Getting Your Users to Care About Security (It’s not the Kobayashi Maru.)
Room 3004, West Hall. Presented by Alison Gianotto

Who Am I?
Director of Technology/Corporate Security Officer at noise. We work with brands like JP Morgan, Chase, Intel, EA Games and vitaminwater.
Developer/Sysadmin for 16 years. Crime-fighting social engineer! Penetration tester.
This is how your users view computer security.
[Video: www.youtube.com/watch?v=qgervxM. Used with permission. Not an endorsement of Webroot products or services.]
“Given a choice between a dancing bear screen-saver and adhering to a company security policy, the end user is going for the dancing bear every time.”
-- Patrick Gray, host of the Risky Business Podcast, Episode RB78: Interview with Geekonomics author

Users don’t care about security because they don’t know why they should. That’s where you come in.
Computer Hacking Has Grown Up
Years ago, hacking was often done just for fun and bragging rights. Today, hacking is a lucrative industry often backed by organized crime. LOTS of $$$ to be made stealing identities, credit card info, etc.
Source: DarkGovernment.Com, “FBI Warning: Cyber Threat Bigger than Ever”, January 12, 2012

Why Hackers Hack
- To steal/sell identities, credit card numbers, corporate secrets, military secrets
- Fun, excitement and/or notoriety
- Political (“Hacktivism”)
- Revenge
- Blackhat SEO

[Chart: The number of successful network security breaches over the past 12 months (2011).]
Source: Ponemon Institute, Juniper Networks Sponsored Survey, June 2011

[Chart: “How much did cyber attacks cost your company over the past 12 months?”]
Source: Ponemon Institute, Juniper Networks Sponsored Survey, June 2011

Additional Findings
The top two endpoints from which these breaches occurred are employees’ laptop computers with 34% and employees’ mobile devices with 29%.
Source: Ponemon Institute, Juniper Networks Sponsored Survey, June 2011

“My company is too small for anyone to bother with.”
Smaller companies are becoming bigger targets because they often don’t have the resources to defend themselves, and can be easily hit by non-selective, broad attacks.
Source: Bloomberg, “Data Theft From Computer Security Breaches Declines, Report Says”, April 19, 2011
Social Engineering:
The act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques. Trickery or deception for the purpose of information gathering, fraud, or computer system access.
In most cases the attacker never comes face-to-face with the victim. Social engineering attacks are commonly executed over the phone or through email.

“The human is the new security perimeter. You can spend a fortune on technologies, but attackers will send one email to one of your employees and you’ll be done. You’re only one click away from compromise.”
-- Eddie Schwartz, CSO at RSA. “Cyber attacks: resistance is futile”, Sydney Morning Herald.

Meet Stanley Mark Rifkin
In 1978, Rifkin stole $10.2 million from Security Pacific Bank using social engineering. No violence. No viruses. No malware.
The woman who performed the funds transfer at Security Pacific thanked him before hanging up.

“There’s a popular saying that a secure computer is one that’s turned off. Clever, but false: the pretexter simply talks someone into going into the office and turning that computer on.”
-- Kevin Mitnick

The threat landscape has changed. We cannot simply throw technology at the problem.
The only long-term solution is to educate users -- which will require a fundamental shift in the way we are perceived. And that doesn’t happen by itself.
It’s time for a new job!
Because the problem is not solvable through technology alone, our responsibilities now include:
- Understanding new threats as they emerge
- Determining which threats can be mitigated through technology, education, or both
- Explaining the nature of threats to our users in a way that is clear, accurate and meaningful
- Cutting through Fear, Uncertainty and Doubt (FUD)

It’s not all bad news.
These new responsibilities introduce new, creative challenges - that sometimes even involve a little mischief.

What Threats DO Your Users Need to Care About?
- Network security
- Phishing
- Privilege escalation
- Better password practices
- DDoS attacks
- Click-jacking/Like-jacking
- SQL Injection
- Staying safe on public wifi
- Cross-Site Scripting
- Mobile security
- Zero Day vulnerabilities
- Social engineering
Phishing
Phishing attacks attempt to trick users into entering their login/credit card/SS#/etc. into a fake version of a legitimate site so the sensitive data can be saved and used later by the attacker.
Many phishing attacks originate from e-mails and can be VERY convincing.

What’s the Point?
Phishers capture login information even for non-financial sites because they know that MANY PEOPLE RE-USE THE SAME LOGINS FOR MULTIPLE WEBSITES.
*cough* Gawker *cough*

Platform Agnostic
Since phishing scams take advantage of vulnerabilities in the human condition instead of vulnerabilities in technology, ALL users are at risk, whether they are on Mac, PC, Linux, etc.
Same password for email + forgotten password request = access to hijack any account.

Phishing on Mobile
Smartphone users are particularly vulnerable to phishing attacks because the browser takes up the whole screen, and doesn’t provide as much information about a page as a desktop browser. This makes it easier to trick users into thinking the site is real.
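The phishing slides describe fake versions of legitimate sites, and the later suggestions slide mentions look-alike and punycode domains. The following is an added example (not part of the talk) of the kind of hostname triage a help desk or mail filter can run on a reported link: it decodes punycode labels back to what the user sees, flags labels that mix Unicode scripts (a Cyrillic “а” inside a Latin brand name), flags a trusted brand name used only as a subdomain, and flags typo-squats within a small edit distance of a trusted domain. The `TRUSTED_DOMAINS` allow-list and all URLs below are constructed sample values.

```python
"""Lookalike-hostname checks for phishing triage (added example, not from the talk)."""
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list: the domains the organisation actually owns or trusts (assumption).
TRUSTED_DOMAINS = {"paypal.com", "example-corp.com"}


def decode_host(host: str) -> str:
    """Turn punycode (xn--) labels back into the Unicode the user actually sees."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            label = label.encode("ascii").decode("idna")
        labels.append(label)
    return ".".join(labels)


def scripts_in(label: str) -> set:
    """Unicode script names (LATIN, CYRILLIC, GREEK, ...) of the letters in one label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typo-squats such as paypa1.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_url(url: str) -> list:
    """Return human-readable findings; an empty list means a trusted host or nothing suspicious."""
    host = decode_host(urlsplit(url).hostname or "")
    labels = host.split(".")
    # The last two labels approximate the registrable domain; production code
    # should consult the Public Suffix List instead (co.uk, com.au, ...).
    registrable = ".".join(labels[-2:])
    if registrable in TRUSTED_DOMAINS:
        return []
    findings = []
    if any(ord(ch) > 127 for ch in host):
        findings.append("non-ascii hostname")
    for label in labels:
        if len(scripts_in(label)) > 1:
            findings.append(f"mixed-script label: {label}")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in labels[:-2]:
            findings.append(f"trusted brand '{brand}' used as a subdomain of {registrable}")
        if 0 < edit_distance(registrable, trusted) <= 2:
            findings.append(f"lookalike of {trusted}")
    return findings


if __name__ == "__main__":
    # Constructed sample links a user might report.
    for sample in [
        "https://www.paypal.com/login",
        "https://p\u0430ypal.com/login",          # Cyrillic 'а' in place of Latin 'a'
        "https://paypa1.com/signin",              # digit 1 for letter l
        "https://paypal.com.evil.example/",       # brand as subdomain
        "http://xn--bcher-kva.ch/",               # punycode for bücher.ch
    ]:
        print(sample, "->", analyze_url(sample) or "no findings")
```

The script is deliberately conservative: a host on the allow-list produces no findings, and everything else is reported as findings for a human to read rather than as a block decision.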
ALL Passwords are Crackable
Using an eight-core Xeon-powered system, Duo Security brute-forced 400,000 password hashes of the 1.3 million stolen from Gawker, cracking the first 200,000 in under an hour.
15 of the accounts for which it had cracked password encryption belonged to people working at NASA, nine were assigned to users employed by Congress, and six belonged to employees of the Department of Homeland Security.
2009 RockYou hack: “123456" was the most common password in the collection posted on the Web by hackers, followed by "12345," "123456789," "password" and "iloveyou".

There is NO excuse for bad passwords anymore.
1Password and LastPass both allow you to:
- generate long, highly random passwords that are unique to each website you log into
- store the passwords in a database and auto-fill
- sync that database across your iPhone, iPad, other computers, etc.

“Passwords are like underwear - they should never be shared with friends and should be changed often!”
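To put numbers behind the two password slides above, here is an added example (not from the talk) that does what a password manager or a sign-up form should do on the defender’s side: generate a long, uniformly random password with a cryptographic RNG, express its strength in bits, estimate how long a keyspace takes to exhaust at an assumed guess rate, and reject passwords that appear in a leaked-password list even after the usual “P@ssw0rd” substitutions. The `COMMON_PASSWORDS` set holds only the five RockYou entries named on the slide (a real check would load a full breach list), and the guess rate in the demo is an assumed round number, not a figure from the Duo Security result.

```python
"""Password hygiene helpers (added example, not from the talk)."""
import math
import secrets
import string

# The five most common RockYou passwords named on the slide; a real deployment
# would load a full breach corpus here instead of this constructed sample.
COMMON_PASSWORDS = {"123456", "12345", "123456789", "password", "iloveyou"}

# Fold common leet-speak substitutions so "P@ssw0rd" is recognised as "password".
_LEET = str.maketrans("@$013!45", "asoieias")

# Full printable ASCII alphabet, as a password manager would use by default.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def normalize(password: str) -> str:
    """Lower-case and un-leet a password before the breach-list lookup."""
    return password.lower().translate(_LEET)


def is_common(password: str) -> bool:
    """True if the folded password is in the leaked-password set."""
    return normalize(password) in COMMON_PASSWORDS


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every password in a keyspace of 2**bits at the given rate."""
    return 2.0 ** bits / guesses_per_second


def generate_password(length: int = 20, alphabet: str = FULL_ALPHABET) -> str:
    """Generate a password with the CSPRNG-backed `secrets` module, as a password manager does."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def check_password(password: str, min_length: int = 12) -> list:
    """Return the reasons a password should be rejected; an empty list means it passes."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if is_common(password):
        reasons.append("matches a known leaked password")
    if password.isdigit():
        reasons.append("digits only")
    return reasons


if __name__ == "__main__":
    rate = 1e9  # assumed guesses per second for illustration only
    for label, length, size in [("8 lowercase letters", 8, 26), ("20 printable ASCII chars", 20, len(FULL_ALPHABET))]:
        bits = entropy_bits(length, size)
        years = seconds_to_exhaust(bits, rate) / (365 * 24 * 3600)
        print(f"{label}: {bits:.1f} bits, {years:.2e} years to exhaust at {rate:.0e}/s")
    for pw in ["P@ssw0rd", "1l0v3y0u", "1234567890123", generate_password()]:
        print(repr(pw), "->", check_password(pw) or "ok")
```

The contrast the demo prints is the point of the slide: an eight-character lowercase password has about 37.6 bits and is exhausted in minutes at the assumed rate, while a 20-character password from the full printable alphabet has about 131 bits, which is why manager-generated passwords change the economics for an attacker even when the hash file leaks.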
Social Media
Make sure profiles are locked down so only friends can see personal information.
Turn OFF geotagging on images in smartphones.

Location Services
Be careful using location services such as Foursquare, Facebook Places, etc. if your social media accounts are open to anyone.
So what’s the problem?
Many security professionals seem to have given up hope.
Many security policies implement techniques that provide the illusion of security but actually make things less secure. (Example: rotating passwords = sticky notes.) Identify these barriers and look for alternatives that are as secure but less frustrating. (Non-rotating password with two-factor authentication.)
Many system administrators have a reputation for being unapproachable, arrogant or dictatorial. (“You must always do it this way. Because I said so!”)

It’s time to get creative!
We know that old tactics don’t work. So stop. “Insanity: doing the same thing over and over again and expecting different results.” - Albert Einstein
Approach people as people, not users.
Help them understand how these threats affect both their work and their personal lives.
Use real-life examples, illustrations and analogies. No geek speak.
Use humor! Getting people to stay awake through security presentations is hard. Making them laugh helps.

Suggestions
Register a fake domain name that’s similar to your company’s real domain name. Send around a fake “phishing” email and see who clicks. (Punycode domains are great for this.)
Drop spiked USB drives in the parking lot or hallway, with a cheeky reprimand (autorun executable with loud farting noises, for example).
Have a company Wall of Shame (or Hall of Fame). Consider perks for users who really shine.
Position yourself as a security mentor. You are there to help protect them and the company.

Measuring Success
Determine what your success metrics are at the start.
Ask for short evaluations after security presentations. Learn where you’re losing or confusing people.
Encourage users to ASK if they’re not sure. And when they do ask, be supportive. Knowing what they don’t know is HUGE progress.