Screaming in the Cloud

In this Replay of Screaming in the Cloud, we revisit our inspiring conversation with Jackie Singh. At the time, she had recently served as a senior cybersecurity staffer at the Biden campaign. But her venerated career is considerably more than that alone. Jackie’s time spent in the Army, at the DoD, and eventually at work in the commercial world allows her to bring an adroit sensibility to her work and to this episode. Jackie goes into detail on her time spent at the Biden campaign and the intricacies of working in such highly politicized, and short term, environment. The cyber security threats she faced there were paramount, to downplay it, and have given Jackie a rich and constantly developing perspective on security. That in combination with her career has helped her develop a perspective that she has kindly discussed in detail during this episode! Tune in for the whole story.


Show Highlights
(0:00) Intro
(1:16) Backblaze sponsor read
(1:42) Working for the 2020 Biden Campaign
(4:45) The high-stakes world of political information security
(10:08) Breaking down Jackie’s impressive resume
(12:38) Being the target of a far-right tabloid hit piece
(16:24) Contemporary politics, bad faith discourse, and its role in tech
(23:34) Common Fate sponsor read
(24:03) The ethics of reporting InfoSec vulnerabilities
(31:13) Explaining “threat modeling”
(36:49) Where you can find more from Jackie


About Jackie Singh
Jackie Singh is an Information Security professional with more than 20 years of hacking experience, beginning in her preteen. She began her career in the US Army, and deployed to Iraq in 2003. Jackie subsequently spent several years in Iraq in cleared roles for the Department of Defense.
She is now an independent consultant. Her passion extends to evangelizing best practices, writing and research for her blog, tweeting informative content, speaking at conferences, contributing to podcasts, and collaborating with fellow journalists and security professionals.


Links:


Original Episode:
https://www.lastweekinaws.com/podcast/screaming-in-the-cloud/security-challenges-and-working-for-president-biden-with-jackie-singh/



Sponsors
Backblaze: https://www.backblaze.com/
Common Fate: http://commonfate.io/

What is Screaming in the Cloud?

Screaming in the Cloud with Corey Quinn features conversations with domain experts in the world of Cloud Computing. Topics discussed include AWS, GCP, Azure, Oracle Cloud, and the "why" behind how businesses are coming to think about the Cloud.

Jackie: We have to ask ourselves who we want to be at the end of the day and what type of energy we want to put out into the world, and that’s a choice that we make every day.

Corey: Welcome to Screaming in the Cloud. I’m Corey Quinn. The best part about being me—well, there’s a lot of great things about being me, but from my perspective, the absolute best part is that I get to interview people on the show who have done awesome and impressive things. Therefore by osmosis, you tend to assume that I’m smart slash know-what-the-living-hell-I’m-talking-about. This is proveably untrue, but that’s okay.

Even when I say it outright, this will fade into the depths of your mind and not take hold permanently. Today is, of course, no exception. My guest is Jackie Singh, who’s an information security professional, which is probably the least interesting way to describe who she is and what she does. Most recently, she was a senior cybersecurity staffer at the Biden campaign. Thank you so much for joining me. What was that like?

Jackie: Thank you so much for having me. What was that like? The most difficult and high-pressure, high-stress job I’ve ever had in my life. And, you know, I spent most of my early 20s in Iraq and Africa. [laugh]

Sponsor: Backblaze B2 Cloud Storage helps you scale applications and deliver services globally. Egress is free up to 3X of data stored, and completely free between S3-compatible Backblaze and leading CDN and compute providers like Fastly, Cloudflare, Vultr, and CoreWeave. Visit backblaze.com to learn more. Backblaze—cloud storage built better.

Corey: It’s interesting, you’re not the first person to make the observation that, “Well, I was in the military, and things are blowing up all around, and what I’m doing next to me is like—‘oh, the site is down and can’t show ads to people?’ Bah, that’s not pressure.” You’re going the other direction. It’s like, yeah, this was higher stress than that. And that right there is not a common sentiment.

