
Now coming to our next talk. Our next talk is definitely going to bring some aha moments for all of us. It brings light to the concept of hardening the human element, Securing Layer 8, to be presented by Eden Piquant, who is a Synack Solutions Architect. So please put your hands together.

Good evening, good morning everyone. Everybody's probably getting hungry now, so I'm going to try to be as quick as I can. My stomach is growling as well; I know everybody is hungry. First I want to say thank you for inviting Synack over to the BSides here. It's a pleasure to be here, and it's a pleasure to be in front of everybody and talking to everybody. And thank you again to Nikhail Depend; you guys have done a great job with the whole BSides.

All right, so today I'm going to be talking about... actually, let me... so I'm eating a pecan, okay. My first name is Eden, my last name is Piquant; it means spicy in French, if you're wondering. I am a Solutions Architect for Synack, but I was on the red team, the SRT Red Team, in the past. I had a lot of fun, it was really enjoyable, and it's great to actually see all the SRT people here as well. I've been in cyber security for a while. I won't take too long to explain all this, but one thing that is important about this is that I'm an Arsenal fan, so if anyone has an issue with Arsenal we can talk later about that vulnerability that you have; we'll fix that vulnerability. All right, but we have a big game today, so I'm very excited.
So, Securing Layer 8. We know about the OSI model, we know about layer 7, the application layer. No, there is no real layer 8 yet, but in real life there actually is, and that's the human element. That's what we're going to talk about today. It's not an official thing; I know some people are like, wait, I was Googling layer 8, I didn't see it. You're not going to see it, but it is really out there in real life as far as the human element of cyber security, and that's what I want to talk about today.

I was thinking about this this year. I was asked a question about what is something in cyber security that really needs to be talked about and emphasized, and for me it's this: the technological hacking aspect, we talk about it, we get it, we get the technology. But as far as the psychological hack, I feel like there needs to be more talk about that, more talk about the state of the human from the emotional standpoint and the mental standpoint of the hacks. A lot of the time when we see a breach happen, typically in the first phase, reconnaissance, there's a lot of things that happen, but the way that it encounters the human, that is a psychological aspect.

One of the people that explained this really well, I don't know if you guys remember Sean Parker, the Napster creator. One of the things he said about Facebook was that we psychologically hacked people for Facebook, because there's dopamine involved when you're using Facebook. Not that Facebook is bad to use or anything, but there is dopamine involved; when you post, there's some mechanism there that really interferes with the way that you're constantly checking who liked it, what did they say about it, what are they commenting about it. When you wake up in the morning you check Facebook, when you go to bed at night you check Facebook. There's a real thing that happens; there's a real reward, and I believe a lot of the time the adversary is preying on that within layer 8. That's a really big deal.

So, the Verizon Data Breach Report, very popular, very well respected. Check this out: 82 percent of breaches to this day are from the human. But the thing is, about 18 percent of that is technology, and a lot of the time we focus on the technology part. But look at where the human element part is: 82 percent of
that. So I think that needs to be talked about a little bit, and that's the reason why I want to talk about it. By the way, Charlie was supposed to do this talk with me. Charlie is also a Synack hacker; he was very ill, so keep him in your thoughts. Any memes that you see on these slides I have to dedicate to him, because he's a master of memes, he's really good at memes, so I'm going to give Charlie credit on that.

All right, so hackers are in business. Hacking, I would say, back in the day a lot of it was about having fun and seeing what you could get into. That has become a business. We have what we call ransomware as a service. At some point I'm almost wondering if these organized groups are going to start posting jobs on LinkedIn; they're getting very serious about their business. One of them is LockBit 3.0, I'm sure you guys might have heard of them. This is a recent post from a few months ago. Check this out: they said that we're looking to improve our ransomware-as-a-service model, not just to improve it, but one of the things that they're going to be focused on is they're looking for people that can help with finding PII on high-profile individuals.

That's layer 8, that's humans. That could be an example of, for example, most organizations will have their blue team detection, they will have their defense, but if I can get the creds, if I can focus on the human element, get their information, whether they're a sysadmin or C-level, I can take their credentials, I can then go to the organization and come in as a normal user. I don't have to worry about any detection, I don't have to worry about any of those things. So that's again going back to layer 8. If that's a focus for organized crime, that also needs to be a focus for the organization; that needs to be a focus for enterprises in general. And this is going to be their ROI, this is going to be organized crime's ROI, the hackers' ROI, because for them there's a good return on investment. They don't have to waste their time trying to sneak around getting into the organization; they can just get the creds of an individual and boom, there we go, great return on investment.

