
PACKET HACKING VILLAGE - Rethinking Role Based Security Education


Formal Metadata

Title: PACKET HACKING VILLAGE - Rethinking Role Based Security Education
Number of Parts: 322
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract: How do we scale a deeper level of security awareness training without sacrificing efficacy? This talk will explore strategies and tactics for developing security education based on employees' roles, access, and attack surface while designing not only for efficiency but also for effectiveness. By prioritizing the highest-risk teams, pooling teams to collaboratively threat-model, and contextualizing universal truths of security hygiene to those threat models, we can deliver training that leverages employees' roles, fosters retention via active participation, and eases the burden on trainers within the security team. Attendees will walk away with a roadmap for building scalable, contextual, and collaborative role-based employee security education within their organizations.
Transcript: English (auto-generated)
...it is my pleasure to introduce to you Kat Sweet. Is that good? Can you hear me? Okay, still good? There. Lav mics were not made for things that don't have collars.

So good morning. I will warn you in advance, I have a cold and so I'm feeling a little drained, but I'm sure some of you were out late last night, so hopefully between the two of us we form one competent human. So yeah, thank you for the introduction, Bing, thank you for having me here. I'm Kat Sweet, I'm an information security analyst at Duo Security. I've been there for about a year. I will not be answering any probing questions about Cisco's intent to acquire Duo.

A big part of my job is security education internally for employees at Duo, and this is often a topic that people think is an exercise in futility. The prevailing wisdom seems to be that security education is a binary: it can either exist as effective yet inefficient training for a really small population, or efficient yet ineffective training for a large population, automate all the things. So I want to talk about success stories of delivering role-based security education that goes more in depth than the basics and helps us scale up effective training, sort of champagne security ed on a lemonade budget, which I'm guessing a lot of us have. So not just going for efficiency but actually going for something that's going to be effective for change. But I also want to make sure I give us a chance to hold space and talk about security education in general, and I'm happy to answer questions. We have a mic here and we're a pretty small crowd, so I want to try and make this somewhat interactive. If I lose my voice I'll keep going; I've got water, the best water six dollars can buy on the Strip. I'm happy to take questions at any point and at the end about security education, about how we've done it, about how I see it outside of work.

So, just by show of hands, how many of you are responsible for various security education things at work? Oh wow, a lot of you, cool. How many of you feel you have enough resources to do that effectively? So for those in the front, that was like four hands. We're recorded, so I'll repeat back shout-outs, but what are some of the problems you are trying to solve in your internal security education? Yeah. Engagement. Engagement. Usability. Retention. Retention, yes, oh my god, how do they remember what they just got thrown at them one minute later? Compliance.
Compliance, yes. Security education is a compliance requirement for a lot of people. Yes. Generating interest. Generating interest, yeah. How do you get them to actually be engaged in a thing that they have to go to? Yeah. Maintaining that across a huge site, basically problems of scale at a huge company, yeah. Cool.

And some of the challenges come down to having enough resources for that. Every year SANS does this study; basically they put out a report on the state of security awareness. Oh, sorry, mic. The biggest challenges are time and resources to devote to security education, awareness and outreach. They're consistently lacking. Another problem is that training is often really generic, and so there's that problem of how do you get people engaged? It's not contextual to employees' roles, particularly when the training is outsourced. When it's not homegrown, you're thinking, okay, what does this have to do with me and my company and my role, when it's just this canned message about, yeah, don't click shit. I mean, don't click shit, but sometimes you have to click shit. Sometimes it's your job to click shit. And scaling is often addressed via over-automation.

When this more in-depth, tailored, contextual, role-based training beyond the basics does exist, a really common split is to group employees into just a few buckets: upper management, technical teams, and everyone else, and sometimes just technical teams and everyone else. So regardless of where the lines are drawn, each team oftentimes just ends up receiving training separately, and the everyone-else bucket is a big bucket. This can lead to some further scaling challenges. Developing curricula specific to each role or each team, or each level of sensitive information that people deal with, takes a lot of time and resources. Sorry. Is that better? The mic keeps going in and out. One second. I'm wondering if I'm bumping anything. Alright. If anyone is hacking packets, don't hack these packets. Actually, I don't think this is a very smart mic. What's that? Please note to be hacking this packet. Anyway.

