Slide 1

Laura Bell, Founder and Lead Consultant - SafeStack. @lady_nerd, [email protected], http://safestack.io. Automated human vulnerability scanning with AVA

Slide 2

#BHUSA #protectyourpeople - to join the discussion (but play nicely please)

Slide 3

This talk might make you feel uncomfortable. Sorry.

Slide 4

…I want you to feel uncomfortable

Slide 5

I like people

Slide 6

Border Security, Application Security, Threat Intelligence

Slide 7

people are the path of least resistance

Slide 8

In this talk: The Problem (the need for, and lack of, human defense); The Tool (we built AVA… and we think you might like it); The Challenges (building human security systems is hard…)

Slide 9

we are comfortable when we talk about technical vulnerability

Slide 10

we do not empathise or sympathise with machines. They are inanimate objects.

Slide 11

technology is only part of the security picture: technology, people, process

Slide 12

technical systems are: reviewed, scanned, penetration tested

Slide 13

processes are audited

Slide 14

what about people?

Slide 15

The problem with people

Slide 16

human vulnerability is natural

Slide 17

fear of rejection, fear of exposure, fear of physical harm, fear of loss

Slide 18

love

Slide 19

humans are sufficiently predictable to make it suitably annoying when we fail to predict their behaviour.

Slide 20

The modern approaches

Slide 21

compliance has us racing to the bottom

Slide 22

we watch video training or e-learning, we make posters, we tick boxes

Slide 23

Security Awareness Education really sucks

Slide 24

Posters don't work. Stop it already.

Slide 25

this is not how people learn; go ask the education and psychology communities

Slide 26

(no text on this slide)

Slide 27

we shame the human victims of human security attacks* (*while secretly doing the exact same things)

Slide 28

we forget that we are a connected species

Slide 29

why don't we actively assess and test our human security risk?

Slide 30

we don't test because it's too easy

Slide 31

people can't be taught, people are lazy, people are stupid

Slide 32

s/people/we/g

Slide 33

we don't test because it makes us feel uncomfortable, because we don't want people to get hurt, because it's hard, because we don't know how to fix it, because we don't want people to get fired

Slide 34

border devices are not enough

Slide 35

AVA

Slide 36

A first-generation, proof-of-concept, 3-phase automated human vulnerability scanner

Slide 37

PHASE 1: Know

Slide 38

We don't know what our organisations look like

Slide 39

Human security risk is magnified by connection

Slide 40

Active Directory, Twitter, LinkedIn, Facebook, Email providers. People, Identifiers, Groups, Relationships, Data

Slide 41

Location, Time stamps, Sender, Receiver, User agent, friends, contacts, frequency, aliases, profiles, Last login, Pw Expires?, Disabled?, Influence, Admin?

Slide 42

PHASE 2: Test

Slide 43

Threat injection and behaviour monitoring

Slide 44

Attack vectors that mean something: Email, Social Networks, Removable Media, Files and honeypots, SMS

Slide 45

Email attacks that go beyond phishing: Email phishing, Internal request, social, panic, Direct request, External request, favour, authoritative

Slide 46

User generated and publicly sourced attacks. The slide shows a publicly sourced sample (the URL may be different on different messages):

Subject: Security Alert: Update Java (*See Kronos Note)
Date: February 22, 2013
***********************************************************
This is an automatically generated message. Please DO NOT REPLY.
If you require assistance, please contact the Help Center.
***********************************************************
Oracle has released an update for Java that fixes 50 security holes, including a critical hole currently being exploited in the wild.
The IT Security Office strongly recommends that you update Java as

Slide 47

Removing the boundaries between business and personal

Slide 48

Instant, scheduled and recurring. Security fails when it is treated like a special event

Slide 49

Give the option of succeeding and reinforce good behaviours

Slide 50

PHASE 3: Analyse

Slide 51

Behaviour vs. time

Slide 52

Measuring impact of training
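The Analyse phase is only sketched on the slides, so here is an added example (not code from the talk or the AVA project) of the two analyses named on slides 51 and 52: behaviour vs. time across the population, and a per-person before/after comparison around a training date. The event log, the people and the training dates are constructed for the example; the outcome names are assumptions, and reporting a test is counted as a success rather than a non-failure, in the spirit of slide 49.

```python
"""Added example (not AVA's own code): "behaviour vs. time" and
"impact of training" over a constructed log of simulated-attack outcomes.
People, dates, vectors and outcomes are made up for the example.
"""
from collections import defaultdict
from datetime import date

# Outcomes a monitored test can end in (assumed names). Reporting is the
# behaviour we want to reinforce, so it is scored as a success.
FAILED = {"clicked", "submitted_credentials", "opened_attachment"}
SUCCEEDED = {"reported"}

# Constructed event log: (person, date of test, vector, outcome)
EVENTS = [
    ("u01", date(2015, 1, 12), "email", "clicked"),
    ("u01", date(2015, 2, 9), "email", "clicked"),
    ("u01", date(2015, 4, 13), "email", "reported"),
    ("u01", date(2015, 5, 11), "sms", "ignored"),
    ("u01", date(2015, 6, 8), "email", "reported"),
    ("u02", date(2015, 1, 12), "email", "reported"),
    ("u02", date(2015, 2, 9), "usb", "ignored"),
    ("u02", date(2015, 4, 13), "email", "clicked"),
    ("u02", date(2015, 6, 8), "email", "ignored"),
    ("u03", date(2015, 1, 12), "email", "submitted_credentials"),
    ("u03", date(2015, 4, 13), "email", "clicked"),
    ("u03", date(2015, 6, 8), "email", "clicked"),
]

# Constructed: date each person completed training (None = not trained yet).
TRAINED_ON = {"u01": date(2015, 3, 2), "u02": None, "u03": date(2015, 3, 2)}


def summarise(events):
    """Fail and report rates for a set of tests (None when there were no tests)."""
    n = len(events)
    fails = sum(1 for e in events if e[3] in FAILED)
    reports = sum(1 for e in events if e[3] in SUCCEEDED)
    return {"tests": n,
            "fail_rate": fails / n if n else None,
            "report_rate": reports / n if n else None}


def behaviour_by_month(events):
    """Behaviour vs. time for the whole population, one bucket per month."""
    buckets = defaultdict(list)
    for e in events:
        buckets[e[1].strftime("%Y-%m")].append(e)
    return {month: summarise(evs) for month, evs in sorted(buckets.items())}


def training_impact(events, trained_on):
    """Per person: rates before vs. after their training date. Untrained
    people are summarised as a whole and act as the comparison group."""
    result = {}
    for person in sorted({e[0] for e in events}):
        mine = [e for e in events if e[0] == person]
        trained = trained_on.get(person)
        if trained is None:
            result[person] = {"trained": False, **summarise(mine)}
        else:
            result[person] = {
                "trained": True,
                "before": summarise([e for e in mine if e[1] < trained]),
                "after": summarise([e for e in mine if e[1] >= trained]),
            }
    return result


def who_needs_attention(events, trained_on, min_tests=2):
    """Targets for the next round: trained people who still fail as often as
    before, and untrained people who have failed at least once."""
    flagged = []
    for person, stats in training_impact(events, trained_on).items():
        if not stats["trained"]:
            if stats["fail_rate"]:
                flagged.append((person, "untrained and has failed a test"))
            continue
        before, after = stats["before"], stats["after"]
        if (after["tests"] >= min_tests
                and before["fail_rate"] is not None
                and after["fail_rate"] is not None
                and after["fail_rate"] >= before["fail_rate"]):
            flagged.append((person, "no improvement after training"))
    return flagged


if __name__ == "__main__":
    for month, stats in behaviour_by_month(EVENTS).items():
        print(month, stats)
    print(who_needs_attention(EVENTS, TRAINED_ON))
```

The point of splitting each person's history at their own training date, rather than comparing a pre-training month with a post-training month for everyone, is that training is rolled out unevenly and the untrained people give you a baseline for how much the population drifts on its own.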

Slide 53

And now for something a little bit different

Slide 54

Bridges, weak links and targeting

Slide 55

Pivoting and propagation
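Slides 39, 54 and 55 say that connection magnifies human risk and that an attacker pivots along it, without showing the mechanics. The following added example (not code from the talk or the AVA project) builds a trust graph from constructed mail-frequency data, finds the people who bridge otherwise separate parts of an organisation, and traces the shortest chain of trusted contacts from a compromised account to an administrator. The names, message counts, admin list and the "trusted if at least 5 messages a month" threshold are all assumptions.

```python
"""Added example (not AVA's own code): bridges, propagation and pivoting
over a relationship graph built from constructed mail-frequency data.
"""
from collections import deque

# Constructed: (person, person, messages per month between them). A pair is a
# trusted link only when traffic is frequent enough that a message from one
# side would look routine to the other (threshold is an assumption).
MAIL = [
    ("ann", "ben", 40), ("ann", "cat", 25), ("ben", "cat", 30),  # finance team
    ("cat", "dan", 12),                                            # cat talks to IT
    ("dan", "eve", 50), ("dan", "fay", 35), ("eve", "fay", 20),   # IT team
    ("fay", "gus", 3),                                             # rare contact
    ("gus", "hal", 45),                                            # vendor pair
]
ADMINS = {"eve"}      # constructed: the high-value target
MIN_MESSAGES = 5


def build_graph(mail, min_messages=MIN_MESSAGES):
    """Undirected trust graph: every person is a node, frequent pairs are edges."""
    g = {}
    for a, b, n in mail:
        g.setdefault(a, set())
        g.setdefault(b, set())
        if n >= min_messages:
            g[a].add(b)
            g[b].add(a)
    return g


def _components(g, excluded=frozenset()):
    """Number of connected components with the `excluded` people taken out."""
    seen, count = set(), 0
    for start in g:
        if start in excluded or start in seen:
            continue
        count += 1
        queue = deque([start])
        seen.add(start)
        while queue:
            v = queue.popleft()
            for w in g[v]:
                if w not in excluded and w not in seen:
                    seen.add(w)
                    queue.append(w)
    return count


def bridge_people(g):
    """People whose removal splits the organisation: the bridges an attacker
    must cross and the weak links a defender should watch."""
    base = _components(g)
    return sorted(p for p in g if _components(g, frozenset([p])) > base)


def propagation(g, compromised):
    """How far a simulated attack from one compromised account spreads, as hop
    counts over trusted links (people absent from the result are unreachable)."""
    dist = {compromised: 0}
    queue = deque([compromised])
    while queue:
        v = queue.popleft()
        for w in g[v]:
            if w not in dist:
                dist[w] = dist[v] + 1
                queue.append(w)
    return dist


def pivot_path(g, start, targets):
    """Shortest chain of trusted contacts from `start` to any of `targets`,
    or None if no chain exists."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        v = queue.popleft()
        if v in targets:
            path = []
            while v is not None:
                path.append(v)
                v = prev[v]
            return path[::-1]
        for w in g[v]:
            if w not in prev:
                prev[w] = v
                queue.append(w)
    return None


if __name__ == "__main__":
    g = build_graph(MAIL)
    print("bridges:", bridge_people(g))
    print("reach from ann:", propagation(g, "ann"))
    print("pivot ann -> admin:", pivot_path(g, "ann", ADMINS))
```

On the constructed data the bridges are cat and dan, the only people linking finance to IT; a phish that lands on ann never reaches eve directly, but a request that appears to come from cat, then dan, does. That is the targeting question of slide 54 in graph terms: the people to protect hardest are not always the admins but the ones everyone trusts on the way to them.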

Slide 56

You know what would be fun? Predictive risk behaviour analysis

Slide 57

Technologies
• Django
• PostgreSQL
• Celery
• Redis
• Bootstrap
• Open source, GPL
• Docker
• Integrates with Exchange, AD and Google Apps for Business

Slide 58

The inevitable demo

Slide 59

(no text on this slide)

Slide 60

Case studies

Slide 61

The process
• Candidate and volunteer requests submitted to social media and contacts
• Volunteers briefed
• Removed volunteers including children, students or health data
• Active Directory users and groups collected from the Active Directory server and stored in JSON files
• JSON files processed to remove personal information
• AVA Know used to parse and identify patterns

Slide 62

You want to show this at BlackHat? LOL. Wait, you're serious? Nope. Nope. Nope. Nope. Nope. Nope. Nope. Nope. Yes! … please? … yes?

Slide 63

540 people and identities, 3 organisations, public and private sector, education and commerce

Slide 64

19 administrator accounts, 400 accounts with non-expiring passwords, 4 groups per account, 35 never logged in, oldest password = 11 years, newest password = 3 months
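The case-study pipeline on slide 61 (AD users and groups dumped to JSON, personal information removed, then patterns identified) and the numbers on slide 64 are easy to reproduce in a few dozen lines. The following is an added example, not code from the talk or the AVA project: it reads a constructed Active Directory export, replaces names with a keyed hash so the same person still links across exports but no identity survives, and computes the kind of figures slide 64 reports. The attribute names (sAMAccountName, memberOf, userAccountControl, pwdLastSet, lastLogonTimestamp) and the userAccountControl bit values are real AD ones; the users, groups, HMAC key and report date are made up.

```python
"""Added example (not AVA's own code): the "Know" phase and the case-study
pipeline on a constructed Active Directory user export. pwdLastSet and
lastLogonTimestamp are Windows FILETIME values (100-ns ticks since 1601-01-01
UTC), which is how AD stores them; 0 means never set / never logged in.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Documented userAccountControl bit flags.
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWD = 0x10000

# Membership in any of these counts as "administrator" for the report.
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
AS_OF = datetime(2015, 8, 1, tzinfo=timezone.utc)  # report date (constructed)


def filetime_to_datetime(ft):
    """Windows FILETIME -> aware datetime; 0 -> None (never set)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10) if ft else None


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def _years_ago(years):
    return datetime_to_filetime(AS_OF - timedelta(days=365 * years))


# Constructed export: what dumping AD user objects to JSON might look like.
SAMPLE_EXPORT = json.dumps([
    {"sAMAccountName": "alice", "displayName": "Alice Example",
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example",
                  "CN=IT,OU=Groups,DC=corp,DC=example"],
     "userAccountControl": 0x200 | DONT_EXPIRE_PASSWD,
     "pwdLastSet": _years_ago(11), "lastLogonTimestamp": _years_ago(0.1)},
    {"sAMAccountName": "bob", "displayName": "Bob Example",
     "memberOf": ["CN=Staff,OU=Groups,DC=corp,DC=example",
                  "CN=Finance,OU=Groups,DC=corp,DC=example"],
     "userAccountControl": 0x200,
     "pwdLastSet": _years_ago(0.25), "lastLogonTimestamp": _years_ago(0.05)},
    {"sAMAccountName": "carol", "displayName": "Carol Example",
     "memberOf": ["CN=Staff,OU=Groups,DC=corp,DC=example"],
     "userAccountControl": 0x200 | ACCOUNTDISABLE,
     "pwdLastSet": _years_ago(2), "lastLogonTimestamp": 0},
    {"sAMAccountName": "svc-backup", "displayName": "Backup Service",
     "memberOf": ["CN=Administrators,CN=Builtin,DC=corp,DC=example",
                  "CN=Backup Operators,CN=Builtin,DC=corp,DC=example"],
     "userAccountControl": 0x200 | DONT_EXPIRE_PASSWD,
     "pwdLastSet": _years_ago(5), "lastLogonTimestamp": 0},
])


def pseudonymise(users, key):
    """Replace identifying fields with a keyed hash so the same person links
    across exports but no name survives; keep only what the analysis needs."""
    out = []
    for u in users:
        token = hmac.new(key, u["sAMAccountName"].lower().encode(),
                         hashlib.sha256).hexdigest()[:12]
        out.append({
            "id": token,
            # "CN=Domain Admins,CN=Users,..." -> "Domain Admins"
            "groups": [dn.split(",")[0][3:] for dn in u.get("memberOf", [])],
            "uac": u.get("userAccountControl", 0),
            "pwdLastSet": u.get("pwdLastSet", 0),
            "lastLogon": u.get("lastLogonTimestamp", 0),
        })
    return out


def analyse(records, as_of=AS_OF):
    """The kind of numbers slide 64 reports, plus the accounts that combine
    the worst properties (admin, non-expiring password, never logged in)."""
    report = {"accounts": len(records), "admins": 0, "non_expiring": 0,
              "disabled": 0, "never_logged_in": 0, "dormant_admins": []}
    total_groups, pw_ages = 0, []
    for r in records:
        total_groups += len(r["groups"])
        is_admin = bool(ADMIN_GROUPS & set(r["groups"]))
        non_expiring = bool(r["uac"] & DONT_EXPIRE_PASSWD)
        never_logged_in = filetime_to_datetime(r["lastLogon"]) is None
        report["admins"] += is_admin
        report["non_expiring"] += non_expiring
        report["disabled"] += bool(r["uac"] & ACCOUNTDISABLE)
        report["never_logged_in"] += never_logged_in
        if is_admin and non_expiring and never_logged_in:
            report["dormant_admins"].append(r["id"])
        pw_set = filetime_to_datetime(r["pwdLastSet"])
        if pw_set is not None:
            pw_ages.append((as_of - pw_set).days)
    report["groups_per_account"] = total_groups / len(records) if records else 0.0
    report["oldest_password_days"] = max(pw_ages) if pw_ages else None
    report["newest_password_days"] = min(pw_ages) if pw_ages else None
    return report


def run(raw_json=SAMPLE_EXPORT, key=b"example-only-key"):
    return analyse(pseudonymise(json.loads(raw_json), key))


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

Two practical points the slide does not make explicit: a keyed hash (HMAC) rather than a plain hash is what stops someone with a staff list from re-identifying every record by hashing the names themselves, and the key must live with the ethics process, not with the analysis data. And the interesting finding is rarely a single count; it is the intersection, here an administrator account with a password that never expires and no recorded logon.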

Slide 65

In 2015, why is this still an issue?

Slide 66

The challenges

Slide 67

a public interest security tool

Slide 68

success requires engagement… from everyone

Slide 69

is this even legal?

Slide 70

The law in this space is immature

Slide 71

publicly available, previously known, already published

Slide 72

can we assess human vulnerability on this scale without compromising the privacy of the people we assess?

Slide 73

Privacy is about protecting people: Know, Update, Delete, Ask

Slide 74

AVA Ethics and Privacy Board: Objective, Representative, Independent, Collaborative. New members welcome to apply.

Slide 75

Open. Honest. Plain English.

Slide 76

Providing people with the information they need to protect themselves and their privacy

Slide 77

Is this technically possible?

Slide 78

Building new things is hard

Slide 79

Scale that has to be visible

Slide 80

There is a reason why compromised email accounts have value. Can we simulate attack aliases in a manageable way?

Slide 81

Nobody has time for more appliances

Slide 82

Where next?

Slide 83

From research project to real life: Testing, Continuous Integration, Roadmap development, Feature development

Slide 84

Security culture change as a service?

Slide 85

Integration: Google, Facebook, Twitter, LinkedIn, Microsoft, Slack, GitHub. If you are reading this and work for these places, we should probably talk.

Slide 86

Ethics board, Developers, Testers, Contribution, Documentation, Sociologists, UX and design

Slide 87

volunteers wanted: Safe, consensual human security science

Slide 88

TL;DR: We have a people problem. Continuous human vulnerability assessment. The road ahead is hard: privacy, ethics, momentum, security, scaling and much more.

Slide 89

Learn more or get involved: https://github.com/SafeStack/ava (now with docker build), @avasecure, http://avasecure.com, http://ava.rqd.org/, [email protected]

Slide 90

Laura Bell, Founder and Lead Consultant - SafeStack. @lady_nerd, [email protected], http://safestack.io. Questions? #protectyourpeople