I wanted to put this here, just as an example. The Equifax breach happened in 2017. Now, we all know how everything happened, but one thing that I thought was interesting in the breach was, during that process, Equifax allows you
to go check if you were one of the people whose information was breached; they put a website up there to go check. But an individual, and this is the thing, he didn't even do anything malicious with the information that he received, but what he did was, again, thinking about psychology, right? First of all, Equifax has a lot of information about an individual, a lot of information, so of course once you hear that it's breached you're concerned. So when Equifax says, hey, we have a website, go check to see if you're breached, they're going to jump at it, but not thinking security. So Equifax created a website, and this individual also created a website, close enough to match Equifax's site. I put these two URLs up to see which one you would have gone to, because one of them is the malicious individual's, and the other one is the actual official site that Equifax created. Now, which one is the right one, does anybody know? Oh, the second one, okay, that's good. And what gave that away? Equifax, there we go.

But again, this is a good thing to look at, because when this guy created the site he had 200,000 hits. Now, he didn't do anything with the data, but he was just proving: look what happens, because again, it's the psychology. So this is where we need to start thinking about how to train the human being to understand the idea of what actually is happening, slowing down, thinking about security-focused things. Because in totality we're really good at the digital, we understand computers at some point, especially this generation, but we still want to make sure that we have a security mindset, a security focus. Even with Uber, right? We understand how the hack happened, but again, if you think about the psychology of it, you can imagine if you were on your phone and you kept getting these messages saying allow, allow, allow. They're calling this an exhaustion attack: you're basically exhausting the human being to the point where he's getting so frustrated, and what are you going to do? But again, it's a psychology thing. You're trying to manipulate the mental status of a human being. We know that when things keep happening on our phone, instead of taking the time to figure out what's going on, I'm just going to allow it so it can stop. And that's the thing that we really need to start focusing on: the psychological aspect, the state of mind of individuals.

What do we do currently? So right now, and the thing is, this is good, what we do; it's not that it's bad, it's good that we do it. But a lot of the time right now we're just doing training, doing webinars, training at the workplace, and those things are good, right? But again, knowing human beings, and maybe you guys haven't done it, but I'm sure a lot of us have
done it: really, you're just trying to pass the quiz because you don't want to get in trouble with your manager, or you might have multiple windows open because there are so many that you have to do, and you're just waiting until the quiz part pops up and you answer it real quick. This is what most people are doing, and this doesn't really help to understand what actually is the why of these breaches, what's actually the why of phishing. You may understand phishing, but you need to understand the why of the phishing. To this day they keep falling for the same breaches, the same attacks that happen, the same phishing that happens. So what we want to do is start changing that aspect and get creative with it. Honestly, there's a lot of ways we can do this; it's going to be a community effort, but we need to start trying to change how we can help the human understand the why of why these breaches are happening, so we don't keep making the same errors.
All right, so what should we do? What we want to try to do is focus on teaching the why, focus on the emotional state, rewarding good behavior. Again, that focuses on the dopamine, the same thing Sean Parker was saying. Teach them to understand their personal attack surface. Because we use Facebook, we use social media, but help them understand what actually gets exposed when you use that. What does it mean to put my birthday on Facebook? What's wrong with that? I want people to tell me happy birthday on my birthday. We need to let them know that hackers will use that information. Even though it's one piece, if you're on Facebook and you have your hometown that you're from, you have your birthday, where you're living now, all of these things a hacker can use, all of that information, to even create an email to phish you, to know you as a target very well. Make it harder for them, right? These are the things that we need to teach them, because for them it's like, hey, I want someone to tell me happy birthday on Facebook, I love how that feels. So we want to start teaching, we want to start rewarding good behavior in a very clever way.

