How do these lessons align with real business goals?
- Start where you are
Students are taught to ‘start where they are’ no matter what, and take the first step towards something.
In business, we will be tasked with taking on new challenges, and we may not have someone to hold our hand along the way.
The C-Suite expects us to build our own teams. By constantly ‘starting where we are’ we can bring our teams up together by creating a positive learning environment where it’s ok to ask tough questions and grow together.
- What can you do with what you have?
Students are taught the importance of using what they have in front of them to get the job done.
In business, we may be forced to find a way to make things work given what we have to work with.
A related lesson is flexibility in our solutions: have at least one alternative ready, and avoid committing to a single approach or a single point of failure.
In bug hunting, a mature bounty program may ask you this very question after a disclosure that does not immediately appear to affect the confidentiality, integrity, or availability (CIA) of the company’s systems: what can you do with what you have?
- Use what you have to move forward any way you can
Students are taught that you may not always have everything you need to succeed at first.
When we have a big project and there is a lot at stake, we may find ourselves “up a creek,” so to speak.
Sometimes a project can cost thousands and thousands of dollars just to keep it “floating” – even while everyone is standing still.
This limitation could come in the form of not enough people to do the job the best way, or maybe it could be a limited budget.
Whatever the reason, when we find ourselves strapped, we look back at how far we have come, gather our resources, and use what we have to move forward however we can.
- Consider the perspective opposite to your own, and search for answers there
Students are taught to look at things from a different perspective; or even to try things backwards. This will challenge the inside-the-box mentality and help their minds grow.
When teams are storming, we will often find ourselves at odds with each other. By being the best teammate you can possibly be, you set everyone up for success, including yourself.
This is also useful when you are considering the limitations of a security system: look at it first from the architect’s perspective, then from the attacker’s.
- Dig deeper, dinosaur
Students are taught to dig everywhere, and to seek out ‘fossils’ or tokens of information in unlikely places, using basic digital forensic techniques. This gets them used to finding valuable pieces of information even when they are obfuscated.
Security through obscurity is not a magic bullet: encoding a secret or tucking it away in an odd place is not the same as protecting it.
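The kind of “fossil hunting” described above, as an added example that is not part of the original page or the program’s own material: a small scanner that walks text looking for base64-looking runs, decodes them, and flags the ones that turn out to contain credential-shaped content. The configuration fragment it scans is constructed for the example (the hostnames and the “password=…” value are invented), and the marker patterns are one reasonable starting list, not a standard.

```python
import base64
import binascii
import re
import string

# Strings that make a decoded blob worth a human's attention.
# Constructed starting list; extend with your own environment's patterns.
SECRET_MARKERS = re.compile(
    r"(password|passwd|secret|token|api[_-]?key|"
    r"BEGIN [A-Z ]*PRIVATE KEY|AKIA[0-9A-Z]{16})",
    re.IGNORECASE,
)

# A run of base64 alphabet characters, at least 16 long, with optional '='
# padding, not glued to other base64-ish characters on either side.
B64_CANDIDATE = re.compile(
    r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])"
)


def decode_if_base64(candidate):
    """Return the decoded text if `candidate` is base64 of printable UTF-8,
    otherwise None. Missing padding is tolerated, junk bytes are not."""
    padded = candidate + "=" * (-len(candidate) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not text or not all(ch in string.printable for ch in text):
        return None
    return text


def find_hidden_secrets(text):
    """Scan `text` line by line; return a list of dicts for every base64 run
    that decodes to something matching SECRET_MARKERS."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in B64_CANDIDATE.finditer(line):
            decoded = decode_if_base64(m.group(0))
            if decoded and SECRET_MARKERS.search(decoded):
                hits.append(
                    {"line": lineno, "encoded": m.group(0), "decoded": decoded}
                )
    return hits


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample input, not a real artifact: a config fragment that
# "hides" two secrets behind base64 and one harmless note the same way.
SAMPLE_TEXT = (
    "# constructed app.conf fragment\n"
    "db_host = db.internal.example\n"
    f"db_pass = {_b64('password=SuperS3cr3t!')}\n"
    f"release_notes = {_b64('nothing interesting here')}\n"
    f"deploy_key = {_b64('-----BEGIN RSA PRIVATE KEY-----')}\n"
)

if __name__ == "__main__":
    for hit in find_hidden_secrets(SAMPLE_TEXT):
        print(f"line {hit['line']}: {hit['encoded']} -> {hit['decoded']!r}")
```

The decode step is deliberately strict (valid alphabet, printable UTF-8) so that long ordinary words, which also match the base64 regex, drop out instead of producing noise; in a real engagement you would run the same logic over hex and URL-safe base64 as well.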
- There is always a key
Students are taught the importance of protecting credentials: how a root key or certificate works within a cryptosystem, and how public key infrastructure works.
Some systems are designed to be highly resilient. In those cases the easiest, or even the only known, way in is through a leaked credential or secret, or some other authentication misconfiguration.
Other times you can snatch these trinkets directly from a web transmission, in the form of an obfuscated token or cookie.
Password spraying, man-in-the-middle attacks, and cookie/session hijacking are real problems.
Breaches resulting from credential leakage have a way of ending up as very real headlines (and tweets).
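The password-spraying problem mentioned above, viewed from the defender’s side, as an added example that is not part of the original page: a detector that reads authentication log lines and flags any source address that fails logins against many distinct accounts in a short window (the signature of a spray: one or two passwords tried across a whole user list), then reports which accounts that source did manage to log into. The log format, the usernames and the addresses (TEST-NET ranges) are constructed for the example; the 10-minute window and the five-account threshold are starting assumptions to tune against your own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for the example: "<ts> auth <ok|fail> user=<u> src=<ip>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_spray(lines, window=timedelta(minutes=10), min_users=5):
    """Return {src: sorted list of users} for every source that produced
    failed logins against at least `min_users` distinct accounts inside any
    `window`-sized span. One user failing many times is not a spray."""
    failures = defaultdict(list)  # src -> [(ts, user), ...]
    for line in lines:
        ev = parse(line)
        if ev and ev["result"] == "fail":
            failures[ev["src"]].append((ev["ts"], ev["user"]))

    alerts = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding window over time
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                alerts[src] = sorted(users)
                break
    return alerts


def successes_from_sprayers(lines, alerts):
    """Accounts that successfully authenticated from a flagged source; these
    are the credentials the spray actually guessed and need resetting."""
    hit = defaultdict(set)
    for line in lines:
        ev = parse(line)
        if ev and ev["result"] == "ok" and ev["src"] in alerts:
            hit[ev["src"]].add(ev["user"])
    return {src: sorted(users) for src, users in hit.items()}


# Constructed sample log: one spraying source that lands on "frank", one
# legitimate user mistyping twice, and one source below the threshold.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z auth fail user=alice src=203.0.113.7
2024-05-01T09:00:03Z auth fail user=bob src=203.0.113.7
2024-05-01T09:00:05Z auth fail user=carol src=203.0.113.7
2024-05-01T09:00:08Z auth fail user=dave src=203.0.113.7
2024-05-01T09:00:10Z auth fail user=erin src=203.0.113.7
2024-05-01T09:00:12Z auth ok user=frank src=203.0.113.7
2024-05-01T09:01:00Z auth fail user=bob src=198.51.100.20
2024-05-01T09:01:20Z auth fail user=bob src=198.51.100.20
2024-05-01T09:01:45Z auth ok user=bob src=198.51.100.20
2024-05-01T09:02:00Z auth fail user=gina src=203.0.113.9
2024-05-01T09:02:05Z auth fail user=hank src=203.0.113.9
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    alerts = detect_spray(lines)
    for src, users in alerts.items():
        print(f"spray from {src}: {len(users)} accounts tried {users}")
    for src, users in successes_from_sprayers(lines, alerts).items():
        print(f"  {src} succeeded as {users} -> reset these")
```

Keying on distinct accounts per source rather than failures per account is what separates a spray from an ordinary lockout-threshold rule, which a spray is designed to stay under.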
- Build it like a STONE with the NoShitSecurity BREACH Framework
Students are taught the value of Zero Trust: building with a breach in mind, and how to use the MITRE ATT&CK framework and tabletop exercises to better prepare for breach events.
Highly resilient Zero Trust architecture in practical application:
MFA (multi-factor authentication), CAP (conditional access policies), RBAC (role-based access control), LP/ZTA (least privilege / Zero Trust architecture), JIT (just-in-time access), and implicit deny.
For more information about STONE and BREACH click here.
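To make the list of controls above concrete, here is an added example, not code from the STONE/BREACH material or the page’s author, of an authorization check that layers them the Zero Trust way: the default answer is deny, a role must grant the action (RBAC), the device must pass a conditional-access check, and sensitive actions additionally require recent MFA and a live just-in-time grant. The role map, the 15-minute MFA freshness bound and the action names are invented for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

# Constructed role map (assumption for the example, not a real policy).
ROLE_PERMISSIONS = {
    "reader": {"repo:read"},
    "deployer": {"repo:read", "deploy:prod"},
}

# Actions that need fresh MFA plus a JIT grant on top of the role.
SENSITIVE_ACTIONS = {"deploy:prod"}
MFA_MAX_AGE = timedelta(minutes=15)  # assumed freshness bound


@dataclass
class JitGrant:
    permission: str
    expires_at: datetime


@dataclass
class Request:
    user: str
    roles: Set[str]
    action: str
    mfa_age: Optional[timedelta]      # time since last MFA; None = never
    device_compliant: bool            # conditional-access signal
    jit_grants: List[JitGrant] = field(default_factory=list)


def authorize(req: Request, now: datetime) -> Tuple[bool, str]:
    """Implicit deny: the request is allowed only if every check passes.
    Returns (decision, reason) so denials are explainable in logs."""
    # Conditional access: an untrusted device never gets anything.
    if not req.device_compliant:
        return False, "device not compliant"

    # RBAC: least privilege means the action must be explicitly granted.
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in req.roles))
    if req.action not in granted:
        return False, "no role grants action"

    # Sensitive actions: step-up MFA and a time-boxed JIT grant.
    if req.action in SENSITIVE_ACTIONS:
        if req.mfa_age is None or req.mfa_age > MFA_MAX_AGE:
            return False, "MFA missing or stale"
        live = [g for g in req.jit_grants
                if g.permission == req.action and g.expires_at > now]
        if not live:
            return False, "no active JIT grant"

    return True, "allow"


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 9, 0, 0)
    grant = JitGrant("deploy:prod", now + timedelta(hours=1))
    ok_req = Request("dana", {"deployer"}, "deploy:prod",
                     timedelta(minutes=2), True, [grant])
    print(authorize(ok_req, now))                       # (True, 'allow')
    print(authorize(ok_req, now + timedelta(hours=2)))  # JIT expired
```

Because every branch that is not an explicit allow returns a deny, adding a new role or action cannot accidentally widen access; the worst a misconfiguration can do is block someone, which is the failure mode you want.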