
Fighting User Apathy and Indifference

BSides Scotland · 2017 · 41:47 · 47 views · Published 2017-04
About this talk
A penetration tester argues that the standard responses to social engineering — buying more technology or running yet another security awareness training — are band-aids that don't move the needle on user behavior. He proposes borrowing from marketing: treat internal security communication as a campaign, partnering with marketing teams, consultants, or even marketing interns to actually sell security to employees. He also critiques punitive approaches like phishing gamification that punish failure rather than motivate engagement.
Transcript [en]

hello everyone thanks sir I've got to stand next to this thing then can you hear me if I walk away thanks for coming to my [Music]

[Music] wife's go then check that out yet to cancel then I wanted to talk about a way I think that maybe we can we can fight this problem we'll loop back around to some more complaining then we'll have some open discussion some question and answer which officially will last a few minutes unofficially it's going to last the rest of my life that I ruined everybody on board already miss to talk cool this is not like a dense informationally you know intensive talk it's me up here talking about this idea I had for like a half hour and then we go and have some snacks problem so mighty news replication difference I'm a penetration tester a member of the red

team at SecureWorks and like a lot of penetration testers I have a compulsive need to tell you that I'm a penetration tester and then talk about penetration testing for a while so let's do that how did I get here how did I get to be up here complaining about user apathy and indifference penetration testing it's one of the things that there's always some debate about how to define it what it really means same thing with red team testing but essentially I'm a fake criminal for hire I test security I test things by trying to break the rules it's the best job there is it's the best job out there I don't know what your job is

but sorry mine's better with most penetration tests they are focused on a specific area of an organization's security whether that's the internal network or the external network wireless is it good lots of different stuff each can provide value to the organization they can identify weaknesses but they are inherently restrained they're restricted to whatever is being tested an external penetration test is only going to test the external network with a red team test we get to take the gloves off of it we get to get a bit more into the role and it's really pretty simple I'm a bad guy you have something that I want to steal I don't know what it is maybe

it's credit card information maybe it's personal health names business secrets whatever it is I want it so I'm coming for you now I don't want to go to jail so I'm going to try to choose attacks that well I think are effective they fall within my level of acceptable risk they're not going to be noticed they're not going to be caught

awesome I'm also lazy I don't want to work too hard stealing your stuff sue and yourself at the business for me I'm not looking to waste resources I go with cheap and effective for me the attack is going to trump something that's flashy and expensive and finally I don't feel any real need to play by your rules I don't feel the need to just stick to just the external or just the wireless everything is in scope and as your bad guy I'm going to use whatever works so what we know works with a disturbing degree of reliability is attacks against the user social engineering USB key drops tailgating into the building phishing the

user is a weak point users are a weak point in your defenses and that's something that we'll exploit that's something we'll take advantage of we will find someone at your organization having a bad security day and we'll leverage that in pursuit of stealing all your stuff and yeah that's a lot of fun but I'm not really a bad guy and you're not paying me to just break in a call smogon American I need to provide some sort of like actual response some sort of recommendations on how you can stop whatever attacks were successful during this test and traditionally the recommendations that we provide tend to fall into a couple of different groups I've wandered away from the podium and

Jey flies and I have the thing that lets me change slides as I carry it around I'm going to keep leaving it here the first which is well I think of as technological solutions and we like these these are comfortable a user an employee allowed tailgating in the building you should buy and install a turnstile phishing was effective this is the secure email gateway 9000 plug it into your network something bad happened buy this thing it'll make it better we like these because as technology enthusiasts these fall in line with our way of trying to solve problems yeah they can be expensive but it's something we can control the problem is that for a large part what we're doing here is treating the

symptoms we're putting some band-aids on some bullet wounds we have here yes they work they do you know stuff they do what they're pretty much supposed to do the best they can but they often end up being more of a speed bump to an attacker rather than that brick wall that we're all hoping for all right what else do you recommend user education I love this we'll say provide your users with information security awareness training information security awareness training I die just a little bit inside secret honest it and I say it's white I don't know what but information security awareness training undeniably it's a good idea it's critically important that we can't you

