Securing Layer 8

BSides Ahmedabad · 46:03 · 733 views · Published 2023-02
About this talk
Securing Layer 8 by Hudney Piquant (Synack) at BSides Ahmedabad

Transcript [en]

[Host] Now, coming to our next talk. The next talk is definitely going to bring some aha moments for all of us. It brings light to the concept of hardening the human element: securing Layer 8, to be presented by Hudney Piquant, who is a Synack Solutions Architect. So please put your hands together.

[Hudney Piquant] Good evening... good morning, everyone. Everybody's probably getting hungry now, so I'm going to try to be as quick as I can; at the same time my stomach is growling as well, I know everybody is hungry. First I want to say thank you for inviting Synack over to the BSides here. It's a pleasure to be here, it's a pleasure to be in front of everybody and talking to everybody, and thank you again, Nikhil, Deepen, you guys have done a great job with the whole BSides.

All right, so today I'm going to be talking about... actually, let me... so I'm Hudney Piquant, okay. My first name is Hudney, my last name is Piquant; it means spicy in French, if you're wondering. So I am a Solutions Architect for Synack, but I used to be on the Red Team, the SRT, the Synack Red Team, in the past. I had a lot of fun, it was really enjoyable, and it's great to actually see all the SRT people here as well. I've been in cyber security for a while; I won't take too long to explain all this, but one thing that is important about this is that I'm an Arsenal fan. So if anyone has an issue with Arsenal, we can talk later about that vulnerability that you have; we'll fix that vulnerability. But we have a big game today, so I'm very excited.

So, securing Layer 8. We know about the OSI model, we know about Layer 7, the application layer. No, there is no real Layer 8 yet, but in real life there actually is, and that's the human element. That's what we're going to talk about today. It's not an official thing, because I know some people are like, wait, I was Googling Layer 8, I didn't see it. You're not going to see it, but it really is out there in real life as far as the human element of cyber security, and that's what I want to talk about today.

I was thinking about this this year. I was asked what is something in cyber security that hasn't... that really needs to be talked about and emphasized, and for me it's this. Because the technological hacking aspect, we talk about it, we get it, we get the technology; but as far as the psychological hack, I feel like there needs to be more talk about that. More talk about the state of the human, from the emotional standpoint and the mental standpoint of the hacks. Because a lot of the time when we see a breach happen, typically in the first phase, reconnaissance, there are a lot of things that happen, but the way that it encounters the human, that is a psychological aspect.

One of the people that explained this really well, I don't know if you guys remember Sean Parker, he was the Napster creator, and one of the things he said about Facebook was that "we psychologically hacked people" for Facebook, because there's dopamine involved when you're using Facebook. I'm not saying that Facebook is bad to use or anything, but there is dopamine involved: when you post, there's some mechanism there that really interferes with the way that you're always constantly checking who liked it, what did they say about it, what are they commenting about it. When you wake up in the morning you check Facebook, when you go to bed at night you check Facebook. There's a real thing that happens there, a real reward, and I believe a lot of the time the adversary is preying on that within Layer 8. That's a really big deal.

The Verizon Data Breach Report, very popular, very well respected. Check this out: 82 percent of breaches to this day are from the human, right? But the thing is, about 18 percent of that is the technology, and a lot of the time we focus on the technology part. Look at where the human element part is: 82 percent. So I think that needs to be talked about a little bit, and that's the reason why I want to talk about it.

By the way, Charlie was supposed to do this talk with me. Charlie is also a Synack hacker; he was very ill, so just keep him in your thoughts. Any memes that you see on these slides I have to dedicate to him, because he's a master of memes, he's really good at memes, so I'm going to give Charlie credit on that.

All right, so hackers are in business. Hacking, I would say, back in the day a lot of it was about having fun and seeing what you could get into; that has become a business, okay. We have what we call ransomware-as-a-service. At some point I'm almost wondering if these organized groups are going to start posting jobs on LinkedIn; they're getting very serious about their business. One of them is LockBit 3.0, I'm sure you guys might have heard of them. This is a recent post from a few months ago. Check this out: they said that they're looking to improve their ransomware-as-a-service model, and one of the things that they're going to be focused on is they're looking for people that can help with finding PII on high-profile individuals. That's Layer 8, that's humans.

That could be an example of this: most organizations will have their blue team, their detection, they'll have their defense. But if I can get the creds, if I can focus on the human element, get their information, whether they're a sysadmin or C-level, I can take their credentials, I can then go to the organization and come in as a normal user. I don't have to worry about any detection, I don't have to worry about any of those things. So that's again going back to Layer 8: if that's a focus for organized crime, that also needs to be a focus for the organization, that needs to be a focus for enterprises in general. And this is going to be their ROI; this is going to be organized crime's, the hackers', ROI, because for them there's a good return on investment in that. They don't have to waste their time trying to sneak around getting into the organization; they can just get the creds of an individual, and boom, there we go, great return on investment.

