
Hackcon 11 - Protecting our people

Laura Bell
February 17, 2016



  1. Laura Bell, Founder and Lead Consultant - SafeStack, @lady_nerd, laura@safestack.io, http://safestack.io. Protecting our people: the awkward border
  2. #protectyourpeople to join the discussion (but play nicely please)

  3. This talk might make you feel uncomfortable. Sorry.

  4. …I want you to feel uncomfortable

  5. I like people

  6. Border Security, Application Security, Threat Intelligence

  7. people are the path of least resistance

  8. In this talk: The Problem (the need for, and lack of, human defense); The Tool (we built AVA… and we think you might like it); The Challenges (building human security systems is hard…)
  9. we are comfortable when we talk about technical vulnerability

  10. we do not empathise or sympathise with machines. They are inanimate objects.
  11. technology is only part of the security picture technology people

  12. technical systems are: reviewed, scanned, penetration tested

  13. processes are audited

  14. what about people?

  15. The problem with people

  16. human vulnerability is natural

  17. fear of rejection, fear of exposure, fear of physical harm, fear of loss
  18. love

  19. humans are sufficiently predictable to make it suitably annoying when we fail to predict their behaviour.
  20. The modern approaches

  21. compliance has us racing to the bottom

  22. we watch video training or e-learning, we make posters, we tick boxes
  24. this is not how people learn: go ask the education and psychology communities
  25. this is adversarial defense

  26. people can’t be taught, people are lazy, people are stupid

  28. s/people/we/g

  29. we shame the human victims of human security attacks* (*while secretly doing the exact same things)
  30. we forget that we are a connected species

  31. It’s time for the age of collaborative defense

  32. border devices are not enough

  33. AVA

  34. A first generation proof of concept: 3-phase automated human vulnerability scanner
  35. PHASE 1: Know

  36. We don’t know what our organisations look like

  37. Human security risk is magnified by connection

  38. Active Directory, Twitter, LinkedIn, Facebook, Email providers: People, Identifiers, Groups, Relationships, Data
  39. Location, Time stamps, Sender, Receiver, User agent, friends, contacts, frequency, aliases, profiles, Last login, Pw Expires?, Disabled?, Influence, Admin?
  40. PHASE 2: Test

  41. Threat injection and behaviour monitoring

  42. Attack vectors that mean something: Email, Social Networks, Removable Media, Files and honeypots, SMS
  43. Email attacks that go beyond phishing: Email phishing, Internal request, social panic, Direct request, External request, favour, authoritative
  44. User generated and publicly sourced attacks. (The slide shows a sample email. Subject: Security Alert: Update Java (*See Kronos Note). Date: February 22, 2013. "This is an automatically generated message. Please DO NOT REPLY. If you require assistance, please contact the Help Center. Oracle has released an update for Java that fixes 50 security holes, including a critical hole currently being exploited in the wild. The IT Security Office strongly recommends that you update Java as" Note on the slide: The URL may be different on different messages.)
  45. Removing the boundaries between business and personal

  46. Instant, scheduled and recurring. Security fails when it is treated like a special event
  47. Give the option of succeeding and reinforce good behaviours

  48. PHASE 3: Analyse

  49. Behaviour Vs. time

  50. Measuring impact of training

  51. And now for something a little bit different

  52. Bridges, weak links and targeting

  53. Pivoting and propagation

  54. You know what would be fun? Predictive risk behaviour analysis

  55. Technologies: Django, PostgreSQL, Celery, Redis, Bootstrap, Open source, GPL, docker. Integrates with Exchange, Office 365, AD and Google Apps for Business
  56. The challenges

  57. a public interest security tool

  58. …from everyone: success requires engagement

  59. is this even legal?

  60. The law in this space is immature

  61. publicly available, previously known, already published

  62. can we assess human vulnerability on this scale without compromising the privacy of the people we assess?
  63. Privacy is about protecting people: Know, Update, Delete, Ask

  64. yeah, if you could just give me access to all the information you have… that’d be great
  65. No.

  66. AVA Ethics and Privacy Board: Objective, Representative, Independent, Collaborative. New members welcome to apply
  67. Open. Honest. Plain English

  68. Providing people with the information they need to protect themselves and their privacy
  69. Is this technically possible?

  70. Building new things is hard

  71. Scale that has to be visible

  72. Nobody has time for more appliances

  73. Where next?

  74. From research project to real life: Testing, Continuous Integration, Roadmap development, Feature development
  75. Security culture change as a service?

  76. Ethics board, Developers, Testers, Contribution, Documentation, Sociologists, UX and design

  77. volunteers wanted: safe, consensual human security science

  78. TL;DR: We have a people problem. Attackers will choose the path of least resistance and we are not prepared. AVA is an early alpha prototype. We want a future of continuous human vulnerability assessment. The road ahead is hard: privacy, ethics, momentum, security, scaling and much more
  79. Learn more or get involved: https://github.com/SafeStack/ava (now with docker build), @avasecure, http://avasecure.com, http://ava.rtfd.org/, hello@avasecure.com
  80. Laura Bell, Founder and Lead Consultant - SafeStack, @lady_nerd, laura@safestack.io, http://safestack.io. Questions? #protectyourpeople
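Slides 49 and 50 (Phase 3: behaviour vs. time, measuring the impact of training) describe the analysis step without showing it. The following is an added illustration, not AVA's own code: it takes constructed simulation results (one row per delivered test message, with the outcome the person chose) and computes the monthly click and report rates, then the per-person change in click rate before and after their training date. Names, dates and the outcome labels are assumptions made up for the example.

```python
# Added example (not from the AVA project): Phase 3 style behaviour-vs-time
# analysis over constructed simulated-threat results.
from collections import defaultdict
from datetime import date

# Constructed sample data: (person, delivery date, outcome).
# outcome is one of "clicked", "reported", "ignored".
EVENTS = [
    ("alice", date(2016, 1, 5), "clicked"),
    ("alice", date(2016, 2, 3), "reported"),
    ("alice", date(2016, 3, 2), "reported"),
    ("bob",   date(2016, 1, 6), "clicked"),
    ("bob",   date(2016, 2, 4), "clicked"),
    ("bob",   date(2016, 3, 3), "clicked"),
    ("carol", date(2016, 1, 7), "ignored"),
    ("carol", date(2016, 2, 5), "clicked"),
    ("carol", date(2016, 3, 4), "reported"),
]
# Constructed: date each person completed awareness training (carol: none yet).
TRAINED_ON = {"alice": date(2016, 1, 20), "bob": date(2016, 2, 20)}

def rate_by_month(events):
    """Behaviour vs time: per month, (fraction clicked, fraction reported)."""
    counts = defaultdict(lambda: {"n": 0, "clicked": 0, "reported": 0})
    for _, when, outcome in events:
        key = when.strftime("%Y-%m")
        counts[key]["n"] += 1
        if outcome in ("clicked", "reported"):
            counts[key][outcome] += 1
    return {m: (round(c["clicked"] / c["n"], 2), round(c["reported"] / c["n"], 2))
            for m, c in sorted(counts.items())}

def training_impact(events, trained_on):
    """Per person: click rate before training minus click rate after it.
    Positive means fewer clicks after training. Untrained people, and people
    without events on both sides of their training date, are skipped."""
    buckets = defaultdict(lambda: {"before": [0, 0], "after": [0, 0]})  # [clicks, n]
    for who, when, outcome in events:
        trained = trained_on.get(who)
        if trained is None:
            continue
        side = "after" if when >= trained else "before"
        buckets[who][side][1] += 1
        buckets[who][side][0] += int(outcome == "clicked")
    result = {}
    for who, b in buckets.items():
        if b["before"][1] == 0 or b["after"][1] == 0:
            continue
        before = b["before"][0] / b["before"][1]
        after = b["after"][0] / b["after"][1]
        result[who] = round(before - after, 2)
    return result
```

In the sample, alice stops clicking after training while bob does not, and carol is excluded because she has no training date; the monthly view shows reports rising as clicks fall across the three campaigns.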