
Our Adventure with an Awareness Training Escape Room

BSides Delaware · 2019 · 20:26 · Published 2019-11
Transcript (English)

... for Stellar Technology, a software-as-a-service provider, or don't draw a big foundation ...

Anyway, how many of you are responsible for awareness? All right. How many of you have to go through... for, in our case, we're going over two hours of training. I wanted to do something a little bit different, so we thought of doing an escape room. Anybody ever done an escape room? All right. So we scaled it down a little bit. Basically it's a 60-minute (in our case we did it for 60 minutes, or however long you want your challenges to be) themed room where you go through and solve different puzzles to get hints about the game, and then the winner...

So where do you want to start? You start with your objectives. If anybody's ever done any instructional design, we always start with the objectives. A lot of people try to do a room where they go ahead and play the puzzle and figure out the objectives afterward; figure out the objectives first. Make it relatable to everybody, so do it where you get multiple groups working together. I always say build it so it's essential. So in our organization we have a diversity of people: accounting and finance, customer service, technology, developers, IT security. So we have a very broad spectrum. It's nice to bring people together in an environment where they can learn from each other and kind of work together.

And work: you know, we had a lot of people that worked together for the first time who have been with the company for years. Our mission in this instance: we had a situation where they were in the game, assigned to a major security incident, where we're simulating a compromise of one credit card record. So if we can't define what that one credit card record is, what do you have to report on? All of them, right? So we need to define that one just to get scope. The rules: the game master is always right; there was a 60-minute limit; all information associated with the game was classified. We were all very worried about this, because this took about three weeks to get everybody through, and we thought people would tell each other, you know, "try this" or "try that." No, turns out they're very competitive and they all kept those secrets close. All policies have to be followed; all workstations and partitions cannot be moved; and again, the game master is always right. Penalties: we gave them hints like any other escape room, so if you took a hint, five-minute penalty. A security policy failure was a five- to ten-minute penalty, and if you broke any of the general rules, a five-minute penalty. So when you're thinking escape room you probably think of something very elaborate. Instead... oh, you're going to have to really get this one through your boss to make it happen?

All that up: so we had a conference room, all right, and it was small enough where we could move it around to different conference rooms. We had a timer on the screen, some cardboard partitions, we got two laptops from IT that were no longer used (they were just going to be recycled), a lot of facilities people, we got some doorknobs and a box on Amazon. So all in, this was one hundred and three dollars. So yeah, very easy to do. All these slides are online. We did this at the SANS Security Awareness Summit, so if you want the slides, Google "SANS awareness summit archive" and I'll be on there. Also we have some printouts and

things like that, so there's two PDFs out there. So if you want the files we used to create this, they're out there as well. All right, so objective one: demonstrate password... can you believe me? So we always tell users, be careful with passwords; that is the last line of defense after something like this. So real quick, any guess what the username is? Not the password. What's this? "User"? Hey, we're right. All right, so our user is "user," and he gets on the password "Lila"... need a number in there, 2018, and we need a special character, exclamation point, right? Because users are excited about passwords, right? So they always, always use the exclamation point.

So we highlighted it, in case they weren't getting it, highlighted it with the neon light or whatever it's called. Note this for later on: the Lego house, multicolor. Objective two: identify and properly store PII, the "I" being personally identifiable information, if you're not familiar with that. This is our sensitive... This is where we were able to get away from the technical people and let our finance and accounting people go in. So your organizations all have some type of software platform, so you can look towards that. In our case we were able to go in (we do bank reconciliations for a number of our clients), and in our case we had the accounting and finance people had to go in and find where the error was in the file I left on the desktop. Now when they found out what that file was, what the document was, what was on that file: there's PII. Printed-out material left on that desk was there as well, so if they look up the transaction ID... we've all come across this, all right? So based on that, they have the Social Security number, and they're printed out on a desktop. Now this is a vendor list, actually, all right, so probably a lot of the organizations have this. Any of you that are consultants, what do you give? You give them a 1099 with a Social Security number, right, not an EIN? So a lot of organizations, let's say, they have the EIN, which isn't protected, but when they have consultants or any independent workers, they're typically using Social Security numbers. There's an easy place to find PII in the organization.

All right, subtle clues throughout, right? Objective three: the level of protection should be proportionate to what we're protecting. In this case we had our access cards that we were using, and they're in the box, so it's really not suitable to store anything securely in there; you can pop it open or step on it. It's also wood. Or you can enter 5589 from the transaction ID we found earlier and unlock the lock. Now once we were in there, we had the access cards. So a lot of us use those HID access cards. We had four players; there were three cards. If we had eight players, there were seven cards. So there's always one card short; somebody didn't get one.

Also in there was a Caesar cipher, with a brief explanation as to how to use the decipher. Objective four: demonstrate compliance with the physical access control policy. So how many of you have one, right? You have people tailgating once in a while? So we thought for sure we were going to get to penalize somebody here. Of everybody that went through all the little stuff, not one person walked through. So basically you scan your card on the first one: it'll turn green, you're able to pass. If it turned red, or if you didn't have a card, then you don't pass. So everybody's turning green except for the one person without a card; they had to stay on that side of the room. Naturally they were just irked

by that, because everybody else got to play on the other side, but we'll get back to them. Objective five: recognize the risk of password reuse. What I emphasized to our users: you'd be using a password, okay, and if it gets compromised in one place, then an adversary can have access to that password. So the first thing that happens when a site gets compromised: adversaries go out and they get the username and the password and try it on all the banks.

