
all right we will go ahead and get started um my name is kathy allman i have a big long title not important um i've been around for a long time i'll talk about that in a second this talk is really going to talk about in part the history of the mess that we're in with cyber security right i mean who here knows that security is kind of a mess anybody know that anybody heard that yeah right security's a disaster what the hell are we doing if you don't know the history of computing and you may know some of the history as far as like apple and microsoft and some of that but if you don't know some of the other pieces of
history it may surprise you to realize that we got where we are because of where we've been so you'll see that the first part of this talk is really intended to give you some of that background so you understand kind of the mess we're in especially when it comes to fud which is you know fear uncertainty and doubt and that's really what we're going to focus on how did we get to this place of fud and then okay now that we're here how can we get move away from it so that's really the underlying theme today these are the topics we're going to talk about i'll talk just a little bit more about me you're welcome to ask me about me but
you don't want to hear about me so if you have questions i'll answer them but i'm not going to spend a lot of time there we're going to talk about the topic of fear in general and what it's supposed to do what people think it does and what it actually does and those are very very different things there's some really misguided information about what fear can do successfully and a lot of marketing folks take advantage of that and it's just not accurate we're going to talk about the cost of using that fear and the history of the fear that we see consequences and then how we can change that paradigm how can we change the
adventure we're on how can we choose our own adventure to make it better um what can we do moving forward and then i'll give you some final thoughts so me i'm a sloth but not really uh this was i need to update this slide actually this was my sloth mini mini was a sloth at the buffalo zoo for many many many years she unfortunately is no longer with us it's probably been five years now i think there is now another sloth at the zoo she was one of five and she was the the one that uh one of the ones that lived the longest there um ethel was the the most recent but uh yeah sloths love sloths so he's really
about me i always like to start with sloths because just because they're fun so like i said do some things speak some places um and i love sloths all right so let's talk about you know this this notion of fear take a look at this advertisement from 1989 1989 was for some of us 20 years ago right because i know for all of us you like grew up in around the 80s time frame the 80s were 20 years ago now let's look at this one really different not so much right what do they have in common fear fear right they're they're both trying to frighten you into doing something they're both marketing campaigns for some kind of technology something
to get you to do stuff they're radically different years it's a huge time span and yet none of it's changed so what can we think what do we think fear can do well we do things like we we think it's going to change behavior if i scare the heck out of you such that you don't want whatever it is you're afraid of maybe you won't do the thing right so we do things like a lot of organizations will do simulated phishing tests because they think if we scare people enough and they see the bad thing it's going to make them stop clicking how many believe it's going to make them stop clicking because they're afraid
nobody's raising their hands funny that right um it's it's an odd thing and somehow it's going to bolster that change but there's a cost associated with that we spend a lot of money on infosec now i updated the slides i haven't given this talk in a number of years the last time i gave this talk we were still in the millions of dollars that was like in 2017-18 we're down to trillions of dollars and that's just in the last couple years the expectation going into 2022 now is even higher we're spending so much money on this stuff to try to be safer guess what it's not working it doesn't matter how much money we're throwing at it
it's not effective and that and part of the reason it's not effective is because some of what we're throwing money at is fear-based so let's talk about something called blinky box syndrome so some of you i know shecky knows chris so chris roberts um probably most infamous for hacking an airplane is a friend of mine who talks a lot about blinky boxes and there's this whole idea that you buy a box that has a bunch of blinky lights and you plug it in and then what happens it's a magic bullet it's a magic bullet what i heard unanswered safe you're safe right blinky boxes are awesome they're the easy button of security okay so we'll come back to that so here's
what fear actually does if you don't scare people enough they get complacent because they're like ah you tried to scare me about the thing i don't really care anymore how many of you watch horror movies anybody in here like horror movies yeah a couple of you if you watch enough horror movies do they become scary after a while not at all why you've seen it all you're defensive you see that you get desensitized you don't care and that's the same thing we see in security if there's too much fear you're so terrified you can't think you can't move you're not gonna act it's not effective so it creates this negative energy it can create an over response right
this this overactive response because we're so afraid that we can't do anything so as i said we're going to kind of go back in time here and we're going to see the history of how we got to where we are with the fear marketing that exists it has always been by design this is before we got to technology per se who can tell me what this picture is what are the japanese internment camps the internment camps right in world war ii people were so terrified of japanese americans we threw them in a camp and said we're scared of you we're sticking you in this corner and then the marketing that you see on the other side here
