Like Share and Subscribe: Effective Communication of Security Advice

Transcript

1. like, comment and subscribe: effective communication of security advice @Sereeena

   | LinuxConfAu 2020

2. jingeri jingeri jingeri jingeri jingeri jingeri

3. None
4. None
5. None
6. None
7. None
8. None

9. Infosec

10. Tech Infosec

11. Everyone else Tech Infosec

12. everyone deserves security.

13. People who do the “right” things People who do the

    “wrong” things supply chain 0days XSS vulns lack of 2FA adoption old operating systems password reuse

14. People who do the “right” things People who do the

    “wrong” things

15. “I can’t help you”

16. security is hard people are bad at security

17. People who do the “right” things People who do the

    “wrong” things

18. what if we didn’t give up?

19. People who do the “right” things People who do the

    “wrong” things

20. security is hard people are bad at security

21. “I don’t think about security” ↓ “I’m used to insecurity

    and lack of privacy” ↓ “I consume tech but don’t demand privacy or security” ↓ “I make tech but security isn’t top of mind” ↓ “I care about security but no one else cares… no funding/support” ↓ “Why are there bugs and vulns everywhere???” The system enables security problems

22. Everyone else Tech Infosec

23. None

24. 1. Who are these people? 2. What advice should we

    be giving them? 3. How do we communicate this advice?

25. PART ONE PART ONE PART ONE PART ONE PART ONE

    WHO IS “EVERYONE ELSE”?
26. None

27. group one group one group one group one group one

    group one

28. I Ion, R Reeder, S Consolvo. “...No one Can Hack

    My Mind”: Comparing Expert and Non-Expert Security Practices. In Proceedings of SOUPS, 2015. “Visit only websites you know” “Change passwords often” “Use antivirus”

29. group two group two group two group two group two

    group two
30. None
31. None

32. Don’t reuse passwords

33. None
34. None

35. –“Sally” “I know I shouldn’t do this, but I cycle

    through two or three passwords for all of my accounts.”

36. –“Sally” “I know about password managers, I just haven’t gotten

    around to it yet. It seems like a big time investment.”

37. –“Sally” “I’ve been meaning to change my passwords, but my

    current password system is just so memorised.”

38. ←“Sally”

39. “asking for a friend”

40. None

41. Our (rough) personas • Those who are confused about what

    to do • Those who know what to do but not how to implement it

42. PART TWO PART TWO PART TWO PART TWO PART TWO

    WHAT ADVICE DO WE GIVE?

43. –Interview participant 6 “Which program do I need to install

    to be secure?”

44. Security is like exercise • There is always room for

    improvement • Must be customised to the individual’s needs • Must be habitual and ongoing

45. incremental incremental incremental incremental incremental incremental

46. None

47. What is running? Let’s do a marathon!

48. What is security? Change ALL the passwords and put them

    in a password manager!!!11!1

49. Old software Accept the next update

50. Same password for everything Just change your email password

51. Unique passwords but memorised Try a password manager

52. the perfect is the enemy of the good

53. personalised personalised personalised personalised personalised personalised

54. Technological capability Privacy needs Likely adversaries Not comfortable with technology

    “I am in hiding” Script kiddies Can quit vim “I need to be visible” Nation state

55. Lean on the familiar • Store passwords in browser …

    or a notebook • Rely on smartphone • End-to-end encrypted chat apps Technological capability Not comfortable with technology Can quit vim

56. Technological capability Not comfortable with technology Can quit vim Customise,

    try new stuff • Independent password manager • U2F keys • Ok, fine, you can tell them about PGP

57. Be a minimalist • Turn off location permissions • Strict

    privacy settings • Compartmentalise • Regular follower/friend purging Privacy needs “I am in hiding” “I need to be visible”

58. Obfuscate • Remove metadata / information in the background of

    photos • Use scheduling to hide activity patterns • Separate public / private personas “I am in hiding” “I need to be visible” Privacy needs

59. Use generic protections • Unique passwords • App-based 2FA Likely

    adversaries Script kiddies Nation state

60. Get specialist advice • Don’t take advice from a talk

    slide • Introduce them to someone who knows what they are doing • Seek !! professional !! help !! Likely adversaries Script kiddies Nation state

61. Technological capability Privacy needs Likely adversaries Not comfortable with technology

    “I am in hiding” Script kiddies Can quit vim “I need to be visible” Nation state

62. Personas by the Open Internet Tools Project; illustrations by Rob

    Vincent

63. habitual habitual habitual habitual habitual habitual

64. Lay a path for progression

65. Couch to 5K for security

66. Update your email password Get a password manager Turn 2FA

    on for your email Turn 2FA on for Facebook, Twitter, LinkedIn Save current passwords to manager Update passwords with manager Put a passcode on your phone Update passwords with manager

67. Effective security advice • Make it incremental • Make it

    personalised • Make it habitual

68. PART THREE PART THREE PART THREE PART THREE PART THREE

    HOW DO WE COMMUNICATE?