can't afford like mass ignorance of the topic but everyone hates it everyone even we as security professionals don't like security awareness training so much so that in a lot of places what have we done we've taken the whole thing and we shoved it over to the human resources department here you deal with it information security awareness training has turned into a 40-minute PowerPoint slide deck that you click through as fast as you can it's next to the ethics training and the annual harassment training this is what we've done with them and sadly I guess it's working as intended let's talk about not here the human resources department at your organization exists to protect the

company from the employee so in that regard the information security awareness training is doing exactly what they wanted it to do because when one of these users inevitably after receiving training clicks a link in an email well now you can you can reprimand them you can yell okay so do a live demo of how that light though yell meow scary well dad gore pointing right at you much that like can you help me out that night ah so in this scenario a user who's click pumping I've come dealing Eric off amen he clicked the link in that phishing email why why did you do that who told you remember eight months ago you took that training that said hey don't

do that promise alright well I mean the CFO clicked the same link so try not to move again all right yeah that's it thank you that's essentially what it's coming down to it's a way that we can get people in a little bit of trouble if they don't follow the rules so we're fighting a battle here how does it look like we're doing do we have technological solutions are they expensive and do they annoy our users yeah that's how we know they're working we have user education is it boring yeah that's how we know it's educational right the users they're informed they know but they don't care they don't care enough to act and some

of the problem is that we as information security professionals we're not good at making people care about me Computers Computers are still tricky but getting juven very actual people to care about something it's a bit outside our core skills

we need to approach this problem in a different way clearly what we're trying yeah it's working you know what it's supposed to do but it's going to continue to be a problem we can get back a bit what we have is a nice probably relatively simple idea something that our users could do that would make security better everybody needs the magic don't click every link in the email that you get choose a complex password and user awareness training we've tried to logging Lee gently force them to do it with the technological solutions we have it trying to sell it there's like that's gonna get burned the Nexus showing this to them once in a

while but get this message out there get it engraved so that they can't stop thinking about it stop working about it squeezing this muffin fair to Gloucester doll we might be we should enlist the help of marketing professionals to sell security to our users marketing professional marketing is telling people about an idea and then getting them to act that's like exactly what we want and all right yeah it's not it's not a completely new novel idea people look on the internet to find references to it going back for years but it doesn't seem to be either widely implemented or well in connected but that doesn't mean it's not a good idea you can see how you might hear about it

and say use marketing to sell security to users okay that makes sense but marketing is not what I do and then the idea sighs when we head outside there we go when you head outside I see advertisements billboards logos everywhere you watch television there's commercials product placement you go on the internet and you're not using an adblocker some regional advertisements when you head into the office that is where advertising pretty much drops off hopefully penny will work and what we have is more of a blank slate this is where we could target our reach our target audience this is where we have an opportunity on every blank wall and every screen on every internal

website to get this idea this simple security idea in front of the users not look here during training you can be in front of them every day and marketing marketing can help ensure that this message is communicated effectively effective communication we'll talk more about that in just a minute after these messages yeah that's a commercial break in my talk at the time you guys try this one this is this is a pretty good son I can't get it back in the States but I'm hoping to get a sponsorship deal all right fine maybe I should not define it's not actually intermission going no one get up and leave can hardly look at me I've had too much sugar as it is I

possibly too much caffeine today what do we got all right let's say for the sake of argument that you don't think I'm crazy you like this idea maybe you think well how can we possibly get it going in my organization I've been thinking about that too we have so much in common we should hang out how can we do this of what option make looking we can do it internally it's quite likely that wherever you're working has some sort of marketing personnel already working there maybe you could look to them elicit their help in developing an internal information security marketing campaign they understand your corporate culture they know what resources you have available maybe a good working

