Steal Everything, Kill Everyone, Cause Total Financial Ruin!

Formal Metadata

Title
Steal Everything, Kill Everyone, Cause Total Financial Ruin!
Number of Parts
122
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Transcript: English (auto-generated)
This is my talk. I want you to understand I have to start with this slide because I'm going to say things that might sound a little, you know, bad, mean, spiteful, mean, hateful, you know, all those other adjectives. I'm adorable, okay? I'm a wonderful fluffy person and stuff, you know, who does not like doing bad things unless people pay me. I would never try to kill you unless you pay me to try it, okay? I promise.
So when I tell you those really harmful, terrible things that I'm going to be talking about, let's just remember the kittens, okay? Title of my talk: Steal Everything, Kill Everyone, Cause Total Financial Ruin, or How I Walked In and Misbehaved. Quite simply, it's because of the security fails. I'm going to explain to you that the physical security and stuff, you know, is one of our biggest weaknesses, because people can understand two-dimensional versus three-dimensional when they're walking up through the front door. Jayson E. Street. I have lots of letters behind my name, I promise.

Let's start off with who I am. I've got a day job and a night job. My day job is I'm the AVP of information security at a financial institution. My boss is going to love this on Monday. What I do is I work in a cubicle with a lot of cool action figures around it. I monitor firewalls, I watch IDS systems, I build out our infrastructure, I find more creative ways to secure it and to go after people who are coming after us, and I do all the day-to-day blue team stuff. My main job is blue team, is defense. My night job is the CIO of Stratagem 1 Solutions, where I do pen testing maybe like three times a year. Basically I do speaking engagements like this around the world. I've written a book, Dissecting the Hack, and I also do some other writing, and that's what I do at night. I respond to incidents during the day, I create incidents for other people at night. Best of both worlds.

I love these pictures, because you see the first picture with the baseball cap. That was me standing outside for an hour in front of an industrial park building, a secured facility, on a Sunday with no traffic, and the security walked by twice and did not think to stop me and ask me, what the ... are you doing on the sidewalk just watching our building? He didn't put it in his report either, so bad on him. The second picture, looking dapper in the glasses, is actually me going to apply for a job. Yes, I'm wearing a black hat collared shirt because I like to come with warning labels, and I did not get the job. Unfortunately, I was way underqualified for that one. I did get their data, so, you know, win-win.

These are my two favorite pictures of engagements I've been on. The one where I'm wearing the "I'm a Liability" shirt, I think, is the best one, because I stole a car in that shirt. I was at a hotel off the coast and the valet gave me the car, and I had explained to him, I can't get in this car right now. He's like, why? I'm stealing it. They paid me to do an assessment. I'm a liability. It took him a while to figure that out. Finally, I had to say, you might want to take this back. I think the owner is going to want it. The next one is my favorite: one of the most secured facilities I've ever seen in my life, right across the street from Ground Zero. SWAT teams, you know, with canine units with their machine guns walking through the concourse, security guards in the main elevator lobby and stuff, not including the business lobby. That's me in the upper floors wearing an actual valid badge and a shirt that says "your company's computer guy." I like that picture a lot. We'll get more to that story in a little bit.

So I do have a CISSP. I think the code of ethics says that I have to put a Sun Tzu quote in my talks. There it is. We're in the intro, halfway through. So far, so good. We're going to talk about the one fact that we have to face when we're dealing with this subject. We're going to talk about the two rules that I go by when I'm doing an engagement, and the three outcomes from those two rules, and hopefully a good conclusion discussion. Let's face it, you're going to the award ceremony right after this, but still, we can hope.

Why this talk? I gave a talk last year on the 36th strategy. It was talking about the beginning of social engineering. It was talking about things that you could do to try to get into the buildings. That was part one. And quite frankly, I got some feedback afterwards going, man, Jayson, that's some basic concept stuff. You know, you weren't showing any kind of NLP or... because I can't. I am not a professional social engineering expert. I don't know about NLP. I don't know the psychology, facial recognition, mind ninja techniques. I still get in. I have a hundred percent success rate of getting into facilities when I'm doing a social engineering engagement. So it's not that I'm that great. Trust me, anybody will tell you that. Our security is that weak. So these are educational, and hopefully in a funny way, kind of talks, just to give you an onset of where to go look for more stuff, and then hopefully have a good chuckle while you're doing it, okay? You're not going to learn anything new, but hopefully you'll remember something that will make you go look at something else, and you'll be better for it.

