Eradicating the human problem

Transcript

1. ERADICATING THE HUMAN PROBLEM Laura Bell @lady_nerd [email protected]

2. People are a problem. We are tangled balls of emotional

   detritus that masquerades as a trusted member of society. Underneath this lacquered veneer of respectability however writhes a tiny pink squishy ball of vulnerability - the root of all evil, well the root of security issues anyway. Let me tell you a story, let me bend your brain and make you feel uncomfortable. I want to show you why we are all our own worst enemies, why we should never ever be trusted and security people are the worst of them all.

3. this talk MIGHT make you feel uncomfortable

4. I want you to feel uncomfortable

5. This is a talk about vulnerability

6. we are comfortable when we talk about technical vulnerability

7. we do not empathise or sympathise with machines they are

   tangible, inanimate objects.

8. technology is only part of the security picture technology people

   process

9. technical systems are: reviewed scanned penetration tested

10. processes are audited

11. What about People?

12. in short, we are failing

13. how Do we measure vulnerability in people?

14. short answer (Spoiler) we don't

15. and related to this how do we structure and plan

    how to defend them?

16. we watch video training or e-learning we make posters we

    tick boxes

17. We shame the human victims of human security attacks* *while

    secretly doing the exact same things

18. This is not how people learn Just go ask the

    education and psychology communities

19. WE LET children fall so that they can learn to

    stand REINFORCING BEHAVIOURS LEAD TO POSITIVE CHANGE

20. we don't give people opportunities to fail safely before an

    actual attack

21. why don't WE actively assess and test our human security

    risk?

22. we don't test because it’s too easy

23. people can’t be taught people are lazy people are stupid

24. s/people/we/g

25. we don't test because it makes us feel uncomfortable because

    we don't want people to get hurt because it’s hard BECAUSE WE DON’T KNOW HOW TO FIX IT because we don't want people to get fired

26. Vulnerability leads to physical and psychological pain

27. we don’t want to face our own vulnerability

28. human vulnerability is natural

29. it has roots in emotion fear and love – oh

    yeah, the fluffy stuff

30. fear of rejection fear of exposure fear of physical harm

    fear of loss

31. love

32. the need to be seen the need to be accepted

    the need to be loved the need to be liked

33. is it better to avoid testing the vulnerabilities in our

    people so they don't get hurt?

34. is it better to safely test and understand these vulnerabilities

    so that our people can get stronger, learn and become more resilient?

35. can we assess human vulnerability without victimizing the people we

    assess?

36. yes Let me show you how

37. Ava first generation proof of concept 3- phase automated human

    vulnerability scanner

38. Know PHASE 1

39. We don’t know what our organisations look like

40. Human security risk is magnified by connection

41. Active Directory Twitter LinkedIn Facebook Email providers People Identifiers Groups

    Relationships Data

42. Location Time stamps Sender Receiver User agent friends contacts frequency

    aliases profiles Last login Traffic rate Pw Expires? Disabled? Influence

43. Test PHASE 2

44. Threat injection and behaviour monitoring + =

45. Attack vectors that mean something Email Social Networks Removable Media

    Files and honeypots SMS

46. Email attacks that go beyond phishing Email phishing Internal request

    social panic Direct request External request favour authoritative

47. The URL may be different on different messages. Subject: Security

    Alert: Update Java (*See Kronos Note) Date: February 22, 2013 *********************************************************** ************* This is an automatically generated message. Please DO NOT REPLY. If you require assistance, please contact the Help Center. *********************************************************** ************* Oracle has released an update for Java that fixes 50 security holes, including a critical hole currently being exploited in the wild. The IT Security Office strongly recommends that you update Java as User generated and publicly sourced attacks

48. Removing the boundaries between business and personal

49. Instant, scheduled and recurring Security fails when it is treated

    like a special event

50. Give the option of succeeding and reinforce good behaviours

51. analyse PHASE 3

52. Cascades are interesting

53. Behaviour Vs. time

54. Measuring impact of training

55. You know what would be fun? Predictive risk behaviour analysis

56. Bridges, weak links and targeting

57. Pivoting

58. Technologies •Django •Postgresql •Celery •Redis •Bootstrap

59. None
60. None

61. This talk should make you feel uncomfortable The humans are

    a problem Let’s do something about it

62. Want to Come and play? SafeStack is hiring in 2015

63. Questions? Laura Bell @lady_nerd [email protected] Massive thanks feabell, Paula H,

    lucilu, sharrow, overburden