Getting users to care about security
0 likes1,182 views
This document discusses how to educate users about cybersecurity threats and why they should care about security. It notes that users don't care about security now because they don't understand the threats. It provides examples of common threats like phishing, social engineering, and weak passwords. It suggests getting creative with education methods like using humor, real-life examples, and gamification. The goal is to approach users as people, not just teach technical details, and help them understand security impacts their personal and work lives. Measuring success includes getting feedback and encouraging questions to identify what users don't understand yet.
![Password Security:
Analysis of Most Common Gawker
Passwords
2516: 123456 318: dragon 255: shadow
2188: password 307: trustno1 241: princess
1205: 12345678 303: baseball 234: cheese
696: qwerty 302: gizmodo
498: abc123 300: whatever
459: 12345 297: superman
441: monkey 276: 1234567
413: 111111 266: sunshine
385: consumer 266: iloveyou
376: letmein 262: [censored]
351: 1234 256: starwars](https://image.slidesharecdn.com/it871-getting-users-to-care-about-security-desktop-key-120127153504-phpapp02/85/Getting-users-to-care-about-security-24-320.jpg)
Getting users to care about security
- 1. Getting Your Users to Care About Security (It’s not the Kobayashi Maru.) Room 3004, West Hall Presented by Alison Gianotto
- 2. Who Am I? Director of Technology/Corporate Security Officer at noise. We work with brands like JP Morgan, Chase, Intel, EA Games and vitaminwater. Developer/Sysadmin for 16 years Crime-fighting social engineer! Penetration tester
- 3. This is how your users view computer security. moqA oot products or services. www.youtube.com/watch?v=qgervxM Used with permission. Not an endorsement of Webr
- 4. “Given a choice between a dancing bear screen-saver and adhering to a company security policy, the end user is going for the dancing bear every time”. -- Patrick Gray, host of the Risky Business Podcast, Episode RB78: Interview with Geekonomics author
- 5. Users don’t care about security because they don’t know why they should. That’s where you come in.
- 6. Computer Hacking Has Grown Up Years ago, hacking was often done for just fun and bragging rights. Today, hacking is a lucrative industry often backed by organized crime. LOTS of $$$ to be made stealing identities, credit card info, etc. Ever - January 12, 2012 Source: DarkGovernment.Com: FBI Warning: Cyber Threat Bigger than
- 7. Why Hackers Hack To steal/sell identities, credit card numbers, corporate secrets, military secrets Fun, excitement and/or notoriety Political (“Hacktivism”) Revenge Blackhat SEO
- 8. The number of successful network security breaches over the past 12 months (2011) ey, June 2011 Source: Ponemon Institute, Juniper Networks Sponsored Surv
- 9. “How much did cyber attacks cost your company over the past 12 months?” ey, June 2011 Source: Ponemon Institute, Juniper Networks Sponsored Surv
- 10. Additional Findings The top two endpoints from which these breaches occurred are employees' laptop computers with 34% and employees' mobile devices with 29%. ey, June 2011 Source: Ponemon Institute, Juniper Networks Sponsored Surv
- 11. “My company is too small for anyone to bother with.” Smaller companies are becoming bigger targets because they often don’t have the resources to defend themselves, and can be easily hit by non-selective, broad attacks. hes Declines, Report Says” April 19, 2011 Source: Bloomberg, “Data Theft From Computer Security Breac
- 12. Social Engineering: The act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques. Trickery or deception for the purpose of information gathering, fraud, or computer system access. In most cases the attacker never comes face-to-face with the victim. Social Engineering attacks are commonly executed over the phone or through email.
- 13. “The human is the new security perimeter. You can spend a fortune on technologies, but attackers will send one email to one of your employees and you'll be done. You're only one click away from compromise.” -- Eddie Schwartz, CSO at RSA Cyber attacks: resistance is futile | Sydney Morning Herald.
- 14. Meet Stanley Mark Rifkin In 1978, Rifkin stole $10.2 million from Security Pacific Bank using social engineering. No violence. No viruses. No malware. The woman who performed the funds transfer at Security Pacific thanked him before hanging up.
- 15. “There's a popular saying that a secure computer is one that's turned off. Clever, but false: The pretexter simply talks someone into going into the office and turning that computer on.” - Kevin Mitnick
- 16. The threat landscape has changed. We can not simply throw technology at the problem. The only long-term solution is to educate users -- which will require a fundamental shift in the way we are perceived. And that doesn’t happen by itself.
- 17. It’s time for a new job! Because the problem is not solvable through technology alone, our responsibilities now include: Understanding new threats as they emerge Determining which threats can be mitigated through technology, education, or both Explaining the nature of threats to our users in a way that is clear, accurate and meaningful Cutting through Fear, Uncertainty and Doubt (FUD)
- 18. It’s not all bad news. These new responsibilities introduce new, creative challenges - that sometimes even involve a little mischief.
