
No Patch For Human Regret! Breaking People to Break into Networks by Jayson E. Street

BSides Dublin · 2021 · 48:19 · Published 2021-05
About this talk
View slide decks and full list of talks available at: https://www.bsidesdub.ie/past/2021.php
Transcript [en]

So, yeah, I'd like to thank you for having me. It's really weird, because BSides Dublin last year, in the before times, actually became the first conference that broke my heart, because I couldn't travel. That's when I started realizing my year was not going to go as I planned, and I don't think anybody here had theirs go as they planned last year, and it's an ongoing dumpster fire, so we're still having to work with it. This talk is a little strange. The reason why I chose the kittens is because I always have

kittens. The reason why I have the t-shirt, it's going to be obvious, and the reason why I chose that exact shirt is because I'm probably going to be doing a little bit of flaming, and I'm probably going to get some flames back, and I'm probably going to get some heated discussions about this talk, because this was not a talk I planned. If you'll notice, there's no abstract. That's because it hasn't been written yet. I've literally just completed this talk. This was not the talk I'd planned for this year. My talk this year was supposed to be "Hacker Striptease," because I

was supposed to be in person and on stage, and I was going to go through and take off all the different tools, all the different things that I use to sneak into companies and break into them. But I realized around November and December it wasn't going to be soon enough; I was still going to have to be doing it virtual, and I didn't want to start trying to find a way to do that virtually. I want to do it on stage, so it's going to be next year's talk. And I was like, what am I going to talk about? Well, then luckily some really crappy people did some

really crappy things around Christmas, and that gave me the inspiration for this talk. So what this talk is basically going to be about is the stuff that we overlook. I'm looking at two problems, and then I'm going to give my two solutions for them, and we're going to get into that a little bit more. This is my bio page. Hopefully there's some links. I'm on Twitter, my website is jcstreet.com, and if you are adventurous you can google the rest. That's the least important slide in the deck.

The key thing is, these are my opinions, because trust me, I already got flamed for this discussion, okay, for parts of it, because people didn't like some of the things I was having to say about it, and I was like, whatever. This is how I feel about it, but it's only my opinion, okay? And I'm wrong on a lot of things. Not on this. If you disagree on this, I think you're wrong, but hey, that's just the way it is. But this is what it's about. It's my discussion. So let's start off

with the play on words of the title. I hate this t-shirt. This is a crappy t-shirt. This is a disrespectful t-shirt. This is a lame t-shirt. I own this t-shirt. I used to wear this t-shirt unironically, okay? I was all hipster wearing it, right? And it was wrong. I didn't realize it was wrong. I didn't really think it through. We evolve, we educate ourselves, we grow. I mean, that's really weird coming from me, saying something like growing up. Don't worry, that's not happening. But we grow, we educate, we grow as people, and we learn. But I remember wearing this

shirt. I remember all the jokes about "there's no patch for human stupidity, that's why social engineering's so easy," and I bought into that for a while. And then I started learning how wrong I was on that, and how toxic our industry has become to users, the ones that we're actually supposed to be protecting. I mean, we're supposed to be fighting for the users, and we treat them like this. You thought the shirt was bad? This chaps my hide. If you get a little Texan in me, every time I see this I'm livid about this comic. In this corner we have

firewalls and cryptography, Microsoft, and in this corner we have Dave, you know, human error. Information security's totally trying to make it look like that's the problem: the human is the problem; the user, the person that you're supposed to be protecting, is your problem. I'm like, what are you talking about? What appears to me to be the problem is all that technology you don't know how to use, you don't know how to implement, you're not properly putting in place to protect your users. Maybe that's the problem. We've got to stop saying "stupid user clicked on a link, stupid user went to a website" and start saying "stupid information

security didn't properly train and prepare their users." Stop getting technology to protect your users and start getting your users to protect your technology. I hate this cartoon so much, and have complained about it so much, that my boss, Jason Burns, literally contacted the artist of the comic strip and had him redo it to make it done properly. That's your user. He is not a liability. She is not someone that you have to be worried about. They are someone that, if you train them, if you keep them properly informed and let them know that they're part of your team from day one, they're your biggest ally. They're one of your best assets. They're the best intrusion detection

