$30 off During Our Annual Pro Sale. View Details »

Hackcon 11 - Protecting our people

Laura Bell
February 17, 2016
Technology
0
170

Hackcon 11 - Protecting our people

Laura Bell

February 17, 2016
Tweet

More Decks by Laura Bell

See All by Laura Bell
DIY security for the amateur superhero
ladynerd
0
160
Security in a container based world
ladynerd
0
120
Securing Microservice Architectures
ladynerd
2
330
Better Connected
ladynerd
0
45
Continuous Security
ladynerd
3
920
Automated Human Vulnerability Scanning with AVA
ladynerd
3
2.5k
Blindsided by security
ladynerd
0
75
Practical tools for privacy audit
ladynerd
0
98
For the greater good? Open sourcing weaponisable code
ladynerd
1
240

Other Decks in Technology

See All in Technology
ライブラリとの上手な付き合い方
sekido
PRO
0
200
GPTsによるアシスタント業務の改善
neonankiti
3
380
AI・機械学習ライブラリを使ったWebアプリでワクワク体験! / Qiita Night~AI、機械学習 / 20231201
you
PRO
1
1.6k
「成長サイクル」でVUCAの時代を乗りこなす
ar_tama
1
350
EventStormingとRDRA2.0で大規模レガシーシステムのフルリニューアルPJに挑む
leveragestech
0
1.6k
ChatGPTとKarateで実現するシン・BDD / Realizing New BDD through ChatGPT and Karate
takanorig
1
320
go-ldap Contribution
kazamori
0
120
pmconf 2023 プロダクトと事業を無限にスケールするための最強のロードマップの作り方 / The Greatest Roadmap for Unlimited Scaling your Business and Products
yamamuteki
17
10k
AWS re:Invent 2023の期間中に出たコンテナアップデート集
yoshiitaka
3
340
Java in containers and serverless
takesection
0
150
GoのProtocプラグインを活用した効率的な負荷試験戦略 / Efficient Load Testing Strategies Utilizing the Go Protoc Plugin
biwashi
0
120
Is Serverless Safe? ~Hacking AWS Lambda~
pict3
0
110

Featured

See All Featured
The Art of Programming - Codeland 2020
erikaheidi
39
12k
Fantastic passwords and where to find them - at NoRuKo
philnash
34
2.3k
Practical Orchestrator
shlominoach
179
9.4k
Documentation Writing (for coders)
carmenintech
55
3.5k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
351
28k
How to train your dragon (web standard)
notwaldorf
71
4.8k
Art Directing for the Web. Five minutes with CSS Template Areas
malarkey
197
11k
The MySQL Ecosystem @ GitHub 2015
samlambert
241
11k
Intergalactic Javascript Robots from Outer Space
tanoku
264
26k
Statistics for Hackers
jakevdp
788
220k
Mobile First: as difficult as doing things right
swwweet
214
8.3k
Raft: Consensus for Rubyists
vanstee
130
6k

Transcript

  1. Laura Bell
    Founder and Lead Consultant - SafeStack
    @lady_nerd [email protected]
    http://safestack.io
    Protecting our people
    the awkward border

    View Slide

  2. #protectyourpeople
    To join the discussion (but play nicely please)

    View Slide

  3. This talk might make you feel
    uncomfortable.
    Sorry.

    View Slide

  4. …I want you to feel uncomfortable

    View Slide

  5. I like people

    View Slide

  6. Border Security
    Application Security
    Threat Intelligence

    View Slide

  7. people are the path of
    least resistance

    View Slide

  8. In this talk
    The Problem
    The need for and lack of human defense
    The Tool
    We built AVA… and we think you might like it
    The Challenges
    Building human security systems is hard…

    View Slide

  9. we are comfortable when we talk
    about technical vulnerability

    View Slide

  10. we do not empathise or sympathise with
    machines
    They are inanimate objects.

    View Slide

  11. technology is only part of the security picture
    technology people process

    View Slide

  12. technical systems are:
    reviewed
    scanned
    penetration tested

    View Slide

  13. processes are audited

    View Slide

  14. what about people?

    View Slide

  15. The problem with people

    View Slide

  16. human vulnerability is natural

    View Slide

  17. fear of rejection
    fear of exposure
    fear of physical harm
    fear of loss

    View Slide

  18. love

    View Slide

  19. humans are sufficiently predictable
    to make it suitably annoying
    when we fail to
    predict their behaviour.

