Heriot-Watt University in Scotland is hosting a “Workshop on Serious Games for Cyber Security,” May 21-22.
At RSA, I’ll be speaking 3 times at the conference, and once at a private event for Continuum:
- “2028 Future State: Long Live the Firewall?” with Jennifer Minella, Harry Sverdlove and Marcus Ranum. March 5 | 1:00 PM – 1:50 PM | Moscone West 3001
- Threat modeling brunch with IriusRisk March 6 | 10 – 11 AM | See site for registration
- How to Measure Ecosystem Impacts with Jay Jacobs. March 7 | 1:30 PM – 2:20 PM | Moscone West 2011
- Threat Modeling in 2019. March 8 | 8:30 AM – 9:20 AM | Moscone South 205
Wow. Blackhat, Defcon, I didn’t even make the other conferences going on in Vegas. And coming back it seems like there’s a sea of things to follow up on. I think a little bit of organization is helping me manage better this year, and so I thought I’d share what’s in my post-conference toolbox. I’m also sharing because I don’t think my workflow is optimal, and would love to learn from how others are working through this in 2018 with its profusion of ways to stay in touch.
First, I have a stack of queues to process:
- Email. My inbox, but I also have a folder called “followup.” I move a lot out of my inbox to the followup folder so I can see it when I’m back from travel. (I also have a set of monthly sub-folders: followup/august, followup/september, they let me say “I’ll get back to you in three months.”)
- iMessage. For both of these, I go back through the conversations I’ve had, see if I had followups or if I dropped the ball on someone.
- LinkedIn. I get a lot of LinkedIn requests, and I’m a fairly open networker. Sadly, the UI works very poorly for me. I would love to hear about tools that allow me to effectively move messages to something other than a LIFO queue.
- Workflowy. I’m experimenting with this as a note taking tool, and it’s not bad.
It’s a bit of a pain to extract the data (for example, I can’t email myself a branch of the tree), but copy and paste from the website is decent. It turns out the website has great export, but I’m still learning.
- Business cards. I go through the whole stack of cards for todo items. I try to write notes on business cards. I discovered I did that on one of 6 cards where I remembered something. That’s not very good odds, and forces me to consider what I might have missed. Still exploring how to make best use of cards without notes. Advice really welcome here.
- Slack channels. Go through, look at DMs and channels. I suppose I should use some feature to note that I intend to followup. Is the Slack way to say “come back to this” to star a message?
- Calendar. For each meeting, think about the meeting, check my notes, see if I remember followups or things that didn’t make it to an email/workflowy note. And yes, there were several discussions that I know we discussed followups that I re-discovered by looking at my calendar.
- Photos. Photographs are the new note-taking, and so going back through pictures you took is important.
- Twitter, Facebook. I’m trying to break from Twitter, and don’t use Facebook, but I figured I’d include them here because they’re maybe worth remembering.
After the queues, as a consultant, I have customer work to get back to and sales contacts to followup on. I have expenses. I haven’t found an expense app that I really like, and so I stuff receipts in an envelope each evening, and then deal with them when I get home.
If I missed any followups, I’m sorry. Please reach out!
But more, I’m curious what works for you? What’s in your toolbox?
Photo: Patrick Perkins.
The slides from my Blackhat talk, “Threat Modeling in 2018: Attacks, Impacts and Other Updates” are now available either as a PDF or online viewer.
Since I wrote my book on the topic, people have been asking me “what’s new in threat modeling?” My Blackhat talk is my answer to that question, and it’s been taking up the time that I’d otherwise be devoting to the series.
As I’ve been practicing my talk*, I discovered that there’s more new than I thought, and I may not be able to fit in everything I want to talk about in 50 minutes. But it’s coming together nicely.
The current core outline is:
- What are we working on
- The fast moving world of cyber
- The agile world
- Models are scary
- What can go wrong? Threats evolve!
- Machine Learning
And of course, because it’s 2018, there’s cat videos and emoji to augment logic. Yeah, that’s the word. Augment. 🤷‍♂️
Wednesday, August 8 at 2:40 PM.
* Oh, and note to anyone speaking anywhere, and especially large events like Blackhat — as the speaker resources say: practice, practice, practice.
So this week’s threat model Thursday is simply two requests:
- What would you like to see in the series?
- What would you like me to cover in my Blackhat talk, “Threat Modeling in 2018?”
“Attacks always get better, and that means your threat modeling needs to evolve. This talk looks at what’s new and important in threat modeling, organizes it into a simple conceptual framework, and makes it actionable. This includes new properties of systems being attacked, new attack techniques (like biometrics confused by LEDs) and a growing importance of threats to and/or through social media platforms and features. Take home ways to ensure your security engineering and threat modeling practices are up-to-date.”
My friends at Continuum Security have some cool swag here at RSA. Go get some at South 2125 (the Spanish Pavilion). See their “meet us” blog post.
I really enjoyed being part of this panel. I felt we had a good mix of experience and some really interesting conversations.
As a member of the BlackHat Review Board, I would love to see more work on Human Factors presented there. The 2018 call for papers is open and closes April 9th. Over the past few years, I think we’ve developed an interesting track with good material year over year.
I wrote a short blog post on what we look for.
The BlackHat CFP calls for work which has not been published elsewhere. We prefer fully original work, but will consider a new talk that explains work you’ve done for the BlackHat audience. Oftentimes, Blackhat does not count as “Publication” in the view of academic program committees, and so you can present something at BlackHat that you plan to publish later. (You should of course check with the other venue, and disclose that you’re doing so to BlackHat.)
If you’re considering submitting, I encourage you to read all three recommendations posts at https://usa-briefings-cfp.blackhat.com/
Jean Camp and Yoshi Kohno are organizing an interesting workshop upcoming at the University of Washington on “Best Practices In The IoT:”
Our agenda begins with a presentation on the Federal Government initiatives in the IoT. When collecting the reading materials for emerging standards, we found nearly a thousand pages once all governmental materials are brought together…The product of the workshop will be a summary document identifying (i) a consensus set of graduated best practices for security and privacy for IoT in the home, and (ii) any gaps where best practices cannot yet be identified.
(I believe that the workshop organizers might agree with me regarding the term “best practices,” but are driven by funders to use it.)
Also, they are searching for a few more sponsors if you can help in that department.