
hello
um year in October um I tell you the date but I just got last so great um and a father of two uh great little boys
allas I do have a Bachelor of Science in Computer Science from what used to be Augusta College then became Augusta State and now is University uh in1 so I've been doing this for a while as far as computer science in general I fell into IA basically as elects you never heard that that's the town B several years ago um but basically I had a Token Ring network that had issues my issues looked like DoS attacks and it kind of lured me into IA just by doing research looking up stuff um one of the guys I was working with at the time Jeff uh was teaching network generalis and he actually started training department system and he called me you
want this this come down
work so um I've been doing
and I was also the IT for County Sheriff's Office for a couple years really cool experience that we started that department
also have a Master of Science in computer information systems several industries um I work right now as a trainer uh as a contractor bo uh teaching CP Security Plus we have a course called I immersion which is a kind of security excuse me CP on steroids where we put in an extra uh week and a half of hands-on exercises to go along with Concept and I'm also an adjunct here at Georgia State trying to gete on kind in the growing page that right now I said my passion is teaching where this came from is every time I see something out there that I think we can fix I'm pretty sure we can do it just by S people in the classroom and you know
talking to about it um and at the same time I also have uh this this voice in my head when I see something that works I'm like should know about that and I should tell them about so um that leads to a lot of uh you know just ideas kind of around my head but there's a couple of rants that I have when I do my my courses and as the words the I abely IP the first is the word password you're like we should get rid of this right password that's what we all depend on now I hate the word password because it's got the word word in it and if I tell you to think of a password
the first thing you're going to think of or try to think of is a word now we're like password we let's make them strong let's make them oh 15 characters long oh great how many of you use 15 character words in everyday conversation best I come like peanut butter and Mayon capital p m right this is what we do right take of a word now we okay so it's not it's not even enough that we have you um you know create these long extravagant passwords um um but now it's go some special characters throw in some numbers this is really no it's not where am I going to find special characters in the password at the end where are we going to
find the numbers at the end what letters are capitalized the first
two right I mean humans are creatures of habit and habit particular we just happen to call our behaviors habits as opposed to P that's what they are okay so now I've got you picking words you've never used before I've got you maing them and oh by the way I'd like you to remember it 5 seconds after you change it okay this is the help desk Employment Act okay this do not K anything done okay and oh by the way this we will fire you if you write it down this isn't working okay um that leads into the stuff we see here as I oriented because the whole premise of this is users are part of our defense they should
be okay because they're the leading edge after our applications as the users who are the the target of our accounts so how do we get them to well play along and we've all had our experience we we'll go through um we run into this stuff we go forward um but then the other word that I hate is IA awareness just awareness awareness is the most useless word I can think of because it's so I make you aware of something really if I don't tell you what to do about it if I don't help you do what's correct about it is worthless that made you aware it's raining outside if I don't give you a
raincoat it's not really useful information for you especially want to say I want you to go from here to there and not get wet this is what we're asking our users to do I want you to work on the network and not do anything that's going to compromise my network except make really big words that you'll never remember without writing them down make sense Len to the user one other thing that kind of triggered this is actually it's kind of cool that uh Mr came uh and did our keynote today because when I saw this book I was like this is so cool we're taking intrusion detection and we're flipping it well on the side right we're taking
the whole uh hair of watch the gate seeing the barbarians beating upon it which is what most people's concept of of network security is almost everything they talk about is always in the perimeter he's like what happens if they already got in it's the whole read this book I'm you get this as well as new one um where it's just look at the behavior of your systems right now and see if they don't tell you the have been compromised watch what behavior that's already occur so it's taking just that concept of intrusion detection and that that process in I it's kind of turn paradigm on its side he let's look at this a little differently yeah I thought the same
thing about well how do we our users to play along with us as we try to secure the network so we'll take a look at what we're trying to accomplish uh the first point of attack current state of the user current state of training and at least my idea of some solutions you may have your own um I certainly encouraged them um said let's you know trade some emails try and get some uh some other training some presentations together help address these issues I just kind of see hanging out there not really getting anything done um so what are we trying to accomplish simple right we want more secure that thank you for coming got
something free to give away so how are we going to get this done okay well the problem is that you know our users one of two things either our users or our web apps that's what they're attacking if we don't have a web presence well we still have a company that's addressing information some other company hosting one in one so there's no Direct in to my network so I'm not stting it over here what's the next point where are they coming next they're coming after your users this uh social engineer this offici you know sens do something stupid that's incredibly hard to do um so you know well do we depend on technology or USIC or fils well we
