
...for you guys. It's also the only place that was close enough for me to drive. We're rolling? Okay, all right, so I'll get into it. As I said, I'm here to talk about teaching evil. So you're probably wondering: what on earth do I mean by teaching evil? Of course, from the title of the talk you're probably going to guess that I'm just talking about offensive security training, but that's not quite it; the topic is a little bit different. What I'm really talking about is a motivational strategy for raising awareness about information security. And yes, my slides are all this gimmicky; I'm one of those guys.

So hopefully we can all agree that awareness is important. In fact, according to all the reports that keep coming out, including this one from ISACA from just last year, the most prevalent successful attack types continue to hinge on the human factor. I'm not even going to bother showing any more supporting evidence or supporting data, because I think we can all pretty much agree at this point that the weakest link in the security chain continues to be people, right? We've known this for years; it's been true for a long time, and it's still true today. So that's what I'm going to assert: that another unacceptably weak link in the chain is what we're doing about it. For example, take a report from IBM from this year. In a passage talking about threats to the health care sector in particular, they say that organizations should focus on educating employees using a variety of approaches and require training at intervals to make the risk clear. This is actually better advice than most of these kinds of reports give out, but if you think about it there's really no depth to it; it's really just kind of empty. So we know that humans are the weakest link in the security chain, and the only advice we keep on giving out is: tell them, don't be a weak link anymore. Right? If you've got problems with your people, just train them better. Cool. But that leaves us with the natural question: when it comes to fixing people, how do we train them better?

Of course, the answer I've come up with is, well, let's teach them evil. Of course it's not at all revolutionary to teach offensive techniques to would-be trainers, and it's certainly not revolutionary at all to consider that everyone in your org has to be considered a defender. That's why it's not enough to say that we want to get people to do the right thing, because we're already there, right? People already want to do the right thing, and that's part of the problem. Bad guys know that people want to be helpful; every social engineer knows this. That's why confidence tricks work. So my concept of teaching evil is about reconceptualizing what the right thing is. The core idea is not to motivate people to want to do the right thing; the core idea is to motivate people to want to do the security-conscious thing, what we want them to do. Because of course if you can do that, you get everything: you can have meaningful conversations about phishing and social engineering and secure coding and all of the above. So when I talk about awareness, that's what I mean. It's not just cognizance of a problem, awareness of a problem, instilling that problem...

Hi folks, Irongeek here. Unfortunately we had an audio problem right about here because the new capture device decided it didn't want to cooperate, so fast forward to about the four minute mark and audio should resume. Sorry for the inconvenience.

...so maybe we're just not teaching to everyone's understanding. So knowing all of this, I decided to do a little bit of research and come up with a way to help me communicate my message, and a lot of what I ended up building was based on a white paper from the Merits Institute entitled "The Neuroscience of Learning: A New Paradigm of Corporate Education". It's full of wonderful quotes that look great on slides, but my favorite is this one. It says: "When developing training for business environments, we spend most of our time focusing on the content we want people to learn, the content we want them to know, rather than how they will learn. As a result we fail to engage them, fail to keep them engaged, and fail to help them transfer knowledge into action." Now the good part is that this is in the problem statement at the beginning of that paper, and they do go on to say things like good instructional design can go a long way towards fixing it. And then of course there's all that neuroscience that they promised in the title, which is really fascinating, but again I don't have time to get into it, and I want to focus on good instructional design anyway. In particular I want to think about what we can do to engage our students. What can we do to keep them engaged, and what can we do to help them transfer knowledge?

So to solve the instructional design problem, and possibly even get back to talking about security, I want to take a step back and consider why people learn things. Ask yourself not only what the goal of learning is and why we learn new things, but why we teach other people new things. Of course, the answer that I like is: to increase a person's knowledge and abilities. So if what we're doing is teaching evil, our desire of course is that the person whom we're teaching become capable of doing evil things. But more than that, we want them to become capable of recognizing and understanding evil things, and that's what we're looking for.

So we know what we're trying to teach: it's security awareness training. And we know that we have to teach it in a certain way, to the understanding of our students. The question now becomes: how do we teach this stuff? We've got a few options. Today most organizations turn to self-paced computer-based training. Whether you're talking about a massive open online course or a webinar or some silly Flash thing that you click through and skip until you get to the questions at the end, regardless, I'm going to lump all of that stuff, unfairly, into the category of CBT, computer-based training. While I generally like computers in computer-based training, I do not like them for security awareness training. I'm going to harp on this for a second, particularly because it's so damn popular to use this stuff for security awareness training. The popularity is easy to understand; it makes a certain kind of sense. It's very appealing to people whose job it is to track compliance: your HR department, your governance council, your auditors. Computer-based training has a lot of things going for it. For starters, it's easy to administer: you give out a link and you get a report back, so we say it's efficient. It's very light on logistics: everyone's got a laptop, you don't need to book a conference room, so we say that it's flexible. You can buy it off the shelf, or, you know, off the website, so we think that it's widely available, so that's awesome. And the incremental costs are very, very low: it doesn't cost any more to deliver it to 10,000 people than it does to 10. You know, depending on your vendor's pricing model, it doesn't actually cost any more once the training has been produced, so we say that it's really cost effective.

Unfortunately, computer-based training doesn't work for the kind of awareness training that I'm talking about. It just doesn't solve the problem that I want to solve. The packages you can buy, and certainly every single one of the dozen or so that I've personally looked at, all focus on knowledge transfer, and they can be very good at that, but they hardly touch skill building, which in general computer-based training, period, isn't very good at. And while there is a lot of progress towards artificial-intelligence-based computer-based training, the TL;DR here is that we're just not there yet.