So this is part two, because now I'm not talking about the social engineering part so much as this is all the damage I'm going to do after your security guy let me through the front door. Because number one fact: I'm getting in, okay? I took this picture, I kid you not. I'm going to meet the guy for the first part of our meeting, and as soon as I got into the concourse and I saw the door, the employee door for the secured area, I was like, oh, you've got to be joking me. I walked right over, pushed 1-3-5, guess what? I got in. I would have tried 5-3-1 or 3-1-5, you know, I would have tried, but look, see how they're rubbed off? I mean, the look on the guy's face when I showed up 10 minutes before our meeting and no one knew I was there. So that was fun.
Here's another one. I went to go apply for another job, and when I'm on these engagements, I like to be bad. So when I signed in with the receptionist, I stole the pen. I'm a bad guy, it's what we do. So as soon as I finish getting the pen and signing in, I ask where the bathroom is. It's not because I drink so much Diet Pepsi, it's just because I get lost very easily, and I will wander buildings looking for that darn bathroom for hours. You can't believe the things I can get into. Well, I'm going through and I actually happened to stumble into the secured area part of the employee area while I was looking for the bathroom, and I found the employee entrance, and the security guy at this facility was actually bragging about their million dollar security system. And I looked at the door and I saw this little rod thing and stuff, you know, that was what was latching the door, and I said, if only I had a condom or something, you know, to protect that little rod and keep the door from closing and then making it latch. And then I remembered, oh wait, I got a pen. So I took the pen that I stole, put the cap on the rod, the door shut perfectly, and it didn't latch. So I leave, I come back in about 20 minutes or so, it's still there, I'm now in the secured facility and no one knows. So that was fun.

I am not a... oh, actually we're right here, okay, so I'm not a master locksmith. I tell people I don't have to be a master locksmith, okay, if your people will let me through the front door, okay? I don't have to be a massive ninja coder, which I'm not, if I can just steal the hard drive with all your data. Here's some of my master lock picking skills in action. I'm terrible with the lock picks, but I'm awesome with cardboard.
So here's another key. I love forging emails and putting them on an iPad. The key is to put them on an iPad. If you forge an email and print it out, they're gonna look at you: fake, oh, you just typed this up. You put it on an iPad, the blue hyperlinks stay hyperlinked, and also it's on an iPad. It's magical. You must be telling the truth. So they're gonna go and say okay. So I was up in that secured facility in New York. The network guy noticed an unusual amount of traffic coming from the CFO's assistant's computer going to their main server and was wondering what was going on. It was me. So he comes over and he asks, what's going on, what are you doing? And I start telling him exactly why I'm there. I spent two hours on Google creating this email, making it sound like the new owner of this company was upset and sent an email to the other company that he owns to send one of his guys out to go and look at the network, and I made it sound very political. I made it sound like there was urgency and that they were supposed to be surprised, so no one knew I was supposed to be there. So I showed this to the networking guy. Well, he sent me to his office. We went to his office and we talked to the CIO for about 10 minutes, and the employee then started to escort me around to all the other computer desks and stuff, you know, so I could plug in my malware, and I had an employee escort, so I had to be okay. So I actually can finish the rest of the engagement and stuff, you know, having someone help me and make sure the people knew I was okay to be there, and plugging in my USB devices and doing whatever else I needed to do. So I really love that email.

