Developing The Human Firewall
Presentation to RSA Europe 2009

  1. Developing the Human Firewall. Frank Wintle, PanMedia. 20/10/09 | Session ID: PROF-105 | Classification: Intermediate
  2. Agenda: A Journey to the East; It’s not just technology; The power of story; Four rules for happiness
  3. A wilderness of mirrors...
  4. Secrets Betrayed
  5. From first man to fifth?
  6. One author’s theory...
  7. Sex and secrecy
  8. A housewife and mother
  9. Who is the hacker? Who is the spy?
  10. An engineer calls...
  11. ... and checks under the desk
  12. Now wires have ears. “Keystrokes recorded so far is 2706 out of 107250 ... <PWR><CAD>fsmith<tab><tab>arabella <CAD> <CAD> arabella <CAD> <CAD> arabella exit tracert telnet Cisco”
  13. New weapons, new fronts, old battles
  14. Wedded to mystery
  15. A true story?
  16. Nonsense as science
  17. Science as nonsense
  18. Backs to the Facts. “The human mind is less disturbed by a mystery it cannot explain than by an explanation it cannot understand.” David Mamet, The Water Engine
  19. Typical defence: silver bullets. Key features: • Sexy name • Pretty diagrams • Complex technology • Flashing lights • Rack mountable • Reassuringly expensive
  20. The criminal’s approach. Social engineering plus technology: • Phishing • Trojans & rootkits • Laptop theft • In-person intrusion
  21. Why social engineering? • Social engineering can be used to gain access to any system, irrespective of the platform. • It’s the hardest form of attack to defend against because hardware and software alone can’t stop it.
  22. The difficult sell! The money you spent on security products, patching systems and conducting audits could be wasted if you don’t prevent social engineering attacks… You need to invest in Awareness and Policies.
  23. Countermeasures. Countermeasures require action on physical and psychological levels as well as traditional technical controls. Physical: in the workplace, over the phone, dumpster diving, on-line. Psychological: persuasion, impersonation, conformity, friendliness.
  24. Staff awareness. • Educate all employees - everyone has a role in protecting the organisation and thereby their own jobs • If someone tries to threaten them or confuse them, it should raise a red flag • Train new employees as they start • Give extra security training to security guards, help desk staff, receptionists, telephone operators • Keep the training up to date and relevant
  25. Which point of view? “The single most important problem in science is to reconcile the first and third person accounts of the universe...” V S Ramachandran
  26. Third person
  27. First person
  28. Wooing the audience. “I CAN THINK of nothing that an audience won’t understand. The only problem is to interest them; once they are interested, they understand anything in the world.” Orson Welles
  29. Telling the STORY: Once upon a time.... And then one day.... But what they didn’t know.... Climax and resolution
  30. Understanding the mind. “Narrative is the primary human tool for explanation, prediction, evaluation and planning” Mark Thomas, The Narrative Mind. “We live, and call ourselves awake, and make decisions by telling ourselves stories” Julian Jaynes, The Origins of Consciousness
  31. Games with a purpose. EXECUTIVE GAMES COULD HELP STEM CYBERCRIME, FIRST EXPERTS TOLD. Kyoto, Japan – June 30, 2009. Senior executives should play special computer games and watch animations to help them understand the scale of the threat from cyber-crime and win their support for improvements in security, one of Japan’s top Internet protection experts said yesterday at the 21st annual conference of FIRST, the Forum of Incident Response and Security Teams. Dr Suguru Yamaguchi, member and adviser on information security at the Japanese Cabinet Office National Information Security Centre, was giving the opening keynote address at the five-day conference, which got underway at the Hotel Granvia, Kyoto. “We need to find ways to help corporate executives actually to visualize what goes on when a computer network is under attack,” he said. “Just explaining in words isn’t enough – the words are too dense, too technical – what we should do is design special games and animations which will bring the severity of current threats vividly alive in the executives’ imaginations.”
  32. Everyone hates a sermon... “Audiences shrink from sermons…” Akira Kurosawa
  33. Everyone loves a story. “I think that I have made them aware…”
  34. “They just don’t get it...” “We concealed the very things that made us right – our respect for the individual, our love of variety and argument, our belief that you can only govern fairly with the consent of the governed, our capacity to see the other fellow’s point of view... so it wasn’t much wonder, was it, if we opened our gates to every con-man and charlatan?” George Smiley (John Le Carré)
  35. A human firewall
  36. Four rules for a good life: 1. Exercise 2. Love 3. Disdain 4. A project
  37. Need more information? Frank Wintle, PanMedia, @p, +44(0)7850 102194