished robbing a bank.
[27:00] CS: Oh yeah.
[27:02] GH: And we tore off and we did the whole thing right there. It was almost like there’s a movie that just recently came out with Gerard Butler about robbing one of the Federal Reserve banks over in LA. And I forgot the name of it. But it was almost like all the lights changed in our threat model and we got underneath it. We went underneath a bridge where the radio signal wouldn’t go. We switched over cars and the whole thing right there, and it was fun. But it showed them the power of threat modeling in that sense right there. You gotta give them credit. There are a lot of more mundane ones. You’re going in and you’re doing something, but there are a number of different companies that I can’t tell. There are all these insurance companies and finance companies. But they’re still interesting, because what they do is – You know what I love saying is I love seeing people’s eyes light up. When we go through and I say whiteboard it. Okay. Walk me through this. Okay. You as a team, tell me what you think is important on that board. And they tell me. And I sit back and I let them tell me. Okay, we’re finished with that. Now, let’s walk through this and let’s see what kind of holes we can poke in it. And all of a sudden they’re like, “Oh! I didn’t realize that could happen.” “Oh my God! There is a direct line from the outside into this particular crucial piece of machinery.” And one guy is, “Oh! We need that for reporting purposes.” “Yeah, but we’re not putting any kind of – Where are the protections on it?” And then everyone goes, “Oh my God!” That’s what I love to see.
[28:23] CS: Yeah, you’re expanding their world, basically.
[28:24] GH: Yeah.
[28:25] CS: You’re expanding the possibilities.
[28:25] GH: And then they get it, and I always try – One of the things I always try to do is I always try to relate to them in that sense, like, “Okay. Look. This is what it is,” and then they get it. And when they get it, you see the light bulbs come on in their head and they go, “Okay.” And then they turn around, and here’s the beauty about it, they turn around, they use the tools and – Well, there are one or two ways they’re doing it. Either they come back to you and they go like, “Oh! You’re so great.” Or more commonly, because I’m a contractor a lot of times in these places, they say, “I had the greatest idea. I’m using this thing called STRIDE threat modeling. I thought of it. I talked to you about it.” But then I know that I got through somewhere. My wife always says to me, “Look, you won. Okay. Sit down. Calm down. You won. Have a beer.”
[29:08] CS: Let them have the win.
[29:11] GH: You won. I’m like, “Okay. I get it.”
[29:12] CS: Yeah. We both know who actually won. Right. Right.
[29:15] GH: Yeah.
[29:16] CS: Okay. Talk about online training. It’s obviously becoming more ubiquitous, and we’re obviously in favor of it. But what are your thoughts on skills-focused training versus boot camps versus academic study? Are there benefits or disadvantages to each type of learning in 2020?
[29:30] GH: I think that – Well, funny enough we’ve got COVID. That’s changed everything.
[29:35] CS: Oh, for sure.
[29:38] GH: Granted you and I would still be doing this online, but I’m not delivering training online. In some cases, where before how the CEO is all haptic. Now it’s only a little haptic. I think that there are a number of different things. I think that we’re very busy individuals in security. And therefore we find it hard to find times where we can go and we could do the delivery of things. And so having a course like Infosec Skills where you can go in and go out, go in and go out. I’ve done that beforehand, and they’re very useful, because I can now break it up into very bite-size pieces. And I can digest them and I don’t need to like spend a tremendous amount of time. Time is very limited. Until we figure out how to get into the fourth dimension, time is still very limited to us.
We then have to basically work upon that. And then what we do is like if you could break up those things into bite-size pieces, that’s the advantage of having an online course. And I’ve done a number of them that way. And I think also you could stop. You could rewind. You can go over it again. You can go over it again and you have to keep on doing that.
[30:39] CS: Yeah. And you don’t have to be embarrassed about asking the same question over and over. Yeah.
[30:42] GH: Yeah, exactly. Exactly. Until you get it. And I think that’s a very powerful thing. I think if you have things such as boot camps, they have their place too. A boot camp or online course or in-person course, they’ll have their different advantages and disadvantages. In-person course, advantage, you’ve got the person right there. You’ve got the teacher right there. Disadvantage, you might not be too cautious or not courageous enough to raise your hand and ask questions.
