Screaming in the Cloud - Security Challenges and Working for President Biden with Jackie Singh
Episode Date: September 30, 2021

About Jackie

Jackie Singh is an Information Security professional with more than 20 years of hacking experience, beginning in her preteen years. She began her career in the US Army, and deployed to Iraq in 2003. Jackie subsequently spent several years in Iraq and Africa in cleared roles for the Department of Defense.

Since making the shift to the commercial world in 2012, Jackie has held a number of significant roles in operational cybersecurity, including Principal Consultant at Mandiant and FireEye, Global Director of Incident Response at Intel Security and McAfee, and CEO/Cofounder of a boutique consultancy, Spyglass Security.

Jackie is currently Director of Technology and Operations at the Surveillance Technology Oversight Project (S.T.O.P.), a 501(c)(3) non-profit advocacy organization and legal services provider. S.T.O.P. litigates and advocates to abolish local governments' systems of mass surveillance.

Jackie lives in New York City with her partner, their daughters, and their dog Ziggy.

Links:
Disclose.io: https://disclose.io
Twitter: https://twitter.com/hackingbutlegal
Transcript
Hello, and welcome to Screaming in the Cloud, with your host, Chief Cloud Economist at the
Duckbill Group, Corey Quinn.
This weekly show features conversations with people doing interesting work in the world
of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles
for which Corey refuses to apologize.
This is Screaming in the Cloud.
This episode is sponsored in part by our friends at VMware.
Let's be honest, the past year has been far from easy due to, well, everything.
It caused us to rush cloud migrations and digital transformation,
which of course means long hours refactoring your apps, surprises on your cloud bill, misconfigurations, and headaches for everyone trying to manage disparate and fractured cloud environments.
VMware has an answer for this. Organizations have the choice, speed, and control to migrate and optimize applications seamlessly without recoding,
take the fastest path to modern infrastructure, and operate consistently across the data center, the edge, and any cloud.
I urge you to take a look at VMware.com slash go slash multicloud.
You know my opinions on multicloud by now, but there's a lot of stuff in here that works on any cloud.
But don't take it from me. That's VMware.com slash go slash multi-cloud, all one word. And my thanks
to them again for their sponsorship of my ridiculous nonsense. This episode is sponsored
in part by Yugabyte. Distributed technologies like Kubernetes are great, citation very much needed, because they
make it easier to have resilient, scalable systems. SQL databases haven't kept pace, though. Certainly
not like NoSQL databases have, like Route 53, the world's greatest database. We're still, other than
that, using legacy, monolithic databases that require ever-growing instances of compute.
Sometimes we'll try and bolt them together to make them more resilient and scalable,
but let's be honest, it never works out well.
Consider YugabyteDB.
It's a distributed SQL database that solves basically all of this.
It is 100% open source, and there's no asterisk next to the open on that one.
And it's designed to be resilient and scalable out of the box,
so you don't have to shard yourself to death.
It's compatible with PostgreSQL, or Postgresqueel, as I insist on pronouncing it,
so you can use it right away without having to learn a whole new language and refactor everything.
And you can distribute it wherever your applications take you,
from across availability
zones to other regions, or even other cloud providers should one of those happen to exist.
Go to yugabyte.com, that's Y-U-G-A-B-Y-T-E dot com, and try their free beta of Yugabyte Cloud,
where they host and manage it for you. Or see what the open source project looks like,
it's effortless distributed SQL for global apps.
My thanks to Yugabyte for sponsoring this episode.
Welcome to Screaming in the Cloud.
I'm Corey Quinn.
The best part about being me,
well, there's a lot of great things about being me,
but from my perspective, the absolute best part
is that I get to interview people on the show
who have done awesome and impressive things.
