Getting users to care about security


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Getting users to care about security

  1. 1. Getting Your Usersto Care About Security (It’s not the Kobayashi Maru.) Room 3004, West Hall Presented by Alison Gianotto
  2. 2. Who Am I?Director of Technology/Corporate Security Officer atnoise.We work with brands like JP Morgan, Chase, Intel, EAGames and vitaminwater.Developer/Sysadmin for 16 yearsCrime-fighting social engineer!Penetration tester
  3. 3. This is how your users view computer security. moqA oot products or services. with permission. Not an endorsement of Webr
  4. 4. “Given a choice between adancing bear screen-saver andadhering to a company securitypolicy, the end user is going forthe dancing bear every time”.-- Patrick Gray,host of the Risky Business Podcast, EpisodeRB78: Interview with Geekonomics author
  5. 5. Users don’t careabout securitybecause theydon’t know whythey should.That’s whereyou come in.
  6. 6. Computer Hacking Has Grown Up Years ago, hacking was often done for just fun and bragging rights. Today, hacking is a lucrative industry often backed by organized crime. LOTS of $$$ to be made stealing identities, credit card info, etc. Ever - January 12, 2012Source: DarkGovernment.Com: FBI Warning: Cyber Threat Bigger than
  7. 7. Why Hackers Hack To steal/sell identities, credit card numbers, corporate secrets, military secrets Fun, excitement and/or notoriety Political (“Hacktivism”) Revenge Blackhat SEO
  8. 8. The number of successful network security breaches over the past 12 months (2011) ey, June 2011Source: Ponemon Institute, Juniper Networks Sponsored Surv
  9. 9. “How much did cyber attacks cost your company over the past 12 months?” ey, June 2011Source: Ponemon Institute, Juniper Networks Sponsored Surv
  10. 10. Additional Findings The top two endpoints from which these breaches occurred are employees laptop computers with 34% and employees mobile devices with 29%. ey, June 2011Source: Ponemon Institute, Juniper Networks Sponsored Surv
  11. 11. “My company is too small for anyone to bother with.” Smaller companies are becoming bigger targets because they often don’t have the resources to defend themselves, and can be easily hit by non-selective, broad attacks. hes Declines, Report Says” April 19, 2011Source: Bloomberg, “Data Theft From Computer Security Breac
  12. 12. Social Engineering:The act of manipulating people into performing actionsor divulging confidential information, rather than bybreaking in or using technical cracking techniques.Trickery or deception for the purpose of informationgathering, fraud, or computer system access.In most cases the attacker never comes face-to-facewith the victim.Social Engineering attacks are commonly executedover the phone or through email.
  13. 13. “The human is the new securityperimeter. You can spend a fortune ontechnologies, but attackers will sendone email to one of your employeesand youll be done.Youre only one click away fromcompromise.”-- Eddie Schwartz, CSO at RSACyber attacks: resistance is futile | Sydney Morning Herald.
  14. 14. Meet StanleyMark Rifkin In 1978, Rifkin stole $10.2 million from Security Pacific Bank using social engineering. No violence. No viruses. No malware. The woman who performed the funds transfer at Security Pacific thanked him before hanging up.
  15. 15. “Theres a popular saying that asecure computer is one thatsturned off.Clever, but false: The pretextersimply talks someone into goinginto the office and turning thatcomputer on.”- Kevin Mitnick
  16. 16. The threat landscape has changed.We can not simply throw technology atthe problem.The only long-term solution is to educateusers -- which will require a fundamentalshift in the way we are perceived.And that doesn’t happen by itself.
  17. 17. It’s time for a new job!Because the problem is not solvable throughtechnology alone, our responsibilities nowinclude: Understanding new threats as they emerge Determining which threats can be mitigated through technology, education, or both Explaining the nature of threats to our users in a way that is clear, accurate and meaningful Cutting through Fear, Uncertainty and Doubt (FUD)
  18. 18. It’s not all bad news.These new responsibilities introduce new,creative challenges - that sometimes eveninvolve a little mischief.
  19. 19. What Threats DO Your UsersNeed to Care About? Network security Phishing Privilege escalation Better password practices DDoS attacks Click-jacking/Like-jacking SQL Injection Staying safe on public wifi Cross-Site Scripting Mobile security Zero Day vulnerabilities Social engineering
  20. 20. PhishingPhishing attacks attempt to trickusers into entering their login/credit card/SS#/etc into a fakeversion of a legitimate site so thesensitive data can be saved andused later by the attacker.Many phishing attacks originatefrom e-mails and can be VERYconvincing.
