Automated Human Vulnerability Scanning with AVA

Transcript

1. Laura Bell Founder  and  Lead  Consultant  -­‐  SafeStack @lady_nerd  

    [email protected]   h6p:/ /safestack.io   Automated human vulnerabillity scanning with AVA

2. #BHUSA #protectyourpeople To  join  the  discussion  (but  play  nicely  please)

3. This  talk  might  make  you  feel   uncomfortable. Sorry.

4. …I  want  you  to  feel  uncomfortable

5. I  like  people

6. Border  Security ApplicaEon  Security Threat  Intelligence    

7. people  are  the  path  of   least  resistance    

8. In  this  talk The  Problem   The  need  for  and

    lack  of  human  defense   The  Tool   We  built  AVA…  and  we  think  you  might  like  it   The  Challenges   Building  human  security  systems  is  hard…      

9. we  are  comfortable  when  we  talk   about  technical  vulnerability

10. we  do  not  empathise  or  sympathise  with   machines They

     are  inanimate  objects.

11. technology  is  only  part  of  the  security  picture technology people

    process

12. technical  systems  are:     reviewed   scanned   penetraEon

     tested

13. processes  are  audited

14. what  about  people?

15. The problem  with  people

16. human vulnerability is natural

17. fear  of  rejecEon fear  of  exposure fear  of  physical  harm

    fear  of  loss

18. love

19. humans  are  sufficiently  predictable   to  make  it  suitably  annoying

        when  we  fail  to     predict  their  behaviour.

20. The  modern  approaches

21. compliance  has  us  racing  to  the  boKom

22. we  watch  video  training  or  e-­‐learning we  make  posters we

     Eck  boxes

23. Security   Awareness   EducaEon   really  sucks

24.       Posters  don’t  work     Stop  it

     already.

25. this  is  not  how  people  learn go  ask  the  educaEon

     and  psychology  communiEes
26. None

27. we  shame  the  human  vicEms  of   human  security  aKacks*

    *while  secretly  doing  the  exact  same  things

28. we  forget  that  we  are  a  connected  species

29. why  don't  we  acEvely  assess   and  test  our  human

     security   risk?

30. we  don't  test  because  it’s  too  easy

31. people  can’t  be  taught people  are  lazy people  are  stupid

32. s/people/we/g

33. we  don't  test       because  it  makes  us

     feel  uncomfortable because we don't want people to get hurt because it’s hard because  we  don’t  know  how  to  fix  it because we don't want people to get fired

34. border  devices  are  not  enough

35. AVA

36. A first generation proof of concept 3- phase automated human

    vulnerability scanner

37. Know PHASE 1

38. We don’t know what our organisations look like

39. Human security risk is magnified by connection

40. Active Directory Twitter LinkedIn Facebook Email providers People Identifiers Groups

    Relationships Data

41. Location Time stamps Sender Receiver User agent friends contacts frequency

    aliases profiles Last login Pw Expires? Disabled? Influence Admin?

42. test PHASE 2

43. Threat injection and behaviour monitoring

44. Attack vectors that mean something Email Social Networks Removable Media

    Files and honeypots SMS

45. Email attacks that go beyond phishing Email phishing Internal request

    social panic Direct request External request favour authoritative

46.   The  URL  may  be  different  on  different  messages.  

    Subject:  Security  Alert:  Update  Java  (*See  Kronos  Note)   Date:  February  22,  2013   *********************************************************** *************   This  is  an  automaNcally  generated  message.  Please  DO  NOT  REPLY.     If  you  require  assistance,  please  contact  the  Help  Center.   *********************************************************** *************   Oracle  has  released  an  update  for  Java  that  fixes  50  security  holes,   including  a     criNcal  hole  currently  being  exploited  in  the  wild.   The  IT  Security  Office  strongly  recommends  that  you  update  Java  as   User generated and publicly sourced attacks

