
...communication resources, and faster and more reliable. That, go get... Afternoon. Welcome back, you guys. All have a good lunch? Did you guys have lunch? Yeah. My name is Jeff Man and I'm a security evangelist with Tenable Network Security, which means yes, I do work with Jack Daniel. I have a very similar role, except I get the dubious pleasure of being much more anonymous than he is; I don't have quite the beard that he does. This is my information. If by the end of the talk you're interested in following up with me, feel free to reach out to me. I'm on Twitter at Mr. Jeff Man, and my email is simply jman at tenable.com.

The purpose of this talk today is to, first of all, explain to you why I lay claim to being a Jedi Master; talk about a problem that I've been noticing in the industry for the past year and a half or so while I've been doing this speaking thing for Tenable; try to provide a little bit of insight into what I think we can do to improve what I think's missing; and hopefully make it a little bit entertaining. I wanted to be as interactive as possible and really just try to get to a place where we're a little bit better off by the end of the talk in terms of how we're approaching this thing called security and how we're getting that message out to our employers, our customers, our neighbors and friends.

Out of curiosity, by show of hands, how many have seen the new Star Wars movie that came out last September's... December? Great. How many people have seen the original Star Wars? How many people saw the original Star Wars when it was released in theaters in 1977? More than I expected. Great. So a long time ago there was this movie called Star Wars, and I sort of created this talk because this phrase came out of the whole Star Wars lexicon called the Jedi mind trick. Does everybody know what the Jedi mind trick is? "These are not the droids you're looking for." The art of making somebody else do something that you want them to do, whether they know it or not. It occurred to me that I shouldn't give a whole talk on the Jedi mind trick without making sure everybody knew what I was talking about, since this is a talk, at the end of the day, about communication. Star Wars, the franchise, is owned by Disney, so I'm not allowed to use any imagery unless we pay a ton of royalties, so this is somewhat movie and tech media themed, but there will be no Star Wars references directly in the talk.

Throw this out there right at the very beginning: I've been in the security business for over 30 years and I got my start at that place. If you guys want to talk to me later, if you want to buy me drinks, I might talk to you about my views on Snowden or my views on the recent FBI-Apple thing, but you have to buy me a drink or two first. I got my start at NSA as a manual cryptanalyst. I worked with these things, one-time pads. In the old days it was all about communications security, and the communications were either encrypted before they were transmitted... if they were encrypted before they were transmitted you could send them any way: radio, telephone, actually Morse code. Code used to be used even when I was working there. But obviously technology was advancing and manual crypto systems were changing, and I actually got involved at the very beginning in some of the first software-based cryptography, which was simply implementations of a one-time pad. To try to put some reference on it: everybody's seen the movie... well, have you seen the movie, and now I'm blanking on the name. Thank you, The Imitation Game. Everybody seen that? Anybody seen that movie? So you know what that is; it's an Enigma machine. When I started at NSA in the mid-'80s, the fact that the US and its allies, the UK, had cracked the crypto in that was still a secret. Why was it still secret? Because there were still countries using it. It was not declassified that we had broken that, which happened way back in World War Two, until the late '80s. Just trying to put some reference on it: I'm almost as old as it, but not quite as old as Jack Daniel.

I left almost 20 years ago to go out into the private sector, having learned how to do some penetration testing, which later became known as red teaming within NSA. Wanted to go save the world and make more money, go out in the private sector. So I became a pen tester on the outside, and, you know, kind of at the very beginning of this whole internet web security thing. So back in those days it was teaching people how to... if you're going to be on the internet, you really should have a firewall; you should really start thinking about having some sort of a security program; and essentially all the things we're talking about today, you know, changing passwords, changing default settings, removing hidden default passwords. You know, this should all sound familiar: we've been talking about this for over 20 years. I guess I made enough people angry enough at some point that somehow I stumbled into PCI, and I ended up being a QSA for 10 years. I like to call that my PCI purgatory days. Then Tenable saved me about two and a half years ago. They actually hired me to be a PCI subject matter expert and try to help the company, you know, help to sell into the PCI marketplace, but also, because of my extensive experience, they said, you know, we want you to hit the road and do the speaking circuit as well, which is why I'm here today.

