
Weaponizing Layer 8

BSides Luxembourg · 2018 · 40:34 · 51 views · Published 2018-10
Style: Talk
About this talk
Do you think users are the weakest link in the security chain? Here is some duct tape to change that, and to raise the bar for social engineers and other attackers alike. Over the last few decades, sysadmins and people working in IT have called users names and generally rolled their eyes at the antics of those allegedly lazy, stupid and uneducated people. From PEBKAC to ID-Ten-T, we have been calling them names and didn't want them on our networks. This destructive way of thinking needs an overhaul, and here are some easy tricks for turning users into the valuable asset in corporate security that they should be. Finding creative solutions to existing problems has been a standard skill for red teamers, whereas those defending networks often rely on standards. Discover some creative solutions people have come up with to significantly raise their security, most of them easy to implement, and how users can become a major asset of any security team.
Transcript [en]

The stage is yours.

Thank you very much. The good thing about having trouble with technology when setting up is that you look like a fool from the beginning, and you can do whatever you want afterwards. So my talk is about weaponizing Layer 8, and it's all about getting the best for your users and for your company, security-wise. As you probably all know, we in the industry used to call users idiots, the weakest link, and all the kinds of names that are really not very nice, to describe the funny antics and their stupidity when they are on our networks dealing with our services. I think it's really time to overhaul that kind of thinking, because it's destructive. And so I think this talk is relevant, because you could of course go to any vendor-specific event, buy a lot of cyber, dark, blockchain boxes, whatever, put them in your network and have machine after machine after machine, each one with a nice little dashboard for your SOC team and with lots of information on there that nobody really is going to read. So in the end I don't think that your users are a problem. I think your users are not your weakest link, but humans matter, and you can get your users and the people working at your company to actually help you increase security.

We tried that in former times by just telling them they have to increase security, and that obviously didn't work. So I tried to come up, with Brian Fight, who did the talk with me for the first time, with a few ideas on how we can do that. Another thing: I have been told that if I give a talk next year I have to pay money each time I say "cyber". This year it's free: cyber, cyber, cyber. I'm using that word for a specific reason, and that is because the users and the people dealing with InfoSec are calling it cyber. A lot of us in the industry don't like the word, I know that and I respect that, but our clients and the people at the end of the day paying us use the word, so why not go with it? It's an uphill battle.

So how does cyber impact the physical domain? You may or may not have heard about the problems getting a good pizza via a delivery service in Germany last year and the year before. There are many different platforms offering fast food and home delivery, and those platforms at prime times allegedly DDoSed each other so that they could get the traffic. But on the other hand that means you couldn't get online and order pizza, so the whole system went down just because the platforms were battling each other. On a slightly more serious note, WannaCry of course is something that affected a lot of hospitals and cost a lot, not just money but health-wise; it was a real horror scenario. And thanks to a guy called Barton Finch I know about swatting. Does anybody of you know what swatting is? Yeah, I'd still like to explain it. Swatting is if I call the police and report a violent crime about somebody else. It's very often a violent crime like a homicide, like murder, like something really, really bad going on; the police show up at the house of somebody and then stuff happens. In that case two guys had a struggle over an online game called Call of Duty, and I think it was the trade of some weapon skin and a handful of dollars. That struggle got out of hand and one guy, Tyler Barriss, said "I'm going to SWAT you", and the other guy said "well, I dare you" and gave him an address. It just wasn't his address. So the first guy called the police, reported a violent crime, they showed up at the house of a guy called Andrew Finch, and Andrew Finch opened the door and stared at several heavily armed policemen pointing weapons at him. No idea what went through his head, but he wanted to scratch his ass, which is where you'd hide a weapon if you open the door with a violent crime going on and you're the perp, you're the guy doing it: probably at your waistband. So police shot him dead, and he was completely innocent in that. This is the kind of weaponizing Layer 8 that I'm not proposing, because it's completely the opposite of what I want to do. But we can safely say that cyber does impact the physical domain, whether we want to acknowledge that or not, and even people like the pizza delivery service, who are not really online and who are not used to being online, are affected by what goes on on the internet.

How can we change that? This talk is all about empowering users, about giving them an option, not about threatening them with consequences if they don't follow security, because that obviously doesn't work. It doesn't really work well with us either, because I think it's in human nature that if somebody really tells you "you must not do this", then even if you never had the idea to do this, you think about doing this, whatever this is.

