
Hello BSides Leeds, thanks for coming to my talk, which, if you have read through the abstract, is not that technical in nature, but I think it is still very relevant to us as the security industry. And the fun thing, if you have just attended Zoë's keynote, is that I think some of the parts I'm talking about will fit in nicely with what she was talking about.

So, if you have been in the industry long enough, you've heard people calling users "losers", "layer eight problem", "PEBKAC", which is "problem exists between keyboard and chair". We found a lot of condescending ways to talk about the funny antics of those people without really ever thinking about how to make it better or how to make them relevant for security. Putting box after box after box in your network is something that vendors at Infosecurity and other conferences want you to do, because it's the next box that's going to address your next problem, and so on and so forth. If you're in the happy position that your company is doing that and buying box after box, then your Security Operations Center will look a lot like that: some people with lots of dashboards with some kind of information that might be relevant or might not be relevant. And I don't see an end to this cycle, because there's a new box coming out every year, probably every month.

In the end, I think that humans matter. This is a talk I originally did with Brian Fight, and this is also his motto for his conference: humans matter, in a lot of different ways. They are our users, they are our colleagues, and we need to get them on board. I'm going to use the word "cyber", and I know that some of you in the industry hate the word "cyber". I can only kindly ask you to watch a talk by Dr. Jessica Barker from BSides London in 2016, I think. It is about us, the infosec industry, not really embracing that word, while all our customers use that word, mostly exclusively, and about trying to meet them halfway. That is also roughly where this talk is going.

So, you might not have heard about the big pizza wars in Germany about five years ago. The thing was, when you tried to order some fast food via the internet, via the web, on a Saturday, chances were that you didn't get any, because the biggest chains were DDoSing each other at prime time so that they could get the orders. But they were all doing it, so as a person who was hungry you couldn't get any food. And of course there was WannaCry, or still is, I guess, which affects lives as well; mainly it hit hospitals in Britain, but there were a lot of other people affected by that as well.

One very specific example I would like to tell you about is swatting. Swatting is a word I didn't really know existed until a few years ago. SWAT stands for the Special Weapons and Tactics teams in the United States, and the act of swatting is that you call the SWAT team on somebody else. To be fair, when I was young it was funny to call some delivery service and see how they pulled up at the neighbour's driveway, and the neighbour was very confused because he didn't order anything. That's fun when you're 14 years old. But in this case, two people, person A and person B, were quarrelling about one dollar fifty over a skin for Call of Duty, which is an online game. Person A was so disgruntled that person B didn't pay up that he hired person C to swat him. What person C did: he called the police and acted as if it was a very violent situation, as if the son had already murdered parts of his family, I think his father, and was now threatening to kill the rest. If you are the police you don't have a choice, you have to act upon that, because you don't know whether it's a prank or not, and usually this is the kind of prank that nobody in their right mind does. So they pulled up to a house and they rang the bell or knocked, and somebody opened, and that somebody was very surprised, because it was not person B. Person B had given a false address, basically, so it was a totally innocent person, and he saw the police staring at him, and for reasons unknown he reached for his waistband, maybe to stretch or something like that, but people thought he was reaching for a gun, so they killed him. So you have a situation about $1.50 where somebody who was not even playing online games, who I think owned a computer but didn't do a lot with it, who was totally innocent, got shot by a police officer. And to be fair, that police officer has to deal with a trauma as well, so you impact a lot of innocent lives.

So it's not a question of whether cyber impacts the physical domain. It does, and it doesn't matter whether you are online or not, because in the case of WannaCry and others you are affected whether you are a person who likes to surf the internet or not. The one thing where I think we can make a difference is our colleagues. I still call them users in the presentation, but the point that Zoë made, or that the person asking the question made, was very good: it should be "empowering colleagues", because "users" has this negative connotation to it. This is our way out. This is our way out of the misery that we face in the security industry. We really need to get those people on board, or we will constantly fail, because basically, I don't know whether you agree with me, but doing security for everything and securing everything, we are kind of in a rat race, and we are not really succeeding in winning and putting an end to it and saying "hey, now we are secure, we don't need to do anything anymore". I think getting the users on board is a big step.
So how do we work to do that? I'm guessing that a lot of you have heard that pentesters' tale: if you want to get into a network, you just drop a USB drive in the parking lot, somebody will plug it in and you get access to the network. Has more or less everybody heard that story? I hope so; at least some of you are nodding, I take that as a yes. So what do you do when you find something like a USB drive? As an attacker you can be very creative, so you can target different kinds of emotions. The first thing would be: you put a little plushie, a little teddy bear, on the USB drive, and a set of keys, so people will think that is the key chain of somebody who just lost his keys, stays at home, and they will try to return it. How do you do that? You have a look at the USB drive to see what's on it; maybe there are photos, names, something to help you help the person, because I also think that humans at a basic level will try to help each other. Normally not everybody is going to agree on that, and that's fine, but it's okay. Or you can target greed, so label it "Expenses"? Yeah, that's so 2018, no, it's 2017 actually. I was going to say label it "Bitcoin wallet", but I'm not really sure whether Bitcoin plays such a big role; but last year at that time, if you were playing with a Bitcoin wallet, somebody would plug it in. And, without a show of hands, just go inside yourself and ask yourself the question: if I found a USB drive that piques my interest, would I plug it in? Oh yeah, of course. But you in this room and others would do it in a very safe environment, and our users probably wouldn't do that. So why not give them the safe environment?

This is something we built at our company, so apologies, because it's a German desktop; it says "virus detention station", more or less. We built this not to deter attackers, but that is a very positive and good side effect. The initial idea is a tale of very unnecessarily complicated processes, and I'm giving you insight into the pain of working for a really big company. So when you were preparing a presentation on a USB drive, for example at home, and you brought the drive with you to the office the next day, you couldn't plug it in, because it's forbidden to plug USB drives into your PC, which is sensible, which is good. So you put it in an envelope, you handed it over to the secretary, she or he handed it over to the internal postal service, they would drive it to a different building, it would be scanned, some magic would happen, and the process would go vice versa, and the USB drive would land safely on your desk about four work days later. When we're talking four work days, that is not really something you want to deal with. I mean, we are slow in our processes, but this was ridiculous. So colleagues came up with the idea of that virus detention station, where basically you plug in any kind of USB drive, you can then list the contents and you can say "this file and that file I'd like to have in my inbox at work", or a link to a network share, basically, and then it gets transported via our sandboxes, via our virus scanners, via different ways. The magic that happened here basically happens elsewhere, without human involvement, and in the time it takes you to go upstairs from that virus detention station to your workplace you would already have the link, so you can just continue to work. And we found out, hey, that's cool, because basically now people can plug in any drive they want, even if they found it, even if this is a pentester's or an attacker's attempt to get into the network, they could do that.

So, because we're a big company, let me tell you what our current process is: if somebody finds an unknown USB drive, they are supposed to hand it over to building security. What's your guess what building security will do with that? Looking? No, it's far more ridiculous: they are going to hand it over to the local lost and found, which is about, I don't know, two or three miles away, and nobody will bother to go there and say "you know, I've lost my USB drive". "Yeah, what does it look like?" Blank. So we are trying, apparently we are trying, to get that process to work so that they actually plug it into the virus detention station, because it's perfectly safe.

The next thing we have been doing wrong for a long time, I think, is the handling of phishing emails. If I ask you which of those links was malicious, what's your answer? Potentially all, but basically none, because I forgot what the first one is, I just remember it is safe, so you have to take my word on that, and I know that you won't. That amazon.com with a zero instead of an o is actually redirecting elsewhere, and the last one is just the IP address of our company's website. The point I'm trying to make is: even as researchers, even as people who know their stuff, it has become terribly hard to say what is a phishing link and what is not, because if you go to link shorteners like Bitly or others, how can you actually tell, without clicking it, where it redirects you to? You basically can't.

So Brian and I came up with something we like to call "indicators of ..." (I apologize for the language, but if you know me and talk to me in person, I'm very mild in this presentation). One of the indicators of ..., and this is meant to be for our employees: when you get an email, you don't look at the headers. Don't try to force them to read email headers, because yeah, that could help you understand whether it's a phish or not, but it's a skill they don't want to have and they don't want to learn, so why force them to? But as soon as there's money involved anywhere in that email, that is one indicator. Why is that? Because at the end of the day all the bad guys want money in one form or the other; maybe they want your data, that's a different piece, but very often money is involved. The next indicator, of course, is threats, very often combined with money. They might be subtle, because it might be something like "yeah, you know, we found out you were streaming this and that video, which is illegal, but we are going for a settlement of just 150 euros or pounds sterling, whatever, if you just pay now, else we have to go to court and it will potentially cost you two thousand euros". Well, that's very subtle, but it is a threat, and if you reflect on the regular business emails you get, threats are very rarely involved, and if they are, then you know why. So when this comes out of the blue, this is an indicator. Another thing, and I use the word very loosely, is romance: assuming you get an email out of the blue from a nice Russian lady with pictures attached, that she really is, she found your profile online ("which one? I've got thousands of sock puppets, please be specific"), and if you get that email in a business context, you also know that's probably not really something that's going to be real, even if I wanted it to be, maybe, but it's not.

And I forgot to say something in the beginning: when we talk to our users and colleagues, very often we give them tips and hints for their private cybersecurity. It's not really business-related, it's just, you know, if you get spam or phishing emails at home they look the same, and probably you get more at home, because we're filtering stuff in corporate email already, and if you know how to differentiate them from regular emails, from emails you are expecting, then you have that skill and you will use that skill at work as well. And people tend to listen a lot closer if they think they are personally affected; they have more interest. So it's more likely you get a romance email at home.

And finally, the fourth and last indicator is always some kind of urgency, because the way our brains work is that they shut down a little bit if you put pressure on them. If you ask somebody "what is your favourite colour?", then they will think about that and they will give you an answer eventually, but if you say something like "what is your favourite colour? You've got three seconds, three, two, one", the brain just shuts down, and if you need to say something you will yell something, because it doesn't matter in the end. And again with the urgency, if you tie it in with the threats and the money: "if you don't pay just now, if you pay any later than in 24 hours, it's going to be $2,000, but you get pictures". If you have one, two or three of those indicators of ... in an email, just throw it away.

The throwing-away part is also very interesting. I still have not managed to find a psychological study on this; I believe this to be true, and all the people I've talked to about it believe that it should be true, but I have no scientific foundation for that just now. We trained our users to click things. Basically, the World Wide Web is a collection of things that you can click; they lead you to other things that you can click, a bit of info here and there. And with an email, for the internal to-do list, for the most likely OCD in our minds, you want to do something with the email: if some email comes in, even with those indicators of ..., and it wants to force you to click something, you have a slight craving to click something. So just add a button that you can click with every email in the business context, that forwards the suspicious email to your SOC team or the relevant security team that's going to deal with it. You will satisfy the craving for the user, because he or she has clicked something and has dealt with the email; they can tick an internal box: that email has been dealt with, one way or the other. And of course, basically, if you're working in that security team that gets all the phishing and spam emails, your first reaction might be "what do I do with them?". We found, because we have something similar to that, that it is massively helpful: all the newest scam outbreaks, new IP addresses, new email addresses, they are getting forwarded to the team that can actually put them into a blocklist, block them and act upon them. Although they have to look at spam and phishing emails, unfortunately, that is part of the job.
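The four indicators the talk has just gone through (money, threats, romance, urgency) together with the "report it" button, as an added Python example that is not part of the talk or of the speaker's company tooling. It checks a handful of constructed sample emails against keyword patterns for each indicator family, flags a mail for reporting as soon as one family matches (the talk's "one, two or three of those indicators, just throw it away"), and builds the record the button would forward to the SOC, with the IoCs that can be extracted from the mail (sender address, URLs). The patterns, the sample emails and the report layout are all my assumptions for illustration:

```python
from __future__ import annotations
import re

# Indicator families from the talk. The regexes are constructed for this example and
# deliberately simple; a real mail filter would use far richer features than keywords.
INDICATORS = {
    "money": [
        r"[$€£]\s?\d",                                                        # "$2,000", "€150"
        r"\b\d[\d,.]*\s?(?:eur|euros?|usd|dollars?|gbp|pounds?(?: sterling)?)\b",
        r"\b(?:payment|transfer|invoice|settlement|wire|bitcoin|wallet)\b",
    ],
    "threat": [
        r"\b(?:court|legal action|lawsuit|suspended|terminated|police|illegal|fine)\b",
        r"\b(?:else|otherwise)\b.*?\b(?:cost|lose|lawyer|court)\b",          # "else ... it will cost you"
    ],
    "romance": [
        r"\b(?:found your profile|lonely|beautiful|pictures attached|love|marry|dating)\b",
    ],
    "urgency": [
        r"\b(?:urgent(?:ly)?|immediately|right now|asap|within \d+ hours?|today|deadline|last chance)\b",
    ],
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def find_indicators(subject: str, body: str) -> dict[str, list[str]]:
    """Return {family: [matched snippets]} for every indicator family present in the mail."""
    text = subject + "\n" + body
    hits: dict[str, list[str]] = {}
    for family, patterns in INDICATORS.items():
        matched = []
        for pattern in patterns:
            m = re.search(pattern, text, re.IGNORECASE | re.DOTALL)
            if m:
                matched.append(m.group(0))
        if matched:
            hits[family] = matched
    return hits


def verdict(hits: dict) -> str:
    """The talk's rule: a single indicator family is enough to throw the mail away (report it)."""
    return "report" if hits else "keep"


def build_report(sender: str, subject: str, body: str) -> dict:
    """The record the 'report phishing' button hands to the SOC: verdict, which families
    fired and why, and the IoCs (sender, URLs) that can go straight into a blocklist."""
    hits = find_indicators(subject, body)
    return {
        "verdict": verdict(hits),
        "indicators": sorted(hits),
        "evidence": hits,
        "sender": sender,
        # strip trailing punctuation that the prose around a link drags into the match
        "urls": sorted({u.rstrip(".,;:)") for u in URL_RE.findall(body)}),
    }


# Constructed sample mails (sender, subject, body): the talk's settlement scam, a romance
# mail, a CEO-fraud style request, and a harmless internal notice. All addresses are fake.
SAMPLES = [
    ("legal@settlement-notice.example", "Copyright settlement offer",
     "We found that you streamed a movie illegally. We offer a settlement of just 150 euros "
     "if you pay within 24 hours at http://settle.example/pay, else we go to court and it "
     "will cost you 2,000 euros."),
    ("natasha@lonely-hearts.example", "I found your profile",
     "Hello dear, I found your profile online and attached some pictures of me. Write me back!"),
    ("ceo@corp-mail.example", "Confidential acquisition",
     "Your boss said you are the most trustworthy employee. I am abroad, we want to buy a "
     "company. Can we make a transfer of 500,000 euros today? My lawyer will contact you."),
    ("facilities@corp.example", "Kitchen cleaning rota",
     "The new cleaning rota for the third-floor kitchen is attached. Thanks for keeping it tidy."),
]


def triage_inbox(samples=SAMPLES) -> list[dict]:
    """Run every sample through the button logic and return the SOC records."""
    return [build_report(*s) for s in samples]


if __name__ == "__main__":
    for r in triage_inbox():
        print(r["verdict"].upper(), r["sender"], r["indicators"], r["urls"])
```

The `urls` and `sender` fields are the downstream step the talk describes: the team receiving the report gets the new addresses and links in a form it can feed into a blocklist without re-reading the mail. The regexes only exist to show the shape of the four indicators; the romance patterns in particular will miss most real mails, which is fine for the user-facing rule (any one family is enough to report) but not for automated filtering.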
It gives a lot of helpful insights, and I don't think I'm completely alone with that, because most of the companies running awareness trainings with phishing links and so on offer that button as well, to mark something as a phish or scam or whatever.

The next thing I would like to talk about is reverse social engineering, and again this is something I really like. This is a story: a lot of you have heard about CEO fraud, which is no technical scam, but it's something where companies lose a lot of money. If you haven't heard about that, it basically works like that: an employee in the company, higher up, or at least someone who is able to make huge payments, gets an email supposedly from the CEO. That email says: "Hello, your boss said you are the most trustworthy employee. I'm in country X, we want to buy company Z, can we make a transfer of five hundred thousand euros, pounds sterling, today? If we can, then my lawyer will contact you with all the contact details." It's a little bit more complicated than that, but on the other hand it works: you get the pressure of hierarchy, you target somebody in the hierarchy who can make those payments but is probably not authorized to, but technically able, and then you get them to transfer the money. And you know, you might think that's pretty stupid, who's going to fall for that? And I can tell you: for example, Google and Facebook together for 100 million dollars; a company in Nuremberg, where I live, fell for it for 40 million dollars. So this really works, and there's no tech involved.

I'm talking about that here because another company in Nuremberg had a very bright idea, and I love that. It is important to talk to the employees, though, so the CEO said: "You know, you will never ever get an email from me asking for that kind of money transaction. If you do, you take the email, you forward it to your security operations center." And what they do in return: they slightly alter the email address, so they get the new emails that the scammer is sending, and they reply with "oh, hello CEO, I'm sorry, but you probably forgot we have that new fabulous payment portal where you can do all the transactions yourself, because technically I'm not allowed to, but you can do it. Have you lost your login?" So as a scammer you go "that's... no, it's good, yeah, I've lost my login", and you get login credentials and you get redirected to a payment portal on the website of that company that looks legit, and it kind of is. So you fill in, like, half a million, a million, let's go for two million, and most importantly you fill out the field for the IBAN, which is the account where the money should be transferred to. And what happens? Of course you don't get any money, that would be stupid. Of course this IBAN gets on a blocklist; it gets not only blocked in that company, but the bank that has that IBAN gets notified that this is the account of a scammer, the account gets deleted or put on ice or things like that, and the scammer loses access to that account. And that is much more hurtful than losing access to an email address or a server or whatever, because getting a new bank account up and running is more work, and it's much more difficult if you have illegal intentions. I like that because it's just really using social engineering techniques in order to fool those who are going to attack you.

I'm briefly talking about passwords, because they are an important thing as well. At the company, please, and you all know that: use strong passwords, use a password safe. The reason why I'm saying that is there are still companies who don't allow password safes, because they can't be bothered to buy them or support them or whatever. The password to the left, except that it is on a slide in a talk at a security conference, is a much better password than "password1", and I hope you agree with that, but this is nothing I would want to type, so I want to have a password manager that actually remembers the password and types it in for me, because I can't be bothered. As a short side note, basically, you've maybe heard about Collection #1, which was in the news last week, where Troy Hunt said 778 million user accounts with passwords have been found, which is nice. I'm not trying to incite fear or anything, but Collection #1 is the first one in the collections that were found, and it's one of the smaller ones, and all in all it's way more than seven hundred seventy-eight million; all in all, without checking whether it makes sense or not, it was something like 30 million passwords. The trouble with that is: your new password that you're thinking of competes with all the passwords that are known, not your passwords, but something somebody else came up with, because the hash is known. If the hash is unsalted, you can just look it up in a database, and even if it's a good password, if somebody else used it, then basically you're screwed. That's again a reason why you should use a password manager and complex, long passwords in the company.

Now, if you have tar and feathers, then I totally expect some of you to use them on me after this. But in your family, with your granddad, with your mother, elderly people, friends who are not as internet-savvy as you: how do you do passwords?
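The "your new password competes with every password already in a breach dump" argument, as an added Python example that is not from the talk. It builds a tiny constructed breach corpus stored as unsalted SHA-1 hashes (the way many leaked collections circulate), shows that an unsalted hash is a direct lookup key while a salted one is not, uses the k-anonymity prefix pattern so that a checking client only ever sends the first five hex characters of the hash (the scheme popularised by the Pwned Passwords API; the server side is simulated locally here, not called), and applies the talk's policy of long, complex and not already leaked. The corpus, the server stand-in and the length threshold are my assumptions:

```python
import hashlib
import os

# Constructed breach corpus for this example: a few passwords that "somebody else came
# up with". Real dumps are orders of magnitude larger; the last entry shows that a
# good-looking passphrase is burnt as soon as it appears in one.
LEAKED_PASSWORDS = ["password1", "apple123", "1234", "12345", "letmein",
                    "correcthorsebatterystaple"]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, uppercase hex: the form in which many leaked collections are stored."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# The corpus as it would sit in a lookup database: hash only, no salt.
BREACHED_SHA1 = {sha1_hex(p) for p in LEAKED_PASSWORDS}


def unsalted_lookup(password: str) -> bool:
    """Direct lookup: an unsalted hash is just a key into the dump."""
    return sha1_hex(password) in BREACHED_SHA1


def salted_lookup(password: str, salt: bytes) -> bool:
    """Same password hashed with a per-user salt: the digest no longer matches anything
    in the unsalted dump, which is why table lookups fail against salted storage.
    This demonstrates the lookup only; real storage uses a slow, salted KDF
    such as bcrypt or Argon2, never plain SHA-1."""
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest().upper()
    return digest in BREACHED_SHA1


def simulated_range_server(prefix: str) -> set:
    """Stand-in for a Pwned-Passwords-style range endpoint: given a 5-hex-char prefix,
    return every hash suffix in the corpus under that prefix. The server never sees the
    full hash, let alone the password."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def k_anonymity_check(password: str) -> bool:
    """Client side of the k-anonymity check: send only the 5-character prefix and compare
    the remaining 35 characters locally against the returned range."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return suffix in simulated_range_server(prefix)


def check_password(candidate: str, min_length: int = 16) -> tuple:
    """The talk's workplace policy: long enough to need a manager, and not already in
    anybody's dump. Returns (verdict, reason). The 16-character floor is an assumption."""
    if len(candidate) < min_length:
        return "reject", "shorter than %d characters" % min_length
    if k_anonymity_check(candidate):
        return "reject", "appears in the breach corpus"
    return "accept", "long enough and not in the corpus"


if __name__ == "__main__":
    salt = os.urandom(16)  # per-user random salt, constructed here for the demo
    for pw in ["password1", "correcthorsebatterystaple", "Nuremberg-notebook-2019!"]:
        print(pw, "unsalted:", unsalted_lookup(pw), "salted:", salted_lookup(pw, salt),
              "k-anon:", k_anonymity_check(pw), "policy:", check_password(pw))
```

The salted lookup failing is the point the talk makes from the attacker's side: a leaked unsalted hash is immediately reusable against any other site that stored the same password unsalted, whereas salted storage forces per-hash work. It does not make a leaked password safe, which is why the policy check still rejects the long passphrase that happens to be in the corpus.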
to do you passwords sure still strong passwords possible safes are great still but my point is let them write them down in a notebook because this is not an advice for your workplace it is a bad shitty arise for a workplace that's why I want to make it clear that is for private house if you write down passwords they tend to be better than password 1 or Apple 1 2 3 or 1 2 3 4 or if you really want to be very secure 1 2 3 4 5 if you let them write down passwords you get the chance that they use a different password for different websites and that it is good and let's
think about that if there's a person standing next to your granny's computer having her password book in hand they are not after the passwords they broke in to steal valuables they are not really interested in them in the Facebook password of those friends and even if there was a break-in and somebody stole the password account then you can start replacing all the passwords of course and work that's a different kind of story because many people will pass by your desk and you can't do that but for private reasons many people in the industry bash stuff like that and I think you know you have to take a step in the direction of where your users are or where those people are
in order to get a result otherwise they will use pass with one everywhere where they can because they can't write it down and they have to remember it and if you can get them to get two factor authentication that's great this by the way is a fully functioning mobile phone you can use that for two-factor authentication this I've been told is very popular in prisons I wonder why and at the end I'm I can't believe that I'm using that person as a SNe sample but if you think your granny's security is not good enough then just think about that and he's the presser is he still president I think I think so right one other thing we are working on but I
haven't seen that in the wild yet because there are legal reasons why this could be problematic Smail forward as a service so we identified or we say that for private people their email address they very often just have one email address and that is the most valuable digital asset because if you have access to the email account you can reset all the other counts on any platform whatsoever you get the reset notifications and then you can just log in so if you have someone's email account then it's pretty much game over for the person if they only have in private so the idea was to register a domain as the company it doesn't have to
do something that doesn't heat you have to do something with extra company name just any domain and use it as a mail forward so your user a at my home email comm would have a ad the company's domain comm or email me the questions why it's very easy if you register with that email address at different portals and this portal gets breached then they only have before water email address and this is of no use of somebody who wants to reset other platforms so it might be another level of security but if you have a bright idea about that just let me know because the problems we have at the moment is we are in discussion with
what happens when that person leaves the company will they still get access to that email address will it still be forwarded and the administrative overhead to that is not even funny for a channel so yeah so we haven't done that yet and one thing so we in her keynote was also talking about and I'm again I'm very happy I she had a few points that I'm going to make as well but I didn't rewrite the slides just in the last 10 minutes is making awareness training interesting I hope that none of you have to sit through shaky awareness trainings at work I'm pretty sure a lot of you have to sit through shitty awareness trainings at work but the thing is we I
just think that we do but most of us like security else we wouldn't be here at besides I guess and even we find security trainings exhausting sometimes especially when they are done wrong and believe me you've got nothing on wrong security awareness trainings when it comes to some stuff my company does as I said we are changing that because it's really not working but it's a different department so I can bash them first thing of course is avoiding fear uncertainty and doubt s whether with a collection one and everything this is something that can easily lead to fear but on the other hand sometimes some people need to have the facts and it's the way they are presented whether you
can actually create the facts and create the understanding of the danger that is out there without actually saying we are all doomed use password1 because doesn't matter anyway uncertainty and doubt much of the same if you can try to avoid that then people get a ration get to make a rational decision about what they are doing and can have a look at it in a very different way if you have a sat through a multiple choice click vest then you know that this isn't working for security this is just there so that one department can tick off a box yes we do security awareness trainings for employees and I check the box and I get the certification use is zero in my
opinion I can tell you that at our company somebody had the idea of gamification so you need to walk virtually through a virtual training company it's not even ours and for example if there's a fire extinguisher you need to click it and they need to answer questions about it somebody thought that would be fun it's not it doesn't change we have to do that every year so it's every year the same stuff but we found a shortcut or no we didn't find it people were yelling so loud for a shortcut that they wouldn't have to walk the corridors of the virtual training company because that sucks they just wanted to have the questions and the answers but still you can't get
there without reading through all the text that is attached to the various stations and you could do that training in a short amount of time but since you need to read all that and click yes I read that yes I read that you it takes time and usually nobody likes it so we started to have different kind of engagements with the users and those are very open meaning you're free to attend if you want to attend and very often it's it's an open space so maybe I would talk about something that happened in security in the last few weeks and people could come and go as they pleased because it's it doesn't have a door it's
in an open office and so if you went there and listened to me and you found out that I'm really boring that unlike here where you are sitting down and it's it's awkward to leave in that situation so you just can leave and we are engaging with the public as well the left is a picture where we opened the doors we have the thing it's called long night of the sciences in Nuremberg every two years where lots of big companies open the doors and show what they're doing to the public and that's where we try to get people to understand what we're doing security wise and I never thought that I never thought about the
effect that has but we are getting apprentice in September who said that specifically she went to our company because she liked what we were doing there so it helps overall that is my point and use different channels I'm writing blog articles we're doing this open space that we're doing after our stuff so if you can offer security training in various formats then somebody will like one format better than the other and you get more people to engage with you and for the love of everything if you do stuff after hours be a decent human being and buy the drinks because otherwise you will be there alone and it's perfectly understandable and stopping yourself is something I think is very important as
well um what I mean by that sure you already pay money to get pen tested you probably have red team engagements every now and then but on the other hand sometimes depending on the scope it might not really work that well and on another note very often you chest at the network side of face you are not looking at the social media side of things so you should have a keen eye on social media as well you should hopefully try to monitor what is being said about your company in social media or have a team but you should also monitor sites like LinkedIn for example and the these are a lot of examples from the company where I work from because
I'm giving you these examples because they work or I think they work we had one person on LinkedIn are claiming to be from our company and sending a lot of connecting requests to other people in our company and since our people in the company are trained in security and are interested in that they forwarded that to us and said we find don't find that person in our internal directory are they for real and we found out no they are not they are probably not preparing an attack on our company but on one of our customers and would like to pose as somebody from our company so we got that account shut down rather quickly and you
can only do that if your people are going to give you the info, you know, and that ties in with cyber risk management as a whole. If you are interested in that: it's not going to be a presentation about the other company I'm working with, but cyber risk is basically not threats, because threats are too immediate and it could be too late. Cyber risk is stuff like the social media: see what breached accounts you have and prepare accordingly if there is something coming up from there.

Finding the right language. Again, something that was talked about earlier, so I'm really sorry if this is not that new if you listened an hour ago, but it's got a new perspective as well. Talking to people always works best if you talk eye to eye, and I mean that in a way that is not condescending: that you let the other person stand as they are, even if you don't agree with them, but you just respect them as a human and you just talk to them, and you express what you think and they express what they think, and you don't talk down to them. So you don't try to be better than them or insult them. You might do that with friends, but if you really want to get your point across you need to be taken seriously, and nobody, well, not nobody, but most people won't take people seriously when they are just saying "you have to do that" and "you have to be there at seven" and so on and so forth. Because human beings, and hackers especially: if you tell them "you have to be X", then what are they going to do? Not be X.

Finding the right language. This is a tweet from last year, from Def Con. I kind of blurred it out because I don't know whether they are that happy; yeah, I mean, it's still online, but I still blurred it out. So there was a person during Def Con saying that if they had the time and the motive to launch a really good attack in Vegas, they wouldn't attack random Def Con attendees, because they are powerless and broke anyway; they would go for Black Hat at least, because they have money and power. What happened? This person got evicted by hotel security. They later got back in because the Def Con organizers worked hard with hotel security to say, you know, this guy was not talking about buying an assault rifle and killing people like what happened in Vegas just a few months before. But yeah, Vegas was on edge, and if you write something like that and someone reads it without knowing it's cybersecurity and not a regular attack, then they might get nervous.

So yeah, avoid talking from the top down. This is another tweet from, I think, last week, with Videoland. I think it's still up, but I blurred out Scott Helme as well. They were going on about how they perceive the security industry and that they really don't like them, and Scott asked, well, come on, we're not that bad, are we? And they answered with that: yes, you are, you're all very bad. And I think that is one of the problems: when we engage with others we don't take their problem seriously. We try to force security upon them without thinking whether this is something they want, because security is so important to us. We need to find a way to better deal with people, and if that means learning their language and going
halfway to where they are, then I think that's the case. Nobody who is not totally, deeply interested in security will come to where we are, because all of us are already here, if that makes sense.

And then there's ritual for action's sake. So I thought about an example that will illustrate that. I think if you think about it, you will come up with examples in your company where somebody's following some kind of procedure, not necessarily security but some kind of process or procedure, that doesn't make sense at all, even if you look at the background. Maybe it had made sense in the past, but it didn't get abandoned, and so people are still doing it. I found that one from a few weeks ago, and this is, I think, a brilliant example of why you shouldn't follow a ritual just for the sake of it. You know, it doesn't make sense, and everybody sees it doesn't make sense, but somebody said, you know, people have to check that box, because when they buy the car online they check the box, and both processes should be the same. Just makes sense.

Another small thing is: get people to lock their screens. Because apart from having the password next to it, if you don't lock your screen it doesn't take long to take over your computer if I'm an adversary, and it doesn't mean I'm typing fast. It just means I've got to use a USB Rubber Ducky or any other device that can put in keystrokes at three thousand characters per second, and I can install a backdoor within seconds. So even if you're going to the loo and you're alone in the office or somewhere, just try to lock your screen.

So how do we do it? Um, actually, I'm not saying how we do it, because it's a little bit less good than what I heard from a former colleague at a different company. They have a macro, and that macro is just executed very quickly in their Windows environment, and it sends a mail to their team inviting them to have cake: the next day they are going to bring cake. And this is the takeaway, you know: if you send a mail to your team from an unlocked screen, "I'm buying beer", "I'm buying a cake", something like that, something small, then if you are the affected party that didn't lock the screen, usually you go along with it. If you send another mail as the CEO, like "haha, you've got a hairy ass", that might not be the way to do it, but if you do it in a small way, like buying cake or something, people go along with it. But it is hurtful enough that next time they will lock their screens; I mean, usually, or they buy cake again. I mean, we shall see.

And the importance of that is really making the message transparent. If somebody asks "why should I lock my screen?", we have that USB Rubber Ducky that will, well, it won't encrypt your files, but it will encrypt some files that it created beforehand, just to demonstrate what you could do with an unlocked PC within seconds. And you should always make a point of educating each individual. There are companies who say, yeah, our security person in team X, that is her, and it doesn't work like that, because there's not one person doing security for all of the people in the department. Everybody needs to have some kind of basic education about it, and it doesn't mean they need to be knee-deep in it. But as
you probably know, cybersecurity has taken off and is now part of a business process; it's a thing that has to happen, it's crucial to the business, and if security is bad and your company gets attacked and gets taken down, then you will lose revenue. So since it's a business process, you really have the option to educate everybody and say, you know, apart from teaching you what we do generally as a company, we also need to teach you a little bit about security. And if you do, then hopefully you now have a few pointers on how to do it in a better way than just a multiple-choice click test.

So that's 45 minutes, I think. I'm more or less, I'm nearly at the end, because as always I'm speaking way faster than when I try that at home. So never try it at home, just go for it.

The conclusion to all that is, again, that we need to get into dialogue. I know that not everybody in the information security industry likes to talk to other people, and that's fine, you don't have to. But find people who know security on the one hand and who also want to talk to people like the C-level on the other hand, because the discussion that we had, "how do I approach the C-level?", that is very interesting, because they won't get down to your technical level and be interested in what you do. As she said, they are going to ask "are we secure?", and, picking up on that, what she said again is that most techies won't say "yes, we are". But if you can say, well, we reasonably are, but we have this risk, and we think it's, well, you just describe it in business terms, with a probability or what you can do against it, then they can insure against the risk. And then you can say, from an overall perspective, not from a technical perspective, because we always will have bugs and holes and everything, but you can say, yeah, from a business perspective we are as secure as we can be at the moment. We could be more secure, but then we would have to spend more money on that, and basically we would close the company.

You need to reach that point, and as a techie, and that is a hot potato, you need to reach the point within yourself where you can say, yeah, I think we're reasonably secure. Because basically, if you want to be 100% secure, then you need to write how to do it, because a lot of people would buy the book. Most people in the industry will tell you you can never be 100% secure, and I've heard the funny, well, it's not really funny, but that's German humour for you, the funny guy ten years ago who always said, when somebody said "yeah, we want to be 100 percent secure", he said to the client: ha ha, then we take your server, dig a hole, sink it, put yourself in that hole and fill it up with cement. Then you are secure. It's exactly what the client wants to hear, I can tell you that.

And we need to really get there with our language, and we need to find out what our users want and how to empower them to do that with the best security possible. I don't think it will work when we always say we want to be as secure as possible and whatever you want to do has to adapt to that. We also have to gear up
to them, and that is, I think, my point. So yeah, key takeaways, conclusion: more or less the same. I've put a few links in there for you, but I'm also on Twitter, info shortly, if you have any further questions, and I'd like to talk to you if you have any other ideas on how to empower your users, or if you're interested in exchanging fraudulent IBANs. We are still trying to figure out, with reverse social engineering, we're still trying to figure out a legal way where our data protection officer is happy when we share fraudulent IBANs with other people. Because, you know, the bad guys can break laws and they don't care about data protection, and they are so very, very well connected, whereas the good guys, so people working legally, have the utmost trouble to actually share a fraudulent IBAN that just belongs to someone, a criminal, but we can't give up the IBAN because we didn't ask the criminal if he's okay with that. These are some funny things, but again, if you want to have a conversation about that, I'm going to be around.

The only thing I want to mention as well is the same security podcast: if you enjoyed what I'm talking about, there's more on that, together with Mike Attica from active net. And thank you very much for listening. I put that slide at the end because if you made it through here, then you probably need to know who I am if you want to send me an email or a tweet. My name is Stefan Hager, I go by the lady by the head of Kate, I work for a company called DATEV in Germany. We are doing software for tax accountants, which sounds like the most boring job in the world; you have to imagine that this company has 7,000 employees and 1 billion euro turnover per year, because, yay, taxes. I mean, Germany loves taxes and taxing; they say that 80% of world literature on tax is in German, yay. So that's what I do, I'm with a team for internet security, and I'd like to thank
Brian fight for the original contributions and most of all you and BSides Leeds for having me, and you for listening to me. Thank you very much.

[Applause]

Are there any questions? I don't have anything to give away apart from my love.

[Question from the audience]

So just to repeat: can't we use the IBAN as an indicator of compromise and then share it with others? We probably could, but my company is different from others, so whenever 99 lawyers say this is not something that needs to be protected, our company says, well, we think it is. So for other companies it might be easier than for us. Okay, thank you. More questions?

[Question from the audience; the transcript is partly unclear here]

Oh yeah, she cried. Two questions. One of them is around the nation yet each attorney catharsis, which is NCSC, like a little baby; obviously brand awareness of an organization, the party will compete in data into it, you get a lot of protection back from them and making your sharing. So I'm just wondering whether, from your perspective, the German version of that will be a better way to disseminate matrixyl. It's a very close group; the people who receive Mountain facial images, whatever, they're very close to the people who then are going to do something. That's actual intelligence, and that's capable, exactly. The second is the question about your awareness program: the reason why businesses take continuity awareness programs is about ABCD, these four metrics, because the bottom top of the tree needs to say this year 200 people, and we have now better than last night, there may be lots more. I think fluffier doesn't mean that, despite the kind of training modeling; this is all what we need to kind of know, how does the FAFSA possibly go, and now we're more, see, folks have spent more money on this training budget.

Yeah, to your first question: I think again it would be easier to share information, but our company is different in that way, because we do have mis-sharing as well, and that with a few things like the IBAN it is difficult. And the other thing is, it's not our CEO who's after those metrics, it's the people responsible for internal security, who have no clue about security at all, and I hope I didn't say that while the mic was still open, but who are charged with some aspects of security, let me say it like that. But we are seeing that we still do both, so it's the multiple-choice click fests and the virtual training company, which is mandatory, and our department does those other trainings, and we see an effect of both. Well, we like to think that our effect is higher in the end, and that it doesn't only contribute to a list and to a number at the end of the day.

All right, any more questions? OK, I'll be around. Thank you again for your patience.