
Afternoon, everybody. I'm here to talk, yet again, about the human factor, what I'd call layer eight: the nut between the keyboard and the screen, basically the thing that goes wrong most of the time in our lives and causes our problems. If you look at the screen here we have a lot of nice logos. When we think about those logos, they've all been in the press in the past 12 to 18 months, they've all been hacked, and they're all relatively large organizations, and, dare I say it, the dreaded APT has been there. Everybody's been hacked by the APT in this scenario: Aurora, Night Dragon, even Stuxnet. They've all hit the headlines.

But if you look even further into the root cause, it's not just technical issues that have caused these breaches. These statistics here show you... Verizon, now I had to redo this slide last week because they have their new Data Breach Investigations Report out. If you don't read it, you should do; there's some great material in that report, it's free and you don't have to sign up for any spam or anything else like that. Last year's report found that 48% of breaches were caused by insiders. Now they're not saying that 48% of your staff are hacking your systems; what they're saying is that 48% of the breaches were due to people, willingly or unwillingly, doing something that caused the breach. Symantec say 90% of all malware requires some sort of human interaction. Microsoft even say that 95% of all malware attacks on the Windows platform would be mitigated if nobody had admin access to the machines. So in your own organizations, how many of your users have local admin access to their laptops or to their PCs, simply to make things easier? Well, we're making things easier for the users, but we're also making things easier for the bad guys as well. Mandiant, for those of you not familiar with them, are a US organization; they provide managed security services, one part of which is incident response, and in their investigations they found that 100% of all APT-style attacks have been root-caused to humans as well. An Ernst & Young survey from last year says 64% of all organizations have an issue with security awareness; they can't get it right. And three times as many breaches are being caused accidentally as maliciously.

So what we have here is the common denominator: it's the human being, it's the user. OK, we might have zero days (for our American friends, "oh days"), but you know, the chances of you being hit by a zero day are, I don't know, probably minimal unless you're working in some large multinational or for somebody that has a lot of precious information that people want to get their hands on. Most breaches have been caused by simple
Is it because your fellow workers are stupid? Are they just so dumb they fall for every phishing email that comes in? Or maybe they're just lazy: "I'm not putting the hours into doing this security stuff, it's not my problem." Or are they careless: "this is my iPad, I'm on the bus, I'm going to connect to whatever network is there." Or "I'm too important to worry about security, that's not my job, that's IT's job." Or "it's never going to happen to me, I'm way too intelligent to fall for a scam or click on a link in an email, don't be ridiculous." Or maybe they just ignore the risk: "yes, I do want to download that piece of software, but I don't care that the certificate is out of date or that it's telling me this site is unsafe, I'm still going to click on Yes." They just ignore it. Or they just don't care: "it's not my PC, it's not my information, it's not my network, it's not my job, I don't care." That's probably the reaction we get.

But I think mostly people are just too busy. They are focusing on their own day jobs, they're trying to get through what they want to do, they're trying to survive in their jobs, and let's face it, in this environment surviving is a key thing with the economy the way it is. They've got deadlines to meet, they've got sales figures to hit and to get out; they're just too busy. And if they're working... how many people here work in large organizations? So you have health and safety awareness training courses, ethics courses; if people are accountants they have to go and do additional professional development courses; if they're solicitors, the same thing. So each profession and each area in the company has all these other competing awareness courses that we have to try and go up against. So we have a lot of things to fight against.

And I think a classic example of where awareness is failing is this: how many people here drive, or have driven at least once in their life over the speed limit? How many people here have gone over a solid white line at least once in their driving career? Yeah, now not all of you are showing your hands there. How many people have driven after having a few beers or a few drinks? Yet we still see all these campaigns and awareness ads on TV, but people still do these things. So people have different drivers and different reasons to do things, and we as professionals, as security professionals trying to secure our organizations, have to try to understand what those drivers are so that we can engage with the users
and get them to work on things. Because in security, if you look at where we spend our money: this is a Gartner report from 2010. Gartner state that a company with a good, mature information security program would have 10% of the IT budget going to IT security. Out of that 10%, a good 37 to 38% goes on personnel, that's salaries; that's big, it should be more. Another good 25% goes on software, so the antivirus software renewal licence that we pay all the time, any software. Hardware, firewalls etc., we all have to pay for that; that was always around 10%. And then down here, consulting: it's only 9%. You all should be spending more on consultants, by the way, you really should. But that 9% also includes security awareness. So you've got 9% of 10% of your IT budget, which in itself is probably a small percentage of the overall organization's budget. So we're fighting a very hard battle here, but our focus is actually wrong. We're spending all this money up here, but the problem is not the technology. Well, technology has its bugs and stuff, but the real problem is the people. So the focus is wrong: we're spending the money in the wrong place, or if we're spending the money on security awareness we're not getting the value back out of it.