Therefore, by osmosis, you tend to assume that I'm smart slash know what the living hell I'm
talking about. This is provably untrue, but that's okay. Even when I say it outright,
this will fade into the depths of your mind and not take hold permanently. Today is, of course,
no exception. My guest is Jackie Singh, who's an information security professional,
which is probably the least interesting way to describe who she is and what she does. Most
recently, she was a senior cybersecurity staffer at the Biden campaign. Thank you so much for
joining me. What was that like? Thank you so much for having me. What was that like? The most difficult and high
pressure, high stress job I've ever had in my life. And, you know, I spent most of my early 20s in
Iraq and Africa. It's interesting that you're not the first person to make the observation that,
well, I was in the military and the things are blowing up all around. And what I'm doing next
to me is like, oh, the site is down and can't show ads to people?
Ah, that's not pressure.
You're going the other direction.
It's like, yeah, this was higher stress than that.
And that right there is not a common sentiment.
I couldn't anticipate when I was contacted for the role for which I had applied through the front door, like everyone else sent
in my resume, thought it looked pretty cool. I didn't expect to be contacted. And when I was
and interviewed and got through the interviews and accepted the role, I still
did not properly anticipate how this would change my life and how it would modify my life in the span of just a few months.
You know, I was on the campaign for five to six months.
Now, there's a couple of interesting elements to this. The first is it's rare that people will say,
oh, I had a job for five to six months and, A, put it on their resume because that sounds like,
ah, are you one of those job hopper types? But when you go into a political campaign, it's very clearly win or lose. We're out of jobs in November-ish. And that
is something that is really neat from the perspective of career management and career
planning. Usually it's, hey, do you want a six-month job? It's, why? Because I'm going to
rage quit at the end of it? That seems a little on the weird side. But with a campaign, it's a
very different story. It seems like a different universe in some
respects. Yes, absolutely. It was different than any other role I'd ever had. And being a political
dilettante, essentially, walking into this, I couldn't possibly anticipate what that environment
would be like. And frankly, it is a bit gatekept in the sense that if you
haven't participated on a campaign before, you really don't have any idea what to expect.
And they're all a bit different, like their own special snowflake, based on the people who are
there and the moment in time during which you are campaigning and who you are campaigning for.
And it really does change a perspective on civic life
and what you can do with your time
if you choose to spend it doing something a little bigger
than your typical tech ops.
It also is a great answer too
when people don't pay close enough attention.
So why'd you leave your last job?
He won.
Seems like a pretty easy answer to give on some level.
Yes, absolutely.
But imagine the opposite.
Imagine if our candidate had lost or if we had had data walk out the door like in 2016.
The Democratic National Convention was breached in 2016 and some unflattering information was out the door.
Emails were
hacked. And so it was difficult to anticipate what we had control over and how much control
we could actually exert over the process itself, knowing that if we failed, the repercussions would
be extremely severe. It's a different story than a lot of InfoSec gigs.
It's, companies love to talk
like it is the end of the universe
if they wind up having a data breach in some effect.
They talk about that the world ends
because for them it kind of does
because you have an ablative CISO
who tries to also armor themselves
with a blade of interns that they can blame
if you're SolarWinds.
But the idea being that, oh yeah, if we get breached, we are donezo. And it's first,
not really. Let's not inflate the risks here. Let's be honest. We're talking about something
like you're a retailer. If you get breached, people lose a bunch of credit card numbers.
The credit card companies have to reissue it to everyone. You get slapped with a fine and you get
dragged in the press. But statistically, look at your stock price a year later, it will be higher than at the time of the breach in almost every case. This is not the end of the world. You're talking about something, though, that has impacts that are impossible to calculate repercussions. We're talking about an entire administration shift, U.S. foreign policy, domestic policy, how the world works and functions is in no small part
tied to data security. That's a different level of stress than I think most security folks,
if you get them honest enough, are going to admit that, yeah, what I do isn't that important from
an InfoSec perspective, but what you do is. I appreciate that, especially having worked
in the military. Since I left the military, I was always looking for a greater purpose and a larger mission to serve. And in this instance, the scope of work was a limited time window to get the work done.
