
[Moderator] So our next talk is on Pushing Security from the Outside by Chris [unclear]. Please give Chris a round of applause.

[Chris] OK, so [unclear] everybody. Who's out here? How many people here actually work in the security field? OK. How many people don't work in security? OK, great. So I have something for both sides, and I think you'll be able to take this [unclear] over the next [unclear] minutes, so people can take something away from this. But like I said, I'm here to push security from the outside. So what's the outside? I guess that's the first question. So I don't work in security, actually. I only work in the IT department writing code, but I'm out there pushing security. I lead a team of software developers and we're generating software for our business, but for my team security is not an afterthought; it's an important thing that we talk about every day.

So today I want to talk about my experiences during my career related to security and how to try to push security from non-traditional roles, basically outside of the security team. Some of the things I'm going to cover with you: that pushing security can be both fun and rewarding, how we all need to try and train people to think like hackers, what responsible disclosure is, and, if you're an information security team, how you can create an environment that allows everyone to push security from the outside.

So as I was working on this talk, a question that came up again is: is security everyone's responsibility? I think everybody here probably agrees that's the truth, but at your company, is that really true? So at my company safety is the number-one priority, but how do we get to the point where both safety and security are everybody's responsibility? It's going to take some work. It's gonna take some work, and most times, if you don't do it, you're going to end up with something like this. So I picked my first lock today, thanks to my mentor, but I'm very sure, even though I don't know how to pick locks very well, I can bypass the security if we don't have everybody pushing security from the outside. This is what we do [unclear].

So I talked about how pushing security can be rewarding. The way I have chosen to do that is mentoring. There's a developer in my company who I often talk about security with, ideas and practices. This guy was asking about security; he also asked how to write secure code. So as we talked, I realized this guy needed to get out from doing software into information security. So when a position came up, I encouraged him to apply, and then once I got him to apply, I mentored him on the process and made sure he was successful. He was successful and he got that job, and now he's in information security, and even better, they assigned him the responsibility of securing the code within our company. So that mentoring has gone a long way as one way for me to push security, to help secure my company. He still comes around, we still talk about things, and I'm still getting ideas on what he's experienced in the company.

I talked about fun, right? You want to have fun at work. So what's the most basic problem we have in security? People don't lock their workstations. This has been a problem my whole entire career; every company I worked at, we run into this problem. So what can we do about it? Well, I'm going to go from pushing hard to maybe not pushing so hard. So the worst I've ever seen is an admin who [unclear] the [ __ ] screen, and when asked about it, the response was "I was only away for a few minutes; what can someone do?" So here's an idea of what you can do. If you don't know, this is a little example, but with the right registry key you can replace any program with another program. So why not take the accessibility tools and replace them with the command prompt? That gives you something like this: you're going to get a little welcome screen with a command prompt, with [unclear] access to the Start menu [unclear]. This is a very simple thing to do, and it will really drive the message home. Now you've got to be careful: you don't want to do this and leave, because you just put a security hole there. But it's something you can demonstrate. You can take a laptop that's not on the domain and show them what's up. Yeah, this is a [unclear]; basically you can go into the registry and replace it using the debugger [unclear] in the registry.

OK, so that's pretty aggressive. Let's do something a little less aggressive. What I've found works really well is to go into their monitor and invert the screen. Unlike Tom Cruise [unclear], most people can't work a mouse when it's inverted, and when they do get it done, they'll probably [unclear] the screen because [unclear]. Now we had one person who I got so many times he actually got very good at the inverted screen, but you know. Probably the easiest thing to do, [unclear], is just sticky notes. Has everybody seen these? Windows+L is the quickest, easiest way to lock your computer when you step away. Super simple, super effective. You find an unlocked computer, you put the sticky note there, and hopefully they get the message.

OK, but earlier I said "think like a hacker," so let's talk about that. So I work with software developers, and this is the talk we have over and over and over again: is it a feature or is it a bug? And those are great conversations, but sometimes it's like that conversation: is it a feature, a bug, or a security risk? So one day I was in a meeting, we had to look something up, and that requires logging on to the website. So we log on to get the information, and the guy [unclear] gets a password reset prompt: his password expired. But he didn't want to reset his password [unclear], so he hit the cancel button. Next thing we know, we're looking at the information that we're supposed to be looking at. Yeah, that was the same thing I did. In fact the meeting just went on; everybody else just said "Oh, got the information, let's talk about it." I actually stopped and said "What's happening? What just happened?" He said, "I hit cancel. For some reason my password expired and it wanted me to reset it, but it still let me get to where I was going." [unclear] And then I'm kind of sitting there thinking, what just happened? Obviously, in my mind, we just found a pretty big security hole in this website. And the next thing, being a guy in software development, is: why did this happen? Surely the tester did some testing on this password reset. Well, it turns out they just tested the case of a good user, you know: if they're told to reset the password, they're going to reset the password. They're not going to worry about that pesky cancel button. But if you have people thinking like hackers, the first thing they're probably going to do is press that cancel button and see what happens. Turns out what does happen when we hit the cancel button is you get a [unclear] of the cookie [unclear], and it doesn't matter, yeah, that the password expired.

