DISARM Foundation 2022
My Year of Teaching Dangerously
Sara-Jayne (SJ) Terp
AMW RAT 2022-04-28
NOT ALL GREAT HACKERS CODE. GREAT HACKERS THINK ABOUT SYSTEMS
And we need more of these people
Image: https://business.leeds.ac.uk/research-stc/doc/socio-technical-systems-theory
BUT ALL THE INTRO HACKING BOOKS, ALL THE COURSES, ARE BOXES AND WIRES
(kudos to “The Car Hacker’s Handbook” and “Practical IoT Hacking” though)
Certified Ethical Hacker (CEH) syllabus:
● Ethical hacking fundamentals
● Reconnaissance and footprinting
● Scanning and enumeration
● Sniffing and evasion
● Attacking a system
● Hacking web servers and applications
● Wireless network hacking
● Mobile, IoT, and OT
● Security in cloud computing
● Trojans and other attacks, including malware analysis
● Cryptography
● Social engineering and physical security
● Penetration testing
HOW DO WE BUILD SYSTEMS HACKERS?
A: we teach them. At university. In a very liberal college (yay librarians!).
2021-2022 16-week courses:
● Sociotechnical Ethical Hacking
● Cybersecurity Decision Making
● Cognitive Security
● Technology Innovation
● Privacy, Security, Ethics
● Living with algorithms
BUILDING A COGNITIVE SECURITY COURSE
Brains, PCs, they’re all belief systems
“Cognitive security is the application of information security principles, practices, and tools to misinformation, disinformation, and influence operations. It takes a socio-technical lens to high-volume, high-velocity, and high-variety forms of ‘something is wrong on the internet’. Cognitive security can be seen as a holistic view of disinformation from a security practitioner’s perspective.”
Cognitive Security course
What we’re dealing with
1. Introduction
   a. disinformation reports, ethics
   b. researcher risks
2. fundamentals (objects)
3. cogsec risks
Human aspects
1. human system vulnerabilities and patches
2. psychology of influence
Building better models
1. frameworks
2. relational frameworks
3. building landscapes
Investigating incidents
1. setting up an investigation
2. misinformation data analysis
3. disinformation data analysis
Improving our responses
1. disinformation responses
2. monitoring and evaluation
3. games, red teaming and simulations
Where this is heading
1. cogsec as a business
2. future possibilities
Disinformation as a risk management problem
Manage the risks, not the artifacts
● Risk assessment, reduction, remediation
● Risks: How bad? How big? How likely? Who to?
● Attack surfaces, vulnerabilities, potential losses / outcomes
Manage resources
● Mis/disinformation is everywhere
● Detection, mitigation, response
● People, technologies, time, attention
● Connections
Image: https://www.risklens.com/infographics/fair-model-on-a-page
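As an added worked example (not part of the original slides, and not DISARM or RiskLens code), here is the FAIR decomposition the slide leans on, applied to disinformation scenarios rather than to individual posts: estimate ranges for how often attempts happen (threat event frequency), how often they succeed (vulnerability), how bad a success is (loss magnitude) and who bears it, then Monte Carlo those ranges into an annual-loss distribution and rank scenarios by their tail. The scenario names and every number are constructed for illustration; the control that halves vulnerability is an assumption about a mitigation, not a measured effect.

```python
"""FAIR-style Monte Carlo risk estimate for disinformation scenarios.

Added example, not from the slides. Uses the FAIR decomposition:
    loss event frequency (LEF) = threat event frequency (TEF) x vulnerability
    annual loss                = LEF x loss magnitude (LM)
Every number below is a constructed illustration, not a measured value.
"""
import random
import statistics
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Estimate:
    """A calibrated (min, most likely, max) range, sampled as a triangular distribution."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular's argument order is (low, high, mode)
        return rng.triangular(self.low, self.high, self.mode)

    def scaled(self, factor: float) -> "Estimate":
        return Estimate(self.low * factor, self.mode * factor, self.high * factor)


@dataclass(frozen=True)
class Scenario:
    """One risk scenario: a threat acting against an asset, with an effect on someone."""
    name: str
    affects: str                # "Who to?": the party that bears the loss
    tef: Estimate               # "How likely?": attempts per year
    vulnerability: Estimate     # probability an attempt succeeds, 0..1
    loss_magnitude: Estimate    # "How bad?": loss per successful event


def simulate(scenario: Scenario, trials: int = 20_000, seed: int = 7) -> dict:
    """Sample TEF, vulnerability and LM per trial and return annual-loss statistics."""
    rng = random.Random(seed)
    losses = sorted(
        scenario.tef.sample(rng)
        * scenario.vulnerability.sample(rng)
        * scenario.loss_magnitude.sample(rng)
        for _ in range(trials)
    )

    def pct(p: float) -> float:
        return losses[min(len(losses) - 1, int(p * len(losses)))]

    return {"mean": statistics.fmean(losses), "median": pct(0.5),
            "p90": pct(0.9), "p99": pct(0.99), "max": losses[-1]}


def rank(scenarios, key: str = "p90", **kw) -> list:
    """Order scenarios by a tail statistic: the one to work on first comes first."""
    scored = [(simulate(s, **kw)[key], s) for s in scenarios]
    scored.sort(key=lambda t: t[0], reverse=True)
    return [(s.name, s.affects, round(v, 1)) for v, s in scored]


def with_control(scenario: Scenario, vulnerability_factor: float) -> Scenario:
    """Model a mitigation (e.g. pre-bunking, rapid fact-check response) as a reduction in
    the chance an attempt succeeds. TEF stays: how often an adversary tries is their choice."""
    return replace(scenario, vulnerability=scenario.vulnerability.scaled(vulnerability_factor))


# Constructed scenarios; loss magnitude in thousands of an arbitrary currency unit.
SCENARIOS = [
    Scenario("Coordinated narrative against the election process", "election officials / voters",
             tef=Estimate(2, 6, 12), vulnerability=Estimate(0.2, 0.4, 0.7),
             loss_magnitude=Estimate(50, 200, 600)),
    Scenario("Impersonation of an official account", "public health agency",
             tef=Estimate(1, 3, 8), vulnerability=Estimate(0.05, 0.15, 0.3),
             loss_magnitude=Estimate(10, 40, 120)),
]

if __name__ == "__main__":
    for name, who, p90 in rank(SCENARIOS):
        print(f"{name:55s} bears on: {who:30s} p90 annual loss ~ {p90}")
    base = simulate(SCENARIOS[0])
    mitigated = simulate(with_control(SCENARIOS[0], 0.5))  # assumed: control halves success rate
    print(f"halving vulnerability: mean annual loss {base['mean']:.0f} -> {mitigated['mean']:.0f}")
```

Ranking by p90 rather than by mean is deliberate: the slide's "how bad?" is about the tail, and a scenario with a modest average but a long tail is the one that ends up in the news. The loss unit is whatever the organisation already budgets in; the model only needs the three ranges to be estimated consistently.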
BUILDING A SOCIOTECHNICAL ETHICAL HACKING COURSE
Thinking beyond the technology
Getting ready for hybrid attack forms:
● Cyber + cognitive + physical
● Cyber supporting cognitive
● Cognitive supporting cyber
● Cyber attack forms adapted to cognitive
● Etc
Sociotechnical Ethical Hacking course
First, do no harm
1. Ethics = risk management
2. Don’t harm others (harms frameworks)
3. Don’t harm yourself (permissions etc)
4. Fix what you break (purple teaming)
It’s systems all the way down
1. Infosec = systems (sociotechnical infosec)
2. All systems can be broken (with enough resources)
3. All systems have back doors (people, hardware, process, tech etc)
Psychology is important
1. Reverse engineering = understanding someone else’s thoughts
2. Social engineering = adapting someone else’s thoughts
3. Algorithms think too (adversarial AI)
Be curious about everything
1. Curiosity is a hacker’s best friend
2. Computers are everywhere (IoT etc)
3. Help is everywhere (how to search, how to ask)
4. CTFs, bounties, and competitions
Cognitive security
1. Yourself (recon & systems thinking)
2. Social media (social engineering)
3. Elections (OSINT & mixed security modes)
Physical security
1. Locksports (vulnerabilities)
2. Buildings and physical (don’t harm yourself)
Cyber security
1. Web, networks, PCs (RE, malware)
2. Machine learning (adversarial AI)
3. Maps and algorithms (back doors)
4. Assembler (microcontrollers)
5. Hardware (IoT, badges)
6. Radio (AISB, SDRs etc)
Systems that move
1. Cars (CAN buses and bypasses)
2. Robotics / automation (incl. don’t harm others)
3. Aerospace & marine (reverse engineering big systems)
4. Satellites (remote commands)
Keeping ‘em safe
● Teach ethics and the law. Not just “hey behave yourselves please”
● Continuing safely: introduce them to places to practice that will be around long after the course finishes
● Mentoring: introduce them to hackers I value, who can talk about why not to be on the dark side
● Purple team, not red team.
● Keep pushing the message of “here’s a safe place to try this; don’t do it anywhere you don’t have permission / understand the potential consequences”
Safe places to practice:
● TryHackMe (tryhackme.com)
● Hack The Box (https://www.hackthebox.com/)
● RingZer0 CTF
● CTFTime - live competitions
● picoCTF - practice
● Microcorruption - one of the original CTFs
● Top 10 Cyber Hacking Competitions - competitive CTFs (cash prizes etc)
Bug bounties:
● https://www.bugcrowd.com/bug-bounty-list/
● https://hackerone.com/bug-bounty-programs
● https://www.guru99.com/bug-bounty-programs.html
Help:
● Look for reddit and discord groups
● IppSec for techniques
● https://ctf101.org/ - tips and tricks
● Beginner's Guide to Capture the Flag (CTF) - tips, tricks, links to more online CTFs
● Capture-The-Flag Competitions: all you ever wanted to know!
I also fell a bit in love with the Parkerian Hexad
Confidentiality, integrity, availability
■ Confidentiality: data should only be visible to people who are authorized to see it
■ Integrity: data should not be altered in unauthorized ways
■ Availability: data should be available to be used when it is needed
Possession, authenticity, utility
■ Possession (control): who physically holds or controls the media the data is on, independent of whether they can read it (a stolen encrypted laptop is a loss of possession, not of confidentiality)
■ Authenticity: that the claimed origin or authorship of the information is genuine
■ Utility: that the data is usable in the form it is in (e.g. losing the encryption key leaves data confidential and intact, but useless)
Image: https://www.staffhosteurope.com/blog/2019/03/cybersecurity-and-the-parkerian-hexad
Other work over the past year…
Communities
● CogSecCollab
● CTI League disinformation team
● Ukraine
Collaborations
● DISARM Foundation (incl. MITRE, FIU, EU etc)
● Community-level behaviour tagging (UW)
● Disinformation response coordination: European Union (51 countries), UNDP (170 countries), individual countries (3 English-speaking ones), WHO Europe & Central Asia (51+ countries)
● Defcon Misinfo Village (incl. CredCo / MisinfoCon)
● Atlantic Council / Vanguards
Mentoring
● Individuals and organisations
● Book sub-editing
● Machine learning in infosec PhD advisors
● Nonprofit boards (RealityTeam, SocietyLibrary etc)
Research
● Risk-based Cognitive Security
○ AMITT model set (DISARM, EU, NATO, etc)
○ AMITT-SPICE model merge (with MITRE, FIU)
○ Extensions to FAIR etc
○ Community disinfo behaviour tagging (UW)
○ iVerify extensions (UN)
● Machine learning for cognitive security
○ Disinfo OSINT (country)
○ Community-based disinfo response (UN)
○ Extremism tracking (country)
● One-off research
○ Disinformation market models (DARPA)
○ Assessing disinformation training systems (State Dept)
○ Disinformation social ecological models (ARLIS)
○ Etc
THANK YOU
SJ Terp
@bodaceacat
http://www.overcognition.com
http