we're starting to see some of that now even though it's not really the same we're terrified of the russians right the russians are coming to get us so fear by design is is pretty common unfortunately who remembers the orange book of joy anybody a few people yeah so the orange book anyone want to comment on what the orange book was it was just the standards at the time it was early standards list of things you have to do right what you had to do was a government document and it said if you want to be secure you have to do the following things nowhere in that book does it use the words information security cyber security none
of that it was policy stuff controls that's it right so here's the beginning of the internet in the mid-80s you had arpanet starts to expand who can tell me about arpanet anybody remember something about arpanet where it started with what its purpose was go ahead dave the dod funded project for four universities yup dod project for four universities with the idea that they wanted to create this network to back each other up because they were the only ones that had this computing power there's a lot of bizarre myths about this was some sort of weird early cyber defense no they were researchers that's the whole point so these researchers were doing research and if this entity went down this one
wanted to be able to pick up the work yes i also read that it was the government didn't want to buy specialized equipment for all these different universities so they said why can't you share it yeah yeah it was it's certainly a cost saving measure but initially the whole and that's really true as it expanded but initially it was just meant to be like a backup to each other so as it expands you get into something i mentioned bitnet here because this was my first experience and dave's chuckling because he's familiar with this but bitnet was one of the earliest networks that the suny system was on so for those of you not from around here
the state university of new york system has a whole bunch of colleges and a bunch of them wound up getting connected to all of this through something called bitnet um then you have the personal computer boom and companies using the internet so i mean this is like really fast forward through time right so where do the earliest security developments come into play well as people start getting connected they start to realize there might be some problems and we have these early viruses brain it was a copyright infringement tool that's all it was meant to do except it actually wiped some files that seems bad right and i'm sure some of you have at least heard the name
mcafee right he's he's no longer with us and he actually figures out a way to undo what this virus does and he gives it away for free and then goes on to make gazillions of dollars right with with antivirus but he starts out on a bulletin board system giving the solution away for nothing by the late 80s you have more antivirus vendors than viruses which is kind of nuts so that's some of the early technology we see the government jumps in government never overestimates the power of computing right never computing can do all the things it can take over the world so the government gets very very very nervous and they literally publish things that
they call it potentially devastating weapon this is early computing folks this isn't the matrix this isn't the stuff we're seeing today this is 1980s i mean for those of you who've even seen pictures of this we're talking big clunky machines we're not talking anything nuclear we're talking very basic but that was gonna ruin everything uh and especially now that we've had covid i find this particularly interesting the high technology equivalent of germ warfare can you imagine this is like computing covid oh no the morris worm hits which is uh one of the first most devastating worms in 1988 and it crashed one tenth of all the computers on the internet now mind you we're not talking about a ton of
machines because the internet was like this big at that point um and because that was so devastating they set up the first cert which does computer security research at carnegie mellon so there's already fear in place here folks and the government's fueling it in part because they're terrified so not only is there fear but there's now fear of external attack because we're not just talking about something on your on your desk that you're typing stuff into we're talking about connectivity and the cost of malware was getting rid of it was so expensive that the whole idea of spending a few bucks on each machine this doesn't seem unreasonable if if it costs me at the time
a gazillion dollars in my corporation to have this removed from the machines that are there then doesn't it seem reasonable that if i had to pay five to ten bucks a machine to prevent that this is you know worth the cost to do in business so we start to see pictures like that there are books like this and and these are some of the first uh books we see on internet firewalls because now we're having we're starting to connect all the things right and there's this fear of the outside coming in and the outside of course being on the other side of the firewall so we start to see these things in the early 90s who can tell me why this is important
go ahead checky first world wide web browser first world wide web browser but but what did that mean more people were accessible it was graphical in nature so people could actually see things and it made it easier for the general public to actually navigate the internet exactly so now your mother and your brother and your cousins and your uncles and your aunts and anyone who could afford a computer is now starting to get online we're not talking about universities we're not talking about places of research we're not just talking about the government we're talking about everyone so the world really changes in 93. because everybody starts getting online and don't you know virus protection is
just a matter of trust so here we are fast forward a little bit and we're still seeing the same kind of messaging about those blinky boxes we talked about so here's the beginning of your blinky box right we're so worried about attackers coming in we need to put a blinky box in place to keep the attackers out these are your early firewalls so long before what we think of as this firewall we had this dec seal it was a gateway it was literally a door essentially it kept attackers out and it was considered a fail-safe protection yay and then in 95 mitnick was like hold this right and he attacks the supercomputing center firewall who cares