So what do I do? Well, if I'm not pushing security, I think, great, this is a feature: I just found out I have a never-expiring password on this website. I just log in with my old password, hit the cancel button, and I'm in. But I'm not doing that. So what do I need to do? I'm sure I needn't tell anyone around here about responsible disclosure, but think about that at your company: what's the responsible disclosure policy? Do you have one? You might have one externally, but what about internally? What are they supposed to do? So I started asking around: what am I to do? I think I just found a security hole. I got some suggestions, including "you found a good feature," which obviously I cannot go with. One was "open a ticket," because we all know tickets get taken care of; I mean, I've had tickets [unclear]. We get tickets all the time in there for the wrong thing, so I wasn't going to do that. So I talked to some friends, I contacted [unclear], and they helped me find out who was responsible for this website. We worked together; I got in contact with him, we set it up in their test environment, we verified that this truly was happening, and [unclear] it got fixed. But remember, this one would never have happened if someone was thinking like a hacker, or if they were thinking like a hacker and they knew about responsible disclosure.

So one of the things I try to do is never pass up an opportunity to talk about security. Passwords are a great one to talk about. When I'm in a meeting [unclear], oftentimes I'm running the meeting, I log in with my 20-plus character password, and the first question I get is "Why do you have such a long password? The password policy doesn't require that much, right?" That gives me an opportunity to talk to them about: we shouldn't be using passwords, we need to use passphrases. People are surprised that in Windows you can actually put spaces as part of your password. I also tell them, you know, if you can, at least 14 characters; for the 14 characters [unclear]. They might not need to know about the LANMAN hash problem, but if [unclear] 14 or more, people will do it. And if they keep asking questions, I'll talk to them about password managers. Obviously that has to go with personal preference and policy in your company, but these are things that you can do.

So the other thing about passwords that I did recently: I was sent to a public speaking class. Hopefully at this point you're not thinking they wasted money. Now this was a [unclear] class; it was basically learn about [unclear] being a public speaker, and we did it by doing five-to-seven-minute talks. So I thought, why not talk about passwords? We have whole conventions on passwords; surely I could get five to seven minutes of material for my talk. So I gave the talk three times, and each time I added a little bit more to make it really interesting for the team and try to get them thinking like hackers, looking for problems. The last time, [unclear] I had second-factor authentication, then I gave them the password. I said, prove to me [unclear], you know, [unclear] and I'll buy [unclear]. Now luckily, with this group that I was training with, I didn't have anyone successful, but I had a lot of people try, and I thought that was a big success, because I had them thinking like a hacker, and some of them tried to social engineer me. They were all trying things that they didn't need to know [unclear].

So you might be thinking, "I can't do all these things, but surely I can do something." How about just fixing the problems you can influence? OK, this is a file I was given [unclear]. At one point in my career I was given a file much like this, with a password. So I saw this one little problem, [unclear], and what was even better, [unclear]. What were we to do about this? "Don't worry, this is password protected." I didn't have time to teach them about how easy it would be to break that, but I did take this opportunity to fix this problem. So I took this information, I got it off of our shared drive, where it was located. I set up a [unclear] with my team, and then we added second-factor authentication. I'm not saying this is the best solution, but it's way better than [unclear]. I'm not very passionate about an xls file [unclear], but I found a lot of other information on shared drives: financial information, performance plans, staffing plans. What do I do? Take them for myself? Right now, I don't. I do take them, but not for myself: I move them off the public share to somewhere safe, and I go ahead and notify the user: "Hey, you shouldn't have this information out there; here's what you could do." [unclear] We need to be very careful.

One of the most interesting things I've seen is shared calendars. So I'm going to give you an example. This is my calendar; it's just a mock-up. Let's say here we have nine o'clock on Monday: the manager's meeting with HR about an employee [unclear] performance plan, with the HR rep [unclear], followed by an employee meeting with the HR rep and the HR [unclear]. What's going on here? Someone's going on a performance plan. That's probably information that you don't want to broadcast. It's real simple; you just need to be cognizant of the information you put on there. So here's that I have a secret meeting going on at the Neon Museum on Thursday, so [unclear]. So whether it's Outlook, or if you're lucky enough to use Lotus Notes, [unclear] this feature is always [unclear]. [Music]

OK, so I talked about my team [unclear]. One of the things that I hear often when we talk about secure code [unclear]: "What would we do?" [unclear] This is often the response you get from developers when you talk about information security: "Nope, not my problem, I don't want nothing to do with it. InfoSec is going to scan everything; once I pass the scan, we're going to production, right?" I'm sure y'all have seen it. But is that really the way to do this? Some of the things that we talk about on our team is how we can secure both our coding and our environment from the beginning. So you need to think about things like: what's the type of information you're storing, how you're going to store that information, what's the security model your application needs. There's [unclear] secure code [unclear]. The other thing I train my team on is default passwords. [unclear] default passwords. So I think I have gotten to the point where they know this: I can be the master hacker in your company if they're anything like this. So if they put a piece of equipment or a website up, whether it's in dev, test or production, and they leave a default password, they know I'm going to reset it. At this point they don't do it anymore, but there were times when things were put out there, I reset it, and the next time we needed it [unclear]. I don't know why, it was just reset back again [unclear], but we'll talk about that another time.

