Protecting your people

Transcript

1. Laura Bell Founder and Lead Consultant - SafeStack @lady_nerd [email protected]

   http:/ /safestack.io Protect your people

2. #protectyourpeople

3. we are comfortable when we talk about technical vulnerability

4. we do not empathise or sympathise with machines they are

   tangible, inanimate objects.

5. technology is only part of the security picture technology people

   process

6. technical systems are: reviewed scanned penetration tested

7. processes are audited

8. What about People?

9. human-centric security current solutions hope and scary questions?

10. None

11. human vulnerability is natural

12. FEAR & love

13. Humans are sufficiently predictable to make it suitably annoying when

    we fail to predict their behaviour.

14. one stimulus == hundreds of outcomes

15. None

16. Security awareness • So we teach? • Who do we

    teach? • What is the message? Security Awareness Education

17. Compliance has us racing to the bottom

18. Posters don’t work Stop it already.

19. Red Teaming Red Teaming and Social Engineering Penetration Tests

20. Learning styles Tactile Aural Visual

21. None

22. 1. Learning styles are ignored 2. Teaching outside of the

    work environment 3. Lack of reinforcement to build habit and behaviours 4. Lack of measurement 5. Lack of context

23. Phish 5 • Good start • Online service • Phishing

    attack simulator Outsourced phishing programmes

24. Trouble is we are building tools for the world that

    was… not the world that is.
25. None

26. Ava first generation proof of concept 3- phase automated human

    vulnerability scanner

27. Know PHASE 1

28. We don’t know what our organisations look like

29. Human security risk is magnified by connection

30. Active Directory Twitter LinkedIn Facebook Email providers People Identifiers Groups

    Relationships Data

31. Location Time stamps Sender Receiver User agent friends contacts frequency

    aliases profiles Last login Traffic rate Pw Expires? Disabled? Influence

32. test PHASE 2

33. Threat injection and behaviour monitoring

34. Attack vectors that mean something Email Social Networks Removable Media

    Files and honeypots SMS

35. Email attacks that go beyond phishing Email phishing Internal request

    social panic Direct request External request favour authoritative

36. The URL may be different on different messages. Subject: Security

    Alert: Update Java (*See Kronos Note) Date: February 22, 2013 ********************************************************** ************** This is an automatically generated message. Please DO NOT REPLY. If you require assistance, please contact the Help Center. ********************************************************** ************** Oracle has released an update for Java that fixes 50 security holes, including a critical hole currently being exploited in the wild. The IT Security Office strongly recommends that you update Java as User generated and publicly sourced attacks

37. Removing the boundaries between business and personal

38. Instant, scheduled and recurring Security fails when it is treated

    like a special event

39. Give the option of succeeding and reinforce good behaviours

40. analyse PHASE 3

41. Behaviour Vs. time

42. Measuring impact of training

43. And now for something a little bit different

44. Bridges, weak links and targeting

45. Pivoting and propagation

46. You know what would be fun? Predictive risk behaviour analysis

47. Technologies •Django •Postgresql •Celery •Redis •Bootstrap •Open source •GPL •Vagrant

    + ansible build •Integrates with exchange, ad and gmail

48. Where next? Aka: what are companies actually built from?

49. Learn more or get involved @avasecure http://avasecure.com open source (GPL)

    https://github.com/SafeStack/ava now with vagrant/ansible

50. What about People?

51. human-centric security current solutions hope and scary questions?

52. Laura Bell Founder and Lead Consultant - SafeStack @lady_nerd [email protected]

    http:/ /safestack.io Questions? #protectyourpeople