If you look back at all those organizations, Google, Adobe, Juniper, ExxonMobil etc., they're big organizations, they do have security awareness training programs in place, they do have dedicated IT security people, yet they've still been breached. So has the money been spent in the wrong place? And if it has been spent on security awareness, is it not being spent properly? Who here has been on a security awareness training program? Who has found them really engaging and wonderful? They're very entertaining, but for all the wrong reasons. Yeah, if you take this audience here, we have to go on security awareness training courses for our jobs, but we know the stuff,
but we have to do the course anyway, and yet we get the same course as probably the person in HR or the person in accounts or the person in sales: "this one again". So the content is not engaging and we find it boring. And if we find it boring, and we live, eat and drink security and IT, how does the poor person in sales or HR or the admin department feel about this stuff? "Not another policy from IT that I don't really care about." The other problem is how it's delivered. Is it classroom type, e-learning type, workshops, online type scenarios, videos? And again, with all due respect to our American friends, it's probably an Americanised version of the product, with American accents and all that (yeah, or Scottish). But you know, the delivery mechanism is probably the wrong one for that particular audience as well.

Or the trainers aren't trained particularly well. I've seen training courses, security awareness training courses, where the trainers don't know the subject; they're just trainers, that's what they do, they work in the training department in the organization. They're trained in the HR training courses, they're trained to deliver the accounting training course, whatever, the health and safety course, and then they're handed the security awareness training course as well. They don't know it, so when somebody asks a question... The reverse of that is if you've got us giving the training course: some of us, while we're very good technically, may not be the best people at talking to users or presenting to users. Some security people are not very good at presenting. Yeah, we don't deliver it properly, or we have very monotone voices and we talk like this, and people just turn off. So the content, however important, can fail to engage the users, or we miss the mark. So we have issues we want to address but we don't deliver against them, so the material is not working. The biggest problem I've seen with security
awareness programs is that they're a compliance requirement. "We must meet PCI, we have to have security awareness, therefore let's go and get a security awareness training course in, let's see what's available and just get it done, let's put a tick in the box." "Our security awareness training? Oh yeah, it's a ten-minute presentation during the induction course." Or let's coerce people to do it. Anybody working in an organization where, if you don't do your security awareness training course, and it's recorded that you passed the exam at the end, you don't get your paycheck? Yeah, there are one or two companies I know. Or your end-of-year annual review: you want to get your salary increase, and if you don't do your security awareness training course you don't get your salary increase. That's forcing people to do the training course, but all they're doing is just going through it, just clicking the answers, get it done and over with. I know one company where the team in the IT department, as it turns out, have annual security awareness races, where they all sit down together, all start the course together, and whoever finishes the course first is the winner. They're not absorbing the content, they don't really care. So we have this "let's just get it done and over with, let's be compliant with it" attitude.

That's why I mentioned the American voice and stuff: a lot of these, particularly the online training content, are done by US organizations and they refer to federal law. You know, I'm based in Dublin, Ireland; we don't have a federal state in Ireland. Well, maybe after our economic disaster we'll be part of Berlin quite soon. It doesn't relate to what we're doing, it doesn't talk about the data privacy stuff which is very important for a lot of our organizations here. But because it's cheap, it ticks the box, we'll take it on board. Or, even setting aside the law, it doesn't take the cultural issues into account. And if you're working for a large organization that is multinational, that has offices throughout the world, you've got different cultures to try and deal with. The people in China have different drivers and different cultures from people in the UK and Ireland, and even in the US; there are similarities but there are certain differences, and if we don't tune the content to meet those differences you can fail to engage with people because of that.

