How InfoSec skills can help you survive a pandemic

[Music] uh hi everybody i'm spam uh this is how infosec skills can help you survive a pandemic um thank you so much josh and janice for uh for the introduction um and uh gonna talk a little bit about uh i guess infosec and hacker culture and how you can use the skills you already have uh to go ahead survive and thrive in a pandemic some of this stuff is gonna be a little bit stream of consciousness a little bit off the cuff um you know bear with me a little bit as with regards to that uh but i think that there's a lot that hackers can bring to the table a lot of skills a lot of mindset that can be really

really applicable uh for reacting to a pandemic uh so some of this uh talk came about from conversations i had before the pandemic just discussing how for a lot of individuals uh in the hacker community there's a lot of commonalities that we see that are totally outside of infosec uh strictly so uh obviously a lot of folks know a lot of you know culture media whatever movies music tv shows stuff like that a lot of a lot of similarities but there's also a lot of hobbies that i think you see folks uh getting interested in for similar reasons that they're interested in hacking so uh one thing that i found particularly interesting in terms of a hobby is a lot of folks who are

into hacking were into magic when they were younger and i think the reason that folks were into magic tricks maybe they're younger and some for a lot of folks also today is for the almost exact same reasons they are uh you see something that is interesting astounding you don't quite understand it but it's really really cool so you want to be able to do that yourself and you want to be able to tear it apart and understand how it works see how you could innovate on it see what else you can do but that mindset that thinking is something that is intriguing to folks in the hacker community and the mindset is one of the things

that's hardest to kind of teach people and i think that mindset can be applied for reacting to a pandemic and make things you know way way better for everybody so a lot of what we see in reaction to the pandemic is stuff like this american catastrophe how do we get here oh there's here's the news the news is going to give me the answer to all of my you know what i'm looking for um we know that this is not true and unfortunately in a lot of cases there's a lot of fun out there um a lot of what we're seeing is just breeding fear uncertainty and doubt um and i think we want to a cut through

it uh and also see how we can bring a little bit of well certainty a little bit of control but also see where there's possibilities for innovation but with that being said one disclaimer no one knows what they're doing so i don't know what i'm doing most people alive today have never lived through a pandemic so everybody's trying new things so things aren't going to be perfect but that's fine you know this is this is absolutely i think where hackers thrive we know that we're not going to understand all of what we're doing we're going to figure it out as we go we'll get some stuff right we'll get some stuff wrong but we will figure it out and we shouldn't get

discouraged if some aspect of what we're looking at is potentially failing along the way we just go ahead and keep at it and make sure that we're going to go ahead and learn from the experience so with that uh without the the thing that i see overwhelmingly in people's approach outside of the hacker community to the pandemic that i think could use improvement is threat modeling basic threat modeling if you look at how folks were preparing for the pandemic and how folks have approached their responses to dealing with the pandemic where it was just critically obvious that folks were not taking the right things into account is threat modeling individuals threat modeling skills are way off and even if i thought that

they were not necessarily where they should be the pandemic has proven without a shadow of a doubt that the average person is not great at threat modeling but hey as infosec professionals as hackers you can go ahead and do this uh and actually as i was uh preparing my slides yesterday i came across this tweet from lee honeywell on twitter which really summarizes a lot of what i've been thinking about and people's approach to risk management and threat modeling as it relates to pandemic so this is in response to tweets somebody talking about hey there's going to be people need to prepare for another round of shelter and place orders in different states and different

countries uh says it says something that basically none of my professional peers and security people whose job it is to manage risk ever stopped sheltering in place we have the advantage of being able to work from home and most jobs require it but the risk has yet to drop enough to stop sheltering there's you know it's right there it summarizes so much of what i think i want to talk about here where you go ahead and being able to step back and not just take a look at what's you know the the that's out there but taking a real look based on the evidences out there the actual guidelines and saying okay here is what i do here is where my