and at that point we have more panic so how about today fast forward to today which is of course many more than 20 years later so the initial blinky box not so effective because we had somebody like mitnick who was able to get around it we now have even more technology we're now spending even more money we have all the money and we have all the blinky boxes is it any better yeah no let's look at the numbers here i just got this off the most recent report so 68 from 2020 to 2021 that's bad so it doesn't matter we're putting more blinky boxes in place we're doing all the things we're spending all the money
and we're getting nowhere that seems like a bad place to be so what are the consequences well i mentioned this in the very beginning right lots of marketing strategies using fud they're providing this information which we never hear about today um there's discouragement of of a competitor so don't buy x you should buy us because we're so much better um there's the story of ibm versus gene amdahl does anybody know that story yeah well amdahl made a machine that basically did the same thing the ibm 360 did for a lot less money and ibm said no you can't do that but there's another piece to it what else did they use about that what specifically did they use to
try to say you shouldn't buy amdahl's product so amdahl designed a computer that didn't have a fan in it why did he do that because he put the fan on the outside of the box or he puts a he put the power supply excuse me on the outside of the box if the power supply is on the outside of the box do you need a fan cooling it on the inside of the box no the whole point of the fan was to cool the power supply so he actually designed it in such a way that it would be more efficient ibm came along and said you don't want to buy this thing you'll burn your house down because
there's no fan no misinformation there right i mean it's crazy uh and i love this quote from from rich smith of duo the security industry generates fud in order to sell hope and i think that's pretty accurate so here's another uh quick example um this is an actual ad about emc and you know ibm so i don't know if you if you see this is an actual ibm thing so if you look carefully it's internal use only but you know it was on the interwebs so whatever so this is an example about competitors and this is very very common we have a really serious problem with fear and it's not just the words we're
using it's also the images and we fear what we don't understand who's ever seen anything like this
i want to know who hacks like this because that's pretty amazing can't see anything you can't feel the
but even mr robot doesn't do that right he just pulls his hoodie up maybe he's cold i mean you know i have a hoodie too and it's a black baby so this brings up the point and and i i mentioned this i know in some cases i'm i'm preaching to the choir here dave's heard this a million times my husband's heard this million times the media loves to use the word hacker in a pejorative way which is bad because the whole idea of being a hacker is understanding how something actually works not just the way it's intended to work it's important to realize that the media is what's twisted that and while it is really hard to change that
because getting the media to listen to anything is is difficult it's important to understand especially within the context of security that there are a lot of us who are hackers who are very proud of that we enjoy what we do we love to learn it's it's a passion for us and that's a good thing i bring this up because of fear hackers are bad no in the dev world my husband here is a developer and he sees issues in the dev world if you don't do it right and you blow up your your company essentially because your code is bad and you blow up the product that's terrifying so there's fear in all of these places
they don't teach security foundations in most cs programs that's a problem for developers and if you need extra time for code review for security stuff heaven help you because a lot of companies don't want to spend the time doing that so even in the dev world we have this issue it's a growth area it is a growth area it needs to grow exponentially um consistency has been a flaw for us so unlike a lot of other entities uh where consistency is a good thing right so like especially in an area say like banking or medical care consistency is really important um consistency winds up being a flaw for us because it's a business afterthought
we keep doing this the same way we buy a blinky box because we think it's going to fix things we work against the folks who are actually doing jobs in our organizations and we're not teaching security to cs folks so that seems kind of like insanity to me we're going to do the same thing over and over and we want different results and the same goes for the fear messaging when we don't understand something and we're really scared it becomes anger we get angry about what we don't understand and uh that turns to hate so that's really not ideal if you're using fear to try to get folks to do what you want them to do
that way leads to the dark side we don't want to do that all right how many of you in here are in the business in some capacity of cyber security a good chunk of you right so nope this is this is a heart but it says hate you call that right away all right so this is going back a little ways this particular study but these are ways in which security departments are thought of have you ever heard these things since you're in security right we're doom-mongers we're called the department of no the department of no and i took that very seriously um we are a very very small department at the university of buffalo and i made
it my mission when i moved into that office to make it the department of yes but which is a much better message because it tells the folks i'm working with i'm not here to tell you no i want to understand your business process i want to help you do what you're doing and i want you to do it more safely so how can we achieve that right but this is the messaging that people often get or policemen
when we put new rules in place they're seen in a negative light we don't explain what they are we're reactive we're not an asset and we just keep the lights on which is pretty cool because you know what it doesn't work when the lights are on or off it doesn't really matter so i think this is a fun definition of what's that