know that most of us depend on what technology everybody does right can't trust users is anybody here work at the help desk before who who has actually had the joy of actually look you in the eye and telling you that their machine want F till you change am I am I lying okay so this automatically points us into a point of view where we're like these
people because now you got the one user who is always always always they know just enough to spout terminology at you and they can hit you with the acronymic and they're like one or two steps away from they are right so they think they know something but the time it takes you to explain that to them they're like oh yeah they're telling you how you're right the whole time you're telling them how they were wrong okay this is what you're up against but you can't let that change your need towards them as they come as person and there's a point that that I was going to make that I don't think made it as a bullet
on one of these slides is that we're talking about in between some of these question some of the talks is that when you've got that IA IT separation which is you know kind of slowly happening now which is a good thing but who's our first responder who's the first responder when the user thinks something happen their machine so now get down to a point where are they going to call the help desk if there's something a little SC on their machine but every time we go up and talk to them we're basically Google and watch videos you'll enjoy them greatly okay this is what we can be this what we can't let our IT people because that's going to make not
call they're the first ones that the way I always liken this is you've ever driven your car and all of a sudden you hear a new noise and it is so faint so SL everybody else need to do are nuts when you tell them we don't know what's going on down to the mechanic and he's like I got no idea what you're talking about but you know why because it's yours you've been in it all day long you know enough time you do anything you know it that's your user machine of your user they know what your system looks like now we can expect we can expect you know uh responses that that are uh you know new
icon shows up yeah we're going to call okay new um directory or something shows up they're going to call it's pretty much standard they at least know to do that is when something is just a little it's not as fast as it's not as responsive as when I would double click this icon that will immediately pop up and now it takes a couple seconds pop up is that important to you almost sounds silly doesn't it it sounds like oh there we go again this sounds absolutely silly to any IT person whose only focus has ever been IT it is so but as an IA makes me go just go take a walk okay because you don't know and you
don't know take a look they know their system but now that's the kind of stuff up
that's this is what you know trying fight so um depend on technology we know what we have here right antivirus firewalls all that kind of
stuff and said that last is um that interaction between IT IA and like still these days um as they separated out is to respond stuff after ien okay in this type of instance it's almost like a forensic uh response at that point because it could have happened 6 months ago 6 weeks ago okay whereas that first respond go look just because the user called and said hey something is just strange with my machine no new icons no new you know nothing new visually showed up it's just not acting the same as it that's enough to get an IA person interested enough to go take a look pretty quick the Nik person so you know for the for the user
right now you know their current state confused where well they don't know first as you know as a CIS I think it's in the bylaws of I Square you cannot give a presentation word policy at least once so here we go um you've got to have policies your users know that they're there and how are they warning you because um when I work at the sheriff's office um I never got to a point where this made into writing before I left but because it was so small I could actually talk to each person individually and say listen at no time will the help desk ever call you and say let me have your at no point
anybody at the help desk ever interact with you on the phone for your password just trying to deal with you know that one avenue of of social engineering okay so this is the kind of stuff when we talk about creation of policies it's not just po into that the user because a lot of times what I see in in so many policies is it's always you will comply or else okay and that's going to turn the user off from wanting to call in the first place did I do something wrong okay am I am I going to p on myself you s my hand worse because in most of those policies what's that last line
say may result in termination that's kind har does that going to make that you want to call you up that kind of goes down to you know they're scar of the that um I saw a long time ago was uh this company I was working for going through this management transition they brought in uh this consulting company trying to push in was a called quality management I think what uh Edwards Deming had like his 13 points one of those points is drive out fear and I always thought how do you make this happen and until I really started looking at this like wow that I don't want them so scared that they would not call me in this instance
right for for IA and for protecting our network I don't know my users are so scared to call me because they're like well did I go out to did I do something got except policies to what you're allowed to do you're but you know what you know how P the they go out to the maybe it's not not blocking or even if you are blocking well maybe this one SL by they just scared you you've done this before again as a help technician walk up to and say what were you doing nothing useful information what were you doing just before this happened nothing did you go out to any websites well I may have had Internet Explorer
open and what website well you know this is what you you this is what you go through they're scared to tell you what they were doing is going to help you address the problem and now again you've got this this conflict between the user and whoever that first responder is again it's IT and so these are typically folks who are fresh in they young people they don't have a lot of uh technical experience themselves they is is way more than they absolutely need so they've got that uh chip under St the arrogance goes along with you know basically um they're the you know say they show up and one of two ways they're either ex
