In this talk, Aaron Zander, Head of IT at HackerOne, discusses the philosophy of dealing with people who take security shortcuts, or "Desire Paths", in your organization. This is the deck accompanying the speech given at Oktane 2019.
Embracing the Kanyes of your Organization
1. Embracing the Kanyes of Our Organization
Or What IT Can Learn From Urban Planners
2. About Zander
Mononymous just like Kanye
Loves IT automation and long walks on the beach
Believes “Employee Experience” is only as real as the people behind it
Strives to make Security accessible to all employees
21. What Went Wrong?
● We build to a security or compliance goal
● We forget about the end user
● We fight against Desire Paths instead of Embracing them
22. It’s not US vs THEM, we all need to work together to stay secure
32. SSO or No Go
● SAML, SCIM, and Deprovisioning: the sexiest words to HackerOne IT
● Negotiate HARD when companies charge the SSO Tax
33. 2 Passwords 2 Secure
● Laptop Password
● Password Manager password
● Encourage STUPID long passwords for Okta
34. MFA All The Things
● Never SMS
● Skip Google Authenticator
● Start Push Based MFA
● Okta Verify
● Duo
● Yubikey
● Open Source tools
35. Updates Are Your Job
● Push Updates with MDM
● Gate Access on Software Versions
● Schedule Your Updates like a Meeting
36. Compliance
● Not all Compliance Standards are Rigid
● Auditors Want to Work WITH You
● Guidelines Evolve, Evolve With Them
● Don’t Die on Every Hill, Pick Your Battles
IT for more than a decade
Directory-less since 2015
I like to build organizations that can grow fast with trust, automation and efficiency
I actually really like my HR department
1300 customers all around the world
330,000 hackers, from every walk of life
46 million paid in bounties to those hackers over our lifetime, paid by people like you
Over 100,000 vulnerabilities found and reported on HackerOne
Those are 100,000 nightmares if they get out. Not only is the data private, but if it gets out, it doesn’t just impact HackerOne, it impacts all of our customers too.
So we have a company filled with people of different backgrounds; how does that relate to this guy?
We work with hackers around the world to give them a place to use their skills for good. We work with companies like all of yours to give them a safe place to receive these vulnerabilities.
We’ve grown in size from 60 people to over 200 in a little less than 18 months
Unlike most security companies, we don’t hire people with only security experience; we have to train and instill a security culture in those who might not have seen it before.
We’ve all seen this, right?
Kanye
White House
000000000
Kanye’s Security Friction Threshold is Low
Pause for laughs (I hope)
We all laughed at this, but how many of our colleagues and coworkers are just like Kanye?
Maybe he is your Kanye
Or is this exec your Kanye?
But what is Kanye doing? Apple nudged people to 6-digit passcodes, especially with biometrics, so why is his passcode all zeros?
He took a shortcut.
When lots of people take a shortcut it starts to get noticed; it becomes a Desire Path.
No matter how well and elegantly we build our rules and security processes, if there’s an easier path users will take it.
Sometimes people love it so much they preserve it under any condition.
I call this the “documentation” step. When a cut corner enters your wiki, it’s now your user onboarding.
A lot of the time it’s because we wanted to try and protect people, so we created a roadblock, but all it did was make us look silly
When we create security procedures without the end user in mind, we're creating the opportunities for users to cut corners.
Employee Enablement ensures IT gets the right feedback, and we work with the goal of strengthening us all equally.
We can’t just put up a sign and hope for results. Again, we just end up looking silly and no one will really stop.
We have to shift to meet our users
Urban Planners spend time analyzing these paths and use them to make the world they control BETTER
WE can and should do the same
Sometimes we need to make a small fix, a small investment. For example:
● better timeouts on sessions
● working on better education
Sometimes we have to provide safety to an existing process, like:
● taking ownership of a Shadow IT purchase
● buying the SSO tier of an app marketing bought
● working with a vendor for sales to have better audit tools
Sometimes we need to embrace a larger, more serious project. This takes serious cost, timing and planning. For example:
● moving to BeyondCorp
● going in the deep end with SSO
We need to create the most linear path possible to accelerate users from Point A to Point B, not just straightening the trajectory but speeding it up.
So what do we do at HackerOne? We’ve spent a lot of time trying to take out as many hurdles as possible.
Passphrases
We encourage 64-character passwords for Mac users for Okta so they become addicted to a password manager
Skip SMS
Skip Google Authenticator or any other TOTP tool
Copy/pasting codes is the worst; people hate it
The circle of anxiety
waiting forever for slow SMS
"Dyslexia" (spell it with letters jumbled on purpose)
Move to push-based MFA/U2F tokens
everyone understands "tap the push notification"
no copy paste
better logging
easier recovery
We push updates with our MDM 1-2 weeks after EVERY OS update
If you don’t update in time, forced updates can interrupt meetings; we can’t stop the update
We use Duo to block users who are out of date from our apps
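As an added example of the gating described above (not HackerOne's or Duo's code): a small policy evaluator that works out the minimum OS version required once the deck's 1-2 week grace window has passed, allows devices inside the window, and blocks devices below the required version. The release versions and dates are constructed sample data, and the 14-day window is an assumption standing in for "1-2 weeks".

```python
from dataclasses import dataclass
from datetime import date, timedelta

GRACE_DAYS = 14  # assumption: the deck's "1-2 weeks" window, modelled as 14 days


def parse_version(v: str) -> tuple:
    """'13.5.1' -> (13, 5, 1); tuples compare numerically, so 13.10 > 13.9."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Release:
    version: str    # OS version string, e.g. "13.5.1"
    released: date  # day the vendor shipped it (constructed sample data below)


def required_version(releases, today: date) -> str:
    """Newest release whose grace period has expired; devices must be at least this.
    Before any release is due, "0" means nothing is enforced yet."""
    due = [r for r in releases if today >= r.released + timedelta(days=GRACE_DAYS)]
    if not due:
        return "0"
    return max(due, key=lambda r: parse_version(r.version)).version


def access_decision(device_version: str, releases, today: date) -> dict:
    """Gate outcome plus a reason string suitable for the access log."""
    required = required_version(releases, today)
    newest = max(releases, key=lambda r: parse_version(r.version)).version
    if parse_version(device_version) >= parse_version(required):
        behind = parse_version(device_version) < parse_version(newest)
        reason = "behind but inside grace window" if behind else "current"
        return {"allow": True, "required": required, "reason": reason}
    return {"allow": False, "required": required,
            "reason": f"device on {device_version}, policy requires {required}"}


# Constructed sample release history and evaluation days (not real vendor dates)
RELEASES = [
    Release("13.4", date(2023, 5, 18)),
    Release("13.5", date(2023, 6, 1)),
    Release("13.5.1", date(2023, 6, 12)),
]
EARLY_DAY = date(2023, 5, 20)  # before any grace window has expired
DEMO_DAY = date(2023, 6, 20)   # 13.5 is due, 13.5.1 is still inside its window

if __name__ == "__main__":
    for v in ("13.4", "13.5", "13.5.1"):
        print(v, access_decision(v, RELEASES, DEMO_DAY))
```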
Compliance is frequently about documenting and proving you have controls, not that you have a SPECIFIC setup or setting
Work with your auditors; don’t assume they know everything about your org. Ask questions
NIST guidelines change, but they aren’t the ONLY option either
You can fight every single audit inquiry, but try and fight the ones that matter, and point out the stupid ones
Special thanks
99% Invisible
r/desirepaths
My PR team for encouraging me to write an article about something so silly
Kanye West and his stupidity