noshitsecurity

sincera's pandora

How do these lessons align to real business goals?



Students are taught to ‘start where they are’ no matter what, and take the first step towards something.

In business, we will be tasked with taking on new challenges, and we may not have someone to hold our hand along the way.

The C-Suite expects us to build our own teams. By constantly ‘starting where we are’, we can bring our teams up together, creating a positive learning environment where it’s ok to ask tough questions and grow together.






Students are taught the importance of using what they have in front of them to get the job done.

In business, we may be forced to find a way to make things work given what we have to work with.

Another approach is flexibility in our solutions. You want to have at least one option or alternative, and try not to limit yourself to a single way of doing things, or a single point of failure.

In bug hunting, a mature bounty program may ask you this question after a disclosure that doesn’t immediately appear to affect any of the CIA aspects (confidentiality, integrity, availability) of a company’s security posture. What can you do with what you have?






Students are taught that you may not always have everything you need to succeed at first.

When we’ve got a big project and there is a lot at stake, we may find ourselves “up a creek”, so to speak.

Sometimes a project can cost thousands and thousands of dollars just to keep it “floating” – even while everyone is standing still.

This limitation could come in the form of not enough people to do the job the best way, or maybe it could be a limited budget.

Whatever the reason, when we find ourselves strapped, we look back at how far we’ve come, gather our resources, and use what we have to move forward however we can.






Students are taught to look at things from a different perspective; or even to try things backwards. This will challenge the inside-the-box mentality and help their minds grow.

When teams are storming, oftentimes we will find ourselves at odds with each other. By being the best teammate you can possibly be, you are setting everyone up for success, including yourself.

This is also useful when you are considering the limitations of a security system! Consider the architect’s or the attacker’s perspective!






Students are taught to dig everywhere, and to seek out ‘fossils’ or tokens of information in unlikely places, using basic digital forensic techniques. This will get them used to finding valuable pieces of information even if they are obfuscated.

Security through obscurity is not a magic bullet.






Students are taught the importance of protecting credentials: how a root key or certificate works within a cryptosystem, and how public key infrastructure works.

Some systems are inherently designed to be ultra-resilient. In cases like this, the easiest, or even the only known, way in is through a leaked credential or secret, or another authentication misconfiguration.

Other times you can snatch these very trinkets directly from a web transmission in the form of an obfuscated token or cookie.

Password spraying, man-in-the-middle attacks, and cookie/session hijacking are a real problem.

Breaches resulting from credential leakage can be a real tweet.
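As an added illustration of what “a real problem” looks like from the defender’s side (this is example code written for this page, not NoShitSecurity’s or the course’s own material), the following Python detector runs over a constructed, syslog-style authentication log and flags the classic password-spraying signature: one source address failing against many distinct accounts in a short window, as opposed to one account failing repeatedly. The log format, field names and addresses are assumptions invented for the example; adapt the regular expression to your own identity provider’s log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). Source 203.0.113.7 tries
# one password across many accounts; 198.51.100.4 is a single user mistyping
# their own password, which should NOT be flagged as a spray.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z auth: FAILED user=alice src=203.0.113.7
2024-05-01T09:00:03Z auth: FAILED user=bob src=203.0.113.7
2024-05-01T09:00:05Z auth: FAILED user=carol src=203.0.113.7
2024-05-01T09:00:07Z auth: FAILED user=dave src=203.0.113.7
2024-05-01T09:00:09Z auth: FAILED user=erin src=203.0.113.7
2024-05-01T09:00:11Z auth: SUCCESS user=frank src=203.0.113.7
2024-05-01T09:01:00Z auth: FAILED user=alice src=198.51.100.4
2024-05-01T09:01:05Z auth: FAILED user=alice src=198.51.100.4
2024-05-01T09:01:10Z auth: FAILED user=alice src=198.51.100.4
2024-05-01T09:01:15Z auth: SUCCESS user=alice src=198.51.100.4
"""

# Assumed log layout: "<ISO timestamp> auth: <FAILED|SUCCESS> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_auth_log(text):
    """Parse log text into (timestamp, result, user, src) tuples; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_password_spray(events, window=timedelta(minutes=5), min_users=5):
    """Return {src: sorted distinct usernames} for every source address whose
    failed logins touched at least `min_users` distinct accounts inside `window`.
    Many users per source is the spray signature; many failures per user is not."""
    failures = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAILED":
            failures[src].append((ts, user))

    findings = {}
    for src, items in failures.items():
        items.sort()  # chronological order so the sliding window is well defined
        for i, (start, _) in enumerate(items):
            users = {u for t, u in items[i:] if t - start <= window}
            if len(users) >= min_users:
                findings[src] = sorted(users)
                break
    return findings


def successes_from_spraying_sources(events, findings):
    """Successful logins from a source already flagged as spraying: the accounts
    most likely compromised, and the first thing to contain and investigate."""
    return sorted(
        {(src, user) for ts, result, user, src in events
         if result == "SUCCESS" and src in findings}
    )


if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_LOG)
    hits = detect_password_spray(ev)
    print("spraying sources:", hits)
    print("follow up on:", successes_from_spraying_sources(ev, hits))
```

The thresholds (five accounts in five minutes) are deliberately low so the constructed sample trips them; tune them against your own baseline, and treat a success from a flagged source as an incident rather than a metric.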






Students are taught the value of Zero Trust; building with a breach in mind, and how to utilize the MITRE ATT&CK framework and tabletop exercises to better prepare for breach events.


Highly resilient Zero Trust architecture in practical application

MFA, CAP, RBAC, LP/ZTA, JIT, and Implicit Deny
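To show how these controls fit together in one decision, here is a small policy evaluator added for this page (example code, not part of the STONE or BREACH frameworks or of NoShitSecurity’s material). It reads the list above as: MFA and device posture as conditional-access checks (the example assumes CAP means “conditional access policy”), RBAC for standing permissions scoped to least privilege, a time-bounded JIT grant for anything beyond a role, and implicit deny as the fall-through result. Role names, permissions and the request shape are assumptions invented for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Standing RBAC permissions, kept minimal on purpose (least privilege).
# Roles and (action, resource) pairs are constructed for this example.
ROLE_PERMISSIONS = {
    "reader": {("read", "reports")},
    "analyst": {("read", "reports"), ("read", "alerts")},
}


@dataclass
class AccessRequest:
    user: str
    roles: frozenset           # roles assigned to the identity
    action: str
    resource: str
    mfa_verified: bool         # strong authentication completed for this session
    device_compliant: bool     # device posture, e.g. managed and patched
    jit_grants: dict           # (action, resource) -> expiry datetime, time-bounded elevation
    now: datetime


def evaluate(req):
    """Return (allowed, reason). Every path that does not positively allow ends in a
    deny, so a request nobody wrote a rule for is refused (implicit deny)."""
    # Conditional access gates come first: no amount of privilege bypasses them.
    if not req.mfa_verified:
        return False, "deny: MFA not verified"
    if not req.device_compliant:
        return False, "deny: device not compliant"

    perm = (req.action, req.resource)

    # RBAC: standing permission from an assigned role.
    for role in sorted(req.roles):
        if perm in ROLE_PERMISSIONS.get(role, set()):
            return True, f"allow: role {role}"

    # JIT: a temporary grant is honoured only until its expiry.
    expiry = req.jit_grants.get(perm)
    if expiry is not None and req.now < expiry:
        return True, "allow: JIT grant"
    if expiry is not None:
        return False, "deny: JIT grant expired"

    return False, "deny: implicit (no matching rule)"


def make_request(user, roles, action, resource, *, mfa=True, compliant=True,
                 jit=None, now=None):
    """Helper to build requests with safe defaults; `jit` maps permission to expiry."""
    return AccessRequest(user, frozenset(roles), action, resource, mfa, compliant,
                         jit or {}, now or datetime(2024, 5, 1, 9, 0, 0))


if __name__ == "__main__":
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    print(evaluate(make_request("alice", {"reader"}, "read", "reports", now=t0)))
    print(evaluate(make_request("bob", {"analyst"}, "read", "alerts", mfa=False, now=t0)))
    print(evaluate(make_request("carol", {"reader"}, "restart", "prod-db",
                                jit={("restart", "prod-db"): t0 + timedelta(hours=1)}, now=t0)))
    print(evaluate(make_request("carol", {"reader"}, "restart", "prod-db",
                                jit={("restart", "prod-db"): t0 - timedelta(minutes=1)}, now=t0)))
```

Order matters: the conditional-access checks run before any permission lookup, so a stolen role assignment or a still-valid JIT grant is worthless without MFA and a compliant device, which is the “build with a breach in mind” part of the lesson.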

For more information about STONE and BREACH click here.


*The STONE and BREACH open frameworks are products of NoShitSecurity