
[Host] Good afternoon and welcome to BSides Las Vegas. Wow, okay. We'd like to thank our sponsors, especially our inner circle sponsors Critical Stack and M/L, and our stellar sponsors Robinhood, Secure Code Warrior and Paranoids. Cell phones, you know the rule: turn them off. Okay, I'll pass on the mic when you want to ask questions; the first three persons get socks, over here. Ty is a highly sought after dinner guest, a security operations center lead and co-founder of Full Metal Cyber Security. He believes that anything worth doing is worth doing not only well but also with excellence. So, hi.

[Ty] Very good, thank you all. All right, my topic is Understanding the Human API: Evolving End Users from Authorized Adversaries into Our Best Defense. So I hope you enjoy it. All right, the free talk obligation slide; I just want to point out the last bullet: I will be using the word "dudes," and it is intended to be inclusive. Cool. All right, so this is me. I do many things in many capacities, and we're going to talk about each and every one of these things another day.

Here's the structure of my talk. My plan is to discover, better understand and improve human interactions by mapping some basics of computer science onto human behavior. So we'll discuss a range of topics, including behavioral science, philosophy and neuroscience, in the Human API fundamentals. We'll discuss our perception of security. We'll discuss what helps make a mature organization and security's role in business, and then on to the primary topic of security and end users, and then we'll finish up with the prime directive.

All right, so this comic has a little more truth to it than I'd like to admit. The ring girl has a sign that says "data security," and the emcee announces that in this corner we have all the cool black box technology, and in this corner we have Dave, and Dave is labeled "human error." So this comic quite candidly points out that information security is becoming less about computer science and more about human behavioral science, or at least becoming more so. I suggest a reframe and refresh of some aspects of the security structure: refresh what security means, reassess our goals, and I'll offer my recommendations to maximize our ability to capitalize on opportunity. So to that end, let's identify and explore some key parts of the Human API.

So an API is an application programming interface, and it is a particular set of specifications that programs can follow to communicate with each other. It serves as an interface between software programs and facilitates their interaction. Pretty simple, right? All right, the Human API is almost the same: it's a particular set of rules and specifications that people can follow to communicate with each other. It serves as an interface to the world and facilitates interaction. Simple enough, right?

So why is understanding this important? APIs make it easier to develop by providing the building blocks necessary to realize complex actions, like a potential. Potential represents something that isn't real yet, but we act as if it is real. That's heavy duty when you think about it. So we realize our potential by interacting with the world in a manner that would get us the most information. Accurate information is critical to optimal decision-making. We know that if we put ourselves into a new environment, new genes turn on in our nervous systems; it turns on new circuits, and they encode for new proteins. So we are full of biological potential that won't be realized unless we expose ourselves to challenging circumstances. By doing so we put different physiological demands on ourselves, down to the genetic level, and it's important to understand this so we know how to build more meaningful and productive lives.

So I propose that the Human API is split into two parts, and in a moment we'll talk specifically about those parts. But before that, there's a foundational piece to acknowledge: within our reality, fundamental opposition exists in all things. Here's a video illustrating opposites.
So the volume wasn't great there, but I just turned it up, so we might be all right now. I think everyone gets the idea of opposites, right? So obviously that illustrates opposites pretty vividly; I think everyone gets it. So there's opposition in all things, and you can't have one without the other. They're not enemies, they're only opposites, and the existence of opposition provides us with choices. So the two parts of the Human API I promised to talk about earlier are represented as chaos and order, which are fundamental opposites, because every conceivable live situation is made up of both. They are the two ultimate categories of reality.

All right, so we're going to start with order. Order is predictable. Order is the place where what you are doing is producing what you want to have happen. Let's see, my mouse is locked in there and won't let me move over, that's weird. Well, yeah, order is predictable; order is a place where what you're doing is producing what you want to have happen. Chaos is the opposite. Chaos is danger; chaos is disorder and lack of organization. I don't know if you guys are South Park fans, but Professor Chaos was my favorite episode. All right, so in a nutshell, chaos and order: these are the two fundamental pieces. Very good. And so the concept is that the more we can do to reconcile these two seemingly opposing ideals, the more it will help generate more success and more meaning in our lives. And so I'm going to elaborate on that just a little bit.

So we're going to talk about some brain science real quick. Our brains are split into two hemispheres, left and right. Brain lateralization occurs when certain functions prefer specific brain regions. The left hemisphere prefers logic and the right hemisphere prefers imagination. This categorization doesn't attribute or prescribe personality; it's just simply functionality, right? The concept is that in the natural world we have a continual dialogue between the right hemisphere and the left hemisphere: the right does a continual dialogue of imagining, and the left hemisphere does critical analysis. If the left brain is too strong, it over-analyzes and overworks. If the right brain is too strong, it daydreams away life. They require each other to work together to function properly. The left brain favors order and the right brain favors chaos. Like the cerebral hemispheres of our brains, these contrary forces are actually complementary, interconnected and interdependent. So they're separate, but together.