I knew that as we progressed and got closer and closer to election day we would have more
resources, more money rolls in, more folks feel secure in the campaign and understand what the
candidate stands for and want to pump money into the coffers. And so you're also in
an interesting situation because your resourcing is increasing proportional to the threat, which is
very time-bound. An inherent challenge is that unlike in a corporate environment in many respects
where engineers can guard access to things and give the business clear lines of access to things
and handle all of it in
the background. One of the challenges with a campaign is that you are responsible for data
security in a variety of different ways. And the interfaces to that data explode geometrically
and to people with effectively no level whatsoever of technical sophistication. I'm not talking about
the candidate necessarily, though that's of course a concern, but I'm talking organizers, I'm talking volunteers,
I'm talking folks who are lifelong political operatives, but they tend not to think in terms
of, oh, I should enable multi-factor authentication on everything that I have, because that is not
what they are graded on. It's pass-fail. So it's one of those things where it is not the number one priority for anyone else in
your organization, but it is yours.
And you not only have to get things into fighting shape, you have to furthermore convince people
to do the things that get them there.
How do you approach that?
Security awareness in a nutshell.
We were lucky to work with Bob Lord, who's a former CISO at Yahoo, Oath, Rapid7, and has held a number of really important roles that were very wide in their scope and responsible for very massive data sets. And we were lucky enough to, you know, in the democratic ecosystem,
have a CISO who really understood the nature of the problem in the way that you described it just
now is incredibly apt. You know, you're working with folks that have no understanding or very
limited understanding of what the threat actors who are interested in breaching the
campaign, you know, what their capability set is and how they might attempt to breach an organization.
But you also had some positives out of that. When you're working with a campaign that is distributed,
your workforce is distributed and your systems are also distributed. When you lose that
centralization that many enterprises rely on to get the job done,
you also reduce opportunities for attackers
to compromise one system or one user and move laterally.
So that was something that we had working for us.
So security awareness was incredibly important.
My boss worked on that quite a bit.
We had an incredible IT help desk
who really focused on connecting with users and running them through a checklist.
So everyone in the campaign had been onboarded with a specific set of capabilities and an understanding of what the security setup was and how to go about their business in a secure way. And luckily, very good decisions
had been made on the IT side prior to the security team joining the organization,
which set the stage for a strong architecture that was resistant to attack. So I think a lot
of the really solid decisions and security awareness propagation had occurred prior to myself and my boss joining
the campaign. One of the things that I find interesting is that before you started that
role, you mentioned you came in through the front door, which personally, I've never successfully
gotten a job like that. I always have to weasel my way in because I have an eighth grade education
and my resume, well, tenure-wise, kind of looks like a whole bunch of political campaigns and that's fine. But before that, you were running your own company
that was a focused security consultancy. Before that, your resume is a collection of impressive
names. You were a principal consultant at Mandiant. You were at Accenture. You know what
you're talking about. You were at McAfee slash Intel. You've done an awful lot of corporate
world stuff. What made you decide to just wake up one day and decide, you know what?
Sounds awesome politics because the level of civil discourse there is awesome. And everyone
treats everyone with respect and empathy and no one gets heated or makes ridiculous arguments
and the rest. That's the area I want to go into. What flipped that switch for you?
If I'm completely honest, it was pure boredom. I started my business, Spyglass Security, with my co-founder, Jason Shore. And our purpose was to deliver boutique consulting services in a
way that was efficient, in a way that built on prior work, and in a way that helped advance the security maturity
of an organization without a lot of complex terminology, 150-page management consulting
reports, right? What are the most effective operational changes we can make to an organization
and how they work in order to lead to some measurable improvement. And we had a good success at the New York City
Board of Elections, where we were a subcontractor to a large security firm. And we were in there
for about a year building them a vulnerability management program, which was great. But
generally speaking, I have found myself bored with having the same conversations about cybersecurity
again and again and again at the startup
level and really even at the enterprise level. And I was looking for something new to do. And
the role was posted in a Slack that I co-founded that is full of digital forensics and information
security folks, incident responders, those types of people. And I didn't hear of anyone else
applying for the role. And I just thought,
wow, maybe this is the kind of opportunity that I won't see again. And I honestly sent my resume
in and didn't expect to hear anything back. So it was incredible to be contacted by the
chief information security officer about a month after he was hired.
