Automated Human Vulnerability Scanning with AVA

Laura Bell
Founder and Lead Consultant -‐ SafeStack
@lady_nerd [email protected]
h6p:/
/safestack.io

Automated human
vulnerabillity
scanning with AVA

View Slide

#BHUSA
#protectyourpeople

To join the discussion (but play nicely please)

View Slide

This talk might make you feel
uncomfortable.

Sorry.

View Slide

…I want you to feel uncomfortable

View Slide

I like people

View Slide

Border Security

ApplicaEon Security

Threat Intelligence

View Slide

people are the path of
least resistance

View Slide

In this talk
The Problem
The need for and lack of human defense
The Tool
We built AVA… and we think you might like it
The Challenges
Building human security systems is hard…

View Slide

we are comfortable when we talk
about technical vulnerability

View Slide

we do not empathise or sympathise with
machines
They are inanimate objects.

View Slide

technology is only part of the security picture
technology people process

View Slide

technical systems are:
reviewed
scanned
penetraEon tested

View Slide

processes are audited

View Slide

what about people?

View Slide

The problem with people

View Slide

human vulnerability is natural

View Slide

fear of rejecEon
fear of exposure
fear of physical harm
fear of loss

View Slide

love

View Slide

humans are suﬃciently predictable
to make it suitably annoying
when we fail to
predict their behaviour.

View Slide

The modern approaches

View Slide

compliance has us racing to the boKom

View Slide

we watch video training or e-‐learning
we make posters
we Eck boxes

View Slide

Security
Awareness
EducaEon
really sucks

View Slide

Posters don’t work

Stop it already.

View Slide

this is not how people learn
go ask the educaEon and psychology communiEes

View Slide

View Slide

we shame the human vicEms of
human security aKacks*
*while secretly doing the exact same things

View Slide

we forget that we are a connected species

View Slide

why don't we acEvely assess
and test our human security
risk?

View Slide

we don't test because it’s too easy

View Slide

people can’t be taught
people are lazy
people are stupid

View Slide

s/people/we/g

View Slide

we don't test

because it makes us feel uncomfortable
because we don't want people to get hurt
because it’s hard
because we don’t know how to ﬁx it
because we don't want people to get ﬁred

View Slide

border devices are not enough

View Slide

AVA

View Slide

A
first generation
proof of concept
3- phase
automated
human vulnerability
scanner

View Slide

Know
PHASE 1

View Slide

We don’t know what our organisations look like

View Slide

Human
security
risk is
magnified
by
connection

View Slide

Active Directory
Twitter
LinkedIn
Facebook
Email providers
People
Identifiers
Groups
Relationships
Data

View Slide

Location
Time stamps
Sender
Receiver
User agent
friends
contacts
frequency
aliases
profiles
Last login
Pw Expires?
Disabled?
Influence
Admin?

View Slide

test
PHASE 2

View Slide

Threat
injection
and
behaviour
monitoring

View Slide

Attack vectors that mean something
Email
Social Networks
Removable Media
Files and honeypots
SMS

View Slide

Email attacks that go beyond phishing
Email
phishing Internal request
social
panic
Direct request External request
favour
authoritative

View Slide

The URL may be different on different messages.
Subject: Security Alert: Update Java (*See Kronos Note)
Date: February 22, 2013
***********************************************************
*************
This is an automaNcally generated message. Please DO NOT REPLY.
If you require assistance, please contact the Help Center.
***********************************************************
*************
Oracle has released an update for Java that fixes 50 security holes,
including a
criNcal hole currently being exploited in the wild.
The IT Security Office strongly recommends that you update Java as
User generated and publicly sourced attacks

View Slide

Removing the boundaries between business and personal

View Slide

Instant, scheduled and recurring
Security fails when it is treated like a special event

View Slide

Give the option of succeeding
and reinforce good behaviours

View Slide

analyse
PHASE 3

View Slide

Behaviour Vs. time

View Slide

Measuring
impact
of
training

View Slide

And now for something a
little bit different

View Slide

Bridges, weak links and targeting

View Slide

Pivoting
and
propagation

View Slide

You know what would be fun?
Predictive risk behaviour analysis

View Slide

Technologies
• Django
• Postgresql
• Celery
• Redis
• Bootstrap
• Open source
• GPL
• docker
• Integrates with exchange,
ad and google apps for
business

View Slide

The inevitable demo

View Slide

View Slide

Case studies

View Slide

The process
• Candidate and volunteer requests submiKed to social
media and contacts
• Volunteers briefed
• Removed volunteers including children, students or
health data
• AcEve directory users and groups collected from acEve
directory server and stored in json ﬁles
• Json ﬁles processed to remove personal informaEon
• Ava know used to parse and idenEfy paKerns

View Slide

You want to show this at BlackHat?
LOL
Wait, you’re serious?
Nope. Nope. Nope. Nope. Nope. Nope. Nope. Nope.
Yes!
… please?
… yes?

View Slide

540 people and idenEEes
3 organisaEons
public and private sector
educaEon and commerce

View Slide

19 adminstrator accounts
400 non-‐expiring
4 groups per account
35 never logged in
oldest password = 11 years
newest password = 3 months

View Slide

In 2015, why is this
sEll an issue?

View Slide

The challenges

View Slide

a public interest security tool

View Slide

….from everyone
success requires engagement

View Slide

is this even legal?

View Slide

The law in this space is immature

View Slide

publically available
previously known
already published

View Slide

can we assess human
vulnerability on this scale
compromising the privacy the
people we assess?

View Slide

Privacy is about protecEng people
Know
Update

Delete
Ask

View Slide

AVA Ethics and Privacy Board
ObjecEve, RepresentaEve, Independent, CollaboraEve
new members welcome to apply

View Slide

Open. Honest. Plain English

View Slide

Providing people with the
informaEon they need to protect
themselves and their privacy

View Slide

Is this technically possible?

View Slide

Building new things is hard

View Slide

Scale that has to be visible

View Slide

There is a
reason why
compromised
email accounts
have value
Can we simulate
aKack aliases in a
manageable way?

View Slide

Nobody has Eme for more appliances

View Slide

Where next?

View Slide

From research project to real life
TesEng
ConEnuous IntegraEon
Roadmap development
Feature development

View Slide

Security culture change as a service?

View Slide

IntegraEon
Google
Facebook
TwiKer
Linkedin
Microsom
Slack
GitHub

If you are reading this and
work for these places, we
should probably talk.

View Slide

Ethics board
Developers
Testers
ContribuEon
DocumentaEon
Sociologists
UX and design

View Slide

volunteers wanted
Safe
consensual
human security
science

View Slide

TL;DR
We have a people problem
AAVA is an early alpha prototype
We want a future of con>nuous human vulnerability assessment
The road ahead is hard
Privacy, ethics, momentum, security, scaling and much more

View Slide

Learn more or get involved
hKps:/
/github.com/SafeStack/ava
now with docker build

@avasecure
hKp:/
/avasecure.com
hKp:/
/ava.rqd.org/
[email protected]

View Slide

Laura Bell
Founder and Lead Consultant -‐ SafeStack
@lady_nerd [email protected]
h6p:/
/safestack.io

Questions?
#protectyourpeople

View Slide

Automated Human Vulnerability Scanning with AVA

Automated Human Vulnerability Scanning with AVA

Laura Bell

More Decks by Laura Bell

Other Decks in Technology

Featured

Transcript