- 19. What Threats DO Your Users Need to Care About? Network security Phishing Privilege escalation Better password practices DDoS attacks Click-jacking/Like-jacking SQL Injection Staying safe on public wifi Cross-Site Scripting Mobile security Zero Day vulnerabilities Social engineering
- 20. Phishing Phishing attacks attempt to trick users into entering their login/ credit card/SS#/etc into a fake version of a legitimate site so the sensitive data can be saved and used later by the attacker. Many phishing attacks originate from e-mails and can be VERY convincing.
- 21. What’s the Point? Phishers capture login information even for non- financial sites because they know that MANY PEOPLE RE-USE THE SAME LOGINS FOR MULTIPLE WEBSITES. *cough*Gawker*cough*
- 22. Platform Agnostic Since Phishing scams take advantage of vulnerabilities in the human condition instead of vulnerabilities in technology, ALL users are at risk, whether they are on Mac, PC, Linux, etc. same password for email + forgotten password request= access to hijack any account
- 23. Phishing on Mobile Smartphone users are particularly vulnerable to phishing attacks because the browser takes up the whole screen, and doesn’t provide as much information about a page as a desktop browser. This makes it easier to trick users into thinking the site is real.
- 24. Password Security: Analysis of Most Common Gawker Passwords 2516: 123456 318: dragon 255: shadow 2188: password 307: trustno1 241: princess 1205: 12345678 303: baseball 234: cheese 696: qwerty 302: gizmodo 498: abc123 300: whatever 459: 12345 297: superman 441: monkey 276: 1234567 413: 111111 266: sunshine 385: consumer 266: iloveyou 376: letmein 262: [censored] 351: 1234 256: starwars
- 25. ALL Passwords are Crackable Using an eight-core Xeon-powered system, Duo Security brute- forced 400,000 password hashes of the 1.3 million stolen from Gawker, cracking the first 200,000 in under an hour. 15 of the accounts for which it had cracked password encryption belonged to people working at NASA, nine were assigned to users employed by Congress, and six belonged to employees of the Department of Homeland Security. 2009 RockYou hack: “123456" was the most common password in the collection posted on the Web by hackers, followed by "12345," "123456789," "password" and "iloveyou"
- 26. There is NO excuse for bad passwords anymore. 1Password and LastPass both allow you to: generate long, highly random passwords that are unique to each website you log into store the passwords in a database and auto-fill sync that database across your iPhone, iPad, other computers, etc
- 27. “Passwords are like underwear - they should never be shared with friends and should be changed often!”
- 28. Social Media Make sure profiles are locked down so only friends can see personal information Turn OFF geotagging on images in Smartphones.
- 29. Location Services Be careful using location services such as Foursquare, Facebook Places, etc if your social media accounts are open to anyone.
- 30. So what’s the problem? Many security professionals seem to have given up hope. Many security policies implement techniques that provide the illusion of security but actually make things less secure. (Example: rotating passwords = sticky notes) Identify these barriers and look for alternatives that are as secure but less frustrating. (Non-rotating password with two-factor authentication.) Many system administrators have a reputation for being unapproachable, arrogant or dictatorial. (“You must always do it this way. Because I said so!”)
- 31. It’s time to get creative! We know that old tactics don’t work. So stop. “Insanity: doing the same thing over and over again and expecting different results.” - Albert Einstein Approach people as people, not users. Help them understand how these threats affect both at work and their personal lives. Use real-life examples, illustrations and analogies. No geek speak. Use humor! Getting people to stay awake through security presentations is hard. Making them laugh helps.
- 32. Suggestions Register a fake domain name that’s similar to your company’s real domain name. Send around a fake “phishing” email and see who clicks. (Punycode domains are great for this.) Drop spiked USB drives in the parking lot or hallway, with a cheeky reprimand (autorun executable with loud farting noises, for example.) Have a company Wall of Shame (or Hall of Fame). Consider perks for users who really shine. Position yourself as a security mentor. You are there to help protect them and the company.
- 33. Measuring Success Determine what your success metrics are at the start. Ask for short evaluations after security presentations. Learn where you’re losing or confusing. Encourage users to ASK if they’re not sure. And when they do ask, be supportive. Knowing what they don’t know is HUGE progress.
- 34. Great Resources http://www.securingthehuman.org http://www.social-engineer.org/ http://stopthinkconnect.org/ <shamless plug>http://www.moresecure.us (coming soon!) </ shameless plug>
- 35. Questions? Get in touch! E-mail: snipe@snipe.net Twitter: @snipeyhead http://www.snipe.net