So I'd like to start with an example: how to deal with USB sticks. You are probably all familiar with the cliché that a pentester who wants to break into a company just leaves a few USB sticks, thumb drives, lying around with malware, and employees put them into the network and open a back door for you. It's not just a cliché; I think it works, and there were studies by the University of Minnesota and others where they found out that approximately half of the sticks that have been found have been plugged in. How do you get people to plug a USB stick in? You appeal to different emotions. For example, if it's not just the stick but the stick with a pair of keys and a nice little teddy bear, and the stick maybe is pink, one of your co-workers might think "hey, that could belong to a colleague, let's plug it in and see who it is, maybe there's a photo on it or something like that, so that I can return it." Or you appeal to greed: you just label the stick "Bitcoin wallet". Or you appeal to curiosity by saying "these are our finances for the current year", something like that. People will plug it in somewhere. And to be honest, and I don't need a show of hands here: if you found a USB stick that looks suspicious, would you hand it over? Wouldn't you be interested in what's on there and try to analyze it? We are plugging in USB sticks that we find, so how do we expect our users not to?

So what we did, and disclaimer, we didn't do that to foil that pentester's or criminal's plan, we built something that is a wireless detention station. The way it works is this: you've got a USB stick with data on it, you go up there, you authorize yourself with your smart card, plug in the stick, select the files you want to have at your office PC, and then when you return to your office PC there will be a link in your inbox to those files. We didn't do that to foil the plans of someone, as I've said, but gather around the fire, because I'm going to tell you a tale of a really unnecessarily complicated process. The way our company works: we are a really old company, we've been around for 50 years, and so some things are a little bit strange. If you had something like a presentation like this one and you wanted to work on it, and I brought my USB stick into the office, I wouldn't be able to use it. I'd need a USB stick that the company gave me. I'd put the presentation on there, then I would put it in an envelope, that envelope gets delivered by the in-house postal service to a different building, and then some kind of magic would happen: they would scan it, and they would even put a seal over the cap of the USB stick to tell me that it has been scanned, and then it went back via the internal postal service to my desk. Just a rough estimation: how long do you think this whole process takes? 50-year-old company. So yeah, one week is a good estimate; it was between four and five working days. So what does that do if you try to do agile and all the other buzzwords, if you try to do something very quick? Yeah, something like that. What actually happens is of course that users would plug in the sticks regardless of whether they have been scanned by the internal department or not, because basically they want to work. And I think whenever we have things in place that stop our users from doing whatever they need to do, they will find creative ways around it. So we found out that with a wireless detention station, this is something where somebody can even bring their private sticks, because it doesn't matter, or a stick they found in the parking lot, because again it doesn't matter, plug them in, and the detention station is in a part of the network that is far, far away from the office network. On the way to the office network those files get hashed, get scanned, and all kinds of security happens before you get the link to the files in the inbox. And if it's malicious, of course you don't get a link to the file in the inbox; it just says "we couldn't deliver these files". It made us more secure and at the same time it's much, much more convenient for our users. Depending on the file size, of course, but you've got the link within minutes, not within days.

Another thing I think we need to think about is the whole phishing thing. So again, you people in this room, you know about malicious links, you know how to spot them, and we tried, and by "we" I also mean our company, to tell our users what to look for and what a malicious link looks like, and so on and so on. Nowadays it gets terribly difficult to find out whether a link is malicious or not. I can tell you that for the first one, and for any kind of link shortener, it's going to be impossible unless you follow the link and see where it leads. And the second one, the Amazon one with a zero for the "o", that's actually a genuine Amazon link. Well, they bought it, probably because of these reasons, but it's strange and you can't be too sure. So Ryan came up with the term "indicator of ...", and I think it's a very good method that we can teach our users: we don't really teach them how to spot links, but we teach them to look for indicators, and if there's at least one, two or three of them in an email they can safely discard it.