One of the things that made it very clear that you were
doing good work was the fact that there was a hit piece taken out on you in one of the absolute
worst right-wing rags. I don't even remember what it was. It's one of those, oh, I've been following
on Twitter for a bit before that, but it was one of those, okay, I tend to shortcut to figuring out
who I align with based upon who yells at them. It's one of those, to extend it a bit further, I'm lazy, politically speaking. I
wind up looking at two sides yelling at each other. I find out what side the actual literal
flag-waving Nazis are on, and then I go to the other side because I don't ever want someone to
mistake me for one of those people. And same story here. It's, okay, you're clearly doing good work
because people have bothered to yell at you in what we will very generously term journalism.
Yeah, I wouldn't refer to any of those folks. It was actually just one quote unquote journalist from a Washington tabloid who decided to write a hit piece the week after I announced on Twitter that I'd had this role. And I took
two months or so to think about whether I would announce my position at the campaign. I kept it
very quiet, told a couple of my friends, but I was really busy and I wasn't sure if that was
something I wanted to do. You know, as an InfoSec professional, that you need
to keep your mouth shut about most things that happen in the workplace, period. It's a sensitive
type of role and your discretion is critical. But Kamala really changed my mind. Kamala became the
nominee. And, you know, I have a similar background to hers. I'm half Dominican. My mother's from the
Dominican Republic and my father is from India. So I have a similar background where I'm South Asian and
Afro-Caribbean. And it just felt like the right time to bolster her profile by sharing that
the Biden campaign was really interested in putting diverse candidates
in the world of politics and making sure that people like me have a seat at the table.
I have three young daughters. I have a seven-year-old, a two-year-old, and a one-year-old.
And the thing I want for them to know in their heart of hearts is that they can do anything they want. And so it felt really
important and powerful for me to make a small public statement on Twitter about the role I had
been in for a couple of months. And once I did that, Corey, all hell broke loose. I mean,
I was suddenly the target of conspiracy theorists. I had people trying to reach out to me in every possible way.
My LinkedIn messages, it just became a morass of, you know, on one hand, I had a lot of folks congratulate me and say nice things and provide support.
And on the other, I just had a lot of, you know, kind of nutty folks reach out and have an idea of what I was working to accomplish that maybe was a bit
off base. So yeah, I really wasn't surprised to find out that a right wing or alt-right tabloid
had attempted to write a hit piece on me. But at the end of the day, I had to keep moving,
even though it was difficult to be targeted like that. I mean, it's just not typical, right?
You don't take a job and tell people you got a job
and then get attacked for it on the national stage.
It was really unsurprising on one hand,
yet really quite shocking on another.
Something I had to adjust to very quickly.
I did cry at work.
I did get on the phone with
Legal and HR and cry like a baby. Oh, yeah. Yeah, it was scary.
I guess this is an example of my naivete, but I do not understand people on the other side of
the issue of InfoSec for a political campaign. And I want to be clear, I include that to every
side of an aisle.
I think there are some quote-unquote political positions that are absolutely abhorrent,
but I also, in the same breath, will tell you that they should have and deserve data security
and quality InfoSec representation in a defensive capacity. To be clear, if I'm the offensive
InfoSec coordinator for a campaign, that's a different story and we
can have a nuanced argument about that. Also, to be very clear, for the longest time, I would say
almost all of my career until a few years ago, I was of the impression that whatever I do,
I keep my politics to myself. I don't talk about it in public, because all I would realistically be doing is alienating potentially
half of my audience. And what shifted that is two things. One of them, for me at least, is the
past a certain point, let's be very clear here, silence is consent. And I don't ever want to be
even mistaken at a glance for being on the wrong side of some of these issues. On another, it's,
I don't accept, frankly, that a lot of the
things that are currently considered partisan are in fact political issues. I can have a nuanced
political debate on either side of the aisle on actual political issues, talking about things like
tax policy, talking about foreign policy, talking about how we interact with the world
and how we fund things we care about
and things that we don't.