Another thing too is we do a lot of policies, right? In the corporation, policies are good; we don't want to stop doing those. It's a good layer to have. It's like having a lock on your door, that's a good layer to have, but it doesn't mean that it will solve everything, because you can implement a policy in the workplace but the adversary doesn't care about that policy. So the thing that we need to understand is: here is a policy, but what's the reason for it, what's the why for the policy, so that they understand why they have it in the corporation.
Again, I think it takes a community effort, so even as far as the engineers, or us, me, because a lot of us normally wouldn't fall for a lot of the different schemes because we're so security conscious; we're in the industry, we understand it. But we need that to actually spread out, and it's going to take the community to do that. So even with passwords, understanding why we have passphrases, what's the difference between a passphrase and a password. Because they may hear, okay, you need a longer password, okay, I get it, but why? And if I did a long one, why can't I just have a long one with the password, why does it have to be a passphrase? These would be good questions for them, and we need to help them understand the why of that. The thing that's key is we don't want to just make them experts in technology, because there's no need for that; we don't want to overwhelm them with that. Really, we just need to focus on helping them understand the why of it. If they understand the why, that alone can help them when a new attack comes; they can start thinking more security focused and they'll be able to understand. They don't need to know the technology so deep, they just need to understand the why, so when things start to happen they can start detecting it. Because as human beings we're already wired to detect danger, so we just have to bring that over to the cyber space and help with understanding what certain things mean and why they're doing it, and this will be a better way to educate them.

It's funny, I just saw this meme on someone else's... so this is a popular meme right here: digital security fluency. Again, we have to think about our age group, when they got into... for example, our grandparents might not necessarily be
computer savvy, but unfortunately everything we do today is information technology based, so now unfortunately they have to learn some things about the digital space. A good example is in the healthcare industry. Back in the day it was a lot of paperwork; you write prescriptions on paper, but with EMRs that has been changing. The thing about that is it's a good thing, because there are some prescriptions where the writing on it is not clear, and this actually killed some patients, right? So now everything is done electronically. But this is the thing: the nurses that are there, they weren't there to learn digital, they weren't there to learn how to use a tablet, but now they have to do that if they want to be able to work, because now they're given an electronic platform to input the data. So now they need to understand how to use that, and that could be stressful. But the thing is, if we can help them understand the basics of how to use it, but also understand that this can happen if you don't realize what you're doing, these are the things that can happen... they can get overwhelmed. And I'm sure you guys have grandparents that ask you questions all the time, so we can understand this is a very tough situation.

But this is the thing, and I like this statement right here: almost none are digital security native outside of security professionals. So there's a difference, and I'm going to go to the next slide on this. There's a difference between being digital native and being security native. You may be digital native, but we also need humans to be security native. So for example,
let's say you're using Chrome. Chrome pops up in your browser, at the top right, sometimes when there's a vulnerability out there. Chrome will be good about, hey, update your browser. But the thing is, you may see that, and I can't tell you how many times these days we do Zoom calls, somebody's sharing their screen, and I look at the top right: update needs to be clicked. Now, it's a small thing to do, just click it, but we need to be security native to understand that this is the thing that needs to be automatic. We don't want to waste time, but it needs to be automatic. So this is what we're trying to do: we're trying to train people to focus on security-conscious things. Even with pop-ups, understanding not to just click on things. Look at this one here: one lets the hacker in, one blocks and reports them; which do you have on your team? This is very important. If we can get people to report certain things, that's good training as well, not just blocking it, but helping them understand how to report these things.
My control advantage. So one of the things that I think is really important to do is to retrain the human to understand how to see the technology space, because the breaches aren't going to stop; they're going to continue happening as assets continue to grow, especially now that everything is done on the application layer. The attack surface is going to grow so much that the technology piece is good to have, but we really need to have a security mindset. We need to start basically retraining human beings how to look at the cyber space, because usually when we think about cyber security we think that when we go into the corporation, all right, I've got to think cyber, I'm at my desk, I've got to think cyber. But now we're working like, you know, the generation now, especially with COVID, there's work from home. So now your home, your room, your office space at home is an extension of your workplace, using VPN, connecting back into work to get to servers and get files from servers. This is a really important thing that we need to start focusing on. One of the things that we need to retrain our mind on is the fact that cyber security is not just in the workplace; cyber security is going to be everywhere, everywhere that you go. We have phones today that we are walking around everywhere with; we're working from our phone. Now it's going to have to be a responsibility that we think about it everywhere that we go. But in order to do that it's going to take some time, because this is like a new world in a sense, the way that we do things.

