Storytelling as a Service in InfoSec

Storytelling. It’s not just for campfires and young children’s classrooms anymore.

It’s a method of communication that engages the listener and teaches or persuades them, often without them even realizing it. It’s been recognized for a while in the business world as a strategic tool, as evidenced by these headlines:

From Bedtime to the Boardroom: Why Storytelling Matters in Business (Entrepreneur, 11 April 2015)

The Irresistible Power of Storytelling as a Strategic Business Tool (Harvard Business Review, 11 March 2014)

Storytelling: The New Strategic Imperative of Business (Forbes, 04 April 2016)

Which keywords pop out at you from those three headlines? I see the words strategic, imperative, and matters. What else is strategic, imperative, and very much matters? Information Security.

So, why isn’t the InfoSec industry embracing storytelling as a tool? Perhaps the easy answer is that storytelling can arguably fall more into that “soft skill” realm which is dreaded by many tech-brained persons. But, the reality is that communication skills are vital to InfoSec jobs, whether that communication be solely among your team, or externally with end users, vendors, or executives.

Stories make presentations better.
Stories make ideas stick.
Stories help us persuade.
(HubSpot, 01 February 2017)

My wish for the InfoSec community is that more people embrace improved communication and storytelling skills, whether in written or oral communication. Many of the challenges we face as InfoSec professionals stem from end user behavior or from resistance from executives or other departments who don’t understand what we do. If we all got better at communicating, some of those misunderstandings or confusion could eventually be alleviated. We do a pretty good job communicating with each other as InfoSec pros; let’s take the next step and put in an effort to communicate with the people around us who are consumers of the security we manage.

It could also help your career. Now more than ever, businesses, workers, and leaders have opportunities to stand out, spread messages, and make change through storytelling. Look at this real job posting:

The skill Jason Haddix described there is storytelling. Notice I called it a skill, rather than something innate. Sure, some people will be more naturally gifted storytellers. Some cultures and tribes have long traditions of skilled storytelling as a craft. But that doesn’t mean you can’t learn and hone this skill just as you learned and honed a programming language or other technical ability.

Think of a story as a mnemonic device for complex ideas. (Annette Simmons)

To get you started, here are some resources to put you on the path to being able to persuade, influence, encourage, support, and educate people through weaving words into storytelling.

Humans simply aren’t moved to action by ‘data dumps,’ dense PowerPoint slides, or spreadsheets packed with figures. People are moved by emotion. The best way to emotionally connect other people to our agenda begins with “Once upon a time…” (Jonathan Gottschall)

Where does your story begin?



Empathy in Incident Response

His email message to the SOC was succinct. “I clicked on a suspicious link,” he wrote, “What do I do now?”

My first reaction wasn’t one of anger or contempt. I was relieved, actually. Relieved that he alerted the team. (I don’t think I even want to know how many clicks on suspicious links go unreported.) I was eager to take on this challenge, so I quickly located the email in question and examined it.

Then, I called him. On the phone. To talk to him. In person.

He seemed nervous to take my call. I could tell, even before he said it, that he had a cold. You could hear it in his voice and in his breathing. He apologized profusely for clicking on the link, explaining that he was sick and wasn’t thinking clearly.

Not only did I channel my transferable skills of dealing with customers and end users from my past careers as a librarian and a travel agent, but I also drew on the advice and lessons learned shared by InfoSec pros like Lesley Carhart, Ariel Robinson, Jayson Street, and Swift on Security, to name a few.

I first thanked him for his email and for letting us know. I told him that he did a good thing by saying something and that together we would work this out. Since I had examined the email in my sandbox, I knew what the end result would be based on his clicks. I asked him to walk me through his actions. I never used the phrase “what did you do,” because that sounds like blame. I would prompt him to his next step by saying, “and what was your next action?”

To me, the email looked like an obvious phish. I was curious about his side of the story. Without any prompting, he explained that he was on a lot of cold medicine and used poor judgment. I could hear the stress come back into his voice as he said this, and he apologized profusely.

I walked him through some troubleshooting steps on his computer and, based on his answers coupled with my own findings, told him that it seemed like he had dodged a bullet. I described to him the steps to run a virus scan, just as a precaution.

I ended the call basically the way it began. I thanked him for alerting us. He sounded less stressed and thanked me. I genuinely told him that it was my pleasure to help. I told him that I hoped he got well soon. I told him to be careful online and to have a cyber safe day.

This entire incident response took less than 10 minutes. I realize that one can’t take 10 minutes for every end user who clicked on a suspicious link. But, for when you can spare some time, show empathy. The language I used and the steps I took were in service of the greater goal of creating a culture of security.

