Post thumbnail
People sometimes ask me about my recording setup, and I wanted to share some thoughts about recording good learning content. The most important thing I’ve learned is the importance of conceptualizing what you want it to look like. The other thing I’ve learned is that the more expensive gear is usually more expensive for decent…
Read More Recording Lectures
Post thumbnail
I have been lucky through these unprecendented and challenging times, and I’m grateful to have avoided many of the awful problems that others have faced. In my own little way, I spent a lot of time worried that delivering threat modeling training was only possible with us in the same room together. Through the pandemic,…
Read More Threat Modeling Classes
Post thumbnail
I haven’t talked about it much, but I spent the first few months of the pandemic learning how to deliver effective training in a distributed (online) model. I’m really proud that our distributed class NPS customer satisfaction scores are now comparable to our in-person classes. Also it’s been a lot of hard work, and in…
Read More Training: Threat Modeling for Security Champions
Post thumbnail
So Chris Romeo has a blog post, “Threat modeling: better caught than taught.” In it, he advocates for threat modeling being a skill passed on informally. And, like many things in threat modeling, that’s attractive, sounds fun, and is utterly wrong. Let’s threat model this: What are we working on? Scaling threat modeling across all…
Read More Better Taught Than Caught!
Post thumbnail
At Blackhat this summer, I’ll be offering threat modeling training at Blackhat. Last year, these sold out quickly, so don’t wait! This hands-on, interactive class will focus on learning to threat model by executing each of the steps. Students will start threat modeling early on day 1, followed by an understanding of traps that they…
Read More Threat Modeling Training at Blackhat 2020
NorthSec CTF 2019 in Montreal
Looking at what is popular with smaller niche crowds can give greater insight into the “next thing”. This natural selection of attention can inspire an evolution of methods and practices. Capture the Flag Events (CTFs) and electronic Sports (eSports) are good examples of a relatively new trend. I’ve had the chance to be front row…
Read More Capture the Flag events and eSports
Post thumbnail
Chris Eng said “Someone should set up a GoFundMe to send whoever wrote the hit piece on password managers to a threat modeling class.” And while it’s pretty amusing, you know, I teach threat modeling classes. I spend a lot of time crafting explicit learning goals, considering and refining instructional methods, and so when a…
Read More What Should Training Cover?
Post thumbnail
SANS has announced a new boardgame, “Pivots and Payloads,” that “takes you through pen test methodology, tactics, and tools with many possible setbacks that defenders can utilize to hinder forward progress for a pen tester or attacker. The game helps you learn while you play. It’s also a great way to showcase to others what…
Read More Pivots and PayloadsI’d like to nominate Xfinity’s “walled garden” for the worst user experience in computer security. For those not familiar, Xfinity has a “feature” called “Constant Guard” in which they monitor your internet for (I believe) DNS and IP connections for known botnet command and control services. When they think you have a bot, you see…
Read More The Worst User Experience In Computer Security?