relationship anything happen place all of that I'm not disappear saying like everything's great clear problems possibly coming up primarily is that working on your security campaign is probably not their job they have their own marketing stuff to do that's presumably making the company money what else it's going to cost a certain amount of money to do this who's paying for this whose idea was this who hates this idea who's fighting with the people who love or hate this idea corporate politics always fun to feel it it's something where you'll need to have done your homework try to find someone on the marketing team where you can you know get their buy-in come at it from two

directions find a champion in marketing that seems to be what's needed to get anything done in a large organization have your arguments ready as to why this is going to help solve a problem that your company is having okay well look we hired an outside consultant to do this work speaking as a consultant hiring a consultant is often an excellent idea the Eclipse you could contract a company find a company that has the experience in both marketing and security to come in and help identify problems and weaknesses and build that information security marketing campaign you could maybe try to fly past some of the internal politics you don't need to pull from your marketing team

there are still obviously some problems potentially consultants at the very least cost money I don't know I didn't do the math but there's not a line item in the budget who's going to pay for this decisions need to be made we're back at politics so I think consulting is a pretty good idea and you may be thinking this guy works at SecureWorks Brandon Ellis lies is he about to stand up here and say that SecureWorks has a brand new service offering where we come in and do marketing no no we're not going on sighs I'm pushing for it maybe we will someday but we'll see how convincing my arguments are to the bonkers finally a third way thinking

about this what I think has a good deal of merit couch college interns college school sydney university students happen to be here sweet not here marketing students that's what we need we can bring in a marketing intern and for that semester or whatever you have here they would be more than just bringing the marketing department some coffee and doughnuts they would work to develop an internal marketing security campaign if right now you've got nothing literally anything these students do would be better than the nothing that you have your team could provide what you want them to sell as well as various help and resources the marketing department could help out providing guidance and direction this benefits the

organization because they get some kind of security campaign it benefits the intern who would get some unique experience in a fairly up-and-coming line of work it would benefit you if your users just stop clicking on things for five seconds while they're looking at whatever this kid made and then helping us out at the end of the day they are so right now it should be fairly obvious to you that I'm just some hacker standing up here saying like hey I got a good idea go forth go out there and talk to marketing and good things will happen I promise I'm going to stay safe over here in my consultant problem not talk to strangers because they're scary yeah I didn't want to be

completely hypocritical coming up here talking about that so I tried it myself I went out to a member of our own security marketing team I went out to local colleges in the Chicago area where I live and hunted down marketing professors I wanted to get their professional input I wanted to say I have this idea do you think it has merit what potential problems do you think we may have in trying to pull this off if we were to try it what potential issues what can we do to maybe make it more successful there could be big problems I would just have no idea cuz I'm not in marketing I didn't go to

school for it it's never been my job I'm standing up here saying it's a great thing I also wanted to do this so I would have the experience I think I didn't know these guys I didn't have introductions never met them before I wanted to know what it would be like approaching strangers with an idea I had and say you know how would it be to try to interact with anything and get their involvement so I came to make his questions and they said larger now instead I get that along they said overwhelmingly each one I spoke to was interested they thought the idea had merit they offered their inputs or recommendations and perhaps even

funny they expressed an interest in continuing to work with me in the future developed appeared to say like a good idea to get out of here I mean I'm 40 so they're not going to call me okay but still it was right to the madam and it's something that really inspired me to Achilles this isn't just me Daniel you're saying hey I think this is a good idea it's me and also a couple guys over in America that you don't know and I'm coming over here to back me up what can you do so not as if a critical as I would have been otherwise that's what loop back around to effective communication by possible that this idea

of marketing security is already in play in your organization being used to try to fight off this user apathy and indifference I get to I'm lucky enough I get to visit a lot of companies and see what they got going on in security watch sometimes they even knowing they're doing that but I've seen a few things and some stuff I like and some stuff I don't like one of the things that I found people doing more and more it seems pretty cool is the gamification of phishing detection this is where anyone please you this any one company yeah all right good um hopefully you don't like completely disagree with me as I continue to talk so this is where users