exposure is here's my personal things whether you're you know compromise or have other things that put you potentially at risk and you act accordingly some folks have not necessarily done that early on in the pandemic and maybe they you know they've relaxed over time but if you are looking at things in a reasonable and responsible way i think you're you're more likely to have gone ahead and done your risk analysis and realize that the risk has been fairly consistent and so your approach has been fairly consistent i know some friends of mine have actually said friends who are not in infosec have said like hey you know like we oh we're all doing this stuff and you're not you're doing the

exact same thing you were months ago i'm like well yeah i have my i have my approach i have my lines i look at it and i'm not afraid of reevaluating it but the overall risk has not changed so my approach isn't necessarily going to change unless there's some other factor that's coming into play um and with some of this i know folks can get bound up there's a lot of you know emotional attachment to certain things and sometimes it can be difficult to separate you know to to bring in aspects of personal to business business to personal with respect to this but i think we'll all be better off if we can you know i guess detach a tiny

bit to do an actual analysis of the risk if you're not already doing that and make sure that your approach incorporates that when you're going ahead and figuring out how you're going to deal with something during a pandemic and in terms of what we're doing in a response fundamentals fundamentals are key whether it's in infosec or in how we're dealing with the pandemic so many corporations get compromised not from somebody dropping oday on them most most folks are not looking at their threat model doesn't include a nation state where they're going to be dropping oda on them and you know to either cve whatever to go ahead and compromise them it's the fundamentals where they fail

and they get compromised and this is absolutely the same when it comes to approaches to a pandemic pretty early on folks were saying uh in the medical community that if people did things like washing their hands making sure they didn't touch their face which admittedly i won't say that well it may be fundamental it's very difficult to train yourself not to do and wear masks and social distance we can go ahead and absolutely kneecap this virus not in that we'll eliminate it but that we will completely contain the spread for that time and early on folks were talking about it as a way to give the hospitals time to react uh but it also now what we're facing you

know people call a second or a third wave it can give a bit of a reset and allow us to ease restrictions now they may come back but it is absolutely key to doing that and if you look at how people approach the fundamentals early on focus people weren't focusing on that stuff they were focusing on bright and shiny objects what's a new medical treatment what's a new way to sanitize and other things you would go to a store and you'd see folks who had a uh they were doing runs on toilet paper or runs on um uh runs on hand sanitizer um the runs on toilet paper i don't know what people were thinking maybe they're

thinking they could eat the toilet paper uh because the way people stocked up and continued to stock up it's just it's crazy but on the hand sanitizer people were looking at like i think the labels on handstands i was like oh it's 99.99 effective i better get this stuff because it's gonna kill all the things i spray it on stuff and it's going to be you know it's going to be magical well it's not magical you know in i think in a lot of cases they found that hand washing with soap for 20 or 30 seconds can be even more effective hand sanitizer is a tool for when you don't have access to the other thing

but people were focused on the hand sanitizer and not getting soap i know when i went uh i would go to like a drug store and i'd see people frantically searching for hand sanitizer and then like in desperation they'll go and they'll buy an anti-bacterial soap yet the the shelves were stocked with regular soap and folks were just passing it by like no no no i don't need that i need this other stuff because this is going to be more more effective when they weren't actually stopping and realizing no what's the fundamentals yes there is a certain level of efficacy that you may get with the uh you know a hand sanitizer or an antibacterial soap but the

fundamentals of those basics are what's going to be key the fundamentals aren't necessarily always the most enjoyable thing and it's it's difficult to maintain that long term for a lot of folks but they are absolutely key so you know i hope we can all keep that in mind as we go through this stuff and the game has changed with regards to that but it really hasn't um i'm going to flip the script here a little bit in that i think this is something that infosec has seen uh to a certain degree with companies reactions to the pandemic so if you used to go into an office every day rather than working from home suddenly you need to be able to work