I did a ton of courses out in Thailand. I was out in Malaysia, in Kuala Lumpur, and it was the most amazing thing. I taught this entire course, and every morning I came in and said, “Okay, class. Anytime we want to ask a question, just raise your hand.” Throughout the entire day, nobody raised any hands. At the end of the day, I’m ready to go home. I’m done. I’m exhausted. And these people are coming up and like standing in an orderly little queue at my desk asking me questions. Asking what they do.
[31:38] CS: It’s just a different way of doing things.
[31:41] GH: Exactly. They would probably be more inclined to do like an online course, because they could kind of repeat it and they wouldn’t have to ask me embarrassing questions and all that.
[31:50] CS: Gotcha. Okay. The other side of that is that without a professor assigning daily or weekly tasks or being in a 14-hour concentration situation, it can be maybe hard for some to stay on track to meet your learning objectives. Do you have any tips to help life-long learners stay focused on training, especially when you’re sort of basically given this entire sort of blob of stuff? And unless you have like an immediate issue at work or whatever, it’s hard to take that hour in the evening or whatever. Do you have any tips for keeping people on path that way?
[32:22] GH: Can I be facetious or serious? Because Microsoft had this – When I was working at Microsoft, they had this joke video they did where they electric shocked a chair. It was almost like one of those – What was the old show that you and I used to watch where they did a joke where they take in and put a roadblock on the entrance of Delaware and they videotaped people walking up, then going, “I’m sorry. Delaware is closed for the weekend.”
[32:50] CS: Delaware is closed. Yeah. Practical joke show or something.
[32:52] GH: Yeah. And exactly the same thing where people would sit in this chair and if they try to type in the wrong thing, they get – I’d say, like – In all seriousness, how do you keep on track? Especially if you’re tired and everything – Well, first of all, don’t make unrealistic goals for yourself. Don’t say, “I’m going to get this done in three days.” Look at your schedule, look at your own schedule and say, “Realistically, what can I do?” And then reduce that time by half for imponderables. You get it all the time. I get it all the time. Things happen to us all the time that we have no control over. And then you say, “Okay. You know what? In actuality, I only have one or two hours a week I can spend on this.” But be realistic about this. Be hardcore realistic about it.
Now, one of the things about working from home is that we have more time at home. So we don’t have a commute time. The downside seems to be that our companies – Our companies aren’t putting explicit pressure on this, but we’re putting implicit pressure on ourselves to not be seen as being slackers. So we’re working longer hours.
[33:56] CS: Yup.
[33:58] GH: I guess I warn people like don’t overstretch yourself. If you start overstretching yourself and then you try to go into that extra phase of doing this threat modeling, you’re going to burn yourself out and you’re not going to want to learn threat modeling, and I want you to learn threat modeling.
[34:12] CS: Right. We want you to keep trying and keep working at it.
[34:15] GH: Exactly. Be realistic about the time that you have available.
[34:19] CS: Okay. Yeah. Yeah, I like it.
[34:22] GH: I was going to say, like eat three square meals a day, listen to your mother.
[34:26] CS: Drink some water.
[34:28] GH: Drink 8 pints of water a day. You know? That good stuff.
[34:31] CS: Yeah. Yeah. Good enough sleep. Yeah. No one gets that.
[34:35] GH: It’s a wellness course.
[34:36] CS: No one gets that. Yeah. No. Exactly. Yeah. Yeah. As we wrap up today, do you have any sort of predictions for where like the concept of threat modeling is going in the years to come in terms of like different tools, techniques?
[34:50] GH: The automation is coming. Back in the late 90s, the automation came for testing, penetration testing. And everyone back then, if you and I remember, everyone said like, “Oh! I can’t ever automate that.” And now they probably automate it. Along came the coding and automated – The initial ones were very clunky and people said, “No one could ever automate that.” And it took a while, but now they’re doing it. There’s still a lot of white noise, but they’re doing it.