69. “Tell, sell, and shame” doesn’t work.

70. “Tell, sell, and shame” doesn’t work.

71. reactance theory AKA don’t tell me what to do

72. Direct instruction harms the feeling of autonomy

73. Lead by example

74. “This is what I do and I would recommend it

    to you”

75. “Tell, sell, and shame” doesn’t work.

76. A. PERUSCO, N. PODER, M. MOHSIN, G. RIKARD-BELL, C. RISSEL,

    M. WILLIAMS, M. HUA, E. MILLEN, M. SABRY and S. GUIRGUIS, Evaluation of a comprehensive tobacco control project targeting Arabic-speakers residing in south west Sydney, Australia, Health Promotion International, Vol. 25 No. 2, 2010

77. A. PERUSCO, N. PODER, M. MOHSIN, G. RIKARD-BELL, C. RISSEL,

    M. WILLIAMS, M. HUA, E. MILLEN, M. SABRY and S. GUIRGUIS, Evaluation of a comprehensive tobacco control project targeting Arabic-speakers residing in south west Sydney, Australia, Health Promotion International, Vol. 25 No. 2, 2010
78. None

79. ىبرع

80. 5.3% decrease in smoking prevalence 7.8% increase in smoke free

    homes A. PERUSCO, N. PODER, M. MOHSIN, G. RIKARD-BELL, C. RISSEL, M. WILLIAMS, M. HUA, E. MILLEN, M. SABRY and S. GUIRGUIS, Evaluation of a comprehensive tobacco control project targeting Arabic-speakers residing in south west Sydney, Australia, Health Promotion International, Vol. 25 No. 2, 2010

81. Give people successful examples to emulate

82. FOR EXAMPLE !

83. “Tell, sell, and shame” doesn’t work.

84. Tech has a pervasive culture of shame

85. None
86. None

87. “Windows XP”

88. None

89. –Interview participant 3 “I googled it, and kept installing antivirus

    programs until one worked.”

90. Shame culture means people don’t ask for advice

91. Obligatory xkcd: https://xkcd.com/1053/

92. “Can I show you a better way to do this?”

93. How to communicate • Veer away from the culture of

    shame • “Can I show you a better way?” • Show, don’t tell • Lead by example • Give people a script to navigate social situations

94. “Tell, sell, and shame” doesn’t work.

95. “you are literally telling us what to do”

96. Let’s walk the walk

97. What is something that has significantly changed my behaviour?

98. “influencers” • Showing, not telling • Gives people the choice

    to opt in (or out) • Shows their mistakes, imperfections • Outlines routines, gives people steps/script to follow • Lots of different people to follow, can find one you relate to
99. None

100. PART FOUR PART FOUR PART FOUR PART FOUR PART FOUR

     SERENA BECOMES A YOUTUBER???
101. None

102. I made a security YT channel, AMA • I made

     some average videos • They were cringeworthy • The experiment lasted 3 months • YouTube + full time work is HARD, how does SimplyNailogical do it???

103. I made a security YT channel, AMA • Immediately fell

     back into the habit of TELL, SELL and SHAME • Most successful video was me going through my conference bag before Kiwicon

104. What I learned • To reach and connect with people

     requires vulnerability • My brain was screaming, “BUT OPSEC”

105. The paradox of personal security

106. What else happened • Friends and colleagues started asking me

     about security • I got over myself • I showed people, IRL, my personal setup, and how I got there • I was honest about how hard it was

107. What else happened • A lot of them were already

     clued up about what to do • Seeing someone they knew IRL do the Good Security allowed them to make the leap

108. Be vulnerable

109. I SWEAR THIS IS ALMOST OVER I SWEAR THIS IS

     ALMOST OVER I SWEAR THIS IS ALMOST OVER I SWEAR THIS IS ALMOST OVER I SWEAR THIS IS ALMOST OVER SUMMARY

110. everyone deserves security.

111. “I don’t think about security” ↓ “I’m used to insecurity

     and lack of privacy” ↓ “I consume tech but don’t demand privacy or security” ↓ “I make tech but security isn’t top of mind” ↓ “I care about security but no one else cares… no funding/support” ↓ “Why are there bugs and vulns everywhere???” The system enables security problems
112. None

113. Update your email password Get a password manager Turn 2FA

     on for your email Turn 2FA on for Facebook, Twitter, LinkedIn Save current passwords to manager Update passwords with manager Put a passcode on your phone Update passwords with manager

114. Technological capability Privacy needs Likely adversaries Not comfortable with technology

     “I am in hiding” Script kiddies Can quit vim “I need to be visible” National state

115. –Interview participant 3 “I googled it, and kept installing antivirus

     programs until one worked.”

116. Obligatory xkcd: https://xkcd.com/1053/

117. Lead by example

118. None

119. Be nice to people

120. thanks! be nice to me @Sereeena reading & references: serena.nz/talks/like-share-subscribe-references/

     a lil’ worksheet: serena.nz/work/purplecon-worksheet.pdf