remotely all the time so companies that were prepared for it and had formal ways for all of their employees to work remotely they may if they were actually well prepared they will have gone and said okay go home make sure your internet connection's okay make sure you know how to access anything that may have been on-prem that you need and we'll be good to go companies that didn't have a way to deal with that and didn't have a way to scale were frantically going ahead and potentially um setting themselves up for compromise by just opening everything up to the world you know like open up rdp to the world because i got to access this box it's only accessible

on-prem and we don't have a secure way to do it but the business is going to die if we don't do this and in some cases they may have decided that the risk was justified in those cases but i think they haven't necessarily made the proper preparations what we are seeing today this isn't the 90s you know we have seen the need for this growing steadily over the past decade and now we're seeing that come to a head everything that we've seen up until now is just getting intensified um and sped up by the pandemic but it really hasn't changed the overall approach that we should have it may change the rollout we may need to scale

in a different way but it's really the same as what we've been dealing with for quite a while now and on that i think big thing is being prepared we can all be good boy scouts and make sure that we're properly prepared for what's what's going on uh but as infosec professionals or hackers we want to hope for the best but plan for the worst um if we go ahead and plan for the worst and we don't need to go ahead and use it great but having that in our back pocket is fantastic i know when the pandemic started for myself i went ahead and i uh a couple days into me being at home working remotely

i took my edc and i kind of like splayed it all out on a table and i started looking okay what was in my edc because it was a decent tool to be used on occasion on the go one of my you know certainly took out all the battery packs and everything else i needed only if i wasn't you know somewhere near an outlet thankfully plenty of outlets at home separated okay this is going to be useful some stuff i'm going to need to replace and it may have been something as simple as just getting a decent microphone um which i only uh kept at home a you know kind of a cheapo headset getting a decent microphone and

revisiting um some skills that i hadn't touched in a while in terms of dealing with audio and video but it can be lots of other stuff as well on the on the pandemic side strictly um i started taking a look and doing an inventory of what i had that would help me respond should i need to self-isolate uh and i said okay what are the recommendations what do i need so immediately ordered a pulse oximeter made sure i had a um some sort of temperature sensing equipment um you know my my uh i don't i don't have like a child at home so i don't necessarily have a bunch of thermometers and whatnot uh and i actually realized that the

best thermometer i had was a meat probe thermometer that i use in my oven um so hacker in me was like okay well let's see how accurate this is and if it would work in a pinch turns out the accuracy of my meat thermometer was enough but it's not something i want to rely on okay so i ordered that stuff and then i went out and i also stocked up on um just basic medical supplies um again these are not the most exciting things to do go out and buy um you know antihistamines and just stuff like i know tylenol advil ibuprofen stuff like that um making sure based on medical recommendations that they said hey

if you think you have covid at least early on they weren't recommending that you go out to get testing they were saying hey be in touch with the medical professional and you should be prepared to have some basic medications at home and my you know track your temperature and if conditions worsen then you might need to go to a hospital so having those on hand would allow me to react appropriately it turned out that um i guess fates were aligned i needed to take advantage of that stuff uh within a few hours uh because actually only a couple hours of from when i got home from going out to shop for different things i got a call

that let me know that a friend of mine who was one of the early cases in new jersey um i had been exposed to him about half a week beforehand and so based on the fact that i was you know in the same space as that person uh within within about 10 feet of them for about an hour i now needed to shelter in place for another week and a half since it had been half a week since i was exposed and if i hadn't had my two weeks of food and everything else you know there would have been i would have freaked out then but at that point i'm like hey i'm happy i went out the last thing i

had to get were those you know basic drugs but i had that in place um and so the anxiety over needing to to collect these supplies was you know much lower because of that um so you know proper preparations whether it's a you know formal run book or just going out and getting these basic supplies the same things we want in infosec is ways that you can help address your needs during a pandemic and along the way hopefully you pick up a few new skills i know uh like i said i've revisited some audio visual skills i did like college radio and did some video production work when i was younger um i've revisited a bunch of that stuff