So what are the indicators? Well, the first one should be obvious: people who send spam want to make money, so money is always somehow involved, whether it's the Nigerian prince who really, really wants to give you a few millions, or anything else. Money is always some kind of thing, whether you should buy things or whether it's some kind of threat, with phishing like "hey, we noticed that you are late on account fees, pay eighty euros now or pay 1000 later"; money somehow is very often involved. Another thing that is very often involved is threats. Maybe they are a little bit hidden or maybe they are very obvious, but again with an example: "pay a small fee now or you have to pay a lot later", that is a threat. Or, what have you, you know the whole spectrum of threats: "we will make your pictures public if you don't pay us now", that would be an obvious threat, and things like that. If you get a business email, and if you think about all the letters and the many emails you get at home and in your business, how often do you have threats? Not that often, I presume, so that is something to be wary of. And the next thing, and I use the term very loosely, is of course romance. From the sexy young Russian girl, I'm being stereotypical, but all the spam I get is Russian, or Russian girls, from the sexy young Russian girl that really, really wants to make your acquaintance and fell so in love with you by discovering you at some service I never subscribed to: romance is very often involved in emails as well. So if you're at your workplace and somebody sends you a mail like that, it's a little bit uncommon; it's like somebody would send you a love letter without knowing you. So again, this is an indicator. And the next, and I think this is one of the most interesting ones, is urgency, because you know, if we force our brain to make a decision really, really quickly, then some of our reason just shuts down; we as humans are not thinking that straight. And urgency, as in, I refer to the first example again, as in "pay something now or pay 10 times, 100 times the money in three days": there's a sense of urgency and I think "OK, hmm, might be a scam, but maybe I should do it." Any of these indicators shows that probably this email is not genuine.

But with emails we have one more thing: we taught our users to click things. If you look at the internet, at the World Wide Web, it just lives from clicking on links, on buttons, on something. So basically we have slightly trained our users to click on things, and there's a psychological craving to click on something if there is something to click, like with an email and a phishing link. I haven't found any kind of study from any university, I would love to do something like that, but I just know from experience that some people want to click something. So we provided them with a button that just says "report this email", and this button forwards the email to the SOC or any kind of relevant team. They have a look at it and they come back with either "this mail is not genuine, it's just spam" or "this mail is genuine, you can do whatever you want with it", or they have all the data they need to feed the spam filters and to make sure this kind of phishing link or this kind of mail doesn't come into anybody else's inbox. So the craving for the click is there, because you can click the forward button of this mail. And I think I'm not completely wrong about that, because every social engineering platform I had a look at that does phishing campaigns, anti-phishing campaigns, has this kind of service, exactly for that reason.

And then of course, why not only our users, why not weaponize the attackers as well? Why not try reverse social engineering on those guys? They deserve it. Have you heard about CEO fraud generally? CEO fraud is nothing technical, it's just an attempt to embezzle a lot of money from your company, and it works like this: somebody poses as the CEO of your company in an email and sends an email to someone working in finance, not the highest level up, but somebody who has the ability to send a lot of money. And it goes like this: the mail says "hi, I'm your CEO, I'm currently in country X, we are thinking about buying this company there, do we have 20 million that you could transfer?" It sounds completely stupid, and probably you think "how can you possibly fall for that?", but the thing is, it's a little bit more complicated than that, because there's always, again, urgency, and something like "your boss told me you are the employee to talk to because you're the most reliable one, but please keep your mouth shut about that", and so on and so forth. And then the money gets transferred. It's not a useless point, because there's a company in Nuremberg that paid 40 million in a scam like that, and if you think that your company is secure: Facebook and Google paid a combined 100 million to scams like that. So these happen. These are not that technical, but how do you protect against that? Another company in Nuremberg did something I really, really like, because they had those CEO fraud emails so often that they came up with a beautiful process. They told all the users, in fact the CEO told all their users, that he would never send such an email. That's the first thing you can do. And if they received such an email they should forward it to the SOC, and a special team would alter the email address ever so slightly and come back to the attacker saying "oh, CEO, yeah, thank you, of course we can do that, but actually I don't have the limits that you need, but you do have them, and you probably have forgotten about the new shiny payment portal we set up for you." And of course it's an attack, yeah, yeah. And then they would follow up with "have you forgotten your login credentials? Shall we send them again?" And of course, yeah, nice. So as an attacker you get a payment portal, it's all on the servers of the company, it looks completely legit, they fill in all the data, and that is important, including their IBAN. And as soon as they do that, of course nothing happens, except that this IBAN gets blacklisted, the bank gets informed, and they don't receive any money. It's foiled and they can't use that account with this IBAN ever again. And it's really, really more complicated to get a new bank account than to get a new email. By the way, if you're interested in sharing those IBANs, please come talk to me; we are still trying to figure out how to do that and be legitimate within the GDPR, because as the good guys we have the problem that we can't share data as easily as the bad guys can. But this is a really nice way how you actually can deal with social engineering attacks on your employees.