So important focus areas get overlooked. For example, technical teams might focus on just the OWASP Top 10 training, really application-security specific, but nothing about threat modeling or basic OPSEC. I think maybe the back is tying in this. Can we maybe get an AV person? Thank you so much. Sorry about that. I apparently didn't make a sacrifice to the demo gods this morning. Cool. So, okay, there are a lot of challenges out there in the education
landscape. So how do we address them? Where do we start? We have to think about what problem you are trying to solve. My manager always tries to map everything that we do back to: what problem are we trying to solve? So we are trying to enable the business. We're trying to protect our company so that the company can succeed. And so we need to think about what are our assets? What is the information we deal with? What is the highest risk? Who are the people who deal with the information that is the most sensitive, that would have the most detrimental impact if it were to be made unavailable or compromised or leaked? Start with those high-risk roles.

We can also think about pooling multiple groups, a mix of technical teams across all seniority levels. We don't necessarily need to break our management away; pool them together, even if they're dealing with different information. Oh, thanks Grant. How do we build off concepts in training that all employees receive and go deeper together, while still thinking about our own individual roles and access? A few people mentioned things like engagement, satisfaction, retention, and so we really need to be thinking about how we bring in interaction and collaboration, especially if we're distributed across different spaces. Somebody mentioned different offices. So we need to think about how we can build something that engages remote employees. How can we do something where people who aren't in a physical space can be engaged? Because oftentimes remote employees, or employees who aren't in a centralized location, are more likely to just have the security education automated away. It'll be like, just watch this video, don't come into the classroom.

So I'm going to be talking mainly about one specific example of training that I built at Duo, but using that as a way to think about larger problems of scaling security education, about making sure we're building stuff that's actually retained, and that opens the door to continue to build security and engagement when we're not all sitting in a room together once or twice a year. And so I encourage all of you to also think about how you can maybe take one example, two examples, and build out similar things. Cool. It sounds like the mic is doing its thing now. Knock on wood. So, I was doing a lot of the other kind of hacking last night.

So, I mentioned, I don't know if you can see it, identifying these high-risk teams. If you have to choose where to focus your educational efforts, you can start with people who are the highest-impact targets, based on their role, based on their access, based on the sensitivity of the information they handle. Basically, what is the attack surface of the entire company, and who are the most likely targets for disruption to all of that? So I'm going to
throw it out to all of you. Who in your company, not specific names, but specific teams or specific types of roles, who do you think are some very high-risk targets? Finance. Finance. Why? Because they're often asked to wire money to unknown resources. Yes. I saw other hands. Executive assistants. Yes. They are the gatekeepers to upper management, and they get all the things; they're points of intake for the most high-profile people in the company. Sales and marketing. Why? Because they're easy targets. Can you elaborate on that? Because, correctly crafted, anyone can be an easy target for social engineering. Yeah, they have a high volume of emails, and especially sales, they're interfacing heavily with external people. Whereas in my role in corporate security, almost everything I do is with people within the company. So, yeah, you had a hand up as well. Professors. Oh, so you're with a public university. Or with a university. Sorry, with a university. Yeah. Why professors? Yeah, you've touched on something a lot of people have in common, which is they just want to do their jobs and not have security be a thing that gets in the way. Blue shirt, then glasses. What's that? I'm sorry? Customer service. Yeah. Oh, man. It's really easy to call a customer. Give me a here. Oh, my own accounts. Oh, man. It's happening. Let's see. IT support. Same thing. Yeah. Yeah. Data analysts. Why? Yeah. They have access to all the data you do.
Yeah. So pretty much you can map it to anything. It depends on what your threat model is for your business. So, high-profile employees like upper management, and, going back to the old CIA triad, you have to think about teams with a significant impact on confidentiality, on data, like legal, and teams with a significant impact on availability, like DevOps people. You have to think about physical access to facilities: people who are the first line of defense when you enter a physical building. Recruiting people, who are going out and meeting strangers and getting resumes from strangers, so it's their job to download strange attachments.