um it has turned into kind of its own little hobby um helping friends and family members with some stuff um and it is uh it maybe you know i think hackers love picking up new skills and while these skills may not be as directly relatable to hacking as um as something like lock picking or i don't know anything else like that um i think there's still useful skills and the the great thing about hackers is that we are constantly looking to pick up new skills and test those new skills so you know don't be afraid of that uh i embrace it uh as we go ahead and react uh and we're going ahead and forming how

we're going to respond to things we want to make sure that we understand that what we're really doing here is we're looking to reduce risk by its very nature we're not going to be able to eliminate risk entirely that's true in infosec and it's true in regards to how we're dealing with the pandemic um i i know for myself i'm certainly not a medical professional and i've been learning a lot about how you know they're saying hey we don't know the exact uh effectiveness rates of these um particular precautions but we know that taking certain precautions basics when you're dealing with stuff in the pandemic it reduces the overall likelihood and we can reduce the risk to an acceptable

level now that acceptable level is going to be different for everyone for some folks they may only be comfortable outside more than six feet apart from everybody other folks may be able to say listen i don't have any immunocompromise issues don't have family members who are at a higher risk either so maybe i'll be willing to go indoors um there's a lot of stuff that's going on with restaurants taking different approaches you have to reduce risk to a level that's acceptable to you but also understand that you're not going to eliminate risk entirely excuse me and anyone who's coming along and saying that they're going to be able to eliminate the risk entirely is probably lying to you and

just like if a vendor comes in and says you know 100 percent effective against all hackers and the apts you know it's not it's not real and understanding that reality uh and to take something from from the military in a certain sense embracing the suck a little bit understanding that this is going to be with us for a little while um is is important as well but as we're going through this we need to make sure that we maintain balance to quote thanos what we are looking for is perfectly balanced as all things should be uh and as we're going ahead and crafting how we're going to approach a pandemic we need to make sure that we maintain

usability because usability matters um what we're we're in here for is you know an extended period i think a lot of folks early on in the pandemic did not view this as say a new normal viewed it as something where hey we could be through this in the next month or two be through the worst of it and then things will ease so i'm gonna act as if that's the amount of time that i need to take on these precautions for so let me structure it that way well as you know as hackers as infosec professionals we know that that's not really the way threats work threats do not go away instantaneously they may lessen

over time but it's going to potentially take a while and we need to make sure that we are prepared to maintain that for a long time and we need to make sure that that we have that usability so that we can fight burnout this is a marathon not a sprint um i think some folks thought that hey maybe it might not be over in a month or so but six months seven months in we'd probably be in a place where we had reached um call it a new normal call it an accepted level acceptable level of risk or extra precautions but it turns out that we haven't um and i think if you had taken on

extra restrictions for yourself and other or others that were a little too tight you may find yourself sliding to a place where you almost just give up uh and we see this in infosec all the time if you go ahead and put two tight restrictions on folks in a in an enterprise environment a corporate environment you're going to see folks react negatively to it and figure out ways around it so in some some cities where they've put heavily restrictive um you know impositions on folks they have reacted strongly and gone ahead and said hey i'm not doing this and they may be hiding it from you know the public but they're going ahead and working around the restrictions

so having something that is going to work for you that's going to work for the long term it's you know it's really something we need to keep in mind um and it is uh in the same way that it's going to be different for each individual but we also need to be proactive and make sure that it's working for the folks you know in our direct orbit um and that starts bringing me to i think some of the more proactive measures we want to be proactive rather than reactive so in a network environment we might have network segmentation well that works that's perfectly applicable to what we're dealing with in a pandemic on a basic level what we're propos what

a lot of medical professionals are proposing with social distancing well that's complete network segmentation every individual node is completely segmented from one another so it's highly unlikely that somebody's going to be able to pivot from one system to another and that's great but as time has gone on well there's a balance that has needed to be struck that's not full-on network segmentation so what have we seen well hey maybe you need particular machines to be able to talk to one another on the network but you don't want all machines to talk to each other if you take a look at what some schools and other places have done they've used what they're calling pods um so what's a school's approach with a

