Slide 1

Slide 1 text

How to Build Security Awareness Programs That Don’t Suck
Vlad Styran, CISSP, CISA, OSCP
Berezha Security

Slide 4

Slide 4 text

password123

Slide 5

Slide 5 text

7eh_vveakest_l1nque!1

Slide 7

Slide 7 text

Social Engineering
Hi-tech & lo-tech human hacking

Influence principles:
• Reciprocity
• Commitment
• Social proof
• Authority
• Liking
• Scarcity

Slide 8

Slide 8 text

Anti-Social Engineering

Slide 9

Slide 9 text

“Social engineering is cheating.” – A CISO I once met.

Slide 10

Slide 10 text

What next?

Slide 11

Slide 11 text

Raise Awareness

Slide 12

Slide 12 text

Stop trying to fix human behavior with tech only

Slide 13

Slide 13 text

Give people responsibility (back)

Slide 14

Slide 14 text

Security isn’t always a business problem, but it’s always a human problem

Slide 15

Slide 15 text

The Tools
• Fear
• Incentives
• Habits

Slide 16

Slide 16 text

Fear
• The key to humanity’s survival
• Teaches us to deal with threats
• “Dumps” precursors of dangerous events into memory

Slide 17

Slide 17 text

Moar Fear
• We need to be told what to be afraid of
• An overdose leads to phobias and disorders
• A reasonable amount helps us learn
• Memory needs refreshing

Slide 18

Slide 18 text

Social Incentives
• Competition: getting ahead of others
• Belonging: getting along with others

Slide 20

Slide 20 text

Habits
1. Trigger
2. Routine
3. Reward
4. Repeat

Slide 22

Slide 22 text

Attack methods: phishing, impersonation, elicitation, phone pretexting, software exploits, baiting…
Influence principles: scarcity, reciprocity, social proof, authority, liking…
Security context: anything of personal or business value – privacy, access, trust, confidential data…

Scenarios built from these ingredients:
• You receive an email with an urgent request to provide confidential data.
• The pizza delivery guy is staring at you while holding a huge pile of pizza boxes at your office door.
• An “old schoolmate” you just met in the street is asking you about the specifics of your current job.
• You receive a call from a person who introduces themselves as the CEO’s executive assistant and asks you to confirm receipt of their previous email and open its attachment.
• An attractive, likable person asks you to take part in an interview and offers a shiny new USB drive as compensation (hoping you will plug it into your work PC later).

Slide 23

Slide 23 text

Type of attack + Influence principle ⊂ Security context =

Slide 25

Slide 25 text

CASE STUDIES

Slide 27

Slide 27 text

• The human is the weakest link by default
• We can be taught security; we’re wired for that
• Drive security with fear, social incentives, and habits, not money
• Knowing attack types, influence principles, and security valuables is essential

Slide 28

Slide 28 text

“How to stay safe online” guide:
• Text: https://github.com/sapran/dontclickshit/blob/master/README_EN.md
• Mind map: http://www.xmind.net/m/raQ4
Contacts: https://keybase.io/sapran