yeah i can tell you from a personal note that uh one of the best things about moving into security is i don't do pc support anymore sorry i can't help you so how can we change this overall paradigm how can we get away from the fear-mongering the wrong kind of messaging so that we're seen in a better light so that we're more effective in what we do we're going to overcome it in a number of ways we need to be honest with the folks we're working with about risk and sometimes less is more so they don't when we're communicating risk especially to folks who are not in security and not in i.t and even people
who are in i.t but aren't in security they don't need to know everything we know think about that with your messaging like we may know um how many of you know there was say a microsoft zero day recently anybody hear about that just a few of you okay i don't start panicking my i.t teams going oh my god end of the world right this is not effective i don't even tell them how easy it is to do the thing i explain to them this is a problem we are at significant risk from this problem so let's talk about what we can do about it they don't need to know the details at that moment they have eyes they can research it you
don't need to spend lots and lots and lots of time on this and the more you go down that chain into the user space the more important that is they really don't need to understand some of this they need to understand what they need to know for their jobs most folks in end user positions want to know how it impacts them if it doesn't impact them it doesn't matter to them and that's okay and that's really hard to grasp when your brain is always in that space right you're always like okay risk risk risk risk risk but they don't care and that's okay we need to provide empowering messages how folks can help themselves and you to
make things better be an advocate and get folks to advocate with you if you can create advocates in like where you know we're a huge shop if you're in a place that has a lot of a lot of different departments and you can find folks that are like security champions that's huge so if you can encourage best practices and you can do it in this positive way you're going to have a much much much better outcome there is this notion of us versus them security is this everyone else is that nope we're all in this together don't care if you're in security don't care if you're a cafeteria worker or bus driver it doesn't matter
we're all in this together and we all have different roles to play one of my favorite stories um from my past so i worked with actual rocket scientists folks that made rockets go into space and you know what those people are freaking brilliant you know what they're not really good at well not even just security explaining themselves well but it depends on what you're asking them about what rocket scientists are not particularly good at necessarily pcs are not their wheelhouse that is not what they do it is a tool to do what they do but pcs is not their bread and butter and so i had to explain to folks who were in many ways way smarter than i was
how to make a pc go and so what i wound up doing is we traded information i would explain to them why something mattered and they would go oh and then they would explain to me a little bit about rocket science what they do and why what they do matters and this exchange of ideas is huge and it's so much more effective you have to be patient with folks if they ask you a question and you need to do follow-through make sure you follow through the worst thing you can do is go yeah yeah i'll get back to you on that and drop the ball because you lose trust and the minute you lose their trust
now you've ruined that path so the idea here is to illuminate folks and help build that community of trust make sure you're communicating with them at the level they both understand and can relate to and in many many cases that means telling stories and i hate the concept of dumbing it down because it's not about dumbing it down it's about exploring the world wherever they are and if they're not technical or they're not in this piece of technology or they're you know uh the end user just trying to get their job done again you need to think about where they are and coming into their space and talking to them in a way they will understand
because everything else is ineffective trying to scare the crap out of them does not work this is not effective right somebody screaming at you probably you're never going to hear them so we want to replace fear with healthy skepticism we don't want people to be afraid being afraid is not effective being skeptical is and one of the things i always respond to people i'm responsible for abuse at buffalo.edu please don't spam me with crap because we get enough of it already but you know i am one person and i'm the one who answers all the queries that come into that address if somebody sends me something and they've realized it's bad or they're
asking is this bad i always respond with thank you for being skeptical and suspicious because it says to that person hey you did the right thing you reached out and asked the question i always tell folks i would so much rather you ask than oops right because if you ask i can help educate you if you oops now i have to help clean the mess up which doesn't mean they won't oops it means they're less likely to lose and you're building that trust where they're more likely to ask if they feel like they're going to be somehow persecuted for asking the question or you know doing the wrong thing they're never gonna ask they're gonna
they're gonna fall into that space of fear where they're paralyzed i don't want anybody to think i'm doing the wrong thing and i don't want to say anything because i don't want to gail that so i'll just do nothing yeah there's always going to be people who oops so you have to make it comfortable for them to come forward yes and say hey i made this oops yep they're always getting absolutely 100 comment was if you didn't hear it they're always going to be people who oops that's just the nature of the beast but if you can make it comfortable enough for them to come forward when that happens so much better so much better and