pod well we want to have students be able to return to in-person learning but there's a unacceptable level of risk if every individual student is allowed to interact as they would normally with one another so by creating pods of individual classes of students and keeping them together so they have they try to maintain social distancing as much as possible but they're going to have ultimately we know there's going to be closer interactions between those groups of students but an individual class is not interacting with another class they're only interacting with their own class so if there is an outbreak it is more likely to be able to be contained to that class and the whole school does

not need to shut down perhaps an individual class may need to shut down but the whole school doesn't this is i mean it's to me it's clear as day it's exactly the same as what we are do what we would try to do in network segmentation um and so let's look at other proactive measures that are uh i guess kind of similar well vaccines um i i think there is uh when it comes to vaccines uh when it comes to vaccines you know we really should look at it as patch management for humans um you know there's a patch it took it took some time took a couple months for different drug companies to develop

and test their patch for humans to give us uh sufficient antibodies to fight this um to fight this disease but now we're hearing that hey there's some vaccines that are in development but the vaccines are not perfectly efficient you know they're not going to give us 100 effectiveness um i think before the pandemic i i pretty much would have just assumed that hey they've tested it and maybe it's not 100 affected but it's 99.99 uh but we're learning that this pfizer vaccine is can is potentially one of the most uh effective vaccines that folks have seen um because it's going to be 90 effective well that means one out of 10 people it's not going to be effective

for well that's where that network segmentation comes into play because if we go ahead and we apply the patches to the folks that we can and we have that network segmentation that's that's what's going to hopefully get us to reduce the overall risk um and uh like patch management's in an infosec situation where we're applying the patches how we're applying the patches and what priority we apply the patches are all going to become vitally important i think it's going to be interesting over the next few months to see how the vaccine is rolled out um and listen you may need to do uh it may not sound like the most comfortable thing of the world but

you're you're on inventory management to to understand this um who am i going to interact with let's say i get the vaccine but my friends and family have not am i going to go ahead and keep an inventory of who has it and who doesn't and what's my overall risk and am i going to be willing to accept that risk um but assuming that we have vaccines and we can layer some network segmentation on top of that well now we've gotten to what they call herd immunity but in a certain sense i think it's defense and depth um uh and i see somebody in chat saying yeah the side effects there are definitely going to be side

effects and i think that's going to delay the roll out as well um we're going to see that's why herd immunity has been is is accomplished by defense in depth because you're not going to be able to patch every system you're not going to you need certain availability on certain systems so you need to be able to have different approaches depending on what we're dealing with so by layering these different things we can have that defense in depth and develop a situation even with straight vaccination if you have 90 effectiveness i think they say overall you need to mainta you need to get about 80 percent of a population with somewhere about 75 percent effectiveness of a vaccine

in order to get to herd immunity um so there's different ways that we can go ahead and do this so in in the case of uh you know tying it back to defense and depth and patch management you may not you'll patch certain systems but you may turn off services on other systems because you can't patch it or there is no patch for a particular system but it's still vulnerable so you may there may be some folks who there is you know a 20 chance of an adverse medical effect so they'll continue social distancing mask wearing and other things until a point where everybody has reached herd immunity because they cannot be patched yet or maybe they'll never be able to be

patched um if you look at traditionally way hurt immunity is relied upon there's always some folks who are going to be unable to get to be vaccinated um and some folks who the vaccine will never be able to have an effect on uh so you know it is you know direct parallels between the two there

um and to that end i think education uh is is really key um i i think some of what we've seen in response to the pandemic education in some cases has been lacking and listen we we see that in infosec a lot um security awareness training and continuing education for users users are the first line of defense and it comes down to them to ultimately work with us or work against us to accomplish what we need to do going back earlier to the the general concept for medical professionals um we go ahead and we say hey if everybody wears their masks and just does these basic precautions we can kneecap this virus take it out but end users were unwilling