So for example, even with phishing: phishing still happens via email, but a lot of phishing now is smishing, happening through text messages. So when you get a text message, are you really conscious of what you're seeing, and when you get the text message, where are you getting it? Are you in the line at the grocery store, somewhere not really paying attention? Because now we're kind of walking around with technology all the time. Usually if you're at the workplace you could be a little bit more cyber focused, but now it's all over, it's your lifestyle. So we're going to have to retrain how human beings think about cyber security; this is not just going to be in the workplace. And it's a lot of work to have to do that, because we're still getting used to a lot of the things that have changed our lives. I was talking to somebody the other day, and Ring is a really popular thing that we use for security, but nobody really checks their Ring on their laptop; you check it on your phone. So your phone is almost everything today; that's becoming just a way of life.
Showing the personal attack surface. I'm sure a lot of you heard the Cambridge Analytica story. Now, one of the things that's interesting is they were able to build a profile on an individual based off their likes. Again, it's not to say that you can't like something on Facebook, but it is to say that these are the things that happen: anything that you do online is watched, it's monitored. So when you like something, enough likes naturally build a profile about who you are, and with that data they were able to send certain people information to change their mind about a situation. So again, the attack surface: if you understand that, hey, whenever I post on Facebook these are the things that people can build off of me. And we know these things too: if I go on vacation, do I post it in real time, do I wait, and if I do, what's my risk? Because sometimes it's not about, like, you can't live your life, but understand your risk. Understand what the risk factors are when you do certain things online, understand what the risk factors are when you're clicking on an email, all those kinds of things. Security folks, really, after a moment it becomes second nature; it's not like we have to do this whole long process. But in the beginning it is hard to train the human; it takes some time, but once it becomes a normal pattern it's like second nature. Again, we're already wired for this; we just need to bring it over to the cyberspace.
But why me? All right, this is a good one, because I tell you, a lot of people, for example, when you are on Facebook and you log in, you notice that you have somebody inviting you to accept an invitation, and sometimes your mind is thinking, wait a minute, I could have sworn I added that person already. Oh well, I'll just click it, maybe I did. And that may not be that person. People are creating fake profiles, and a lot of human beings don't understand this. Again, you would say, why would they do this? Because the thing is, they're trying to befriend you; they want to get into your network. If there's a target that is in your circle, one way for them to get to that target is to be friends with you, because what's going to happen is, and this is what we need to retrain them on, typically, even on LinkedIn, when someone is asking, hey, I want to be a part of your network, typically if we're security focused, and even if you're not, you usually look to see, wait, who else do you know that's in my network, so that can validate, okay, yeah, I can click. That's typically how we think. So because the adversary knows that they're thinking the same thing, like, hey, as long as they see that I'm building this profile, I'm part of this individual's circle, they're going to accept me. And once they do that, that's when they can start targeting their target more clearly.

This is not the talk for a demo on this, but there are ways to detect fake profiles; there are ways to even look at the ears, the earrings, how the measurements are, because there's technology that's getting really good at creating faces, and if you're not looking carefully, just like with the Equifax URL, if you're not looking carefully you're going to miss it. But sometimes, again, it just takes a second; once you become security focused it takes a second. Even now, LinkedIn literally had to remove a whole bunch of fake LinkedIn profiles, because there are people creating these... there's a big thing right now where they're creating these accounts where they're trying to connect with a lot of CISOs, being a part of Fortune 500 companies, and Brian Krebs even talked about this. This is becoming a common thing. Can you imagine? You're trying to target CISOs from Fortune 500 companies; I mean, that's a brilliant thing to do, right? But again, we have to start helping human beings detect why these things are happening. They don't understand what sock puppets are; they don't realize that there are people generating fake avatars but making it look so real you think it's a real human being. And again, they need to understand the why. They don't need to understand too much of the technology of how they do it, but they just need to know that it's there, so that when they do get someone saying, hey, I want to be part of your network, they can start thinking, wait a minute, let me just do some quick analysis to see what this really is. Because how many times now have you seen on Facebook a post that comes up and says, oh, it's not me, my account got hacked, sorry. Now, that could be minor because it's Facebook, but this can actually interfere with your life. It can interfere with, let's say, a user takes your profile, who you are, and they'll use your information to go apply for a loan and just steal your identity. That's when it really gets tough, and you don't want to have to deal with that, because it's so messy; it's a lot of work, it's a lot of work. So we're trying to
avoid all of those things. All right, this is a funny one, but there's a lot of truth to it in regards to passwords: change them regularly, don't leave them on your desk, and don't loan them to anyone. But the thing is, in your mind, if we can have this focus, this will also help us be security conscious. Because again, the passwords are annoying, I get it: to remember all of these passwords is just so frustrating, but unfortunately there's a trade-off for security. It's a good thing to have. It's kind of like 9/11: before 9/11, to go to the airport and go into security was quick, right? But now there are a lot of checks. We've got to do our due diligence, because there's a trade-off. We need to get used to that, but also there are ways to make life easier. For example, a lot of the time we talk about having a password manager. With a password manager it makes it easier, because one, the password manager can generate a password for you, a really good password where the entropy level is very high. You don't have to think about it; the pressure is not on you. You just have to remember one password to get into your vault. But again, I get it, it's a lot of work, so this is why it's hard to train, but this is the kind of mindset that we need to have, where it becomes normal. We need to train them that there are ways to make it quicker: you can have a local password manager even on your phone, it can pull the password very quickly, it's not going to take that long. We just need to train how to do this.