I was giving a talk over the last year called "The State of Information Security." That was for the hacker cons; if I was at other industries I'd call it cyber security. And my message was essentially, nothing's changed. But as I was going to different conferences and hearing other speakers speaking, I kept hearing some themes emerge, and the biggest thing, the vibe I was getting from all the talks that I went to, was: you know, this community, particularly the BSides hacker community, we know a lot about how the technology works and we know a lot about the security aspects, but if you look at the media, it seems clear that something's not working, that our message is somehow not getting out to the people within companies and organizations that need to hear the message. Why? Because major breaches are still happening, and they're happening in all sectors and all verticals and all industries. Something seems to be missing. This meme came out just a couple weeks ago, and I think this illustrates one of the problems that we have in the industry, which I will be bold enough to mention to you guys: sometimes we have an ego. Sometimes when we are smarter than others and we know more than others, sometimes we, you know, we get a little bit of an ego. I think that's part of the problem.

So my basic premise is we need to learn as a community how to communicate better to all those other people that are needing to hear and know what we know. And I've actually been to several talks over the last year that attempted to do that, and there were some good elements in those talks, but I thought there was something a little bit missing still. I've been a consultant for 20 years. I've spent 20 years going into literally hundreds of different companies, different environments, different, you know, hostile and non-hostile audiences, but always with the goal of: I'm a security expert, or I know a little bit more about security than you do, I'm here to teach you, educate you. In the PCI sense, I need to get you to a point of compliance. Of course I always wanted them to be secure and I would make them compliant, but that's another talk. But essentially I've been in a role of educating and awareness training in my role of a consultant for 20 years. So I thought, you know, there must be things that I do, that smart people have figured out, techniques, that are probably worthy of sharing with others as a way to learn how to communicate differently and better.

I also think that sometimes a lot of us don't really have a lot of opportunity to speak. You know, there's the stereotype that the hacker types kind of stay in closed rooms, usually without windows, and they're happy to be in front of their technology. And you probably know people like this, maybe you are people like this, but put these types of people sometimes in front of a small audience, in front of people that they don't know, a large audience, they don't necessarily have a lot of good communication skills; they're not comfortable with speaking. So the goal of this talk is to try to bring up some points, tips and indicators of how you might learn to talk better, and that's essentially what I'm trying to get at, is what I think is missing.

So for example, I think it's important when you're speaking to an individual or a group to get to know them. Now I've seen a talk in the last year where basically they said, well, you know, you've got Google, go out and find out everything you can find out about that person, including Social Security number. Don't need to go that far, but it's helpful to know that the person might be interested in sports, or they're not interested in sports, or, you know, maybe their kids are on ball teams, or maybe they're pet owners, maybe they love skiing. Try to get to know a little bit about them, because that gives you a little bit of an idea of where they're coming from, and it gives you also some tips on, later, when you're trying to communicate with them, common reference points, or knowing where they're coming from.

So as an example, by show of hands, how many people think the greatest hacker movie ever made is [inaudible]? Good, nobody ever raises their hand for that. We'll skip over to WarGames. Anyone? One person, two, three. Sneakers? The overwhelming favorite. What does that tell us about this audience? What is significantly different about the movie Sneakers than, for example, the movie WarGames, which is my personal favorite? More technical. I think there's also the introduction of social engineering in Sneakers, much more so than WarGames, which, as things get better in the security world, you have to learn more social engineering techniques to be successful. Anybody think Hackers is the best hacker movie of all time? What if Angelina Jolie hadn't been in it? Well, in the interest of time I'm trying to be expedient here, but Swordfish, anyone? Halle Berry. It's all about hacking. But to have something like that, if you're speaking in a group, large or small, some kind of icebreaker gives you an indication a little bit of where the people are coming from. You know, this crowd says Sneakers, so I know this crowd largely is thinking about social engineering; maybe they're a little bit deeper in than my old favorite WarGames, which is how I used to hack, which is over a modem.