Identifying these teams also gives the security team more deliberate visibility into the rest of the organization. It makes you actually think, okay, what are our assets? What teams have access to these assets? Basically just extensions of risk assessments. So security teams identify who the high-risk teams are, what kind of access each team requires, and more about each team's attack surface. One that I didn't hear called out was security teams. We are also super high impact. We know all kinds of things. We drink and we know things. Some of us don't drink and we know things. But we have access to things like vulnerability scans. We know about all of the incidents that happen when there are IRs. So we too are not exempt. And in the case of certain employers, one could argue that just by being a certain type of company, your employees are all high-risk targets in one way or another.

So rather than telling attendees of a training why they're there, we can do exactly what I did with you and have them tell us why they think they're there. Starting with that mental exercise sets the tone of people getting into a mindset of thinking about their attack surface and really evaluating what the impact is to the company, to the business, based on what they have access to. And this type of discussion also promotes a better understanding of the big picture, the attack surface of other teams, instead of just: I'm on the security team, I know that I have access to information about incident response and vulnerability scans and stuff like that. But maybe I need to start thinking about the big picture of why I might also be concerned about what the finance team has, like vulnerability to phishing attacks related to tax season and stuff like that. So it gives people a clearer sense of why we're all in this together. And that's good to keep in perspective too. It's easy to get siloed, especially when you start to be a bigger company.

Participants also know more about their respective roles than the security team presenters do. I think a lot of us in the community maybe like to think we know everything and know what's best for everyone, but we do have a lot to learn from other teams, and especially as we get bigger, it's harder for us to have visibility into what everyone is working on. And so having trainings like this in the first place gives us as security team members more insight into other teams' roles and access, and increasing visibility into our whole security landscape, into our whole environment, enables us to do our jobs more effectively, because as they say, you can't secure what you don't know. And also, letting participants across many teams or departments describe their roles or the information they handle takes the burden off the security team having to front-load and prepare all of that information ourselves going into giving trainings. It also just helps build trust. We spend a lot of time telling people what to do and not enough time listening to people. And so we have a lot to learn from other teams, and I think it builds trust when we go in there and say, tell me about what you do, instead of just having us lecture them. And presenters can engage in this discussion too. Like I mentioned, security teams are very high impact. And so letting participants know that we're not exempt from all of this important stuff makes it feel more peer-based and less top-down. And I think that's important, because oftentimes it's better for feeling engaged when it's a peer talking to us and teaching us things rather than somebody just lecturing us: you will do this, you will do this, this is why you should be scared. You're cool.
So once we identify what we are trying to protect and what we're trying to protect it from, basically just go down the line of threat modeling. When we teach security awareness, we often tell participants to think like a hacker and then kind of leave it at that. We rarely put them through the actual exercise of getting into an attacker mindset. Although when I teach lock picking, that's exactly what we're going for, and people love picking locks. So I like giving participants a chance to threat model what they're trying to protect by devising scenarios where they hack each other based on their own roles. I called it "hack your neighbor": just pair them or group them instead of having everyone work on their own, and then they go through this mental exercise of what would an attacker do, and how would they leverage my role to do harm to my company. So again, they get better insight into other teams' access if they're thinking about someone on the same team. I'm so sorry for the mic issues. And people with outsider knowledge may come up with really creative methods of attack if you have people trying to hack each other. Everything from, say you've got a recruiter, and somebody tries to get information out of them by going up to them at a recruiting event and asking all of these questions: oh, who reports to this person? Who's this manager? And then escalating levels of sensitive information. It's a recruiter's job just to be very helpful and accommodating. That's just one example of many.

Also, this sort of interactive threat modeling and devising attack scenarios together: again, interaction is way more effective than lectures. And if you can tie these scenarios back to real-life examples, if there are any that you can share that have actually happened, people are really interested in what has actually happened, and it lets them know that what they come up with isn't actually that far-fetched.

