Patching your employee’s brain
Pieter Danhieux

WARNING: This is NOT a TECHNICAL talk … or at least not after slide #5

Securing The Human - © 2012 Pieter Danhieux
Agenda

•  Context
•  Patching Humans
•  Top mistakes

Context
•  Operation “Aurora” (2009) - spoofed emails with links to 0day
•  Operation “Night dragon” (2010) – spear phishing executives & remote workers
•  HBGary hack (2011) – social engineering emails
•  RSA (2011) – spoofed email with excel sheet

[Callouts: “Excel sheet with executive salaries!”, “PDF Win-A-Google Nexus 4”]
[Image: Evil attachment: .xls .pdf .docx .ppt]

Targeted Attacks for dummies
1. Generate evil code with Metasploit Framework or use Didier Stevens’ code
     msf > use payload/windows/exec
     msf payload(exec) > set CMD calc
     msf payload(exec) > set EXITFUNC thread
     msf payload(exec) > generate -t vba
2. Copy/Paste VBA code into MS Office Excel document
3. Use Ninja-skills to find a convincing way to deliver the document

[Callout: “Aarrgh. Detected by S****. Now my Demo will fail!!”]

Targeted Attacks for dummies – 2nd Try
1.  Generate evil code with Metasploit Framework or use Didier Stevens’ code
2.  Copy/Paste VBA code into MS Office Excel document
3.  Check whether the AV engines alert during your demo
4.  Spend 10 minutes during the SEC542 class at SANS Belgium to find a workaround and conclude that S***’s fancily named “Heuristic detection system” is based on … string matching.
5.  Use Ninja-skills to find a convincing way to deliver the document

Context
“I clicked on a Friend’s link on Facebook …”

“I opened a PDF from a known sender …”

“I logged into my online banking and it did not work …”

Context
Look for common mistakes in your own organization:
  –  Laptop loss with VPN token and PIN written on a paper
  –  Losing sensitive information in a public place
  –  Sharing passwords when colleagues go on annual leave

Unintentional mistakes … because we humans fail in understanding and identifying insecure situations!

Disclaimer

All characters appearing in this work are fictitious. Any resemblance to real persons, living or dead, is purely coincidental.

Humans fail at evaluating risk
Being killed by a shark
  Threat = evil shark
  Impact = probably death
  Likelihood = 1 in 251 800 800
  0.6 people killed each year in the US

Death by a vending machine (shaking it to get free stuff)
  Threat = evil vending machine
  Impact = R.I.P.
  Likelihood = 1 in 112 000 000
  10 to 13 people killed each year in the US

Sources: http://www.bookofodds.com/content/view/full/252163 and http://www.bookofodds.com/content/view/full/248157

Humans fail at evaluating risk
Could your mother/father/wife/colleague identify the cyber criminal below?




Kristina Svechinskaya: Stole $9Mil with ZeusBot
Gary McKinnon aka Solo: Hacked into 97 US Military and NASA systems
Jonathan James aka c0mrade: Hacked into DTRA (NASA)

Now The Real examples

What we security people want ..

[Cartoon bubble: “Miauwkes! A Security Alert! Let’s notify my good friends at +1800SECURITY and ask what to do”]

What really happens..

[Cartoon bubble: “You f**ing – PUUT – stupid computer – PUUT – how the f*ck – PUUT – do I remove this – PUUT – alert”]
*click* *click* *click*

Humans need patching
Security Awareness is Nr. 7 in Australia’s Intelligence Agency “35 Strategies to Mitigate Targeted Cyber Intrusions”
1.  Understand that everyone can be a target
2.  Teach everyone how to recognize potential attacks at work and at home
3.  Show them how to react and not to react

= An Intrusion Detection/Prevention System with thousands of (sometimes intelligent) sensors

Agenda

•  Context
•  Patching Humans
•  Top mistakes

[Poster grid of awareness topics: Executives, Social Networks, PCI DSS, Soc. Engin., Hacked!, Protecting Kids, PII, IT Staff]

Download for free from
http://www.securingthehuman.org/resources/

Security Awareness Program
•  Define what you want them to understand in the next 6 to 12 months
    –  Less is more
    –  Start with the basics
•  Deliver Key Messages
    –  Induction brochures
    –  Class-room training / “Free lunch” sessions
    –  Computer-based training
•  Reinforce Key Messages
•  Evaluate effectiveness

[Figure: program phases: Promoting Awareness & Change, Long Term Sustainment, Metrics]

Sample 1 Year Program
[Calendar figure, Jan to Dec, with eight numbered campaign slots (1 to 8) and the topics Protecting Kids, Social Networks, Passwords, IT Staff, PCI DSS, Executives and Mobile Devices (two slots), plus an “Induction Program for new employees”]

Deliver Key Message - Example

Reinforce Key Messages
Have your employees come up with a good way to communicate a message …

Reinforce Key Messages




Source: http://mn.gov/oet/support/training/cyber-security-awareness/

Reinforce Key Messages




Source: http://mindfulsecurity.com/2009/10/23/free-passwords-security-awareness-posters/

Evaluate effectiveness
1.  Metrics of the Program
   –  # of people who attended the training or viewed the CBT
   –  Results of employees on quiz questions

2.  Metrics in Operational Processes
   –  # security incidents reported to the helpdesk
   –  # laptop losses with/without passwords
   –  # unescorted visitors
   –  # vulnerabilities in software code
   –  # unpatched systems

Evaluate effectiveness
3.  Metrics by assessing your organization
    –  Get password statistics

[Screenshot of password audit statistics] Source: http://www.l0phtcrack.com

Evaluate effectiveness
3.  Metrics by assessing your organization
   –  Simulate the security threat
       •  Spear phishing on executives
       •  Social Engineering the Helpdesk
       •  Red Team / Blue Team exercises
   –  Learn from the results
       •  Was the attack detected in time?
       •  How was the incident identified?
       •  How did the employee(s) react?
       •  Which technical security controls failed?
       •  Which management processes failed?

[Callout: “77% clicked on obvious malicious links in the email”]

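The assessment metrics on these two slides (password statistics from an audit, a simulated spear-phishing run, and the "learn from the results" questions) only become useful to the program once they are turned into a handful of numbers that can be tracked from one campaign to the next. The Python below is an added example and is not part of the original deck: the password sample, the recipient list, the event log, the `acme` organisation name and the event format (what a phishing landing page and a helpdesk queue would record) are all constructed assumptions. It publishes aggregates only, never the passwords or the names of the people who clicked.

```python
"""Metrics for evaluating a security awareness program (added example).

Not part of the original slide deck: it implements two of the "assess your
organization" metrics from the slides, statistics from a password audit and
the results of a simulated spear-phishing run. Every input below is
constructed; the event format and field names are assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta

# ---------------------------------------------------------------- password audit
# Constructed sample of passwords recovered during an internal audit. A real
# program would feed in the audit tool's output and publish only the aggregates.
AUDIT_SAMPLE = [
    "Summer2012!", "password", "acme2012", "Acme123", "qwerty", "Welcome1",
    "P@ssw0rd", "letmein", "Tr0ub4dor&3", "acmeacme", "Summer2012!", "123456",
]
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "p@ssw0rd"}
ORG_NAME = "acme"  # assumed organisation name, to catch "acme2012"-style choices


def pct(part, whole):
    """Percentage rounded to one decimal; 0.0 when there is nothing to divide by."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def password_stats(passwords, org_name=ORG_NAME, common=COMMON_PASSWORDS):
    """Aggregate weaknesses only; the function never returns a password."""
    total = len(passwords)
    short = sum(1 for p in passwords if len(p) < 8)
    on_list = sum(1 for p in passwords if p.lower() in common)
    org_based = sum(1 for p in passwords if org_name in p.lower())
    # Identical passwords across accounts: each extra copy counts once.
    reused = sum(n - 1 for n in Counter(passwords).values() if n > 1)
    return {
        "total": total,
        "short": short, "short_pct": pct(short, total),
        "common": on_list, "common_pct": pct(on_list, total),
        "org_name": org_based, "org_name_pct": pct(org_based, total),
        "reused": reused,
    }


# ---------------------------------------------------------- phishing simulation
SENT_AT = datetime(2012, 5, 14, 9, 0)  # constructed campaign send time
# Constructed recipient list: user id -> department.
RECIPIENTS = {
    "u01": "Finance", "u02": "Finance", "u08": "Finance",
    "u03": "IT", "u09": "IT",
    "u04": "Sales", "u06": "Sales", "u10": "Sales",
    "u05": "Executives", "u07": "Executives",
}
# Constructed event log: (minutes after send, user id, action). The actions are
# what a landing page and the helpdesk ticket queue would record.
PHISH_EVENTS = [
    (2, "u01", "clicked"),
    (3, "u02", "clicked"),
    (3, "u02", "submitted_credentials"),
    (5, "u03", "reported"),
    (7, "u04", "clicked"),
    (9, "u05", "clicked"),
    (9, "u05", "submitted_credentials"),
    (12, "u06", "reported"),
    (15, "u07", "clicked"),
    (40, "u01", "reported"),  # clicked first, then reported: still a useful sensor
]


def phishing_stats(recipients, events, sent_at):
    """Answer the slide's questions: who clicked, who reported, and how fast."""
    by_action = {}  # action -> set of users who performed it at least once
    first = {}      # action -> minutes after send of the earliest occurrence
    for minutes, user, action in events:
        by_action.setdefault(action, set()).add(user)
        first[action] = min(first.get(action, minutes), minutes)
    clicked = by_action.get("clicked", set())
    submitted = by_action.get("submitted_credentials", set())
    reported = by_action.get("reported", set())

    # Click rate per department shows where the next key message should go.
    dept_total = Counter(recipients.values())
    dept_clicked = Counter(recipients[u] for u in clicked)
    by_department = {d: pct(dept_clicked[d], n) for d, n in dept_total.items()}

    first_report_at = None
    if "reported" in first:
        first_report_at = sent_at + timedelta(minutes=first["reported"])

    return {
        "recipients": len(recipients),
        "clicked": len(clicked), "click_rate": pct(len(clicked), len(recipients)),
        "submitted": len(submitted), "submit_rate": pct(len(submitted), len(recipients)),
        "reported": len(reported), "report_rate": pct(len(reported), len(recipients)),
        "clicked_then_reported": len(clicked & reported),
        "minutes_to_first_click": first.get("clicked"),
        "minutes_to_first_report": first.get("reported"),
        "first_report_at": first_report_at,
        "click_rate_by_department": by_department,
    }


if __name__ == "__main__":
    for name, stats in (("password audit", password_stats(AUDIT_SAMPLE)),
                        ("phishing simulation", phishing_stats(RECIPIENTS, PHISH_EVENTS, SENT_AT))):
        print(f"== {name} ==")
        for key, value in stats.items():
            print(f"{key:>26}: {value}")
```

The gap between `minutes_to_first_click` and `minutes_to_first_report` is the "was the attack detected in time?" number: on the constructed data the first report reaches the helpdesk three minutes after the first click, which is the kind of figure worth charting campaign over campaign. A user who clicks and later reports is counted in both sets on purpose, because that behaviour is exactly what the awareness program is trying to produce.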
Agenda

•  Context
•  Patching Humans
•  Top mistakes

Top mistakes
1.  Consider Security Awareness as a one-off project instead of a continuous program

2.  Execute without thinking or measuring tangible results

3.  Use material that is inappropriate for the organizational culture   [Stamp: AGAIN]

4.  Drive Security Awareness through Compliance / IT Security / Consultants without organizational support

5.  Try to make your employees security experts

Useful resources
•  The SANS Institute – Securing The Human
  http://www.securingthehuman.org

•  ENISA - How To Raise Information Security Awareness
  http://www.enisa.europa.eu/act/ar/deliverables/2010/new-users-guide

•  NIST - SP800-50
  http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf

•  Microsoft – ISATP
  http://technet.microsoft.com/en-us/security/cc165442

•  Mindful Security – Free Cartoons
  http://mindfulsecurity.com

#who am I
$finger
Login: pdanhieux                      Name: Pieter Danhieux
Directory: /geeks/pdanhieux           Shell: /bin/sh
On since 2011 on ttysAustralia
On since 1981 on ttysBelgium (messages off)
Mail at <pdanhieux@gmail.com>
Phone at +61 429 503 077 / skype://pdanhieux
Twitter @PieterDanhieux

$id
uid=501(pdanhieux) gid=20(humans) groups=19(nviso),20(SANS Institute),22(BAE Systems Detica),23(GIAC Security Expert, CISSP),24(BruCON),666(The Hex Factor),1000(Ernst & Young)

$sudo shutdown -h now




                         Securing The Human - © 2012 Pieter Danhieux                                          30

More Related Content

What's hot

Preparing for the Unexpected with The Town of East Haddam, CT
Preparing for the Unexpected with The Town of East Haddam, CTPreparing for the Unexpected with The Town of East Haddam, CT
Preparing for the Unexpected with The Town of East Haddam, CTEverbridge, Inc.
 
Digitale fabriek - I2 - Icms
Digitale fabriek - I2 - IcmsDigitale fabriek - I2 - Icms
Digitale fabriek - I2 - IcmsSirris
 
Nysais presentation may 2010
Nysais presentation may 2010Nysais presentation may 2010
Nysais presentation may 2010Curt Lieneck
 
Exploring the opportunities and pitfalls of new and emerging technologies in ...
Exploring the opportunities and pitfalls of new and emerging technologies in ...Exploring the opportunities and pitfalls of new and emerging technologies in ...
Exploring the opportunities and pitfalls of new and emerging technologies in ...Livingstone Advisory
 
“The impact of digital technologies on human wellbeing.”
“The impact of digital technologies on human wellbeing.” “The impact of digital technologies on human wellbeing.”
“The impact of digital technologies on human wellbeing.” Timothy Bosworth
 
Stefan Decker Keynote at CSHALS
Stefan Decker Keynote at CSHALSStefan Decker Keynote at CSHALS
Stefan Decker Keynote at CSHALSStefan Decker
 
Best Practices for Proactive Disaster Recovery and Business Continuity
Best Practices for Proactive Disaster Recovery and Business ContinuityBest Practices for Proactive Disaster Recovery and Business Continuity
Best Practices for Proactive Disaster Recovery and Business ContinuityReadWrite
 
How to Avoid Anxiety During Emergency Incidents
How to Avoid Anxiety During Emergency IncidentsHow to Avoid Anxiety During Emergency Incidents
How to Avoid Anxiety During Emergency IncidentsEverbridge, Inc.
 
Rob livingstone CIO Strategy Summit - Park Hyatt Melbourne 17th feb 2012
Rob livingstone  CIO Strategy Summit - Park Hyatt Melbourne 17th feb 2012Rob livingstone  CIO Strategy Summit - Park Hyatt Melbourne 17th feb 2012
Rob livingstone CIO Strategy Summit - Park Hyatt Melbourne 17th feb 2012Livingstone Advisory
 
Accenture - Innovation at Work
Accenture - Innovation at WorkAccenture - Innovation at Work
Accenture - Innovation at WorkRobert Casselman
 
Digital Forensics: Yesterday, Today, and the Next Frontier
Digital Forensics: Yesterday, Today, and the Next FrontierDigital Forensics: Yesterday, Today, and the Next Frontier
Digital Forensics: Yesterday, Today, and the Next FrontierThe Lorenzi Group
 
A point of view on digital citizenship essentials
A point of view on digital citizenship essentialsA point of view on digital citizenship essentials
A point of view on digital citizenship essentialsEduwebinar
 

What's hot (14)

Preparing for the Unexpected with The Town of East Haddam, CT
Preparing for the Unexpected with The Town of East Haddam, CTPreparing for the Unexpected with The Town of East Haddam, CT
Preparing for the Unexpected with The Town of East Haddam, CT
 
Digitale fabriek - I2 - Icms
Digitale fabriek - I2 - IcmsDigitale fabriek - I2 - Icms
Digitale fabriek - I2 - Icms
 
Nysais presentation may 2010
Nysais presentation may 2010Nysais presentation may 2010
Nysais presentation may 2010
 
Exploring the opportunities and pitfalls of new and emerging technologies in ...
Exploring the opportunities and pitfalls of new and emerging technologies in ...Exploring the opportunities and pitfalls of new and emerging technologies in ...
Exploring the opportunities and pitfalls of new and emerging technologies in ...
 
“The impact of digital technologies on human wellbeing.”
“The impact of digital technologies on human wellbeing.” “The impact of digital technologies on human wellbeing.”
“The impact of digital technologies on human wellbeing.”
 
ZENDAL BACKUP
ZENDAL BACKUPZENDAL BACKUP
ZENDAL BACKUP
 
Stefan Decker Keynote at CSHALS
Stefan Decker Keynote at CSHALSStefan Decker Keynote at CSHALS
Stefan Decker Keynote at CSHALS
 
Best Practices for Proactive Disaster Recovery and Business Continuity
Best Practices for Proactive Disaster Recovery and Business ContinuityBest Practices for Proactive Disaster Recovery and Business Continuity
Best Practices for Proactive Disaster Recovery and Business Continuity
 
How to Avoid Anxiety During Emergency Incidents
How to Avoid Anxiety During Emergency IncidentsHow to Avoid Anxiety During Emergency Incidents
How to Avoid Anxiety During Emergency Incidents
 
Rob livingstone CIO Strategy Summit - Park Hyatt Melbourne 17th feb 2012
Rob livingstone  CIO Strategy Summit - Park Hyatt Melbourne 17th feb 2012Rob livingstone  CIO Strategy Summit - Park Hyatt Melbourne 17th feb 2012
Rob livingstone CIO Strategy Summit - Park Hyatt Melbourne 17th feb 2012
 
Accenture - Innovation at Work
Accenture - Innovation at WorkAccenture - Innovation at Work
Accenture - Innovation at Work
 
Digital Forensics: Yesterday, Today, and the Next Frontier
Digital Forensics: Yesterday, Today, and the Next FrontierDigital Forensics: Yesterday, Today, and the Next Frontier
Digital Forensics: Yesterday, Today, and the Next Frontier
 
232 a7d01
232 a7d01232 a7d01
232 a7d01
 
A point of view on digital citizenship essentials
A point of view on digital citizenship essentialsA point of view on digital citizenship essentials
A point of view on digital citizenship essentials
 

Viewers also liked

Secure Code Warrior - Cookies and sessions
Secure Code Warrior - Cookies and sessionsSecure Code Warrior - Cookies and sessions
Secure Code Warrior - Cookies and sessionsSecure Code Warrior
 
Secure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injectionSecure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injectionSecure Code Warrior
 
Secure Code Warrior - Issues with origins
Secure Code Warrior - Issues with originsSecure Code Warrior - Issues with origins
Secure Code Warrior - Issues with originsSecure Code Warrior
 
Secure Code Warrior - Secure by default
Secure Code Warrior - Secure by defaultSecure Code Warrior - Secure by default
Secure Code Warrior - Secure by defaultSecure Code Warrior
 
Secure Code Warrior - Unrestricted file upload
Secure Code Warrior - Unrestricted file uploadSecure Code Warrior - Unrestricted file upload
Secure Code Warrior - Unrestricted file uploadSecure Code Warrior
 
Secure Code Warrior - Insufficient data encoding
Secure Code Warrior - Insufficient data encodingSecure Code Warrior - Insufficient data encoding
Secure Code Warrior - Insufficient data encodingSecure Code Warrior
 
Secure Code Warrior - Local storage
Secure Code Warrior - Local storageSecure Code Warrior - Local storage
Secure Code Warrior - Local storageSecure Code Warrior
 
Secure Code Warrior - XQuery injection
Secure Code Warrior - XQuery injectionSecure Code Warrior - XQuery injection
Secure Code Warrior - XQuery injectionSecure Code Warrior
 
Secure Code Warrior - NoSQL injection
Secure Code Warrior - NoSQL injectionSecure Code Warrior - NoSQL injection
Secure Code Warrior - NoSQL injectionSecure Code Warrior
 

Viewers also liked (9)

Secure Code Warrior - Cookies and sessions
Secure Code Warrior - Cookies and sessionsSecure Code Warrior - Cookies and sessions
Secure Code Warrior - Cookies and sessions
 
Secure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injectionSecure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injection
 
Secure Code Warrior - Issues with origins
Secure Code Warrior - Issues with originsSecure Code Warrior - Issues with origins
Secure Code Warrior - Issues with origins
 
Secure Code Warrior - Secure by default
Secure Code Warrior - Secure by defaultSecure Code Warrior - Secure by default
Secure Code Warrior - Secure by default
 
Secure Code Warrior - Unrestricted file upload
Secure Code Warrior - Unrestricted file uploadSecure Code Warrior - Unrestricted file upload
Secure Code Warrior - Unrestricted file upload
 
Secure Code Warrior - Insufficient data encoding
Secure Code Warrior - Insufficient data encodingSecure Code Warrior - Insufficient data encoding
Secure Code Warrior - Insufficient data encoding
 
Secure Code Warrior - Local storage
Secure Code Warrior - Local storageSecure Code Warrior - Local storage
Secure Code Warrior - Local storage
 
Secure Code Warrior - XQuery injection
Secure Code Warrior - XQuery injectionSecure Code Warrior - XQuery injection
Secure Code Warrior - XQuery injection
 
Secure Code Warrior - NoSQL injection
Secure Code Warrior - NoSQL injectionSecure Code Warrior - NoSQL injection
Secure Code Warrior - NoSQL injection
 

Similar to Patching your employee's brain (by NVISO - Pieter Danhieux)

Out of the Blue: Responding to New Zero-Day Threats
Out of the Blue: Responding to New Zero-Day ThreatsOut of the Blue: Responding to New Zero-Day Threats
Out of the Blue: Responding to New Zero-Day ThreatsPeter Wood
 
Security Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent ThreatsSecurity Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent ThreatsPeter Wood
 
Australian CIO Summit 2012: Big Data, New Physics, and Geospatial Super-Food ...
Australian CIO Summit 2012: Big Data, New Physics, and Geospatial Super-Food ...Australian CIO Summit 2012: Big Data, New Physics, and Geospatial Super-Food ...
Australian CIO Summit 2012: Big Data, New Physics, and Geospatial Super-Food ...IT Network marcus evans
 
Physician Office Presentation
Physician Office PresentationPhysician Office Presentation
Physician Office Presentationfranbodh
 
"Thinking diffrent" about your information security strategy
"Thinking diffrent" about your information security strategy"Thinking diffrent" about your information security strategy
"Thinking diffrent" about your information security strategyJason Clark
 
Insider Threats Part 2: Preventing Data Exfiltration with Fidelis Elevate
Insider Threats Part 2: Preventing Data Exfiltration with Fidelis ElevateInsider Threats Part 2: Preventing Data Exfiltration with Fidelis Elevate
Insider Threats Part 2: Preventing Data Exfiltration with Fidelis ElevateFidelis Cybersecurity
 
IMPACT OF REMOTE WORK:NEW THREATS AND SOLUTIONS
IMPACT OF REMOTE WORK:NEW THREATS AND SOLUTIONSIMPACT OF REMOTE WORK:NEW THREATS AND SOLUTIONS
IMPACT OF REMOTE WORK:NEW THREATS AND SOLUTIONSPreetiDevidas
 
Mobile Workplace Risks
Mobile Workplace RisksMobile Workplace Risks
Mobile Workplace RisksParag Deodhar
 
Top Security Trends for 2013
Top Security Trends for 2013Top Security Trends for 2013
Top Security Trends for 2013Imperva
 
Baking Security into the Company Culture (2017)
Baking Security into the Company Culture (2017) Baking Security into the Company Culture (2017)
Baking Security into the Company Culture (2017) Mike Kleviansky
 
Presentation on Fundraising
Presentation on FundraisingPresentation on Fundraising
Presentation on FundraisingFilip Tack
 
FS-ISAC APAC Summit 2017 Singapore - Of Crown Jewels and Data Assets
FS-ISAC APAC Summit 2017 Singapore - Of Crown Jewels and Data AssetsFS-ISAC APAC Summit 2017 Singapore - Of Crown Jewels and Data Assets
FS-ISAC APAC Summit 2017 Singapore - Of Crown Jewels and Data AssetsPuneet Kukreja
 
Information Security Intelligence
Information Security IntelligenceInformation Security Intelligence
Information Security Intelligenceguest08b1e6
 
Pci compliance training agents
Pci compliance training  agentsPci compliance training  agents
Pci compliance training agentsocinc
 
2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target
2010-05 Real Business, Real Threats!  Don't be an Unsuspecting Target 2010-05 Real Business, Real Threats!  Don't be an Unsuspecting Target
2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target Raleigh ISSA
 
Moving beyond Vulnerability Testing
Moving beyond Vulnerability TestingMoving beyond Vulnerability Testing
Moving beyond Vulnerability TestingCapgemini
 
Capture the Flag Exercise Using Active Deception Defense
Capture the Flag Exercise Using Active Deception DefenseCapture the Flag Exercise Using Active Deception Defense
Capture the Flag Exercise Using Active Deception DefenseFidelis Cybersecurity
 

Similar to Patching your employee's brain (by NVISO - Pieter Danhieux) (20)

Out of the Blue: Responding to New Zero-Day Threats
Out of the Blue: Responding to New Zero-Day ThreatsOut of the Blue: Responding to New Zero-Day Threats
Out of the Blue: Responding to New Zero-Day Threats
 
Security Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent ThreatsSecurity Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent Threats
 
Australian CIO Summit 2012: Big Data, New Physics, and Geospatial Super-Food ...
Australian CIO Summit 2012: Big Data, New Physics, and Geospatial Super-Food ...Australian CIO Summit 2012: Big Data, New Physics, and Geospatial Super-Food ...
Australian CIO Summit 2012: Big Data, New Physics, and Geospatial Super-Food ...
 
Physician Office Presentation
Physician Office PresentationPhysician Office Presentation
Physician Office Presentation
 
"Thinking diffrent" about your information security strategy
"Thinking diffrent" about your information security strategy"Thinking diffrent" about your information security strategy
"Thinking diffrent" about your information security strategy
 
Insider Threats Part 2: Preventing Data Exfiltration with Fidelis Elevate
Insider Threats Part 2: Preventing Data Exfiltration with Fidelis ElevateInsider Threats Part 2: Preventing Data Exfiltration with Fidelis Elevate
Insider Threats Part 2: Preventing Data Exfiltration with Fidelis Elevate
 
Security on a budget
Security on a budget Security on a budget
Security on a budget
 
IMPACT OF REMOTE WORK:NEW THREATS AND SOLUTIONS
IMPACT OF REMOTE WORK:NEW THREATS AND SOLUTIONSIMPACT OF REMOTE WORK:NEW THREATS AND SOLUTIONS
IMPACT OF REMOTE WORK:NEW THREATS AND SOLUTIONS
 
Mobile Workplace Risks
Mobile Workplace RisksMobile Workplace Risks
Mobile Workplace Risks
 
Challenges2013
Challenges2013Challenges2013
Challenges2013
 
Top Security Trends for 2013
Top Security Trends for 2013Top Security Trends for 2013
Top Security Trends for 2013
 
Baking Security into the Company Culture (2017)
Baking Security into the Company Culture (2017) Baking Security into the Company Culture (2017)
Baking Security into the Company Culture (2017)
 
Presentation on Fundraising
Presentation on FundraisingPresentation on Fundraising
Presentation on Fundraising
 
FS-ISAC APAC Summit 2017 Singapore - Of Crown Jewels and Data Assets
FS-ISAC APAC Summit 2017 Singapore - Of Crown Jewels and Data AssetsFS-ISAC APAC Summit 2017 Singapore - Of Crown Jewels and Data Assets
FS-ISAC APAC Summit 2017 Singapore - Of Crown Jewels and Data Assets
 
Information Security Intelligence
Information Security IntelligenceInformation Security Intelligence
Information Security Intelligence
 
Pci compliance training agents
Pci compliance training  agentsPci compliance training  agents
Pci compliance training agents
 
Ht t17
Ht t17Ht t17
Ht t17
 
2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target
2010-05 Real Business, Real Threats!  Don't be an Unsuspecting Target 2010-05 Real Business, Real Threats!  Don't be an Unsuspecting Target
2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target
 
Moving beyond Vulnerability Testing
Moving beyond Vulnerability TestingMoving beyond Vulnerability Testing
Moving beyond Vulnerability Testing
 
Capture the Flag Exercise Using Active Deception Defense
Capture the Flag Exercise Using Active Deception DefenseCapture the Flag Exercise Using Active Deception Defense
Capture the Flag Exercise Using Active Deception Defense
 

Patching your employee's brain (by NVISO - Pieter Danhieux)

  • 1. Patching your employee’s brain Pieter Danhieux WARNING: This is NOT a TECHNICAL talk … or at least not after slide #5 Securing The Human - © 2012 Pieter Danhieux 1
  • 2. Agenda •  Context •  Patching Humans •  Top mistakes Securing The Human - © 2012 Pieter Danhieux 2
  • 3. Context •  Operation “Aurora” (2009) - spoofed emails with links to 0day •  Operation “Night dragon” (2010) – spear phishing executives & remote workers •  HBGary hack (2011) – social engineering emails Excel sheet •  RSA (2011) – spoofed email with excel sheet with executive salaries! PDF Win-A- Google Nexus 4 Evil attachment .xls .pdf .docx .ppt Securing The Human - © 2012 Pieter Danhieux 3
  • 4. Targeted Attacks for dummies 1. Generate evil code with Metasploit Framework or use Didier Steven’s code msf > use payload/windows/exec msf payload(exec) > set CMD calc msf payload(exec) > set EXITFUNC thread msf payload(exec) > generate -t vba 2. Copy/Paste VBA code into MS Office Excel document 3. Use Ninja-skills to find a convincing way to deliver the document Aarrgh De t e c t hh. ed by S**** . Now my De mo wi ll fail!! Securing The Human - © 2012 Pieter Danhieux 4
  • 5. Targeted Attacks for dummies – 2nd Try 1.  Generate evil code with Metasploit Framework or use Didier Steven’s code 2.  Copy/Paste VBA code into MS Office Excel document 3.  Check whether the AV engines alert during your demo 4.  Spent 10 minutes during the SEC542 class at SANS Belgium to find a work around and conclude that S***’s fancy named “Heuristic detection system” is based on …. string matching. 5.  Use Ninja-skills to find a convincing way to deliver the document Securing The Human - © 2012 Pieter Danhieux 5
  • 6. Context “I clicked on a Friend’s link on Facebook …” “I opened a PDF from a known sender …” “I logged into my online banking and it did not work …” Securing The Human - © 2012 Pieter Danhieux 6
  • 7. Context Look for common mistakes in your own organization –  Laptop loss with VPN token and PIN written on a paper –  Losing sensitive information in a public place –  Sharing passwords when colleagues go on annual leave Unintentional mistakes … because we humans fail in understanding and identifying insecure situations! Securing The Human - © 2012 Pieter Danhieux 7
  • 8. Disclaimer All characters appearing in this work are fictitious. Any resemblance to real persons, living or dead, is purely coincidental. Securing The Human - © 2012 Pieter Danhieux 8
  • 9. Humans fail at evaluating risk Being killed by a shark Death by a vending machine by shaking it to get free stuff Threat = evil shark Threat = evil vending machine Impact = probably death Impact = R.I.P Likelihood = 1 in 251 800 800 Likelihood = 1 in 112 000 000 0.6 people killed each year in the US 10 to 13 people killed each year in the US Source: http://www.bookofodds.com/content/view/full/252163 Source: http://www.bookofodds.com/content/view/full/248157 Securing The Human - © 2012 Pieter Danhieux 9
  • 10. Humans fail at evaluating risk Could your mother/father/wife/colleague identify the cyber criminal below? Kristina Svechinskaya Gary McKinnon aka Jonathan James aka Stole $9Mil with Solo c0mrade ZeusBot Hacked into 97 US Military Hacked into DTRA and NASA systems (NASA) Securing The Human - © 2012 Pieter Danhieux 10
  • 11. Now The Real examples Securing The Human - © 2012 Pieter Danhieux 11
  • 12. What we security people want .. Miauwkes! A Security Alert! Let’s notify my good friends at +1800SECURITY and ask what to do Securing The Human - © 2012 Pieter Danhieux 12
• 13. What really happens ...
You f**ing – PUUT – stupid computer – PUUT – how the f*ck – PUUT – do I remove this – PUUT – alert *click* *click* *click*
• 14. Humans need patching
Security awareness is Nr. 7 in the "35 Strategies to Mitigate Targeted Cyber Intrusions" of Australia's intelligence agency (the Defence Signals Directorate)
1.  Understand that everyone can be a target
2.  Teach everyone how to recognize potential attacks, at work and at home
3.  Show them how to react and how not to react
= an intrusion detection/prevention system with thousands of (sometimes intelligent) sensors
• 15. Agenda
•  Context
•  Patching Humans
•  Top mistakes
• 16. Awareness topics: Social Networks, Executives, PCI DSS, Social Engineering, Hacked!, Protecting PII, Kids, IT Staff
• 17. Download for free from http://www.securingthehuman.org/resources/
• 18. Security Awareness Program
(Program phases: Promoting Awareness & Change, Long Term Sustainment, Metrics)
•  Define what you want them to understand in the next 6 to 12 months
–  Less is more
–  Start with the basics
•  Deliver key messages
–  Induction brochures
–  Class-room training / "free lunch" sessions
–  Computer-based training
•  Reinforce key messages
•  Evaluate effectiveness
• 19. Sample 1 Year Program
Jan to Jun: Protecting Kids, Social Networks, Passwords
Jul to Dec: IT Staff, Mobile Devices (two sessions), PCI DSS, Executives
All year: Induction program for new employees (sessions 1 to 8)
• 20. Deliver Key Message - Example
• 21. Reinforce Key Messages
Have your employees come up with a good way to communicate a message ...
• 22. Reinforce Key Messages
Source: http://mn.gov/oet/support/training/cyber-security-awareness/
• 23. Reinforce Key Messages
Source: http://mindfulsecurity.com/2009/10/23/free-passwords-security-awareness-posters/
• 24. Evaluate effectiveness
1.  Metrics of the program
–  # of people who attended the training or viewed the CBT
–  Results of employees on quiz questions
2.  Metrics in operational processes
–  # of security incidents reported to the helpdesk
–  # of laptop losses with/without passwords
–  # of unescorted visitors
–  # of vulnerabilities in software code
–  # of unpatched systems
• 25. Evaluate effectiveness
3.  Metrics by assessing your organization
–  Get password statistics
Source: http://www.l0phtcrack.com
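The slide points at l0phtcrack for the raw numbers. As an added illustration (not from the talk, and not l0phtcrack output), the Python below turns a cracker's result list into the statistics an awareness program would actually track over time: cracked share, average length, weak character mix, hits on a common-password list, passwords that contain the account name, and one password shared by several accounts. The result list, the common-password set and the thresholds are constructed for this example.

```python
import re
from collections import Counter

# Constructed cracker output: (account name, recovered password, or None if not cracked).
CRACK_RESULTS = [
    ("alice", "Summer2012"),
    ("bob", "password1"),
    ("carol", "Welcome1"),
    ("dave", "Summer2012"),
    ("erin", None),
    ("frank", "frank123"),
    ("grace", "P@ssw0rd"),
    ("heidi", None),
]

# Assumed small common-password list; a real run would load a full wordlist.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "p@ssw0rd", "123456", "letmein"}

_CLASSES = (re.compile(r"[a-z]"), re.compile(r"[A-Z]"), re.compile(r"\d"), re.compile(r"[^A-Za-z0-9]"))


def char_classes(password: str) -> int:
    """Number of character classes (lower, upper, digit, other) the password uses."""
    return sum(1 for pat in _CLASSES if pat.search(password))


def password_stats(results, common=COMMON_PASSWORDS, min_length=8, min_classes=3) -> dict:
    """Summarise (account, password-or-None) pairs into program metrics."""
    cracked = [(acct, pw) for acct, pw in results if pw is not None]
    passwords = [pw for _, pw in cracked]
    counts = Counter(passwords)
    return {
        "accounts": len(results),
        "cracked": len(cracked),
        "cracked_pct": round(100.0 * len(cracked) / max(len(results), 1), 1),
        "avg_length": round(sum(len(pw) for pw in passwords) / max(len(passwords), 1), 1),
        "too_short": sum(1 for pw in passwords if len(pw) < min_length),
        "too_few_classes": sum(1 for pw in passwords if char_classes(pw) < min_classes),
        "in_common_list": sum(1 for pw in passwords if pw.lower() in common),
        "contains_account_name": sum(1 for acct, pw in cracked if acct.lower() in pw.lower()),
        # accounts whose password is shared with at least one other account
        "reused": sum(n for n in counts.values() if n > 1),
        "most_common": counts.most_common(3),
    }


if __name__ == "__main__":
    for key, value in password_stats(CRACK_RESULTS).items():
        print(f"{key:>22}: {value}")
```

Report the aggregates, never the individual passwords, and rerun the same script after each campaign so the numbers are comparable between quarters.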
• 26. Evaluate effectiveness
3.  Metrics by assessing your organization
–  Simulate the security threat
•  Spear phishing on executives (result: 77% clicked on obvious malicious links in the email)
•  Social engineering the helpdesk
•  Red Team / Blue Team exercises
–  Learn from the results
•  Was the attack detected in time?
•  How was the incident identified?
•  How did the employee(s) react?
•  Which technical security controls failed?
•  Which management processes failed?
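For the spear-phishing simulation, as an added example (not the talk's own tooling), the Python below shows the two pieces a home-grown exercise needs: a per-recipient tracking link whose token is an HMAC of the address, so a curious employee cannot derive a colleague's token from their own, and a parser that turns the web server's access log into the click rate the slide quotes, counting each person once and separating real clicks from guessed tokens and browser noise. The recipient list, the campaign secret, the landing-page hostname and the log lines are all constructed here; the log follows the common Apache access-log layout.

```python
import hashlib
import hmac
import re

# Assumed campaign secret and recipient list; both are constructed for this example.
CAMPAIGN_SECRET = b"constructed-campaign-secret-rotate-per-exercise"
RECIPIENTS = [
    "alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com",
    "erin@example.com", "frank@example.com", "grace@example.com",
]
LANDING = "https://awareness.example.com/t/"   # assumed hostname of the landing page

# One access-log line: ip ident user [timestamp] "GET /t/<token> HTTP/1.x" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /t/(?P<token>[0-9a-f]{16}) HTTP/1\.[01]" (?P<status>\d{3})'
)


def token_for(email: str) -> str:
    """Per-recipient token: HMAC-SHA256 of the normalised address, truncated to 16 hex chars."""
    msg = email.strip().lower().encode()
    return hmac.new(CAMPAIGN_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def tracking_url(email: str) -> str:
    return LANDING + token_for(email)


def click_report(log_text: str, recipients) -> dict:
    """Count each recipient once (first click); ignore noise and tokens we never issued."""
    by_token = {token_for(e): e for e in recipients}
    first_click, unknown = {}, 0
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                      # favicon, scanners, anything that is not a tracking hit
        email = by_token.get(m.group("token"))
        if email is None:
            unknown += 1                  # well-formed token we never issued: probing or a typo
        elif m.group("status") == "200":
            first_click.setdefault(email, m.group("ts"))
    return {
        "sent": len(recipients),
        "clicked": len(first_click),
        "click_rate_pct": round(100.0 * len(first_click) / max(len(recipients), 1), 1),
        "unknown_tokens": unknown,
        "first_clicks": first_click,
    }


def sample_log() -> str:
    """Constructed access log: three recipients click, one of them twice, one token is guessed."""
    t = token_for
    return "\n".join([
        f'203.0.113.7 - - [12/Mar/2012:09:14:02 +1100] "GET /t/{t("alice@example.com")} HTTP/1.1" 200 512',
        f'203.0.113.7 - - [12/Mar/2012:09:14:03 +1100] "GET /favicon.ico HTTP/1.1" 404 209',
        f'198.51.100.23 - - [12/Mar/2012:09:20:45 +1100] "GET /t/{t("bob@example.com")} HTTP/1.1" 200 512',
        f'203.0.113.7 - - [12/Mar/2012:09:31:10 +1100] "GET /t/{t("alice@example.com")} HTTP/1.1" 200 512',
        f'192.0.2.55 - - [12/Mar/2012:10:02:19 +1100] "GET /t/0123456789abcdef HTTP/1.1" 404 209',
        f'198.51.100.40 - - [12/Mar/2012:10:15:00 +1100] "GET /t/{t("carol@example.com")} HTTP/1.1" 200 512',
    ])


if __name__ == "__main__":
    print(tracking_url("alice@example.com"))
    print(click_report(sample_log(), RECIPIENTS))
```

Keep the token-to-person mapping with the assessor only: the program needs the aggregate rate, and the per-person result should feed training, not blame. Rotate the secret for every exercise so tokens from one campaign cannot be replayed into the next.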
• 27. Agenda
•  Context
•  Patching Humans
•  Top mistakes
• 28. Top mistakes
1.  Treat security awareness as a one-off project instead of a continuous program
2.  Execute without thinking or without measuring tangible results
3.  Use material that is inappropriate for the organizational culture
4.  Drive security awareness through Compliance / IT Security / consultants without organizational support
5.  Try to make your employees security experts
• 29. Useful resources
•  The SANS Institute - Securing The Human: http://www.securingthehuman.org
•  ENISA - How To Raise Information Security Awareness: http://www.enisa.europa.eu/act/ar/deliverables/2010/new-users-guide
•  NIST - SP800-50: http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf
•  Microsoft - ISATP: http://technet.microsoft.com/en-us/security/cc165442
•  Mindful Security - Free Cartoons: http://mindfulsecurity.com
• 30. #who am I
$finger
Login: pdanhieux    Name: Pieter Danhieux
Directory: /geeks/pdanhieux    Shell: /bin/sh
On since 2011 on ttysAustralia
On since 1981 on ttysBelgium (messages off)
Mail at <pdanhieux@gmail.com>
Phone at +61 429 503 077 / skype://pdanhieux
Twitter @PieterDanhieux
$id
uid=501(pdanhieux) gid=20(humans) groups=19(nviso),20(SANS Institute),22(BAE Systems Detica),23(GIAC Security Expert, CISSP),24(BruCON),666(The Hex Factor),1000(Ernst & Young)
$sudo shutdown -h now