just musi washing or they're overly overly aggressive with their my brain is so big so full of information how you Poss understand they go make burns on you're not making that user more comfortable you're not making them and this is what you know this is that conflict is got to get resolved because they're that first point the machine is compromising like I said they can't get through Mark can't get through the web if they can't get through you know red team can't come in through the um through the portals of the Internet they're going to go to the user let the next logical target and so much easier let's drop thumb drives in the parking lot let's send
emails this is come out to the website this is so easy and it works so if they've done that I don't want them to be afraid to tell me you if you go to the same website two or three times talk with a okay but if you make that mistake once you got to give them that break you got let know so they're Fus um we either don't have a policy or again they don't know that it exists um they are frustrated because well they're not sure what to do and you know kind of going down to irritated leaves frustrated this is like one big ball of of negative emotion that they feel whenever something was
happening and they call this person again to come up and talk to us like our little children as they try and fix our machine so um we kind of gone through the help desk and you do end up with these typically different uh attitudes to show up once in a while the person really cares and you know those some people you really want to hold on to as far as that that help desk person respond I don't see that often you just okay and then the other one would be um so the way that we can get some buy-in here from the user is to actually train them and train the IT help it's going to be another solution we need to
come up with but for the user right now when we sit them down and say okay here is the the solution to our problem the passwords are being compromised whatever issues we have out there and we have them come sit into into a uh this and we start talking to them like they're IT people like they technicians I was watching on YouTube this one just because I get a feel from what other folks are doing for IA awareness and this guy is talking about well you know sending out this email and executes this code which compromises this which is fantastic if Joe AER good luck Mark starts out about 6 deep and then jumps off did you
follow all the DS and all that other stuff um but I mean this is how this is users don't care to them hacking is you know Merlin working got back what's that well that's access to your machine okay what happens and it's because you know this this disconnect and this guy it was a great talk I said and I watched the whole thing on YouTube like this is great stuff for an IT guun cuz it really was good the current basically like the current state of of the ha right here's stuff that's going on here's the you know the perpetrators here's what they're attacking and what you know what information they may have stolen you
think you're care that at allit unless we're in an IA or an IT company doesn't even make sense to them now so we know that it's technical we're too technical too detailed as far as you know the exact process of what's going on they care about this stuff but the big thing is this user stake they don't have any this a job that computer is just a piece of equipment you think they got buy you sit there and say well the company could lose well that's the company that's not me this is they're going to right they don't care about you know far as they're concerned they're overworked and underpaid regardless of if they've got four day work weeks and
they're only working 8 hours getting paid for 40 okay and they're making $40 an hour sign me up okay but to them hey I'm overworked and I'm underpaid regardless it's always that you know that that that aspect just got Joe a user sitting in so they're already kind of getting that point of view where it's it's me against d because well you know what the just cut our benefits they're going to cut our pay but we didn't get a big they're not quite disgruntled we'll call them semi-gruntled okay so they're not quite disgruntled yet but they're not unhappy they're just in okay so what we have to do really is start Orting this train helps them as an
individual not what the but literally let's just turn around let's turn this thing on side a little bit and say well because our a says you can go C and because your a says you can exchange emails you do you have any information that's what happens if somebody attacks and they get on your machine then they can look at your user information taking look at your personal information might have been in email or in the do might have been working on computer can now all of a sudden you're a potential victim for identity theft number one issue out there on Internet now somebody care not because it's going to hurt the company it will obviously because it
just attack the company but they care because now they got a personal stake so as I said our solution is to in my opinion towards the individual and I really think that BYOD could open some huge aing here because they're taking that bad boy home right they're taking it to the house interacting with stuff they you know what if you get compromise on the inside guess what happens when you take that home especially with that because now this is given that you got personal information now all of a sudden hey you know what if they have the company you're going to lose your you're going to lose your whatever other information your identity of all things so this is how we can you
know kind of turn that training on its side obviously we want to talk about it from a company perspective but if we don't give the user a state like I said right now then a job that's their state is every two weeks I get