So then how do you bring it all together? Once you've got all of this on the table, like, okay, we're boned, everything is terrible, how do you actually bring that back to: you don't have to be scared, here's what you can actually do? So regardless of differences in teams' roles, their technical skill levels, and the information that they handle, there can be a lot of common ground in the way we talk about proactive security advice, especially for roles that are higher risk, beyond just the basics of don't click shit, use 2FA, use strong and unique passwords, use password managers. One really common universal theme is just basic OPSEC. That's something that a lot of people going in don't think about, or they don't necessarily map their personal stuff to their work stuff. And so they don't necessarily think about the information that they're putting out, either on social media or just by using their computer in a coffee shop without a privacy screen. And they usually don't think about others' information that they're giving out too. So it's important to think about not only protecting their own asses, but also thinking about others' roles and how they map that back. A really good example that I use is, I gave a security training at our all-hands kickoff meeting earlier this year, and our CEO then tweeted out a photo the next day and covered up some laptop screens in it, and didn't do it during the training, waited till afterwards, and didn't say the location. And I'm like, yay, OPSEC from the top down.

So we also want to encourage open lines of communication. That's a pretty universal thing regardless of which team people are on: that as members of the security team, we want to make ourselves available. And so that's something that we constantly need to be reinforcing and living. So we go beyond just telling people to report phishes to the security team. We really want to encourage that they can consult with us, that they can partner with us, and hopefully they're going to be more receptive to it after we lead with listening instead of lecturing.
So where do we take all of that? We can use security trainings as a jumping-off point for identifying additional needs for education and awareness, and opportunities for partnerships between security and other teams. Every training that we give, whether it's specific to somebody's role or just a general all-purpose annual security training, is an opportunity for iteration. And so that's something that we always need to be keeping in mind: soliciting feedback, measuring efficacy, not just compliance, not just checking the box to make sure everyone has gone. Think about what kind of impact this is actually having. What problem are we trying to solve with this, and what are the next problems that we're going to solve? Keep the doors open not only for future trainings and educational opportunities, but also for open communication between the security team and other teams in between the times when we're all in a room together. Iterate on training content based on feedback and also based on shifting business needs. This is the thing that's going to become super relevant in my case, as we go from a company of 700 to being part of a company of 70,000. You can automate the absolute baseline of security messaging, but as you go higher on the pyramid of training, instead of what tends to happen, which is that things get more automated as you tailor efforts, as you go beyond the basics you really want to get less automated, as much as you can, for as long as you can. There's really no substitute for interaction. There's no substitute for engagement, and you can take that and run with it.

So we have a lot of time left. The mic does work.
And so if you have any questions, please feel free to use the mic and I'll be happy to answer them. I see one.

So especially at large companies... Sorry, if you're having a little trouble hearing, you can speak up. So especially at large companies, or when you are a trainer for hire, essentially carving up your audience into roles beyond everybody, the technical, and maybe the executive admins: do you have any suggestions for how people can brainstorm, or how you can get that group together, because 2,000 general users can't all be in the same auditorium at the same time?

Oh, sure. I would say one thing to do is, even if people can't be in the same physical space, if you have any kind of capacity for remote collaboration, whether it's Zoom or WebEx or something like that, get people on a screen together even if they can't be in a room together, just so they still have that synchronous training, so that they can be in the same discussion even if they're not in the same physical space. Also, if they're in a bunch of different locations and they're not just distributed remote, another thing to do is start thinking about how you leverage and build security advocates in other departments, people who can be champions for you when you can't be there yourself. Find somebody in sales who can talk security with other salespeople. Find somebody in marketing who can talk security for marketing people, things like that. Because we can't necessarily be everywhere at once, we've got to think about fostering our champions to be our eyes and ears. So yeah, good question.

When you're speaking to a department that isn't your own... Sorry. Sorry. Is that better? A little. Okay. I think you need to really hug the mic close. Better. Good. Okay. When you're speaking to a department that isn't your own, how do you best put the bottom row on the ladder, figure out where they are, and then figure out where to build from?

Okay. Asking is a good start. You can also, before you're actually in a room with them, try to sit down with someone and engage them where they are. Just try and figure out what they need and where they're at from a technical level. Sometimes it helps to ask what they're working on, and that way you might know what kind of things they're dealing with. But yeah, it never hurts to ask.