Jackie: I couldn’t anticipate, when I was contacted for the role—for which I had applied to through the front door like everyone else, sent in my resume, thought it looked pretty cool—I didn’t expect to be contacted. And when I was interviewed and got through the interviews and accepted the role, I still did not properly anticipate how this would change my life and how it would modify my life in the span of just a few months; I was on the campaign for five to six months.

Corey: Now, there’s a couple of interesting elements to this. The first is it’s rare that people will say, “Oh, I had a job for five to six months,” and, a, put it on their resume because that sounds like, “Ah, are you one of those job-hopper types?” But when you go into a political campaign, it’s very clearly, win or lose, we’re out of jobs in November. Ish. And that is something that is really neat from the perspective of career management and career planning. Usually is, “Hey, do you want a six-month job?” It’s, “Why? Because I’m going to rage quit at the end of it. That seems a little on the weird side.” But with a campaign, it’s a very different story. It seems like a different universe in some respects.

Jackie: Yes, absolutely. It was different than any other role I’d ever had. And being a political dilettante, [laugh] essentially, walking into this, I couldn’t possibly anticipate what that environment would be like. And, frankly, it is a bit gatekept in the sense that if you haven’t participated on a campaign before, you really don’t have any idea what to expect, and they’re all a bit different to, like, their own special snowflake, based on the people who are there, and the moment in time during which you are campaigning, and who you are campaigning for. And it really does change a perspective on civic life and what you can do with your time if you chose to spend it doing something a little bigger than your typical TechOps.

Corey: It also is a great answer, too, when people don’t pay close enough attention. “So, why’d you leave your last job?” “He won.” Seems like a pretty—

Jackie: [laugh] .

Corey: —easy answer to give, on some level.

Jackie: Yes, absolutely. But imagine the opposite. Imagine if our candidate had lost, or if we had had data walk out the door like in 2016. The Democratic National Convention was breached in 2016 and some unflattering information was out the door, emails were hacked. And so it was difficult to anticipate… what we had control over and how much control we could actually exert over the process itself, knowing that if we failed, the repercussions would be extremely severe.

Corey: It’s a different story than a lot of InfoSec gigs. Companies love to talk like it is the end of the universe if they wind up having a data breach, in some effect. They talk about that the world ends because for them it kind of does because you have an ablative CSO who tries to also armor themselves with ablative interns that they can blame—if your SolarWinds. But the idea being that, “Oh yeah, if we get breached we are dunzo.”

And it’s, first, not really. Let’s not inflate the risks here. Let’s be honest; we’re talking about something like you’re a retailer; if you get breached, people lose a bunch of credit card numbers, the credit card companies have to reissue it to everyone, you get slapped with a fine, and you get dragged in the press, but statistically, look at your stock price a year later, it will be higher than at the time of the breach in almost every case. This is not the end of the world. You’re talking about something though that has impacts that have impossible-to-calculate repercussions.

We’re talking about an entire administration shift; US foreign policy, domestic policy, how the world works and functions is in no small part tied to data security. That’s a different level of stress than I think most security folks, if you get them honest enough, are going to admit that, yeah, what I do isn’t that important from an InfoSec perspective. What you did is.

Jackie: I appreciate that, especially having worked in the military. Since I left the military, I was always looking for a greater purpose and a larger mission to serve. And in this instance, the scope of work was somewhat limited, but the impact of failing would have been quite wide-ranging, as you’ve correctly identified. And walking into that role, I knew there was a limited time window to get the work done. I knew that as we progressed and got closer and closer to election day, we would have more resources, more money rolls in, more folks feel secure in the campaign and understand what the candidate stands for, and want to pump money into the coffers. And so you’re also in an interesting situation because your resourcing is increasing, proportional to the threat, which is very time-bound.