if you're in an organization where you feel like you have to do self-phishing type exercises because i hear this i this is an ongoing discussion in a variety of of online spaces i'm in phishing exercises are crap well we have to do them well they don't do any good yes some organizations have to do that yes they can be crap but what is the goal with your self-phishing exercise the goal of the self-phishing exercise should never be to see how many people you can catch that is not the point what you want with self-phishing if you need to do it is you want people to talk about it hey i got this message it looks like crap this looks like
garbage i'm suspicious of this you shouldn't click on that and even if it's a test that's awesome the more people talk about it the less likely you're going to have people clicking on it it doesn't mean they'll never click but getting the word out means we will probably find out that much faster so communicating is key so get people to be skeptical get them to ask questions play devil's advocate where appropriate so i think this is kind of fun so arthur conan doyle in one of his sherlock holmes stories he talks about the difference between seeing and observation can anybody tell me what that distinction might be
how many of you work in a building that has stairs one two okay handful of people how many of you can tell me how many stairs there are between when you walk into the building and when you sit down at your desk you don't care all right how many of you see those stairs like five days a week or at least you used to maybe you know pretty regularly yeah most of us see the stairs but we're not making that acute observation we're not paying attention to those finer details and that's a big difference so we need to teach folks how to start paying attention those fine details so that they start to pay attention to
those fine details which can be tricky it's not their job to be security analysts they're not going to pick apart an email header but they should recognize when something looks a little funky so we want them outside of infosec generally speaking and this goes for everybody we want folks to start questioning stuff on websites don't just believe everything you see right question the legitimacy of an email if it came from somebody who looks like your boss but this message looks weird maybe you should go maybe this isn't legit we get uh spoofs of folks all the time they're gift card scams this is like a regular thing we get employment scams that come through that
purport to come from somebody at ub they need to be aware of these online risks and it can't just be once a year so the more often and this is a conversation we're having right now because we're going to be moving toward some sort of university-wide training cyber security training and i have told my boss in no uncertain terms this cannot be a one and done it's you know sexual harassment training is fine you can do that one and done it's important to be reminded this message needs to come in different ways at different times where you don't just sit and go click click click click click click so how can we do that and that's really important
there needs to also be healthy skepticism within infosec so it's not just them it's also us and again we're all in this together we need to be skeptical of marketing materials that say things like you know protects you from all the badness can stop all zero days that's one of my favorites because i know it stops all zero days i'm good if i buy that blinky box what's the most can anybody uh think of so if your original blinky box is the firewall what was one of the next blinky boxes well pix was a fancier version of the firewall yeah what what came after that ids yeah ids exactly so we had you know ids
and then now now where are we what kinds of blinky boxes do we buy now ai overlords ai overlords right especially ai so so chris roberts the one i mentioned earlier he is fond of saying nothing is a.i until it can tell me what kind of tea it likes it can be machine learning but it's not a.i until it can tell you that so be skeptical of that stuff you know speak out against that negative image because those of us who are hackers i think have a lot to give and we're excited about what we do we love what we do and we want to give back so don't shut us down and avoid relying on
scary words because we never we never hear this right advanced persistent threat that's like never a thing i just love when the news media is like oh it was an apt how do most apts start like phishing okay i'm an apt what does that mean nation state potentially nation state but but what does the apt part of apt really mean they're hanging out inside your network now that doesn't sound as scary as apt right advanced persistent threat just means they're hanging on your network okay not good but not nearly as scary sounding there is no apt it's just persistent threats the advancement is the worst part of it yeah i mean there's this idea that you
know that this is this is some kind of advanced terrible horrible thing and the reality is it's probably the same thing that's been going on i can tell you i've been in this business a long time i get asked all the time how do you stay on top of all this stuff and i'm like it hasn't changed in 40 years folks it really hasn't it's the same stuff yes okay definitely there are some twists but the core of this stuff hasn't changed in a long time so staying on top of it is really just sort of like oh they turned it on their head this way and they turn on its head that way and
once you kind of get that core, it just doesn't change much. So we go to this idea of nuanced learning. So change your verbiage. We're not going to catch people, we're going to partner with them. Remove the us-versus-them language. Use things like "we, together, are stronger." And it sounds lame, I get it, but it matters. It really does. So when you're doing any kind of reporting, what I tell people is, if you're doing some sort of phishing reporting, don't report on who clicked the link. Tell me who didn't click the link. I don't need to know any individuals. But if I'm giving you messaging, if I'm saying to you in the business community, we had 25 percent of our people click the link, that sounds pretty bad, right? Like a quarter of your people clicked the link. What if I said to you, 75 percent of your people didn't click the link? Which one of those two messages is likely to get more people to not click the link? And even the tools we buy, like KnowBe4, in some of these packages their reporting shows up with all this negative crap, and it's terrible, but it's all this FUD that we've grown up with. So, obviously.