to accept that uh i think part of it comes down to education and if there is a better education uh it can go ahead and make the effect better um i'd like to suggest that we should all take on some of this education um different communication methods are gonna work better for different folks so you know please speak with your friends and family and see hey are they understanding this are they are they doing their own threat modeling but also do they understand what's going on with a vaccination somebody's nervous about a vaccine like hey maybe i can point you towards some real information about the whether this is the correct approach for you or not um when it uh when it comes this

the the unfortunate side effect in the real world is that we also have to combat misinformation uh and to me that means you know education isn't the end it's the beginning it's exactly the same way in infosec just because somebody attends security awareness training doesn't mean that they're now aware and they never need to revisit it the threats are constantly evolving our approach needs to be constantly evolving uh and it needs to go on over time combating misinformation uh and combating just um incorrect interpretations of information is going to be key uh so please speak with your friends and loved ones uh and help them understand point them towards resources that they can use and maybe offer to

help walk them through that if you're comfortable with it saying hey here's what we know here's what we understand and let's go ahead and figure out an approach that works for you and if it's uh you're a family member and hey maybe we want to be able to interact more maybe we want to form if it's just a friend and hey we want to form a little pod and we want to know that our overall risk level is going to be acceptable let's make sure we're all on the same page let's make sure that we all understand the actual risks that we're dealing with and this is where i think uh hackers also um just by necessity have to re-evaluate

and constantly incorporate new information and research skills being able to learn new things uh is vitally important and this is something the general public has sometimes struggled with when uh early on in the pandemic there's certain advice that's come out from medical professionals and then later on they say well hey we've changed our advice and you should do things a little bit differently now well some folks would look at it and be like see the medical people know nothing well hey we know they they knew certain things at the time and additional research has revealed different approaches and different uh um may i see the last results of your vulnerability assessment before i let you on prem yeah it's

it's there's you know new new things have come to light man um there's uh there's a lot of new information always coming out at the time and just because current information is contradicting something in the past doesn't mean that it's untrue it's fine to be skeptical of it but we should have a way to verify the information and incorporate new information and have you know trusted news sources and trusted folks that we can consult to be able to get at the real information and differentiate what's going to be potentially misinformation from you know true information uh right after pfizer announced the efficacy of their vaccine all of a sudden russia was announcing well are our vaccines like was it 92 93

effectiveness see more effective than the us vaccine well maybe it's true maybe it's not uh but for me from the sources that i trust i don't see any way of being able to verify that that vaccine is um is as effective as what they're saying and certainly no information on verifying if it's uh anywhere near as safe as what pfizer has developed um so incorporate new information but make sure that you're doing it in a way that is intelligent and takes into account all of your knowledge as an infosec professional um and let's see if we can incorporate least privilege you want to constantly lease privilege limiting your exposure by limiting who has access um well hey that's directly applicable

here um in a corporate environment you see a lot of folks talk about leased privilege as an approach that's going to be not something you're going to turn on immediately uh it's a least privileged journey and it may just be you know that's the sort of thing that sounds nice but that least privileged journey is real um you you want to go ahead and take a look hey here's the access i have is there another way i could do it that's potentially more secure or is this something that i don't really explicitly need um obviously we need to have that balance but that balance may be different hey maybe this is the general guidelines but

because of my own approach to things i can be more restrictive for myself um uh you know i love going to movies but i'm not going to movies during the pandemic because while the risk of infection at a movie theater is probably fairly low as long as there's social distancing and everything else it's not a risk that i need to take i can sit at home and watch a movie on tv and that's perfectly acceptable to me for for the foreseeable future i'd love to see tenet but i'm not gonna be able to see it and you know that sucks but hey this is something i'm willing to live with um it may be that hey i'm i'm unwilling to