I've got two rules, but guess what, looking for PCI is not one of them. I don't care about your HIPAA or HIPAA. I don't care about your Sarbanes-Oxley. I don't care about your ISOs unless they've got Linux on them. I don't really care. I just want to F you up. I just want to mess you up in the worst possible way. I want to be the worst thing to ever happen to you at the worst possible time. Okay, remember the kittens. So this is where I got my two rules. I got them from Serenity, which was based off the series Firefly, which Fox canceled, but they died in a fire, and the two quotes are very simple: I aim to misbehave, and let's go be bad guys. That's it. I'm just trying to do bad. To team it up, you know, red team. Don't act surprised when we try to kick it below the belt. Bank managers are still being kidnapped today, taken to their home, their family held hostage overnight until they go open up the bank for bank robbers. That's not funny. That's real. This stuff still happens.
Another thing is, this is one of these things that we people talk about. This is not a new concept, what we're doing. This is from 1992, the movie Sneakers. So people hire you to break into their places to make sure no one can break into their places. It's a living. Well, this one's old now because it's not a very good one. It's gotten pretty good now. Business is pretty good with this, but this is a concept that's not new. It's something that we still have to keep revisiting. You know, better people than me talk about it a little bit more technically and stuff. You know, like I said, I'm the comedy relief on this, but let's keep going.

So another thing we have to understand is management is not proactive. They are reactive. So Dan Erwin said in 2008, the best way to get management excited about a disaster plan is to burn down the building across the street. Hello everyone. I'd like to introduce myself. I'm the fire. So what we're gonna get to now is the fun part, and the fun part is talking about all the different ways we can start those fires. Okay.

I love this one. This is what I call the trifecta of bad, because yes, I stole the phone, or cloned it. Yes, I've got the laptop; 30 laptops unsecured in this facility. They had no laptop lock cables because they were secure. By the time I did the exit interview I started seeing laptop lock cables, which was good for them. Also the badge, because, you know, my arms may get tired and I might need to make trips, so they made me an employee badge. I appreciated that. Okay, I do feel bad about this one, because I am a CISSP, I have a code of ethics, so please no one report me. Let's make this off the record. I'm sure no one's watching. Not about the laptop, because I have no problem stealing the laptop. I mean, the guy left the cable on it for him. He was just giving it to me. And I'm not talking about the screwdriver, because I needed to steal something, maybe, you know, that was bolted down, because, you know, I like to be thorough. I was a little hungry and I stole one of the cookies. I'm sorry. Okay, let's go on.

I love this, because, you know, people expect security not to be that thorough. So they get their laptop lock cable, they're told to fasten it to the desk, but that's hard, you have to bend down, so let's just loop that cable over the desk and no one's gonna pull it. And you know what, most security doesn't pull the cable to see if it's actually secured, but I'm not security, I'm a thief. I'm going to pull the cable, I'm gonna try to steal it. Also, kudos for this guy, because he had it firmly attached to the desk, he had it locked, his laptop, but I'm telling you, when the code is zero zero zero zero, I'm gonna try that one. I'm gonna try one one one one, I'm gonna try nine nine nine nine, and if you're a geek I'm gonna try zero zero zero seven, so sorry about that one. Also they like to move the one, like the last number or the top number, they'll move one in either direction and that's it. That way they can just go, I'm unlocked, think I'm locked. I'm gonna try those also.

When I'm on an engagement, I'm going through all your drawers. Wait, hold on, that didn't sound right. I'm gonna go through all your desk and your cabinets, okay, and I'm gonna be looking for stuff, because nice, honest co-workers are not gonna go looking through your desk. I'm not a nice, honest co-worker. This guy had his laptop locked totally correct, everything was right, and then he put the keys in his top drawer. So now not only do I steal his laptop, but now I have a nice, really shiny laptop cable and stuff, you know, I can protect from someone stealing it, because I hate it when they steal my stuff that I stole. All the reason why this picture was in here is because I stole the iPod, because that's, like, totally freaking retro. How awesome was that?

This is another trifecta. I stole the purse, I stole the car keys, and yes, I saw the phone. Let the record state I did not steal the lunch, okay? I felt really proud about that. But now let's hold on, let's cut it for a second. I took the car keys, took the driver's license out of her purse, I then go to the parking lot to find out what car it is, I unlock the car, I go back and put her car keys back. She comes back after work, I'm in the backseat with a gun, telling her that I've got a driver's license showing I know where she lives, that I've got people there that will kill her family. She does not go back into that facility, steal all their data that I need and then come right back out? And we're tracing, and we've got her phone cloned and we can monitor it. Employees need to know that their personal belongings are theirs, but the impact can be severe for them as well as the company. That's why they need to secure their stuff. Now let's remember the kittens real quick, okay?