The next thing is, I have learned to listen over the years, which sounds maybe counterintuitive, but the best way to learn how to communicate is to learn to listen, and that's in all walks of life, that's no matter where you are and what you're doing. It's important for several reasons. I think one of our biggest problems is, and I think it's pretty well understood, we tend to speak a different language than other people in organizations and other people in the industry. We have a hacker speak, we have a technology speak. I saw a TV show the other night, and it wasn't a technology show, but there was a scene where a waiter brought some dessert out and the person said, what is it, and the waiter says, this is raspberry pi. Had nothing to do with the show, but I'm thinking the writer has to know techies and he put that in there just as kind of an Easter egg. And even "Easter egg" is hacker speak. So learning to listen means you're learning the language of the people that you're talking to, because you have to be able to put what you know in terms that they understand. At the end of the day, it's not okay... we were just talking about this at lunch: if you're speaking to a deaf person, raising your voice and speaking slowly doesn't do a whole lot of good. If they don't understand your language, they're not going to get it. If they speak a foreign language, how many times have you seen this? You try to speak slowly and loudly, and that person that doesn't know your language, somehow they're going to magically understand what you're saying. It doesn't work. The only thing that works is to learn their language. We're Americans, they're supposed to learn our language, but that's a different story. Not a movie, but it's all about frog protection, right? Fraud protection. We're on the same page? It's a TV commercial. Do you have it out west?

When you learn to speak their language, you're learning the language of the business, if you're working at a company; if it's a customer, you're learning what their motivations are, what their drivers are. These are all necessary things. It takes persistence. Sometimes, you know, you have to keep at it. I think it takes practice. In my years of consulting I used to sit around the dinner table with my family and try to explain things to them, and none of them are really technical, but if I could get to a point where they were understanding what I was talking about, then I thought I was ready to go to the customer. And usually that's where the frustration would begin, because I didn't have that much time.

Tell stories. You know, I said, understand their background, understand where they're coming from, try to pick the stories that make sense to them. Sports analogies, you hear them all the time, but not everybody is a sports enthusiast. I've been in audiences, this is going to sound sexist, but, you know, an audience that's a group of women, they may not be into football, so they may not know sports analogies related to football, as an example. It's really interesting if you go to a foreign country; that's when I start to notice all the idioms and axioms and colloquialisms that I have as an American, and as I'm saying them, realizing, you know, people in the UK, they don't know American football, so they're not going to get the football analogy anyway. So what does this mean in terms of soccer and real football, and so on and so forth. Anyway, for fun, anybody know what movie that is? Shout it out. Big Fish, very good.

I'm a cryptanalyst by trade and I've been to many talks about crypto, and, you know, crypto's in the news lately about iPhones and things like that, but you start going to technical talks about elliptic curve cryptography and symmetric and asymmetric cryptography and public key and private key, and you start to lose people very quickly. So I boil it down into very simple terms, even if my simple terms aren't even technically accurate sometimes, if I can get the point across and the people that are receiving understand: oh, you mean encryption means you take something I can read and turn it into something I can't read, and there's something in the middle going on. Yeah, that's all they really need to understand sometimes, and then you can start talking about the costs associated with it and the benefits and the pros and the cons. I think it's essential, if you're in your own company, or if you're a consultant and you're working with other companies, you have to understand their language, which is very often their business. It's great to be as secure as you can be. I used to get customers all the time telling me, well, we don't need DoD-level security, because they knew I had a DoD background, because we just sell women's underwear, or we just sell shoes. Or, you know, the CEO from Target, when they were breached a couple years ago, he was quoted as saying, we sell hammers, why should we care about security? You can disagree with that, but you also have to find a balance. You have to find a way to work that attitude and educate them and enlighten them, but also help them to connect and sort of find a middle ground. Movie? Thank you. I'm not a people person. In fact, I think I have that role in my company now as a side job, which is embarrassing.

This is also essential. You can think you've done a great job explaining a concept. Ask them, what did you just hear me say? You'd be amazed at how many times people will come back and you realize very quickly, wow, you had no idea what I was talking about. Let me try again. And don't try again with the same story, with the same technique, with the same language. You've got to try something different, you've got to try it from a different angle, and again the goal is to put it in language that they understand. Movie? This is the stumper. Remote? Nope. One of my favorite stars, Geena Davis. The Long Kiss Goodnight, very good.

