DISARM
Foundation
2022
My Year of Teaching
Dangerously
Sara-Jayne (SJ) Terp, AMW RAT, 2022-04-28
NOT ALL GREAT HACKERS CODE. GREAT HACKERS THINK ABOUT SYSTEMS
And we need more of these people.
Image: https://business.leeds.ac.uk/research-stc/doc/socio-technical-systems-theory
BUT ALL THE INTRO HACKING BOOKS, ALL THE COURSES, ARE BOXES AND WIRES
(kudos to “The Car Hacker’s Handbook” and “Practical IoT Hacking” though)
Certified Ethical Hacker (CEH) syllabus:
● Ethical hacking fundamentals
● Reconnaissance and footprinting
● Scanning and enumeration
● Sniffing and evasion
● Attacking a system
● Hacking web servers and applications
● Wireless network hacking
● Mobile, IoT, and OT
● Security in cloud computing
● Trojans and other attacks, including malware analysis
● Cryptography
● Social engineering and physical security
● Penetration testing
HOW DO WE BUILD SYSTEMS HACKERS?
A: we teach them. At university. In a very liberal college (yay librarians!).
2021-2022 16-week courses:
● Sociotechnical Ethical Hacking
● Cybersecurity Decision Making
● Cognitive Security
● Technology Innovation
● Privacy, Security, Ethics
● Living with algorithms
BUILDING A COGNITIVE SECURITY COURSE
Brains, PCs, they’re all belief systems
“Cognitive security is the application of information security principles, practices, and tools to misinformation, disinformation, and influence operations. It takes a socio-technical lens to high-volume, high-velocity, and high-variety forms of “something is wrong on the internet”. Cognitive security can be seen as a holistic view of disinformation from a security practitioner’s perspective.”
Cognitive Security course
What we’re dealing with
1. Introduction
a. disinformation reports, ethics
b. researcher risks
2. fundamentals (objects)
3. cogsec risks
Human aspects
1. human system vulnerabilities and patches
2. psychology of influence
Building better models
1. frameworks
2. relational frameworks
3. building landscapes
Investigating incidents
1. setting up an investigation
2. misinformation data analysis
3. disinformation data analysis
Improving our responses
1. disinformation responses
2. monitoring and evaluation
3. games, red teaming and simulations
Where this is heading
1. cogsec as a business
2. future possibilities
Disinformation as a risk management problem
Manage the risks, not the artifacts
● Risk assessment, reduction, remediation
● Risks: How bad? How big? How likely? Who to?
● Attack surfaces, vulnerabilities, potential losses / outcomes
Manage resources
● Mis/disinformation is everywhere
● Detection, mitigation, response
● People, technologies, time, attention
● Connections
Image: https://www.risklens.com/infographics/fair-model-on-a-page
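The slide frames disinformation as a FAIR-style risk question (how likely, how big, how bad, who to) rather than a hunt for individual artifacts. The block below is an added example, not from the original slides or the DISARM Foundation: it estimates annual loss exposure for three constructed disinformation scenarios using FAIR’s decomposition (loss event frequency = threat event frequency × vulnerability; risk = loss event frequency × loss magnitude), first from single “most likely” values and then as a Monte Carlo over (min, likely, max) ranges, and ranks the scenarios so scarce response resources can be pointed at the biggest expected harm. The scenario names, the numbers and the “affected” groups are assumptions chosen to show the arithmetic; the Monte Carlo layer goes slightly beyond the slide, which only names the factors.

```python
"""FAIR-style risk estimate for disinformation scenarios.

Added example, not from the original slides. The three scenarios, their
numbers and the 'affected' groups are constructed assumptions chosen to
show the arithmetic, not measurements.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    affected: str     # the slide's "Who to?"
    tef: tuple        # threat event frequency per year: (min, likely, max)
    vuln: tuple       # probability a threat event becomes a loss event: (min, likely, max)
    magnitude: tuple  # loss per loss event, in currency units: (min, likely, max)


# Constructed scenarios (assumed values, for illustration only).
SCENARIOS = [
    Scenario("Coordinated smear of a local clinic", "clinic staff and patients",
             tef=(2, 6, 12), vuln=(0.2, 0.4, 0.7), magnitude=(5_000, 20_000, 80_000)),
    Scenario("Fake 'polling station moved' notices", "voters in one district",
             tef=(0.5, 1, 3), vuln=(0.3, 0.6, 0.9), magnitude=(20_000, 100_000, 400_000)),
    Scenario("Spoofed press release moves a share price", "shareholders and the company",
             tef=(0.1, 0.3, 1), vuln=(0.1, 0.3, 0.6), magnitude=(100_000, 1_000_000, 5_000_000)),
]


def point_estimate(s: Scenario) -> float:
    """FAIR single-number estimate from the 'likely' values:
    loss event frequency (LEF) = TEF * vulnerability; risk = LEF * loss magnitude."""
    lef = s.tef[1] * s.vuln[1]
    return lef * s.magnitude[1]


def _tri(rng: random.Random, lo: float, likely: float, hi: float) -> float:
    # random.triangular takes (low, high, mode), so the 'likely' value goes last.
    return rng.triangular(lo, hi, likely)


def simulate(s: Scenario, runs: int = 10_000, seed: int = 1) -> list:
    """Monte Carlo version: sample each factor from a triangular distribution
    over its (min, likely, max) range and return the sorted annual-loss samples.
    Annual loss per draw is TEF * vulnerability * magnitude (a simplification:
    all loss events in a simulated year share one sampled magnitude)."""
    rng = random.Random(seed)
    samples = []
    for _ in range(runs):
        tef = _tri(rng, *s.tef)
        vuln = _tri(rng, *s.vuln)
        magnitude = _tri(rng, *s.magnitude)
        samples.append(tef * vuln * magnitude)
    samples.sort()
    return samples


def percentile(sorted_samples: list, p: float) -> float:
    """Nearest-rank percentile of an already sorted list (p in [0, 1])."""
    idx = int(round((len(sorted_samples) - 1) * p))
    return sorted_samples[idx]


def rank(scenarios=SCENARIOS, runs: int = 10_000, seed: int = 1) -> list:
    """Rank scenarios by median simulated annual loss, highest first.
    Each row: (name, affected, point_estimate, p50, p90)."""
    rows = []
    for s in scenarios:
        samples = simulate(s, runs, seed)
        rows.append((s.name, s.affected, point_estimate(s),
                     percentile(samples, 0.5), percentile(samples, 0.9)))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


if __name__ == "__main__":
    for name, affected, pe, p50, p90 in rank():
        print(f"{name:45} harms: {affected:30} point={pe:>12,.0f} "
              f"p50={p50:>12,.0f} p90={p90:>12,.0f}")
```

The point estimates alone already reorder the list away from “whatever is loudest today” (the rare spoofed press release out-ranks the frequent clinic smear), and the p90 column is what justifies spending detection and response capacity on a scenario whose typical year looks cheap.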
BUILDING A SOCIOTECHNICAL ETHICAL HACKING COURSE
Thinking beyond the technology
Getting ready for hybrid attack forms:
● Cyber + cognitive + physical
● Cyber supporting cognitive
● Cognitive supporting cyber
● Cyber attack forms adapted to cognitive
● Etc
Sociotechnical Ethical Hacking course
First, do no harm
1. Ethics = risk management
2. Don’t harm others (harms frameworks)
3. Don’t harm yourself (permissions etc)
4. Fix what you break (purple teaming)
It’s systems all the way down
1. Infosec = systems (sociotechnical infosec)
2. All systems can be broken (with resources)
3. All systems have back doors (people, hardware, process, tech etc)
Psychology is important
1. Reverse engineering = understanding someone else’s thoughts
2. Social engineering = adapting someone else’s thoughts
3. Algorithms think too (adversarial AI)
Be curious about everything
1. Curiosity is a hacker’s best friend
2. Computers are everywhere (IoT etc)
3. Help is everywhere (how to search, how to ask)
4. CTFs, bounties, and competitions
Cognitive security
1. Yourself (recon & systems thinking)
2. Social media (social engineering)
3. Elections (OSINT & mixed security modes)
Physical security
1. Locksports (vulnerabilities)
2. Buildings and physical (don’t harm self)
Cyber security
1. Web, networks, PCs (RE, malware)
2. Machine learning (adversarial AI)
3. Maps and algorithms (back doors)
4. Assembler (microcontrollers)
5. Hardware (IoT, badges)
6. Radio (AISB, SDRs etc)
Systems that move
1. Cars (CAN buses and bypasses)
2. Robotics / automation (inc don’t harm others)
3. Aerospace & Marine (reverse engineering big systems)
4. Satellites (remote commands)
Keeping ‘em safe
● Teach ethics and the law. Not just “hey
behave yourselves please”
● Continuing safely: Introduce them to
places to practice, that will be around long
after the course finishes
● Mentoring: introduce them to hackers I
value, who can talk about why not to be on
the dark side
● Purple team, not red team.
● Keep pushing the message of “here’s a safe
place to try this; don’t do it anywhere you
don’t have permission / understand the
potential consequences”
Safe places to practice:
● Tryhackme.com
● Hack The Box - https://www.hackthebox.com/
● RingZer0 CTF
● CTFTime - live
● picoCTF - practice
● Micro Corruption - one of the original CTFs
● Top 10 Cyber Hacking Competitions - competitive CTF (cash prizes etc)
Bug bounties:
● https://www.bugcrowd.com/bug-bounty-list/
● https://hackerone.com/bug-bounty-programs
● https://www.guru99.com/bug-bounty-programs.html
Help:
● Look for reddit and discord groups
● IppSec for techniques
● https://ctf101.org/ - tips and tricks
● Beginner's Guide to Capture the Flag (CTF) - tips, tricks, links to more online CTFs
● Capture-The-Flag Competitions: all you ever wanted to know!
I also fell a bit in love with the Parkerian Hexad
Confidentiality, integrity, availability
■ Confidentiality: data should only be visible to people who are authorized to see it
■ Integrity: data should not be altered in unauthorized ways
■ Availability: data should be available to be used
Possession, authenticity, utility
■ Possession: controlling the data media (who physically holds the disk, the device, the backup)
■ Authenticity: accuracy and truth of the origin of the information
■ Utility: usefulness (e.g. encrypted data whose key has been lost is confidential and intact, but useless)
Image: https://www.staffhosteurope.com/blog/2019/03/cybersecurity-and-the-parkerian-hexad
Other work over the past year…
Communities
● CogSecCollab
● CTI League disinformation team
● Ukraine
Collaborations
● DISARM Foundation (inc MITRE, FIU, EU etc)
● Community-level behaviour tagging (UW)
● Disinformation response coordination: European Union (51 countries), UNDP (170 countries), individual countries (3 English-speaking ones), WHO Europe & Central Asia (51+ countries)
● Defcon Misinfo Village (inc CredCo / MisinfoCon)
● Atlantic Council / Vanguards
Mentoring
● Individuals and organisations
● Book sub-editing
● Machine learning in infosec PhD advisors
● Nonprofit boards (RealityTeam, SocietyLibrary etc)
Research
● Risk-based Cognitive Security
○ AMITT model set (DISARM, EU, NATO, etc)
○ AMITT-SPICE model merge (with MITRE, FIU)
○ Extensions to FAIR etc
○ Community disinfo behaviour tagging (UW)
○ iVerify extensions (UN)
● Machine learning for cognitive security
○ Disinfo OSINT (country)
○ Community-based disinfo response (UN)
○ Extremism tracking (country)
● One-off research
○ Disinformation market models (DARPA)
○ Assessing disinformation training systems (State Dept)
○ Disinformation social ecological models (ARLIS)
○ Etc
THANK YOU
SJ Terp
@bodaceacat
http://www.overcognition.com