This document discusses how to educate users about cybersecurity threats and why they should care about security. It notes that users don't care about security now because they don't understand the threats. It provides examples of common threats like phishing, social engineering, and weak passwords. It suggests getting creative with education methods like using humor, real-life examples, and gamification. The goal is to approach users as people, not just teach technical details, and help them understand security impacts their personal and work lives. Measuring success includes getting feedback and encouraging questions to identify what users don't understand yet.

1. Getting Your Users
to Care About Security
(It’s not the Kobayashi Maru.)
Room 3004, West Hall
Presented by Alison Gianotto

2. Who Am I?
Director of Technology/Corporate Security Officer at
noise.
We work with brands like JP Morgan, Chase, Intel, EA
Games and vitaminwater.
Developer/Sysadmin for 16 years
Crime-fighting social engineer!
Penetration tester

3. This is how your users view
computer security.
moqA
oot products or services. www.youtube.com/watch?v=qgervxM
Used with permission. Not an endorsement of Webr

4. “Given a choice between a
dancing bear screen-saver and
adhering to a company security
policy, the end user is going for
the dancing bear every time”.
-- Patrick Gray,
host of the Risky Business Podcast, Episode
RB78: Interview with Geekonomics author

5. Users don’t care
about security
because they
don’t know why
they should.
That’s where
you come in.

6. Computer Hacking
Has Grown Up
Years ago, hacking was often done
for just fun and bragging rights.
Today, hacking is a lucrative
industry often backed by
organized crime.
LOTS of $$$ to be made stealing
identities, credit card info, etc.
Ever - January 12, 2012
Source: DarkGovernment.Com: FBI Warning: Cyber Threat Bigger than

7. Why Hackers Hack
To steal/sell identities, credit card numbers, corporate
secrets, military secrets
Fun, excitement and/or notoriety
Political (“Hacktivism”)
Revenge
Blackhat SEO

8. The number of successful network
security breaches over the past 12
months (2011)
ey, June 2011
Source: Ponemon Institute, Juniper Networks Sponsored Surv

9. “How much did cyber attacks cost your
company over the past 12 months?”
ey, June 2011
Source: Ponemon Institute, Juniper Networks Sponsored Surv

10. Additional Findings
The top two endpoints from which these breaches
occurred are employees' laptop computers with
34% and employees' mobile devices with 29%.
ey, June 2011
Source: Ponemon Institute, Juniper Networks Sponsored Surv

11. “My company is too small for
anyone to bother with.”
Smaller companies are becoming bigger
targets because they often don’t have the
resources to defend themselves, and can be
easily hit by non-selective, broad attacks.
hes Declines, Report Says” April 19, 2011
Source: Bloomberg, “Data Theft From Computer Security Breac

12. Social Engineering:
The act of manipulating people into performing actions
or divulging confidential information, rather than by
breaking in or using technical cracking techniques.
Trickery or deception for the purpose of information
gathering, fraud, or computer system access.
In most cases the attacker never comes face-to-face
with the victim.
Social Engineering attacks are commonly executed
over the phone or through email.

13. “The human is the new security
perimeter. You can spend a fortune on
technologies, but attackers will send
one email to one of your employees
and you'll be done.
You're only one click away from
compromise.”
-- Eddie Schwartz, CSO at RSA
Cyber attacks: resistance is futile | Sydney Morning Herald.

14. Meet Stanley
Mark Rifkin
In 1978, Rifkin stole $10.2
million from Security Pacific
Bank using social
engineering.
No violence. No viruses. No
malware.
The woman who performed
the funds transfer at Security
Pacific thanked him before
hanging up.

15. “There's a popular saying that a
secure computer is one that's
turned off.
Clever, but false: The pretexter
simply talks someone into going
into the office and turning that
computer on.”
- Kevin Mitnick

16. The threat landscape has changed.
We can not simply throw technology at
the problem.
The only long-term solution is to educate
users -- which will require a fundamental
shift in the way we are perceived.
And that doesn’t happen by itself.

17. It’s time for a new job!
Because the problem is not solvable through
technology alone, our responsibilities now
include:
Understanding new threats as they emerge
Determining which threats can be mitigated through
technology, education, or both
Explaining the nature of threats to our users in a
way that is clear, accurate and meaningful
Cutting through Fear, Uncertainty and Doubt (FUD)

18. It’s not all bad news.
These new responsibilities introduce new,
creative challenges - that sometimes even
involve a little mischief.

