Hackcon 11 - Protecting our people

Laura Bell
February 17, 2016

Transcript

  1. Laura Bell
    Founder and Lead Consultant - SafeStack
    @lady_nerd [email protected]
    http://safestack.io
    Protecting our people
    the awkward border

  2. #protectyourpeople
    To join the discussion (but play nicely please)

  3. This talk might make you feel
    uncomfortable.
    Sorry.

  4. …I want you to feel uncomfortable

  5. I like people

  6. Border Security
    Application Security
    Threat Intelligence

  7. people are the path of
    least resistance

  8. In this talk
    The Problem
    The need for and lack of human defense
    The Tool
    We built AVA… and we think you might like it
    The Challenges
    Building human security systems is hard…

  9. we are comfortable when we talk
    about technical vulnerability

  10. we do not empathise or sympathise with
    machines
    They are inanimate objects.

  11. technology is only part of the security picture
    technology, people, process

  12. technical systems are:
    reviewed
    scanned
    penetration tested

  13. processes are audited

  14. what about people?

  15. The problem with people

  16. human vulnerability is natural

  17. fear of rejection
    fear of exposure
    fear of physical harm
    fear of loss

  18. love

  19. humans are sufficiently predictable
    to make it suitably annoying
    when we fail to
    predict their behaviour.

  20. The modern approaches

  21. compliance has us racing to the bottom

  22. we watch video training or e-learning
    we make posters
    we tick boxes

  24. this is not how people learn
    go ask the education and psychology communities

  25. this is
    adversarial defense

  26. people can’t be taught
    people are lazy
    people are stupid

  28. s/people/we/g

  29. we shame the human victims of
    human security attacks*
    *while secretly doing the exact same things

  30. we forget that we are a connected species

  31. It’s time for the age of collaborative defense

  32. border devices are not enough

  33. AVA

  34. A
    first generation
    proof of concept
    3-phase
    automated
    human vulnerability
    scanner

  35. Know
    PHASE 1

  36. We don’t know what our organisations look like

  37. Human security risk is magnified by connection

  38. Active Directory
    Twitter
    LinkedIn
    Facebook
    Email providers
    People
    Identifiers
    Groups
    Relationships
    Data

  39. Location
    Time stamps
    Sender
    Receiver
    User agent
    friends
    contacts
    frequency
    aliases
    profiles
    Last login
    Pw Expires?
    Disabled?
    Influence
    Admin?

  40. test
    PHASE 2

  41. Threat injection and behaviour monitoring

  42. Attack vectors that mean something
    Email
    Social Networks
    Removable Media
    Files and honeypots
    SMS

  43. Email attacks that go beyond phishing
    phishing
    internal request
    external request
    direct request
    social
    panic
    favour
    authoritative

  44. The URL may be different on different messages.
    Subject: Security Alert: Update Java (*See Kronos Note)
    Date: February 22, 2013
    ************************************************************************
    This is an automatically generated message. Please DO NOT REPLY.
    If you require assistance, please contact the Help Center.
    ************************************************************************
    Oracle has released an update for Java that fixes 50 security holes, including a
    critical hole currently being exploited in the wild.
    The IT Security Office strongly recommends that you update Java as
    User generated and publicly sourced attacks

  45. Removing the boundaries between business and personal

  46. Instant, scheduled and recurring
    Security fails when it is treated like a special event

  47. Give the option of succeeding
    and reinforce good behaviours

  48. analyse
    PHASE 3

  49. Behaviour vs. time

  50. Measuring impact of training
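The Phase 3 slides (behaviour vs. time, measuring the impact of training) name the analysis but not how it is done. The following is an added Python example, not AVA's code or data model: constructed results of simulated tests are split at each person's own training date, outcome rates are compared before and after, the "reported" outcome is counted as the good behaviour slide 47 wants reinforced, and the weakest attack vector is picked only where enough tests exist to say anything. The record layout, names, dates and vectors are all constructed assumptions.

```python
"""Phase 3 (analyse): behaviour vs. time for simulated human-security tests.

Added example, not AVA's code. All records are constructed sample data; the
record layout, names, vectors and training dates are assumptions.
"""
from collections import Counter, defaultdict
from datetime import date

OUTCOMES = ("failed", "ignored", "reported")

# Constructed results of simulated tests, one per person per campaign.
# "failed" = acted on the lure, "ignored" = no reaction, "reported" = raised it
# with security, the good behaviour slide 47 says to reinforce.
_RAW = [
    ("2016-01-04", "alice", "email", "failed"),
    ("2016-01-04", "bob", "email", "failed"),
    ("2016-01-04", "carol", "email", "ignored"),
    ("2016-01-11", "alice", "sms", "failed"),
    ("2016-01-11", "bob", "sms", "ignored"),
    ("2016-01-11", "carol", "sms", "failed"),
    ("2016-01-25", "alice", "email", "reported"),
    ("2016-01-25", "bob", "email", "failed"),
    ("2016-01-25", "carol", "removable_media", "failed"),
    ("2016-02-08", "alice", "email", "ignored"),
    ("2016-02-08", "bob", "email", "reported"),
    ("2016-02-08", "carol", "sms", "failed"),
    ("2016-02-22", "alice", "sms", "reported"),
    ("2016-02-22", "bob", "sms", "ignored"),
    ("2016-02-22", "carol", "email", "reported"),
]
RESULTS = [{"date": date.fromisoformat(d), "person": p, "vector": v, "outcome": o}
           for d, p, v, o in _RAW]

# Constructed: the day each person completed training. Anyone missing here is
# treated as untrained for the whole period.
TRAINING_DATE = {"alice": date(2016, 1, 15), "bob": date(2016, 2, 1),
                 "carol": date(2016, 2, 1)}


def summarise(records):
    """Outcome rates for a set of records; an empty set yields zero rates."""
    counts = Counter(r["outcome"] for r in records)
    total = sum(counts.values())
    rates = {o: (counts[o] / total if total else 0.0) for o in OUTCOMES}
    return {"total": total, **rates}


def split_by_training(records, training_dates):
    """Split at each person's own training date rather than one global cut-off,
    so staggered training does not blur the comparison."""
    before, after = [], []
    for r in records:
        trained_on = training_dates.get(r["person"])
        if trained_on is None or r["date"] < trained_on:
            before.append(r)
        else:
            after.append(r)
    return before, after


def training_impact(records, training_dates):
    """Behaviour before vs. after training. A negative failed_delta and a
    positive reported_delta are the changes training is meant to produce."""
    before, after = split_by_training(records, training_dates)
    b, a = summarise(before), summarise(after)
    return {"before": b, "after": a,
            "failed_delta": a["failed"] - b["failed"],
            "reported_delta": a["reported"] - b["reported"]}


def failure_by_vector(records):
    """Outcome rates per attack vector (email, SMS, removable media, ...)."""
    by_vector = defaultdict(list)
    for r in records:
        by_vector[r["vector"]].append(r)
    return {v: summarise(rs) for v, rs in by_vector.items()}


def weakest_vector(records, min_samples=1):
    """Vector with the highest failure rate, ignoring vectors with fewer than
    min_samples tests: one failed test is not a trend."""
    stats = {v: s for v, s in failure_by_vector(records).items()
             if s["total"] >= min_samples}
    return max(stats, key=lambda v: stats[v]["failed"]) if stats else None


def still_failing_after_training(records, training_dates):
    """People who failed after their training: follow-up candidates."""
    _, after = split_by_training(records, training_dates)
    return Counter(r["person"] for r in after if r["outcome"] == "failed")


if __name__ == "__main__":
    impact = training_impact(RESULTS, TRAINING_DATE)
    print("failed: %.2f -> %.2f" % (impact["before"]["failed"], impact["after"]["failed"]))
    print("reported: %.2f -> %.2f" % (impact["before"]["reported"], impact["after"]["reported"]))
    print("weakest vector with >= 3 tests:", weakest_vector(RESULTS, min_samples=3))
    print("still failing after training:", dict(still_failing_after_training(RESULTS, TRAINING_DATE)))
```

Splitting per person rather than at one campaign date matters for the "instant, scheduled and recurring" model on slide 46: when training is rolled out in waves, a single global cut-off mixes trained and untrained people in both halves and hides the effect. The `min_samples` guard on `weakest_vector` keeps a lone removable-media test from dominating the picture.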

  51. And now for something a
    little bit different

  52. Bridges, weak links and targeting

  53. Pivoting and propagation

  54. You know what would be fun?
    Predictive risk behaviour analysis

  55. Technologies
    • Django
    • PostgreSQL
    • Celery
    • Redis
    • Bootstrap
    • Open source
    • GPL
    • Docker
    • Integrates with Exchange, Office 365, AD and Google Apps for Business

  56. The challenges

  57. a public interest security tool

  58. …from everyone
    success requires engagement

  59. is this even legal?

  60. The law in this space is immature

  61. publicly available
    previously known
    already published

  62. can we assess human
    vulnerability on this scale
    without compromising the privacy of the
    people we assess?

  63. Privacy is about protecting people
    Know
    Update
    Delete
    Ask

  64. yeah, if you could just give me
    access to all the information
    you have…
    that’d be great

  65. No.

  66. AVA Ethics and Privacy Board
    Objective, Representative, Independent, Collaborative
    new members welcome to apply

  67. Open. Honest. Plain English

  68. Providing people with the
    information they need to protect
    themselves and their privacy

  69. Is this technically possible?

  70. Building new things is hard

  71. Scale that has to be visible

  72. Nobody has time for more appliances

  73. Where next?

  74. From research project to real life
    Testing
    Continuous Integration
    Roadmap development
    Feature development

  75. Security culture change as a service?

  76. Ethics board
    Developers
    Testers
    Contribution
    Documentation
    Sociologists
    UX and design

  77. volunteers wanted
    safe
    consensual
    human security
    science

  78. TL;DR
    We have a people problem
    Attackers will choose the path of least resistance and we are not prepared
    AVA is an early alpha prototype
    We want a future of continuous human vulnerability assessment
    The road ahead is hard
    Privacy, ethics, momentum, security, scaling and much more

  79. Learn more or get involved
    https://github.com/SafeStack/ava
    now with docker build
    @avasecure
    http://avasecure.com
    http://ava.rtfd.org/
    [email protected]

  80. Laura Bell
    Founder and Lead Consultant - SafeStack
    @lady_nerd [email protected]
    http://safestack.io
    Questions?
    #protectyourpeople