our help desk how to interact with difficult people okay difficult is everything from the person who knows absolutely everything except most okay do the person who just can figure out where thez you got them but I mean we're used to to computers these days we got know workforce we still got a workforce in place that you know they were around before alnet so to them looking at computers and stuff still you know something where I remember when I worked here at Augusta State when it was Augusta College as a student assistant taking these these whopping 386 computers um about this big over to the nursing school set them up for the professors over there knowing they would never
touch
them so you're going to deal with your IT people are they have train Bally customer service not just to be technically oriented and able to solve problems of course that ain't never going to happen right you know um would been nice um and of course clear well defined policies um where we can actually get to a point where we're not going to say we're going to fire you if you don't adhere to these uh policies uh but we're going to talk about the benefits of employ and we can also let them be aware of like that policy I talking about um at the Sheriff's Office where no one will ever call you an IT type of policy but the users
need to be you know told hey look help desk will never ever call you for your P for effort if somebody does that you'll hang up the phone do whatever and let somebody know okay so it's trying to address that one little aspect of social engineering but it's again trying to get that buy from uh from the user so they feel like they're a part of the solution cuz they are right um so in conclusion uh we already have our human shields they're our users their machines going to be the ones that are compromised again we can't get into the web apps can't get into anything else next step is the user okay so they're going to be that
first person we need them to be unafraid to talk to IT we just have to know get used to that fact um leveraging that familiarity with their own system know what normal is for that you don't okay I I don't know how many places don't even have a baseline on the average install for their all their systems let alone of that individual user dealing so when they call you up and say hey my system is acting F me you're going to go sit down and start you know running your PsTools and looking at the processes and memory usage and everything else looks normal to me you don't know what you don't know what normal looks like abnormal you
don't have any idea the user is going to look at that no it's not respond it's not the same as it was not obvious right no said my background change on my screen or anything but it's something not so we want them to be a part of the solution to help us create a more secure
network I wanted favorite but I don't know if that's a good term what's your preferred method foring a large number of users or you know a large user population to to get them more knowledgeable to help of things they should look some of even know they even system is that's to me this um your help desk personnel in my opinion if you're not working on a trouble ticket you should be out just mingling interacting with people interacting with with all staff there not just the hot Chien the third floor but with all the users because that's how
conv it's up to in my personal opinion that's where cks of what kindes are looking as because the person the person person relationship we could rely on technology we can do um you know show them recordings of of tech talks we can do our own tech talks pages but do it and then all of a sudden it's like oh by the way it's mandatory that you go out and do this so that you can be well trained and well informed and then of course then for so it doesn't ACC only personal relationship so you got to find a way somehow it's on your way to answer trouble ticket pop in couple places what's up problems what's going on um
as soon as we rely on something that's not face to face and person to person well now it's voluntary for the US to to do it hope that they know that it's out there and then all becomes an imperative that they know hey this is stuff you should be aware of we make it mandatory up
you in my opinion I think you should be I should be able to create as complex password as I want for you but you should be able to write it down you should only be able to keep it the wallet people like what if you steal your wallet well are you not going to call a credit Cardy cred you're not going to call lost my you know weing opinions but then at least have a strong password passwords the only reason they're out there so much is free right built into everything they're nice and free that's why they're so PR but they're also the weakest for for obvious as easy as possible so try to find comom some I
know lots of folks like what down your B just don't put it damn right there's an air gap that's that's what writing it down is good you got an air gap you can't get to it over the Internet which is usually you know your biggest concern how is somebody going to leverage this over thatw it's written a piece of paper they're not so but you got folks just you the fact that you did I'm like you're not quite catching this on the putting it on the phone I completely agree that a lot of this is about getting the user to care about security and paying attention to things but I don't think that even um
you know comparing to their personal like computer personal space is going to make them care that much more because even on home computers the the websites that go do things they do are just so nonchalant about you security care about their home computer until something bad has happen true enough and it stops working and they can't do what they want to do I mean their computer will slow down over time computers are constantly getting you know going back to where we were talking about fear and driving out fear um there's good fear and bad fear you know bad fear to me is you're so afraid to call me because you'll lose your job good for fear is hey you could lose
your identity you know you could have your account BR the zero your credit just absolutely destroyed and you you can spend 5 six years trying to put it all back together that's good for you right so if you can you know if we approach our training towards them in the company set in those terms might start to turn turn I don't know that for um see that kind of put for but there's no guarantees and you still got users who are just like Flo
don't other
questions questions than much first person raise your hand lock was that was pretty challenging yeah was to get the edge a little bit good talk