When I first started at this SOC job four months ago, I used to surprise people by merely letting them know that real humans worked on the security team. I think they assumed a bunch of blinky boxes were involved. But, I am human and I do have empathy for the end user in a time of incident response.



Internet Librarian 2016 – Encryption and Information Security

Thank you for attending the Internet Librarian 2016 session, “Encryption & Information Security,” held Tuesday, October 18, 2016, from 11:30 am – 12:15 pm.

Jessy Irwin @jessysaurusrex & Tracy Z. Maleeff @InfoSecSherpa


For a full summary, see Don Hawkins’ article for Information Today.

Here are the resources mentioned during the session:

Federal Trade Commission – When Information is Lost or Stolen (checklist)
Federal Trade Commission – (website)
Federal Trade Commission – Recovering from Identity Theft (blog post)

Proton Mail – Free encrypted email (website)
Signal – Encrypted messaging tool (website)

Tony Porterfield – EdTechInfoSec: Tracking Information Security and Privacy Issues in Education Technology (blog) @edtechinfosec on Twitter

Library Freedom Project – Alison Macrina @flexlibris on Twitter

Hardware-Based Keyloggers Found in the Library of a Canadian University (article)

Hacked: A Case Study from the University of Michigan (blog post)

Troy Hunt – Have I Been Pwned? allows you to search across multiple data breaches to see if your email address has been compromised (website) @troyhunt on Twitter

PC Magazine – The Best Password Managers of 2016 (article)
Ars Technica – The Impossible Task of Creating a “Best VPNs” List Today (article)

Miscellaneous infosec-links (PDF) from Tracy’s Internet Librarian 2016 pre-conference workshop, “IT Security 101.”

Podcasts are a great resource for learning more:
Defensive Security
Brakeing Down Security with Bryan Brake
PVC Security (full disclosure, Tracy is a co-host of this podcast!)
Advanced Persistent Security
Southern Fried Security (hasn’t been updated in a few months, but their older posts are still good)

Thanks for attending this session!

Tactical Edge – Colombia on the Silver Screen

Tactical Edge is the premier information security conference in Latin America! It will take place March 7-8, 2018 in beautiful Bogotá, Colombia. This conference will be rich in security knowledge, in a country that is passionate about its culture.

Colombia on the Silver Screen by Tracy Z. Maleeff (@InfoSecSherpa)

The long history of the cinema in Colombia dates back to 1897. After some decades of turmoil with failed government film industry initiatives, Colombia has come into its own and is becoming more of a player on the international film scene. Bolstered by the Colombian government’s “Law of Cinema” in 2003, the country continues to entice filmmakers and studios with substantial tax breaks to set up production in the country.

One of the most critically acclaimed Colombian films is “Maria Full of Grace.” Catalina Sandino Moreno received a Best Actress Oscar nomination for her role as María Álvarez.

Colombian cinema has made a big name for itself on the world stage. New York City hosts the Colombian Film Festival annually and introduces American audiences to the fine art of Colombian film.

Semana, a weekly magazine of opinion and analysis in Colombia, published a list of the 50 Greatest Films of Colombian Cinema. Variety magazine keeps a column updated with news about the Colombian film industry.

The biggest box office success is perhaps “Love in the Time of Cholera” starring Javier Bardem. It is based on the novel by the late legendary Colombian novelist, Gabriel García Márquez.

See the wonders of Colombian film yourself when you are in Bogotá for the Tactical Edge conference, in one of these local theatres!

The 2016 Infosec Reading List by @highmeh

If you liked my August 10th post about InfoSec books for International Book Lovers Day, I have a treat for you!

Twitter user @highmeh sent out a similar call for InfoSec reading material on August 15th.

Great minds think alike. Right, Jayme?!

So, rather than be like, “I ALREADY DID THAT, DUDE!” I took the chill collaborative approach and was like, “Hey! I did something similar, let’s share results!” So here, as promised, is the list of InfoSec reading recommendations that Jayme received and he curated with links.

TwitterSec: Recommended Reading
(Google Docs — or whatever they are calling it these days.)

Thanks, Jayme, for working with me on this. Together, we shall spread the word of InfoSec reading material. Thank you to all the Twitter users who contributed recommendations to my list and Jayme’s!


Book Lovers Day – the InfoSec edition

August 9th is observed as International Book Lovers Day. (Or, is it National Book Lovers Day, just observed internationally?) Anyhow, there are lots of infosec books to love. So, I put the call out on Twitter to see which books the infosec community recommends.