Never make an assumption, because you make an ass out of "u" and "mption." Oftentimes when you're presenting, especially as a consultant, you have to give results. You've gone in and done a pen test, a vulnerability assessment, some sort of an analysis, and you've got to explain it to them. I have learned this technique actually from my father, but I always found it was good to start off with, you know, say something good, like, you know, your website has a lot of pretty colors, but... and then you move on to the bad, you know, we found some issues, and then you drop the bomb on them, and the ugly, you know, there's some default passwords in there. So The Good, the Bad and the Ugly is the movie; that one's a dead giveaway. Oh, my dad, I have to share this part of it. When I was a kid I never got straight A's, but one time I came home with a report card, like six A's and one B, the best I'd ever done. My dad, the first thing he said to me was, why did you get a B? Scarred me for life. I'm still suffering from it.

So where do we go from here? Practice. Try to attempt these steps. You may think it's daunting and impossible. How many people want to take the red pill? How many people want to take the blue pill? It's hard. It is not easy to communicate with other people and get them to a point of understanding. Those of us that have been in the industry a while probably know that all too well. I would say don't give up. It may seem sometimes like it's not worth it. Everybody know what the movie is? WarGames again. Now the message of WarGames, you know, the moral of the story, was don't play the game. Because of my cryptanalytic background I prefer to think of this more as a puzzle. Puzzles often have more than one solution, but there is a solution. So, you know, if one thing doesn't work, try something again, try something different. Don't even think of security as a game; think of it as a puzzle, and recognize at the end of the day that it takes time. It's difficult to do, especially when you're within an organization and you're trying to change corporate culture and trying to get them to think more securely because they have to. That takes time, it takes hard work. It's like steering the... there you go.

So this is a whirlwind, you know, 30 years of experience into a 20-30 minute talk, but be the change you want to be. Try stepping out of your comfort zone if you haven't done this before, and communicating. You can do it in a small group setting, do it with a friend. You say, hey, I want to run something by you. Try to find somebody that isn't as smart as you, or isn't in the tech crowd. Try to find somebody that's outside and say, hey, I want to run something by you. Give it a whirl, see if it works, ask them what they've heard. Try it. I mentioned the ego thing at the very beginning with that, you know, "I wish I was stupid." Yes, sometimes we do know more than others, but a lot of it's just education and awareness. I find it challenging to try to teach people and get them to a point of understanding, and I feel like if I can't do that, well, maybe I'm not as smart as I think I am. So that keeps me humble. I used to, and I still, talk about how I'm bilingual. I've developed over the years the language of the tech community, but I also speak the language of the business, non-technical community, and I have found it essential, to get things accomplished at my customers and companies I've worked for, to be able to communicate with the non-technical community. Probably more so important than talking to the tech crowd, because it's really easy to talk to the people who pat you on the back: yeah, yeah, yeah, I get it, I get it, I agree with you.

To me, after 30-some years in the business, I think what really is going to make a difference ultimately, because everything we've done up to this point doesn't seem to be working very well and the technology's certainly not getting easier, is we still need to be able to teach and educate what are still the basic fundamentals of security: knowing what it is you're trying to protect, knowing that you have to do certain things, knowing that there is no such thing as ultimate security, and so on and so forth.

We have a few minutes left. Does anybody have any questions? This is your chance to communicate. You must have come in late; you have to ask me that after you've purchased me an alcoholic beverage. I'll wrap up: my Jedi mind trick is, buy me alcohol, buy me alcohol. And one last note. Any other questions, comments? [Audience comment inaudible.] You that were older, that saw the original Star Wars, agree, disagree? We're good. Sure.

So the comment is, if you want to get some opportunities to practice, join your Toastmasters club, local Toastmasters club. Look it up, find one, see if there is one. My immediate question is, what is a Toastmasters club? So it's a group that gets together and tries to practice communication. It almost sounds like there's a little bit of improv in there. Okay, very good, great. If any of you guys happen to be more on the East Coast later in June, I'm actually putting together a training course to try to actually put some of these techniques into practice, to try to give the opportunity to teach a little bit some of these communication skills, but more importantly than teaching, I want to give people the opportunity to put it into practice in a safe, comfortable environment. I should look up Toastmasters and steal their mojo. Anyway, that'll be at Circle City Con in Indianapolis in June. That's it. Thank you.