  21. 21. What’s thePoint?Phishers capture logininformation even for non-financial sites because theyknow thatMANY PEOPLE RE-USETHE SAME LOGINS FORMULTIPLE WEBSITES.*cough*Gawker*cough*
  22. 22. PlatformAgnosticSince Phishing scams takeadvantage of vulnerabilities inthe human condition instead ofvulnerabilities in technology,ALL users are at risk, whetherthey are on Mac, PC, Linux, etc.same password for email +forgotten password request=access to hijack any account
  23. 23. Phishing onMobileSmartphone users areparticularly vulnerable tophishing attacks because thebrowser takes up the wholescreen, and doesn’t provide asmuch information about a pageas a desktop browser.This makes it easier to trickusers into thinking the site isreal.
  24. 24. Password Security: Analysis of Most Common Gawker Passwords2516: 123456 318: dragon 255: shadow2188: password 307: trustno1 241: princess1205: 12345678 303: baseball 234: cheese696: qwerty 302: gizmodo498: abc123 300: whatever459: 12345 297: superman441: monkey 276: 1234567413: 111111 266: sunshine385: consumer 266: iloveyou376: letmein 262: [censored]351: 1234 256: starwars
  25. 25. ALL Passwords are CrackableUsing an eight-core Xeon-powered system, Duo Security brute-forced 400,000 password hashes of the 1.3 million stolen fromGawker, cracking the first 200,000 in under an hour.15 of the accounts for which it had cracked password encryptionbelonged to people working at NASA, nine were assigned to usersemployed by Congress, and six belonged to employees of theDepartment of Homeland Security.2009 RockYou hack: “123456" was the most common passwordin the collection posted on the Web by hackers, followed by"12345," "123456789," "password" and "iloveyou"
  26. 26. There is NO excuse for bad passwords anymore.1Password and LastPass both allow you to: generate long, highly random passwords that are unique to each website you log into store the passwords in a database and auto-fill sync that database across your iPhone, iPad, other computers, etc
  27. 27. “Passwords are likeunderwear - theyshould never beshared with friendsand should bechanged often!”
  28. 28. Social MediaMake sure profiles arelocked down so onlyfriends can seepersonal informationTurn OFF geotaggingon images inSmartphones.
  29. 29. LocationServicesBe careful using locationservices such as Foursquare,Facebook Places, etc if yoursocial media accounts areopen to anyone.
  30. 30. So what’s the problem?Many security professionals seem to have given up hope.Many security policies implement techniques that provide theillusion of security but actually make things less secure.(Example: rotating passwords = sticky notes) Identify thesebarriers and look for alternatives that are as secure but lessfrustrating. (Non-rotating password with two-factorauthentication.)Many system administrators have a reputation for beingunapproachable, arrogant or dictatorial. (“You must always do itthis way. Because I said so!”)
  31. 31. It’s time to get creative!We know that old tactics don’t work. So stop. “Insanity: doing thesame thing over and over again and expecting different results.” -Albert EinsteinApproach people as people, not users.Help them understand how these threats affect both at work andtheir personal lives.Use real-life examples, illustrations and analogies. No geek speak.Use humor! Getting people to stay awake through securitypresentations is hard. Making them laugh helps.
  32. 32. SuggestionsRegister a fake domain name that’s similar to your company’sreal domain name. Send around a fake “phishing” email and seewho clicks. (Punycode domains are great for this.)Drop spiked USB drives in the parking lot or hallway, with acheeky reprimand (autorun executable with loud farting noises,for example.)Have a company Wall of Shame (or Hall of Fame). Consider perksfor users who really shine.Position yourself as a security mentor. You are there to helpprotect them and the company.
  33. 33. Measuring SuccessDetermine what your success metrics are at the start.Ask for short evaluations after security presentations. Learnwhere you’re losing or confusing.Encourage users to ASK if they’re not sure. And when they doask, be supportive. Knowing what they don’t know is HUGEprogress.
  34. 34. Great Resources <shamless plug> (coming soon!) </ shameless plug>
  35. 35. Questions? Getin touch!E-mail: snipe@snipe.netTwitter: @snipeyhead
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.