When you have this many frowny faces on a slide, you're just effed, okay? It's just game over. You literally gave me a blank check to steal your credit and your identity, and trust me, my credit sucks, so I'm taking it. You know, thanks for leaving the social security card there, because it's got your signature on it, so I know exactly how to forge it. That was very helpful. Not many people are that kind.

So, oh, when I stole the first car, the guy sort of cheated and let some people know that I was going around and doing stuff like that. So I said, well, screw you. Two o'clock in the morning I walked in, grabbed three Mercedes-Benz and a Beamer and just took them with me, less than 66 seconds, so Nicolas Cage, beat that. The look on the guy's face, the manager's, security's face, when I walked up to him and I dropped those four keys was priceless. I wish I could have included the picture, but it's on my desktop at my home.

So some countermeasures. Employees need to know that this stuff matters for them as well. Make sure they're locking their desk, securing their property. They secure their property at home, they secure their property in their car, they need to secure their property at work. Now also, no tailgating. You got to make sure that they understand that they shouldn't tailgate, because, you know what I'm doing? I'm coming in a wheelchair and I've got like four books. Oh, man, Jason, you're a douchebag. And I'm like, yes, I'm a bad guy, I'm trying to steal from you. Do you really think I care that you're gonna feel lesser about me because I'm not supposed to be in a wheelchair? No, I'm evil. So what I'm gonna do is, trust me, when I go up to that door and I got these books, you're really gonna be the asshole who's not gonna let me in the door? I mean, seriously, no, you're gonna let me in, and I thank you for that. Your employer's not going to, but I will. Also, if you see something, say something. You don't have to personally tackle the guy if you think he's suspicious, okay? You do have to call security. You need to start empowering the employees to understand they are part of your security team, and they need to start acting like it.

So yeah, here's the real warm and fuzzy side. We're actually gonna talk about how, you know, to kill everyone, because that always brings up a crowd on a Sunday night. This was taking pictures at 2:30 in the morning. I'm in a hotel somewhere, a different hotel than the car, and I'm inside a mechanical room. I'm wearing Pepsi pajama bottoms over some cargo pants with some really bad things and a white t-shirt, and I'm barefoot, because I took all my clothes off in the bathroom in the guest area of the hotel and changed into that, and then started walking around and seeing what I could do. I could do a lot, because you notice one important fact in this picture: there are no padlocks on any of the switches. I will tell you this right now, I've got some OCD like you wouldn't believe, okay? If that switch is on, I'm turning it off. If that switch is off, I'm turning it on. And by golly, if there's a red button, I'm pushing it twice, okay? That's just how I roll, okay? Now I want you to understand I'm not a total jerk, okay? Because yes, I'm going to start a fire in this room, and yes, it's gonna have some poisonous chemicals in it, so the smoke will go through the ventilation system that's right there. But I'm not totally terrible, because I mean, it's 2:30 in the morning, who wants to get woken up at 2:30 in the morning listening to this ringing alarm sound going off? So I'll shut off the alarm system for you, because, I mean, I don't want to be rude. The only thing worse than having that alarm going off in your ears and stuff, you know, is someone throwing cold water on your face when you're trying to sleep. I'll turn the sprinkler system off for you too, okay? I don't want anybody to get all, you know, wet and drenched and stuff, you know. There's a fire going on, that'd be dangerous. Oh wait, yeah, maybe not, okay.