47. Removing the boundaries between business and personal

48. Instant, scheduled and recurring Security fails when it is treated

    like a special event

49. Give the option of succeeding and reinforce good behaviours

50. analyse PHASE 3

51. Behaviour Vs. time

52. Measuring impact of training

53. And now for something a little bit different

54. Bridges, weak links and targeting

55. Pivoting and propagation

56. You know what would be fun? Predictive risk behaviour analysis

57. Technologies • Django • Postgresql • Celery • Redis • Bootstrap • Open source • GPL • docker

    • Integrates with exchange, ad and google apps for business

58. The  inevitable  demo

59. None

60. Case  studies

61. The  process • Candidate  and  volunteer  requests  submiKed  to  social  

    media  and  contacts • Volunteers  briefed • Removed  volunteers  including  children,  students  or   health  data • AcEve  directory  users  and  groups  collected  from  acEve   directory  server  and  stored  in  json  files • Json  files  processed  to  remove  personal  informaEon • Ava  know  used  to  parse  and  idenEfy  paKerns

62. You  want  to  show  this  at  BlackHat?   LOL  

    Wait,  you’re  serious?   Nope.  Nope.  Nope.  Nope.  Nope.  Nope.  Nope.  Nope.   Yes!   …  please?   …  yes?  

63. 540  people  and  idenEEes   3  organisaEons   public  and

     private  sector   educaEon  and  commerce  

64. 19  adminstrator  accounts   400  non-­‐expiring   4  groups  per

     account   35  never  logged  in   oldest  password  =  11  years   newest  password  =  3  months

65. In  2015,  why  is  this     sEll  an  issue?

66. The  challenges

67. a  public  interest  security  tool

68. ….from  everyone success  requires  engagement

69. is  this  even  legal?

70. The  law  in  this  space  is  immature

71. publically  available previously  known already  published

72. can  we  assess  human   vulnerability  on  this  scale  

    compromising  the  privacy  the   people  we  assess?

73. Privacy  is  about  protecEng  people Know Update Delete Ask  

     

74. AVA  Ethics  and  Privacy  Board ObjecEve,  RepresentaEve,  Independent,  CollaboraEve new

     members  welcome  to  apply

75. Open.  Honest.  Plain  English

76. Providing  people  with  the   informaEon  they  need  to  protect

      themselves  and  their  privacy

77. Is  this  technically  possible?

78. Building  new  things  is  hard

79. Scale  that  has  to  be  visible

80. There  is  a   reason  why   compromised   email

     accounts   have  value Can  we  simulate   aKack  aliases  in  a   manageable  way?

81. Nobody  has  Eme  for  more  appliances

82. Where  next?

83. From  research  project  to  real  life   TesEng ConEnuous  IntegraEon

    Roadmap  development Feature  development

84. Security  culture  change  as  a  service?

85. IntegraEon Google Facebook TwiKer Linkedin Microsom Slack GitHub If  you

     are  reading  this  and   work  for  these  places,  we   should  probably  talk.

86. Ethics  board Developers Testers ContribuEon DocumentaEon Sociologists UX  and  design

87. volunteers  wanted Safe   consensual   human  security   science

88. TL;DR We  have  a  people  problem   A<ackers  will  choose

     the  path  of  least  resistance  and  we  are  not  prepared   AVA  is  an  early  alpha  prototype   We  want  a  future  of  con>nuous  human  vulnerability  assessment   The  road  ahead  is  hard   Privacy,  ethics,  momentum,  security,  scaling  and  much  more    

89. Learn more or get involved hKps:/ /github.com/SafeStack/ava   now  with

     docker  build       @avasecure   hKp:/ /avasecure.com   hKp:/ /ava.rqd.org/   [email protected]  

90. Laura Bell Founder  and  Lead  Consultant  -­‐  SafeStack @lady_nerd  

     [email protected]   h6p:/ /safestack.io   Questions? #protectyourpeople