system you're ever going to have. But we don't properly train them, we don't properly educate them on that, and that's our failing, not theirs. They will do what is required for them to keep their job and get a paycheck. We're not telling them that's part of the responsibility, so they don't have to worry about it. But we're going to circle back to that in a little bit. Let's start off with the first problem: offensive teams don't have to be so offensive. And straight out, what I'm getting at with this, and I'm going to talk about it in depth, because

it just really irritates me so much. Red teams, what are their functions, right? What is a red team function? I hear so many people come up to me and say, "hey, I want to be a red teamer, I want to be on the red team, Jayson, how do I do what you do?" First of all, I don't do red team, but whatever, that's a different story. They want to be that, and I ask, why do you want to do this? "Because I want to break stuff. I'm going to break in." Oh, man,

then you're useless. If you think red teaming is about breaking into networks, then you don't understand the job. Red team only exists as a function to make the blue team better. Their job is there to help the blue team, not to show them how they got pwned, not to walk in and show them what they did wrong. It is to make them better and more secure. They're there only as a function for the blue team, for their clients. But we've turned red team into being sexy, like rock stars on the red team. Where did we get that? You want to know what I mean? Further,

there's no rock star. We're freaking dentists of the internet here. But the people that deserve a lot of credit are the blue teamers, the ones that are doing that day job day in and day out: manning the firewalls, creating the intrusion detection system rules, working non-stop when an incident occurs, when a new vulnerability is out and all the systems have to be patched before they get compromised, or responding after they've been compromised. That's work. Going in and knocking down your Legos and saying "ha ha, should I fix that?" doesn't impress me. Get the work done. I'm so tired of red teamers acting like their job is to kick people when they're down. You

know, this irritates the crap out of me. This is, to me, what I see a lot of red teamers probably wearing on the weekend. You know one thing that all these three people have in common? Probably never been in a real effing fight. I've learned one thing over the years and the decades. I used to be homeless, I used to live on the street, I've had some scraps, and I never had to wear a shirt to show someone how tough I was. I didn't want people to know how tough I was. I didn't want to look threatening. I didn't want

to be seen as a threat. There's a good rapper, you know: real killers move in silence. There's a lot of loud talkers we've got in this industry trying to act tough, trying to overcompensate for something, acting like they're the king of breaking in and destroying stuff, when they should be talking about how they help networks and help companies better protect themselves. We get this attitude where it's so offensive, where we're so on edge and we're so edgy, and we've turned red team into some kind of fetish icon, like, that's what

you've got to be, that's your ultimate goal, to eventually be on the red team, to eventually be on the offensive side of security, because blue teams are for suckers. I built networks at banks, and I loved it as a blue teamer. That was one of my best jobs. That was amazing, because I would create defenses and I would be able to detect when a bad guy came in, when a criminal got on my network. Like, huh, mother, I knew you'd try that, because that's what I do, and by the way, that's why you're being logged, and that's why you're being reported, and that's why you're being blocked. Have

fun in jail, talk to you later, we're FDIC insured, that's a felony, mother, you're going down, right? I love that. That's fun. So miss me with that noise about red team being the ultimate. That's not the ultimate. Doing what you love is the ultimate. Doing what helps others is the ultimate. It doesn't matter what virtual side you are on, because there is no side. There is no red team versus blue team. Look, red team works for the blue team, so there is no side. And one of the things that gets me, and it's always bugged me, and I've never really talked about it,

but I've got to call it out, because this is a saying that I've heard from so many people, it is so pervasive in our industry, this quote: "everyone has a plan until they get punched in the face." That sounds dangerous, that sounds tough, oh my gosh. Well, first of all, I don't take advice from a convicted rapist who went to prison for it, who then gets out, does some more boxing, and then when they start getting punched in the face, their plan of action was to bite the guy on the ear. Sorry, he's not my life coach. I'm not getting advice from that dude. So I can't help it, it's ridiculous,

and also, you think Mike Tyson was smart enough to come up with that plan? That's not even an original thought from him. He stole this from this guy. You'll see on the next slide, because I don't see the next slide.