So another place that I like, I think it's great to kill people, is the kitchen. This guy didn't even ask who I was, but, you know, most people don't. So just to bring that home, here's a nice little video. Is there any law enforcement from Malaysia in here? Okay, good. This was a video that I took in Malaysia, in a Malaysian hotel. I was wearing this shirt and I'm in Malaysia, I don't blend well, so let's see what happens. Here we go. I didn't edit this video, because I don't want you to think, you know, shenanigans, like he made it up himself or something like that, but no. So you'll get to see me doing exactly everything that I did, including right here, where I should have turned the other way, but I turned this way, but I didn't know what the building was like. So let's walk down this corridor first. Yay, I'm walking as fast as I can, and if I wanted to steal some tables, there I go. I was like, wow, that was a letdown. I'm sure I'm impressing people that are in the audience right now. So I decided to keep going. I'm a hacker, we don't give up on the first try, right? So now, if you get motion sickness or seasickness, take Dramamine or look away for a second, okay, because this gets, me, I wasn't joking. So I come up against this door here and I'm thinking, oops, there we go. So I come up against this door and I'm thinking, oh, this is awesome. The reason is because it's secured and it's got stuff in there that you want protected, so you put a padlock on it, but then you don't padlock it. So, one, thank you for that. What could you be protecting? I don't know, let's see here. Oh. I did not go in there with an Uzi or an AK-47. I did not bring C4 with me. I just walked out of that closet with napalm. I just walked out with poison. So let's see what I can do. Well, first I gotta find a place to do that. That's going to be a long search, you know, looking for the proper place to deploy this kind of stuff. Let me turn around, and oh, I'm in the kitchen. That was quick. So let's walk through here. Everybody say hello to this guy. He didn't say hello to me, the jerk. If it was a little bit later at night I'd be, you know, tampering with, right there, the refrigerators for the food supply. I would destroy your food supply. Even if you detected it was poison, it would be useless, you'd have to destroy all of it. That's some coinage right there. Here I'm going into another room. I could have gone to some of these other doors. I wasn't really trying, especially since I didn't have permission. I mean, I'm in, since they didn't know at first; they said it was okay afterwards. Here's the mechanical areas. This is where I start my mechanical fires using the napalm. You notice those two guys there, so I have to use social engineering countermeasures. Let's listen to my countermeasures: hey, how's it going? It was going okay, and then I kept moving. So here we go through the rest of it. That's just me showing you more places that I would spread the napalm.
One of the other things you notice: they protect guest information really well, you know, in the computer systems. You can't go to the front desk and ask where someone's staying, but obviously you can walk into the kitchen, because every person, their room number and their name, is right there for room service. So that's pretty low-tech. Now I'm going through this and I'm thinking, you're saying, Jason, all you're doing is just walking around a freaking place, what's that? Well, basically, first of all, dude, I told you I was showing you the physical stuff, not social engineering. But since you asked, let's go try to do some social engineering, because let's see what happens if someone notices me. So I'm gonna go talk to the head chef and the manager of the hotel. So I asked him if he's using Wi-Fi or cable. I got an iPad and I've got my hacker shirt, and I'm questioning him on the stuff, you know, and he's saying... I love the way they smiled, like the guy in the back window was just, like, you know, photobombing me and stuff, you know, like, what's going on with that guy? And then I just left. That was it. So that's how easy it can be, and when we talk about social engineering, it's just as easy as saying, how's it going, and talking to someone. People don't expect bad things to happen until they happen.

So some of the countermeasures. One of the key ones that I could not stress enough is create a code word. Make sure people understand, first of all, make your employees understand this stuff happens. Workplace violence happens. I mean, for gosh sakes, I got this information off of workplaceviolencenews.com. It happens so often they've got a website for it, for gosh sakes. That's depressing, okay? So you got to understand that that happens. So set up a code. I tell people, especially with receptionists, the code "oh my god, he's got a gun, run, panic, we're all gonna die" is not the best code, okay? It is effective, it does, you know, raise awareness, but it may not be the best. I always tell them to suggest something like a code periwinkle: Mr. Periwinkle to HR, Mr. Periwinkle to HR. And I'm hoping that someday someone institutes an actual code periwinkle, because I think that's just funny, saying periwinkle. Another one is conduct routine safety checks, not just safety checks of your equipment but of your people as well. When I walked around for an hour I noticed one thing at that facility: there was this one door that I could easily jimmy, and it had a camera that was right over it, but I couldn't tell by the angle, because of where the other two cameras were spaced, if I walked diagonally from the other parking area they wouldn't see me except for that one camera, and if that camera was angled the right way I could totally bypass it. So I talked to the former head of security there and I told him, so, dude, this is where I can get in. And he's like, whatever, come with me. He takes me to this office, the security office, it was empty, showed me the computer screens, or the TV monitor screens, they were all turned off. He turns them on. The one camera that was not working was that one. I looked him dead in the eye and I said, in all seriousness, oh, I guess I wasn't the only one that had that idea. You may want to check your inventory. I did mention he was the former head of security at that facility, okay? Good, okay.