Another thing I'd like to point out is passwords. Some of you probably can't hear it anymore, but still, passwords are still there, they are still there for authentication. And if you are at your workplace, of course please use strong passwords, use a password safe. If your company doesn't provide you with a password safe, try to get one of them, something like KeePass or one of those. Use a strong password everywhere, even if you're just doing a proof of concept, setting up a test machine: don't use test/test as a password, please, because whenever this goes into production people will forget about it and everything is a gate into your network. So yeah, use passwords, and by strong passwords I mean something that you probably can't remember; that's why I think you need a password safe. Alright, but what's the point in having strong passwords for your elderly relatives, for your friends who are not that computer savvy, and for people who are not working in IT, at their home for example? Well, they can still use a password safe if they know how to use it, but on the other hand I see people bashing other people whose relatives and parents use little books and write the passwords down. I think, by all means, if your granny needs to write down her password then let her, because whenever she's writing it down it's going to be a better password than just the name of the service like "apple" and "1234". And why I'm saying that: the thing is, you have to consider threat vectors. If there's a burglar breaking and entering into your granny's house, he's not at all interested in her Facebook account. He or she, whoever broke in, wants to have the valuables and wants to have money, wants the jewelry; they won't steal the password book, because it's a different kind of attack. It's of course different here in your company, but for people at home, I think if they write their passwords down they have better passwords. And please, please, if you know developers who don't let people paste passwords into password fields, please show them to some dark corner, tar them and feather them. And of course, thank you. And of course you can use two-factor authentication. Again, some people say "oh, that's broken as well", but it's a good model if you want to use it; it's better than not having two-factor authentication. Of course, again, for your relatives it might be a little bit more difficult. And at the end of the day, we in security very, very, very often try to come up with a solution that fits everybody, one size fits all, and I don't think we have that. And if you think your granny needs a bit more protection than the President of the United States, then maybe you're a little bit too paranoid, I don't know. I mean, I can't believe I'm here on stage defending Trump, but again, you get the gist of that.

And I don't know how I'm doing with the 30 minutes, but we're nearly there. One of my last points is awareness training. Probably, if your company is large enough, you have to suffer through that, and it really depends on the company whether this is anything interesting or not. Please make awareness training interesting, because you know, if you're sitting somewhere and you have to listen to a guy rambling on about stuff, like you do just now: if it interests you it's probably going to stick in your mind, if it doesn't interest you at all you will have forgotten it by next Tuesday. Avoid fear, uncertainty and doubt. These are my main... this is what I really like to avoid, because I see that so very often, that we try to sell security by spreading FUD, and it never helps, because forcing somebody to do something and using fear as the main motivator might work once; it will not work the second time, because people are not that stupid. And funnily enough, if you treat your users as adults, it's much easier to talk to them than just pointing the finger at them and spreading FUD. Multiple-choice click fests, I probably don't need to tell you that, but they are completely useless in my opinion, because you just learn the answers. The answers very often are not right, but you know which answer they want to hear, so you just tick that box there, and that all doesn't work. So what we started doing is we engaged our users. We have various formats, very open formats, where you can just talk about security and where attendance is voluntary. So you could come up, you could listen to somebody talking about security and the security issues, and it was never talking down to the users; it was "how can you stay safe when you're at home, what can you do, why are antivirus engines still relevant for you at home", whatever. And it works really well, especially if you use multiple channels. We have a blog, or several blogs actually, where we're talking about security stuff, and with blogs, you know, if you're interested you can read it but you don't have to, and you can read it whenever you want to, and you don't have to be there Wednesday at 10:00 or something like that. And we've got several other structures where we do those talks, and you can just go there and listen to it, and if you don't like it you can just leave and nobody will notice. So we're not quite there yet that we do not have the multiple-choice click fests; they are still being done by internal security, we're trying to get away from that, but so far we have both. But judging from the feedback, our method of teaching security is more approved of by the users than the traditional method. And again, if you do something after hours and out of office hours, just be so nice and provide at least drinks or a little bit of snacks or food; people will stick around much longer.