What’s next? Architecture. Threat modeling. Now, there are a lot of tools out there that – And it’s a busy landscape, though not overwhelmed yet. And a lot of the different tools took the approach of we’re going to create the modeling tool and you’re going to come to us and you’re going to use our modeling tool. And then they built all these tools before the advent of continuous integration, continuous deployment, and DevOps, and now all of a sudden they’re realizing they’re caught out because their tools were taking too long. So their next step is to automate that process.
So what I see happening in the future of threat modeling is that you have a point in time where people are going to start to, almost like CAD, they’re going to start designing a lot of these networks. They need to design these networks. They’re going to automatically create the code, create everything, and they’re doing that right now. It’s called Terraform. Terraform is literally infrastructure and networking as code. So you put this all out there and there are other forms, CloudFormation and everything like that. So what you do is you put a lot out there.
Now where I’m seeing the future of threat modeling is that the threat model meditating gets put into that. So when they run it through, they’re running tests against it and they’re checking to see if that Terraform architecture, which doesn’t actually exist, has any holes in it. Or if on the other hand software architecture, same way, has any holes in it, because they’re going to do that. It’s going to be all automated all the way through and you’re going to have pinpoints where human beings come in and say like, “Oh, yeah. We’re going to change this, change that.” But a large part, a lot of this can become automated where point A and point B are going to be passing information between each other and it’s all behind the scenes. And that’s where I see threat modeling happening.
[36:55] CS: Okay. Now, do you – That brings up another question. Everyone always sort of worries about their job getting automated out of existence. Do you feel like there’s still going to be a human element to threat modeling and sort of – Yeah. What is the thing that we bring that a machine can’t do?
[37:10] GH: Have you ever heard of the term, to err is human. To really foul up requires a computer.
[37:17] CS: Yes. Oh, yeah.
[37:20] GH: Everywhere I look, they said at one point that factories would come in and would automate people out of code development. That the factories will develop the code. But what it is, we’re just moving to a higher plane. Human beings are now creating the factories. Now they can actually build in the flaws, because if human beings screw up and build in a flaw in a factory, the factory will build up flawed code all over the place. So it moves one higher level. Human beings are still going to be the highest plane, because we’re going to be the ones attaching 8X. It’s a funny symbol. In other words, we could still make that relation. Machines at this point in time, I’ll say the machine can’t do that. Obviously they’re working towards AI and all that other malarkey in a way. But I don’t see in the near future AI going like, “Hey, I’m going to show you guys off and I’m going to turn it into the Terminator.”
[38:17] CS: Right. Exactly.
[38:19] GH: I don’t see it happening in the near future.
[38:20] CS: Yeah. The hyper-intelligent supercomputer isn’t as close as we think it is.
[38:24] GH: No. It’ll end up being like BigDog from Boston Dynamics. Well, it’s smart. It’s scary, but it’s not that. What I’m saying for the threat modelers, we’re still going to be the people who are sitting above, and the threat modelers are going to look at the entire scope of everything, because like how does everything start? It’s a bunch of human beings sitting down and saying like, “We want to do X. How do we do it? Let’s take a big whiteboard and let’s draw that one.”
The minute they do that, you can create a threat model on it. No. No. No. You don’t want to do this because of this, this and this. And then you distill that further down until you hit the point of making factories and then you’ve already baked it in. So there’s going to be a need for threat modelers.
[39:04] CS: Yeah. All right. That’s always encouraging to hear as cybersecurity worries about its skills gap and having enough people.
[39:12] GH: We need you. We need you, cybersecurity people. We need more.
[39:16] CS: Yeah. You heard it here first. There’s plenty to go around. One last question today, if our listeners want to know more about Geoffrey Hill and your other activities, where can they go online?
[39:25] GH: I would say, initially, you can go to LinkedIn or to Twitter. Tutamantic_sec. I’m fairly active on Twitter, LinkedIn also. I do quite a bit of broadcasting on LinkedIn. They can also do a search on YouTube for a number of videos. You just type in Geoff Hill threat modeling, or threat model Geoff Hill. You’ll find a bunch of videos I do. Obviously, 2020 has been a bit weird, because I have to do a lot of them and I’ve gone kind of underground. But I do have lots in 2019. And I plan of course to be doing a lot of this stuff in 2021 and further on. I’m going to start – I have a blog that I’ve just set up. And so I’m going to be posting on that blog. And I’ll be posting the URLs to both Twitter and to LinkedIn.