So let's talk about, you know, financial ruin. Let's look at the espionage, and I hate to break some people's feelings, I'm gonna hurt some people's feelings and just say it's not just the Chinese, okay? The 70s, the 80s, the 90s, the French were doing awesome with it. So sorry to, you know, insult, actually I'm complimenting my French friends, because they did a great counterespionage thing with the CIA and stuff back in the 90s with the Boeing incident. You can Google that one. See, I wish you wouldn't. So that was fun. So let's talk about some things you can do there. Once again, this many frowny faces, not good, because, you know what, I'm an environmentalist. I am. Do you know how many poor senseless trees die every day due to those printouts that you leave beside the printer? Well, you know what, they will not die in vain when I visit. I'm taking all of them. I'm gonna liberate those trees, I'm gonna liberate all. And you know what, I'm such an environmentalist, I will take the ones that are still printing out just to make sure you don't forget them. Those trees will not die in vain when I'm there. And this is so sad, this is actually a Dilbert comic strip, is that they still use shred bins to put all your, you're telling me, all your confidential data, all the stuff that needs to be shredded, let's put it in a big blue bucket. This is all the confidential, and this is done in DC, and this is done in financial institutions, this is done in, like, DoD contractors' offices. What my favorite is, the DoD contractor's office, it's a secured area, the office, the actual offices of the executives, they're actually secured, locked, where security, cleaning crew can't go in because of all the top secret data. So what do they do at night? They put the blue bucket outside their door.
Yes, that's awesome. I mean, I'm sorry, it's awesome for the bad guys. Oh dude, yeah, when I get to the point where I could just stick malware into your hard drive, it's just gonna be a fun night for me, not for you. Really, yeah, it's DEF CON, get with it. One thing, we're going off your
workstation, is when you see that USB drive in your Exchange server. It's not gonna end well for you, okay? I know where that USB drive's been. You don't want it in your Exchange server, okay? And I mean, and you're thinking, it's like, what kind of damage and stuff can you do going after our Exchange server? Ask HBGary. But we can go and say, well then how about your
accounting server? Me and the 25 other employees that are also me, they're now getting paychecks from you. Say, oh, it's okay, it's not gonna be too bad. Or I could just do a wire sniff. This was like from my part one talk, you know, just do a wire sniff on your traffic. Sniffing passwords is hard; you got
to configure all the stuff, Linux, you gotta get the wire... Like I said, I'm not that technical, I'm not that, you know, bright. It's like, why don't I just... Leave blank, bracket. First I gave them the benefit of the doubt, okay? And yes, it
was just hit Enter. This is my favorite of all time. You know why? Because this was at a pharmaceutical bio-whatever research lab and stuff, you know, where I'm supposed to be dealing with rocket scientists, right? The password: first of all they shouldn't have written it down at all, but the password that
was scratched out was actually an alphanumeric special-character password. It was very complex and it was hard, so they scratched it out and put it to "welcome". So, and it was all lowercase; I tried the capital first because, you know, they're rocket scientists. The one thing worse than seeing me in Pepsi
pajamas, you know, ask my kyrile, is actually seeing me in this suit, because if I'm in this suit I am out to screw you over terribly, okay? Because I'm wearing my vest of doom. I call it the vest of doom because I think it sounds cool and I'm reliving my childhood. If you want to know more about the vest
of doom and all these little toys, it's in my part one talk that I did last year. But now I want you to know I've got a vest of doom 2.0. Let's see some of those things, okay? I've got some video recorder USB pens right here. None of my... I'm keeping one in my pocket. I'm going to
actually be going in and leaving them in your little cup holders that you leave, so I can record you logging in your passwords, carrying on your conversations, things like that. So that's awesome. If I'm the tech guy I got my nice little handy 8 gig USB flashlight video recorder that I'm stealing your data off of,
and as you remember the little bouncy Dramamine, that was because it was taken on my 4 gig audio/video recorder watch. When I walk into your facility I'm a walking, talking Google Street car, okay? I'm capturing everything I can. Now I got another device in my 2.0 vest. This was something that was
