Tools vs threats model: making the conscious use of tools for trainees

From IFF Wiki
Jump to: navigation, search

Session Description

Usual situation: after the digital security training an average participant know lots of new tools, but actually doesn't realize what tool is doing what; and (extremely important) what the tool does not. Here in DSS380 (Digital security school Ukraine) we have started to pay a lot of attention to threat modeling, and for now we think that the model "polisy - threat model - mechanism" really works and makes everything much more clear. I would like to do a small 45-minutes session with an example of how it could be done at the training; to take a one tool, or a mechanism (to choose just right there at the beginning of the session) and to bring it inside the "polisy - threat model - mechanism" model.

Tools vs threats model: making the conscious use of tools for trainees
Presenter/s Mykola Kostynyan
Bio/s 32 yo leading trainer of the DSS380.ORG - Digital security school in Ukraine (established by in summer 2015), before - independent DS trainer, worded with OSCE, IWPR, Europeum, Internews Network, ISC project and others.
Language English (not the best one)

Session Comments

    1. Security != tools

Big problem, trainees expect tools / silver bullet - it's not a training w/o tool learning

but also so many tools; overlapping and confusing; need better understanding of threat models

good allegory of people taking pills w/o doctor input; taking random pills, get conflicting Rx's

    1. How to deal?

Discuss threat models of personas

asset-based threat modeling - talking about data/assets and adversaries

Operational risks; starting even with travel and seat belts; moving in to risk assessment and priority setting

flow diagram to show the the exceptional security and "normal" daily level pair with threat model immersive exercise that shows how things travel, starts with sending a letter