Corey: An inherent challenge is that unlike in a corporate environment, in many respects, where engineers can guard access to things and give the business clear lines of access to things and handle all of it in the background, one of the challenges with a campaign is that you are responsible for data security in a variety of different ways, and the interfaces to that data explode geometrically and to people with effectively no level whatsoever of technical sophistication. I’m not talking about the candidate necessarily—though that’s of course, a concern—but I’m talking organizers, I’m talking volunteers, I’m talking folks who are lifelong political operatives, but they tend not to think in terms of, “Oh, I should enable multi-factor authentication on everything that I have,” because that is not what they are graded on; it’s pass-fail. So, it’s one of those things where it is not the number one priority for anyone else in your organization, but it is yours and you not only have to get things into fighting shape, you have to furthermore convince people to do the things that get them there. How do you approach that?

Jackie: Security awareness [laugh] in a nutshell. We were lucky to work with Bob Lord, who is former CSO at Yahoo, OAuth, Rapid7, and has held a number of really important roles that were very wide in their scope, and responsible for very massive data sets. And we were lucky enough to, in the democratic ecosystem, have a CSO who really understood the nature of the problem, and the way that you described it just now is incredibly apt. You’re working with folks that have no understanding or very limited understanding of what the threat actors were interested in breaching the campaign, what their capability set is, and how they might attempt to breach an organization. But you also had some positives out of that.

When you’re working with a campaign that is distributed, your workforce is distributed, and your systems are also distributed. And when you lose that centralization that many enterprises rely on to get the job done, you also reduce opportunities for attackers to compromise one system or one user and move laterally. So, that was something that we had working for us. So, security awareness was incredibly important. My boss worked on that quite a bit.

We had an incredible IT help desk who really focused on connecting with users and running them through a checklist so everyone in the campaign had been onboarded with a specific set of capabilities and an understanding of what the security setup was and how to go about their business in a secure way. And luckily, very good decisions had been made on the IT side prior to the security team joining the organization, which set the stage for a strong architecture that was resistant to attack. So, I think a lot of the really solid decisions and security awareness propagation had occurred prior to myself and my boss joining the campaign.

Corey: One of the things that I find interesting is that before you started that role—you mentioned you came in through the front door, which personally I’ve never successfully gotten a job like that; I always have to weasel my way in because I have an eighth-grade education and my resume—

Jackie: [laugh] .

Corey: —well, tenure-wise, kind of, looks like a whole bunch of political campaigns. And that’s fine, but before that, you were running your own company that was a focused security consultancy. Before that, your resume is a collection of impressive names. You were a principal consultant at Mandiant, you were at Accenture. You know what you’re talking about.

You were at McAfee slash Intel. You’ve done an awful lot of corporate world stuff. What made you decide to just wake up one day and decide, “You know what sounds awesome? Politics because the level of civil discourse there is awesome, and everyone treats everyone with respect and empathy, and no one gets heated or makes ridiculous arguments and the rest. That’s the area I want to go into.” What flipped that switch for you?

Jackie: If I’m completely honest, it was pure boredom. [laugh] . I started my business, Spyglass Security, with my co-founder, Jason [Shore] . And our purpose was to deliver boutique consulting services in a way that was efficient, in a way that built on prior work, and in a way that helped advance the security maturity of an organization without a lot of complex terminology, 150-page management consulting reports, right? What are the most effective operational changes we can make to an organization in how they work, in order to lead to some measurable improvement?

And we had a good success at the New York City Board of Elections where we were a subcontractor to a large security firm. And we were in there for about a year, building them a vulnerability management program, which was great. But generally speaking, I have found myself bored with having the same conversations about cybersecurity again and again, at the startup level and really even at the enterprise level. And I was looking for something new to do, and the role was posted in a Slack that I co-founded that is full of digital forensics and information security folks, incident responders, those types of people.