There we go, okay. He stole the quote from this guy: "no battle plan ever survives contact with the enemy." Helmuth von Moltke the Elder was a Prussian general, born October 26, 1800. That was the original, and you know what the whole root of that quote was? It wasn't to show how bad the red team was going to be and how the offensive team was going to come in and kick butt and take names. It was a warning to red teams that once you go in and start conducting your battle, guess what, you're going to be surprised by what the defenses are, by what occurs on the battlefield. This was made to warn people who were

doing offensive attacks, not for the defenders. This wasn't for the defense side. This was a warning for the people who were doing the offensive attack. And so of course it got bastardized by Tyson; it turned into a t-shirt and a nice cool saying. But the reason why I bring that up, and I'm not casting shade, the reason why I bring that up is this whole attitude of negativity, and offensive and aggressive attitude, of red teamers has a worse problem: it has bled off into the blue team. This attitude that the red team has to attack the blue team, show them no mercy, totally pwn them, so they get like, you

know, "hey, we got it, we've got to win, we broke them." Well, guess what, when you abuse someone, they find someone else to abuse. It's a vicious cycle that's very hard to break, that we need to break in this community, because now the blue teams are like, "crap, they totally destroyed us. You know what? I blame the users on this. I've got to break them. I've got to use the same attacks that the red team used on me. I'm going to use them on my users and show them where they failed. I'm going to show where it's the user's problem for clicking links and

going on things. It wasn't my fault, my network was doing great, why am I getting in trouble for that?" And so they bring it to the users, and they start justifying themselves: "well, we're just trying to use the same things that an attacker uses, we're just trying to do what, you know, how that works." BS. You see how the red teamers act and you want to be like them and you want to act like them, and you take it out on the users, because they don't have a say in this. Case in point, and the origination of this talk: Christmas 2020. I mean, let's face it,

the whole year was an effing dumpster fire. If you think the pandemic was a problem, I mean, come on, where were you? We still had murder hornets to deal with, right? There were all kinds of things going on in 2020. I can tell you that there was a lot of shell shock, and it's hard to keep up with every single pathetic, horrible thing that happened, but one of the things that sort of hit the top of the radar for me, and should have hit in this industry, was freaking GoDaddy. Oh, I'm calling them out. Thank goodness you're not a sponsor.

Didn't matter, but at least it's a little bit less awkward, right? These effers decide to go and say, hey, during the middle of a pandemic, when people still don't know how they're going to feed their children, who are trying to also be teachers now while they work from home, not knowing if they're going to have enough money for rent, not even for their house, over anything else, let's tell them that they're going to get a bonus, a Christmas bonus. Mother, Scrooge looked at him; Scrooge was in his grave going, "damn, that's cold." I mean, seriously, how can you do that? And do you know what I kept hearing from

the information security community, from red teamers, that made me sick? "That's what an attacker would do. It's just a real-world adversarial simulation, because a criminal would do that phish. Jayson, why are you so upset with that? You seem a little ranty right now. You shouldn't be so upset." Because it is wrong. You know, I do active simulations and attack simulations. I have done some horrible phishes. I've used the murder of children in my phishes as demonstrations. Never once have I sent an email out to a person that unduly made them stressed, influenced, or got their hopes up for something they wouldn't get. That is wrong. They are great

for demonstrations, for showing people how bad it can be. That's how you do that: you show the executives, these are some of the case scenarios of what kind of emails you could send out to someone and how horrible they can be. Definitely give them those kinds of demonstrations. You don't send those to the end users. You know, I've used a badge reader to clone ID badges to get into a building. That's an active attack. But you know what else would be a good attack? If I really wanted to do a good real-world scenario, and I'm a criminal, and I'm doing an attacker simulation, mother, why am I not going up to the guy

when he's going into the parking garage, putting a gun to his head, and saying "give me your badge and get in the trunk of your car, because I need to use your ID to go rob your place"? "That's a little extreme, Jayson." You think? It's what an attacker would do. I could see a criminal doing that. I've seen that in several different movies, so it's got to be real, right? We've got to do the stuff that an attacker does, so why aren't we doing that? I need to get into the building. Why won't the client let me use explosives to get through the wall? It's what an

attacker would do. That's stupid, and it sounds stupid saying it. It's even more stupid to do things like this. But don't worry, don't worry. Everybody thought, like, that's 2020, Jayson, it's 2021 now. Oh no, it's still a dumpster fire, still going. We've added some sparklers and some pretty fireworks; every once in a while they'll go off and you go, oh, that's nice, and then more dumpster fire. Okay, it's still a dumpster fire. This librarian actually said, friend Liberty wrote: "I'm double masking, eating lunch in my car, and spending time on my days off to advocate for vaccines for library workers, and today my employer sent a phishing test in the form of a fake vaccine