I wanted to put this here; this is just an example. The Equifax breach happened in 2017. Now we all know how everything happened, but one thing I thought was interesting in the breach was this: during that process, Equifax allowed you to go check if you were one of the people whose information was breached; they put a website up there to go check. But an individual... now, this is the thing, he didn't even do anything malicious with the information that he received, but what he did was, again, thinking about psychology, right? First of all, Equifax has a lot of information about an individual, a lot of information, so of course once you hear that it's breached you're concerned. So when Equifax says, hey, we have a website, go check to see if you're breached, they're going to jump at it, but not thinking security. So Equifax created a website, and this individual also created a website, close enough to match Equifax's site. So I put these two URLs up: which one would you have gone to? Which URL would you have actually gone to? Because one of them is the malicious individual's, but the other one is the actual official site that Equifax created. Now, which one is the right one, though? Does anybody know? Oh, the second one, okay, that's good, that's good. And what gave that away? "Equifax", there we go. But again, this is a good thing to look at, because when this guy created the site he had 200,000 hits. Now he didn't do anything with the data, but he was just proving: look what happens, because again, it's the psychology.

So this is where we need to start thinking about how to train the human being to understand the idea of what actually is happening, slowing down, thinking about security-focused things, right? Because in totality we're really good at the digital, we understand computers at some point, especially this generation, but we still want to make sure that we have a security mindset, a security focus. Even with Uber, right? We understand how the hack happened, but again, if you think about the psychology of it, you can imagine if you were on your phone and you kept getting these messages to say allow, allow, allow. They're calling this, you can look at it as, like an exhaustion attack: you're basically exhausting the human being to the point where he's getting so frustrated, right? And what are you going to do? But again, it's a psychology thing: you're trying to manipulate the mental state of a human being. We know that when things keep happening on our phone, and if it keeps happening, instead of taking the time to figure out what's going on, I'm just going to allow it so it can stop. And that's the thing that we really need to start focusing on: the psychological aspect, the state of mind of individuals today.

What do we do currently? So right now, and the thing is, this is good, what we do; it's not that it's bad, it's good that we do it. But a lot of the time right now we're just doing training, doing webinars, training at the workplace, and those things are good, right? But again, knowing human beings, and maybe you guys haven't done it, but I'm sure a lot of us have done it: really you're just trying to pass the quiz because you don't want to get in trouble with your manager, okay? Or you might have multiple windows open because there are so many that you have to do, and you're just waiting until the quiz part pops up and you answer it real quick. This is what most people are doing, and this doesn't really help to understand what actually is the why of these breaches, what's actually the why of phishing. You may understand phishing, but you need to understand the why of the phishing. And to this day they keep falling for the same breach, the same attacks that happen, the same phishing that happens. So what we want to do is we want to start changing that aspect, to get creative with it, and honestly there are a lot of ways we can do this. It's going to be a community effort, but we need to start trying to change how we can help the human understand the why of why these breaches are happening, so we don't keep making the same errors.

All right, so what should we do? What we want to try to do is to focus on teaching the why, and looking at that, focus on the emotional state, rewarding good behavior; again, that focuses on the dopamine, the same thing that Sean Parker was saying. Teach them to understand their personal attack surface. Because we use Facebook, we use social media, but we need to help them understand what actually gets exposed when you use that. What does it mean to put my birthday on Facebook? What's wrong with that? I want people to tell me happy birthday on my birthday. We need to let them know that hackers will use that information. Even though it's one thing, if you're on Facebook and you have your hometown that you're from, you have your birthday, or where you're living now, all of these things a hacker can use, all of that information, to even create an email, phish you, to know you as a target very well. Make it harder for them, right? These are the things that we need to teach them, because for them it's like, hey, I want someone to tell me happy birthday on Facebook, I love how that feels, right? So we want to start teaching, we want to start rewarding good behavior in a very clever way.

And another thing too is we do a lot of policies, right, in the corporation. Policies are good, we don't want to stop doing those; it's a good layer to have. It's like you have a lock on your door; that's a good layer to have, but it doesn't mean that that will solve everything, right? Because you can implement a policy in the workplace, but the adversary doesn't care about that policy. So the thing that we need to understand is: here is a policy, but what's the reason for it? What's the why for the policy, so that they understand why they have it in the corporation? Again, I think it takes a community effort. So even as far as the engineers, or us, me: a lot of us normally wouldn't fall for a lot of the different schemes, because we're so security conscious, we're in the industry, we understand it, but we need that to actually spread out, and it's going to take the community to do that, right?