When it comes to building and maintaining community engagement, what works and what doesn't work, with gamification, awards, certificates? I'm sorry, I didn't catch the last part of that. What works and what doesn't work in terms of gamification, awards, certificates, free food? Completely serious.

Yeah. I think generally the problem is it can turn into a lot of work for somebody to build that in. But rewards, I would say, just normalizing recognition on a day-to-day basis too, instead of just having a few big ones. Because if you have a security friend award once a year, it's easy for people to forget about that. So if you've got levels of giving recognition, giving good karma basically (Slack even has a karma bot that you can use), just ways of building it into the culture instead of just having small things. But also, yeah, free food, if you are at a company that has a culture of free food or a budget for it.

First of all, thank you. Despite the mic issues, I think you did a really great talk for everybody. Thank you. What about cadence and frequency?

Oh yeah. So from a compliance standpoint, usually the minimum requirement is to give security awareness training once a year, for certain frameworks. But I would say "it depends" is the short answer, and I guess it depends on the size of your organization and the time and resources you have, and also what the needs are. But I don't think it's out of the question to have something security-related a lot more frequently than once a year so that people don't forget it, whether it's something tailored for certain people, like a secure coding workshop, or something else, just something that keeps it top of mind. Anything from a monthly lunch and learn or something like that; definitely more than once a year, probably more than once a quarter, just something to get people there. Cool. Anyone else? We're still doing okay on time. And if you have a question you'd prefer not to ask in front of the audience, I will be around for a little while afterward. I'm also the sweet Kat on Twitter, so feel free to come and find me that way.
I will try not to cough on anyone. All right. Oh, we got one more. False cadences. All right.

Hi. What are your thoughts on the perception that security is a function of IT? We run into that a lot, where the general perception is that security is a part of IT and therefore it's an IT-related function, and sometimes it's hard to get people to realize the importance.

Okay. Yeah. So, hard to get people to realize the importance of security as a function of IT. So if you're running into that issue, I don't know why... why is it important to start there? Because people probably wouldn't be able to do their jobs without internal tech support. But I think emphasizing that security is kind of a function of everything in one way or another is important too; that it's not this walled-off thing. It touches every asset, every aspect of the company. So, yeah. I guess decoupling it from IT can be a thing, but you can also use that too: here's why security is important as it relates to IT. So yeah.

So in a perfect world, we're all passionate and interested in doing this, right? But a lot of times, especially in smaller organizations with a large user base, and it sounds weird, but like RIT is like seven people for like 30,000 users. So we have issues internally generating interest in the people who have kind of fallen into the security team at all. So my problem is getting people to just want to fucking do it. Yeah. It's like, you have the same job as me, but you're not interested in talking to users or getting any of this information out there. Generating interest among security people internally. Yeah. It's like a dumb question, but it's a big problem.

No, it is. It is. A lot of people think that
any kind of user education is an exercise in futility, and so that's a huge roadblock that we're up against. So I think it's important to remember that users don't have to be just the weakest link in the chain. They have the potential to be our greatest asset, and it's in our best interest to be engaging with them for many reasons. For one thing, if they trust us, they're going to be more likely to report stuff to us, and they're not going to be scared to report things that could be detrimental to our company. So that's important to keep in mind in thinking about the way we interact with users and making sure we make ourselves available. It's also in our best interest to know, like I said, what's in our environment and what people are doing. So there's a visibility argument to be had, and then there's just making sure that we're... excuse me, I'll be chugging cough drops after this. Yeah. So there's the visibility argument. There's just making ourselves not antagonistic. And then, yeah, things like that. Basically I think we need to not think about users as the enemy. And so if we can think about security education as a security control, and one that's important to implement, then hopefully security people will not... I don't want to say stop, because there'll always be people that don't want to do education, but they'll think about it as an important security control for our team.

Yeah. Hi. I work for a managed service provider, so we have a lot of clients on the smaller side, and in many cases, you know, you have high-value folks like doctors, lawyers,
executive types who demand lax security for themselves and then tighter employee security for lower-value targets. And I've just never really been very successful in inspiring these folks. I wondered if you had any thoughts, like screen lockouts even.