notification email to all employees. I'm livid." I would be like, oh no, that's not going to stand. I'd be laying hands at this point. You are messing with people's lives at this point, telling them that they can get a vaccine, telling them that there's hope, and then going, "yo, you shouldn't have clicked that link. You're not getting a vaccine, you're getting a write-up." Are you kidding me? One of the things that gets me, and this is the email: "reserve your COVID-19 vaccine today." I am telling you, there is a special place in hell for people like that, okay? People who do this

are right up there with the spam callers, the "Microsoft call center" employees trying to hose you, not the real Microsoft but the fake Microsoft call place, and the people who put Nickelback in elevator music. There's a special hell for you, okay? Straight out, that is just wrong. And guess what, you may not have had an insider threat before those emails, but I promise you've got one now. Do you want to know how you make disgruntled employees? You take gruntled employees and you dis- them. You get their hopes up, you crush them, you grind them down, you tell them things like this, you

treat them as suspects, you treat them as enemies, you treat them as enemy combatants, you treat them as untrusted. You do not treat them as allies, you do not treat them as part of your team, and congratulations, you've got some disgruntled employees. Do you think the only people that were upset about those emails were the ones that clicked the link? Every employee, after they heard that, was upset. Your threat pool increased dramatically that day for both those companies. Horrendous. They're bad and they should feel bad about it, because that's not what you do. You're not helping your situation. So you've got to understand, the red teamers, the pen testers, once they're done with

the engagement, they're gone, poof, like the wind. They ride off into the sunset because they're cool, probably on a chopper, because that's how they imagine themselves, I'm sure, with the wind blowing. Bullcrap, okay? They're gone. Who picks up the pieces? The client, the employer. They have to now start working and making sure that those flaws are corrected, but also that confidence is restored, because the regulators aren't caring about what actually gets done or who got hurt. And I'm not saying, before anybody starts hashtagging me, "not all red teamers," okay? I'm not saying all red teamers, okay? So screw

that. But the majority of what I've seen has been like that, and I'm tired of it. I'm tired of just not fixing the problem. So, solution number one, because I come with solutions. I'm not one of those speakers who likes to say "look how much I broke this, I don't know how to fix it, but I broke it really good," because like I said, I'm not a red teamer. You've got to learn to lose so the clients can learn to win. Very simple, and let me break it down. I've made that mistake before. I have done this.

I hate hypocrites the most, and I get hypocritical sometimes, but I try not to as much as possible. I have done this. Everything that I talked about that's bad about a red teamer, with the attitude, with the approach, I have done. I have broken into places and just gone, "hey, this is, oh man, that is like, bad." I have broken in badly. I have done things that have upset people. I promised people, once again it was on the spur of the moment, I told the bank manager I was going to give them all this equipment,

and I had to tell them no. All right, I've told people, "oh, this is what's going to happen," and I've disappointed them. So I have done that. But the most important thing I realized I was doing that was hurting them the most was I wasn't giving them a win. I was just kicking them. I kicked them some more, and I'm like, "oh, you look a little down, wait, hold on, I've got something for you, another kick." And that was because I thought that's what my job was. I thought my job was to punch people in faces and see if they had a plan. I didn't realize people may not

react kindly to that. I didn't realize not everybody likes you going into their company and saying how ugly their baby is. I mean, I've seen some pretty ugly babies, but people may not respond to that properly, with all the best intentions. So I learned something. It was on this one job where I learned the importance of giving them a win, where I had a choice. I could have left after I successfully compromised their location. I could have left, but I saw the employee down the hallway who had let me in the door, who messed up, who failed and let me in the door, but I saw the look on her face.

I saw her talking to another employee. They were discussing me. She knew she made a mistake. She was trying to correct it, and I could have left and made the win, "red team, once again, score," or I could keep going and let them catch me. I could let them fix their mistake and catch me. And that changed my whole life and my whole outlook on how to do red teaming, and that's the reason why I don't red team anymore. I am a security awareness operative. Someone from Hack The Box gave me that, and I appreciate it. That's what I call myself now. I am a security awareness operative. I do security awareness engagements.