But it really takes actually getting out of the workplace. As individuals in the security space, we need to help people in the home to understand this; we need to practice that at home. When you start practicing these things at home, then it can go to the corporation, because when you start practicing at home it becomes more of a normal way of life. If you're told to do things in the workplace, typically the mindset is, once I leave the workplace and I go home it's a different situation, and it's like, no, it's becoming the same. So a lot of things right now, for example the breaches, they'll say network segmentation. Well, network segmentation can also be practiced at home. Why is that? Because these days most of us have smart TVs in our homes. Smart TVs now have IP addresses; these TVs are on the same network as your main network, but when the manufacturer is creating the TV they're not thinking security. So you don't want to have an IoT device on your network that has no security on it; you want to have it on a separate network, a guest network. If we could just teach those minor things in the home, this will help people understand cyber security as a lifestyle.
All right, what we can do today. Again, there's a lot of things we can do, and this can go so far, so deep, so wide, and again I'm just trying to breeze through this to keep up with time. But at a higher level, the idea is we want to reward the human, we want to make it interesting. Again, this is the same thing Facebook did: it's attacking the dopamine, making people feel good about something. It's the same thing they do at the casinos: it's a reward, a random reward that you can get. So we've got to have a way of doing it.

One of the things that we could do in the workplace is have different ways that we can send over training voluntarily, but for every quiz that you do you can get an amount of credits. Now, these credits in totality, let's say you do this quarterly, or three times a year or four times, however you want to do it, but you'll most definitely want to do this not just once in the enterprise. What you do is, based on the points that you get, there will be a drawing, and in the drawing anybody can win, because even if you have 50 credits, or one credit, it gets you an entry no matter what. So that means everybody can win; it's not just whoever has the most. And there can be multiple rewards: there could be a high reward, one that's a middle reward, and a low reward, but you still get a reward. Let's say you have gift cards, for example, at the end of the year, around December: you can get even a 100 gift card, you can get a 1500 gift card. That incentive is enough to make it very rewarding for the individual. But the thing is, we don't want to force it on them; we want it to be voluntary. One of the ways they can do this is, whoever is the winner, the top winner or the middle, we can even have them train individuals about how they really leveled up, understanding the different quizzes that they took. This way it's not just the cyber security department training them, it's their peers, so they can see how realistic it is. One of my peers actually won? Oh, what did you do? Oh, this is what I did. Conversation starts happening. Again, it needs to be a lifestyle; it needs to be something that's happening in our conversation. We need to have a way of rewarding, not just a quiz that you pass, and if you don't, you get in trouble. There are those things too, but you want to be able to reward and look forward to something. We all like money, we all like gift cards. This would be a great way to help the individuals understand the meaning of different phishings; we can send different quizzes.

