Slide 1

Laura Bell, Founder and Lead Consultant - SafeStack
@lady_nerd
[email protected]
http://safestack.io
Protecting our people: the awkward border

Slide 2

#protectyourpeople
To join the discussion (but play nicely please)

Slide 3

This talk might make you feel uncomfortable. Sorry.

Slide 4

…I want you to feel uncomfortable

Slide 5

I like people

Slide 6

Border Security
Application Security
Threat Intelligence

Slide 7

people are the path of least resistance

Slide 8

In this talk:
The Problem - The need for and lack of human defense
The Tool - We built AVA… and we think you might like it
The Challenges - Building human security systems is hard…

Slide 9

we are comfortable when we talk about technical vulnerability

Slide 10

we do not empathise or sympathise with machines. They are inanimate objects.

Slide 11

technology is only part of the security picture: technology, people, process

Slide 12

technical systems are: reviewed, scanned, penetration tested

Slide 13

processes are audited

Slide 14

what about people?

Slide 15

The problem with people

Slide 16

human vulnerability is natural

Slide 17

fear of rejection
fear of exposure
fear of physical harm
fear of loss

Slide 18

love

Slide 19

humans are sufficiently predictable to make it suitably annoying when we fail to predict their behaviour.

Slide 20

The modern approaches

Slide 21

compliance has us racing to the bottom

Slide 22

we watch video training or e-learning
we make posters
we tick boxes

Slide 23

No content

Slide 24

this is not how people learn; go ask the education and psychology communities

Slide 25

this is adversarial defense

Slide 26

people can't be taught
people are lazy
people are stupid

Slide 27

No content

Slide 28

s/people/we/g

Slide 29

we shame the human victims of human security attacks*
*while secretly doing the exact same things

Slide 30

we forget that we are a connected species

Slide 31

It's time for the age of collaborative defense

Slide 32

border devices are not enough

Slide 33

AVA

Slide 34

A first generation proof of concept: 3-phase automated human vulnerability scanner

Slide 35

PHASE 1: Know

Slide 36

We don't know what our organisations look like

Slide 37

Human security risk is magnified by connection

Slide 38

Sources: Active Directory, Twitter, LinkedIn, Facebook, Email providers
Collected: People, Identifiers, Groups, Relationships, Data

Slide 39

Location, Time stamps, Sender, Receiver, User agent, friends, contacts, frequency, aliases, profiles, Last login, Pw Expires?, Disabled?, Influence, Admin?

Slide 40

PHASE 2: Test

Slide 41

Threat injection and behaviour monitoring

Slide 42

Attack vectors that mean something: Email, Social Networks, Removable Media, Files and honeypots, SMS

Slide 43

Email attacks that go beyond phishing: Email phishing, Internal request, social, panic, Direct request, External request, favour, authoritative

Slide 44

User generated and publicly sourced attacks

Sample message (the URL may be different on different messages):

Subject: Security Alert: Update Java (*See Kronos Note)
Date: February 22, 2013
**********************************************************
This is an automatically generated message. Please DO NOT REPLY. If you require assistance, please contact the Help Center.
**********************************************************
Oracle has released an update for Java that fixes 50 security holes, including a critical hole currently being exploited in the wild. The IT Security Office strongly recommends that you update Java as

Slide 45

Removing the boundaries between business and personal

Slide 46

Instant, scheduled and recurring
Security fails when it is treated like a special event

Slide 47

Give the option of succeeding and reinforce good behaviours

Slide 48

PHASE 3: Analyse

Slide 49

Behaviour vs. time

Slide 50

Measuring impact of training
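As an added example of the phase 3 analysis on the last two slides (it is not code from the talk or from the AVA project), the block below takes constructed outcome records from simulated test messages, computes acted and report rates per month (behaviour vs. time), compares the rates before and after an assumed training date, and lists users who acted on several tests so they can be supported rather than shamed. The user names, dates, outcome labels and record layout are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample: one record per simulated test message from the "test"
# phase, as (user, campaign date, outcome): "acted" (clicked, opened or
# replied), "ignored", or "reported" (told the security team).
RESULTS = [
    ("alice", date(2015, 1, 12), "acted"),
    ("bob", date(2015, 1, 12), "ignored"),
    ("carol", date(2015, 1, 12), "acted"),
    ("alice", date(2015, 2, 9), "ignored"),
    ("bob", date(2015, 2, 9), "acted"),
    ("carol", date(2015, 2, 9), "reported"),
    ("alice", date(2015, 3, 16), "reported"),
    ("bob", date(2015, 3, 16), "acted"),
    ("carol", date(2015, 3, 16), "reported"),
    ("alice", date(2015, 4, 6), "reported"),
    ("bob", date(2015, 4, 6), "ignored"),
    ("carol", date(2015, 4, 6), "ignored"),
]
TRAINING_DATE = date(2015, 3, 1)  # assumed date of an awareness session

def summarise(rows):
    """Share of test messages acted on and reported within a set of records."""
    n = len(rows)
    acted = sum(1 for r in rows if r[2] == "acted")
    reported = sum(1 for r in rows if r[2] == "reported")
    return {"n": n, "acted_rate": acted / n if n else 0.0,
            "report_rate": reported / n if n else 0.0}

def rates_by_month(results):
    """Behaviour vs. time: acted and report rates per month, oldest first."""
    by_month = defaultdict(list)
    for row in results:
        by_month[(row[1].year, row[1].month)].append(row)
    return {month: summarise(by_month[month]) for month in sorted(by_month)}

def training_impact(results, training_date):
    """Rates before and after a training date, to see whether behaviour moved."""
    before = [r for r in results if r[1] < training_date]
    after = [r for r in results if r[1] >= training_date]
    return {"before": summarise(before), "after": summarise(after)}

def repeat_actors(results, min_actions=2):
    """Users who acted on several tests: for support and reinforcement, not shaming."""
    counts = defaultdict(int)
    for user, _, outcome in results:
        if outcome == "acted":
            counts[user] += 1
    return sorted(u for u, c in counts.items() if c >= min_actions)
```

With the constructed data the acted rate halves and the report rate triples after the training date, which is the kind of shift a recurring programme would look for rather than a one-off score.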

Slide 51

And now for something a little bit different

Slide 52

Bridges, weak links and targeting

Slide 53

Pivoting and propagation

Slide 54

You know what would be fun? Predictive risk behaviour analysis

Slide 55

Technologies
• Django
• PostgreSQL
• Celery
• Redis
• Bootstrap
• Open source
• GPL
• Docker
• Integrates with Exchange, Office 365, AD and Google Apps for Business

Slide 56

The challenges

Slide 57

a public interest security tool

Slide 58

success requires engagement …from everyone

Slide 59

is this even legal?

Slide 60

The law in this space is immature

Slide 61

publicly available
previously known
already published

Slide 62

can we assess human vulnerability on this scale without compromising the privacy of the people we assess?

Slide 63

Privacy is about protecting people: Know, Update, Delete, Ask

Slide 64

yeah, if you could just give me access to all the information you have… that'd be great

Slide 65

No.

Slide 66

AVA Ethics and Privacy Board
Objective, Representative, Independent, Collaborative
new members welcome to apply

Slide 67

Open. Honest. Plain English.

Slide 68

Providing people with the information they need to protect themselves and their privacy

Slide 69

Is this technically possible?

Slide 70

Building new things is hard

Slide 71

Scale that has to be visible

Slide 72

Nobody has time for more appliances

Slide 73

Where next?

Slide 74

From research project to real life: Testing, Continuous Integration, Roadmap development, Feature development

Slide 75

Security culture change as a service?

Slide 76

Ethics board, Developers, Testers, Contribution, Documentation, Sociologists, UX and design

Slide 77

volunteers wanted: safe, consensual human security science

Slide 78

TL;DR
We have a people problem
Attackers will choose the path of least resistance and we are not prepared
AVA is an early alpha prototype
We want a future of continuous human vulnerability assessment
The road ahead is hard: privacy, ethics, momentum, security, scaling and much more

Slide 79

Learn more or get involved
https://github.com/SafeStack/ava (now with docker build)
@avasecure
http://avasecure.com
http://ava.rtfd.org/
[email protected]

Slide 80

Laura Bell, Founder and Lead Consultant - SafeStack
@lady_nerd
[email protected]
http://safestack.io
Questions? #protectyourpeople