And I didn’t hear of anyone else applying for the role. And I just thought, “Wow, maybe this is the kind of opportunity that I won’t see again.” And I honestly sent my resume and didn’t expect to hear anything back, so it was incredible to be contacted by the chief information security officer about a month after he was hired.

Corey: One of the things that made it very clear that you were doing good work was the fact that there was a hit piece taken out on you in one of the absolute worst right-wing rags. I didn’t remember what it was. It’s one of those, oh, I’d been following you on Twitter for a bit before that, but it was one of those okay, but I tend to shortcut to figuring out who I align with based upon who yells at them. It’s one of those—to extend it a bit further—I’m lazy, politically speaking. I wind up looking at two sides yelling at each other, I find out what side the actual literal flag-waving Nazis are on, and then I go to the other side because I don’t ever want someone to mistake me for one of those people. And same story here. It’s okay, you’re clearly doing good work because people have bothered to yell at you in what we will very generously term ‘journalism.’

Jackie: Yeah, I wouldn’t refer to any of those folks—it was actually just one quote-unquote journalist from a Washington tabloid who decided to write a hit piece the week after I announced on Twitter that I’d had this role. And I took two months or so to think about whether I would announce my position at the campaign. I kept it very quiet, told a couple of my friends, but I was really busy and I wasn’t sure if that was something I wanted to do. You know, as an InfoSec professional, that you need to keep your mouth shut about most things that happened in the workplace, period. It’s a sensitive type of role and your discretion is critical.

But Kamala really changed my mind. Kamala became the nominee and, you know, I have a similar background to hers. I’m half Dominican—my mother’s from the Dominican Republic and my father is from India, so I have a similar background where I’m South Asian and Afro-Caribbean—and it just felt like the right time to bolster her profile by sharing that the Biden campaign was really interested in putting diverse candidates in the world of politics, and making sure that people like me have a seat at the table. I have three young daughters. I have a seven-year-old, a two-year-old, and a one-year-old.

And the thing I want for them to know in their heart of hearts is that they can do anything they want. And so it felt really important and powerful for me to make a small public statement on Twitter about the role I had been in for a couple of months. And once I did that, Corey, all hell broke loose. I mean, I was suddenly the target of conspiracy theorists, I had people trying to reach out to me in every possible way. My LinkedIn messages, it just became a morass of—you know, on one hand, I had a lot of folks congratulate me and say nice things and provide support, and on the other, I just had a lot of, you know, kind of nutty folks reach out and have an idea of what I was working to accomplish that maybe was a bit off base.

So yeah, I really wasn’t surprised to find out that a right-wing or alt-right tabloid had attempted to write a hit piece on me. But at the end of the day, I had to keep moving even though it was difficult to be targeted like that. I mean, it’s just not typical. You don’t take a job and tell people you got a job, [laugh] and then get attacked for it on the national stage. It was really unsurprising on one hand, yet really quite shocking on another; something I had to adjust to very quickly. I did cry at work. I did get on the phone with legal and HR and cry like a baby. [laugh] .

Corey: Oh, yeah.

Jackie: Yeah. It was scary.

Corey: I guess this is an example of my naivete, but I do not understand people on the other side of the issue of InfoSec for a political campaign—and I want to be clear, I include that to every side of an aisle—I think there are some quote-unquote, “Political positions” that are absolutely abhorrent, but I also in the same breath will tell you that they should have and deserve data security and quality InfoSec representation. In a defensive capacity, to be clear. If you’re—“I’m the offensive InfoSec coordinator for a campaign,” that’s a different story. And we can have a nuanced argument about that.

Jackie: [laugh] .

Corey: Also to be very clear, for the longest time—I would say almost all of my career until a few years ago—I was of the impression whatever I do, I keep my politics to myself. I don’t talk about it in public because all I would realistically be doing is alienating potentially half of my audience. And what shifted that is two things. One of them, for me at least, is past a certain point, let’s be very clear here: silence is consent. And I don’t ever want to be even mistaken at a glance for being on the wrong side of some of these issues.

