Effective user training

Too often user training gets a bad rep in the information security industry. Too often this is because training is done extremely poorly. In this presentation I show that training works, can be effective, and give suggestions for putting together a good training program.

Published in: Technology

Slide 1: Users: Your First Line of Defense
Ari Elias-Bachrach, Defensium llc
May 2014
http://bit.ly/effective_training

Slide 2: About Me
Ari Elias-Bachrach
● Application Security nerd, training instructor
● Former pen tester
● Former infosec engineer
● Wanted to increase my impact on security
● Make CBTs
● Trainer
● Develop e-learning classes

Slide 3: This Talk Will Cover Effective Training For Non-Security Personnel
Why We Do Training
How To Give Advice
Make Training Relevant
Use Social Psychology

Slide 4: Why We Do Training

Slide 5: Attackers Are Targeting End Users More
Source: 2014 Verizon Data Breach Investigations Report

Slide 6: Technical Problems Have Technical Solutions. Non-Technical Problems Have Non-Technical Solutions.

Slide 7: Training Works
Source: Threatsim, 2013 State of the Phish

Slide 8: Training Works
Source: 2013 Verizon Data Breach Investigations Report

Slide 9: How To Give Advice

Slide 10: Give Positive Advice.
Instead of telling people what NOT to do, tell them what to do.
Negative: No Running In the House!
Positive: In The House We Walk

Slide 11: The Security Industry Gives Advice Mostly in the Negative Form
"Don't click the link": 1,500,000 results
"Report a phishing email": 54,400 results

Slide 12: The Security Industry Gives Advice Mostly in the Negative Form
"Cross Site Scripting": 2,710,000 results
"Output Encoding": 110,000 results

Slide 13: Give Positive Advice
Common security advice:
- Don't click the link
- Don't use "product"
- Don't use easily guessable passwords
- Don't have any of these vulnerabilities

Slide 14: Give Positive Advice
Good security advice:
- When you get a phishing email....
- Use "other product"
- To make a good password...
- Code in the following way....

Slide 15: Training Needs to be Relevant

Slide 16: Pick Your Topics Based on Real Needs
What causes our IT incidents here?
➢ Phishing attacks?
➢ SQL injection?
➢ Viruses coming in through sneakernet?
➢ Loss/theft of laptops and smartphones?

Slide 17: Training Needs to be Relevant
Don't Rely on Gimmicks – Focus on Concrete Things People See

Slide 18: Training Needs to be Relevant
Don't Rely on Gimmicks – Focus on Concrete Things People See

Slide 19: Training Needs to be Relevant
Don't Rely on Gimmicks – Focus on Concrete Things People See
A day in the life (times and events as listed on the slide, paired in order):
8:00   Get to work and hold door open for "coworker"
10:30  Write some code for a new web application
12:00  Get an email from the helpdesk with instructions to fill out a form
2:00   Discuss work over lunch in restaurant
5:00   Go home. Leave desk unlocked

Slide 20: Do Not Teach Them The Language of Security, We Need to Speak Their Language
256 pages

Slide 21: Do Not Teach Them The Language of Security, We Need to Speak Their Language
Security language   → Their language
Vulnerability       → Bug
SQL Injection       → Prepared Statement
Confidentiality     → Eavesdrop
AES Encrypted       → Protected

Slide 22: Use Social Psychology – There are Six Factors of Influence
1) Reciprocity
2) Commitment
3) Social Proof
4) Liking
5) Authority
6) Scarcity

Slide 23: Reciprocity – A Person Feels Like They're Repaying A Favor

Slide 24: Commitment – Once Committed to a Position, People Stick to it
Source: Yes: 50 Scientifically Proven Ways to Be Persuasive, Noah J. Goldstein

Slide 25: Commitment – Once Committed to a Position, People Stick to it
Click-through doesn't do much. If you can get people to read and sign a physical document, especially in a group, they're publicly supporting the position.

Slide 26: Commitment – Once Committed to a Position, People Stick to it
Do you think that the security of our data is important? Why?

Slide 27: Commitment – Asking Questions Can Force a Person To Commit to a Position
Compare these 3 options:
1) If you get a phishing email, please call the help desk.
2) The next time you get a phishing email, will you call the service desk?
3) The next time you get a phishing email, what will you do?

Slide 28: Liking – People are More Likely To Be Influenced By People They Like
People like people who:
● Look like them
● Are attractive
● Make them feel good (compliments, etc.)
Not really possible for infosec to use this, right? :-)

Slide 29: One Way to Make A Department More Likeable is To Humanize it.
Source: petrelocation.com

Slide 30: One Way to Make A Department More Likeable is To Humanize it.
Who should this email be sent from?
1) The IT Security department
2) A person

Slide 31: Social Proof – Do What Everyone Else is Doing
People do what they perceive everyone else to be doing.

Slide 32: Social Proof – Do What Everyone Else is Doing
"Last year our company had 237 incidents caused by people using weak passwords."
"Last year our company had 37 incidents caused by people clicking on links in phishing emails."
These statements are actually detrimental!

Slide 33: Social Proof – Do What Everyone Else is Doing
"In a company audit, we found that 95% of our employees are using strong passwords."
"Last year we received 25,000 phishing emails, of which 99% were caught by the spam filter or ignored by the recipients."
These are much better.

Slide 34: Authority – Some People's Positions Are Influential
Source: Rusch, Jonathan. The "Social Engineering" of Internet Fraud
Nurses were told to:
● Via an order over the phone
● Administer an unauthorized drug
● Above the maximum dosage
● From a doctor they'd never heard of
95% did as they were told.

Slide 35: Authority – Some People's Positions Are Influential
Who is an authority where you work?
● Manager
● VP
● CEO
● IT Department

Slide 36: Scarcity – People Are More Likely To Want Something Perceived as Scarce
While supplies last! Act now! This offer ends soon! Sale ends...

Slide 37: Conclusion
Why We Do Training
How To Give Advice
Make Training Relevant
Use Social Psychology

Slide 38: Further Reading
To Sell is Human (Dan Pink)
Predictably Irrational (Dan Ariely)
Influence (Robert Cialdini)

Slide 39: CSRF: Not All Defenses Are Created Equal
Ari Elias-Bachrach
ari@defensium.com
@angelofsecurity
Defensium llc
http://www.defensium.com