This document discusses security awareness training conducted by Michael Woolard. It provides links to security talks and presentations he has given. It then describes the organization he works for and security awareness events he held including Derbycon, Louisville InfoSec, and Bsides Las Vegas presentations. It outlines a Hack.Jam event for his company that included OWASP training, games, and a capture the flag competition. Feedback from the event was very positive with participants wanting to participate again next year. It concludes by mentioning the use of Kahoot for future security awareness training.
6. Org: ~335 employees
275 in Richfield
Technology: ~155
117 in Richfield
30 in Columbus
8 in Poland
7. …enterprise app developers
admit security is not a core
priority.
…developers are not
incentivized to make
security a priority
53 percent of developers
said they have used
shortcuts or put temporary
solutions in place in order
to get their app out
November 10, 2015
http://www.scmagazine.com/report-half-of-developers-rush-apps-to-market-consumers-trust-security/article/452844/
8. The Role of Security in
Application Development
[Bar chart, horizontal axis 0% to 45%; categories shown: What security? / After Production Deploy / At Developers Discretion]
https://www.sans.org/reading-room/whitepapers/analyst/survey-application-security-programs-practices-35150
https://www.sans.org/reading-room/whitepapers/analyst/2015-state-application-security-closing-gap-35942
14. The Lecture is Dead as a Teaching Tool
- Bill Gardner / Valarie Thomas
Building an Information Security Awareness Program
18. Sept 9, 2015 – OWASP CLE
“Tools and Procedures for Securing .NET Applications”
We Build .NET Web Applications
OWASP Protects Web Applications
19. “That sounds great!”
“Thanks Mike, I will let you know who will be there”
AUGUST
SEPTEMBER 9th, 2015
ONE person from my company attended – Me.
“Perfectly falls in line with the
other training you have been
working on with the teams”
22. Hack.Jam v1
Events / Games / Training - all month
• OWASP Top 10 Demo/Training
• OWASP Proactive Controls
• Screensaver Game
• Crypto Puzzles
• Lockpicking at Lunch
• (WIFI – Stolen Passwords)
Grand event held October 28th
Main Event: Broken Web App CTF
Locksport Tournament
Mini Games (USB, Crypto)
Social Engineering discussion
Screensaver results
Prizes / Candy / Popcorn!!
28. y ensi DtlaW- nwonk reve
evah Ina mowyn a naht erom
esuoM yekci MevolI
Hint:
kcuDdl anoD => Donald Duck
Winner : $10 Starbucks
Answer:
I love Mickey Mouse more than any
woman I have ever known. -Walt Disney
32. Screensaver Game
Winner: $25 Amazon GC
2nd Place: $10 Subway / $10 Regal Cinema
• 312 submissions from 56 people
• 97 Individuals were caught
o 80 people were nabbed between 1-5 times
o 15 people were nabbed between 6-12 times
o 2 people were nabbed 19 times
• 10 Managers were caught 29 times
• 3 Directors were caught 4 times
35. “So, Amanda and Jeremy just
walked behind me into the
executive kitchen and all of a
sudden Jeremy yelled ‘oh no’ and
literally raced by me and
disappeared! Amanda and I
thought something bad had
happened … turned out he left
his monitor on and raced back to
turn it off per your
instructions! When I questioned
him he said he may be taking it to
extremes and I said I thought that
he was!! I told him you would be
proud of him! You’ve created a
monster – he said he loves games!”
47. Survey Monkey
75% stayed the entire time
85% said they are interested in playing in a game
next year after they didn’t this year
100% Do It Again!
“definitely more engaging to learn about security
through these events than through lectures. 10/10
would sign up again.”
50. OEConnection LLC, Company Confidential. Not for disclosure.
MICHAEL WOOLARD
http://wooly6bear.wordpress.com
Michael.Woolard@outlook.com
@WOOLY6BEAR
Editor's Notes
It doesn’t have to be expensive. $10 here, $25 there. I gave away in total $290 between 16 prizes. I reached out to my HR and pulled some training and even budgets. I contacted a security organization in the Cleveland area, SecureState, and laid everything out. They were on board.
Hack.Jam cost me about $600 to put on, not terrible. For some, doable if you budget. For others it is a drop in the bucket and you can get more and do it bigger.