On another, it’s, I don’t accept, frankly, that a lot of the things that are currently considered partisan are in fact, political issues. I can have a nuanced political debate on either side of the aisle on actual political issues—talking about things like tax policy, talking about foreign policy, talking about how we interact with the world, and how we fund things we care about and things that we don’t—I can have those discussions. But I will not engage and I will not accept that, who gets to be people is a political issue. I will not accept that treating people with respect, regardless of how high or low their station, is a political issue. I will not accept that giving voice to our worst darkest impulses is a political position.

I just won’t take it. And maybe that makes me a dreamer. I don’t consider myself a political animal. I really don’t. I am not active in local politics. Or any politics for that matter. It’s just, I will not compromise on treating people as people. And I never thought, until recently, that would be a political position, but apparently, it is.

Jackie: Well, we were all taught the golden rule is children.

Corey: There’s a lot of weird things that were taught as children that it turns out, don’t actually map to the real world. The classic example of that is sharing. It’s so important that we teach the kids to share, and always share your toys and the rest. And now we’re adults, how often do we actually share things with other people that aren’t members of our immediate family? Turns out not that often. It’s one of those lessons that ideally should take root and lead into being decent people and expressing some form of empathy, but the actual execution of it, it’s yeah, sharing is not really a thing that we value in society.

Jackie: Not in American society.

Corey: Well, there is that. And that’s the challenge, is we’re always viewing the world through the lens of our own experiences, both culturally and personally, and it’s easy to fall into the trap that is pernicious and it’s always there, that our view of the world is objective and correct, and everyone else is seeing things from a perspective that is not nearly as rational and logical as our own. It’s a spectrum of experience. No one wakes up in the morning and thinks that they are the villain in the story unless they work for Facebook’s ethics department. It’s one of those areas of just people have a vision of themselves that they generally try to live up to, and let’s be honest people fell in love with one vision of themselves, it’s the cognitive dissonance thing where people will shift their beliefs instead of their behavior because it’s easier to do that, and reframe the narrative.

It’s strange how we got to this conversation from a starting position of, “Let’s talk about InfoSec,” but it does come back around. It comes down to understanding the InfoSec posture of a political campaign. It’s one of those things that until I started tracking who you were and what you were doing, it wasn’t something really crossed my mind. Of course, now you think about, of course there’s a whole InfoSec operation for every campaign, ever. But you don’t think about it; it’s behind the scenes; it’s below the level of awareness that most people have.

Now, what’s really interesting to me, and I’m curious if you can talk about this, is historically the people working on the guts of a campaign—as it were—don’t make public statements, they don’t have public personas, they either don’t use Twitter or turn their accounts private and the rest during the course of the campaign. You were active and engaging with people and identifying as someone who is active in the Biden campaign’s InfoSec group. What made you decide to do that?

Jackie: Well, on one hand, it did not feel useful to cut myself off from the world during the campaign because I have so many relationships in the cybersecurity community. And I was able to leverage those by connecting with folks who had useful information for me; folks outside of your organization often have useful information to bring back, for example, bug bounties and vulnerability disclosure programs that are established by companies in order to give hackers a outlet. If you find something on hardwarestore.com, and you want to share that with the company because you’re a white hat hacker and you think that’s the right thing to do, hopefully, there’s some sort of a structure for you to be able to do that. And so, in the world of campaigning, I think information security is a relatively new development.

It has been, maybe, given more resources in this past year on the presidential level than ever before. I think that we’re going to continue to see an increase in the amount of resources given to the information security department on every campaign. But I’m also a public person. I really do appreciate the opportunity to interact with my community, to share and receive information about what it is that we do and what’s happening in the world and what affects us from tech and information security perspective.

Corey: It’s just astonishing for me to see from the outside because you are working on something that is foundationally critically important. Meanwhile, people working on getting people to click ads or whatnot over at Amazon have to put ‘opinions my own’ in their Twitter profile, whereas you were very outspoken about what you believe and who you are. And that’s a valuable thing.

