
Good, good. Yeah, you guys didn't stay out late partying, I take it. Everyone here is actually awake. So thank you so much for coming to my talk, Creating a Powerful User Defense Against Attackers. My name is Ben Ten. For those of you that don't know, I actually have 12 years of experience in the healthcare industry. We deal with over 35 different hospitals in the Chicagoland area. I'm the vice president and security officer, so even though I look young, I've actually got a decent amount of experience, and I'll talk a little bit more about that. I'm a developer, I build things, I've been writing programs since I was 12 years old. One of my first applications was a virus on my family's computer, and after my mom found out she threatened to call the cops on me, so that was great. Security consultant and trainer, and I deal with federal regulation oversight with HIPAA, HITECH, Meaningful Use, all of that other fun crap. And I manage a team in the department, a team of IT people. But one of the big things about me is I'm a gamer, I'm a geek, I love doing a lot of different strategy-based games and tower defense games, I love sci-fi. This is my very first time in Detroit, so thank you guys for having me out here.

I didn't know what to expect, and so far it's been a fun time. With the way that I look, it's really hard to be a vice president and to look like you're 12. The CEO at our company is a woman, and we went to one of the facilities and we're checking in. I'm there to do a security assessment for them, real professional, we're ready to get going, I'm in a suit, which doesn't happen very often. We check in, the CEO signs in, the receptionist is a nice little lady, she's just like, oh, welcome, welcome, and she looks at me and she's like, did you bring your son with you today? And I'm like, no, I'm the vice president. So it's all right, it's fun, a lot of people don't take me seriously, and that's all right.

What we're going to be talking about today is the overall defensive strategy that we have with creating a user defense. One of the recent terms that they've just now started to apply is the human firewall. How many of you guys have heard that, you've seen that, human firewall or the human IDS? That's basically what we're trying to create here. I'm trying to look at my slides and everything, so if I move around I apologize. We want to talk about user security awareness, and this is one of the big problems that we see with a lot of organizations today: getting the users actively engaged in your security defense. I'm going to talk about some of the tools that we did, and we'll go to acknowledgments and Q&A.

So the security defense that we have right now is like an onion, and it's not that it stinks, it's that it's multi-layer. When you create a defense, it's not meant to be a one-stop solution. If you go back and you look at all of the different defensive strategies and styles, and this is not just in technology, let's look at forts. When you created a fort, oftentimes when you had to get something up and done, it was one wall, one point of failure, so that if that wall fails you're done. When we create a defense when it comes to technology, we can't think of the one-stop solution. It's not just your AV, it's not just your blinky box, there are multiple layers. A fort similar to this, there's six different moats, six different walls, six different bridges that you have to get through to get there. This design is not meant to necessarily keep people out, it's to slow people down, and that's what we need to start thinking about when we think about defensive strategies. It's not just a one-stop solution, it's not that we get rid of something because it's not working exactly the way we want. The whole idea is to slow it down, and our users are supposed to be one of these lines of defense, one of these layers.

So think about gaming, and you think about trying to set up a defensive strategy when it comes along. Now this could be either a threat or your user base, whichever you want, you guys can decide on that one. So you think about that and you think about how you're going to set up your defense, because your enemy is going to come at you with everything that they've got, and it's not so much to try and keep them out as much as it is to slow them down so you can stop them and get them out of your network. That's a big thing right now with a lot of organizations, even identifying that they have the threat. One of the things that I have learned is that our users are great at identifying threats when they are on board with your team, and that's what I want to talk to you guys about.

So what is the current state of security awareness education, and security awareness overall? It's horrible right now. No matter how great your security is, your users are still letting people in. They have to get out, they have to do their job, you can't black-box them. And so when they have the ability to come and go as they please, think of it like the fort: they can leave the door wide open, and we're sitting there going, would you close the freaking door, just don't click on the link. So that's part of the problem. But let me tell you, no matter how many controls you have in place, users have enough aptitude to bypass your controls for their ineptitude. They don't have to be elite anymore, they don't have to know commands or routing techniques or whatever. They download a single app or they go visit a website that'll do this for them. It'll bypass all of your stuff, your DLP and everything. If they want to get to it, they have the tools to do so now. So it's no longer a technical control that we need to work on, it's the person. It's working on that person and getting them on our team.

Organizations are now questioning whether or not security awareness education or training is even worth it. They're spending billions of dollars across the industries trying to get users involved, and it's failing. And it's really no surprise when you see statistics like this, where 80 of 400 West Point cadets clicked on a link in a phishing email after four hours of security training, and consider that 90% of all malware requires human interaction. So you look at this and you're like, what is going on? Well, the most recent Trustwave report, the variety of social actions: phishing with 77% overall. This is not remote code execution on just an external facing port, this is attacking your user layer, it's directly attacking you. And the number one way of doing it, the vector, is email. It's the user. I mean, 13% is in person, but even still, it requires somebody there. And yet the first thing we want to do is throw this entire layer out the window because it's not working well. When you see stuff like this, or when management or C-levels see this, they're like, why are we spending all this money, it's not working? So then you also see that the compromised target, when you actually look at them as an asset, the user is 71% of that compromised target. There's a problem with this layer. Another thing that was in the Trustwave report was that the more emails per campaign, the higher your chances are of getting the click, to reach 100 percent.

This is a problem for us, and when you look at your C-levels and you look at your executives, they look at their money and say, why are we investing money in this, it's not doing us any good. Then you get people like Dave Aitel saying, if there's one myth in the information security field that just won't die, it's that an organization's security posture can be substantially improved by regularly training employees in how not to infect the company. He goes on to say, employees can't be expected to keep the company safe; in fact, it's just the opposite, security training will lead to confusion more than anything else. Now I got really pissed off when I read that, because I think that's asinine. But not to be outdone, Mr. Bruce Schneier says, I personally believe that training users in security is generally a waste of time and that money can be spent better elsewhere. Moreover, I believe that our industry's focus on training serves to obscure greater failings in security design. I went Super Saiyan. Absolutely asinine. We have statistics that show that this entire layer is failing desperately, and the only thing we want to do is throw it out. That's asinine. Instead of making something better, we're just going to get rid of it and deal with it. That's stupid. Part of the reason that this is failing is because of the way that we're approaching the trainings.

So why is security awareness training failing, what's the problem? Part of the problem is user apathy. They don't care. They don't care. They did not get hired to work for your organization to go through your security, jump the loopholes. They don't care about the security. Their job is to get that report over to management as quick as possible, and they're going to do it whatever way possible, and if they're looking for something, they're going to go click it, because they don't care. The only thing that they see us as is somebody to inhibit their job, that's it. Why can't I just leave my computer unlocked? Why can't my password be a b c d? I just want to get back to my desk, I don't want to spend five years of my life typing in my password. That's all they see us as. They don't care, and part of the reason is we haven't given them a reason to. This is another reason.
Hello, IT. Have you tried turning it off and on again? Hello, IT. Have you tried turning it off and on again? Hello, IT. Have you tried turning it off and on again? Have you tried sticking it up your ass?

That's part of the problem right there: it's us. We're intolerant, we're impolite, we're impatient, and we're irritating. And I'm not saying that about just you, that's me. People would call me and I'd be like, yes? Well, there's a problem with my keyboard. Really? Okay, I've got APTs on my internet right now, I have to deal with them, I don't have time for you. And I gave them that environment, that perception, that when they called me they were bothering me because they were stupid.
Part of the other problem is the way that we perceive them. I seriously hope that this was a staged photo, because those guys are dead. That they're inept, that they're ignorant, that they're irresponsible, that they're illiterate. And there are times that I look at somebody and I say, are you serious? Hi, there's a problem with my keyboard. Okay, well, what's wrong? Well, I don't know, can you come look at it? Sure. Well, I go over there, I pick up the keyboard, and tea is draining out of this thing. Oh yeah, I spilled tea on that, is that bad? No, it's fine, we water the keyboards at night too, it's okay. And you wonder, you're like, are you serious? But we can't treat them that way if we want them on our team. We come to these conventions and we make fun of them, then we go back.

So what's the end result when we've got these two things? We've got security failure at this point. We've got two sides of this defense that aren't working together: one that doesn't care, that thinks that we're completely jerkish, and our side, where we don't want to deal with them because we think that they're too stupid to figure out something that's simple. Well, this is the result. This is why security awareness is not working, it's because you don't have two teams working together. How do you expect to get this to work together? It's not going to. It doesn't matter how great of a security awareness training program you have, if your users don't care it's going to be ineffective. And I'll also say, it doesn't matter how great of a security awareness program you have, if your users think that you don't care it's going to be ineffective. You're not going to get buy-in if your users don't think that you actually care about them. It's no different than you or I. You or I are not going to do something, or buy into something, if you think that I don't care about you. I need you guys to do something with me, but if you think that I think that you're a complete idiot, or I think that you're asinine, there's no way you're going to do it, even if you think my idea is great. It's no different with them. We can't have double standards in this. We wouldn't want somebody to treat us that way, and yet we do it all the time, and then we wonder why they're not buying into our programs.

Security training doesn't mean that you're accomplishing security education. Security training has to die in a fire, because it's not working. Education is something completely different. When you want to educate somebody on your staff or on your team, you don't just sit them in front of the computer for two hours and expect them to be really good at it. That's stupid, and you're not worth your salt as a manager if you think that that's the best way to train somebody. You come alongside them, you coach them, and when they make a mistake you don't make them feel like a complete idiot, you say, well, okay, that was bad, go fix it, now here's how not to do that again. That's what we need to do when it comes to our users, and it takes a lot of extra work for us. If your users aren't responding to your security awareness program, perhaps the issue isn't your users, perhaps it's your program. And that's tough, because the first thing we want to do is blame the user: well, they just don't get it. I mean, this is very smart and educated and I get it, it completely makes sense to me, but they're not getting it, so they're just too stupid to figure it out. That's our posture, that's our mentality, and that has to go away.

So how do we repair, how do we create this security defensive layer, what do we do at this point? Well, one of the first things that I had to do was figure out how I was going to get our users to actually buy in to my security plan, and the first thing I had to change was myself. I was irritated, nobody wanted to talk to me, nobody wanted to bring an issue to me, and that was just general technical issues, much less security emails, much less phishing attempts, much less anything else, because they were too afraid that I was going to treat them like the idiot that I had previously. I had to change myself first, and the first thing I had to do is start dealing with respect, treating that user with common respect. Yes, they confused the crap out of me when they did some of the things that they did, and I really questioned their intellectual aptitude, but I still had to deal with that, treat them with respect, because I need them on my team. I don't have a choice. I don't choose my team, I don't choose my user team, and neither do you, but you need them on your team, and you can't burn that layer by your attitude.

So what did we do? We created a security competition. This was after I changed my attitude, this was after I started treating people with respect, and when I actually said, thank you for letting me know that you just destroyed your keyboard, thank you, at least I know now and I can work on it. So we created a competition, we changed our learning style from punishment-based to incentive-based, and then we actually did real-life examples of some of our threats, and I'm going to go through how we did all of that. So this is what we didn't do. We didn't do a presentation in a conference room. We didn't do our security manual: go through this, read this in four hours, sign off on it, and go back to your desk. We didn't scare everyone that they were going to lose their job if they clicked on something. I mean, that's a real threat for a lot of organizations and for ours as well; we deal with healthcare, we have a huge DLP issue, we've got to be careful with that. But it wasn't working. Scaring them wasn't doing anything, it wasn't changing anything, the same behaviors and attitudes were still there. So we decided to scrap that and try a different approach.

So to kind of give you an example of what I'm talking about with incentive-based learning, I need a volunteer, please. I know it's early. You want to come out? Have you seen any of my talks? Okay, good, come on up. Can you guys give him a hand? Come on, I know it's early, but give him a hand.
How you doing this morning? Are you a little nervous? You should be. What's your name? Chris. All right, so Chris, have we ever met before? Okay, so as far as I know, yeah, I don't think we've met. So we're going to be implementing something new here at BSides Detroit. It's a new security thing, it's going to be a new buzzword and everything else like that. I'm going to train you in this new security thing, but if you don't do exactly what I tell you to do, I'm going to kick you out of my talk and you have to go to the next door. Okay? I mean, I'm just gonna kick you out. I mean, I'm nobody, see? Exactly right, and that's it right there. Do you see that, my approach? I'm gonna kick you out of my talk, you do what I tell you to do or there's a consequence. I didn't get any buy-in. Do you care about what I'm gonna have to do right now? Okay, so let's try this.

I've got fifty dollars here if you're willing to do something with me on stage, but you have to do it, as long as I can keep my clothes on. Are you ready? Are you ready? Okay, so here we go, here we go. Come on, man, come on. Come on, man, come on. All right, give Chris a big hand. Come on, man, good job, man, thank you so much, appreciate it.

Chris didn't know what he was getting into, man. I've got another fifty dollars, who would like to volunteer now? All right, you're coming out. And just because you volunteered, there you go. All right, that's it, who would like to volunteer now? Now stop, look what I did. Do you see what I did? The first time through I told the guy I was gonna kick him out. My security thing was awesome, but the way that I approached it was asinine, and that's why it's failing. We sit there and we threaten our users with consequences, and there's not going to be any buy-in. We need to get them to want to be on our team. I got only one person raising their hand at the beginning of this. After the third time, I saw the hands go up, because you were starting to get buy-in. You didn't care about what I had to do up there, there was something in it for you. That's the mentality that we need, and that's what it is. Now the problem is, I tried to get buy-in from one other person to come up here and he wouldn't do it. I needed more money, apparently. So we tried to get Wolf Gangnam Style, you know.
That's gonna be, that's like my new background image right there. When we announced the security competition, people were so excited that we caught an actual security incident. I sent out the email to everyone saying, hey, we're going to have this competition. What's going to happen is that we're going to do actual security incidents: you're going to see emails, you're going to see files on your computer, we're going to have some stranger walk through our suite, and we need you guys to identify anything that's out of the ordinary. You see, that's the difference, is that I didn't go through and tell them, this is the CSIS Top 20, this is the OWASP Top 10. I didn't do any of that crap. I said, you know what your daily job is, you know what you do from the time you get here to the time you go, if you see anything out of the ordinary let me know. That was it. They know their job, just tell me something that's out of the ordinary. So I get a call: hi, I found one of your security incident thingies. The competition hasn't started yet. Oh, well, there's a box on my computer saying it's unauthorized access. Sure enough, I go over to one of our remote facilities, they had a breach, and she's like, I had been clicking this box for two weeks now. Oh. But do you see what I did? I asked them to slow down, spot something that you don't typically see. They don't need to be experts at this stuff, they know their job. My computer is acting funny, I want to know about it. I do. I want to know when your computer is not doing what it should be doing. When you log in and you see 15 black boxes flash on your screen, I want to know about it. When you go to a website, you type a search, and all of a sudden your search engine, your default, changes, I want to know about it. I do, because I want to know what's going on with your system, and they're the first persons to let us know, because I can't catch it all. There's no Pokémon security, you can't. No matter how many blinky boxes you have, you need that user to tell you what's going on.

So how did we do this? Well, the first thing that you're going to do is you need executive buy-in. If you don't have executive buy-in, it's not going to work. They have to be on board, they have to be excited about it. You also need to get your IT teams involved, because they're the first people that are going to be dealing with the users, and their attitudes and mentality and the way that they interact with users, that has to change too. The other thing is, you actually have to sell it to your users. They have to buy into it, otherwise it's not going to work, and again, part of that is changing the way that you interact with them. You have to choose the appropriate size. I've had a lot of people say, how does this scale to a company of 35,000 people? I said, well, you don't typically jam 35,000 people into a conference room anyways. You break it up, and that's exactly what you do. You can do this with a team and have them go back and do it with their departments. Make it about learning and not training. This is a training right here, guys, that's what this is, but I'm not coming alongside you to educate you. When I'm done and I'm off the stage, I have no more obligation to you than anything else. When it comes to your users, you need to come alongside them and make it about education. You need to invest in them learning, you have to want them to learn, because when they learn it makes your job easier. And I'll go through how we set up our thing.

So when you're selling it to the executive team, Jayson Street in one of his talks says, if making a pie chart will get the executives involved with security, I'll bake them a freaking pie. And you can hear that in the Jayson Street accent, I can't do it so well. Give them graphs, give them spreadsheets, they like it, so do it. You need their buy-in. In the same way that you're going to do some research about any type of technology procurement, and you want people to sell you, and you want to see the demo, and you want to see the metrics, do it for your C-levels. This is going to help you get their buy-in. If that means graphs, make a freaking graph. Show the cost difference between the training and what we're doing right now, and the results, and what this is going to do. I did this for a company of 80 people. Now granted, that's small, but a company of 80 people, and I did it for twelve hundred dollars. That was it, twelve hundred dollars. You can't shake a stick at any of these programs for that type of money, you just can't, and I did it for 1200 and I got everyone excited about it. Show how this helps employee morale. We actually got people so excited about this that they were at the water cooler going, you're going down, I'm finding the next one, I'm winning this thing, I'm getting that card. It was a lot of fun, and people actually had fun at work that week, they really had a good time.

Then you have to get your IT team involved. One of the things that I decided to do was to make my IT the red team, and that was fun. I'm like, how can we screw with the users, what can we do? And of course every idea imaginable came up. Get them involved with it. You want them on this. You don't want them to think, oh, this is going to be something where I have so much more work, I'm already overworked, I don't want to deal with this. Have them be part of the planning process. Don't just come and say, this is what we're going to do. Have them help you decide on what you're going to do, because then they're part of it, it's their deal as well. Let them be the bad guys.

Then you've got to sell it to the users, and this is a hard one. The first thing you have to do is you have to regain their trust and their respect. It took me a year before I was able to implement this, and that's because I had burned a lot of people pretty bad, and no one wanted to deal with me or talk with me, so there's no way I was going to implement this with the way that my users' perception of me was at that point. I needed to rebuild their trust before I could even think of implementing this program, and that's pivotal. And that's something that most people in most organizations and a lot of IT shops are missing: that without that respect, when we treat our users like crap, we can't expect them to want to be a part of our team. You have to do the education piece. You need to go alongside them. This is not about, you clicked the link, you're stupid, you now have to go sit in a meeting for two hours, you know that you're probably going to be on social media anyways, but this is our corporate policy. That's asinine. No one learns that way, nobody. Empower users to be part of the defensive strategy. Let them know that when they spot things that are out of the ordinary, they keep the company safe, and it keeps our jobs safe. We don't have to spend extra money on a lot of ridiculous things like breach notification. It helps the company, it keeps your job. And make it fun. Have fun with them. I mean, for crying out loud, this is a great way to use the company's money to have fun. Choose the appropriate size. We were a small business, obviously, but like I said, you're going to want to break this up into individual groups. There's no way you're going to run a competition for 35,000 people, it's just unmanageable, but you can do it by department. And then you don't need to break the bank on this one, as I said, and it doesn't necessarily have to be money. Money is great, it works really well, but it doesn't have to be. It could be pizza, it could be PTO, it could be a point-based system. Think of games, for crying out loud. I mean, look at FarmVille and everything else. Everyone does this crap to get fake coins and they're addicted to it, so give them freaking fake coins and let them turn them in for other incentives like PTO. You know, you get a thousand coins, you get a day of PTO, whatever the case may be. It doesn't have to break the bank, be creative.

Make it about learning. When someone brings something to you, or they fail, and they will fail, as we all do, they'll click a link, they'll click something they shouldn't, you don't bring them in and say, you clicked the link, I can't believe that, why would you do something like that, do you realize... Just shut up. It's okay, so you clicked the link, I get it, but did you see how that happened? Here are the ways that you can look to identify this going forward, and that's exactly what the bad guys do, this is exactly what they try to do at home and to your kids and to everyone else, so the next time you see this, please let me know, and if you have any questions, let me know and I will be glad to answer them for you. Thanks, Ben.
me know and if you have any questions let me know and I will be glad to answer them for you thanks Ben so how did we set it up we created application incidents physical incidents phishing incidents and web incidents so we created several categories and we created a framework so that everyone could uh see what was going on and uh we had a framework that they sent an email and I could automatically assign points or close out the ticket and say no this really wasn't a security incident so these were some of the ideas that we chose but before I continue understand that this is what we came up with it may not necessarily work at your
organization a competition may not work but what I'm trying to do is give you the tools to think creatively and to think outside of the box so one of the things we did is we have an in-house application that we develop and so what we create an alert to see if anyone would just click ok it was out of the ordinary right when they log in it they didn't typically get an alert so we created something that was out of the ordinary to see if they would stop and ask us or if they just clicked okay if they stopped and they asked us we give them 50 points and let me tell you the first time somebody got a point
like the number of clicks went because they started talking again 50 points oh let me let me not click that too put in exe with interpreter reverse shell on the user's PC to flag IV so what I did is I just created a interpreter exe and I just put it on we knew that our av would catch it because it wasn't encoded it was Baseline the signature was there it wasn't malicious if someone got a hold of it wasn't going to go anywhere but because it had the signature boom AV popped up bunk would anyone tell me and again you may as not want to do that we did would they tell me if they an AV box
popped up we did physical incidents we taped the the latch on the door you have to enter a keypad to get in we taped it we put Gaffers tape on there and we wanted to see if anyone would notice that they didn't have to enter a code to get in you just push the door and it just came open and it closed differently too it made a different sound because the latch wasn't hitting and sure enough some people didn't see it but some people did we covered a security camera with paper like we just put printer paper on it we had a friend he was carrying boxes and he was watching all the employees come in and he's sitting there and he's
like hey can you hold the door for me and we wanted to see if anyone would let them in I mean because who's going to be the schmuck that doesn't hold the door for the guy with the boxes we did fishing incidents we uh we actually hired a third party company um that I can't name legal asked me not to we we hired them and they created a custom email campaign just for us uh we gave them a lot of our internal workings they knew a lot about our company because we gave it to them they didn't have to do open source intelligence we gave them much more information than what you can gather about us and they
specifically tailored the phishing incidents to our organization they sent it out they got zero clicks nobody did I mean zero I'm not saying that that we won't ever get a click I'm not saying that they're perfect but we got our users into the habit of knowing that when they tell us about this stuff that there's an incentive involved so when they got the email that was out of the ordinary they said is this okay should I click it or not and they got zero clicks pissed off the company doing it because they're like man it's not working but they got zero clicks they reported them all uh we I sent an email from a similar
looking email so like it's like ben.10 at domain I just did Ben 10. just to see if anyone would notice that it's a different email some people didn't but some people did and then when we came back I said hey did you guys recognize that the email was different do you look at just the message or do you look at who's from and then we sent uh we sent one email and I got a few people in this that they could download their free Visa gift card click this link to download your Visa gift card it was from Happy ahmed's Car Wash and Bank and I got a few clicks on it and I I
felt bad I'm like so how would you use the downloaded gift card so you know so that was one of the things that we did we created web incidents we created invalid certificates would they click OK would they go through the invalid server because that's one of the that's one of the attack factors when you're doing man in the middles you're going to get invalid certs so I just gave them an invalid shirt on one of our in-house apps just to see if they would tell me about it uh we created a redirect to an IP instead of a URL so when they went to log in it would redirect to an IP and we
use set to clone the page but it's now an IP and not a URL did you notice that that happened uh we created a JavaScript on a permission on a website that they went to log in Java popped up did they click ok we did a lot of the same stuff that the attackers are doing and we controlled it because we wanted people to see what it's like when these guys are doing it we know what it looks like but they may not and they may not know that Java popping up on a site that they're not typical is not okay part of the reason is we haven't told them that it's not okay so these are some of the tools that I
So these are some of the tools that I had used: email, SET, Metasploit. One of the things that I wanted to do is I didn't want to leave my Meterpreter out there, and a lot of other tools that are used, for somebody else to utilize to breach my network or use to pivot. So what I did is I created a benign application that we can put out there that would track the users, so I could have the analytics, but it was actually completely benign. It didn't do anything bad, and AV didn't flag it. So I created the Ben 9 application, and then I created a security account framework, which I'm still finalizing to put out to GitHub so you guys can utilize it yourself. It'll just read in emails, nice easy user interface to run your competition. And then I use my friends; I'm like, hey man, can you come break into my company? Like, dude, that's awesome, sure, I'll come do it.

So this is the security account framework that I wrote. It's all web-based PHP, and it kind of keeps track of all the tickets that are coming in. You can read the emails, assign the points, assign it to a category. Just basically made it an easy way for us to run this, because one of the things is, you know, you get this influx of emails; you're not going to sit in there answering a thousand emails every day. So we created this. You could select a bunch, like if there's a bunch of junk ones you could just close them out.

But I want to show you some of the responses that I got from running this security competition. I want to show you how people started to get engaged. One of the emails that we got was: "Just got a Symantec antivirus detection results box pop up on my screen, wget one Trojan, sort sort info, should I click on this or not?" So that was the virus that I had put on everyone's box, so they clicked on that, or they let me know about that. "I received an email from UPS stating that I have a package and it was returned and now I should log into the website to verify my delivery." Very typical; that was the phishing email campaign. "Hi, someone is drilling outside the new door. I'm on my way to investigate, stay tuned." I'm like, it's okay, they're here working on the door. And then they sent another email, I don't know if you can see it: "The driller is clean." They started to get excited about it, because we had a leaderboard and you could see, you know, some of these people got 200 points here and some of these were only five-point things. They started catching everything, and they started going a little bit crazy too; they started catching really esoteric things, and it made us laugh, it was great.

But, you know, some of the things were really silly, like the printer: "There was printed hikvahs right side up with patient information showing by the Hip foot printer." Yeah, we have to print in this organization. It's okay, there's nothing we can do about it; they're going to come out of the printer and they will have PHI on them, nothing we can do.

This one got me a little concerned. This was about the time that the Pwn Plug had come out. You guys know the Pwn Plug, the power strip that you just plug in, and it's awesome. And so they're like, "There's a little black box on the floor next to the shelves by Ben's office before the break room that wasn't there before." And I'm like, oh crap, someone put a Pwn Plug on my network. And I'm paranoid, and in my opinion if you're a good security professional you have a healthy level of paranoia. I have an unhealthy level of paranoia. And so I'm running around, I'm like, oh crap, and so sure enough I go outside my office and I see this: it's a freaking rat trap. And I'm like, that's okay, that's for our four-legged intrusion prevention system, it's all good.
But they started to notice things that were outside of the ordinary because they wanted the points. They were literally looking around our suite trying to find something that didn't look right, and that's what we want them to do, right? That's exactly what we want them to do. I mean, most people come in and they don't even know if you put a security camera up. Get them incentivized to see around their office.

So this is the Ben 9 application, which is available on GitHub. I'll give you guys the URL at the end of the talk. It works in Windows, it's just a Python script. I also have a .NET version for those who are just simply Windows shops and don't want to deal with all of that stuff; you can download the .NET version. It's got a listener and a client. What we did is we renamed the client to "change password" and we put it out onto our local shares, we put it in a bunch of different directories, and we asked everyone to change their password recently, like within the next week, please change your password, because we wanted to see: "Oh well, I can just change my password here, I just click this link and hit change password." And what it would do is it would actually tell us whether or not someone clicked the exe. But then there's also a web-based one as well, so you only needed one listener. So you had the server set up, and then what it does is when you click, it'll actually put everything in pipe-delimited format, so you can dump it to Excel, do any type of graphs, sheets, whatever you want with it. It'll check for clicks, it'll check for web-based, whatever, so it's not like you're having to do multiple setups for this; it's one setup. So you can see that I'm running this through Cygwin, because I'm a Windows guy but I also like Linux, so you can run it through both. And then this is the web click one, so there's a PHP file that I've got along with it that you can modify, and the same listener will detect whether or not it's a web click, whether it's an exe click, whatever the case may be. Completely benign; all it does is log, and that's it. And it's open source, so you guys can take it, modify it, do whatever you want with it. But this was one thing that I wanted to do, because I wanted to be able to see when people click stuff that they shouldn't. I mean, there's some things that you can track but other things you can't, like if they visit a website. I wanted to just be able to see that, so that I could go back and come alongside that user and provide them that user education.
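The pipe-delimited click log the speaker describes is the kind of thing an awareness-program owner ends up summarizing by hand in Excel. The following is an added example, not the Ben 9 code from the talk or its GitHub repository: it assumes a record layout of timestamp|type|user|host|resource (an assumption, not the tool's real format), shows how a benign listener would write such records so that a pipe inside a field does not break the layout, and summarizes who clicked an exe versus a web link while skipping malformed lines. All log lines and host names are constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Assumed record layout (not Ben 9's real format): one click per line.
FIELDS = ("timestamp", "type", "user", "host", "resource")
KINDS = {"exe", "web"}  # exe = renamed client was run; web = the PHP page was hit


def escape(value):
    """Encode backslash, pipe and newline so a field can never split a record."""
    return str(value).replace("\\", "\\\\").replace("|", "\\p").replace("\n", "\\n")


def unescape(value):
    """Reverse escape(); unknown escapes are kept literally."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            if nxt in ("p", "n", "\\"):
                out.append({"p": "|", "n": "\n", "\\": "\\"}[nxt])
                i += 2
                continue
        out.append(value[i])
        i += 1
    return "".join(out)


def format_click_record(kind, user, host, resource, when=None):
    """What the listener would append to its log for one click (all fields escaped)."""
    if kind not in KINDS:
        raise ValueError("unknown click type: %r" % kind)
    when = when or datetime.now(timezone.utc)
    values = (when.isoformat(timespec="seconds"), kind, user, host, resource)
    return "|".join(escape(v) for v in values)


def split_record(line):
    """Split on pipes that are not part of an escape sequence."""
    fields, cur, i = [], [], 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):   # keep escape pairs intact
            cur.append(line[i:i + 2])
            i += 2
        elif c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    fields.append("".join(cur))
    return fields


def parse_click_log(lines):
    """Return (records, problems); a bad line is reported and skipped, never crashes the report."""
    records, problems = [], []
    for n, line in enumerate(lines, 1):
        line = line.rstrip("\r\n")
        if not line:
            continue
        parts = split_record(line)
        if len(parts) != len(FIELDS):
            problems.append((n, "field count"))
            continue
        rec = dict(zip(FIELDS, (unescape(p) for p in parts)))
        if rec["type"] not in KINDS:
            problems.append((n, "unknown type"))
            continue
        try:
            rec["timestamp"] = datetime.fromisoformat(rec["timestamp"])
        except ValueError:
            problems.append((n, "bad timestamp"))
            continue
        records.append(rec)
    return records, problems


def summarize_clicks(records):
    """Per-user count of exe and web clicks: who needs the follow-up conversation."""
    per_user = defaultdict(Counter)
    for r in records:
        per_user[r["user"]][r["type"]] += 1
    return {user: dict(counts) for user, counts in per_user.items()}


# Constructed sample log: three good records (one with a pipe inside the URL),
# one truncated line and one line with a type the listener never emits.
T0 = datetime(2013, 6, 1, 9, 5, tzinfo=timezone.utc)
SAMPLE_LOG = [
    format_click_record("exe", "jdoe", "WS-014", "\\\\fileshare\\it\\change password.exe", T0),
    format_click_record("web", "jdoe", "WS-014", "http://intranet.example/change-password?u=a|b", T0.replace(minute=7)),
    format_click_record("web", "asmith", "WS-022", "http://intranet.example/change-password", T0.replace(minute=12)),
    "2013-06-01T09:20:00+00:00|exe|garbled line",
    "2013-06-01T09:25:00+00:00|ftp|bob|WS-031|x",
]

if __name__ == "__main__":
    recs, bad = parse_click_log(SAMPLE_LOG)
    print(summarize_clicks(recs))
    print("skipped:", bad)
```

The summary is what you would take to the individual follow-up the speaker describes; the skipped-line report matters because a log that breaks on one odd URL is a log nobody trusts at the end of a competition.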
So a lot of people ask me about metrics, and I'll let you guys read this real quick.

So a lot of people are like, what are your metrics? 22. There's my metrics. Metrics are different. What we've found is that we have an increase in notifications, and a lot of them are benign, a lot of them are esoteric, a lot of them have nothing to do with security whatsoever. But we have caught three actual incidents since we implemented this. Now, that seems low, but that's three that people would not have mentioned, and all it takes is one for your network to be bad, for a bad guy to get in and for things to go for six months without us knowing about it. Your metrics are going to be different than mine. What you have to know and understand is your organization and your users and your people and what they're doing right now. Are you getting feedback from your users about things, or do they think that you're a jerk and they don't want to talk to you? We have had an influx in notifications to our security systems about these types of things, and we say thank you every single time.

We hired three separate pen testing companies, one out of Chicago, one out of Ohio, and a third, again, I can't disclose: three separate internal, external, full social engineering. And I said, go after the CEO; I want you to go after her, she's not exempt. We did all of this, and you know, one of the things is we're small, so we're able to be a little bit more locked down than most organizations. But they got nothing from our users, nothing, and they actually had to send it back and do a retest because they thought that the original tester did it wrong. It works. That's my metric. I can't show you the reports, but I can tell you that it works. And part of it is you'll start to see it when you change the way that you interact with your users; you'll start to see a change in the entire dynamic of your organization.

In conclusion, what I want you guys to understand is that this is not designed so that this would be the layer that will completely change your organization and you'll never get a user click. We will get a user click, where someone's going to click something that's stupid and you're like, oh my goodness, I can't believe you did that. This is not designed to harden your network so that you'll never have an incident; that's not the case. Remember, this is multi-layer. What I'm telling you is don't throw the layer out; change the layer, make it stronger. You're not only going to change your entire corporate security stance, you're going to change your entire corporate environment, because users are actually going to want to be a part of your team. Come up with a way that's going to work best for your organizations. And I've heard some great feedback from other organizations; there's one company that has developed an internal little game-type thing, and they've got like Steam achievements and everything else like that, and it's just little banners like you've got on Stack Exchange or whatever the case may be, something that shows, hey, I'm the top security guy this week. Come up with something unique and fun. I mean, we like playing games; why don't we make this a game for them? It makes our job a lot easier.

So before I go on to community questions and answers, I want to say thank you to Jason Street, Security Maui, Elizabeth Martin, Dual Core, and of course BSides Detroit for having me out here. You can get a hold of me at Ben 10 on Twitter; it's 0xA, so just so everyone knows, it's not o-x-a, it's zero-x-A. You can get a hold of me at b-size Detroit ben10.com. I'm on Freenode on IRC in the burbsec and the MiSec channel; they let me in, so I'm honoring the MiSec channel. And then all of my code is out on GitHub. I also have some PowerShell scripts out there to help you guys out with KBs and anything. So does anyone have any questions?
Yes, sir.

So the SEC portal that you have where you keep track of all this stuff, is there a view that's seen by users, that they're keeping track of?

Yep, we actually had the leaderboard out by the time clock, so when they came in every morning they could see who was in the top lead. And then what we did is the top-place person was going to win the $100 gift card, and then they had different ones, and we color-coded it. And then two days before the competition ended, I put question marks instead of their names in the top five, so no one could know until the very end who actually won that competition. That kind of pissed everyone off, but it was really fun; it led up to it. So we let everyone have a leaderboard and everything else, and even on the leaderboard I put an invalid cert, so when they came in one day it said invalid certificate, just to see if anyone would say anything. Yes?

Sure. Well, see, that's a great question, and one thing I didn't mention is that when we did the competition it didn't end at the end. We allow them to send in reports throughout the year, and it builds up their score for the next competition, so they're already in the lead. So we typically will have things ongoing, and we will drop things like, for example, Trustwave reports. And I don't work for Trustwave; I like the reports because they have graphs and infographics, and that's amazing, because I can just hit print and put it up by the time clock, or send it out in an email and say, look and see what this is. And they put it in such a way that's easily digestible by your user base; you don't have to have a huge amount of technical expertise. You guys can choose something else that goes along with that and say, hey, we want you guys to start using passphrases now. We had recently implemented passphrases before the Trustwave report came out, and the cool thing was, because we had everyone on board with it, the CEO, who would typically have the same password, and like seven people in the organization knew what her password was because she told them, and I came back to her and I showed her, I'm like, look, I cracked your password in like less than two seconds. She implemented a passphrase, sent me an email and said, come at me bro. So it is ongoing; it's something that you can keep going on and getting them excited about.

Yes, we are 80 people. Yeah, but we deal with 35 different facilities, and we have some offshore teams as well, but internal, in-house, we have 80 people.

For like new employees?

Yep, absolutely. What we do is we typically will go through and we will hit a lot of the top hot options, which again, we go through the security manual as everyone should do, but we also go through and we explain to them there are security competitions: as you learn your job, you will quickly learn what's out of the ordinary. Do us a favor: the first out-of-the-ordinary thing you see, send it to us, and we'll immediately get you points on the board so that you can work towards getting this cool prize. And that's the whole idea, is that we want them to start to realize that they're in the running just like everyone else, and just give us that first out-of-the-ordinary thing, just so you get in the habit of trying to see that. And that's it; we don't have to train them on everything, we just want them to tell us anything that's out of the ordinary, and we're going to get a lot of esoteric stuff that goes along with it, but that's okay; it gives us something to laugh about.

Do you do, I don't know, updates, like, hey, you know, check out the URL, make sure, you know, things like that?

Yes. Well, that's talking about the infographics that we will send out, like passphrases versus this, or how to keep your kids safe on Facebook, or this is one of the new attack vectors that everyone's doing. We don't use buzzwords like APT and cyber and China; we don't go through and scare our users. But what we do is we try and relate to them, and we also put it to their kids. That's one of the most effective things I have found: if you let them know that you're concerned about their kids, they're going to want to implement it more for themselves, because they want to keep their families safe as well. So we do that on an ongoing basis, email, posters, whatever the case may be; we try and do it in multiple different ways. And then one of the things that I'll do is occasionally I'll change up the email for the post that I put out, just to see if someone's set up: "I saw you put a link in there, I'm not clicking it," and then they get some points on there. So even in the notifications we put something that's out of the ordinary, just to see if people are going to do that.

Yeah, so Ben, I've seen you talk a couple times, that was amazing, but I've heard you mention before, when you change that gene with regard to your users, you mentioned at one of the other conferences, if New Jersey members, like, "I got an email at home, blah blah blah," "if you ever will, that's not my problem, it's not work related," I know that you're one of those guys. Now it says, hey, thank you for learning, here's how I can educate you going forward.

So, yeah, well, kind of like what Derek was just talking about is that when you get them and talk about their family, they'll come in and be like, yeah, I just got an email that was like I had won a million dollars and I just had to send some information over to them, and I know that I'm supposed to spot things out of the ordinary, but I really want a million dollars, so I'm really hoping that this is legit. Yeah, no, it's not; you're only getting 500,000, just give me your information. But they do, they come in, they tell you, like, yeah, I saw that, and someone called me and they said I had a problem on my computer, I didn't give them my information, I hung up the phone. So they do, they start to take it home. So any other questions? Yes?

We always have brochures, free stuff from the FTC about keeping your kids safe online; we get more traction from that than anything.

Absolutely, yeah, over to the table, and then, yep, they learn Kids Safe. Yep, absolutely, absolutely. And one of the easiest things that we actually recently implemented was passphrases, amazingly enough, because I said, I'm in a conference room and I gave them a 14-character random, very strong password. I left it on the screen for five seconds and then I put it away, and I said, now tell me what the password is, anyone, and I've got a hundred dollars if you could tell me what it is. There's nobody in here that would do it. And then I put up a 22-character "the purple horse has flying wings," left it up for three seconds, closed it: what was the password? Exactly. And I'm like, see, isn't that much easier? So we just switched to passphrases. I'm like, what would you rather have, 14 ridiculous characters or this? And they're like, oh, I'd rather have that, it's easier to remember. It was so much easier for them to get into passphrases, and that's because they had a part of the thing. So I think I'm out of time, so guys, thank you very much, I appreciate it.