[40:12] CS: Okay. That’s lots to look for. You all have an assignment here. Go find Geoffrey. He’s on the internet somewhere.
[40:18] GH: Where’s Waldo?
[40:19] CS: Where is Waldo? All right. Well, Geoffrey, thank you again for your time and thanks for your insights today.
[40:24] GH: Thank you very much for your time too. I have to ask you a question.
[40:28] CS: Sure.
[40:29] GH: You have a lot of books behind you.
[40:30] CS: I do. Yeah.
[40:31] GH: I’m fascinated by those.
[40:33] CS: Okay.
[40:33] GH: I can’t see what they are, but what are the themes you have behind there?
[40:37] CS: This is my dining room and these are the sort of nonfiction section. Depending on where you look, like those are sort of like essay collections up there. This is kind of – I call it sort of non-time-specific history stuff. Like history of drinking or history of whatever. Like over here is like memoirs and biographies. And then we have down here it starts going into the sort of like humor. And then we have sort of graphic novels, and then art books down there and stuff about the cities of Chicago and New York over here, and lit crit, whatever. A little bit of everything.
[41:14] GH: Wow! Fantastic. You got me on history, and history of drinking.
[41:20] CS: I have my history separated into time-delineated and time-specific. And so you have the sort of like the war books over here and then you have the sort of like generalized histories over here. I love sub-separating things like that.
[41:35] GH: Well, I can finish off. A quick thing is like with regards to histories, as part of the course, anybody who loves history, I’ve actually managed to inject history into the threat modeling course. But you have to take the course.
[41:50] CS: Oh, okay. Ah! Give us a hint.
[41:50] GH: It has to do with defense in depth and how people in the Middle Ages dealt with the concept. It’s not a new concept. It’s been around since the beginning of humankind. And whenever a bunch of people came and wanted to steal your stuff, how did you defend against it in the best way possible? That’s the beginning of threat modeling.
[42:12] CS: Aha. All right. Well, you heard it here and if you want to know more –
[42:16] GH: I’ll give you one thing you can take a look at. There’s a castle called Krak des Chevaliers, and it’s in Syria and it’s an old crusader castle. K-R-A-K des Chevaliers. Look it up. And I’m hopefully opening up a big wide book for you till you’re like – We’d get off here and be like, “I’m going to find out about this.”
[42:36] CS: Oh, yeah.
[42:38] GH: And you’ll look at it and if you look at the videos, if you look at the pictures of it, you’ll be blown away.
[42:42] CS: Wow! Okay. You all heard what he said. This is your first assignment. And after that, we’re going to take you in the world of threat modeling on infosec skills. Thank you again, Geoffrey.
[42:53] GH: Thank you very much.
[42:54] CS: And thank you all for listening and watching today. If you enjoyed today’s video, you can find many more on our YouTube page. Just go to youtube.com and type in Cyber Work with Infosec. Check out our collection of tutorials, interviews and past webinars. If you’d rather have us in your ears during your work day, all of our videos are also available as audio podcasts. Just search Cyber Work with Infosec in your podcast catcher of choice, and we’ve really been appreciating the ratings and reviews you’ve been giving. So please keep it up. We really like it.
For a free month of the Infosec Skills platform discussed in today’s show and for an opportunity to try out Geoffrey’s threat modeling course for yourself, just go to infosecinstitute.com/skills and sign up for an account. In the coupon line, type cyberwork, all one word, all small letters, no spaces, and get your free month. Thank you once again to Geoffrey Hill and thank you all for watching and listening. We’ll speak to you next week.
Cyber Work listeners get a free month of Infosec Skills.
Use code “cyberwork” to get access to hundreds of IT and security courses today.
About Cyber Work
Knowledge is your best defense against cybercrime. Each week on Cyber Work, host Chris Sienko sits down with a new industry thought leader to discuss the latest cybersecurity trends — and how those trends are affecting the work of infosec professionals. Together we’ll empower everyone with the knowledge to stay one step ahead of the bad guys.