Jackie: I think it’s important. I think we often allow corporations to dictate our personality, we allow our jobs to dictate our personality, we allow corporate mores to dictate our behavior. And we have to ask ourselves who we want to be at the end of the day and what type of energy we want to put out into the world, and that’s a choice that we make every day. So, what I can say is that it was a conscious decision. I can say that I worked 14 hours a day, or something, for five, six months. There were no weekends; there was no time off; there were a couple of overnights.

Corey: “So, what do you get to sleep?” “November.”

Jackie: Yeah. [laugh] . My partner took care of the kids. He was an absolute beast. I mean, he made sure that the house ran, and I paid no attention to it. I was just not a mom for those several months, in my own home.

Sponsor: With Common Fate, unlock secure, self-serve cloud access workflows for your engineers. Safely provision access based on configurable access policies and contextual checks, such as on-call status or an employee's department. Teams using Common Fate enable a state of zero standing privilege, where no one has write or data read access into production environments. Check out commonfate.io to learn more.

Corey: Back in 2019, I gave a talk at re:Invent—which is always one of those things that’s going to occasion comment—and the topic that we covered was building a vulnerability disclosure program built upon the story of a vulnerability that I reported into AWS. And it was a decent enough experience that I suggested at some point that you should talk about this publicly, and they said, “You should come talk about it with us.” And I did and it was a blast. But it suddenly became very clear, during the research for that talk and talking to people who’ve set those programs up is that look, one way or another, people are going to find vulnerabilities in what you do and how you do them. And if you don’t give them an easy way to report them to you, that’s okay.

You’ll find out about them in other scenarios when they’re on the front page of the New York Times. So, you kind of want to be out there and accessible to people. Now, there’s a whole story we can go into about the pros and cons of things like bug bounties and the rest, and of course, it’s a nuanced issue, but the idea of at least making it easy for people to wind up reporting things from that perspective is one of those key areas of outreach. Back in the early days of InfoSec, people would explore different areas of systems that they had access to, and very often they were charged criminally. Intel wound up having charges against one of their—I believe it was their employee or something, who wound up founding something and reporting it in an ethical way.

The idea of doing something like that is just ludicrous. You’re in that space a lot more than I am. Do you still see that sort of chilling effect slash completely not getting it when someone is trying to, in good faith, report security issues? Or has the world largely moved on from that level of foolishness?

Jackie: Both. The larger organizations that have mature security programs, and frankly, the organizations that have experienced a significant public breach, the organizations that have experienced pain are those that know better at this point and realize they do need to have a program, they do need to have a process and a procedure, and they need to have some kind of framework for folks to share information with them in a way that doesn’t cause them to respond with, “Are you extorting me? Is this blackmail?” As a cybersecurity professional working at my own security firm and also doing security research, I have reported dozens of vulnerabilities that I’ve identified, open buckets, for example. My partner at Spyglass and I built a SaaS application called Data Drifter a few years ago.

We were interviewed by NBC about this and NBC followed up on quite a few of our vulnerability disclosures and published an article. But what the software did was look for open buckets on Azure, AWS, and GCP and provide an analyst interface that allows a human to trawl through very large datasets and understand what they’re looking at. So, for example, one of the finds that we had was that musical.ly—musical-dot-L-Y, which was purchased by TikTok, eventually—had a big, large open bucket with a lot of data, and we couldn’t figure out how to report it properly. And they eventually took it down.

But you really had to try to understand what you were looking at; if you have a big bucket full of different data types, you don’t have a name on the bucket, and you don’t know who it belongs to because you’re not Google, or Amazon, or Microsoft, what do you do with this information? And so we spent a lot of time trying to reconcile open buckets with their owners and then contacting those owners. So, we’ve received a gamut of ranges of responses to vulnerability disclosure. On one hand, there is an established process at an organization that is visible by the way they respond and how they handle your inquiry. Some folks have ticketing systems, some folks respond directly to you from the security team, which is great, and you can really see and get an example of what their routing is inside the company.