Yeah, so a lot of my role, some of my role, is for clients to do phishing campaigns, and I really want to highlight exactly what you said: these are the people that did not click. But my clients frequently ask, I want to know who did, and I'll tell them, why don't we focus on the good things? I know in your mind even one click is bad, but at the end of the day they're paying me, and some people will say, I don't want to work with you if I don't give back. Do you have any thoughts on how to frame this so that I can not throw people under the bus and praise me before they do it?

Well, so I would tell them two things. I would say, I am happy to give you statistics that provide what you're looking for, because I think it's okay for them to understand that they do have a percentage that click, but I think it's also important for them to understand there's always going to be a percentage that clicks, and it is a much better message to say, today we have 75 percent of our people who didn't click, tomorrow we want 80 percent of our people who didn't click. So it's not that you can't tell them that there's that 15 percent, it's that we want you to understand this in a way that you can get your people to not click, right? And the way you're going to get them to not click is for them to want to. Reinforcing a positive message always is more effective than reinforcing a negative message.
So I think the trick is to tell them that you'll tell them what they want to know, but encourage them, when they're sharing messaging with their organization, if they want people to improve. And I can send you, if you hit me up, I can send you some studies that talk about this, because I got a lot of this from Jessica Barker, who's written a fair amount about this. There have been a number of psychological studies that show that the more you provide positive reinforcement, you are significantly more likely to get that outcome than with negative reinforcement, and the fear and the negativity are not going to get them what they want. So I guess that's part of it, right? Ask them what their goal is, and if their goal is ultimately for people to be better, then that's why it's important for them to focus on that. If they want to focus on what's bad, okay, but what does it buy them? And I think that's a question I would ask. Like, okay, I'll tell you that 15 percent of your folks clicked. Great, what are you going to do with that? How are you going to make that better? And if their answer is, well, you know, we have to put the hammer down, ask them how they think that's going to, you know, affect the org.