I can have those discussions,
but I will not engage and I will not accept
that who gets to be people is a political issue.
I will not accept that treating people with respect,
regardless of how high or low their station,
is a political issue.
I will not accept that giving
voice to our worst, darkest impulses is a political position. I just won't take it.
And maybe that makes me a dreamer. I don't consider myself a political animal. I really don't.
I am not active in local politics or any politics for that matter. It's just,
I will not compromise on treating people
as people. And I never thought until recently that that would be a political position,
but apparently it is. Well, we were all taught the golden rule as children.
There's a lot of weird things that were taught as children that it turns out don't actually
map to the real world. The classic example of that is sharing. It's so important that we teach kids to share and always share your toys and the rest. And now that we're adults,
how often do we actually share things with other people that aren't members of our immediate
family? Turns out not that often. It's one of those lessons that ideally should take root and
lead into being decent people and expressing some form of empathy. But the actual execution of it,
yeah, sharing is not really a thing
that we value in society.
Not in American society.
Well, there is that.
And that's the challenge,
is we're always viewing the world
through the lens of our own experiences,
both culturally and personally.
And it's easy to fall into the trap
that it's pernicious, and it's always there.
That our view of the world is objective and correct,
and everyone else is seeing things
from a perspective that is not nearly as rational or logical as their own.
It's a spectrum of experience.
No one wakes up in the morning and thinks that they are the villain in the story unless they work for Facebook's ethics department.
It's one of those areas of just people have a vision of themselves that they generally try to live up to. And let's be honest, when people fail to live up to their own vision of themselves, it's the cognitive dissonance thing
where people will shift their beliefs
instead of their behavior
because it's easier to do that and reframe the narrative.
It's strange how this,
but we got to this conversation from a starting position
of let's talk about InfoSec,
but it does come back around.
It comes down to understanding
the InfoSec posture of a political campaign.
It's one of those things that until I started tracking who you were and what you were doing, it wasn't something that really crossed
my mind. Of course, now you think about it, of course there's a whole InfoSec operation for
every campaign ever, but you don't think about it. It's behind the scenes. It's below the level
of awareness that most people have. Now, what's really interesting
to me, and I'm curious if you can talk about this, is historically, the people working on the guts of
a campaign, as it were, don't make public statements. They don't have public personas.
They either don't use Twitter or turn their accounts private or the rest during the course
of the campaign. You were active and engaging with people and identifying as someone who was active in the Biden campaign's InfoSec group. What made you decide to do that?
Well, on one hand, it did not feel useful to cut myself off from the world during the campaign
because I have so many relationships in the cybersecurity community. And I was able to
leverage those by connecting with folks who had useful information for me.
Folks outside of your organization often have useful information to bring back.
For example, bug bounties and vulnerability disclosure programs that are established by companies in order to give hackers an outlet.
If you find something on hardwarestore.com and you want to share that with the company
because you're a white hat hacker and you think that's the right thing to do, hopefully
there's some sort of a structure for you to be able to do that.
And so in the world of campaigning, I think information security is a relatively new development.
It has been maybe given more resources in this past year at the presidential level than ever before.
I think that we're going to continue to see an increase in the amount of resources
given to the Information Security Department on every campaign.
But I'm also a public person.
You know, I really do appreciate the opportunity to interact with my community,
to share and receive information about what it is that we do and what's
happening in the world and what affects us from a tech and information security perspective.
