Tuesday, June 25th, 2019. I'm thrilled to go to Intel's first security conference in Israel, excited about learning new things, and for that I'm willing to travel to Haifa three days in a row. That means switching trains at Tel Aviv University train station and riding for an hour and a half in each direction. As I'm waiting for the train to Haifa, I notice this. Seriously, do you actually believe that I would connect my phone to that malware-, spyware-injecting machine?

I'm Dina Trevis, and security is not part of my job title; it's part of my life. Before I came to the conference, my only experience with security was detecting simulated phishing emails that were sent by IT to raise our security awareness, like this lovely one. If you press the link, you reach a web-based training about phishing. But today we're even more advanced, and we have an add-on button in Outlook that says "Report Phish", and if we press it we get this message. In any case, I did not fall for those phishing emails, and after four failed attempts I got an email saying: "Thank you for keeping Intel secure. Take the training anyway. Here's a link." Just how gullible do you think I am? How do I know it's not another phishing attempt? So I opened my browser, I went to My Learning to see the assigned trainings, and, oh, I guess I was assigned that training. Well, better safe than sorry.

When I got to the conference, I noticed that most of the people are security professionals. I hardly knew anyone, but that didn't matter, because I was fascinated by all the presentations. I learned about Have I Been Pwned, this website that can tell you whether an account that connected with your email or your phone had a security breach. A while ago we received such an email. What is this account? I don't remember this account. And then we remembered that when my daughter was in junior high we needed to rent a locker for her, and we needed to open an account. The company that we rented the locker from was sold, bought, merged, whatever, and the database was transferred also to another company. That's why we did not recognize it. The more accounts one has, the more chances of information leak.

The highlight of the conference was the last day, when I had two workshops. The first was a workshop that showed how easy it is to do a man-in-the-middle attack on a Wi-Fi network, so I was really glad that I trusted my instinct, which told me that connecting to a free Wi-Fi network in a conference full of hackers is probably not a very good idea. There was of course free Wi-Fi at the conference. What kind of password is that? You need a robust password, like this. This is a lot harder to guess, but there was no need to guess, because it was displayed on a sign with the network name and the password. Out of curiosity, how many of you are connected to the free Wi-Fi here? Raise your hands. How many aren't connected? And the rest are probably disabling Wi-Fi right now.

The second workshop was Secure Development Mindset, and at the end of that workshop I went to the instructor and said: I want to be a security advocate. I want everybody to know how important security is, whether it is in everyday life or to make our products more resilient.

Raising security awareness means you need to do a mindset switch. Usually, when we develop a product, we think with a functional mindset: we want the product to do what it's supposed to do, and if the product doesn't behave properly because of misconfiguration, that's the user's problem, right? I mean, the manual specifically states that the user is responsible for configuring the registers with valid values and according to the sequence as defined in the spec. And what if the user is not responsible? A security mindset also makes sure that the product doesn't do what it's not supposed to do. And what if the user isn't nice? Let's look at the following guidelines: you have a sequence that you should follow and a range of valid values. The responsible user would think about use cases. Well, even without malicious intent, I would say it is interesting to know what would happen if you configured the register not according to the sequence, and I would love to see what the unexpected results would be if I configured an invalid value. The attacker would think about abuse cases.

So doing the mindset switch means that we need to do a lot of training and learning. And here's the thing: why would a developer, designer, validation engineer or manager, whose main job is not security, bother to do all these things? Don't they have enough on their plate? What are we paying Cecil for? Of course, one could say that we will make those trainings mandatory. Everyone will be required to take them, and if you don't take them you will start getting annoying emails with the words "mandatory" and "deadline", and your manager will be copied on that email. But I believe that security trainings and activities should not be assigned; they should be wait-listed, like the Wi-Fi hacking workshop that I attended.

But how do we get to that point? How do we make people want to engage in security activity, in security learning? Well, externally we pay them money and bring them fame. We want those creative, brilliant people on our side. And internally, a little branding never hurt anyone: security belt certifications in various paths, "see my verified achievement", some LinkedIn swag, awards for security leadership, awards and recognition for bug of the month, vulnerability of the week, whatever. And CTFs: they're fun and they're addictive. I participated in my first CTF a few months ago. It was face to face, and it was really nice to see people from my department taking more interest in security. We were divided into groups and we had to solve the challenges together. Since we were beginners, we had a lot of help from the instructors. It was a good start. And then I participated in another CTF, virtually, a couple of weeks ago, not for beginners. Unfortunately, due to time zone issues, I could not be part of a team. Let's just say that I was not the top of the leaderboard, but I was not the bottom either. Every time, you learn something new.

And security quizzes: I participated in a fun workshop. Well, you didn't really have to know how to program in a specific language; it was more about the concept. They showed us implementations, we had to identify the problems and think of a better way to approach this. And for the more advanced, Secure Code Warrior: my friend created, with a vendor, a customized course for the target audience. That way they can see the relevance and implement what they've learned. Security is a team sport. So many of the security advocates and security professionals drive security activities and offer mentorship to whoever seeks it.

In conclusion, I'd like to leave you with the following message. Before you press a link, you should stop and think: do I know the sender, or is it an offender? Do you open your accounts almost every week? You're increasing the chance of information leak. Are security trainings sometimes a drag? Spice them up a little with capture the flag. Make people more aware, instead of writing ransomware. And don't be an attacker; be an ethical hacker. I was Xena Travis. Thank you very much.
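The register configuration discussed in the talk, as an added example that is not part of the original talk: a hypothetical device whose spec says three registers must be written in a fixed order and within fixed ranges. The first write function embodies the functional mindset (the manual makes the user responsible), the second embodies the security mindset and rejects the two abuse cases the talk names, an out-of-sequence write and an invalid value. The register names, ranges and sequence are constructed for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed device: CLK_DIV (1..16) must be written first, then MODE (0..3),
 * then ENABLE (0..1). After ENABLE, no further configuration writes are allowed. */
enum reg { REG_CLK_DIV = 0, REG_MODE = 1, REG_ENABLE = 2, REG_COUNT = 3 };

typedef struct {
    uint32_t regs[REG_COUNT];
    int next_step;   /* index of the register the spec expects next */
} device_t;

static const uint32_t reg_min[REG_COUNT] = { 1, 0, 0 };
static const uint32_t reg_max[REG_COUNT] = { 16, 3, 1 };

void device_reset(device_t *d) {
    for (int i = 0; i < REG_COUNT; i++) d->regs[i] = 0;
    d->next_step = REG_CLK_DIV;
}

/* Functional mindset: the manual says the user is responsible, so nothing is
 * checked. A CLK_DIV of 0 or an ENABLE before MODE is silently accepted. */
void write_reg_trusting(device_t *d, int r, uint32_t v) {
    d->regs[r] = v;
}

/* Security mindset: the device refuses to do what it is not supposed to do.
 * Returns true only for an in-range value written at its place in the sequence. */
bool write_reg_checked(device_t *d, int r, uint32_t v) {
    if (r < 0 || r >= REG_COUNT) return false;            /* unknown register */
    if (v < reg_min[r] || v > reg_max[r]) return false;    /* invalid value */
    if (r != d->next_step) return false;                   /* out of sequence */
    d->regs[r] = v;
    d->next_step = r + 1;                                  /* REG_COUNT = config locked */
    return true;
}

/* Two abuse cases, then the legitimate use case; returns how many behaved as required. */
int run_abuse_cases(void) {
    device_t d; device_reset(&d);
    int ok = 0;
    ok += !write_reg_checked(&d, REG_ENABLE, 1);           /* abuse: enable before clock */
    ok += !write_reg_checked(&d, REG_CLK_DIV, 0);          /* abuse: divide-by-zero value */
    ok += write_reg_checked(&d, REG_CLK_DIV, 8);           /* use case, step 1 */
    ok += write_reg_checked(&d, REG_MODE, 2) && write_reg_checked(&d, REG_ENABLE, 1);
    ok += !write_reg_checked(&d, REG_MODE, 1);             /* abuse: reconfigure after enable */
    return ok;
}

int main(void) {
    device_t d; device_reset(&d);
    write_reg_trusting(&d, REG_CLK_DIV, 0);   /* accepted: the "user's problem" */
    printf("trusting CLK_DIV=%u, checked cases passed: %d/5\n", d.regs[REG_CLK_DIV], run_abuse_cases());
    return 0;
}
```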