
We're coming to you live. We have someone that traveled all the way from the US to come here, and we are very excited for him to be here; it's a great honor. The first thing I did when I saw Ira was basically to ask him to sign my books. Thank you so much for being here. It's a great pleasure, it's a great honor for us and for everybody.
Speaker: So it's kind of nice and weird, so, but anyway, thanks for having me, it's really appreciated. And I'm talking about human security engineering, and this is kind of a new term for everybody because I invented it. I think, you know, there probably was something like a human security officer in Star Trek on Deep Space Nine, but that doesn't really count here. But human security engineering: in the previous talk they mentioned ransomware, and when you mention ransomware everybody looks at it as a user issue. They're like, why did that stupid user click on these things, and so on, no matter what we do. And the reality of the situation is, behind every stupid user is a stupider security professional that basically put the user in a position to click on a message, and then after that knew that they were gonna click on it and didn't do enough to stop them. So do you blame the user? Because, and I'll talk about this going on in a little bit, but essentially you're blaming the proximity of where the error was initiated. And I'm using the term "user initiated loss," and I'll cover that. I only have a half hour and 25 slides, so I better start moving.

So let's talk about the Twitter hack. You know, the sad part is most people have forgotten about the Twitter hack, but a year ago, in ancient cyber history, what happened was there was an attack where somebody, a criminal mastermind, took over the top accounts on Twitter. They took over President Obama's accounts, they took over Joe Biden's accounts, they took over all these accounts with more than a million followers. And at the time Twitter came out and they called it an advanced social engineering attack, a sophisticated social engineering attack, and then they mentioned this mastermind and all that sort of stuff. And then when they looked into it, and they caught the person really, really quickly, which says he wasn't much of a mastermind, he was 17 years old, and this 17-year-old mastermind outsmarted all of Twitter's internal security. And so when you stop and think about it, what did the person really do? They used lots of social engineering, and they determined that what happened was, just calling people up, they found out that there were administrator tools that basically let any administrator reset people's passwords. And it turns out that a thousand people, 20 percent of Twitter's employees, had access to change this. And what made this really, really heinous was, about, what was it, like two years before, some person, who was a German engineer who was a contractor, basically when he resigned from Twitter he said screw it and he deleted Donald Trump's Twitter account, because Donald Trump's Twitter account is obvious. But anyway, to that extent, you got to stop and think: they knew something can happen, so what did they do? They locked Donald Trump's Twitter account. Okay, what about the other accounts? And yes, it was a coordinated phishing attack where they went ahead and compromised multi-factor authentication, but still, why did they allow access to a tool that could compromise thousands of top accounts, pretty much any Twitter account except President Trump's at the time?

Now I'm going to compare this to Cloudflare, and Cloudflare, about the same time as the Twitter hack, all of a sudden went down and took down a significant portion of the websites on the internet. And what happened was, in the case of Twitter, they put out like a message from like a mid-level engineer, who basically was the face of the Twitter hack, and he was putting out things that said sophisticated social engineering, we're improving awareness, and everything like that. In the case of Cloudflare, Matt Prince, to his credit, came out as the CEO and said we experienced, and basically this massive outage occurred because an engineer was, you know, basically modifying a routing table, and that engineer made an error in how they did that. And somebody replied back on Twitter and said, I would hate to be that engineer, and the CEO of Cloudflare basically said, you know what, it's not the engineer's fault. His quote was, it's a failure of leadership that one person making one error could take down our entire network. That is essentially the right answer: a failure of leadership.

So anyway, let's go back to talk about safety science. I'm going to talk first about old school safety science. Safety science a lot of people ignore in cyber security; we think we're the first profession ever that had to deal with human error. I hate to break it to a lot of cyber security people, but we're not the snowflakes we think we are. Just about every profession in the world has had to deal with human error of one form or another. And old school safety science, because safety science gets millions and millions of dollars, because if a person injures themselves in a factory the factory could go down, if people are injured companies get sued, hundreds of millions if not billions of dollars a year are because people do things that injure themselves, so safety science came to be. And initially old school safety science said, if somebody injured themselves on the job, why were they stupid enough to injure themselves on the job? That was old-school safety science. It was the person's fault; it was always an analysis of why the user or the other person was wrong. Sorry, I hope everybody's talking back there because I'm not interesting, instead of because of technical errors; I'd rather that than technical errors. But anyway, so this is like essentially blaming a canary for dying in a coal mine. Canaries are supposed to die in a coal mine; they're supposed to die before people die because the environment is unsafe. Instead, in cyber security, what do we say? We're like, we just need better awareness, we just need funnier awareness, we just need more entertaining videos. Again, that's like saying let's put a gas mask on a canary in a coal mine, because the problem isn't the level of awareness, the problem isn't the user, the problem is the environment the users are in that creates all these problems.

So anyway, let's talk about this as operational problems. Proximity doesn't explain a lot. In other words, let's say for example a bus driver is driving a bus and a tire falls off. Do you blame the bus driver? Well, in some rare cases, maybe the bus driver drove over a curb into a wall or something like that, then yes, you blame the bus driver; it had certain conditions where there were not mechanical errors. Generally, if a wheel falls off the bus, that's because of poor maintenance on the bus, poor inspections on the bus, and everything like that. And what they do is they do post-mortems. In the medical profession, for example, every time somebody dies in a hospital, the hospital sits down on a regular basis and says, okay, why in the last week did these people die? What could we have done better? Was there some malfeasance, or were there a series of errors that occurred? Somebody actually went through, safety science people looked at the medical profession, and they determined that, for example, when people die in surgery because of what's considered an error by the doctor doing the surgery, they found, why did the doctor do that specific act? And at the time the doctor did that specific act, in general it was the right decision. The problem was there was a chain of events before that which led to that decision being made, and they had to look back in the chain of events and say, okay, early on in that chain of events, what could have been done differently so that the doctor wouldn't have made that decision at that point which led to the death? And that requires a full postmortem from start to finish as to what happened in every step along the way.

When we look at new school safety science, which took this into account, you know, essentially the user is really just the process. And I'm using cyber security now; I'm going to transition and make parallels between safety science and cyber security. Pretty much a user is just part of the system. A user is not... I, frankly, awareness is awesome, but awareness professionals are well meaning, but sometimes they have this Pollyanna, and hopefully Pollyanna translates, I think it's a European story, but you know, they have this idealistic view of the user. We want to make the user, you know, the paragon of virtue and everything. That's just not going to happen. A user, no matter how much you think of them, is still just a part of the system, much like a bus driver is part of the bus essentially, much like any of those, sorry, doctors are part of a surgery team. They're just a part of the system. And what they realize in safety science is, if the user makes a mistake, that's a failure of the whole system, because the user just didn't magically come into being and make an error. The user was put in a system that presented the user with a condition, and the user acted on the condition. Maybe it was a lack of awareness, maybe it was, you know, malice, whatever it happened to be, the user failed in their thing, which set off the chain of events that caused the failure. Now what they do is they review all enabling factors, and again, it's just the proximity of the error, and the proximity is just a symptom of the overall problem with the system. Like ransomware: the problem is not the user clicked on the message, why was the user stupid enough to click on ransomware? The thing is, why did the system fail that allowed ransomware to lock up the whole network? And again, user error is just the symptom
of what's wrong. So, well, most people would not know this, but I am certified as a master scuba diver trainer. I love scuba diving. I can't go scuba diving at the moment, but such is life. So anyway, the reason I have this picture: this is actually what I'm assuming is a training, a certification class, where they're doing an exercise known as a fin pivot. In a fin pivot basically you just show you can go up and down having neutral buoyancy. And what happens is, this is likely the instructor over here, and that instructor, as you see, is watching that. Now, when you stop and think about it, the first time I ever heard this expression, "you can't stop stupid," was when I was going through scuba instructor training. The course director basically said, you can't stop stupid, and I was sitting there thinking, wait a second, this whole class I'm taking is essentially how to stop stupid. You know, when you look at scuba diving, because in scuba diving there's countless ways you can kill yourself, literally countless ways. I've done it myself on many occasions, well, not as an instructor I should say, I've never done it, but the reality is I've done some stupid things. But when you stop and look at the dive industry, the dive industry relies upon people living, and what they've done is, scuba skills aren't taught by, you know, PADI, the Professional Association of Diving Instructors, SSI, a few others, and all these organizations have basically gone through a whole bunch of dive injuries and figured out, why do these dive injuries happen? We need them not to happen, because we need a safe dive industry or nobody will go diving. So you basically look at the scuba skills and how they're taught. Before a student comes into my class they have to go through and they have to essentially take a medical, to make sure that they're not going to die of a heart attack or something. Then we put them in a pool and they're supposed to swim a little bit and float a little bit. We don't really care if you can swim, that's what all the dive equipment's for; the reality is we just care you're not going to freak out in water, because freaking out in water is what really kills people at the end of the day, so we need to make sure of that. Then before they actually go in the water they have to take like dozens of hours of training on how not to kill themselves. Then when we put them in the water we check all their equipment, we teach them to check their equipment, and then we go ahead and put them in the shallow end of the pool and slowly take them deeper. Then once we know they can do everything we need them to do in, you know, the real world, then we take them to the real world in a very, you know, like for example you can see the bubbles are going straight up, which says there really is no current, you know, reasonably good visibility and all that sort of stuff. But the thing, you know, like this person could only go ahead and look at one person at a time. But, click the button please. What you don't see here, and you can barely see this I'm thinking, here, is there was this other person that they brought along as an assistant instructor or divemaster to watch the rest of the people, to make sure these people don't kill themselves in the process. I was once that instructor, and what happened was one of the people over here decided, hey, what's actually under the platform? And look, I caught them in the corner of my eye, but luckily the assistant instructor was pulling them out before I did that. People will do stupid things, but anyway, even if they do stupid things, we know where the hospitals are, the hyperbaric chambers are, you know, have insurance on everybody and so on. But anyway, that's diving, and the reason I put that there: there should be a lot of parallels to how safe diving is compared to cyber security.

So anyway, where does blame actually fall? In safety science they've gone ahead and done a lot of things and figured out, hey, why do people injure themselves on the job? 90 percent of that turns out to be the environment that the people are in. For example, I work, you know, when I do awareness programs for large companies, sometimes there's a factory or manufacturing areas and things like that. I walked around with safety science people, and one time they were showing me, you see this yellow line on the floor. We were walking around the warehouse and they said, we used to have approximately 100 injuries a year where forklifts were driving into people walking through the factory, and we did all these studies and finally we figured out we're going to draw a line on the floor, and people stay to one side, forklifts stay to the other side, and that took care of almost every injury resulting from forklifts and other things. And what happened was they still had an injury every so often, and when they did, they figured out, well, that was a person on their iPhone walking down and accidentally veering into the wrong side, or a driver not paying attention on their iPhone crashing into people. So these things happen, but generally 90 percent is the environment around the user, you know, 10 percent is the user themselves. Because think about it: can a user actually click on ransomware if it's not in their inbox? You know, nobody thinks of that one.

So what is the other 10 percent? And you got to look at the 10 percent. The 10 percent includes carelessness, it might include blatant ignorance, it could be a lack of training. Something else a lot of people don't consider is malice, and this is something like, when people say we need more awareness for ransomware, if you think, you know, more awareness is the complete solution, you're going to get your organization killed, because malice, according to the Verizon Data Breach Report, was responsible for 28 percent of all attacks in a recent year. I can't remember which year, it wasn't the latest, but every year, the latest, they're all essentially the same thing with slightly different numbers, you all know that. But anyway, this is where awareness and training might fit in that last 10 percent, but still, it's only ten percent of the overall problem that awareness can satisfy. This means as cyber security people we gotta figure out how to address that ninety percent.

So now that I've talked about safety science, let's talk counterterrorism. In counterterrorism there's a concept they call "boom." Boom is actually the attack itself, and so then you have professionals in counterterrorism that specialize in left of boom and right of boom. If you think about it on the timeline, left of boom starts when terrorists are planning the attacks; right of boom is after the attack, how do you respond and try to prepare the organization. So what is boom? Essentially, like I said, counterterrorism strategy. But left of boom includes prevention and protection; right of boom is response, recovery, resiliency. So if we're talking about prevention and protection, prevention might be, for example, the people in terrorism who specialize in identifying potential terrorists, trying to hunt them down, trying to stop them, whatever. Protection: other people, they don't really know exactly who the terrorists are, they're not going to necessarily stop them, but they're responsible, for example, for hardening buildings. They'll stay there, they'll be like, okay, I need to have an evacuation plan, I need to have like cement pillars in front of buildings, and so on.
But those people specialize in protection, while other people specialize in stopping the attacks from happening in the first place. Then we have, at the point of boom: at the point of boom is like, how do you harden a facility? So if we're going back, well, it's almost ancient history these days, 20 years to the September 11th attacks, everybody remembers the World Trade Center attack, because it's very visible. Terrorists really care primarily about visibility, you know, having images of like towers falling. One thing a lot of people don't remember is that the Pentagon was attacked on the same day. Now that sounds bad, but the way I say it, only about 100 people were killed inside the Pentagon when they flew a plane into the building, but a good portion of that was because they actually hardened the Pentagon before the attack, just because they were concerned about a bomb going off inside. So they hardened the walls, they put in more fire protection, so when the plane actually went in, it actually caused very limited damage compared to what it could have been, because the whole building was hardened. So anyway, that's at the point of boom: you can do things like that, strengthen concrete, doors and so on. Or another example, then in response, recovery and resiliency, you have to, for example, train first responders not to rush right into an environment, because it sounds counterintuitive, but if there's poisonous gas in the environment, if there's radiation or biological weapons, there's the potential for secondary explosion. So you have to know how to respond quickly, you have to make sure there's hospitals in the area, enough hospitals to take care of the concerns and so on, and they have to figure out how to rebuild.

When we look at these principles for cyber security, I came up with a concept of what I call user-initiated loss, because at the end of the day a user doesn't cause the damage. Even if the user clicks on ransomware, the user doesn't go into a hard drive and encrypt every bit; the computer encrypts every bit of the computer itself. The computer is essentially committing suicide, the user doesn't do it, the user just takes an action that results in that. Just because the user does something, it doesn't mean it has to do something. And also, I'd say user-initiated loss instead of user error, because again, likewise it might be malice, it could be not a lack of awareness, I mean it could be the user intends to do something, it could be that, you know, the user just wants to do something that's wrong. But either way, I'd like to take out the cause and call it user-initiated loss, but acknowledge that the user again is just initiating the loss, and again, it just creates the possibility of a loss that doesn't have to be realized. Could be ignorance. If you want to stop the potential for the loss, in other words, you want to do something like the left of boom, and then you want to stop the actual initiation of the loss, which comes out to right of boom, of course, but then you want to mitigate the loss afterwards, again assuming that the loss did occur in some way.

So when we start talking about user-initiated loss from the left of boom perspective, you want to really stop the user from being in the position to click on things. If we're talking ransomware, you don't want to put ransomware in the user's inbox; you want to block the user, for example, from going to websites that might be dangerous and so on. So perhaps you want to take away capability of decision making. A lot of people are like, no, we want to empower the users. No, you don't. You want the users to do just the things they need to do, with the capabilities they need to do it. You know, protection, detection, reaction. You will need to create a culture of consequences, and a lot of people say, well gee, no, we don't want to blame the user. It's like, you know, users are limited, you got to acknowledge that users are busy, users have a variety of different issues to, you know, address, but you want to essentially create a culture where they do the right things. I tell the story, when I worked in NSA, you know, I worked in the National Security Agency, for people who don't know, and there was one time I was working shift work, and this guy working with me, uh, well, he's irrelevant until I start telling this story, but I was working on this plotter that threw maps out, and I had to take my badge off because the plotter would, you know, wrap the badge up if you didn't have safety, of course. And then what happened was I had to run to the toilet, and I basically ran out to the toilet, forgot my badge, which I realized when I ran into a security guard in the hall doing his rounds. And the guard's like, where's your badge? I go, right, probably on my desk. He's like, we're going to your desk, and I'm like, you're not allowed anywhere near my desk. So anyways, like, I'll wait by the door. So I go, he waits by the door, I go to my desk, and all of a sudden I'm like looking around, can't find the badge, and my co-worker said, are you looking for something? I don't know, like, where is my... so I don't want to curse on YouTube, I don't know why, but anyway, I go, where's my effing badge? And all of a sudden the guard, you know, and the guy said, the guard's like, is there a problem? Yelling from the door, and I'm like, and finally the guy... Do you think I ever forgot that badge again? You know, that was a culture where again everything was put in place, the guards were doing rounds and all that sort of stuff.

Next is governance, and this is a part that a lot of people ignore. Governance, everybody thinks, okay, write policies, procedures. Basically most organizations treat it like they write these documents, they get put on the shelf, and so the auditor shows up, they take them off the shelf, the auditor says okay, great, you have a policy, you're done, you know. But governance should really define how an organization does things from start to finish: you know, what is the policy, what are people supposed to do at every step along the way? You don't normally see that done in a lot of organizations. In other words, it's like you always tell people, make sure that it's not from a hacker, make sure that this is... it's like they never tell people how to do that. They basically just say check an email; they don't say how, for example. But anyway, the user actions are there by default; you have to make sure you document these actions, and that's what's left out in a lot of cases.

So at the point of boom, the user, in this case, you know, we're talking about the user is presented with the opportunity to initiate a loss. We could be talking about phishing and ransomware, we could be talking about USB drops, we could be talking about a user filling in an email address and it could be the wrong address, or so on. But either way, they have the opportunity. What do they do? Do they detect it? Do they prevent it? Do they sound the alarm? And remember, this can be from any cause, whether it's accident, careless, willful, malicious, whatever. Because think about it, a lot of people could say, oh, you know, somebody shows up and they might want to send the message to the wrong Michael, and they might be emailing out, for example, critical design documents, and then you go to the first, oh yeah, no, I meant the other Michael, not the criminal I sent it to, you know. I mean, those things happen, but it really doesn't matter why they wanted to send it to the wrong Michael, or whether it was an accident or on purpose. So anyway, this is the point that the user has the opportunity. What do they do? What's the guidance on how to do this and so on? And here's policies and governance again.

I love awareness, but I simultaneously hate how it's practiced, I'll give you that. And what I mean by that is, do people know Elmer Fudd here in Greece? Okay, people know Elmer Fudd. But if you don't know, apparently there's a new Space Jam movie, because Shaquille O'Neal is out and Kobe Bryant is in, but anyway there's a new Space Jam movie with Elmer Fudd. Elmer Fudd was always on the lookout for Bugs Bunny, trying to hunt Bugs Bunny, and if Bugs Bunny would put on a dress, Elmer Fudd would never recognize Bugs Bunny. It was that bad, and that made it funny for some reason. But the reality is, that's our users. We're training them how to look out: somebody gets an email and they remember the video, is this that hacker I saw in the video trying to trick me, or is this really the CEO of the company who needs something desperately? And it's like, you don't want this case, you don't want... because here's the concept: when you're looking at an email, a lot of them look amateurish, but you're basically taking your lowest level user and putting them at odds with a potentially untrained sociopath, organized crime. You know, we saw the Shadow Brokers and the nutshell, what was the latest one, DarkSide with the Colonial Pipeline incident, and all those things. These people are still criminals; they're gonna find a way to trick people. But you gotta go ahead and tell the users how to do things the right way, not what to be afraid of, and then, you know, gotta figure out, are all their actions necessary? Tell them what actions are necessary or not, but don't rely upon the user as your first line of defense. Your user is not your first line of defense, your user is not your last line of defense, and if they are, you have failed as a security professional.

So right of boom: a loss has been initiated, but the good part is, just because somebody initiates a loss doesn't mean the loss has to be realized. Does the environment expect it? For example, if the users don't have admin privileges, they might not be able to download malware. If there's anti-malware on the system, ransomware should not be able to load, in general. You know, are there additional protections? For example, is there data leak prevention? Is there behavioral-based anti-malware to try to stop ransomware once it starts running, that stops systems from encrypting themselves? And then also, right of boom, do you go back and go ahead and analyze incidents after the fact to figure out why these things happen? Was it a failure of policies, was it a failure of technology, was it a failure of awareness, or whatever else? Maybe you can have your users do more additional things, and so on.

Here's essentially a mapping. I went ahead and, you know, hopefully, I don't think... I apologize to the people in the room, it's a bad angle for this, but I went ahead and mapped out what has
to happen for a phishing message to be successful, from start to finish. And when you look at this, what happens is, and I'll hopefully... okay, anyway. So what happens is, a malicious actor, they have to start with a botnet, and somehow the entire security community on the internet has to allow that botnet to exist. Then they send an email message out. The message goes to a perimeter device, and if the perimeter device, for example, is running DMARC, you might be able to prevent that message from getting any further, because the site it comes from was unauthenticated as being from the sender. Then from the perimeter device it goes to the mail server, the actual mail server itself. If the mail server is running good anti-malware, the mail server is running good anti-spam and other things, again the mail server should potentially, should directly stop the message from getting any further. But if the mail server fails, then it gets to the email client. Then the email client frankly should stop the message itself, but if the email client doesn't stop the message, then it either goes to an inbox or a spam box on things like Outlook or other email clients, and then it becomes a user interface. Then the user at this point basically has to decide whether or not they actually want to go ahead and open a message, but it's a different user experience if it's in its inbox, because it might be assumed to be safe, while something in the spam box should be assumed to be not safe, and so on. But anyway, then the user now makes the decision, and the user in that environment should have nudges. Maybe that includes little signs, maybe that includes like banners; a lot of email servers now put banners that say this comes from outside the company. There's a lot of companies now working on nudges. Then you have awareness, where hopefully policies feed procedures, where the procedures then feed the awareness efforts and so on, and then the user then has that. Then once the user makes their decision they take an action. Now hopefully, hopefully they don't take the action, but if they take the action, there's a lot of user interfaces now that say, hey, that link goes to an unsafe site, that message might, you know, do you really want to open this message up, it looks dangerous, and so on. And then the user should be able to go ahead and say no. Well, let's say the user says screw it, I want to go ahead and enter that or look at that message anyway and take the action. In that case you should have anti-malware filters, you should have, or, I'm sorry, this. Then what are the three potential actions? Usually for phishing messages, they might want to load malware like ransomware, they might want you to send out sensitive materials, or they might want to compromise credentials, like, say, log on to this website and enter your email credentials. So then what happens if there's malware? First thing that should happen are permissions: that user doesn't have permission to download files and install software, for example. And then if that fails, then there should be anti-malware on the system that says, we're not going to let you load this file because this file's malware. On the other hand, let's say there's sensitive materials, and it asks, please send out your latest documents or your tax forms or whatever, and that should go into data leak prevention. Maybe the user doesn't have permission to access the documents in question; data leak prevention should also stop it. Compromise credentials: there should be web content filters that say, hey, wait a second, you're not going to a legitimate logon site, as an example. And this all should mitigate this. But when you look at it, the user just takes one action here, and for the loss to be realized, basically your whole technology infrastructure has to fail to begin with, and then you have to have a really bad technology infrastructure to allow all that to be realized.

So when you look at user security engineering, I kind of came up with a model of visualizing it. One of my friends said to call this a bow tie, because what has to happen is, governance should drive your entire infrastructure. Governance should say, here is specifically what my security policies are, here's the technology I need, and so on. And so what happens is, governance feeds the technology infrastructure, like the perimeter devices. Then you have the endpoint technology; endpoint technologies might include anti-malware, it includes permissions, it includes whatever else there is to stop users from doing stuff. Then you have, in this example, user experience. User experience is how is information presented to the user, how can you go ahead and tell the user this is potentially harmful, lead the users to the right decisions with a series of nudges and awareness. Then the user takes the action. But at the same time, once the user takes the action, it should have to go through all these layers on the way out. So for example, the system should say, hey, wait a second, that's not a good idea, do you really want to still do it? Then the user says, yeah, I still want to do it. Then the endpoint technology should say, no, you're not allowed. And if the endpoint technology allows them, the technology infrastructure, like data leak prevention, like all anti-malware on, sorry, all anti-malware on all the drives around the organization are protected themselves, and so on. And again, governance then goes back and figures out why did the attack get as far as it did.

So most important takeaway: your user is essentially just your canary in the coal mine. They're not really aware of security. If the user fails, you know, the user fails, it's a problem with your whole system. You know, they're not your first line of defense or your last line of defense. They essentially are a part of the system, and if they do something wrong, it's a failure of the system as a whole. So anyway, everybody should buy my awesome book. People here, it looks like some people will get my book, and that's me. Any questions?
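As an added illustration of the phishing-chain mapping and the bow tie described in the talk (not the speaker's material; every domain, hash and DMARC policy below is constructed), this Python walks constructed messages through the layers in the order the talk lists them, with a simplified DMARC alignment check at the perimeter, and reports which layer stops the loss, or that every layer failed:

```python
"""Walks constructed phishing messages through the layered chain the talk maps
out (perimeter DMARC, mail server, user decision, then permissions, endpoint
anti-malware, data leak prevention and web content filtering) and reports
which layer stopped the loss, or that every layer failed.
Added illustration, not the speaker's material; every domain, hash and policy
here is constructed for the example."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Message:
    from_domain: str                # the From: domain the user sees
    spf_result: str                 # "pass" or "fail"
    spf_domain: str                 # domain SPF authenticated (envelope sender)
    dkim_result: str                # "pass", "fail" or "none"
    dkim_domain: str                # d= of the DKIM signature, "" if unsigned
    attachment_hash: Optional[str]  # constructed hash of the attachment, if any
    link_domain: Optional[str]      # domain of the link the message points at
    asks_for: str                   # "malware", "sensitive_materials" or "credentials"


@dataclass
class Environment:
    dmarc_policies: dict            # published p= per domain (constructed records)
    mail_server_bad_hashes: set     # what the mail server's anti-malware knows
    endpoint_bad_hashes: set        # what the endpoint anti-malware knows
    blocked_link_domains: set       # the web content filter's blocklist
    dlp_blocks_external: bool       # data leak prevention on outbound mail
    user_is_admin: bool             # can the user install software at all?
    user_clicks: bool               # the user's decision at the point of boom


def _aligned(auth_domain: str, from_domain: str) -> bool:
    """Relaxed DMARC alignment: identical domain or a subdomain of the From domain."""
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)


def dmarc_disposition(msg: Message, policies: dict) -> str:
    """What a DMARC-checking perimeter device decides for one message.
    Simplified: no organizational-domain lookup and no pct= sampling."""
    policy = policies.get(msg.from_domain)
    if policy is None:
        return "none"  # nothing published: no grounds to reject on authentication
    spf_ok = msg.spf_result == "pass" and _aligned(msg.spf_domain, msg.from_domain)
    dkim_ok = msg.dkim_result == "pass" and _aligned(msg.dkim_domain, msg.from_domain)
    return "pass" if (spf_ok or dkim_ok) else policy


def trace_loss(msg: Message, env: Environment) -> Tuple[bool, Optional[str], List[str]]:
    """Return (loss_realized, layer_that_stopped_it, layers_that_failed_first)."""
    failed: List[str] = []
    # Left of boom: keep the user out of the position to click at all.
    disp = dmarc_disposition(msg, env.dmarc_policies)
    if disp in ("reject", "quarantine"):
        return False, "perimeter DMARC (%s)" % disp, failed
    failed.append("perimeter")
    if msg.attachment_hash in env.mail_server_bad_hashes:
        return False, "mail server anti-malware", failed
    failed.append("mail server")
    # Boom: the user is presented with the opportunity to initiate a loss.
    if not env.user_clicks:
        return False, "user", failed
    failed.append("user")
    # Right of boom: the loss is initiated, but it does not have to be realized.
    if msg.asks_for == "malware":
        if not env.user_is_admin:
            return False, "permissions", failed
        failed.append("permissions")
        if msg.attachment_hash in env.endpoint_bad_hashes:
            return False, "endpoint anti-malware", failed
        failed.append("endpoint anti-malware")
    elif msg.asks_for == "sensitive_materials":
        if env.dlp_blocks_external:
            return False, "data leak prevention", failed
        failed.append("data leak prevention")
    elif msg.asks_for == "credentials":
        if msg.link_domain in env.blocked_link_domains:
            return False, "web content filter", failed
        failed.append("web content filter")
    return True, None, failed  # one user action, but every layer had to fail


# Constructed environment: the company publishes p=reject for its own domain.
ENV = Environment(
    dmarc_policies={"corp.example": "reject"},
    mail_server_bad_hashes={"sha256:deadbeef00"},
    endpoint_bad_hashes={"sha256:deadbeef00", "sha256:c0ffee1234"},
    blocked_link_domains={"corp-login.example.net"},
    dlp_blocks_external=True,
    user_is_admin=False,
    user_clicks=True,
)
# Constructed environment with none of the technology layers in place.
BARE = Environment({}, set(), set(), set(), False, True, True)
# Direct spoof of the real domain: fails SPF, unsigned, so DMARC says reject.
SPOOFED = Message("corp.example", "fail", "corp.example", "none", "",
                  "sha256:c0ffee1234", None, "malware")
# Lookalike domain with no DMARC record: the perimeter has nothing to enforce.
LOOKALIKE = Message("corp-example.net", "pass", "corp-example.net", "none", "",
                    "sha256:c0ffee1234", None, "malware")
CRED_PHISH = Message("corp-example.net", "pass", "corp-example.net", "none", "",
                     None, "corp-login.example.net", "credentials")
```

Calling `trace_loss(LOOKALIKE, ENV)` stops at permissions with three layers already failed, while the same message in `BARE` is realized only after five layers fail, which is the talk's point that one click needs the whole infrastructure to fail.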