uh fans of going to uh you know live theater uh hey i i'm not willing to give that up but maybe i'm not willing to give that up because i i can find a way to do that safely can't do an indoor theater but now there are theater companies that are conducting outdoors um so hey i can substitute that where i have a less risky alternative so please try to apply the concept of least privilege and don't be afraid of hey i've pared back and i'm saying i'm not doing this stuff then making a little more exception you it's not going to always be perfect this is going to be a learning situation you're going to adjust and adapt over

time if we you know we can be super super restrictive you can go and live in your basement with some canned food and a bucket in the corner and never interact with another human being for the next year theoretically you can but what's that going to do to your mental health and are you really prepared to do that probably not there's always going to be gradations of what we're willing to do what we're willing to accept so even if you're going ahead and staying at home and only getting deliveries there is a certain amount of risk to doing that and in certain situations it may be less risky for you to go out and go grocery

shopping once every two weeks then get delivery every day take a hard look at it and don't be afraid to revisit it and you know make sure you understand what your own risk tolerance is as you're going ahead and taking a look at this stuff last thing i want to bring up is tabletops uh proper preparation prevents poor performance um that's that's why we do tabletops um but i think when it comes to the pandemic we can use tabletops um to uh to take a look at what we're likely to encounter now i don't expect everybody to have a covered response um ir playbook uh but you're if you can go ahead and tabletop different scenarios that you're likely

to encounter i think you're more likely to have less anxiety about decision making in the moment and you're more likely to go ahead and actually act in situations where hey you might have wished you reacted differently after the fact you know tabletop scenario if you're just simple something that everybody pretty much is doing going to the grocery store occasionally if i'm in line at the grocery store checking out and somebody's encroaching on the six feet between people is that a level of risk i'm willing to accept if that person is wearing a mask versus not wearing a mask what is the level where hey this is an increased level of risk but i'm okay with it versus this is an

increased level of risk and i'm gonna walk away know what your limit is ahead of time and if you walk into a grocery store and you see everybody's not wearing masks and you're not okay with that okay that's the point where i'm gonna put the grocery uh you know put the basket down and i'm gonna walk out and hopefully not have anxiety over it because i've gained it out ahead of time um when we go ahead and also think through conversations you're gonna have uh with uh thanksgiving and other holidays coming up a lot of folks are gonna have what unfortunately i think are some uncomfortable conversations with friends and family members uh if a family member says hey i haven't

seen you in so long you know please come come for thanksgiving want to go ahead and see you um think through that ahead of time everybody has their own threat model everybody has their own risks that they're willing to accept so understanding ahead of time if you go ahead and know that hey okay i'm willing to go ahead and go to this family member's home uh but i'm not willing to eat inside well hey i i live in new jersey it's getting pretty cold outside the likelihood that we're going to be able to uh to eat outside based on how cold it is it's pretty unlikely if you live out in sunny southern california yeah that may

work uh and and that may work for you but think through it ahead of time uh because in the moment there's gonna be all sorts of stuff flowing through your head um so you know please think about it make sure you understand how you're going to react why you're going to react and there's going to be scenarios that you're not going to think through but think through as many of them as you can um and and i think tabletops also bring into play all of the different skills that we've that i've been bringing up throughout this whether it be you know threat modeling risk analysis how you're going to deal with network segmentation and all the rest it kind of ties

everything together and i think the more aspects of life that we can go ahead and take that hacker mindset and apply it to we'll be better off for it and we won't just survive we'll thrive uh and so with that uh that is the presentation uh thank you so so much uh for uh you know for having me speak here uh it's great to be back at b-sides delaware always enjoy my time at b-sides delaware i'm really looking forward to the conference as a whole thank you everybody for working so hard to to play this out i'm really super excited to see things succeed see things fail uh learn and innovate from it uh so

i'm spam if you want to reach me online that's my contact info uh have a great con everybody you