I'm there to teach employees. I do a three-day engagement. The first day is mostly recon, maybe some light breaking in or some light looking around, seeing what I can get into, causing some mischief. Day two, I am the worst possible thing to happen to you, at the worst possible time, in the worst possible way. I'm great at parties. I just go in and I try to tear you up. And then on the third day I get caught. The third day I work at it, I mean, trust me, I've had to work at it, but I will get caught by your employees, because I will not just give them something to look down on,

I will give them something to look up to. On the second day, after every engagement, I wait for about two minutes and then I come back in and I talk to every single person. I don't fill out a report, I don't write a report and give them a memo three months later. I educate them right then and there, and that takes time and that takes effort, because people don't like hearing what you just did in the moment. But you have to let them know: "hey, you did this, this was wrong, I'm a bad guy, I was doing bad things. Now you know. The next time someone like me comes in, it's not going to be me, but if they try to

do stuff like that, now you know that's bad. I shouldn't do that. Do you have the number to contact for security, so you can contact them the next time something like that happens? Do you know what to do the next time you see someone that's suspicious? Good, because that's what you needed to know. That's what you need to learn. The company hired me not to file a report on what you did wrong. Your company hired me to educate you and give you a training exercise so you would be better prepared for if a real attack happened." Just that conversation alone will create allies in your infrastructure. It'll create people that feel like you're trying to help,

empower them, and educate them, and make them better at their job, instead of someone trying to break something and get a gotcha and just show a finding that they failed on. And trust me, they get pissed. I had one lady who, after I told them, and I'd already talked to the client, I'd talked to my point of contact, I'd talked to the head of their IT department after the compromise and explained, and then I went back and started doing the education to all the employees that I compromised, I came across this one lady, and she's like, "I'm calling the police," and I'm like, huh? "So, oh, you're not

supposed to be here." I'm going, "no, no, no, I wasn't supposed to be here before, but I'm supposed to be here now. I will show you." "No, no, I'm going to call." I'm like, it doesn't work like that. You're just being a sore loser at this point. I've already won. I'm just letting you know the game's over. You can't do call-backsies. It doesn't work that way. That's not how this works. That's not how any of this works. So I've had situations where they've been very upset, but any social engineer worth their weight in salt should be able to at least social engineer themselves out of that. They should be at least able to social

engineer the employees that they've compromised into feeling better about the engagement, because that's some real work. Anybody can walk into a building and plug in a USB drive, or tell people they're with IT and they need to do an audit. I know everybody can do that, because I do that, and if I can do it, anybody can, okay? I am not sophisticated in any way, shape, or form. Ask anybody. You've seen me eat. I am not a sophisticated person. So you've got to understand that that's the main part of your job: to educate the users, to educate the employees on what their failings were and how to improve on it.

So solution two, and it leads right into it: we have to start educating and empowering your employees, plus enforcing the actual policies that help. I've literally got an article on this, if you want to look at it, about the three E's. Trust me, I've been harping on this for a decade or more. This is very important, and we need to be doing more of it in our environment. The first one is educating. You cannot educate your employees with a quarterly little seminar or video or something telling them about what your computer policies are. That doesn't work. They need to know on day one of orientation that, guess what, your job responsibilities are what we

hired you for, this, this, and this, and also securing your equipment. You're responsible for securing your equipment, for making sure you secure your email communications by not clicking unknown links, by not going to unknown websites, for maintaining security on the equipment that the company is giving you. That is company equipment you're responsible for. Give them the responsibility. Let them understand the gravity of that situation, and guess what, they're still not going to care about your data, but they're going to know that they'll lose their job if they don't. They'll start understanding that that has always been a responsibility of theirs. It's not an afterthought. It's not something that's been tacked on afterwards. Because if we're not training them

immediately, on day one, what to do and how to secure themselves and how to report the problems, then we can't get mad when they keep getting compromised. And we need to start empowering them. We can't just educate them. We need to get them involved. I've done talks, I've done training classes on how to create security awareness programs, and one of the biggest things that companies can do is to actually get your employees involved in your information security program in a fun way, because security ain't fun. I mean, for me it's a blast, but for most people it's not fun. So you've got to show Bob in

accounting what's in it for him, and the best way to do that is to actually get them involved. Say, hey, company-wide, every quarter we're giving out a thousand dollars, you know, which is about 50 euros or something, I don't know, but we're giving out a thousand dollars every quarter in a drawing: Amazon gift card, whatever kind of card. And you do that, and that way your budget doesn't change. It's going to be a thousand dollars every quarter, but the people that participate, that get involved in the raffle, will increase. And you do it very simply: if you report a suspicious email, one entry into the drawing;

if that suspicious email turned out to be an actual phish, you get 20 entries; you stop someone at the gate because they don't have their badge, that's 10 points. It doesn't matter, come up with your own rules, but make it a competition, because guess what, your employees still don't care about your data, but that thousand dollars is a thousand dollars, right? That's something they care about. They care about getting that entry into the raffle. So get them involved, make it a competition. Stop making it like it's extra work for them. Make it where it's a part of their job responsibility, and hey, there might be a bonus involved.