Oh man, I have mixed feelings on screen lock. It can be funny to turn somebody's screen upside down if they don't lock it, but it also might make them feel shamed, and I don't think shaming is necessarily good; we want to think about carrots, not sticks. So I think you've got to find a way to bring it back to what they value and put it in those terms. Like when I talk about password managers, a lot of it comes back not to "because security" but to productivity, because it's efficiency: it's hundreds of passwords that you no longer have to remember, and it frees up brain space. You don't always have to put security in security terms. You have to sort of meet them on their terms sometimes. So think about what they value and how you can work with that.

Yeah. I have some questions. This is when it comes to a large company where you have a lot of users.
So we already frequently send out security awareness... Can you speak into the mic a little more? Thank you. We actually have a large user base in our company. So we frequently send them security awareness, and as part of the security team, we still receive a lot of alerts from them. So since we're already giving out security awareness, what would be your best approach so we can instill it in them? I mean, to make it more efficient, because we're already giving them the awareness, but still they're missing it. So what is the best way that we can implement it without forcing it on them? Like providing memos, just for them to stop? And also, what's the best way we can measure it, to measure the effectiveness of the security awareness?

Yeah.
So to address the first question of how we can make sure we're actually doing our training effectively when you're giving security awareness and alerts are still firing: first of all, I don't think it's inherently a bad thing that alerts are still firing, because if you suddenly have no alerts in your SOC, something has gone horribly wrong. But there is no 100% secure, and there's no 100% informed user base. So I think one of the most important things is making sure that you have a positive relationship with other teams, that they feel safe to report things when something has gone wrong, and that they feel safe saying, yes, I clicked what ended up being a phishing link, so that they can admit it, because the more information you have, the more quickly you can remediate a situation. And if you're doing something where a user isn't going to feel safe, then that, in my opinion, has a higher potential for risk to the company.

And so as far as thinking about effectiveness of that, yeah. So I think a lot of times security awareness trainings only tend to get measured for effectiveness in terms of clicks on an internal phishing link, like before and after, or over a monthly period. And I think sometimes that can actually kind of lead to phishing fatigue. They're like, oh yeah, I got another one, let me just not click this anymore. So I think some other ways to think about measuring success, and this is something that I'm admittedly not... metrics aren't my specialty, but we want to think about other ways we can track engagement, like how many people reported an internal phishing campaign before and after; track engagement just in general with how many people are interacting with the security team; track how quickly people update their devices when an update comes out, if you're not automatically pushing out updates; how many people are using a password manager; how many people have two-factor authentication enabled; what the attendance is like when you give security trainings and security education events that aren't mandatory; or if you've got a CTF going for Hacktober, how many people play it. Also, metrics don't just have to be numbers. Numbers often lie, and narrative is data too. So think about qualitative feedback as well and what people are saying about your security education content, and take it from there.
That's often where you get the juicy stuff.

Hi. Thank you very much for your talk. My question was, are there any security training resources that you would recommend?

Oh yeah. So one that I really like is the EFF Security Education Companion and their Surveillance Self-Defense guide. They're really good basics. It's in there for things like how to threat model, how to protect yourself on social media, how to set up two-factor authentication. And then the Security Education Companion also has a bunch of different pre-made training modules as well as some train-the-trainer stuff. So I'd definitely check them out. Oh yeah. The Electronic Frontier Foundation, the EFF, their Security Education Companion.

Quick question. Can you hear me okay? I was just wondering... oh, can you hear me? Yes. I was just wondering whether your approach has changed now that so many companies are 100% in the cloud, where everyone's very empowered to spin up virtual machines and they may not understand private subnets versus public subnets and security groups and things like that. Since everyone's so empowered now, I was wondering if some of your education is directed towards that at all.

I think that actually makes a piece of it easier, because you don't necessarily have to talk about VPNs in a BeyondCorp environment. You can say the network doesn't matter because your device is trusted. So it's not necessarily harder, just different, I would say. All right. Any others? Sold. Thanks for coming.