So what do you think the password is for this?

"2018!" It was the same one. So just by reusing that password they're able to get back in again. All right, so when they logged into that second terminal, the number 10 showed up on the screen. That's what that might be for; the good tip, that's something we're driving home. All right, we'll get back to that though. So this is exactly, this is exactly what we wanted people to do when they came across it. Has anybody ever worked... your best friend is the whiteboard, right? All right: communication, backing up information, hearing, inference, all right. So we wanted people to use the whiteboard to work as a team. So something as simple as this, we said write it on the board.

We'll come to you later on. Phishing emails: so we put up on the other panel some printouts of some phishing emails, and some of them were real, legitimate emails; four of them were fake. So again, whiteboard. We told them to write down all the colors (I'll have colors on top), write all the colors down on the board, cross off the ones that are real. Once they did that, they came up with this: oh, where did we see colors before? The Lego building, right? All right, so once we had those colors, when they took apart the Lego building, the green Legos were Y's, the blacks were R's... where nobody means nothing, right? Those letters

right now. All right, so next we wanted them to perform a manual cipher. We get back to our Caesar: the number 10 on the board, right? We take those letters, and "ofur" is what they translate into.

All right, on that desk... people are figuring that out; somebody else, people are tearing apart the desk, and there's a dictionary. Guess what the combination was? "Four," thank you. All right, next we wanted them to do a file decryption: 7-Zip.

It's pretty cool that you can not only compress files but encrypt files, so this is something that we kind of encourage people to use outside of work as well. So many people I talk to, we taught them how to use it to send stuff to their realtor or the bank or somebody like that, and they're saying "just email it to me," and they send it over, and they always come back with stories saying "I told them no." That's it, they walked through the bank on duty... Now this is a big thing that happened; I get asked all the time how to send things over securely, but we want our users to do it that way. 7-Zip is something that everybody can get and it's very easy to use. So in this case they had a file on that desktop; they had to... inside that dictionary was a paper and it had the password on it. I'm sorry, but so once they had that, they were able to open the file,

open it up, and we wanted them to crack a hash. I mean, I really wanted... You went ahead; they had a hash on the paper on that... we're related to, so they were able to take that and log into an account. That Gmail account had a credit card capture, so they were able to look at the credit card...

The other one, objective 10: demonstrate methods... and yes. You... no, no, that was a Social Security number, yeah. Now that's good though, thank you. So we wanted them to demonstrate methods to send securely. Again, going back to 7-Zip, they could go ahead now and encrypt that file, put a password on it, and send that to us, to an address we've set up for that. So the clock stopped when it hit the security reporting address. So most of you probably have some type of incident reporting platform or address at your company. Once we received that email, whatever the timestamp was, and then they have to get us the password for it, and they sent it following in another email. Once for that high some

bonuses: we were going to put a thumb drive on the table and I wanted to have it do something, but we didn't have time for that. But now if they plugged that in... and also with the passwords, going back to that, if they put the wrong password in, something else... penalty time. All right, so from here, like I said, you can fit it to your organization somehow; do something there. What kind of systems do you have, or PII, or...

And again, if you have any questions, my information's on the first slide.

If you do this, please let me know; I'd like to hear how it went. We're always looking to... All the groups made it through in an hour, actually.

Probably... I think the most we gave out were two clues.

These were ordinary employees. Did people hate it? They did not like it.

Yeah, so actually we did a survey after this, a company-wide survey, and the majority of the people said absolutely, they would much prefer this over the slides.

Oh yeah, that one: crack a safe. And again, you can get the full slide set as well as, like, the hash file that I created; they're all out there on the SANS site.

Putting it together: I did this all at night, after hours, and it probably took... I mean, coming up with the ideas, the concepts and everything else, probably about 20 hours.


Right, it was a full hour going in. Yeah, so the reset was about 15 minutes; we gave ourselves 15, but after cycling through I had it down. It messed up a few times where we forgot to log them out of the Gmail account; that happened once, and another time we had those updates kick off. So you know, this is the lighthouse...

Yep, yeah, so we're going to try another game; we just did a capture the flag, which... a lot of things.

So I went to the SANS Awareness Summit, and that was in August, and on the drive back... FedEx was doing this on a larger scale, and I thought it might be something; I really wanted something...

Yes, please reach out to me if you have any questions.

Right, one again for incident response: yep, Backdoors and Breaches. Backdoors and Breaches, run by Black Hills Information Security, so I would suggest you check that out, just to do it with your security team. Yeah, yeah, yeah, so check that out, that's a good game. I'm looking at other things too; I'm looking right now to do... remember, like, Oregon Trail and those games? So I'm trying to do something like that right now, I thought...

Right.

All right, I'll be around, so thank you. [Applause]