All right, so how does this mental processing help us make sense of a tough situation? An incredibly old philosophy maps directly onto this concept and will perhaps guide us to potential solutions. So this symbol here in the center, this is the Tao. The Tao means potential, the way of life, the path; that's why I've got a picture of a path here. The Tao means to live in a proper manner. So the orange side represents chaos and the blue side, I'm sorry, the orange side represents order and the blue side represents chaos. So order is calm and moderately happy, and then we've got this blue dot of chaos right here. So this reminds us that order can be disrupted and plunged into chaos in just a few moments. So I like this image because the texture looks almost like it's water, and it suggests that it has a depth to it, and so I like to think of this as a 3D model.

All right, so when you're deep in chaos and you're in a hopeless state, when everything seems to be going wrong, and you find a critical realization, a little bit of hope, a little bit of order, a striking realization can pull you up out of the chaos and take you back onto the path, and order will resume in your life. So this is an important dichotomy, because chaos isn't all bad; that's where potential, adventure and growth live. But we can't just hang out in order, and we can't hang out in chaos too much or we'll be swamped and overwhelmed. So the key fundamental to understanding this part is that these two pieces of our minds have to work together, and the better they can work together and identify dichotomies, the better and more successful we'll be. And the more you do to reconcile these two, the more you'll stay on this path, and this middle path right here through the center, that's where meaning is found. And so we need meaning to protect us from catastrophe, and so if we have a solid why and a solid understanding of what we're doing, we can get through anyhow. So truth and meaning are critical to our survival, and so here's a quick video; I'll just give you a quick sneak peek of Ronnie James Dio, and he's talking about truth.

[Video] "...the truth..." [Music]
So not all of you may have gotten that reference, but now I know where all the metalheads are in the room. So the lyrics of that song, it's a song called Holy Diver, the lyrics are: "Between the velvet lies there's a truth that's hard as steel; the vision never dies, life's a never-ending wheel." So I think there's a lot of wisdom in some of these old rock and roll songs, and essentially what he's saying is the more you can live in accordance with reality and what is true, the happier and more successful you are, and the greater chance you have of finding meaning. All right, so meaning and truth are critical.

In this next video Bill and Ted are in heaven, and they're at the pearly gates and they're trying to get through, and so when they're at the pearly gates they're asked a question, and the question asked in this video is "what is the meaning of life?" Just like every cowboy... so they're reciting lyrics from a Poison song called Every Rose Has Its Thorn. And again, living between the dichotomies, finding meaning and truth, that's the whole point of this concept, right?

All right, moving on. So now I'll show how this principle applies to security. Often when you're making calls to a RESTful API there will be lots of results to return. A default limit, called pagination or paging, is usually implemented to prevent a massive response with thousands of results, in order to make responses easier to handle. So it's a mechanism employed to impose order on chaos. Pagination is like perception; our perception serves this function for the Human API. So here's some more brain science: it's not necessarily reality that shapes us; it is the lens through which our brain views the world. It is our perception that shapes our reality, which is great news, because if we can change our lens, not only can we change our fulfillment, but we can change all personal and business outcomes at the same time. So that's a powerful concept. Let's define our goals that will get us down this path.

So let's revisit our perception of security. The Latin root of security translates to "without care" or "without anxiety." Security literally means without worrying. Security is the ability to do whatever is meaningful, unimpeded by an opposing force. Security exists to defend the organization and its people. Everyone can be secure and everyone can be defensible. The goal is to be okay no matter what. It means accepting the notion that it's no longer possible to keep the bad guys out of our networks entirely. It means that you're prepared to respond quickly to restore operations when it does happen. So this doesn't mean abandoning all tenets of traditional defense; it means accepting that despite how many resources you expend trying to keep malware and bad guys out, all this can be undone in a flash. Sounds like that order and chaos thing, huh?

All right, next piece. So security is an infinite game as opposed to a finite game. There is no static goal to cybersecurity. There is no finish line; there is no ultimate destination; there is no cyber nirvana, until there are no longer people who use the cyber domain for bad things. Companies must understand this and resolve to be fully engaged in this battle. So this next bit I'm going to quickly introduce, in five lessons, is from the Cyber Avengers playbook, so check it out at thecyberavengers.com.

Lesson number one: security is not optional. Information security is now a critical part of business, and a failure to adapt is not an IT problem, it's a business problem. An organization is like an arch, and security is that center keystone that holds everything together.