given to me by a three-letter agency in DC. I'm not... the only reason why he gave me this device and stuff, you know, which cost billions of dollars in research, he said, was that I was to never talk about it in public. So this device he gave me, it's actually a USB keystroke logger. It's undetected by any antivirus. You can plug it in, it's very streamlined, it's
undetectable and stuff, you know, it's very hard to spot when you actually plug it into the device, and it records all the keystrokes. You're right, I'm lying. I got it off of ThinkGeek. ThinkGeek. I like to put this for, you know, for the QSAs and for your executives, you know, that you want to talk about these slides to and stuff, you know, and when you get back tell them
about these things. Let them put it in a different way that they understand a little bit better: the risk matrix. Available at a geek and gadget website? Well, we've discovered that's a near certainty, okay. Being able to log the CEO's keystrokes? Yeah, I'm gonna go with catastrophic on that one. Now you see all these other devices, you see all these pens; you know, those were
acquired, it's like, you know, from a very... I mean, you have to be a select group of people, okay, to be able to get access to that kind of technology. I mean, I think everybody is familiar with that kind of access. I mean, everybody here has that access; it's called frequent flyers. I mean, you talk
about hackers getting this kind of data, okay. I'm an accountant, I really hate my boss, I really hate my job, I want to go somewhere, I want to steal a whole bunch of stuff from the company first. How can I do that? Oh, I'm on this flight. Oh look, oh, I can put keystroke logging and spyware on my boss's computer. Oh, I can, you know, have a USB recorder and
stuff, you know, pen, and take video of our company secrets, and yes, I can actually have a voice recorder so I can record our top-secret confidential conference meetings. This is not hard. That is one of the biggest things, you know: you hear, I see these talks and like these guys are like the rock
stars and like they're super leading stuff, you know, and they deserve all the credit, all the stuff, but I'm telling you it's not just that. I'm the reverse of that. I'm the guy saying it's so easy even I can do it, okay? It's just the general stuff. People are so busy protecting their stuff from these very high-level attacks they're forgetting, oh, SQLi. Oops, sorry Sony. You
know, it's like, sometimes it's the low-hanging fruit. It really is the low-hanging fruit they're going to go after, so you've got to be protecting that as well. You got to be protecting from these kind of threats as well. This is one of... I love this one. I took these pictures. This is the Pwn Plug from Pwnie Express. I took these pictures at a bank branch out on
the West Coast, and I did four branches, four attempts, four successes. After the fourth one they told me to stop. The reason why is because I walked in, I was wearing a blue DEF CON work shirt, I come with warning labels, and I told them, it's like, I'm here to check: we have been having
brownouts at the corporate office and we need to check to make sure that the power fluctuations aren't affecting your operations here. So what I'm gonna need to do is I need to plug this device in here, plug into the network, so it can take the readings and report back to the home office exactly what's going on. And by the way, I need to go in and check to make sure all the computers have proper power surge protection and UPS units working. I used a
false name that I had no ID or identification for. I used a fake company and a fake phone number. I signed into their vendor log. If I would have come in there with a ski mask and a shotgun, every single person would have reacted exactly the right way. They've been trained to handle that.
They were not able to... they did not expect the geek factor, and they walked me through the teller area, the drive-through area, and through the back rooms where the actual money is: not the shiny little vault thing, but the big safes with the actual money in it. What kind of damage could I have done?
What I did do was I plugged in my Pwn device, this one with the power unit and stuff. You guys see the power UPS on the right? I like that one the best, because I had to get the bank manager to get out of her seat so I could plug it in behind her desk. And what do I do right after that? It's like, I don't have to go to my car, I don't have to phone home. I go to the bank lobby, and I've got BackTrack 5 on a Xoom tablet, and it's
I've got it already connected to the Pwn Plug. I'm pwning you before I even get out your door, okay? So what are some of the countermeasures? There's only one major countermeasure, people, okay, and that quite frankly is just going to be: stop printing. What happened to this paperless office, for