That's how you empower your employees. And then also, another little flame war that I started was because, yes, Jayson was seen in a talk saying that you should fire people that clicked on a link. Yeah. If you have a delivery driver who totals your 70,000 dollar van, you might give them a talking-to. If they crash your van three times, seriously, they're not still your employee after the first one. So that's what you have to do with phishing. Someone clicks a link on a suspicious email and goes somewhere they're not supposed to and causes an incident: write them up, take them to a specialized, intense class, specifically a one-on-one with another security

professional and the guilty party, and give them the class on why they need to take email security more seriously. The second email they click, oh, they get another talking-to, they get another class, but then they get restrictions on their email. Then maybe they get monitoring software put on their email, saying, "hey, sorry, but this is a probationary period. For the next three months we're going to have to monitor this. We can't trust you with the emails you're clicking." Show them there's repercussions to it. And on the third time that they click a link that's malicious, they're gone. Fired. We fire employees over less. Employees

clicking the link can cost 300 million dollars ask target wasn't even their company it was the hvac company guy clicked on a link cost him over 300 million dollars that's a lot of vans there's a lot of crashed vans right there is that employee still working there maybe because it was just an email just click on an email so we need to start doing better with that and one important thing one important thing that we have to get through more than anything else is there is a pass for human stupidity it's called education and people who say otherwise are stupid so miss me with that noise okay because i'm tired of hearing it it's like if you're constantly

going into a company and you're getting you're going in with the same exploit and i've heard red teamers brag like oh my gosh i broke into this one company oh yeah same exploit i used the same ex boy from last year and i got in isn't that hilarious no you're pathetic okay it's like that means you were such a lousy job of talking to your client and explaining to them what the threats were and what the risks were that you allowed them to get compromised with the same exploit you should be ashamed of yourself one of the best jobs i've ever done was in january of 2020 you know before everything went to you know heck but you

know 2020 january you know what happened in that job the best job i've ever done i got caught like a mofo oh my gosh brand new receptionist never seen me before it's not like oh they knew you from the week the year before no they didn't i changed my look up i changed i was in disguises i was like inspector clouseau but no uh but no i wouldn't disguise this and everything it's like not very good ones because you know i'm on a budget but still this was an employee who'd never seen me before stop me out of the gate i was so impressed i still compromised the the client i still gave them value i still showed them some

flaws they needed to work on but man every section i went to i eventually had an employee who said no i don't know who you are i'm gonna have to talk to security i need to talk to the i.t department who's your supervisor uh no you're not allowed to touch my computer unless there's been an email or i've been notified that you were coming and i haven't been so i can't help you i was it literally it's still good it was one of the best i was i was like a school kid i was so effing happy i mean and this wasn't me trying to fail this wasn't me trying to give them a win things

were winning they were doing their job because i taught them i gave them a lesson the year before i showed them what all that did was verify that i did a good job the year before and this and also a good job on them because they deserve credit because they took it seriously and the management worked with it and took those findings and they implemented the suggestions and they kept continued educating their employees that's a win not going back the same next year and and getting with the same exploit that's pathetic so i told you cats with laser eyes i was burning stuff down but you know here's where we get that what's a virtual so we're going to get

comfortable uncomfortable mental silence anyway that's to let you know i'm just done

Any questions? Anybody want to, you know, start with the screaming at me, or, you know, tell me how I'm wrong first? Are you gonna wait till, put that on Twitter? I don't care, whichever, so, you know, go for it.