And the last point I think I have is: I think you really need to find the right language. This is a tweet from this year's DEF CON. I blotted out the name because, well, it was an open tweet and it was public, but still. Somebody posted during DEF CON that he would rather attack Black Hat attendees than DEF CON attendees. What do you think happened after the tweet went live? They called the police and they kicked him out. That was before talking to the DEF CON organizers; it was the hotel. So if you consider that last year, on the 1st of October, sorry that I went into the Vegas thing, a shooter managed to kill I think over 50 people and injure 800 or more people, then this kind of tweet at a Las Vegas conference hotel is not the right language. He was not talking about shooting people, of course, but outside of our industry this is not known, so of course they would come down heavily on him. He was able to re-attend the conference, I think, but of course it cost him a lot of problems.

So my conclusion is, again: don't really buy a lot more boxes, you probably have all the boxes in your network that you need to do a proper job, at least if your company has been around for a bit, but try to educate your users. They might be seen as the weakest link, but on the other hand I don't think they are, and with a little bit of education you can make them your best defense, be it a social engineering attack or anything else. If they notice something that is suspicious to them, they might report it to you if they feel that it's better for the overall safety of the company, and if they can do that without fear of looking dumb or without the fear of retribution because they did something wrong. So there are some links in the slides, and I will provide you the slides later on. Thanks for listening, thanks for having me at BSides. And since it's the end of the talk and you stayed till now, now I feel good talking a little bit about myself. I work for a company called DATEV. We are a software manufacturing company, mostly in Germany; outside Germany we are not really well known. We are about 7,000 people working there, writing software for tax consultants and tax accountants, and I'm part of the internet security team. Thank you very much.

Moderator: So thank you very much for this talk. Do we have any questions? [Music] I have only one mic, so you can share.

Audience: You can actually share IBANs on this platform, and it's limited to only the financial sector, so I think that's the best way to develop comprehensive... just if you share just within this financial sector, it's basically for making the business work, so that should be okay.

Speaker: Thank you very much. It's not a technical problem with the sharing; we thought about exactly that kind of platform. The problem we are facing kind of fits in with what Klaus said about GDPR: our internal lawyers say that this IBAN might be PII, and so we would have to ask the bad guy whether he feels comfortable with that information being shared. We had this internal struggle; we still need the OK to share those IBANs, and that would be one platform to do it. Thank you.

Audience: Thank you for the great presentation. I have two questions, if that's okay. The first thing: I've read a lot about creating awareness and related topics, and one thing that seems to come up a lot recently is that security awareness is dead, we need to give up on this and find another way. Do you agree that it's not working at all and we just need to find...

Speaker: No, I don't, and I'll give you one example. You are probably familiar with LinkedIn; there's a German platform like LinkedIn but it's called XING, you might have heard about that. I think they even provided the tickets for that, or the ticketing system. And there was one account saying "hey, I'm a software specialist at DATEV", and he connected to a lot of people, and we don't know whether this was in preparation for a social engineering attack on us or on one of our clients. But within, I would say, hours we got the first feedback from users who are not working in security saying "I don't know this guy and he contacted me, do you know him?" So we found out he's not working at us, and we just wrote an internal email saying "don't accept friendship requests from them", because it's just in preparation for an attack, or somebody who's a joke, or something like that. And this wouldn't be possible without security awareness; if nobody really cared about that, they wouldn't have informed us of that account. If that answers your question.

Audience: The second question is: I think everyone is worried about making users security aware, but I am more worried about, and struggling actually with, making engineers more security aware. I found it much harder to work with engineers on security awareness and making them adopt more secure ways. If you have some tips on that, that would be great.