And then other organizations really have no point of reference for that kind of thing, and when something comes into either their support channels or even directly into the cybersecurity team, they’re often scrambling for an effective way to respond to this. And it could go either way; it could get pretty messy at times. I’ve been threatened legally and I’ve been accused of extortion, even when we weren’t trying to offer some type of a service. I mean, you really never walk into a vulnerability disclosure scenario and then offer consulting services because they are going to see it as a marketing ploy and you never want to make that a marketing ploy. I mean, it’s just not… it’s not effective and it’s not ethical, it’s not the right thing to do.

So, it’s been interesting. [laugh] . I would recommend, if you are a person listening to this podcast who has some sort of pull in the information security department at your organization, I would recommend that you start with disclose.io, which was put together by Casey John Ellis and some other folks over at Bugcrowd and some other volunteers. It’s a really great starting point for understanding how to implement a vulnerability disclosure program and making sure that you are able to receive the information in a way that prevents a PR disaster.

Corey: My approach is controversial—I know this—but I believe that the way that you’re approaching this was entirely fatally flawed, of trying to report to people that they have an open S3 bucket. The proper way to do it is to upload reams of data to it because my operating theory is that they’re going to ignore a politely worded note from a security researcher, but they’re not going to ignore a $4 million surprise bill at the end of the month from AWS. That’ll get fixed tout suite. To be clear to the audience, I am kidding on this. Don’t do it. There’s a great argument that you can be charged criminally for doing such a thing. I’m kidding. It’s a fun joke. Don’t do it. I cannot stress that enough. We now go to Jackie for her laughter at that comment.

Jackie: [laugh] .

Corey: There we go.

Jackie: I’m on cue. Well, a great thing about Data Drifter, that SaaS application that allowed analysts to review the contents of these open buckets, was that it was all JavaScript on the client-side, and so we weren’t actually hosting any of that data ourselves. So, they must have noticed some transfer fees that were excessive, but if you’re not looking at security and you have an infrastructure that isn’t well monitored, you may not be looking at costs either.

Corey: Costs are one of those things that are very aligned spiritually with security. It’s a trailing function that you don’t care about until right after you really should have cared about it. With security, it’s a bit of a disaster when it hits, whereas with those surprise bills, “Oh, okay. We wasted some money.” That’s usually, a, not front-page material and, b, it’s okay, let’s be responsible and fix that up where it makes sense, but it’s something that is never a priority. It’s never a ‘summon the board’ story for anything short of complete and utter disaster. So, I do feel a sense of spiritual alignment here.

Jackie: [laugh] . I can see that. That makes perfect sense.

Corey: Before we call this an episode, one other area that you’ve been active within is something called ‘threat modeling.’ What is it?

Jackie: So, threat modeling is a way to think strategically about cybersecurity. You want to defend, effectively, by understanding your organization as a collection of people, and you want to help non-technical staff support the cybersecurity program. So, the way to do that is potentially to give a human-centric focus to threat modeling activities. Threat modeling is a methodology for linking humans to an effective set of prioritized defenses for the most likely types of adversaries that they might face. And so essentially the process is identifying your subject and defining the scope of what you would like to protect.

Are you looking to protect this person’s personal life? Are you exclusively protecting their professional life or what they’re doing in relation to an organization? And you want to iterate through a few questions and document an attack tree. Then you would research some tactics and vulnerabilities, and implement defensive controls. So, in a nutshell, we want to know what assets does your subject have or have access to, that someone might want to spy, steal, or harm; you want to get an idea of what types of adversaries you can expect based on those assets or accesses that they have, and you then want to understand what tactics those adversaries are likely to use to compromise those assets or accesses, and you then transform that into the most effective defenses against those likely tactics.