But this is the thing: let's say you send an example of a phishing quiz. Even if you get the answer right, typically when you get the answer right they tell you why you got it right. We make it two parts: you give the answer, but then you also give why it is that answer, because then you understand. Typically when you're doing the quiz you're kind of guessing; most human beings may be guessing, and then after that they may explain, oh, this is why it's the answer. Well, no, let's have the individual, the human, put the why. Because in some ways, not that the technology security things are bad, but in some ways they also handicap the human being. There are a lot of detection tools that we have to help protect the human from pressing certain things, from opening emails, but at the same time that actually handicaps the human, because they're relying on the technology so much that they don't think security anymore. They're thinking, oh, the security tool is taking care of security for me, I'm all good, so therefore I don't have to think about security. And that's what's starting to happen. Again, it's not to say that we get rid of the security tools, it's just that we don't want to handicap the human, so we want to give them a chance to exercise what cyber security looks like: what does it mean, what's the why?
Policy doesn't cover everything. We talked a little bit about this. In the workplace, when the auditors come, we always used to have this joke: the auditors are coming, the auditors are coming, we've got to get everything right. But we don't have that same mindset in the enterprise for the hacker, and the hacker is hacking every 43 seconds. When the auditors come we have this mindset, okay, we've got to get things together. But this is the thing: when you implement these policies, it still doesn't stop the adversary. There's one thing about implementing policy, but there's another thing about what's actually happening in the wild. There are a lot of different things happening in the wild that policy doesn't even affect. Typically, when there's a vulnerability we patch the device, but the question sometimes is how fast we can patch the device; sometimes we can't fix it before the actual hacker gets to it, because there are a lot of things involved inside the corporation. It's one thing to implement policy, but it's another thing, when policy is implemented, what it means to the human at the workplace. So one of the quizzes, for example, can be sending a policy in the quiz: what does this policy mean to you, what's the right answer for this? So then they can understand what the policy actually is, because a lot of times they don't even know what the policies are. But again, we need to also have this impact in the home; it's very important to bring this into the home. We were just talking about this: if we can help explain the why of the policy, help them learn policy and what it means, once they understand that, what helps is it helps them have a security-conscious mindset. Oh, this is the policy that we actually have in the workplace, and this is why we have it. So let's say someone didn't know that; we can expect, oh, did you know that we have this policy? This is why we have it. We don't necessarily need the cyber security department to explain it anymore; we can now have peer-to-peer explaining, because in the workplace every department is different. The marketing department is different from the engineering department; different attacks can happen, different policies may be in place for certain departments, because they're all different in what assets they have and what could be a risk. It could be all different. So if we could have peer-to-peer explaining policies to each other, that would be a game changer.
Again, now the attacks are not just happening in the workplace, they're happening in the home, especially with work from home. So this is why it's crucial to really start teaching these things in the home; we need to make it a lifestyle. This is just a funny little story here about password security, but these things are very true about password security. Passwords are a good layer to have. It's not to say that it's going to protect you from everything, but one of the things I like to tell my clients is, I'm not here to protect you 100%, as if you're never going to get attacked. The focus is to make the layers enough that when you're one of the targets, it's going to be very hard for the adversary to really breach you, and they'll go to somebody else. Not that they can't do it, but because there are so many layers in place they're going to go to somebody else, and that's the key. You don't want them to spend too much time on you; it's been enough time that they get so frustrated that they go to somebody else. And that way we're going to start changing the ROI of the adversary, because the thing about hackers is, look, if we could do it quick, let's do it quick; that's a better return on investment for me. I don't want to spend too much time fooling around. So if I could just do it quick, that'd be great, and the thing that stops doing it quick is having a password that has a high entropy level. If you have a longer password it makes the attacker's time very annoying, because now they have to do more work, and then that changes the way that they look at that target, and then they go to somebody else. So that's the way we need to be thinking about it: we're not here to say you can never hack me, but I'm going to make it so annoying that you're going to go to somebody else. That's the biggest key. But in order to do that you have to understand what makes it annoying for the adversary, what are the things that annoy the adversary, the things that make it difficult to breach an asset or a company or an individual. Once the humans start understanding those things, they're going to be more security conscious; they're going to be more focused, so when they see an email they can smell that something is strange about it, because they're starting to be security conscious, because they understand the why. For example, let's say it's the holidays. Hackers love having campaigns during the holidays, so that would be a good time: when humans know that it's the