So even with passwords, understanding why we have passphrases, what's the difference between a passphrase and a password, right? Because they may hear, okay, you need a longer password; okay, that I get, but why? And if I did a long one, why can't I just have a long one with the password, why does it have to be a passphrase? These would be good questions for them, and we need to help them understand the why of that. And the thing that's key is we don't want to just make them experts in technology, because there's no need for that, we don't want to overwhelm them with that. Really we just need to focus on helping them understand the why of it. If they understand the why, that alone can help them understand when a new attack comes; they can start thinking more security-focused, and they'll be able to understand. They don't need to know the technology so deeply, they just need to understand the why, so when things start to happen they can start detecting it, because as human beings we're already wired to detect danger. So the thing is, we just have to bring that over to the cyber space and help with understanding what certain things mean and why they're doing it, and this will be a better way to educate them.

It's funny, I just saw this meme on someone else's... so this is a popular meme right here: digital security fluency. Again, we have to think about our age group, when they got into... for example, our grandparents might not necessarily be computer savvy, but unfortunately everything we do today is information technology based, right? So now, unfortunately, they have to learn some things about the digital space. A good example is the healthcare industry. Back in the day it was a lot of paperwork: you write paperwork, you write prescriptions on paper, but with EMRs that has been changing. The thing about that is, it's a good thing, because there are some prescriptions where the writing on them is not clear, and this actually killed some patients, right? So now everything is done electronically. But this is the thing: the nurses that are there, they weren't here to learn digital, they weren't here to learn how to use a tablet, but now they have to do that if they want to be able to work, because now they're given an electronic platform to input the data, so now they need to understand how to use that. That could be stressful, right? That could be stressful. But the thing is, if we can help them understand the basics of how to use it, but also understand that this can happen if you don't realize what you're doing, these are the things that can happen. They can get overwhelmed, and I'm sure you guys have grandparents that ask you questions all the time, so we can understand this is a very tough situation.

But this is the thing, and I like this statement right here: "almost none are digital security native outside of security professionals." So there's a difference, and I'm going to go to the next slide on this, there's a difference between being digital native and being security native. You may be digital native, but we need to also have humans be security native. So for example, let's say you're using Chrome. Chrome pops up on your browser, at the top right, sometimes when there's a vulnerability out there; Chrome will be good about "hey, update your browser", right? But the thing is, you may see that, and I can't tell you how many times these days we do Zoom calls and somebody's sharing their screen, I look at the top right: "update" needs to be clicked. Now it's a small thing to do, just click it, but the thing is we need to be security native to understand, you know what, this is the thing that needs to be automatic. We don't want to waste time, but it needs to be automatic. So these are the things that we're trying to do: we're trying to train people to focus on security-conscious things. Even with pop-ups, understanding not to just click on things. Look at this one here: "one lets the hacker in, one blocks and reports them; which do you have on your team?" This is very important, so if we can get people to report certain things, that's good training as well; not just that we block it, but help them understand how to report these things.

My control advantage. So one of the things that I think is really important to do is to retrain the human to understand how to see the technology space, because the breaches aren't going to stop; they're going to continue happening as assets continue to grow, especially now that the application layer, everything is done on there, right? The attack surface is going to grow so much that the technology piece is good to have, but we really need to have a security mindset, and we need to start basically retraining human beings how to look at the cyber space. Because usually when we think about cyber security, we think that when we go into the corporation, all right, I've got to think cyber; I'm at my desk, I've got to think cyber. But now we're working like... the generation now, especially with COVID, there's the work from home, right? So now your home, your room, your office space at home, is an extension of your workplace, right? Using VPN, connecting back into work to get to servers and to get files from servers. This is a really important thing that we really need to start focusing on. So one of the things that we need to retrain our mind on is the fact that cyber security is not just in the workplace; cyber security is going to be everywhere, everywhere that you go, right? We have phones today that we are walking around everywhere with; we're working from our phone. Now it's going to have to be a responsibility that we think about it everywhere that we go. But in order to do that, it's going to take some time, because this is like a new world in a sense, right, the way that we do things. So for example, even with phishing: phishing still happens via email, but a lot of phishing now is smishing, happening through text messages, right? So when you get a text message, are you really conscious of what you're seeing? And when you get the text message, where are you getting it? Are you in the line at the grocery store, are you somewhere not really paying attention? Because now we're kind of walking around with technology all the time, right? So usually if you're at the workplace you're a little bit... you co