
Threat modeling self-driving cars was “like science fiction” | Cyber Work Podcast

Self-driving cars, bank robberies and escaping law enforcement — that's what you can expect in one of Geoffrey Hill's threat modeling sessions, as he explains in this clip from the Cyber Work Podcast.

– Watch the full episode: https://www.youtube.com/watch?v=f5eTfx-KCns
– Enter code “cyberwork” to get 30 days of free training with Infosec Skills: https://www.infosecinstitute.com/skills/
– View transcripts and additional episodes: https://www.infosecinstitute.com/podcast

Geoffrey Hill has been in the IT industry since 1990, when he wrote and sold C++-based solutions to measure risk in the commodities markets in New York City. Since then he has worked around the world, specifically in New York, Sydney, Tokyo, Emmerich am Rhein and London. In the mid-2000s, he was the main custodian of the Microsoft Security Development Lifecycle (SDL) initiative in the UK and then in the international services organization, as part of the Microsoft Security Center of Excellence (SCOE). From 2013 to 2018, he worked as the sole application security architect for Visa Europe in London, where he started Tutamantic Ltd, a producer of software risk automation. Geoff is the inventor of the Rapid Threat Model Prototyping (RTMP) methodology, which allows for quick modelling in Agile and DevOps environments.

About Infosec
At Infosec, we believe knowledge is the most powerful tool in the fight against cybercrime. We help IT and security professionals advance their careers with a full regimen of certifications and skills development training. We also empower all employees with security awareness and training to stay cybersecure at work and home. Founded by smart people wanting to do good, Infosec educates entire organizations on how to defend themselves from cybercrime. That’s what we do every day — equipping everyone with the latest security skills so the good guys win. Learn more at infosecinstitute.com.

Infosec

3 years ago

I had a fantastic threat modeling session, where I trained a number of people over at Denver Bench a number of years ago. So I went over to S in Germany and I spent three days training them, and on the third day what I did was I said, "We're going to have... we're going to get together, we're going to take one of your self-driving cars and we're going to throttle the self-driving car." Oh yeah. So we got out there and we had a verbal session, we had a whiteboarding session, we went through and we threatened all the different things you could do to a self-driving car, with all the different... and we came up with some fantastic stuff. It was like going into science fiction land. It was amazing, like we were writing our own, uh, Schwarzenegger movie. I mean, he's been older, but you know what I mean. It's like, or Sylvester Stallone, you know, I mean, it's like a science fiction... I guess, I guess it'd be Colin, Colin, uh, Farrell... Colin Firth. Yeah, we call him Firth, doing something like that, you know, one of those guys, like one of the newer guys. But it literally, like, we had things... You and I are so the same age. TRS-80. Yes. [Laughter] Exactly. And so, so yeah, you will hack this car. Yeah, right, right.

They had, they had a wonderful attack where we said... one of the threat model, one of the threat model outputs was: what if we could break into the radio signals? We could convince all... because what I've said, but what they're planning on doing is they're creating radio signals, so if you have an ambulance and it goes flying through the town, all the lights change. Yeah, right. And the ambulance goes straight through. Great idea, let's hack it. So we went there, and the threat was we hack into that, that signal, and I won't go into any detail about how we did it, but we broke into, how we'd hack into that signal, and we convinced all the, all the lights that we actually were an ambulance, but we were actually just finished robbing a bank. Oh yeah. And we tore off, we did the whole thing right there, you know, from... and it was, it was almost like there was a movie that just recently came out with Gerard Butler about, about robbing one of the Federal Reserves over in L.A. Okay. And I forget the name of it, but, but, but it was almost like that. Like all the lights changed, you know, in our, in our threat model, and we got under anything, you know, we went underneath a bridge where the radio signal wouldn't go, we switched over cars and the whole thing right there. And it was fun, but it showed them the power of threat modeling in that sense right there. Yeah.

Granted, there are a lot of more mundane ones, you know, you're breaking, you're going and you're doing stuff like... there are a number of different companies that, kids have... a lot of insurance companies and finance companies, but they're still interesting, because what they do is, what, you know, what I love saying is, I love seeing people's eyes light up. Yeah. We go through and we, I say, "Whiteboard it. Okay, walk me through this. Okay, you as a team, tell me what you think is important on that board," and they tell me, and I sit back and I let them tell me. "Okay, we're finished with that, now let's walk through this and let's see what kind of holes we can poke in." And also be like, "Oh, oh, I didn't realize that could happen." Right. "Oh my God, there's a direct line from the outs... outside into this particular crucial piece of machinery," and one guy's, "Oh, we need that for, for reporting purposes." "If we're not putting any kind of... where, where are the protections on it?" And then everyone goes, "Oh." Like that, that's what I'd love to see. Yeah, you're expanding their world, basically. Yeah. And then they get it, and I always try, like, oh, one of the things I always try to do is always try to relate to them in that sense, like, "Okay, look, this is what's, this is what it is," and, and then they get it, and when they get it, you see the light bulbs come off in their head and they go, "Okay." And then they turn around, and here's the beauty about it, is they turn around, they use the tools, and, well, there's one of two ways of doing it: either they come back to you like, "Oh, you're so great," or more commonly, because I'm a contractor a lot of times in these places, they say, like, "I had the greatest idea, I'm using this thing called STRIDE and threat volume." Like, "I thought of that." I taught that to you. Uh-huh. But then I know that I got through somewhere. My wife always says to me, "Look, you won, okay, sit down and calm down, you won, have a beer, let him have the win." Yeah, you won. I'm like, "Yeah, we both know who actually won."

New episodes of Cyber Work are available every Monday at 1 p.m. Central, and don't forget to claim your free month of Infosec Skills. Sign up using the code "cyberwork" and you'll get unlimited access to hundreds of courses, hands-on labs, certification practice exams, skills assessments and more. Use code "cyberwork" for Infosec Skills.