They can terminate folks who are repeat clickers.

Yep, and then on paper they can show, hey, we're more secure because we got rid of our... which is an absolutely terrible thing, because you're always going to have records. I mean, you're right, if people do that, and it's terrible, and then you hire more people, it turns closer.

Yeah, it's so terrible, and that's why my main hesitation is when they ask specifically for names of people. I don't want to give you this, I want to give you statistics. Here's where you did well, here are statistics, these ones in new grade. I've had a couple orgs that say we want to know specific names, and I've made a verbal agreement that I will give you these names under the agreement that this is not going to be something for termination. I'm not throwing your people under the bus. And that has worked well, but I would love to give them, here's another way to frame it. So maybe I might take you up on some of those studies that you can send.

Yeah, yeah, just hit me up and I'll send you.

Sure. I would like some of that information as well. It's important to make the environment comfortable for the people making mistakes.

Yep, yep. I kind of touched on that before, because it's going to happen.

Yeah, so you have to make it comfortable for them to say, oh, I clicked on that.

Yep.
Yep, and the people in the organizations want to know, because they want to know who needs additional training, or maybe didn't take the training, or, you know, just didn't. I mean, so typically you're going to have two categories of people. You're going to have people who don't care, and no matter what you do they're not going to care at the end of the day, and you have people who are just ignorant. You can help the people who are ignorant. You can't help the people who don't care. Of course, that's just the way it is, and there's only so much you can do. So in the cases of the people who don't care, you can put in whatever mitigations you can put in. Those are your options, right? You can fire them, which I think is ridiculous, or, you know, maybe you set them up so that they do all their web browsing work in a VM, and when they blow up the VM you just replace that VM with another VM. I mean, there's a bunch of ways you can do it, but it's complicated.

So we're wrapping up here a little bit. Operationally, we need to look at some of these basics, which I say basic, but they're really fundamental. It doesn't mean they're easy. You need to know where the stuff is, and that is the data and the systems. You know, remove the easy ways in, which, you know, like RDP. There needs to be log monitoring. We need to fix the things we can fix that are reasonably simple, but don't let the goal of perfection override the good. If you can't do it perfectly, you shouldn't be like, well, I can't do it perfectly, so I'm not doing it at all. Nope. No one can do anything perfectly. I'm a big fan of this idea that security is a verb. Anyone heard that before, other than my husband? Security is a verb, folks. It's not a place you can get to, it's not a state. You're never going to be secure. It's something that's doing, it's a being, it's something that we constantly work at,
but you're never going to get to this mythical place of security, and thinking anything else is pointless. We need to get back to the basics of education. We need to get that stuff into the curriculum. You know, Al, I know, is working on some of that.

As hard as I can, yep.

And Dave as well. So, you know, UB is very fortunate. We have a network defense course that starts to teach kids in all different... it's a joint thing between the computer science and the School of Management, but we have students from all different areas that participate, which is awesome. You know, we want self-evaluation for CS type stuff and communication security issues, you know, more for expertise. And moving forward, change is hard, and we kind of started the talk with these ideas, right? Infosec's a mess. We haven't had any eureka moments. Why is that? Well, we're trying to change people, and changing people is really hard because we're creatures of habit. But be aware that a bunch of little changes can be really beneficial, even if they're small, and these small changes can snowball. But that doesn't mean that it makes them easy, so we need everybody to participate. I mentioned this a little earlier: we need to partner with folks. It's not IT and infosec, it's us together working to be more secure generally. So think about it as a neighborhood watch. We need to partner with the next generation, right? Kids that are coming up, seven, eight, nine, they're smart, they're very smart, and we need to teach them early. We need to get them involved. And I'll tell you, I'm not a huge fan of all the STEM things, because I think that excludes a lot of other key important things, but anywhere that we can get that generation engaged. We have a summer camp that is coming up where we're working with kids that are like middle school age, but even younger, just depending on where you can engage them. They're, you know, less set in their ways. It's just a lot easier. So here are some ways, you know, depending on the age of the kid: bring them to BSides, there are things like CoderDojos, there's cyber camps like what we have, Odyssey of the Mind, Hacks for Kids, any kind of mentoring. This is really important.