And we don't measure. Now, in management the whole thing is "you can't manage what you can't measure", but it is true: if you're not saying how successful this training course is, is it delivering what it's supposed to be delivering, how can you tell how good or bad it is? And then the worst thing is, you've managed to get your budget for the security awareness training course, you've delivered it, and now you go back to management saying "we need to run another one for next year", and they go "well, prove to us that the money was well spent", and you go "well, hey, look, they all filled in the forms". It doesn't work. They just want to see what value they're getting, and if you can't measure the value of what you're getting back from it, it's not going
to work. But mostly, folks, we just hope it works. We send it out there and we go "oh, please go ahead and do it, let it sink in there in some way, shape or form", and maybe subliminally next time they get a phishing email they go "oh yeah, that's what they were talking about". And that's what we rely on.

So, securing the nut: I think we have to take a much more strategic approach. Anybody familiar with ISO 27001 would be familiar with this type of Plan-Do-Check-Act scenario. People say "yeah, that's a whole lot of rubbish", but it does make sense. If you don't plan what you're doing, if you don't prepare, you're not going to be ready for it. Then implement what you're going to do: put it in place, get it working. Measure and review how well that is working, and based on that feedback maintain it, see if anything can be improved, and feed that back into your planning again, and you have this constant cycle where over time you should be improving what you're doing.

So at the planning stage you need to make sure you go and get senior management support, and that is not the CEO signing a note that you have written and then sending it out to everybody saying the security awareness training course is important, and then not going on the security awareness training course themselves. If they're going to support this, you have to get their commitment, both in giving you the resources you need to do this, and they have to go on the courses too. I know in a lot of organizations management don't go on these training courses, and I think that's where it fails: lead by example. How do you expect staff to take these things seriously if management aren't going to take it seriously? Be prepared, do your research: what is your audience going to be like? Have you got a young audience, if you're working for an IT company like PayPal or something like that, which is populated by the younger generation who are familiar with IT, who know the technology, who know the phrases and the terminology? Or have you got people like me, who are older, probably technophobic, and the two-finger typists who can barely spell "email", never mind worry about how it all works together? What legal issues do you have to think about? What cultural issues do you have to think about? Have you got remote users? How are you going to address the remote users? Do you bring somebody in for one day? Somebody in the Outer Hebrides who's a remote user has to come into the London office for their security awareness training course? What a waste. Or teleworkers, how do you get them in as well? So you need to be prepared for what's going on.

Develop a strategy to figure out how you're going to get this delivered to meet the requirements that you've just identified. So if you've got people who are remote workers and teleworkers in different jurisdictions, different cultural backgrounds, different scenarios, how are we going to deliver it? Should we develop courses and content specific to the different types of audience? So if you want to give a security awareness training course to the IT people, well, at least treat them with the respect of knowing that they know what IT stands for, and develop the course for that. If you're going to talk to somebody in HR, take into account that they may not be as IT savvy and adjust the course accordingly as well.

Make sure you've got budget. I know that's very topical. Make sure it's a dedicated budget and you've got plenty of money, because you're going to deliver this properly, and like any job that has to be done properly, you need the resources to do it. Ideally it should be a set budget each year, not just whatever's left over from the IT security spend: "we'll put that into the security awareness campaign". Have it as a set item in your annual budget that you can fight for. Then select the appropriate tools; make sure you have the right tool to do the right job. If you've got remote users, make sure you've got that in place. Are you going to deliver in a classroom style? And if you have a classroom style, how are you going to get people into the room, how many people at a time are you going to do it with? Have you got the trainers trained properly? Are they able to deliver the content? Do they know the content? Does the content support the issues that you've identified? And consider the different cultures again. If you've got different jurisdictions, there are different laws. So if you've got people based in Europe and people based in Australia and people based in Canada and the US, for example, there are different privacy laws and regulations in each of those jurisdictions; make sure you take them into account in what's being delivered, and try to take into account the culture, the society that they come from, and what issues they may have there as well. I always try and make sure we hook the audience. If you don't give a hook that people are going to hang on to and engage with, you're going to fail.
So often now when I'm giving the training courses I go: "OK, you're here because you're supposed to be here, but what you learn here will also keep your computers at home safe." You know, the security awareness training you get here will keep your PC safe at home. Or try and figure out what the consequence of a security breach is for the organization. They may not care about policies, but try and see what that means in real terms to them. I was giving a training course to a security company that does a lot of cash transfers, and reviewing the course I could see that people weren't engaged because they didn't understand the impact. But when I told them that a potential breach could put information in the hands of criminals, who could then ambush a cash van and their colleagues could be in harm's way, that put a completely different context on the security of the information, and they were able to understand then why it's so important. Talking about data and information in abstract terms is not going to hook the audience. We need to try and make sure they understand what the impact of a breach will be on them or on the organization itself.