    View Slide

  20. The modern approaches

    View Slide

  21. compliance has us racing to the bottom

    View Slide

  22. we watch video training or e-learning
    we make posters
    we tick boxes

    View Slide

  23. View Slide

  24. this is not how people learn
    go ask the education and psychology communities

    View Slide

  25. this is
    adversarial defense

    View Slide

  26. people can’t be taught
    people are lazy
    people are stupid

    View Slide

  27. View Slide

  28. s/people/we/g

    View Slide

  29. we shame the human victims of
    human security attacks*
    *while secretly doing the exact same things

    View Slide

  30. we forget that we are a connected species

    View Slide

  31. It’s time for the age of collaborative defense

    View Slide

  32. border devices are not enough

    View Slide

  33. AVA

    View Slide

  34. A
    first generation
    proof of concept
    3- phase
    automated
    human vulnerability
    scanner

    View Slide

  35. Know
    PHASE 1

    View Slide

  36. We don’t know what our organisations look like

    View Slide

  37. Human
    security
    risk is
    magnified
    by
    connection

    View Slide

  38. Active Directory
    Twitter
    LinkedIn
    Facebook
    Email providers
    People
    Identifiers
    Groups
    Relationships
    Data

    View Slide

  39. Location
    Time stamps
    Sender
    Receiver
    User agent
    friends
    contacts
    frequency
    aliases
    profiles
    Last login
    Pw Expires?
    Disabled?
    Influence
    Admin?

    View Slide

  40. test
    PHASE 2

    View Slide

  41. Threat
    injection
    and
    behaviour
    monitoring

    View Slide

  42. Attack vectors that mean something
    Email
    Social Networks
    Removable Media
    Files and honeypots
    SMS

    View Slide

  43. Email attacks that go beyond phishing
    Email
    phishing Internal request
    social
    panic
    Direct request External request
    favour
    authoritative

    View Slide

  44. The URL may be different on different messages.
    Subject: Security Alert: Update Java (*See Kronos Note)
    Date: February 22, 2013
    **********************************************************
    **************
    This is an automatically generated message. Please DO NOT REPLY.
    If you require assistance, please contact the Help Center.
    **********************************************************
    **************
    Oracle has released an update for Java that fixes 50 security holes,
    including a
    critical hole currently being exploited in the wild.
    The IT Security Office strongly recommends that you update Java as
    User generatedand publicly sourced attacks

    View Slide

  45. Removing the boundariesbetween business and personal

    View Slide

  46. Instant, scheduled and recurring
    Securityfails when it is treated like a special event

    View Slide

  47. Give the option of succeeding
    and reinforce good behaviours

    View Slide

  48. analyse
    PHASE 3

    View Slide

  49. Behaviour Vs. time

    View Slide

  50. Measuring
    impact
    of
    training

    View Slide

  51. And now for something a
    little bit different

    View Slide

  52. Bridges, weak links and targeting

    View Slide

  53. Pivoting
    and
    propagation

    View Slide

  54. You know what would be fun?
    Predictive risk behaviour analysis

    View Slide

  55. Technologies
    •Django
    •Postgresql
    •Celery
    •Redis
    •Bootstrap
    •Open source
    •GPL
    •docker
    •Integrates with exchange,
    Office 365, ad and google
    apps for business

    View Slide

  56. The challenges

    View Slide

  57. a public interest security tool

    View Slide

  58. ….from everyone
    success requires engagement

    View Slide

  59. is this even legal?

    View Slide

  60. The law in this space is immature

    View Slide

  61. publically available
    previously known
    already published

    View Slide

  62. can we assess human
    vulnerability on this scale
    compromising the privacy the
    people we assess?

    View Slide

  63. Privacy is about protecting people
    Know
    Update
    Delete
    Ask

    View Slide

  64. yeah, if you could just give me
    access to all the information
    you have…
    that’d be great

    View Slide

  65. No.

    View Slide

  66. AVA Ethics and Privacy Board
    Objective, Representative, Independent, Collaborative
    new members welcome to apply

    View Slide

  67. Open. Honest. Plain English

    View Slide

  68. Providing people with the
    information they need to protect
    themselves and their privacy

    View Slide

  69. Is this technically possible?

    View Slide

  70. Building new things is hard

    View Slide

  71. Scale that has to be visible

    View Slide

  72. Nobody has time for more appliances

    View Slide

  73. Where next?

    View Slide

  74. From research project to real life
    Testing
    Continuous Integration
    Roadmap development
    Feature development

    View Slide

  75. Security culture change as a service?

    View Slide

  76. Ethics board
    Developers
    Testers
    Contribution
    Documentation
    Sociologists
    UX and design

    View Slide

  77. volunteers wanted
    safe
    consensual
    human security
    science

    View Slide

  78. TL;DR
    We have a people problem
    Attackers will choose the path of least resistance and we are not prepared
    AVA is an early alpha prototype
    We want a future of continuous human vulnerability assessment
    The road ahead is hard
    Privacy, ethics, momentum, security, scaling and much more

    View Slide

  79. Learn more or get involved
    https:/
    /github.com/SafeStack/ava
    now with docker build
    @avasecure
    http:/
    /avasecure.com
    http:/
    /ava.rtfd.org/
    [email protected]

    View Slide

  80. Laura Bell
    Founder and Lead Consultant - SafeStack
    @lady_nerd [email protected]
    http://safestack.io
    Questions?
    #protectyourpeople

    View Slide