So, using that in practice, you would typically build an attack tree that starts with the human at the center and lists out all of their assets and accesses. And then off of those, each of those assets or accesses, you would want to map out their adversary personas. So, for example, if I work at a bank and I work on wire transfers, my likely adversary would be a financially motivated cybercriminal, right? Pretty standard stuff. And we want to understand what are the methods that these actors are going to employ in order to get the job done.

So, in a common case, in a business email compromised context, folks might rely on a signer at a company to sign off on a wire transfer, and if the threat actor has an opportunity to gain access to that person’s email address or the mechanism by which they make that approval, then they may be able to redirect funds to their own wallet that was intended for someone else or a partner of the company. Adversaries tend to employ the least difficult approach; whatever the easiest way in is what they’re going to employ. I mean, we spend a lot of time in the field of information security and researching the latest vulnerabilities and attack paths and what are all the different ways that a system or a person or an application can be compromised, but in reality, the simplest stuff is usually what works, and that’s what they’re looking for. They’re looking for the easiest way in. And you can really observe that with ransomware, where attackers are employing a spray and pray methodology.

They’re looking for whatever they can find in terms of open attack surface on the net, and then they’re targeting organizations based on who they can compromise after the fact. So, they don’t start with an organization in mind, they might start with a type of system that they know they can easily compromise and then they look for those, and then they decide whether they’re going to ransomware that organization or not. So, it’s really a useful way, when you’re thinking about human-centric threat modeling, it’s really a useful way to completely map your valuables and your critical assets to the most effective ways to protect those. I hope that makes sense.

Corey: It very much does. It’s understanding the nature of where you start, where you stop, what is reasonable, what is not reasonable. Because like a lot of different areas—DR, for example—security is one of those areas you could hurl infinite money into and still never be done. It’s where do you consider it reasonable to start? Where do you consider it reasonable to stop? And without having an idea of what the model of threat you’re guarding against is, the answer is, “All the money,” which it turns out, boards are surprisingly reluctant to greenlight.

Jackie: Absolutely. We have a recurring problem and information security where we cannot measure return on investment. And so it becomes really difficult to try to validate a negative. It’s kind of like the TSA; the TSA can say that they’ve spent a lot of money and that nothing has happened or that any incidents have been limited in their scope due to the work that they’ve done, but can we really quantify the amount of money that DHS has absorbed for the TSA’s mission, and turned that into a really wonderful and measurable understanding of how we spent that money, and whether it was worth it? No, we can’t really. And so we’re always struggling with that insecurity, and I don’t think we’ll have an answer for it in the next ten years or so.

Corey: No, I suspect not, on some level. It’s one of those areas where I think the only people who are really going to have a holistic perspective on this are historians.

Jackie: I agree.

Corey: And sadly I’m not a cloud historian; I’m a cloud economist, a completely different thing I made up.

Jackie: [laugh] . Well, from my perspective, I think it’s a great title. And I agree with your thought about historians, and I look forward to finding out how they felt about what we did in the information security space, both political and non-political, 20, 30, and 40 years from now.

Corey: I hope to live long enough to see that. Jackie, thank you so much for taking the time to speak with me today. If people want to learn more about what you’re up to and how you view things, where can they find you?

Jackie: You can find me on Twitter at @hackingbutlegal.

Corey: Great handle. I love it.

Jackie: Thank you so much for having me.

Corey: Oh, of course. It is always great to talk with you. Jackie Singh, principal threat analyst, and incident responder at the Biden campaign. Obviously not there anymore. I’m Cloud Economist Corey Quinn and this is Screaming in the Cloud. If you’ve enjoyed this podcast, please leave a five-star review on your podcast provider of choice, whereas if you’ve hated this podcast, please leave a five-star review on your podcast platform of choice along with a comment expressing an incoherent bigoted tirade that you will, of course, classify as a political opinion, and get you evicted from said podcast provider.