holidays, they're going to be more focused. Wait a minute, I understand the season that I'm in. They're going to think about this at a quick level; it's not that it's going to take that long, it's going to be a real quick wave: I know what season I'm in, I know what position I have in the workplace, I'm a target, and this is why I'm a target. And because I understand that, I'm going to be careful how I open an email. For example, if I go to a restaurant that's next to the company, I make sure that I don't have my badge, because people can clone that, and they don't need to come near you and touch the badge physically; they can be a distance away and just clone it. If we teach them these things, this will help them understand, because when they understand how hackers think, the mindset, then they can understand what actually is happening. They understand, yeah, there are phishing campaigns, but they don't understand the why; they don't understand why they're targeted. Once they understand those things, it can help them understand what they need to focus on. And this is what we were talking about before: we're trying to change the ROI for attackers, we're trying to make it difficult for them, and one of the ways to do that is to educate people. The education is going to have to happen not just in the workplace; it's going to have to spread. For example, a lot of people do talk about the Uber hack, especially since Uber is a popular company, but we need to start talking about what happened there: how did this initially happen, and why did it happen, was there a particular reason? Once they understand those kinds of concepts, the more of those conversations that happen, the better we can understand how hackers think. Because one of the problems is the human is not understanding why the attackers are doing what they're doing. They understand that they're doing something bad, but they don't understand the why. Once they start understanding the why, this can help them realize how they need to do things differently. And there are so many different aspects of it: whether it's the position you have, what organization you're part of, maybe the family, the last name that you have, because as an attacker, if you're the target, a lot of times they're going to go to maybe your brother, your sister, your aunt; they're going to go that way to get to you. So it's really important to understand your position, and it's important to understand your attack surface as a human being, not just as a corporation but even as a human being. What's your attack surface like? Usually I tell people, go on Google and just type your name, type your first name, type your last name. We don't have to teach them Google dorking necessarily, but let's just have them type that to see what comes up, just to understand the concept of what information is out there on me, who I'm connected to, how they can use my information for a campaign.
Now this will help us win. Now we can start changing the game. The idea is we're trying to change the game of the adversary, and yeah, we're doing our technology part, which is great, but there is a psychological part that really needs to start coming into play a little bit more. This is again the mental state, the emotional state of a human being; we need to start changing this. Once we start changing this, this will help us change the attacker; this will start making it harder for the attacker, because a lot of times what we're doing now is we're hoping that we create more technology, more tools, to help stop the attacker. And yes, those things are great, but we need to also emphasize a focus on the human aspect. The human being is the weakest link, we understand that concept, but why not make the human being a more valuable asset, make them like sensors in the corporation? Usually with a vulnerability we'll patch the technology piece, but with human beings, we can't patch them; we understand that, we can't patch a human. But what we can do is help a human evolve in how they think about the actual cyber security industry, think about the adversary's attacks and how they do things. So once that starts happening, it's going to change the game, but we need to start focusing on the psychological aspect, and this is the thing that's really going to throw off the attackers, because a lot of times the attacker's initial footprint is preying on the emotional and the psychological, the mindset of that human being. If you look at a lot of breaches that happened before, you look at the big exploit that took place, but when you start looking at the setup before that, what happened before that, typically a human being's psychological mindset was taken advantage of, the emotional state was taken advantage of. Again, just like with Uber, it was taken advantage of, because it just exhausted the user to the point where he was so frustrated they just clicked on the button. We've got to start changing that. Once we start changing that, it's going to change how easy it is for the attacker; we've got to stop making it so easy for them, we're going to start making it a bit more challenging. So that's it. I tried to breeze through it because I know we're hungry, but if there's anything that you get from this, the idea is we want to start helping the human being, layer eight. We're going to say that every attack can happen everywhere; there are so many ways. And this is the thing: we're getting these new devices, these new technologies that we love; they're convenient, but in their convenience they bring vulnerability. Even technology brings vulnerability; the same tools that we're bringing to the corporation bring vulnerabilities as well. So if we can just focus on helping the human being in different aspects, understanding their attack surface and what it means, this will help change the attacker's footprint and not make it easy. So thank you. [Applause]

I really hope the companies start incentivizing our good behavior, just like you mentioned. Those are some really good insights, like changing our perspective from how we look at attack surface, not only at the application level but starting to look at humans as attack surface. Thank you so much, Sydney. Yep, thank you, take care.