Getting Your Users to Care About Security (It’s not the Kobayashi Maru.) Room 3004, West Hall Presented by Alison Gianotto

Upload: alison-gianotto

Post on 12-May-2015


TRANSCRIPT

Page 1: Getting users to care about security

Getting Your Users to Care About Security

(It’s not the Kobayashi Maru.)

Room 3004, West Hall
Presented by Alison Gianotto

Page 2: Getting users to care about security

Who Am I?

Director of Technology/Corporate Security Officer at noise.

We work with brands like JP Morgan, Chase, Intel, EA Games and vitaminwater.

Developer/Sysadmin for 16 years

Crime-fighting social engineer!

Penetration tester

Page 3: Getting users to care about security

This is how your users view computer security.

Used with permission. Not an endorsement of Webroot products or services. www.youtube.com/watch?v=qgervxMmoqA

Page 4: Getting users to care about security

“Given a choice between a dancing bear screen-saver and adhering to a company security policy, the end user is going for the dancing bear every time”.

-- Patrick Gray, host of the Risky Business Podcast, Episode RB78: Interview with Geekonomics author

Page 5: Getting users to care about security

Users don’t care about security because they don’t know why they should.

That’s where you come in.

Page 6: Getting users to care about security

Computer Hacking Has Grown Up

Years ago, hacking was often done for just fun and bragging rights.

Today, hacking is a lucrative industry often backed by organized crime.

LOTS of $$$ to be made stealing identities, credit card info, etc.

Source: DarkGovernment.Com: FBI Warning: Cyber Threat Bigger than Ever - January 12, 2012

Page 7: Getting users to care about security

Why Hackers Hack

To steal/sell identities, credit card numbers, corporate secrets, military secrets

Fun, excitement and/or notoriety

Political (“Hacktivism”)

Revenge

Blackhat SEO

Page 8: Getting users to care about security

The number of successful network security breaches over the past 12 months (2011)

Source: Ponemon Institute, Juniper Networks Sponsored Survey, June 2011

Page 9: Getting users to care about security

“How much did cyber attacks cost your company over the past 12 months?”

Source: Ponemon Institute, Juniper Networks Sponsored Survey, June 2011

Page 10: Getting users to care about security

Source: Ponemon Institute, Juniper Networks Sponsored Survey, June 2011

Additional Findings

The top two endpoints from which these breaches occurred are employees' laptop computers with 34% and employees' mobile devices with 29%.

Page 11: Getting users to care about security

“My company is too small for anyone to bother with.”

Smaller companies are becoming bigger targets because they often don’t have the resources to defend themselves, and can be easily hit by non-selective, broad attacks.

Source: Bloomberg, “Data Theft From Computer Security Breaches Declines, Report Says” April 19, 2011

Page 12: Getting users to care about security

Social Engineering:

The act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques.

Trickery or deception for the purpose of information gathering, fraud, or computer system access.

In most cases the attacker never comes face-to-face with the victim.

Social Engineering attacks are commonly executed over the phone or through email.

Page 13: Getting users to care about security

“The human is the new security perimeter. You can spend a fortune on technologies, but attackers will send one email to one of your employees and you'll be done.

You're only one click away from compromise.”

-- Eddie Schwartz, CSO at RSA. “Cyber attacks: resistance is futile”, Sydney Morning Herald.

Page 14: Getting users to care about security

Meet Stanley Mark Rifkin

In 1978, Rifkin stole $10.2 million from Security Pacific Bank using social engineering.

No violence. No viruses. No malware.

The woman who performed the funds transfer at Security Pacific thanked him before hanging up.

Page 15: Getting users to care about security

“There's a popular saying that a secure computer is one that's turned off. Clever, but false: The pretexter simply talks someone into going into the office and turning that computer on.”

- Kevin Mitnick

Page 16: Getting users to care about security

The threat landscape has changed.

We cannot simply throw technology at the problem.

The only long-term solution is to educate users -- which will require a fundamental shift in the way we are perceived.

And that doesn’t happen by itself.

Page 17: Getting users to care about security

It’s time for a new job!

Because the problem is not solvable through technology alone, our responsibilities now include:

Understanding new threats as they emerge

Determining which threats can be mitigated through technology, education, or both

Explaining the nature of threats to our users in a way that is clear, accurate and meaningful

Cutting through Fear, Uncertainty and Doubt (FUD)

Page 18: Getting users to care about security

It’s not all bad news. These new responsibilities introduce new, creative challenges - that sometimes even involve a little mischief.

Page 19: Getting users to care about security

What Threats DO Your Users Need to Care About?

Network security

Privilege escalation

DDoS attacks

SQL Injection

Cross-Site Scripting

Zero Day vulnerabilities

Phishing

Better password practices

Click-jacking/Like-jacking

Staying safe on public wifi

Mobile security

Social engineering

Page 20: Getting users to care about security

Phishing

Phishing attacks attempt to trick users into entering their login/credit card/SS#/etc into a fake version of a legitimate site so the sensitive data can be saved and used later by the attacker.

Many phishing attacks originate from e-mails and can be VERY convincing.

Page 21: Getting users to care about security

What’s the Point?

Phishers capture login information even for non-financial sites because they know that MANY PEOPLE RE-USE THE SAME LOGINS FOR MULTIPLE WEBSITES.

*cough*Gawker*cough*

Page 22: Getting users to care about security

Platform Agnostic

Since Phishing scams take advantage of vulnerabilities in the human condition instead of vulnerabilities in technology, ALL users are at risk, whether they are on Mac, PC, Linux, etc.

Same password for email + forgotten password request = access to hijack any account.

Page 23: Getting users to care about security

Phishing on Mobile

Smartphone users are particularly vulnerable to phishing attacks because the browser takes up the whole screen, and doesn’t provide as much information about a page as a desktop browser.

This makes it easier to trick users into thinking the site is real.

Page 24: Getting users to care about security

Password Security: Analysis of Most Common Gawker Passwords

Count   Password
2516    123456
2188    password
1205    12345678
696     qwerty
498     abc123
459     12345
441     monkey
413     111111
385     consumer
376     letmein
351     1234
318     dragon
307     trustno1
303     baseball
302     gizmodo
300     whatever
297     superman
276     1234567
266     sunshine
266     iloveyou
262     [censored]
256     starwars
255     shadow
241     princess
234     cheese

Page 25: Getting users to care about security

ALL Passwords are Crackable

Using an eight-core Xeon-powered system, Duo Security brute-forced 400,000 password hashes of the 1.3 million stolen from Gawker, cracking the first 200,000 in under an hour.

15 of the accounts for which it had cracked password encryption belonged to people working at NASA, nine were assigned to users employed by Congress, and six belonged to employees of the Department of Homeland Security.

2009 RockYou hack: “123456” was the most common password in the collection posted on the Web by hackers, followed by “12345”, “123456789”, “password” and “iloveyou”.

Page 26: Getting users to care about security

There is NO excuse for bad passwords anymore.

1Password and LastPass both allow you to:

generate long, highly random passwords that are unique to each website you log into

store the passwords in a database and auto-fill

sync that database across your iPhone, iPad, other computers, etc
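The three password slides above (the Gawker frequency table, the note that every weak password is crackable, and the recommendation to use a generated, unique password per site) can be tied together in a few lines of code. The following is an added example, not code from the talk or from any of the products it names: it tallies a leaked password list the way the Gawker analysis was done, rejects new passwords that appear on that published list (the defensive use of such data), and generates the kind of long random password a manager like 1Password or LastPass would store. The sample dump is constructed for the example; the denylist is the slide's own Gawker top list; the 12-character minimum and the function names are assumptions.

```python
import secrets
import string
from collections import Counter

# Constructed sample dump for the example (NOT real Gawker data): one password per line.
SAMPLE_DUMP = """123456
password
123456
letmein
123456
password
trustno1
qwerty
123456
Tr0ub4dor&3
"""

def most_common_passwords(dump_text, top_n=5):
    """Tally a leaked-password list the way the slide's Gawker analysis was done.
    Returns [(count, password), ...] sorted by count, highest first."""
    counts = Counter(line.strip() for line in dump_text.splitlines() if line.strip())
    return [(n, pw) for pw, n in counts.most_common(top_n)]

# Denylist built from the Gawker top-25 shown on the slide (the censored entry omitted).
# A production system would load a much larger published list.
GAWKER_TOP = {
    "123456", "password", "12345678", "qwerty", "abc123", "12345", "monkey",
    "111111", "consumer", "letmein", "1234", "dragon", "trustno1", "baseball",
    "gizmodo", "whatever", "superman", "1234567", "sunshine", "iloveyou",
    "starwars", "shadow", "princess", "cheese",
}

def password_is_acceptable(candidate, denylist=GAWKER_TOP, min_length=12):
    """Signup/reset check: refuse short passwords and anything on the known-common
    list. The comparison is case-insensitive so 'TrustNo1' is refused as well.
    Returns (accepted, reason)."""
    if len(candidate) < min_length:
        return False, "too short"
    if candidate.lower() in denylist:
        return False, "appears in a published breach list"
    return True, "ok"

def generate_password(length=20):
    """Generate a long, high-entropy password of the kind a password manager
    stores and auto-fills. secrets.choice draws from the OS CSPRNG, not random()."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    for count, pw in most_common_passwords(SAMPLE_DUMP):
        print(f"{count:5d}: {pw}")
    for candidate in ("superman", "TrustNo1", "correct horse battery staple"):
        print(candidate, "->", password_is_acceptable(candidate, min_length=4))
    print("generated:", generate_password())
```

Running the script prints the tally of the constructed dump (123456 on top, as in every real leak), shows the denylist refusing the Gawker entries regardless of letter case, and prints a fresh 20-character password each run.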

Page 27: Getting users to care about security

“Passwords are like underwear - they should never be shared with friends and should be changed often!”

Page 28: Getting users to care about security

Social Media

Make sure profiles are locked down so only friends can see personal information

Turn OFF geotagging on images in Smartphones.

Page 29: Getting users to care about security

Location Services

Be careful using location services such as Foursquare, Facebook Places, etc if your social media accounts are open to anyone.

Page 30: Getting users to care about security

So what’s the problem?

Many security professionals seem to have given up hope.

Many security policies implement techniques that provide the illusion of security but actually make things less secure (example: rotating passwords = sticky notes). Identify these barriers and look for alternatives that are as secure but less frustrating (for example, a non-rotating password with two-factor authentication).

Many system administrators have a reputation for being unapproachable, arrogant or dictatorial. (“You must always do it this way. Because I said so!”)

Page 31: Getting users to care about security

It’s time to get creative!

We know that old tactics don’t work. So stop. “Insanity: doing the same thing over and over again and expecting different results.” - Albert Einstein

Approach people as people, not users.

Help them understand how these threats affect both their work and their personal lives.

Use real-life examples, illustrations and analogies. No geek speak.

Use humor! Getting people to stay awake through security presentations is hard. Making them laugh helps.

Page 32: Getting users to care about security

Suggestions

Register a fake domain name that’s similar to your company’s real domain name. Send around a fake “phishing” email and see who clicks. (Punycode domains are great for this.)

Drop spiked USB drives in the parking lot or hallway, with a cheeky reprimand (autorun executable with loud farting noises, for example.)

Have a company Wall of Shame (or Hall of Fame). Consider perks for users who really shine.

Position yourself as a security mentor. You are there to help protect them and the company.

Page 33: Getting users to care about security

Measuring Success

Determine what your success metrics are at the start.

Ask for short evaluations after security presentations. Learn where you’re losing or confusing.

Encourage users to ASK if they’re not sure. And when they do ask, be supportive. Knowing what they don’t know is HUGE progress.

Page 34: Getting users to care about security

Great Resources

http://www.securingthehuman.org

http://www.social-engineer.org/

http://stopthinkconnect.org/

<shameless plug>http://www.moresecure.us (coming soon!)</shameless plug>

Page 35: Getting users to care about security

Questions? Get in touch!

E-mail: [email protected]

Twitter: @snipeyhead

http://www.snipe.net