So if computer-based training is off the table, what's left? Of course, the answer is workshops, right? The sort of vocational training that you probably all thought I would be talking about the entire time, if you actually look at the title of the talk. Well, this style of education is very much oriented around skill building, and that's perfect, because I'm going to argue that really that's what we're trying to do: skill building. All right, now hopefully I haven't gone too far off the deep end. Remember, I'm really just trying to solve for awareness training. And while I'd asked this sort of tactical question earlier, and we went into a little bit about how learning and unlearning may or may not happen, what I haven't yet touched is the concept of motivation. I do want to talk for a second about motivation, but I don't want to go into any of the science, so I'm just going to pull out the big gun. If you don't recognize the face, hopefully this looks more familiar: that's Abraham Maslow, and this is the hierarchy of basic needs. For our purposes it's enough to know that something on the bottom, more foundational, lower on the pyramid, is a stronger motivator than something higher up. The problem that we have today is that almost all professional workplace training focuses on relatively less prepotent motivators, that is to say stuff higher on the pyramid. Largely, professional performance-enhancement training focuses on your sense of self-actualization, which Maslow says is what we can be instead of what we must be. Because let's face it, from a learner's perspective, the reason that you take professional training is to be better at your job, to be what you can be, and that's absolutely the very top bucket on the pyramid, and that's unfortunate.

But knowing all of this, we can start to put the pieces together and think about how we might motivate people better. The answer is right there in the title: evil. In particular, it's an evil trick called bait and switch. Take the very first class that I put together for awareness training, the very first one when I first started designing classes. It was called Intro to Web Hacking. I put the key word in the title there, just like I did in my talk: hacking. The concept of hacking is vague and mysterious. Remember, we're talking about laymen here. We all know the word is horribly overloaded with meaning, but to the layman, learning to hack is an opportunity to learn some mystical dark art, and that fact alone immediately helps you target a motivator that's lower on the pyramid: esteem. Because this isn't a workshop that you take to be better at your job; remember, we're talking about laymen here. This is a workshop that you take to be cool, and there's no two ways about it: if you're the resident hacker in an accounting department, you're a rock star. So that's the bait to get them in the door.

Now we have to pull the switch, but we have to do this really subtly. As we start to progress throughout the workshop, what we're going to do is teach the students how easy it is to be a hacker. And indeed, the basics of something like web hacking are actually pretty simple and can be taught very trivially. In particular, what we want them to do is learn how realistic the threat is. What we're trying to do here is step further down the pyramid and make the concepts of hacking and being hacked more real to the student, more understandable, because by teaching somebody how to attack a computer system, the goal is to help the student understand how it can happen to them. And that's the switch: we're essentially using fear as a motivator, but only to get them to the point where they ask the big question, "How do I protect myself?" And indeed, what I've found throughout quite a while teaching this stuff is that the most common follow-up question I get is, "How do I stop bad guys from doing this?" Of course, that question is much, much harder, but you can certainly count it as a huge win if you can motivate somebody to get to this point on their own, because now they're interested in having the conversation. Now you're not an obstacle anymore; now they want to think about security, and that was the goal the entire time.

So how do we facilitate this? How does it all actually work? I've gone through roughly 200 slides, believe it or not, including the background of educational theory and a little bit about motivation, and I can finally answer the question: how do we teach evil? This is the point where I stop lecturing on philosophy and science, and for the rest of my time I start prescribing behaviors. So how do we facilitate teaching evil? The answer that I've come up with isn't revolutionary at all; it's just a blended learning style. I use video lectures and a more traditional workshop-style classroom component that's very, very hands-on. Some amount of lecture is unavoidable, of course, but by very hands-on I mean roughly 50% lab time. Just remember, we need to maximize the amount of time the students are given to incorporate the material that they've been given. But if there's a secret sauce, I've already told you what it is. The secret sauce, the most important part, is about getting the students into the right mindset so that they ask that big question, and then you can teach whatever you want and they'll learn it. Okay? Remember, the whole time I've only been focusing on awareness, raising awareness and motivating the interest in doing a secure thing. It'd be a shame if you went through this kind of trouble and didn't do further training.

I'm almost done. I do have one further thing to get into, and I do have one big question that I haven't really answered; I imagine at least somebody's looking for it: can you prove that this has an impact on the business? And the answer is no. I have no quantitative data that suggests that my methods contribute to anybody's bottom line. But what I do have is a couple of anecdotes, and I'll share two of them quickly. First, in my very first session, my very first hacking class, I had a dev who showed up. This was a typical software engineer who was developing JavaScript that had to run in all the imaginable possible browser environments, and because of that, his primary focus was on portability. He had developed a technique for debugging which he'd hidden in his code as a sort of back door, and it never crossed the guy's mind what kinds of tools and techniques a hacker might use until he learned to attack his own code, and how to discover the vulnerability and how to attack it. And then, after a brief period of reflection, we had a major vulnerability remediated that day, after a two-hour class. As a second analogy, one of my other classes that I like teaching is Sabotaging Workplace Productivity. I love this topic because it's so damn much fun to teach and watch everyone's eyes get really wide. In my very first session of that class, I had a project manager who showed up and recognized so much of what I said, and was so surprised that I was describing known sabotage techniques, that they started bringing an overseer to all of their meetings from then on, exclusively to squash time-wasting behaviors.

So while I can't explicitly quantify that my methods generate or save dollars, I'm still pretty confident that they do. I've certainly followed up with many of my students and had them tell me that my classes have changed the way they think about security, and in the end that's all I was really going for. So hopefully you'll give it a try and meet with more success than I did. And thank you for letting me fill in, and for putting up with me instead of learning about exports. I might have time for a question, unless they throw me off the stage. Thank you. Am I doing any of the