Lesson number two: if your company has a computer or data, it is a target for attackers, even if you don't think your data is valuable. Ransomware has proved this for us. And then the MalwareTech blog says: just because you're not important enough to be a target doesn't mean you're not insecure enough to be collateral.

Lesson number three: patch and update. Install security updates, run patches as often as possible. I know some of us work in environments where that's not possible, where you're stuck with legacy systems and they can't be updated; you're the extreme case, but as often as possible, patch and update. Patches are no good at defending against vulnerabilities if they're not applied correctly.

Lesson number four is really simple: back it up. If you have data that you want to keep, back it up, and the key part is to have someone that's responsible for making sure the backups are happening, and then, when something has happened, that they have the ability to restore operations.

Lesson number five: constant vigilance. This is how you play the infinite security game; this is how you stay ahead of adversaries: constantly patching, constantly updating, and doing everything you can to be proactive instead of reactive. So we're going to go over a couple of those models here in just a second, but the way you play this constant vigilance infinite game is to continue to practice good principles, defense in depth, and then we will get to a stable condition where we continue to do what we need to do.

All right, so this last piece right here: like I said earlier, it's time to take IT from just being cyber scared, from being an IT problem, to making it an organization or business problem. So it's time to invite cybersecurity to sit down at the table, and then they can be part of the risk management and budget conversations, to make sure these things happen at a pace and at a budget level that's not going to just drain the organization, because cybersecurity can be a money pit; it's important to keep it alive and manage it appropriately.

All right, so this next section is about structures that get our security culture from basic to mature. So the Tao solution to the basic and mature dichotomy is risk, threat and maturity assessments. Each of these models is different, and this topic deserves its own talk, but time is limited, so I'll just briefly introduce the concept. So these models will help you assess your current status and help you determine if the risk level is acceptable, and plan budgets accordingly. Here's an example of Batman's threat model. So he's got his assets and his protection and threats all lined up nicely, and then he's got little risk levels, and there's the legend down there: low risk, medium risk and high risk. This is perfect; this is a really simple threat model system. And then I'm going to introduce, just very briefly, a couple more models. So this one was on Krebs on Security; Krebs posted this maturity model. Not only can you see the red parts, where things are vulnerable and need to be fixed, it's a good map for being able to see at a glance what's going on in each different department and what their security levels are like. It shows how to take attitudes from a basic organization to progressing to advanced. And then this model right here takes an organization from reactive to proactive. Pretty simple stuff.

All right, the next section we're going to shift focus to is the relationship between the IT department and the end users. So rule number one is: end users are friends, not food. Or, to restate it, end users are friends, not foes. So end users will behave as authorized adversaries if treated as such. So to keep this bit at the top of mind, we're going to add humans as layer 8 in the OSI model, the carbon layer. So these sensors are configurable to form a resilient defense. For this section I'm going to use tweets from real information security pros to teach a few security principles, so let's look at some examples.

Sometimes we forget who our user is. As security professionals, sometimes we are so proud of this security baby mobile thing that we made that we forget what it looks like to the end user, and they end up staring up at the rear ends of these stuffed animals. And sometimes when we're delivering a product, like the comic over there on the right, it goes through all the various departments, and the bottom right is where the customer wanted a tire swing, although through the different departments there's a mistranslation of what they thought the user actually wanted. So perception and perspective are important.

All right, this next piece comes to us from SwiftOnSecurity, and don't worry, I'm not going to read the whole thing, I'm just going to tell the story. The story is that a grandparent wanted to watch a video of their grandkids and inadvertently downloaded malware. They didn't want to get malware; they just wanted to watch videos. So this thing teaches us three points. Point one: if users feel beat up over security measures, it's 95% fixable through design changes in the interaction. Sounds like that Human API thing we're talking about. Point number two: users' machines that are provisioned with all the tools they need won't go download adware and spyware-bundled programs from shady sites. Point three: seek to understand. Know user goals and know what they need, and provide it. If we understand user motives, we can deliver security in a way that sticks.

All right, this next example, on the right, Dude Man For Win relates a bit that may sound familiar, and this is malicious compliance with phishing email training. So he relates a story where he fell for an internal phishing campaign, was sentenced to one hour of security detention, and so to avoid going through this again, to avoid being thrown in the security violation "boo box" again, and to put off undesirable tasks, he just simply doesn't open emails from management anymore. And so when they ask why he didn't respond to emails, he just says, "I was being careful of phishing," and he does that to dodge work. So when poor security awareness training is implemented, it'll lead to these poor results. So using security training as punishment and shaming users is not a good plan.