gosh sakes? It's like, make sure you're doing proper DLP, making sure you're talking about... there was a recent report about how some of these data leakages are mostly coming from insiders and threats from the actual employees themselves, so make sure you're watching, you're doing due diligence, making sure that not everything is being shared open. So now what can we
do? Like I said, I'm the blue team. I like it when we win. I love... I am, I kid you not, I am rooting so hard for the good guys when I go on an engagement, okay? I mean, I look at some of those employees sometimes, I'm like, you've got to be... you're believing what I just said? Seriously? And it's like, and
they let me in. I'm like, oh my, dude, obviously I was a bad guy. It's like, so what do we need to do, though? We need to educate, empower, and enforce our workforce, our employees. And the best way to educate them is to stop this one simple phrase: stupid users. Stupid users clicked on an email, stupid
users went to a website they weren't supposed to go to. You know what? If I'm in the security department, stupid me for not educating my employees properly on how to handle those kind of threats, okay? And another thing is, if I hire an employee and on the first day they don't even have a driver's license, and on the
first day of work I tell them, here's the keys to my Bentley, go do some deliveries, and they brake and they crash that car, who's the idiot? The one that started driving, or the one that gave them the keys? We're giving them technology they don't know how to use. They need to start being educated properly on how to use it. Then when they screw up we can say it, but not
until then. We need to educate our employees and let them understand what they're going to do. We also need to empower our employees, and by empowering them I don't mean starting a union, okay? So don't get all upset with me, you know, management types, okay. We need to let them know one simple fact: they are part of the security team. From the CEO to the mailroom, you are part of the
security team. It is part of your job and your duties to make sure you're protecting the company data, and they need to know that, and they need to enjoy that. They need to understand: you, as information security, have access to the biggest intrusion detection system known to man, all those employees on the
front line. They're saying, oh, that looked weird, that shouldn't have happened, let me call somebody. That's what you need to start doing. You need to start empowering them, you need to start letting them know that it's required. I've got a guy who sends me 15 freaking emails, okay, a week, on a phishing scam or some kind of other thing that he thought was weird and
he wanted to make sure I knew about it. You know what I say every single time? Awesome, thank you very much, I appreciate it. Because that 16th one is not going to be a false positive; it's going to be something we need to respond to. I'd rather get a thousand false positives from people that are actually thinking about it, because if they're sending it to me that means they're thinking about
security. We do walkthroughs in our facility during our day job and we look under keyboards for passwords. I mean, at first we actually started finding them, okay, that was bad. It's like, but then we started not finding them, but we still do it. You know why? Because every time you do that, everybody in that area is going, oh, they're checking for something, we got to make sure.
Creating that security awareness without shoving it down their throat: that's how you do it. That's how you do it. And then you enforce it, okay? Not with a baseball bat. Oh gosh, that would be fun, but no, it's like, not with a baseball bat but with positive enforcement. When someone stops me when I don't have a visible badge and says, what are you doing, what are you doing there? I report them to their supervisor
and I say, awesome job. That person did what they're supposed to do. That person is protecting our data. We've got it where we put a list of stuff, you know, in our bulletins and stuff, you know, an employee bulletin, saying people that got kudos for security: they did the right thing, they did it the right way. And you know what? That breeds competition, because that freaking Susie in
accounting, she's always getting the credit for doing that stuff. Well, I can do it too, you know, I can stop someone if I don't think they have a proper badge. That's how you enforce it. It doesn't have to be negative. You've got a workforce, you've got a human IDS system out there just waiting to be used. Start using them, okay? So as soon as you,
as soon as you stop saying "stupid user" and start saying "my co-workers in the information security department," we're going to start winning. So here's some links, and there you go.