So I've talked a lot about pushing. Let's talk about pushing too hard. What I just did here in this talk was push security within my company. I thought it was a great idea. If I was up here talking about version 1.0 of this talk, I'd probably leave this room to get a call from the CIA, because I was pushing way too hard, and I took the help of my mentors and friends to talk about the issues I had with my talk and the things that I was revealing with this talk. So thanks for that.

But there's another good reason why we shouldn't push too hard. Who knows Randal Schwartz? OK, if you don't know Randal Schwartz, you should. You could have [unclear], because he was a Perl [unclear]; he's one of the more notable Perl [unclear]. [unclear] He decided that he was gonna push security within his firm. He was working as a sysadmin; he was not happy with the security best practices, so [unclear] he was there pushing them. So what'd he do? He did some unauthorized [unclear]. What happened? This is back in 1935. He got in big trouble, and when I say big trouble, we're talking three felony convictions. Think about that. So we don't want that to happen. I don't want you to go away from this talk and say "Chris told me to push, so I'm gonna push," and then end up like this. So for Randal, this took 12 years and in excess of 200 thousand dollars to clear, but he eventually got it [unclear]. If you don't remember anything else I said, remember that story.

OK, most of you guys are in infosec, so [unclear] specifically talk about: I'm talking about pushing, giving people, I guess, how to push. You want everybody to be a pusher. So let's take the example: these guys pushing this boat up the beach. Looks like a fun thing to do, right? Sure. So I'm sure that if only one of the guys was pushing, they'd have a tough time pushing this boat up the beach, but everyone together, it's [unclear] success. So think back to that picture: getting everybody around [unclear] helping push security, that's what we want to do. So what are some things you can do? First, just encourage people to talk about security. [unclear] If someone has a meeting, it's great if the information security team talks about security. You might want to make sure they're pushing the right things, or saying the right things, so train them, but it's OK for them to talk about security. Give them the tools to talk about security: spend some money, buy those Windows+L sticky notes. Recognize users who [unclear] being secure outside of information security. Formalize the mentoring program; I feel like I'm doing unofficial [unclear], but there's no reason why I can't formalize it, if your HR group would allow it. Give them support to do [unclear]. Maybe you can have a rotation program: come work in information security for a little bit, or make them honorary red or blue team members. If you do that, I'm sure someone who's interested and had the opportunity would love to do that; I would.

OK, so I talked about a bunch of different things. If you're not in information security, which is a small group of you, hopefully you take some of these ideas and use them to push security within your company. And if you're in that group that is security at your company, why don't you go ahead and try and create an environment that will allow me to push security? If you didn't get that out of the talk, come find me, because like I said, you should never pass up the opportunity to talk about security. Thanks. [Applause]

[Audience] Yeah, when you talk about pushing security from the outside, it sounds like in a lot of corporations it's going to be a culture change. What are some things that you found that were effective in getting that culture change, and what are some things you found that were not so effective at changing culture for security?

[Chris] Based on my experience, the information security team has basically walled themselves in, and they don't really allow outsiders. I think it needs to start first with the information security culture, to say we're going to allow this guy, so we're going to say "Chris, here's how much to push; these are things that you can push on, and these are things to not push on," and just get some training to everybody. I don't think anybody wants [unclear], right? I hope that maybe there are some people [unclear].

[Audience] Hey Chris, you mentioned that you have, there's a CISO in your company?

[Chris] Yes.

[Audience] Um, I'm curious, where does he fall? I mean, has he been supporting you and your efforts? I guess I'm at a loss here, like where is he in this picture? Like has he been supporting anything? [unclear] Tacking on to your question about the culture change.

[Chris] I'm [unclear]. We talked about it, yes, but I think so. I work at a company that is a subsidiary of a company, and he's being given [unclear] that causes problems. If he's doing that, I think he's doing the best he can; he does know about this, so I think [unclear].

[Moderator] I think we have time for one more question.

[Audience] I want to go further, so to follow up with what Ming was saying, where does the permission come into play with the CISO, and kind of how far you go?

[Chris] Yeah. [Music] So my advice for you is to probably try to just get [unclear] before pushing. I didn't do that, and there's a reason to do that, but we'll see now. [unclear] Like I said, version one of this talk probably would have got me in a lot more hot water, so we'll see. But I'll put [unclear] the information; I'm here [unclear] after this talk. I'm looking for a job [unclear].

[Moderator] Great, thanks Chris. [Applause]