Speaker: Yeah, I think if you've got somebody who doesn't really work in security at all, they are more open to suggestions. If you have people who think they know it better, it's a little bit more difficult, but very often in discussions you can come to a certain level of agreement, because for example I don't expect all the people I talk to to come up with the same opinions as I have. There might be people violently debating the password thing, for example, with the book lying at home and things like that. And again, there's this one-size-doesn't-fit-all. With engineers, very often if you talk to them you find out that the reason why they are blocking something is not because they think it's bad but because it causes them pain in some kind of other process. So you have to carefully see where the real reason is why they are blocking something or why they really hate antivirus or whatever, and try to find a way to cope with that. At the end of the day you can't give them free rein, so you can't say to seven thousand people "do what you want with your security"; you have to have a set of guidelines, but if you make it too strict people will find ways around it. And I found that talking to people really helps in getting a better result.

Audience: Yeah, thank you for the last point about not making it too strict, because when working with security policies and so on that comes to mind a lot. And the thing is, why it's so hard with engineers is because they can always find ways around the controls or the security policies that we usually put in place, and they can just evade it. So that's why it's much harder. As a manager I can't find an answer to which level you need to put your security policy on, whether it would be too much or too strict, or in the middle. So yeah, I think that's a continuous fight that will never end.

Speaker: I agree, and there's no good answer for that, because that again would be some one-size-fits-all answer.

Audience: Thank you. I have a small comment there. While I do in general agree that FUD is bad and you should definitely not fight your colleagues, in IT security awareness, tell them the truth. InfoSec is political, and as you probably are all aware, in global politics institutions have agendas. I'm Danish, and the Danish government, every time there's a crisis, they have a pre-prepared list of things that they want to do that might be even borderline unconstitutional, and for every crisis they get this one thing through. You see the same happening in, like, the US and so on. I recommend that you as an InfoSec department, your blue team, if you're the CISO even better, have a list of your main blocking points, the things that are preventing you from maturing your security operations, and for every crisis, every time someone up there uses it, tell them, like, tell them "I need this point fixed or it cannot get better". Let no good crisis ever go to waste.

Speaker: Thank you, thank you.

Audience: I like the idea of blacklisting IBANs, it's a very nice concept. I think there's lots of fun hidden there, like blacklisting the IBAN of the tax authority or of the social security organizations and all of them, so that the company doesn't pay their taxes anymore because the IBAN has been blacklisted internally. Yeah, fun.

Speaker: I agree, but this wouldn't be an open platform. It wouldn't be something where you can just put in a list of all the IBANs you don't like and you're done with it. At the moment, as I said, we're careful; we are working with two companies, and at a level where you think of the pranksters, well, one of them is probably standing in front of you, but even I would refrain from putting the IBAN on that list, because it has severe repercussions if such a list... I don't think it would ever be completely public, but yeah. Yeah, thanks for giving me ideas for when I ever want to quit the company in style.

Audience: I wanted to come back to the earlier point of view, because I'm also trying and working a lot in this sector, and what I always say is that the user is not the weakest link, it's your last resort, because in the end, when all your security controls fail, it's up to the decision of the user whether it will save the day or not. And when you speak to them like this, and it comes back to your policy question, and it's the same for your systems engineers: when you empower them and you give them a responsibility, saying "you will maybe save the day", and then you recognize it later, it changes everything.

Speaker: Absolutely.

Audience: Dr. Jessica Barker opens with a tweet from Emma W that says "if security doesn't work for the users, it doesn't work". And something I also always do when I'm doing awareness sessions is that I'm trying to demystify, to remove the magic about malware, because for a lot of users malware is something you never see; they don't know what it is and so on. So I bring malware and I execute it in a VM, just to show them, because we had cases where users physically... they knew it was phishing, they knew it, but they just wanted to see what was going to happen. So trust me, that happens. And yeah, I can understand that. So yeah, I'm always trying to show them: it's easy, this is it, there's nothing to see, just so that they have seen it once. OK, now they know it, and yeah, they will not do it again.

Speaker: Yeah, I think it's a very good point, because if you take away the mystification of stuff then you just make it real, and people see "well yeah, it's just malware, it's just doing this and that"; it's not that fear and uncertainty in the background that it might do stuff that is nearly impossible. I'm not saying that a lot of the things that users attribute to malware are impossible, but again, you have to think about who you are and who would spend a lot of resources to get your personal data. If it's easier to buy a screwdriver and ram it in until they get the information out of you, then people will do that, if that information is that valuable. And this is something to bear in mind.

Moderator: Any more questions? Okay, so thank you very much.

Speaker: Thank you.