But, first, *shameless plug klaxon* check out this ebook that dropped today, “Beginner’s Guide to Information Security: Kickstart Your Security Career with Insight from InfoSec Experts.” While I would hardly call myself an expert, I did write the first chapter about how to get started. I used my own experiences as a guideline. Go check out this Peerlyst publication!

Now, to the results of my informal Twitter poll. Here are infosec books recommended by infosec peeps. Listed in MLA format, in the order in which they were sent to me. The person who recommended the title will be listed, along with any comments.

Cherkashin, Victor, and Gregory Feifer. Spy Handler: Memoir of a KGB Officer – The True Story of the Man Who Recruited Robert Hanssen and Aldrich Ames. Basic Books, 2005. [@rootsecdev called it, “A good read on insider threats.”]

Stephenson, Neal. Cryptonomicon. Avon Press, 1999. [@secitup called it, “An oldie, but a goodie.”]

Zalewski, Michal. Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks. No Starch Press, 2005. [@wendyck]

Jaquith, Andrew. Security Metrics: Replacing Fear, Uncertainty, and Doubt. Addison-Wesley Professional, 2007. [@wendyck]

Seitz, Justin. Gray Hat Python: Python Programming for Hackers and Reverse Engineers. No Starch Press, 2009. [@wendyck]

Poulsen, Kevin. Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground. Crown Publishers, 2011. [@anseljh first recommended this book, then @NSQE added, “And also I second this. This was a tremendous book.”]

Zetter, Kim. Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon. Crown Publishers, 2014. [@anseljh]

Clark, Ben. RTFM: Red Team Field Manual. CreateSpace Independent Publishing Platform, 2014. [@willasaywhat said, “[It’s] a great field guide for pentesters without Google.” @secitup and @andMYcode agreed.]

Hubbard, Douglas W. The Failure of Risk Management: Why It’s Broken and How to Fix It. Wiley, 2009. [@maliciouslink]

Hayden, Lance. IT Security Metrics: A Practical Framework for Measuring Security & Protecting Data. McGraw Hill, 2010. [@maliciouslink]

Sikorski, Michael, and Andrew Honig. Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software. No Starch Press, 2012. [@maliciouslink]

Seitz, Justin. Black Hat Python: Python Programming for Hackers and Pentesters. No Starch Press, 2015. [@maliciouslink]

Shostack, Adam. Threat Modeling: Designing for Security. Wiley, 2014. [@maliciouslink]

Jacobs, Jay, and Bob Rudis. Data Driven Security: Analysis, Visualization, and Dashboards. Wiley, 2014. [@maliciouslink]

Erickson, Jon. Hacking: The Art of Exploitation. 2nd ed., No Starch Press, 2008. [@maliciouslink and @wendyck]

Freund, Jack, and Jack Jones. Measuring and Managing Information Risk: A FAIR Approach. Butterworth-Heinemann, 2014. [@maliciouslink]

Ligh, Michael Hale, et al. The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. Wiley, 2014. [@maliciouslink]

Engebretson, Patrick. The Basics of Hacking and Penetration Testing. 2nd ed., Syngress, 2013. [@andMYcode]

Murdoch, Don. Blue Team Handbook: Incident Response Edition: A condensed field guide for the Cyber Security Incident Responder. 2nd ed., CreateSpace Independent Publishing Platform, 2014. [@andMYcode]

Sanders, Chris. Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems. 2nd ed., No Starch Press, 2011. [@andMYcode]

Strand, John, et al. Offensive Countermeasures: The Art of Active Defense. CreateSpace Independent Publishing Platform, 2013. [@maliciouslink]

Blunden, Bill. The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System. 2nd ed., Jones & Bartlett Learning, 2012. [@maliciouslink]

Zenko, Micah. Red Team: How to Succeed by Thinking Like the Enemy. Basic Books, 2015. [@maliciouslink]

Anderson, Ross J. Security Engineering: A Guide to Building Dependable Distributed Systems. 2nd ed., Wiley, 2008. [@maliciouslink]

Stoll, Cliff. The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage. Pocket Books, 2005. [@bond_alexander]

Wu, Tim. The Master Switch: The Rise and Fall of Information Empires. Vintage, 2011. [@NSQE commented, “It’s not infosec, but understanding control of the network is crucial for security.”]

Sanders, Chris, and Jason Smith. Applied Network Security Monitoring: Collection, Detection, and Analysis. Syngress, 2013. [@kwestin]

Gomzin, Slava. Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions. Wiley, 2014. [@kwestin]

That’s a good start to a reading list for infosec book lovers! Thank you to all the Tweeps who replied. Reading is fundamental.