It's just astonishing for me to see from the outside because you are working on something
that is foundationally critically important. Meanwhile, people working on getting people to
click ads or whatnot over at Amazon have to put opinions my own in their Twitter profile,
whereas you were very outspoken about what you believe and who you are. And that's a valuable
thing. I think it's important. I think we often allow corporations to dictate our personality.
We allow our jobs to dictate our personality. We allow corporate mores to dictate our behavior.
And we have to ask ourselves who we want to be at the end of the day and what type of energy we want to put out into the world.
And that's a choice that we make every day.
So what I can say is that it was a conscious decision.
I can say that I worked 14 hours a day or something for five, six months.
There were no weekends.
There was no time off.
There were a couple of overnights.
So when do you get to sleep?
November.
My partner took care of the kids.
He was an absolute beast.
I mean, he made sure that the house ran and I paid no attention to it.
I was just not a mom for those several months in my own home.
This episode is sponsored by our friends at Oracle HeatWave,
a new high-performance query accelerator for the Oracle MySQL database service,
although I insist on calling it MySquirrel.
While MySquirrel has long been the world's most popular open-source database,
shifting from transacting to analytics required way too much
overhead and, you know, work. With HeatWave, you can run your OLAP and OLTP, don't ask me to
pronounce those acronyms ever again, workloads directly from your MySquirrel database and
eliminate the time-consuming data movement and integration work while also performing 1,100 times faster than Amazon Aurora and two and a
half times faster than Amazon Redshift at a third the cost. My thanks again to Oracle Cloud for
sponsoring this ridiculous nonsense. Back in 2019, I gave a talk at re:Invent, which is always one of
those things that's going to occasion comment. And the topic that we covered was building a vulnerability disclosure program built upon
the story of a vulnerability that I reported in to AWS.
And it was a decent enough experience that I suggested at some point that you should
talk about this publicly.
And they said, you should come talk about it with us.
And I did.
And it was a blast.
But something that became very clear during the research for that talk and talking to
people who'd set those programs up is that, look, one way or another,
people are going to find vulnerabilities in what you do and how you do them. And if you don't give
them an easy way to report them to you, that's okay. You'll find out about them in other scenarios
when they're on the front page of the New York Times. So you kind of want to be out there and accessible to people.
Now, there's a whole story we can go into about the pros and cons of things like bug
bounties and the rest.
And of course, it's a nuanced issue.
But the idea of at least making it easy for people to wind up reporting things from that
perspective is one of those key areas of outreach.
Back in the early days of InfoSec, people would explore different
areas of systems that they had access to. And very often they were charged criminally. Intel wound up
having charges against one of their, I believe it was their employee or something, who wound up
finding something and reporting it in an ethical way. The idea of doing something like that is just
ludicrous. You're in that space a lot more than I am. Do you still see that sort of chilling effect slash completely not getting it when someone is trying to, in good faith, report security issues?
Or has the world largely moved on from that level of foolishness?
Both.
The larger organizations that have mature security programs, frankly, the organizations that have experienced a significant
public breach, the organizations that have experienced pain are those that know better
at this point and realize they do need to have a program. They do need to have a process and a
procedure, and they need to have some kind of framework for folks to share information with them
in a way that doesn't cause them to respond with,
are you extorting me? Is this blackmail? As a cybersecurity professional working at my own
security firm and also doing security research, I have reported dozens of vulnerabilities that
I've identified. Open buckets, for example. My partner at Spyglass and I built a SaaS application called Data Drifter a few years ago.
We were interviewed by NBC about this, and NBC followed up on quite a few of our vulnerability discCP, and provide an analyst interface that allows a human to trawl through
very large data sets and understand what they're looking at. So for example, one of the finds that
we had was that Musical.ly, which was purchased by TikTok eventually, had a big, large open bucket
with a lot of data.
And we couldn't figure out how to report it properly.
And they eventually took it down.
But you really had to try to understand what you were looking at. If you have a big bucket full of different data types, you don't have a name on the bucket.
You don't know who it belongs to because you're not Google or Amazon or Microsoft.