So, guys, anybody watching this stream on Swapcard: on the bottom right of your screen there is a live discussion tab, and you can open that up, go into the questions section and throw in any questions you have. Until questions are coming through, actually, Jayson, we had a discussion, like a little chat going on, on Swapcard, and there are so many people who resonate with what you're saying. There was basically discussion saying there seems to be, like, this macho attitude for red teamers, which doesn't really work, and one of the people watching your talk there was saying he really prefers to be an advocate for doing things right. He is a red teamer, and he most prefers the feeling of finding something that's gone wrong and actually going to the people who are supporting the application or system, whatever that might be, and actually helping them secure that. And that's absolutely the way to go, and this is how you make allies and gonna embed the security mindset into the other teams, rather than being the person who's out to get them. That really doesn't work.

And when you talk about macho, that's one of the things, that's one of the funniest things about the whole freaking red team mystique, because, you know why? You want to know the top five best red teamers out there? All women. It's like, you want to know some real good red teamers, it's like, you know, if you want someone that's going to be able to bring, get a woman on your team, okay? Because men are so short-sighted and so narrow-minded and stuff, you know. It's like, they're usually pretty quick in, like, you know, circumventing any kind of control, it's like, and they're good at their jobs. It's like, they're good at the tech, they're good at social engineering, and they're good at breaking into places. It's like, trust me, it's like, I can do it pretty over, just like going in like, you know, with the help desk, it's like they get, I mean, yes, I can name at least five people that are way better than I am, I can name at least 20 people that are better than I am, but the top five are all women.

And we're also talking about the, um, educate, and obviously if something is wrong you need to educate the employees, definitely. And then obviously that's from my own experience, but I've worked in about seven different companies in my career so far. Everybody wants to do it, or because they have to do it, it's some sort of, you know, audit thing, you have to have your security training program in place. And as most of us know, this does entail those lengthy policies, you know, death by PowerPoint and all that. Read 100 pages of the information security policy, have you done that? Yeah. But nobody wants to spend the money for the stuff that really works. And there's one place I've worked in the past, I won't say who, and it was actually the only place where I found the training program interesting. Now, I'm a security professional, I do find security stuff interesting, but even I can't sit through all those, you know, 10-page policies. But at that one place, they actually spent the money and used third-party software for it. Obviously I can't say who they are, because it might be seen as advertising, but it was basically really snappy and funny, like two to three minute videos. It was so funny that you actually enjoyed it. Every time I got a notification that, you know, a new video has been added to your security channels, it's like, stop, stop whatever it is I'm doing, I'm going in there and I'm gonna watch the video. And it's the stuff you remember. Obviously I never learned anything new, because, thank god, you know, I really had that knowledge already, but for somebody who isn't, this was such a great way to actually get them engaged. And you're talking about the gamification as well: each video you watched, you earn different points and badges and all that, so there was competition going on, you know, who is going to get the half day off because, you know, they're ranked up. That stuff actually works.

Well, that's good. Yeah, exactly. I'm actually working on a security awareness thing for companies right now, and it's all funny. It's like, you know, because my whole thing is, it's like, I try to be funny through the talk, I mean, they'll be debating about if that actually worked or not, but I like to be humorous through the whole talk, because if you're laughing, you're paying attention and you're awake. It's like, so I try to keep it engaging, because I want them to understand what I'm saying, not just like, we're just waiting for what's the next weird or wacky thing he's gonna say, it's like, and they're still listening to it.

And I have, we have one minute, I have two questions, I'm not sure we can get through them, so I'll fire them off quickly. Have you found that firing people for clicking on phishing links has encouraged compliance and increased company security at any company?

I don't have any hard data on that. It's like, I'm not, trust me, if I don't know an answer, it's like, I'm not one of those people gonna be acting like I do. It's like, I'll tell you straight out, I don't know the answer to that. I am telling you this, though: we fire employees for misusing company resources all the time. We fire employees for going to adult websites or other sites that they're not supposed to. Why aren't we treating malicious spam websites or malicious links or phishing email sites the same as we do porn sites? There are sites that they shouldn't be going to, it's like, and they should be, and you're, and after the third try, sometimes they just want to see it, and it's like, and that's not someone you should have in your company.

Brilliant. Okay, we've reached the end of our time. Thank you very much, Jayson. I hope you enjoy some sleep now.

Yeah, yep, time to go to bed now. Thank you very much, I greatly appreciated it. It's like, hopefully I won't wake up to too many flame wars when I get up, but I do appreciate it. Thank you so much for having me.

Thank you, Jayson.