So here are some final thoughts. To me, security is about education. That is my number one job, and it doesn't matter whether I'm educating an end user, a sysadmin, a fellow security person, we are there to educate, not adjudicate. We are not there to pass judgment. We are not there to say you did the bad thing. We are there to say, oh, okay, this could be problematic, but let's talk about it, let's see how we can, you know, make it better, or how this is going to impact. Because, as you mentioned on multiple occasions, if you can't open that door of communications, people are not going to come to you when they oops, and that is a much, much bigger risk to an organization. Learn what you know and trade the knowledge, like what I said about, you know, the folks I work with who are rocket scientists,
and be that change you want to see in the world, because if you don't, no one else will. And with that, my handle on Twitter is InvestigatorChick, because apparently Chick, which is my full handle, is one letter too long. Any questions? Yes.

Well, one, a lot of what you say sounds like, you know, you're dealing with people at the university or something like that, or an organization, and I'm also thinking about the poor folks at home.

Absolutely.

I have an anecdote real quick, just to show you how. So my husband, I've taught him, I said, don't click on emails, don't do this, don't do that, you know, ask me, like you say. And so he does. I mean, things pop up and he asks me, and so forth. One day I called him up and I said, how are you today? He says, I'm on the phone, I'm talking to tech support. Oh no. And my blood just ran cold. I didn't have a car. I found a friend who took me home, and I raced in there to hear an Indian voice on the phone, and I, you know, oh my gosh, it was like, talk about fear. Yeah. About had a heart attack that day. Unfortunately he had just downloaded AnyDesk and had not logged on to his bank account yet, but I was like, oh my god, it was over the top. So, you know, they're in. Same thing happened to my mother too. Microsoft called up and said, we need your credit card, because social engineering's tough.

Oh, it's horrible. It is. No, it's just, but you know, and you hear these stories on the news, right? And it's very easy to say to loved ones, oh my god, you know, what the heck's wrong with you, why did you do this? And the reality is they don't do this for a living. This is not their wheelhouse. How will they know if you don't educate them? So yeah, I mean, it's a great example, and I try to use, so even folks that I used to desktop support for, some of them I'm friends with on Facebook, and I periodically get opportunities to educate them, and I do that in very public spaces, because I figure other people are probably reading. But you're right, it doesn't matter whether you're in a corporate environment or you're at home, it's the same kind of messaging. You don't want to scare the heck out of people. It's not a fact.

And then the last thing I want to mention is that I think the fear factor is going up, because we're getting more and more crap all the time.

Yep.

I'm getting text messages saying, you know, we've renewed your Geek Squad subscription. Right, yeah.

Yeah, we get it from all angles, all the time, and that's the whole point of the healthy skepticism, right? It doesn't matter where it comes from, it doesn't matter what mechanism it comes in, you should be questioning what you see. Even if it's not a personal device, even if it's a place you always go, start asking those questions. So instead of just being terrified of all the things going wrong, be more observant, and do less seeing and more observing.

Here's a question. In my security class, I was trying to explain that social networking is as old as human interaction, and you can see the same kind of strategies used in a social networking campaign as you see in a book on ninjas: how to get guards to walk away from their posts.

Sure, yeah, yeah. Social networking, you know, social engineering, in all cases, has been around forever, and it's definitely not new, it's just put into new contexts. Yeah. So I want to wrap up because Shecky's up next, but thank you so much for coming and hearing what I have to say, and feel free to reach out. I'm reasonably easy to find. Twitter is probably the easiest, but you can, you know, feel free to find me at the university as well. So thank you so much. Just let your