What do you do with
this information? And so we spent a lot of time trying to reconcile open buckets with their owners
and then contacting those owners. So we've received a gamut of ranges of responses to
vulnerability disclosure. On one hand, there is an established process at an organization that is
visible by the way they respond and how they handle your inquiry.
Some folks have ticketing systems. Some folks respond directly to you from the security team,
which is great. And you can really see and get an example of what their routing is inside the
company. And then other organizations really have no point of reference for that kind of thing.
And when something comes in to either their support channels or even directly into the cybersecurity team, they're often scrambling for an effective way to respond
to this. And it could go either way. It could get pretty messy at times. I've been threatened
legally and I've been accused of extortion even when we weren't trying to offer some type of a
service. I mean, you really never
walk into a vulnerability disclosure scenario and then offer consulting services because they are
going to see it as a marketing ploy and you never want to make that a marketing ploy. I mean, it's
just not, it's not effective and it's not ethical. It's not the right thing to do. So it's been
interesting. I would recommend if you are a person listening to this podcast who has some sort of pull in the information security department at your organization,
I would recommend that you start with disclose.io, which was put together by Casey John Ellis and some other folks over at Bugcrowd and some other volunteers. It's a really great starting point for understanding how to implement a vulnerability disclosure program and making sure that you are able to receive the information in a
way that prevents a PR disaster. My approach, and it is controversial, I know this, but I believe
that the way that you're approaching this was entirely fatally flawed of trying to report to people that they have an open S3 bucket.
The proper way to do it is to upload reams of data to it, because my operating theory
is that they're going to ignore a politely worded note from a security researcher,
but they're not going to ignore a $4 million surprise bill at the end of the month from AWS.
That'll get fixed tout de suite. To be clear to the audience, I am kidding on this. Don't do it. There's a great argument that you can be charged criminally for
doing such a thing. I'm kidding. It's a fun joke. Don't do it. I cannot stress that enough. We now
go to Jackie for her laughter at that comment. There we go. I'm on cue. Well, the great thing about Data Drifter, that SaaS application that allowed analysts to review the contents of these open buckets, was that it was all JavaScript on the client side.
And so we weren't actually hosting any of that data ourselves.
So they must have noticed some transfer fees that were excessive. But if you're not looking at security and you have an infrastructure that
isn't well monitored, you may not be looking at costs either. Costs are one of those things that
are very aligned spiritually with security. It's a trailing function that you don't care about until
right after you really should have cared about it. With security, it's a bit of a disaster when it hits,
whereas with the surprise bill, it's,
oh, okay, we wasted some money.
That's usually A, not front page material.
And B, it's, okay, let's be responsible
and fix that up where it makes sense.
But it's something that is never a priority.
It's never a summon the board story
for anything short of complete and utter disaster.
So I do feel a sense of spiritual alignment here.
I can see that. That makes perfect sense. Before we call this an episode,
one other area that you've been active within is something called threat modeling. What is it?
So threat modeling is a way to think strategically about cybersecurity. You want to defend effectively by understanding your organization as a collection of people, and you want to help non-technical staff support the
cybersecurity program. So the way to do that is potentially to give a human-centric focus to
threat modeling activities. Threat modeling is a methodology for linking humans to an effective set
of prioritized defenses for the most likely types of adversaries that they might face.
And so essentially the process is identifying your subject and defining the scope of what you would like to protect, right?
Are you looking to protect this person's personal life?
Are you exclusively protecting their professional life or what they're doing in relation to an organization?
And you want to iterate through a few questions and document an attack tree.
Then you would research some tactics and vulnerabilities and implement defensive controls.
So in a nutshell, we want to know what assets does your subject have or have access to
that someone might want to spy, steal, or harm. You want to get an
idea of what types of adversaries you can expect based on those assets or accesses that they have.
