ISSA-HR Chapter Meeting 5 March 2024

Opening Remarks

Agenda: Welcome/Membership/Education/Presentation/Business Meeting/Q&A/ Feedback/Adjourn

Organization Chart: New addition Desmond G., welcome! Elections are coming up this year; we will need two volunteers for that as we get closer to autumn.

ISSA-HR Professional Association Benefits: Build professional relationships, stay current on developments in areas of information security/risk/privacy, professional development, education opportunities, Earn CPE/CEU continuing education credits, learn practical and best practice solutions, career information and employment opportunities

CPE/CEU: Claim it, and if they question it, they can refer back to us.

Whether you’re a pre-professional, entry-level, mid-career, senior practitioner or security leader, ISSA offers strategic resources and guidance to successive career levels.
Membership Annual Cost: Professional $95, Student $30, plus Chapter Dues $30: Professional = $125 total, Student = $60.

New Members: Several people joined last month, welcome! Several more have joined since this slide was updated; as of tonight it looks like four.

Education: Resources on website, we are passionate about what resources are out there!
Goals: Provide educational resources, mentorship opportunities, teambuilding/collaboration, hands-on industry tool familiarization, certification tracking/pipeline

Free certification and Training:
Purdue University Northwest (PNW)
Free Online Cybersecurity Workforce Certification Training: Roland himself has done this program! You can pick different levels.

Hatch Apprenticeship Program: a 6-month software engineering apprenticeship offered by Twilio for anyone interested in cybersecurity; normally entry-level courses that progress (on-the-job-style training) with a chance to be hired.

Reading List: Blog of the Month: “Mother of all Breaches” (January)

A massive data leak known as the "Mother of All Breaches" (MOAB) was discovered in January of this year. It is believed to be the largest ever, containing 26 billion records and 12 terabytes of information from platforms such as LinkedIn and Twitter. It compiles data from numerous previous breaches and private databases. The source was initially unknown, but a data breach search engine (LeakLookup) later claimed ownership and attributed the exposure to a misconfiguration, which they have since rectified. Although MOAB is primarily comprised of past breaches, it likely contains significant new, unpublished data; the sheer volume (26 billion records across thousands of breaches) suggests this. The owner, possibly a malicious actor or data broker, remains a concern. The aggregated data poses a serious threat because it could fuel identity theft, phishing attacks, targeted cyberattacks, and unauthorized account access (credential stuffing against reused passwords).

Everyone should read up on this breach, as a wide range of data may have been affected. Don't get complacent!

*NEW: ISSA Mentorship program:
Mentorship chair: Desmond Graham
Looking for volunteers, please reach out to us/Desmond if you are interested.
Mentorship Mixers: Want to learn from cybersecurity experts and network with hiring managers? Desmond is currently getting in contact with local companies and universities to find mentors.

*NEW Social Media Resources:
Zeffy is now used for event registrations; we sent an email out if you were signed up for those with Eventbrite. Eventbrite limited us to a certain number of sign-ups and has also begun to charge for the service.

Feel free to pitch in and share ideas on our Discord!
Discord: use the QR code, the link, or search "ISSA-HR".

You can also use the QR code, the link, or search for "Information Systems Security Association – Hampton Roads Chapter".

Be sure to also check out the Meeting recap on the ISSA-HR webpage!

Chapter Meetings and Social Events:
5 March: Barbara Cosgriff: Threat Modeling, a Practical Approach

2 April: Len Gonzales, (Ally Cyber Investigations LLC): Real-World OSINT Applications

7 May: Alex Reid, NRT Tool Developer: An overview of some recent tool developments

Looking for speakers for 2024 and an in-house backup speaker: please reach out to Evan Larsen (see email list at bottom) if you are interested or have a proposed speaker. It's nice to have a contingency if someone cannot be here.

Cyber Social: March 27th 6:30-8:00. It's a great casual event with a good turnout every time. No expectations, a great place to network. You can sign up for emails to stay in the know about these events!

After-Meeting Networking Happy Hour: after the ISSA meeting at Plaza Degollado.

Jobs: Have a job/Need a job: ISSA has a job search page.
Government Jobs: A great resource for federal resumes is the Federal Resume Guidebook by Kathryn Troutman, which gives insight into getting past the automated screening system.
Getting a government job is nothing like getting a regular job.

Need a Job: If you're looking for work, now's your chance to let us know! Let us hear your elevator pitch: an introduction, a summary of what you do (current role and why you are doing well there), relevant experience, your value and what problem you can solve, and a call to action for what you'd want to do next. Whether you are currently employed or just want to practice, now is a great opportunity.

Optionally, for an extra 30 seconds you can add other details such as clearance status; remote, on-site or relocation preference; additional education/certs not already mentioned; and other short details. We can post your email in the chat if you want; we will ensure it gets to the right people.

Who would like to start?
Charles: doesn't need a job, but can do a pitch.
Rick: New member, practicing his pitch as he is perhaps looking for a job. Worked DoD for the last 20 years, more recently doing some cloud-based cyber work in that time. Worked closely with DevOps and security teams. "Chaos testing, third-party stuff, risk management. There's a lot of things I think I can do and I have proven that. I have my master's in cybersecurity but no certifications."

Adam: Just finished his cybersecurity coursework; considered software development but chose cybersecurity. Did some tutoring while studying, groups of 10-20 students aged 6-15, managing 30 Raspberry Pis: basic electrical engineering, programming languages, circuit board basics. Recently got the Security+ certification; right now Ubering as a side gig. Five stars! "I love to excel at whatever I do and I hope that's cyber."

Have a Job:
Job title/Company/Type (Contractor, Government, Private sector, Internship, Full time, Part time)/Requirements (Years of work experience, Education, Certs, Clearance)/Desired experience, qualifications and any other information (keep it short)
Johnnie: works at SAIC! Always looking for people to work the service desk. If it's broke and belongs to NMCI, they take care of it. You've got to qualify for a clearance and go through the vetting period.

Presentation: Threat Modeling – A Practical Approach

Speaker: Barbara Cosgriff: served 6 years as an Army signal soldier, extensive resume, has led various teams, managing principal of product security, cybersecurity consultant, Certified Secure Software Lifecycle Professional (CSSLP). We are very excited to host Barbara's talk about threat modeling.

Barbara: "How many people here have done threat modeling? I would challenge all of you to say you have done threat modeling: you lock your doors, you took COVID precautions; all of those things are threat modeling. It is the exact same set of techniques. The big difference is that you may not be comfortable with cybersecurity. It's the same concept."

"Threat modeling is big in cybersecurity right now: having the skill to come in and assess threats and risks, assessing critical CVEs and the like. Mostly speaking of threat modeling for applications, but everything can benefit from threat modeling concepts.
Usually does threat modeling training over a couple of days; this slide deck is from that.
Why do we need to threat model? What threat modeling is, how threat modeling is done, common program implementations, what works and what does not, and then, for security team leads or program managers, a practical program implementation and how you engage people."

Why Threat Model?:
It allows you to identify threats during the design phase, with benefits that grow as work moves to the right along the DevSecOps spectrum: reducing the risk of production vulnerabilities and the cost to mitigate them.
"SSDF/SBOM/Zero Trust/CMMC are all examples of recent government implementations.
The Sarbanes-Oxley of tech; it's a long time coming.

"Johnson Controls was recently hacked (SCADA); it cost a lot. A lot of the time, when these breaches are investigated, it's things that "weren't looked at" or are "30 years old". The world... is watching.

So many things happening: LinkedIn was breached a year and a half ago. Barbara has stopped collecting the notification letters.
Now critical infrastructure, healthcare, many varieties of systems are being targeted. "Imagine if they took out the right critical infrastructure."
With the advent of APIs we no longer have the ability to separate our software.

These vulnerabilities are all around us: smart homes, Teslas, SCADA. It happens in Hollywood (Leave the World Behind, 2023) and can also happen in real life.
"We can sit and write code forever, look at third-party repos, etc. Threat modeling acts as an outside person to give more insight."

What is threat modeling?:

"A structured approach for analyzing the security of an application, product or system: databases, third-party entities, servers, and data flow (the critical part), how data gets from one part to another and how we protect the assets in between."

What does it do for us and how?

Optimizes software and/or network security by:
>Identifying objectives, modeling the architecture, identifying threats and defining controls to prevent or mitigate the effects of threats
>Maintaining a risk register for threats that are not prevented or mitigated
>Validating that implemented controls are effective

"Imagine architects asking these questions and saying, 'Wow, I didn't think of that.'"

Most of these are requirements these days.

When should I threat Model?:
>Threat modeling happens during the design phase, allowing teams to address threats early in the software development lifecycle and reducing the cost of mitigation.
>Documenting a product's security architecture by creating a threat model is a key step in ensuring the product maintains its security assurances and can defend itself against external threats.
>A threat model allows teams to take a structured approach to evaluating the security level of a product, prioritize risks, and implement risk-mitigating controls to reach a level of security assurance that falls within an acceptable risk level.

"Are we validating input? Originator? Origin/destination? Threat modeling should happen in the design phase. It allows threats to be addressed early, and up to 10x less expensively. Documenting security architecture: key steps to maintain security assurance; that alone helps to defend against external threats. Establishing and meeting an acceptable risk tolerance level. Policy exceptions. All of these things; ideally someone on the security side has that kind of support when working with developers."

Reviewing Secure Software Foundation:

"Core concepts of security controls, still the regular controls as described in the CISSP CBK, the CIA triad.
That is the foundation of all threat modeling: looking at integrity, confidentiality, availability."

Secure design concepts:

Least Privilege
Separation of Duties
Defense in Depth
Fail Secure
Economy of Mechanisms (KISS)
Complete Mediation
Open Design
Least Common Mechanisms
Psychological Acceptability
Weakest Link
Leveraging Existing Components

“Being able to have this kind of list somewhere can be referred to.”

Relevant terms:
>Probability: the chance that a particular threat will occur
>Impact: how serious the disruption to the organization's ability to achieve its goals would be
>Exposure Factor: the opportunity for a threat to cause loss
>Controls: mechanisms by which threats to software and systems can be mitigated; vulnerabilities are reduced by security controls

Risk Management Conception:
Visual example showing the relationships between risk management concepts: asset value; the asset owner's wish to minimize risk by imposing controls; and those controls reducing risk while possibly possessing vulnerabilities that lead to further risk.
Threat agents who wish to abuse these assets, giving rise to threats that exploit vulnerabilities, are also considered.

"How many times have you heard, 'That'll never happen'? Understanding threats, how vulnerabilities are associated, as well as risk, helps in determining risk appetite."

There are 3 general approaches to threat modeling:
>Software-centric
>Attacker-centric
>Asset-centric
"Trying to figure out the thought process of a hacker, common goals, abilities. This method is based on whatever you are trying to protect. A little difficult to follow in a broad sense."

CJ: intrigued by asset-centric. Something might be vulnerable, but because of its placement behind certain security layers, is it any more or less vulnerable? Is it like that idea?

"A little different. If you have those controls (defense in depth) it can help, but think about human assets: if someone makes a vague threat versus threatening a leader or a state, different levels of protection will be the response. It's hard to judge what is considered more worthy of protection."

Pre-Threat Model work:

Security requirements:
Know your requirements:
>Perform Security Policy & Standards Decomposition
>Review Secure Coding Requirements/Guidelines
>Clarify Product Security Objectives

"We don't always make it easy: healthcare = HIPAA, FDIC, NYDFS, etc. We will come back to this. You cannot start threat modeling without identifying the drivers: secure coding policy (if you have one), clarifying product security objectives."

The four Phases of threat modeling:

Phase I: Model Application Architecture

Phase II, Decompose application:
>Identify Trust Boundaries
>Identify Entry Points
>Identify Exit Points
>Identify Data Flows
>Identify Privileged Functionality
>Identify Mis-Actors(Threat Agents)
>Determine Potential, Applicable Threats

"Put yourself in the mind of the developer: trying to understand trust boundaries, entry/exit points, documenting all of this from a visual perspective similar to the earlier slide, data flows included, privileged functionality, admin access.
Figure out who's planning to hack this; determine applicable threats."

Phase III: Identify Threats and Controls:
Two common ways of identifying your threats:
Attack tree methodology: requires a good understanding of how an attacker thinks.
Categorized threat list, such as STRIDE: a mnemonic system developed to aid with identification of security threats.

"Not just thinking like an attacker but being an attacker. STRIDE is one of the most common mnemonic systems of categorization; shown below is what the acronym stands for and what each category affects:
>S: Spoofing- Processes, External Entities
>T: Tampering- Processes, Data Stores, Data Flows
>R: Repudiation- Processes, Data Stores, External Entities

>I: Information Disclosure- Processes, Data Stores, Data Flows
>D: Denial of Service- Processes, Data Stores, Data Flows
>E: Elevation of Privilege- Processes

Threat Category, Violated security principle
>Spoofing: Authentication
>Tampering: Integrity
>Repudiation: Non-Repudiation
>Information Disclosure:  Confidentiality
>Denial of Service: Availability
>Elevation of Privilege:  Authorization

STRIDE List, Example Threats:
>Spoofing: Cookie Replay, Session Hijacking, CSRF
>Tampering: XSS, SQL Injection
>Repudiation: Audit Log Deletion, Insecure Backup
>Information Disclosure: Eavesdropping Verbose Exception, Output Caching
>Denial of Service: Website Defacement
>Elevation of Privilege: Logic Flaw
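STRIDE-per-element applied to a decomposed model, as an added example written for these notes (not part of Barbara's slides or any project's code). It assumes a constructed three-zone web application (Browser, Web API, Orders DB, Report Scheduler) and uses the element-to-category mapping from the table above; flows between trust zones are flagged as entry/exit points and sorted to the top of the candidate list:

```python
"""Added example (not from the talk or its slides): a STRIDE-per-element pass
over a decomposed application model, covering Phase II (trust boundaries,
entry/exit points, data flows) and Phase III (candidate threat enumeration).
Element, zone and flow names are constructed for illustration."""
from dataclasses import dataclass

# STRIDE-per-element: which categories apply to which DFD element kind,
# as listed on the slide (S/T/R/I/D/E).
STRIDE_PER_ELEMENT = {
    "process":         {"S", "T", "R", "I", "D", "E"},
    "data_store":      {"T", "R", "I", "D"},
    "data_flow":       {"T", "I", "D"},
    "external_entity": {"S", "R"},
}

# Security principle each category violates (slide: "Threat Category,
# Violated security principle").
VIOLATED_PRINCIPLE = {
    "S": "Authentication", "T": "Integrity", "R": "Non-Repudiation",
    "I": "Confidentiality", "D": "Availability", "E": "Authorization",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "process" | "data_store" | "external_entity"
    zone: str   # trust zone, e.g. "internet", "dmz", "internal"


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element

    def crosses_trust_boundary(self) -> bool:
        # A flow between two trust zones is an entry/exit point of the
        # receiving zone, which is where review effort should go first.
        return self.src.zone != self.dst.zone


@dataclass(frozen=True)
class Threat:
    target: str        # element or flow the threat applies to
    category: str      # one letter of STRIDE
    principle: str     # violated security principle
    at_boundary: bool  # target sits on or crosses a trust boundary


def enumerate_threats(elements, flows):
    """Apply STRIDE-per-element to every element and flow in the model.

    Returns the candidate threat list with boundary-related targets first,
    so the review starts at the entry and exit points.
    """
    touched = set()  # elements with at least one boundary-crossing flow
    for f in flows:
        if f.crosses_trust_boundary():
            touched.update({f.src.name, f.dst.name})

    threats = []
    for e in elements:
        if e.kind not in STRIDE_PER_ELEMENT or e.kind == "data_flow":
            raise ValueError(f"unknown element kind {e.kind!r} for {e.name}")
        for cat in sorted(STRIDE_PER_ELEMENT[e.kind]):
            threats.append(Threat(e.name, cat, VIOLATED_PRINCIPLE[cat],
                                  e.name in touched))
    for f in flows:
        for cat in sorted(STRIDE_PER_ELEMENT["data_flow"]):
            threats.append(Threat(f.name, cat, VIOLATED_PRINCIPLE[cat],
                                  f.crosses_trust_boundary()))
    threats.sort(key=lambda t: (not t.at_boundary, t.target, t.category))
    return threats


def sample_model():
    """Constructed three-zone web application used for the demonstration."""
    browser = Element("Browser", "external_entity", "internet")
    api = Element("Web API", "process", "dmz")
    db = Element("Orders DB", "data_store", "internal")
    scheduler = Element("Report Scheduler", "process", "internal")
    flows = [
        Flow("Browser->Web API (HTTPS)", browser, api),
        Flow("Web API->Orders DB (SQL)", api, db),
        Flow("Report Scheduler->Orders DB (SQL)", scheduler, db),  # same zone
    ]
    return [browser, api, db, scheduler], flows


if __name__ == "__main__":
    for t in enumerate_threats(*sample_model()):
        flag = "boundary" if t.at_boundary else "internal"
        print(f"{flag:8} {t.category} {t.principle:16} {t.target}")
```

The output is only a candidate list: each (target, category) pair still needs a person to decide whether it is a real threat for this system and which control, if any, applies, which is what the attack-tree or threat-list review in Phase III does. The scheduler's flow to the database stays in the same zone, so it is listed last rather than dropped; same-zone flows still get tampering, disclosure and denial-of-service entries.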

"If you continue with threat modeling, Shostack is like the godfather of threat modeling. They have tried to implement a P: STRIDEP... does not roll off the tongue as well.
Some of the info shown has come out of Shostack's book or from when he was at Microsoft. Not definitive."

I know my Threats, now what?

>Ultimately a good threat model provides the information needed to identify, prioritize, and implement controls that reduce risk to an acceptable level in support of the core security concepts (Confidentiality, Integrity, Availability, Authentication, Authorization, and Accountability (Non-Repudiation)).
>Prioritize Threats
>Identify Controls
>Implement Controls

"You also need to know if you have a threat in here that is critical/high that you will not mitigate, and why you won't mitigate it, all of this while you are developing."

Prioritizing Threats-Ranking:
Three common ways to rank threats
>Average ranking: (D+R+E+A+Di)/5
   – Damage
   – Reproducibility
   – Exploitability
   – Affected users
   – Discoverability
"Score each one through five, or one to ten, and see where the number falls. Those are the things you need to focus on first."

>Probability x Impact (PxI) ranking:
   – P = (R+E+Di)
   – I = (D+A)

>Delphi ranking (though Barbara has never seen it done)
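The two ranking formulas above carried through in code, as an added example for these notes (not from the slides). It assumes integer scores on a 1..10 scale (the slide allows 1..5 or 1..10) and a constructed set of three threats chosen so the two methods disagree:

```python
"""Added example (not from the talk): the two DREAD-style rankings on the
slide, average ranking (D+R+E+A+Di)/5 and Probability x Impact with
P = R+E+Di and I = D+A, applied to a constructed threat list."""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 10   # assumption; the slide allows 1..5 or 1..10


@dataclass(frozen=True)
class DreadScore:
    threat: str
    damage: int           # D
    reproducibility: int  # R
    exploitability: int   # E
    affected_users: int   # A
    discoverability: int  # Di

    def __post_init__(self):
        # Reject out-of-scale scores up front; a single 0 or 11 silently
        # skews both rankings otherwise.
        for name in ("damage", "reproducibility", "exploitability",
                     "affected_users", "discoverability"):
            v = getattr(self, name)
            if not (SCALE_MIN <= v <= SCALE_MAX):
                raise ValueError(f"{self.threat}: {name}={v} outside "
                                 f"{SCALE_MIN}..{SCALE_MAX}")


def average_rank(s: DreadScore) -> float:
    """(D + R + E + A + Di) / 5, the average ranking from the slide."""
    return (s.damage + s.reproducibility + s.exploitability
            + s.affected_users + s.discoverability) / 5


def probability(s: DreadScore) -> int:
    """P = R + E + Di: how likely the threat is to be found and exploited."""
    return s.reproducibility + s.exploitability + s.discoverability


def impact(s: DreadScore) -> int:
    """I = D + A: how bad it is when it happens."""
    return s.damage + s.affected_users


def pxi_rank(s: DreadScore) -> int:
    """Probability x Impact ranking."""
    return probability(s) * impact(s)


def prioritize(scores, method="pxi"):
    """Return threats ordered highest priority first under the chosen method."""
    rank = {"average": average_rank, "pxi": pxi_rank}[method]
    return sorted(scores, key=rank, reverse=True)


def sample_scores():
    """Constructed scores: a rare-but-severe threat, a common-but-minor one,
    and one that is bad on every axis."""
    return [
        DreadScore("Stolen signing key lets attacker push malicious update",
                   damage=10, reproducibility=1, exploitability=1,
                   affected_users=10, discoverability=1),
        DreadScore("Verbose stack trace leaks framework version",
                   damage=3, reproducibility=5, exploitability=5,
                   affected_users=3, discoverability=5),
        DreadScore("SQL injection in order search",
                   damage=8, reproducibility=7, exploitability=6,
                   affected_users=9, discoverability=7),
    ]


if __name__ == "__main__":
    for method in ("average", "pxi"):
        print(f"--- {method} ---")
        for s in prioritize(sample_scores(), method):
            print(f"avg={average_rank(s):4.1f} pxi={pxi_rank(s):4d}  {s.threat}")
```

The rare-but-catastrophic threat (damage 10, affected users 10, everything else 1) ranks above the noisy stack-trace leak under the average (4.6 vs 4.2) but below it under P x I (60 vs 90), because averaging lets three low likelihood scores dilute a high impact score while P x I keeps the two factors separate. Whichever formula a program adopts, the same one should be used across every threat model so the numbers are comparable between products.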

Sample Threat Mitigations: Spoofing
Mitigations for Authentication Principle Violation:

>Authenticate Users: Basic authentication, Digest authentication, Cookie authentication, Windows authentication, Kerberos authentication, PKI systems such as SSL/TLS and certificates, IPsec, digitally signed packets.

>Authenticate Code or Data: Digital signatures, Message Authentication Codes, Hashes.
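One of the "Authenticate Code or Data" mitigations worked through, as an added example for these notes (not from the slides): HMAC-SHA256 over a message next to a bare SHA-256 digest, using only the Python standard library. The key and the order messages are constructed for the demonstration:

```python
"""Added example (not from the talk): authenticating data with a Message
Authentication Code, one of the "Authenticate Code or Data" mitigations on
the slide.  Shows why a bare hash is not an authenticator: anyone who can
change the data can recompute it, while an HMAC needs the shared key.
The key and messages below are constructed for the demonstration."""
import hashlib
import hmac


def unkeyed_digest(data: bytes) -> str:
    """Plain SHA-256: detects accidental corruption only."""
    return hashlib.sha256(data).hexdigest()


def verify_unkeyed(data: bytes, digest: str) -> bool:
    return hmac.compare_digest(unkeyed_digest(data), digest)


def mac(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag over data; only holders of key can produce it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, data: bytes, tag: str) -> bool:
    """Constant-time comparison so a byte-by-byte timing leak cannot be used
    to forge a tag."""
    return hmac.compare_digest(mac(key, data), tag)


def tamper_demo(key: bytes):
    """Return (original_accepted, unkeyed_forgery_accepted, mac_forgery_accepted)
    for a tampered message whose attacker does not know key."""
    original = b"order=42;amount=10;ship_to=warehouse"
    tampered = b"order=42;amount=10;ship_to=attacker-po-box"

    # Sender protects the message both ways.
    digest = unkeyed_digest(original)
    tag = mac(key, original)
    original_accepted = verify_unkeyed(original, digest) and verify_mac(key, original, tag)

    # Attacker rewrites the message and recomputes what they can.
    forged_digest = unkeyed_digest(tampered)   # no key needed
    forged_tag = mac(b"guess", tampered)        # wrong key: tag will not verify

    unkeyed_accepted = verify_unkeyed(tampered, forged_digest)
    mac_accepted = (verify_mac(key, tampered, forged_tag)
                    or verify_mac(key, tampered, tag))  # reusing the old tag fails too
    return original_accepted, unkeyed_accepted, mac_accepted


if __name__ == "__main__":
    print(tamper_demo(b"constructed-demo-key-do-not-reuse"))  # (True, True, False)
```

A hash alone only catches accidental corruption: whoever changed the message can recompute it, so the tampered order is accepted. The HMAC needs the shared key, so the tampered message fails verification whether the attacker guesses a key or replays the original tag. compare_digest is used for both checks so the comparison time does not leak how many leading bytes of a guessed tag were right.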

Sample Threat Mitigations:
Violated security principle/Mitigation

Integrity: ACLs, digital signatures, message authentication codes
Confidentiality: Encryption, ACLs
Availability: ACLs, filtering, quotas, authorization, high-availability design
Non-Repudiation: Strong authentication, secure logging and auditing, digital signatures, secure timestamps, trusted 3rd parties

Phase IV, Validate & Document:

Document Artifacts:
While much of the work goes into building the threat modeling diagram, some artifacts should persist:

>Architecture model Diagram demonstrating attack surface
>Data access control matrix
>Data flow diagrams
>Attack Surface
>Threat/Control Table
>Risk Matrix

Residual Risk Register:
Table format, categorized by Threat ID (1-5), Stance (Ignore, Accept, Avoid, Transfer) and Justification.
>Identified threats and controls should be viewed as requirements that drive the Security Assurance Plan
>Security test cases should be captured in the same test case repository where functional and other non-functional test cases reside
>The Security Assurance Plan section of the Threat Model document should refer to the test case repository where the security test cases reside
>Security test cases should have some type of metadata that allows them to be retrieved through reporting
>Security test cases should be executed and reported on during functional testing

"Developers putting this together sometimes take the strategy for granted; a tester comes in and calls out missing links, not that they were missed intentionally, but missed.
Even accepted or ignored risks need to go into a security assurance plan for validation. Need to make sure it was thought of. Should be in the same repository as data regression.
The threat modeling document should note the location of that.
Security test cases should have some kind of metadata reporting. It's hard to show otherwise what was prevented/corrected."

Identifying Controls:

Make it Make Sense:
>Execute an Inherent Risk Assessment (IRA) against everything in scope: applications, products, systems.
>Cross-reference IRA results with all relevant regulatory, statutory, and contractual security requirements.
>Inform teams where to find security requirements.
>Build a source code repository to store all threat models.
>Require inclusion of control validation in QA/QE testing.
>Start all threat models with an interview.
>Provide teams with turnkey resources that teach them to identify threats and controls.

"No one wants to do threat modeling, typically, unless you are on the security team responsible. It may not be your number one job. It may fall to someone low on the totem pole. There can be things missing when that job is delegated. We cast aside the Threat Modeling Manifesto, or even never verify it's working properly.

What are other companies doing? You have to get your "ducks in a row" as a security team; coming in as a third-party consultant, you have to make it easy for them. Consider home automation/smartphones: it's all easy.
All things in scope should have a regular inherent risk assessment, and log those risks. What can be answered inherently without even knowing the product? What is it transmitting? Protecting? Is it externally accessible?"

CJ: the list of questions you would ask without having to think too hard about it.
You establish this calculation and categorize critical/high/medium/low: do they need to be pentested every year/release?

"Cross-reference the inherent risk assessment with regulated security controls.
Don't just give a questionnaire; build the relationship by having a conversation with them. Boost that morale. Inform the teams where they can find security requirements. You can store threat models in a source code repository to pull from, and also the risk register and threat model in source code.

Don't just tell them to do it. Get your ducks in a row!
Require inclusion of control validation in QA/QE testing. Start all threat models with an interview; talk about external entities, make it a conversation and it will be better appreciated. It doesn't have to be perfect the first time.
Lastly, provide teams with turnkey resources that teach them to identify threats and controls...
And recognize them!!

Influence the culture but also bring the knowledge in. Secure by design. If you are doing those things, there are few things you still have to do to reduce your risk further: if you validate input, encode output, don't allow untrusted data or don't let it make any decisions, and reduce the surface. Added cross-site request forgery, trusting things and making sure they're secure. The problem is we are working off of decades and decades of nobody thinking security mattered in software, or companies that don't upgrade their software, and it doesn't seem to matter until the breach."

Resources to assist identifying threats:
>Checklists: Secure Development Standards/Guidelines,
>Weakness Lists: OWASP Top 10, Common Weakness Enumeration (CWE)
>Attack Trees & Frameworks,
>Attack DBs: CAPEC

"By telling your team, now they have a list. But just telling them may actually make it worse. Show them checklists, secure development standards and guidelines. These can be pulled from resources: OWASP, the MITRE ATT&CK framework (a good way to get into the mindset of an attacker), weakness lists; all of these things can provide good examples. There are now Top 10s for everything, Top 25s, etc., broken down and explained. Going through and looking through their works. Going through CVEs as they happen: vulnerabilities have CWEs attached to them. You can take the CWE, observe what has been exploited, and have the conversation as a security person with the development team. CAPEC, Common attack patterns and Protection (MITRE): how attack patterns work, gives examples of what level the person using these attacks would have to have. Great for identifying threats."

Resources for implementing controls:
>Checklists: OWASP Top 10 Proactive Controls/OWASP ASVS
>Countermeasure Graph: D3FEND (MITRE)
>Attack DBs: CAPEC
"Working to be proactive about security. D3FEND answers what to do; they all map back and forth."

Threat Modeling Resources:
Threat Modeling: A Process To Ensure Application Security (SANS whitepaper download)
ISC2 CSSLP study resources
Threat Modeling: Designing for Security by Adam Shostack

"Good list if getting into software at all, to also include Adam Shostack's book."

Barbara’s Contact:


Thanks Barbara!

Business Meeting:

Old business/New business (Mentorship program, Conference Participation)/Secretary Meeting Minutes/Membership Updates/Treasury Report/Social media Updates

Old Business: *Special Event* Cyber Range Live Fire Attack Simulation Workshop tform/cyber-range/

CyberForge 2024: was a great time!

Social Event – Casual Pint, Feb 28

New Mentorship Program

New Business:
Tidewater Science & Engineering Fair: March 10th 2024 (see slide below)
ISSA Mentorship Program: led by Desmond Graham
Conferences
Volunteer Events: What would members like to participate in? Who can volunteer to lead?

ISSA Website SSL Issue: Big ISSA is no longer responsible for SSL at the chapter level.
Big ISSA handles the hosting, which we need access to in order to handle this.

70th ANNUAL TIDEWATER SCIENCE & ENGINEERING FAIR: It's a shame our budget isn't bigger.
The regional Tidewater Science and Engineering Fair will be held on Sunday, March 10, 2024.
Judges’ registration 8AM-8:25AM, Judging concluding around 11:30AM.
Registration Link: (Google Forms), will get an email when form is received. Your expertise and support of student research is important to the success of the Tidewater Science and Engineering Fair. Thank you for Your continued Support!

We have been trying to brainstorm; it is short notice (this Sunday). They have two categories, middle school and high school.
In the past we have given prizes: $200 for seniors, $100 for juniors, gift cards, Raspberry Pis. We love to give awards; it's very fulfilling. We definitely want to get our finances up to be able to contribute better next year.

Mentorship program:
Desmond is reaching out to schools in the area; if you are interested in mentoring, please let us know.

Conferences: (Slide 26)
CyberScape Summit: March 7th in Reston VA: $20-$349,

TechNet Emergence: March 11th in Reston VA: $0-,

ATARC's Federal Zero Trust Summit 2024: March 13th in Washington D.C.: $0 (for DoD)-$495,

Cloud Safe Task Force Summit: March 19th in McLean VA: $0-,

Cybsafe’s Impact Conference 2024: March 21st in McLean VA: $0 FREE

Baltimore Cybersecurity Summit: April 4th in Baltimore MD: $195-,

Cybersecurity Roadshow: April 18th in Richmond VA: $0-,

5th Annual Digital Forensics for National Security Symposium: May 15th-16th in National Harbor MD: $0-$1,290,

HammerCon 2024: May 16th in Laurel MD: $0-$150,

Gartner Security & Risk Management Summit: June 3rd-5th in National Harbor MD: $3,825-,

RVASEC: June 4th-5th in Richmond VA: $375-,

TECH YEAH Conference: June 19th-20th in Morgantown WV: $0-(DoD $199),

TECHSPO 2024: July 1st-2nd in Washington D.C.: $0-,

BSides Roanoke 2024: July 12th in Roanoke VA: Pricing unav. At time of writing, used to be free. If you want to guarantee getting in for free, or after tickets are no longer available, volunteer!

DC Metro Cybersecurity Summit: July 18th in McLean VA: $195-$250,

DISA J6 Cyber Awareness Forum 2024: July 25th in Alexandria VA: $Free, but DoD only.

Black Hat USA 2024: August 3rd-8th in Las Vegas, NV: $1,895-,

DEF CON 32: August 8th-11th in Las Vegas, NV: $300-,

AFCEA (Armed Forces Communications and Electronics Association) Maritime IT Summit in Norfolk, coming up June 4th through 6th. Will be on the list at the next meeting.

Kenn: Trace Labs is having an online CTF in April.

Membership Update:
Number of members: 50. New since last meeting: 9 members, 11 visitors. Some expiring members have renewed; if you have not, you should be seeing an email from Charles.

February 6 Meeting Minutes:

Meeting recap on website:
Presentation: Kenn Jensen with Understanding the Essence of OSINT: A Strategic Guide for Uncovering Insights When Looking for Your Dream Home.
Chapter updates including the mentorship program and the Income and Sponsorship Committee; $4,256.97 recorded.

Treasurer Report:
Balance: still $4,256.97, less fees; we have been getting hit with Bank of America fees for being under $5k.

Income and Sponsorship Committee: Our funds are dwindling, so we are trying to figure out how to get back to $5,000.
Johnnie has seen something called a "Happy Hour fund": you can brag about something, but you have to pay a nominal fee; he has seen it in use.

Kenn remembers when he worked at a fire department, a pool would come together like a lottery; the winner would get half the pot and the rest would go back to the department.

2024 Events Calendar:

Social Media:

Discord is growing quite a bit! Having discussions and scheduling meetups; a great way to stay in the know.

Email Addresses: may not be currently up to date (the Community and Mentorship addresses are currently not working).

After Meeting:
Plaza Degollado

Please give us feedback!: What did you like? Recommendations for future meetings? What could make your experience better?
Send your feedback to President@ISSA-HR.org

Thank you for coming out!