This next piece comes to us from Jeff, another infosec pro, and he questions the effectiveness of canned phishing attacks. So I'm not saying don't do them, I'm just saying do them better. And what he suggests here is an honest security walkthrough by security teams and security professionals, teaching exactly what a real-life phishing scheme looks like. Teach it in detail, teach them how to spot things, and that way they're not going to be caught by the obvious ones. So the important part is to build relationships with our end users to where they trust us and we trust them. Mutual respect comes out of it, and then they all get better at being one of our best defenses.

All right, so this is my last bullet in my attack plan, and this is the prime directive. [Music]
"Party on, dudes." So Bill and Ted, it's my favorite movie. I'm going to quickly break down the prime directive into two parts. So the first one is "be excellent to each other," and this is simple; it's restating ancient philosophy: love thy neighbor as thyself; do unto others as you would have others do unto you. It means you help, serve and sacrifice for others. That's easy; that's what being a leader is. "Party on, dudes" is a little more nuanced. I think the sentiment "work hard, play hard" is misguided and sounds like you're constantly pedal-to-the-metal either way; it can lead to burnout. So I think we would be healthier, more fulfilled, and we'd find that we stay on the straight and narrow path if we work smart and play always. "Party on, dudes" means that people are going to wonder if we're working or playing.

So this is my final piece, this is my final admonition. Meaning emerges from chaos and order when impulses are regulated, organized and unified. Meaning emerges from the interplay between the chaotic possibilities of the world and the ordered value structure within that world. If the value structure is aimed at the betterment of being, the meaning revealed will be life-sustaining; it will be the antidote to chaos and suffering, and it will make everything better and it will make everything matter. So do what you must do to faithfully continue to keep the machinery of the world running. And finally, I'll conclude with the words from a former president: as security professionals, we are today...

[Video] "...excellent to each other."

All right, that's all, thank you. Sure, we have time for questions. Oh, you need socks? Day one socks. I see how this works. All right, go ahead. Oh, very cool, good, thank you, right there.

[Audience member] I heartily agree that trust is one of the key factors in working with your users, but my overarching question is: how do you build that trust? And I know you could probably do a talk for hours on that, but do you have any tips on how to build trust? Because I know, with perception being reality, sometimes they don't see the efforts you're putting forward to build that trust. So how do you build that trust, taking into account perception with your end users?

[Ty] That's a really good question, and it's a lot easier to talk about than it is to implement. But communicate with them. In my current facility we're separated from our users by quite a way; we're still in the same building, but it's far enough. But every so often I'll go down, like, "hey, we're pushing this new thing," and give them a heads-up for it, like, "hey, this is what we're expecting, this is why," and I'll explain to them the meaning behind it and why it's important and how it benefits them. And if, you know, the sales team understands that "hey, this is going to help me make more money," they're usually all right with it. They may complain, there may be some implementation issues to begin with, but if they understand what's happening and why, it usually goes much better. So simply explain to them why, and interact with them, and the more they see, the more they know that you care about them, and that when you are making implementations in order to help them, they're usually more responsive.

[Audience member] So how do you help when the co-worker just doesn't get it when it comes to phishing attacks?

[Ty] That's a tough one. There are very click-happy people. It's a tough one because you're trying to get someone to care about something that they feel is in the way of their job. And whenever I feel like I'm doing well with security, I'm really humbled when I go through the airport and have to go through the TSA facility, so you remember what it's like being an end user in that regard. And so behavior, when it's taught and they change their attitudes about it, it'll stick. And so in order to get them to care about something, you need to incentivize it positively and not negatively. So if that comes in the form of bonuses or whatever, positively reward the good behavior that you want to incentivize. So rather than user shaming, or saying "hey, you guys that failed, you get more security detention," positively reward the people that do well, and so you make an incentive to do well on it, and they usually respond better. Does that help?

[Audience member] Last question here. Training or awareness: what would you implement in cases for big organizations, or does it even make a difference? Is it the same for you?

[Ty] If I understand your question, you're asking what's the difference between awareness and regular training, and which would I recommend: regular training for the employees, for example, or just awareness for end user security training, and what do I recommend? Is that your question?

[Audience member] Yeah.

[Ty] Okay, cool. If it's entertaining, it's going to stick. A lot of security training is just boring, and so there are a couple of vendors out there that do exciting, encouraging, gamified training, and I think that's really the key: if you can gamify the training it usually is a lot better, and it's usually a lot more well received and people remember it, rather than trying to just pound through the computer-based training, you know, fail the quiz a couple of times and then learn from the mistakes and then take the quiz and then pass it at the end and then forget about it. So just canned computer-based training usually isn't effective, but something that you would enjoy taking is usually something that an end user would be good with. So the trick is finding a company that does it, but there are some out there. Well, thank you. [Applause]