And you then want to understand what tactics those adversaries are likely to use to compromise
those assets or accesses. And you then transform that into the most effective defenses against those likely
tactics. So using that in practice, you would typically build an attack tree that starts with
the human at the center and lists out all of their assets and accesses. And then off of those,
each of those assets or accesses, you would want to map out their adversary personas. So for example, if I work at a bank and I work on wire
transfers, a likely adversary would be a financially motivated cyber criminal, right? Pretty standard
stuff. And we want to understand what are the methods that these actors are going to employ in
order to get the job done, right? So in a common case, in a business email compromise context,
folks might rely on a signer at a company to sign off on a wire transfer. And if the threat actor
has an opportunity to gain access to that person's email address or the mechanism by which they make
that approval, then they may be able to redirect funds to their own wallet that
was intended for someone else or a partner of the company. Adversaries tend to employ the least
difficult approach. Whatever the easiest way is what they're going to employ. I mean, we spend a
lot of time in the field of information security and researching the latest vulnerabilities and attack
paths and what are all the different ways that a system or a person or an application can be
compromised. But in reality, the simplest stuff is usually what works, and that's what they're
looking for. They're looking for the easiest way in. And you can really observe that with ransomware,
where attackers are employing a spray and pray methodology. They're looking for whatever they can find in terms of open attack surface on the net. And then they're targeting organizations based on who they can compromise after the fact. So they don't start with an organization in mind. They might start with a type of system that they know they can easily compromise, and then they look for those. And then they decide whether they're going to ransomware that organization or
not. So it's really a useful way when you're thinking about human-centric threat modeling,
it's really a useful way to completely map your valuables and your critical assets to
the most effective ways to protect those. I hope that makes sense.
It very much does. It's understanding
the nature of where you start, where you stop, what is reasonable, what is not reasonable. Because
like a lot of different areas, DR, for example, security is one of those areas you could hurl
infinite money into and still never be done. It's where do you consider it reasonable to start,
where do you consider it reasonable to stop? And without having an idea of what the model
of threat you're guarding against is,
the answer is all the money,
which it turns out boards are surprisingly reluctant
to greenlight.
Absolutely.
We have a recurring problem in information security
where we cannot measure return on investment.
And so it becomes really difficult
to try to validate a negative, right?
It's kind of like the TSA.
The TSA can say that they've spent a lot of money and that nothing has happened or that any incidents have been limited in their scope due to the work that they've done.
But can we really quantify the amount of money that DHS has absorbed for the TSA's mission and turn that into, you know, a really wonderful and measurable understanding
of how we spent that money and whether it was worth it?
No, we can't really.
And so we're always struggling with that in security,
and I don't think we'll have an answer for it
in the next 10 years or so.
No, I suspect not on some level.
It's one of those areas where I think the only people
who are really going to have a holistic perspective on this
are historians.
I agree.
And sadly, I'm not a cloud historian.
I'm a cloud economist, a completely different thing I made up.
Well, from my perspective, I think it's a great title.
And I agree with your thought about historians.
And I look forward to finding out how they felt about what we did in the information
security space, both political and nonpolitical, 20, 30, and 40 years from now.
I hope to live long enough to see that.
Jackie, thank you so much for taking the time to speak with me today.
If people want to learn more about what you're up to and how you view things,
where can they find you?
You can find me on Twitter at HackingButLegal.
Great handle. I love it. Thank you so much for having me. Of course, it is always
great to talk with you. Jackie Singh, Principal Threat Analyst and Incident Responder at the
Biden campaign, obviously not there anymore. I'm Cloud Economist Corey Quinn, and this is Screaming
in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast provider of choice. Whereas if you've hated this podcast, please leave a five-star
review on your podcast platform of choice, along with a comment expressing an incoherent, bigoted
tirade that you will of course classify as a political opinion and get you evicted from said
podcast provider. If your AWS bill keeps rising and your blood pressure is doing the same,
then you need the Duckbill Group. We help companies fix their AWS bill by making it
smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point.
Visit duckbillgroup.com to get started.
This has been a HumblePod production.
Stay humble.