19. What Threats DO Your Users
Need to Care About?
Network security Phishing
Privilege escalation Better password practices
DDoS attacks Click-jacking/Like-jacking
SQL Injection Staying safe on public wifi
Cross-Site Scripting Mobile security
Zero Day vulnerabilities Social engineering

20. Phishing
Phishing attacks attempt to trick
users into entering their login/
credit card/SS#/etc into a fake
version of a legitimate site so the
sensitive data can be saved and
used later by the attacker.
Many phishing attacks originate
from e-mails and can be VERY
convincing.

21. What’s the
Point?
Phishers capture login
information even for non-
financial sites because they
know that
MANY PEOPLE RE-USE
THE SAME LOGINS FOR
MULTIPLE WEBSITES.
*cough*Gawker*cough*

22. Platform
Agnostic
Since Phishing scams take
advantage of vulnerabilities in
the human condition instead of
vulnerabilities in technology,
ALL users are at risk, whether
they are on Mac, PC, Linux, etc.
same password for email +
forgotten password request=
access to hijack any account

23. Phishing on
Mobile
Smartphone users are
particularly vulnerable to
phishing attacks because the
browser takes up the whole
screen, and doesn’t provide as
much information about a page
as a desktop browser.
This makes it easier to trick
users into thinking the site is
real.

24. Password Security:
Analysis of Most Common Gawker
Passwords
2516: 123456 318: dragon 255: shadow
2188: password 307: trustno1 241: princess
1205: 12345678 303: baseball 234: cheese
696: qwerty 302: gizmodo
498: abc123 300: whatever
459: 12345 297: superman
441: monkey 276: 1234567
413: 111111 266: sunshine
385: consumer 266: iloveyou
376: letmein 262: [censored]
351: 1234 256: starwars

25. ALL Passwords are Crackable
Using an eight-core Xeon-powered system, Duo Security brute-
forced 400,000 password hashes of the 1.3 million stolen from
Gawker, cracking the first 200,000 in under an hour.
15 of the accounts for which it had cracked password encryption
belonged to people working at NASA, nine were assigned to users
employed by Congress, and six belonged to employees of the
Department of Homeland Security.
2009 RockYou hack: “123456" was the most common password
in the collection posted on the Web by hackers, followed by
"12345," "123456789," "password" and "iloveyou"

26. There is NO excuse for bad
passwords anymore.
1Password and LastPass both allow you to:
generate long, highly random passwords that
are unique to each website you log into
store the passwords in a database and auto-fill
sync that database across your iPhone, iPad,
other computers, etc

27. “Passwords are like
underwear - they
should never be
shared with friends
and should be
changed often!”

28. Social Media
Make sure profiles are
locked down so only
friends can see
personal information
Turn OFF geotagging
on images in
Smartphones.

29. Location
Services
Be careful using location
services such as Foursquare,
Facebook Places, etc if your
social media accounts are
open to anyone.

30. So what’s the problem?
Many security professionals seem to have given up hope.
Many security policies implement techniques that provide the
illusion of security but actually make things less secure.
(Example: rotating passwords = sticky notes) Identify these
barriers and look for alternatives that are as secure but less
frustrating. (Non-rotating password with two-factor
authentication.)
Many system administrators have a reputation for being
unapproachable, arrogant or dictatorial. (“You must always do it
this way. Because I said so!”)

31. It’s time to get creative!
We know that old tactics don’t work. So stop. “Insanity: doing the
same thing over and over again and expecting different results.” -
Albert Einstein
Approach people as people, not users.
Help them understand how these threats affect both at work and
their personal lives.
Use real-life examples, illustrations and analogies. No geek speak.
Use humor! Getting people to stay awake through security
presentations is hard. Making them laugh helps.

32. Suggestions
Register a fake domain name that’s similar to your company’s
real domain name. Send around a fake “phishing” email and see
who clicks. (Punycode domains are great for this.)
Drop spiked USB drives in the parking lot or hallway, with a
cheeky reprimand (autorun executable with loud farting noises,
for example.)
Have a company Wall of Shame (or Hall of Fame). Consider perks
for users who really shine.
Position yourself as a security mentor. You are there to help
protect them and the company.

33. Measuring Success
Determine what your success metrics are at the start.
Ask for short evaluations after security presentations. Learn
where you’re losing or confusing.
Encourage users to ASK if they’re not sure. And when they do
ask, be supportive. Knowing what they don’t know is HUGE
progress.

34. Great Resources
http://www.securingthehuman.org
http://www.social-engineer.org/
http://stopthinkconnect.org/
<shamless plug>http://www.moresecure.us (coming soon!) </
shameless plug>

35. Questions? Get
in touch!
E-mail: snipe@snipe.net
Twitter: @snipeyhead
http://www.snipe.net