are encouraged to report suspicious emails not just because that training said you should totally do that but because there's some sort of competition some sort of contest they can possibly win some sort of prize and when it's presented to the users it's not a footnote on a PowerPoint slide deck it comes out with a little bit of excitement it gets users thinking like hey I could win some maybe not too shabby prize by just reading my emails and complaining about stuff reading and complaining about this is pretty much all of you anyway so but various people I talk to about that has been deployed in your organization the texts attention analogously rave but it's definitely

they've seen certain benefits of it and it's an example of a security idea that has been marketed better you know we've already told them like report this suspicious email and they weren't really doing it but it took that instead lows let's work with the human condition a little bit let's work and find a way to try to get people to you know actually act actually move on this simple idea that we want to do it and review concept is not working yes is there is there any reward both rom matters is just something where there's like oh they feel ya okay the history of the program is different and I've heard about programs where people win

Amazon gift cards if your team your group reports the most suspicious emails and they're even maybe ranked like these were no obvious dishes that these were actually like scary stuff and you did a good job pointing it out and your team could win prizes keep the party I don't know whatever people that who have real jobs like so it's something that I steam it I'm like that is we need more of that or at least that kind of thinking to say like what we're trying right now by just telling them to do it isn't getting the job done on the other end of the spectrum and there's probably more people with this they have a

bulletin board somewhere in your office in the break room a hallway there's a bulletin board and on that bulletin board wedged between parking regulations or just wedged between the parking regulations and whatever else is up there is a piece of paper and maybe it says like security at the top with my keyboard ID and then it says although we don't really know it says maybe it says report suspicious visitors or don't click phishing email sorry lady maybe it says who knows no no one it might as well be camouflaged I mean we all know that it's there but it's ineffective communication this is the kind of stuff that left to our own devices I think we come up

with like we need to tell people about security things all right we open up Word and change the color to red as red's important it is it's up there and nobody knows what it says yes that's not true that nobody knows what it says I know what your sign says because when I break into your organization when I break into your office and I'm creeping around the place looking the seal saw or attached up your network I look for these they make me smile I look for them and when I see them I take a picture of that or sometimes I'll take a selfie with them yeah so I'm cater behind you says if you

see something say something nobody's there I told that dangled in front of people it was delicious still nobody says anything motivating people to do any sort of action this is what you're fighting it is so you can do this I mean you can find a way to make your communication more effective to use marketing to work with them to make security better talk to marketing most known pretty good people run on keep your guard up a little bit you shouldn't feel the need in this battle you shouldn't feel like you have to be constrained to whatever comfortable solutions we've you know past and working before whatever duct tape half measures that you've tried in the past it's

clearly you know not working well enough or we wouldn't have jobs feel free to take a page from our bad guy playbook you guys should use whatever works so that's pretty much it short talk if you have fun with that I don't care but I appreciate everyone showing up I appreciate thanks BSides for letting me come and talk hopefully you're not going to just be super mad at me okay at this point discussion if you have questions I will pretend to try to answer them while desperately thinking of a way to get out of the situation if you want to talk about penetration testing clearly I cannot shut up about that if you want to talk about the

person who's currently the American president I can't because I haven't been drinking heavily but are there any questions you guys hated date me oh yeah and that's what we got we have secured in a stick potentially I mean it could just be the stick but who wants to work with a place where it's just this stick hopefully there's also some carrots we should do saying accuses aspect of the gamification like you know if you're consistently not playing the game you're failing every phishing test if you're becoming almost a liability to the company because you suddenly don't care it's punishment in order oh I've never liked the negative reinforcement again I don't have to deal with it but at a personal level I'm like

now let's not punish people it demotivates them I think rather than motivates some zzz's ok I see ok so like pushing the problem off on foot down so like they bring their own like devices I'm always really they're like either bring their phone in and then connect their corporate laptop to their phone and bypass the restrictions next thing you know that corporate laptop's popped and yeah actually I like from that happens this is me doing it thank you I the other Oh Becca now you have you all right I didn't want to have to do this what I'm sorry I couldn't understand you yeah oh