Make sure you've got regular communication going through as well, and that can be post the course: you've got feedback forms and stuff, feedback forms from the staff, from management when they come back from the courses. Try and get the organization's internal structures to help you. If you're working for a large organization you've got an HR department; they're supposed to be good with humans, it's in the title. Same with marketing: they're supposed to be good at marketing. PR, public relations: engage with them and see how you can use them to promote your security awareness program and sell it to the humans in the organization. So once you've got that expertise on board they can help push it out. And continually reinforce the message, because somebody coming to a security awareness training course today may not remember what you were talking about six months down the road. So reinforce the message, potentially by using posters or the usual gimmicks around the place; they can work if they're done properly. So make sure your communications strategy takes all that into account as well, and give feedback to the users. Also make sure you're adaptable to new threats or new issues should they arise, so that you can bring that out and communicate it in a quick and effective manner.

Review and measure how effective your program is; that's the best thing you can do. If you don't measure how effective your program is, as I said, you can't manage it. So how effective is it, and how do you measure how effective it is? Go and see what impact it has had, maybe on the number of issues reported to your support desk after the security awareness training course, and you may be surprised. You're probably going to get an increase in password resets, because people do go and use complex passwords but they then forget them. Or you might have an increase in incidents, because people are now reporting things they're more aware of, and those are good things you can use to measure how effective your program is. See if there has been any impact on your information security, and then alter accordingly: take the information and feed it back in. If it has not been effective, try and fix what the problem is. Maintain your program; it's like a machine, if we don't keep that machine well oiled it's going to fail and you're not going to be able to do what you should. I think the important thing, going back to the slide again, is to remember that more security, more technology, doesn't make you more secure. Now, technology can help, but at the end of the day we need to make sure our people are aware. When people understand the impact, it changes what they do. So with that, thank you very much. If anybody has any questions I'll happily take them, or you can contact me.
Any questions? Would you say that user education is an issue for today but possibly not for 30 years from now, when the generation being born today already understands technology and IT and all that?

I think the generation born today will understand technology, and the next generation better than we have done, but I do think they may not understand the security. I've seen this in the way people use Facebook and Twitter and how much personal information they put into Facebook and Twitter, because "hey, the whole world is about me". That's not necessarily a good thing in the long term. So I think we will always need to make people aware of what the issues are, and I think over the next 20 years we do need to adjust the content and how we deliver it to make sure that we deal with that. So, no, I don't think so. OK, yeah, any other questions?
We had a large number of users phone the helpdesk saying "I can't get into the site anymore", because there's a massive red box on the screen saying the certificate is not valid, and just that particular change made them all suddenly go "oh, this is wrong", and they said that had never happened before. They'd never even thought about the tiny little box. So making those things more obvious...

Yeah, I actually agree, and that's a very good point. I think if you look at a lot of software, and Microsoft have changed this in the past few versions, by default the focus is on the Yes button for all these questions, so people just hit Enter. They don't even read the message.

The broader thing: do you think we need to design our software interfaces much better, so that the message for the user is more in their face and not as easy to just click through? And we need users to understand social engineering; you certainly see attacks with a note explaining that they'll get a warning and this is how they get around the warning so that it can run.

I think, yeah, exactly, it's doing what it said it would do. Yeah, it doesn't work. 2010, yeah.

Certificates, and the fact that the alert is never a real warning: why is that a useful alert? I mean, has anyone ever actually been stopped from being attacked by that alert?

So you're annoying the users.

Yeah, yeah, but, yeah, yeah.

OK, well, thank you, everybody.