
PG - Pwning the Hapless or How To Make Your Security Program Not Suck - Casey Dunham & Emily Pience

BSides Las Vegas · 24:45 · Published 2016-12
About this talk
PG - Pwning the Hapless or How To Make Your Security Program Not Suck - Casey Dunham & Emily Pience Proving Ground BSidesLV 2014 - Tuscany Hotel - August 06, 2014
Transcript [en]

All right, so welcome to our talk, "Pwning the Hapless, or Why Your Security Program Sucks." We just want to give a quick shout-out to BSides for having us, to all of you for coming, and to our mentor Martin Fischer for helping us through this, and for his support, guidance, excellent advice, and amount of patience. So we're going to begin our discussion with a few scenarios. This is Barbara, and she works for BDSM, which stands for Big Data Smart Marketing. They provide market value to corporate catchphrases, so we're not trying to juggle back and forth here. But so, BDSM, small company, has a small security staff, and they've implemented all the current blinky-light solutions, and now they've started going down the path to developing a security awareness program. The program currently consists of your typical phishing campaigns against the company, the yearly CBTs, computer-based trainings, and other stuff that we would expect. So Barbara is a non-tech employee at this company. She's gone through the yearly training just like all of her other peers, and she has undergone the computer-based training as well that's required. So one thing to keep in mind about Barbara, though, like many of her peers, is that she doesn't really understand the difference between the printer fixers and us security guards; we're all just IT to her. So she gets this amazing-looking email from a source that she doesn't immediately recognize, but it appears to be legit, so she clicks the link, because what's the worst that could happen, right?

Well, while this probably isn't going to happen, otherwise we'd be having a lot more fun, we have to ask ourselves why. Why, despite all the money we're spending on training and teaching her not to do this stuff, is she doing it, or falling into this trap? So this is a simple example of her email inbox. You have to keep in mind that at her position she's getting a lot of email from different departments, her manager; she's got links to click on for her annual reviews; she has reports that Finance is sending her to review; she also gets, you know, the crazy cat videos to click on and see those; and my biggest peeve, and I'm sure all of us have experienced this exact same thing, is all those emails: click here to activate your account, or click here to reset your password. So at this point she's desensitized to this training. There's a cognitive distance between what we are asking her to do, don't click, and real life.

This is an experience that's actually happened to me. I worked for a large insurance company, was a newer employee, got a sketchy-looking email. Being a little bit more security-minded than your average bear, I noted that it was sketchy. I could remember that they told us we had a single point of contact we had to reach out to, to forward it; couldn't remember who it was; of course they didn't give us any handouts. So I went to our intranet website, to the IT page, to see what I could find. Five, six clicks in, still couldn't find it, and while I'm dedicated, I'm not dedicated enough to sit through a 25-minute CBT to find that one piece of information on the last slide. So I called our help desk. The guy on the end of the phone, who's paid, you know, $7.25 an hour, didn't know; people around him didn't know; his manager wasn't there for the day. So he told me I should probably click it, just because he wanted to see what happened. So I hung up on him, hung up on him because that was excellent advice, and I looked up our VP of security on Outlook and then instant messaged him for the information. He got a little pissy with me about it. So I ask you, who is going to know what to look for if you're a non-tech employee, and know not to click it, and then go through all that hassle to find out where to send it?

So, brief intro. I'm Emily. I'm very non-tech. I'm an insurance specialist working in disability. I've worked for three of the top 25 disability companies in the world in the past 10 years, where I go by, or I answer to, "Hey Emily, you know weird stuff, answer this." I grew up with, my father is, an electrical engineer who's worked in computers since the punch-card days, so, like I said, I'm a little more security-minded, and I have a keen awareness of the roles computers play in our lives. I'm currently an active member of TOOOL, and I'm working on my master's in social work. So I'm Casey, and I have been a developer most of my life, very passionate about security, also an active member of TOOOL, frequent volunteer here, BSides, BSides Boston, Source Boston. So, I'll make it my own.

So we all know that data is our business. No matter what your industry is, whether it be financial, medical, insurance, you are required to safely house and transmit data to and from trusted parties. You lose the data, you lose your customers, lose business, and lose money. Working in the field of insurance and disability, I've seen multiple trained, intelligent employees make these mistakes over and over again. These are the numbers that Verizon gave us for 2013, and as you can see, of the confirmed breaches, which is 2% of reported security incidents, 15% of those were due to security lapses. 15% of 2% may not seem like a big number, but each security breach affected up to hundreds of thousands of pieces of personally identifiable information, or PII, which can be sold for money. Of those breaches, 28 were healthcare breaches that affected 1.1 million records, so 1.1 million people had their medical records breached. A fourth of the companies that were breached were small companies; a small company is defined as one to 101 employees, and a data breach for a company like that is not just detrimental to their marketing or advertising, their brand's name, or their stock value, but it can be fatal to them. Money is also important in this. We throw a lot of money in the way of security, thinking that it will solve it or Band-Aid it for us. In 2013, again, $80 billion was spent on fraud awareness; half of that, $40 billion, was spent on medical identity prevention alone. That's a lot of money; that's how much the feds cut from food stamp reform in 2013. It's like swimming duck money. So why is all this still failing us?

So before we move further on, I just want to address a couple of myths about security awareness that I feel particularly strongly about, and contrarian to Bruce Schneier: one, I do not believe that employees are stupid, and two, and most importantly, I do not believe training is useless. I do, however, believe that most of the security awareness programs we have in place are useless. They don't achieve their intended results, they don't attract the attention of the business and its employees, and, most importantly to me, they do not create a culture of care around the security issues, which we'll talk about later. There are changes we can make to make this better. They are not quick, not easy, and definitely not as much fun as riding around on a fire-breathing unicorn playing a trumpet. So we all know here we can get anyone to click a link. It's not hard; it's actually pretty easy to do. If we have employees at RSA, Google, and who knows what other tech giants consistently falling for the same issues, how do we expect employees at a non-tech company, who are non-technical, to not fall for the same stuff? It's insanity to expect that.

So, going back to Barbara, how can we make it better for her and her fellow non-tech employees? We want you to think about your security training program as an excellent marketing tool or advertising tool. You're advertising security; you're advertising what it is, how to prevent lapses in it, and how your employees can benefit from it. Your message is competing with a lot of noise every day, not just what people do for a living and all the emails and phone calls that they get, but all the things that they can access from their computers at work: Pinterest, Facebook, and their iPhones are sitting right there too. So why are they going to listen to your message when they can get to level 98 of Candy Crush, or, you know, learn how to knit the coolest mustache for hipsters on Pinterest? So keep in mind that you are thinking again about advertising and marketing. These have a few things in common, and someone we know actually touched on this: Bob Rudis did a great talk at Source Boston in 2012 where he touched on the idea that your security training should be the four C's.

So the first C that we're going to talk about here is creative. You have to have a creative program, and we all, like most people, when beginning a security awareness program, maybe start with the companywide phishing and stuff like that. That's great; let's kind of move beyond that. So one example is, what if we created a piece of fake malware that we attach to that stuff? If possible; this isn't going to be true for all industries, but if it might be, make it work. It could do something innocuous, add a popup or just, you know, change the desktop background, but what we're actually using this for is to see what happens. Does the user report it? Does the user report it to the help desk, or whatever ticketing system or program you have set up? Does it get worked on? Does it just get dropped or ignored? You want to know about those things; often these are signs that something else is wrong, and you want users to be aware of it and to report it. Also, one thing I found very effective is, if there is something in the news about a breach or some type of security lapse, or just an interesting article, if it is at all relevant to your business or industry, write something up on it and email it to your staff. If it's a breach, for instance, maybe add some stuff about how it is or is not relevant to your technology stack, or what you've done to prevent this from happening, or, if this did happen, how you would remediate it. Employees like that.

And one thing I've done, as I'm sure most of us here do: I watch data dumps. I look for my personal accounts and my information out there. Now, not everyone's going to be able to do this, trolling Twitter for these archive releases, but Troy Hunt has a great site, haveibeenpwned.com, and you can register a domain, like @company, and you can get notified if any of your company's emails are in these data dumps. I actually did this for our company and then sent an email to the staff saying, hey, this is what I've done, and, you know, I'm just watching out. That led to further conversations about it. People started asking questions about the site and why I was doing it, and they left that conversation and then went on to sign themselves up for it, or their friends, or their personal accounts. So it's an opportunity to create a discussion around that that's going to be more poignant and more to the point than any of your normal emailings or anything else you would do.

So this also leads to using all of the mediums available to you, not just digital, because we know email newsletters are all too easy to ignore in everyday life. Think about what you can do in print, and in discussions as well. Create an easily recognizable logo, again back to marketing, that everybody can recognize, and put it on all of your communications. Print out something that has your security contacts on it, and what to look for, so they can put it next to their phones and their computers. If it's at their fingertips, they're going to use it; they don't have to search for it; it's right there. This is where it starts to affect their workflow and your security. And also, you're keeping track of all of this information from the phishing campaigns and everything else, so why not print it or publish it internally annually, like SpiderLabs does or Verizon does externally? Infographics are great for this; they're really popular right now. Huge, colorful ones posted in common community spots are great.

So the second C is compelling. You have to make it matter. Good advertising is a call to action. If you want your employees to be involved in a security program, you need to make them want to be. If you make your security awareness program more about making sure the employees themselves are secure, and not primarily just a company thing, then they're going to be more inclined to trust you, and that means maybe helping them out with some personal stuff too, if you have time. But it's worth doing, because they will really appreciate it, and most of the time they're actually looking for help on this anyway. In order to be involved, they need to know how to, and so start with the basics: just set up an email catch-all, security@whatever.com, and just get your employees to start sending stuff to it. It may mean triaging more stuff, but you set up a canned response and just send, "Hey, thanks for your input, we'll take a look at it," etc. Getting them to acknowledge issues and to report them is the first step of the battle; you don't want to lose it before it starts. Which, kind of like Emily's story, is another really good point: do not give them grief for doing so. If they reach out to you and they feel like they're wasting your time, or you're making them feel stupid for doing it, you failed; there is no security program. The ones that are reaching out to you are going to be your evangelists. They will actually be able to spread your program or your trainings further along than you are going to be able to do. Friends trust friends. It's also a good point to embed the security staff with all of the departments within your company; have them go to different meetings, have them do job shadows or ride-alongs. If your employees know who your security staff are and can recognize them, they're going to know who to call, whose face they need to look for when they have a question or a concern.

So the third C is continuous. The most successful advertising campaigns are the ones so ingrained in our society that we don't even notice they're there, or if they're horribly misspelled on a slide. Coca-Cola is the second most recognizable phrase in the world, behind "OK," and 94% of the world's population recognizes the logo, but that doesn't prevent them from spending more annually on advertising and marketing than Apple and Microsoft combined: $2.9 billion in 2010, despite these numbers. So your infosec training, like good advertising, should not just be given annually, but on an ongoing, continuous basis. It should be available to everybody who wants access to it, everybody who needs access to it, and everybody who doesn't but needs it anyway. It should also be available in multiple places and be part of their everyday workflow. They shouldn't have to go outside of their normal workflow to find out what to do. The program itself also needs to be updated and changed and bettered on a continuous basis. You can't use the same canned slides every year. I've done this; I've gone to HIPAA training: the first slide, date changed, everything else the same. It didn't really make a great impact on me. So again, be the department that is as available and annoying and present as sales and marketing, because if they know you, they know your face, they'll know who to go to. They can't just see you once a year when they have to complete a CBT or when they screw something up really badly, because then they're not going to like that.

The fourth C is cupcakes. That's actually, my daughter wanted to help, so we let her do that one. Cupcakes are awesome. The fourth C is actually customized. Make it your own; make it different for your industry. What matters in medical is not going to matter for financial, etc. Stop buying canned CBTs and email campaigns from third-party vendors; we don't like them, we don't pay attention to them. Customize it also per your departments, because what matters, again, to financial or sales is not going to matter to customer service reps. Remember specifically who your audience is. The senior VP of sales and finance doesn't even see the same UI or the same information, or have access to the same things, as customer service representatives. Stop using stock images. I don't know about you guys, but I've never actually worked with that really toothy, smiley brunette with the headset. Anybody else? No, I didn't think so. And stop using stock videos, because if those worked we wouldn't really have to worry about sexual harassment, and we know that still goes on. So, depending on where you work and your industry, you may still have some type of annual training that's required, or some type of computer-based training that's required. That's great; get your employees into it and out of it as quickly as possible, especially if they're required to do it on their own time, which is stupid, but anyway. Just like PCI is not your security program, neither is the CBT your security awareness program.

Moving on to our next scenario, we have Brad. Brad is a coworker of Barbara and has a really busy day. He wants to get out early because the Red Sox are going to be kicking ass against the Yankees and he wants his $1 PBRs and 50-cent wings. So, despite policies and all these controls that might be in place, he emails some customer records to his personal email account so he can work on them from his iPad or whatever at home. Now, why does he do this, despite, you know, supposedly all the training and everything else? Because he's awesome. So, to quote Bill Gates, "I will always choose a lazy person to do a difficult job, because he will find the easy way to do it." I'm going to actually better that by saying a lazy person will find the easy way to do any job, not just a lazy one, and anybody who's raised an 8-year-old knows this to be true, at least in our house anyway. So another reason why Brad doesn't do this the proper way, he doesn't log in to the VPN to his work email from his work laptop, etc., is they're extra steps; it's cumbersome. I've used some pretty crappy VPN programs and I don't blame him for that, but you need to keep this in mind when you're reviewing applications that you're using in your company, both internal and external, as to how people are going to work around them. What are the lazy ways to do the job, or not to do it? You have to keep that in mind. This will also let you know what other people might be doing before it bites you in the ass later.

So again, another scenario that actually happened. I saw it at a different insurance company. I had a clinician, a nurse, I was working with, and she had to get out early, so she sent herself medical files to her Gmail account, because that's, you know, a safe recipient; it's just her. She completed a medical review, saved it in a Word document with a lot of PII at the top: name, date of birth, medical record identification number, all of that. Then she attached it to the original email, sent it back to herself at work, where she then forwarded it through the department, because, hey, why not let everybody know we screwed up? So she didn't understand what was wrong, so she couldn't care about it. How can you know not to do something if you don't... you don't know what you don't know. So there's no bulletproof solution for this. There's no technology you can buy that's going to fix this. But if you have really created a culture of care that permeates the business, and specifically the employees that you're targeting, then they will be more inclined to take some of those extra steps, if they really care about what's going on and understand why. That's the way; it's not going to work all the time, but it will work. If someone should be aware of a policy, you need to make them care about it. You can't just send them a giant email with a bunch of, you know, 8-point font and get them to understand it. That's not what you need to disseminate to them. You also need to look out for... no, oh, okay, I'm sorry.

So the easy way to do something should also be the secure way. It shouldn't be extraneous or an external step to what they do every day. Look for impediments to getting the job done safely and securely, and then work to remove those, because you're not only helping make things more secure, you're also making their business easier and removing complexity. If a release of PII is done accidentally and they report it, give them kudos. Do not blame them; do not give them detriment. This is really important. Again, they're your evangelists; you don't want to burn them. If somebody has gone through the training, though, and continues to do irresponsible, purposeful disclosure or release, that should affect their job performance. If you have the information at your fingertips on how to do something correctly, and you've read the set standards, it should affect your job performance. It should be just like any other policy. This is something that you'll have to communicate to the business, but it's important.

So we've talked a little bit about security awareness from the user perspective, and I'm going to briefly touch on security awareness as it relates to the developers. This is entirely a talk on its own, which I probably will be planning, but very brief here. This is Chrissy. Chrissy likes shoes. She works for BDSM. She's also stealing data. Now she's putting the company at considerable risk; more so, she's reselling it to fund her shoe habit. So she's potentially putting the company at far more risk than any external attacker can do. It's also in a way that's going to be extremely difficult to catch, if not after the fact. She needs access to information to do her job; often the application she's using is providing way too much. Now, what can we do about this? What can we, as security people, help do about this? So one thing we can do is work with the developers and be another voice against the business, saying no, we don't need access to that information. Instead of making tasks data-centric, let's try and make them task-centric. Examine that workflow and what they're actually trying to do; it'll help you identify what data they actually need to access. And I don't care what the business says: not everyone needs to see all the data all the time on every screen. So this is an actual screenshot of an application I've used. Also remember that people will give out information if it's there in front of them. We know this from social engineering discussions: if they have it available to them, they're going to give it out, because it's sitting there. This is especially true for low-trained, low-paid employees. Keep that in mind when creating UI.

And to follow up on that, I've actually done social engineering against a company that I was using, to get the last four of the Social of some people, just by simply saying, "No, that's not my Social; my Social is, like, 6742. Why do you have that wrong?" So we can help streamline this. If you need to validate information, don't let the person just read the information off, and for, like, restrictions upon putting the information in, just like we do with passwords, don't tell them what's wrong with it; just say no, it's wrong. That will also restrict them from being able to fish for information by just going to different accounts and grabbing the information out. Make this like an impediment to actually accessing the information, at least on the part of the application where they should be on a phone with an actual user.

So to summarize, thinking about successful marketing campaigns: your security program is going to be a successful marketing campaign, so it needs to be the four C's. It needs to be creative, compelling, continuous, and customized. So actually, I think there are five C's, and the fifth one is communication. All of the other four C's depend upon communication. The greatest security program in the world is going to fail if it cannot be communicated effectively. Marketing, in effect, is communication. If you effectively communicate your message and what your purpose is, people will understand it. Thinking back through all of our scenarios: that first one, Barbara, if she had been communicated what to look for and when, and who to contact, she wouldn't have clicked the link. If Brad had been communicated why he wasn't a safe recipient and who to contact so he could safely access his information from home, he wouldn't have forwarded himself PII and risked that information. And on the third one, if developers and business and security had effectively communicated with each other, they would have been able to determine who needs what information when, and Chrissy wouldn't have been able to access PII unnecessarily. So we just want to finish up by saying thank you. Thank you to BSides for having us, thank you to our mentor Martin for helping us out, and, most importantly, thank you to all of you for coming and watching our talk. You are making BSides what it is, and we really appreciate that. So thank you again. Thank you. [Applause]

So we will be releasing the slides and stuff here, along with citations and references for our stuff. It's not up yet, and I'm going to have a really busy week, so it might not be up until next week or so, but feel free to follow us on Twitter; I'll announce it there. We have a few more minutes, but I mean, if anyone has any questions we'll take them, but otherwise we're going to go to the bar. If you don't like the art, screw you; you guys didn't have to draw. Yeah, Emily drew all of these slides, and we were writing this talk at, like, Thursday night, and I was working Friday, and we drove to Virginia, which is like a 9-hour flight or drive, and then flew to here. So we basically finished this talk a few days ago, and I've been like, I really want to rewrite everything, but we can't. So thank you guys; we appreciate it. [Applause]
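The talk's last two technical points, a task-centric UI that shows only the fields a job needs, and identity checks that never read a stored value back to the caller (the rep enters what the caller claims, the system answers only match or no match, and repeated misses lock the account and the rep so nobody can fish across accounts), can be sketched as a small service. The block below is an added example, not code from the talk or from the speakers; the customer records, the task names in FIELDS_BY_TASK, and the lockout thresholds are all constructed for this illustration.

```python
"""Caller verification without echoing PII, plus task-centric record views (added example)."""
import hmac
from collections import defaultdict

# Constructed sample records; the names and values are placeholders, not real people.
CUSTOMERS = {
    "acct-1001": {"name": "Pat Example", "dob": "1980-01-02", "ssn_last4": "6742",
                  "address": "1 Placeholder St", "claim_notes": "knee surgery 2013"},
    "acct-1002": {"name": "Sam Sample", "dob": "1975-05-06", "ssn_last4": "1234",
                  "address": "2 Placeholder Ave", "claim_notes": "back strain 2014"},
}

# Task-centric views: each task names the only fields its screen may display.
# The task names are hypothetical, chosen for this example.
FIELDS_BY_TASK = {
    "verify_identity": (),                        # the rep never sees the secret itself
    "update_address": ("name", "address"),
    "clinical_review": ("name", "dob", "claim_notes"),
}

MAX_FAILURES_PER_ACCOUNT = 3   # a caller (or rep) guessing at one account
MAX_FAILURES_PER_REP = 5       # a rep "fishing" across many accounts


class VerificationService:
    def __init__(self, records, per_account=MAX_FAILURES_PER_ACCOUNT,
                 per_rep=MAX_FAILURES_PER_REP):
        self.records = records
        self.per_account = per_account
        self.per_rep = per_rep
        self.account_failures = defaultdict(int)
        self.rep_failures = defaultdict(int)
        self.locked_accounts = set()
        self.locked_reps = set()

    def verify_last4(self, rep_id, account_id, claimed_last4):
        """Return only 'match', 'no_match' or 'locked'; the stored value is never returned."""
        if rep_id in self.locked_reps or account_id in self.locked_accounts:
            return "locked"
        record = self.records.get(account_id)
        # Run the comparison even for unknown accounts so the response shape does not
        # reveal whether an account exists; compare_digest avoids a timing side channel.
        stored = record["ssn_last4"] if record else "0000"
        matched = hmac.compare_digest(stored.encode(), str(claimed_last4).encode())
        if matched and record is not None:
            self.account_failures[account_id] = 0
            return "match"
        # A miss counts against both the account and the rep who submitted it.
        self.account_failures[account_id] += 1
        self.rep_failures[rep_id] += 1
        if self.account_failures[account_id] >= self.per_account:
            self.locked_accounts.add(account_id)
        if self.rep_failures[rep_id] >= self.per_rep:
            self.locked_reps.add(rep_id)
        if account_id in self.locked_accounts or rep_id in self.locked_reps:
            return "locked"
        return "no_match"

    def task_view(self, account_id, task):
        """Return just the fields the named task needs; unknown tasks see nothing."""
        record = self.records.get(account_id, {})
        return {f: record[f] for f in FIELDS_BY_TASK.get(task, ()) if f in record}


if __name__ == "__main__":
    svc = VerificationService(CUSTOMERS)
    print(svc.verify_last4("rep-1", "acct-1001", "6742"))   # match
    print(svc.verify_last4("rep-1", "acct-1001", "1111"))   # no_match
    print(svc.task_view("acct-1001", "update_address"))     # name and address only
```

The lockouts are the piece that turns "just say no, it's wrong" into an actual impediment: a single wrong answer is cheap, but a rep walking account to account with the same guess runs out of attempts quickly, and both counters are the kind of event a security team would want surfaced in the ticketing system the talk describes.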