yeah I'm definitely there's a I'm sorry I'm not pushing certainly different and I think any congestion consultants full backing up in this on certain businesses or in certain fields you get a test for and it's like ours this is going to be fun healthcare you really hope that health care companies would have stuff locked down and you have my health information you know some of the scariest tests that I've done are at a hospital and I was seriously considering trying to steal a baby because that was the level of access that I again other organizations I've seen you know certain financial places they know what their issues are they've done a good

job of segmenting things off and locking them down so that it makes it a little bit more challenging for the tester really large organizations frequently have some things that they're doing quite well and you're worried as a tester for a little bit that it's going to be hard and then you find the fact that they're huge means they're screwing up a whole bunch of other stuff and you can attack that yeah definitely certain organizations or certain fields are a little bit more locked down than others but it's not a hard and fast rule there's been this surprising the crafting security pretty much everywhere you go so kiss me yeah the airport it's I mean it's an airport

security yeah we all know that is security theater same with your organization the people's it does I mean to a certain degree like you're wearing your badge on a lanyard around your neck though all the people in your organization wear them on their hips clipped there or is it wear your lanyard around your neck and that's okay one of the attacks that we use a lot in physical penetration testing when we spend the I mentioned tailgating or following people into the building we've actually moved are moving away from that because it is too easy because of the problems like this like how do I tell you how to stop that

that's not like tell people not to do that or put a turnstile in you're already you know telling you want to do that and turnstiles are expensive we'll do an attack that involves badge cloning you have you know that keen on the editors we have long-range badge readers proxmark you invite that badge so we target people coming in heading out at the coffee shop and steal the badge and make a clone and walk in and when I'm asked how do we stop that I can talk about some more technological solutions which are going to be like oh maybe move to iCLASS readers or a different badge put number pads on the doors so that

when people need to punch a code in the changes at least in the sensitive areas but something else Falls Rahman is have your folks wear their badges on the lanyard around their neck as opposed to on their side because it's hard for me to get a read by holding that up to your chest and steal your badge that way it's not a perfect solution but it makes my job a little bit harder also have badge discipline have your badge always on display while you're walking around the facility but when you leave when you go outside put it away put it in your bag so I don't know that someone sitting out GM dash he's really worked there I

don't know that's kind of I talked to Wallace we have to feed her question I'm like I'll talk about other stuff and make okay that's not good okay hyster security theater I'm not a fan professionally but regardless will it help us with what we're trying to do as far as convincing people that they need to do whatever security action that we really want them to do to a certain degree I think it might be okay if you can do something like oh we've talked about scenarios we're like tailgating happens you need to like scare everyone for a week by having like really insane entry and exit procedures and maybe don't give them all the information but

let the rumor mill circulate that there's a security problem so um you know exactly what happened but you've raised everyone's awareness by causing some hats on their life I don't know I wish I may be a curie office and they had made up mock movie posters of current movies and then they had swapped out like the curious it was like the new Mission Impossible movie but you know it's I don't want their like mission impossible not clicking links in phishing email but it was instead of that boring piece of paper it looked like you know the legit movie posters that they had up and complaceme also had like hand out free book for these I side I

stole a couple cuz they're pretty cool but exactly but you know most often think I think the Cure works probably had something else in our breakroom Jane like don't give out information over the phone and we test their people on that and for the most part yeah we don't give out information of a song which is annoying if you're calling in as an employee trying to get information out of them so yeah it does happen but I doubt in that case that it was just the security person coming up with that on her own it was more likely that she teamed up with someone in the movie studio to like hey Camille he was already working

on the idea without ever having the joy of listening to me talk for however long I've been time I uh well then I'll stop I'll leave you all to go about your day thank you so much for coming out and listening to me talk my Twitter address is up there feel free to ignore that because I haven't logged in in months but I mean check it out if you like um I work for SecureWorks I don't want to plug them too much but there's lots of you know security options out there we're also one of them so check it out thank you so much
