Laura Bell, Founder and Lead Consultant - SafeStack, @lady_nerd, email@example.com
To join the discussion (but play nicely please)
This talk might make you feel uncomfortable.
…I want you to feel uncomfortable
I like people
people are the path of least resistance
In this talk
• The Problem: the need for and lack of human defense
• The Tool: we built AVA… and we think you might like it
• The Challenges: building human security systems is hard…
we are comfortable when we talk about technical vulnerability
we do not empathise or sympathise with machines. They are inanimate objects.
technology is only part of the security picture: technology, people, process
technical systems are: reviewed, scanned, penetration tested
processes are audited
what about people?
The problem with people
human vulnerability is natural
fear of loss, fear of rejection, fear of physical harm, fear of exposure
humans are sufficiently predictable to make it suitably annoying when we fail to predict their behaviour.
The modern approaches
compliance has us racing to the bottom
we watch video training or e-learning, we tick boxes, we make posters
Security Awareness Education really sucks
Posters don’t work
Stop it already.
this is not how people learn; go ask the education and psychology communities
we shame the human victims of human security attacks* *while secretly doing the exact same things
we forget that we are a connected species
why don't we actively assess and test our human security risk?
we don't test because it’s too easy
people can’t be taught, people are lazy, people are stupid
we don't test
because it makes us feel uncomfortable
because we don't want people to get fired
because it’s hard
because we don’t know how to fix it
because we don't want people to get hurt
border devices are not enough
A first generation proof of concept: 3-phase automated human vulnerability scanner
PHASE 1 Know
We don’t know what our organisations look like
Human security risk is magnified by connection
Sources: Active Directory, Twitter, LinkedIn, Facebook, Email providers
Entities: People, Identifiers, Groups, Relationships, Data
Attributes: friends, last login, location, contacts, password expires?, time stamps, frequency, disabled?, sender aliases, influence, receiver profiles, admin?, user agent
PHASE 2 test
Threat injection and behaviour monitoring
Attack vectors that mean something: Email, Social Networks, Removable Media, Files and honeypots, SMS
Email attacks that go beyond phishing: panic phishing, internal request, direct request, external request, social favour, authoritative
User generated and publicly sourced attacks
The URL may be different on different messages.
Subject: Security Alert: Update Java (*See Kronos Note)
Date: February 22, 2013
***********************************************************
This is an automatically generated message. Please DO NOT REPLY. If you require assistance, please contact the Help Center.
***********************************************************
Oracle has released an update for Java that fixes 50 security holes, including a critical hole currently being exploited in the wild. The IT Security Office strongly recommends that you update Java as
Removing the boundaries between business and personal
Security fails when it is treated like a special event. Instant, scheduled and recurring
Give the option of succeeding and reinforce good behaviours
PHASE 3 analyse
Behaviour Vs. time
Measuring impact of training
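Added example (my code, not from the talk or the AVA project) of what "behaviour vs. time" and "measuring impact of training" can look like once the test phase produces an outcome log: a constructed log from four recurring simulated campaigns is summarised per campaign date, and a before/after comparison measures each trained person against their own earlier behaviour rather than against the whole population. The event layout, the pseudonymous uids, the dates and the training records are all constructed for this example.

```python
from collections import defaultdict
from datetime import date

# Constructed outcome log from four recurring simulated campaigns. The row shape
# (campaign date, pseudonymous uid, outcome) is an assumption for this example,
# not AVA's real test output. Outcomes: "clicked", "ignored", "reported";
# reporting is the behaviour we want to reinforce.
EVENTS = [
    (date(2015, 3, 2), "u1", "clicked"), (date(2015, 3, 2), "u2", "clicked"),
    (date(2015, 3, 2), "u3", "ignored"), (date(2015, 3, 2), "u4", "reported"),
    (date(2015, 4, 6), "u1", "clicked"), (date(2015, 4, 6), "u2", "reported"),
    (date(2015, 4, 6), "u3", "clicked"), (date(2015, 4, 6), "u4", "clicked"),
    (date(2015, 6, 1), "u1", "reported"), (date(2015, 6, 1), "u2", "ignored"),
    (date(2015, 6, 1), "u3", "clicked"), (date(2015, 6, 1), "u4", "clicked"),
    (date(2015, 7, 6), "u1", "ignored"), (date(2015, 7, 6), "u2", "reported"),
    (date(2015, 7, 6), "u3", "clicked"), (date(2015, 7, 6), "u4", "reported"),
]

# Constructed: the date each uid completed training (None = not trained yet).
TRAINING = {"u1": date(2015, 5, 1), "u2": date(2015, 5, 1),
            "u3": None, "u4": date(2015, 6, 15)}


def _rates(outcomes):
    """Share of outcomes that were a click and a report (None if no data)."""
    n = len(outcomes)
    return {"n": n,
            "clicked": outcomes.count("clicked") / n if n else None,
            "reported": outcomes.count("reported") / n if n else None}


def behaviour_over_time(events):
    """Click and report rate per campaign date, oldest campaign first."""
    by_day = defaultdict(list)
    for day, _uid, outcome in events:
        by_day[day].append(outcome)
    return [(day, _rates(by_day[day])) for day in sorted(by_day)]


def training_impact(events, training):
    """Compare each trained person with themselves: outcomes before vs. after training."""
    before, after = [], []
    for day, uid, outcome in events:
        trained_on = training.get(uid)
        if trained_on is None:
            continue  # untrained: there is no before/after pair to compare
        (after if day >= trained_on else before).append(outcome)
    return {"before": _rates(before), "after": _rates(after)}


if __name__ == "__main__":
    for day, rates in behaviour_over_time(EVENTS):
        print(day.isoformat(), rates)
    print(training_impact(EVENTS, TRAINING))
```

The per-person before/after split is the point: a falling click rate across the whole population can be caused by people leaving, joining or being tested on different vectors, whereas comparing each trained person with their own earlier outcomes isolates what training changed. Reporting is counted separately from clicking so that the "option of succeeding" is visible in the numbers, not just the failures.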
And now for something a little bit different
Bridges, weak links and targeting
Pivoting and propagation
You know what would be fun? Predictive risk behaviour analysis
The process
• Candidate and volunteer requests submitted to social media and contacts
• Volunteers briefed
• Removed volunteers including children, students or health data
• Active Directory users and groups collected from the Active Directory server and stored in JSON files
• JSON files processed to remove personal information
• AVA Know used to parse and identify patterns
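The last three steps of that process, worked through as an added example (my code, not AVA's): a constructed Active Directory export in JSON is stripped of names and addresses, each account is replaced by a keyed pseudonym, and the stripped records are then scanned for the account-hygiene patterns the results slide reports (administrator accounts, non-expiring passwords, accounts that never logged in, groups per account, oldest and newest password). The export layout and field names, the list of administrative groups, the salt and the reference date are all assumptions for this example; the same ideas also apply to the Phase 1 "Know" attributes (last login, password expires?, disabled?, admin?).

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample of what "users and groups exported from AD to JSON" might
# look like. Field names follow common AD attribute names, but the layout is an
# assumption for this example, not AVA's real export format.
SAMPLE_EXPORT = json.dumps({"users": [
    {"sAMAccountName": "alice.smith", "mail": "alice.smith@example.org",
     "displayName": "Alice Smith", "pwdLastSet": "2004-03-01T09:00:00Z",
     "lastLogon": "2015-07-20T08:15:00Z", "passwordNeverExpires": True,
     "disabled": False, "memberOf": ["Domain Admins", "Finance", "VPN Users"]},
    {"sAMAccountName": "bob.jones", "mail": "bob.jones@example.org",
     "displayName": "Bob Jones", "pwdLastSet": "2015-04-10T10:00:00Z",
     "lastLogon": None, "passwordNeverExpires": False,
     "disabled": False, "memberOf": ["Staff"]},
    {"sAMAccountName": "carol.ng", "mail": "carol.ng@example.org",
     "displayName": "Carol Ng", "pwdLastSet": "2012-11-05T11:30:00Z",
     "lastLogon": "2013-01-09T16:45:00Z", "passwordNeverExpires": True,
     "disabled": True, "memberOf": ["Staff", "Marketing"]},
    {"sAMAccountName": "svc-backup", "mail": None,
     "displayName": "Backup Service", "pwdLastSet": "2009-06-15T02:00:00Z",
     "lastLogon": "2015-08-01T02:00:00Z", "passwordNeverExpires": True,
     "disabled": False, "memberOf": ["Domain Admins", "Backup Operators"]},
    {"sAMAccountName": "dave.k", "mail": "dave.k@example.org",
     "displayName": "Dave K", "pwdLastSet": "2015-05-30T09:00:00Z",
     "lastLogon": None, "passwordNeverExpires": False,
     "disabled": False, "memberOf": []},
]})

# Constructed reference date so the password ages are reproducible.
NOW = datetime(2015, 8, 5, 12, 0, tzinfo=timezone.utc)

# Fields that identify a person; they must not reach the analysis step.
PII_FIELDS = ("sAMAccountName", "mail", "displayName")

# Groups treated as administrative for the "admin?" attribute (assumption).
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Keyed pseudonym: the salt stays with the operator and never sits in the JSON
# files, so a stripped record cannot be linked back to a person by hashing a
# known list of usernames. The same account still maps to the same uid across
# repeat collections, which is what the pattern analysis needs.
SALT = b"constructed-per-engagement-secret"


def pseudonymise(value: str) -> str:
    """Stable one-way token for an account name (same input -> same token)."""
    return hashlib.sha256(SALT + value.encode("utf-8")).hexdigest()[:12]


def strip_pii(users: list) -> list:
    """Drop identifying fields and add a pseudonymous uid to each record."""
    stripped = []
    for user in users:
        record = {k: v for k, v in user.items() if k not in PII_FIELDS}
        record["uid"] = pseudonymise(user["sAMAccountName"])
        stripped.append(record)
    return stripped


def load_stripped(export_json: str = SAMPLE_EXPORT) -> list:
    """Parse the export and return only the PII-stripped records."""
    return strip_pii(json.loads(export_json)["users"])


def _parse_ts(value):
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def analyse(records: list, now: datetime = NOW) -> dict:
    """Account-hygiene patterns of the kind the results slide reports."""
    ages = [(now.date() - _parse_ts(r["pwdLastSet"]).date()).days for r in records]
    admins = [r for r in records if ADMIN_GROUPS & set(r["memberOf"])]
    return {
        "accounts": len(records),
        "admin_accounts": len(admins),
        "admin_non_expiring": sum(1 for r in admins if r["passwordNeverExpires"]),
        "non_expiring": sum(1 for r in records if r["passwordNeverExpires"]),
        "never_logged_in": sum(1 for r in records if r["lastLogon"] is None),
        "disabled": sum(1 for r in records if r["disabled"]),
        "groups_per_account": sum(len(r["memberOf"]) for r in records) / len(records),
        "oldest_password_days": max(ages),
        "newest_password_days": min(ages),
    }


def run(export_json: str = SAMPLE_EXPORT, now: datetime = NOW) -> dict:
    """Pipeline: parse export -> strip PII -> look for patterns."""
    return analyse(load_stripped(export_json), now)


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value}")
```

Two things worth keeping from this shape when doing it for real: the analysis function only ever sees the stripped records, so adding a new metric cannot accidentally reintroduce a name or address, and the admin-with-non-expiring-password count is the one to read first, because that is where "400 non-expiring" turns into something an attacker can keep using for years.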
You want to show this at BlackHat? Yes! LOL … please? Wait, you’re serious? … yes? Nope. Nope. Nope. Nope. Nope. Nope. Nope. Nope.
540 people and identities, 3 organisations, public and private sector, education and commerce
19 administrator accounts
400 non-expiring
4 groups per account
35 never logged in
oldest password = 11 years
newest password = 3 months
In 2015, why is this still an issue?
The challenges
a public interest security tool
success requires engagement… from everyone
is this even legal?
The law in this space is immature
publicly available, previously known, already published
can we assess human vulnerability on this scale without compromising the privacy of the people we assess?
Privacy is about protecting people: Know, Update, Delete, Ask
AVA Ethics and Privacy Board: Objective, Representative, Independent, Collaborative. New members welcome to apply
Open. Honest. Plain English
Providing people with the information they need to protect themselves and their privacy
Is this technically possible?
Building new things is hard
Scale that has to be visible
There is a reason why compromised email accounts have value. Can we simulate attack aliases in a manageable way?
Nobody has time for more appliances
From research project to real life: testing, continuous integration, roadmap development, feature development
Security culture change as a service?
Integration: Google, Facebook, Twitter, LinkedIn, Microsoft. If you are reading this and work for these places, we should probably talk.
Contribution: ethics board, developers, testers, documentation, sociologists, UX and design
volunteers wanted Safe consensual human security science
TL;DR
• We have a people problem
• Attackers will choose the path of least resistance and we are not prepared
• AVA is an early alpha prototype
• We want a future of continuous human vulnerability assessment
• The road ahead is hard: privacy, ethics, momentum, security, scaling and much more
Learn more or get involved
https://github.com/SafeStack/ava now with docker build