
...it's Muffy. Hello everybody, how are you guys doing today? We're gonna enjoy our BSides, yes? Yes. So I have a special affinity for this BSides event because I originated it about six years ago. I was the one who started to say yes, San Antonio needs a BSides, after being basically harassed into it by the other BSides Texas folks, which included Michael Gough and Michele Clinger from Austin and DFW. So I'm very glad to see how wonderfully this has grown, and how... I mean, others even came. Everybody, let's give it up. [Applause] Three years ago it was like an "I'm giving away my baby" kind of thing, but every year he has improved this thing and brought more, and she's always been amazing. No, no, no. So it's been... but it's been, it's amazing.

Okay, so let me tell you a little bit about myself. My name is Cindy Jones. I'm originally from the Los Angeles area, and I was a psych major in college. The human mind is a really scary place to be messing around in. I had some weird stuff happening with a couple of my classes, so I took a break, re-evaluated what I wanted to do with my life, where I wanted my career path to be. Clinical psychology was not my jam; turned out it wasn't my jam, but that's what college is for, right? To discover what the heck you're good at, what you want to do. So I ended up getting a temp job. This temp job had me working for a computer peripheral company; basically they were selling what they called multimedia kits: a CD-ROM drive and a sound card in a box, and it came with all kinds of games. You put this in your 386 or your 486 computer and all of a sudden you had sound and you had CD-ROM and you could play these awesome games. I was typing in model numbers and addresses and I was bored to tears. So they saw that I was kind of poking my nose in where it didn't necessarily belong, just a little data entry person, and they created a role for me, and that was an associate tech. So time moves forward, I get better and better at my job. I had been working on BBSs and stuff for years, right? I'd been on BBSs and playing games for a really long time, so I know how to talk to my old modem, I can figure out what COM port to put something on, so why shouldn't I be good at this too? So the evolution of my role within that organization started at the very bottom as the data entry person and brought me into a spot where I was running all their online services. Now, in all fairness, all the online services at that point in time were Prodigy and CompuServe, so it's been a while. I've been involved in this game for a little bit of time here.

So what I found out during that time frame was that computers just made sense, right? The human mind was a really freaky place to be; there were some abnormal psych classes that I was taking, you know, about doing profiling for violent criminals, and it was just messed up in there. Computers were logical; they did exactly what we told them to do. You can't even imagine... no, at the time that they're switching out, it's still doing exactly what you told it to do, right? You just told it to do it wrong, so be it. So that company went out of business and I got laid off; there was a mass layoff, which was really beneficial for me because I was able to get retraining. The state of California at the time was like, we will give you a certification course, which would you prefer, Novell or Microsoft? Microsoft sounds kind of cool; I've been trying to get drivers working for these peripherals for months now, so yeah, let's do this. So I ended up getting my MCSE on NT 3.51. I have a six-digit Microsoft number that starts with a three. Once again, I've been in this game for a little bit. So that's how I got into it all; that was my baseline for really starting to get into computers and IT. Getting that certification was great; it got me into positions where I was able to start doing support for people, because once again, as a psych major my thing is that I like to help people; I want them to feel like they're doing well, and that's still what I'm doing today. I've evolved; now I work as a consultant, right? That's my jam. So I did a little
bit... I've always done a little bit of the hacking side of things. I took apart my grandmother's toaster; I couldn't put it back together, but one of those little red lines wasn't working, so I wanted to see what was going on with that. Couldn't get it working again, but that's okay. One thing I found is that I like taking things apart; I want to find out why things are wrong. Even live ones, but that's too scary a place to be messing around. With computers I can do that, and I did it well. When you're doing computer IT work, security just kind of happens, right? Nowadays... we were talking about this earlier with Kathleen and went through the career track; it just kind of evolved for me. We didn't have information security majors when I was in school. Even if you were lucky you could find something that had to do with computer information systems, but even that was few and far between, certainly not at the school I was at. So falling into security and realizing that you want to protect what's out there just kind of happened for me. It was kind of interesting, an eye-opening experience, because it just sticks so well: not only can I protect things, but I can also help the people and the organizations and the individuals that I'm there to represent, and get them into positions where their stuff isn't being spread all over the internet, right?

So, falling back to that hacker lifestyle, I started going to DEF CON, I think it was 13 or 14, I don't remember, but I got a lot out of the talks (they weren't doing classes then). One of the disadvantages to being me is that I was a super timid individual. I would go to a talk and then go back to my room when they started showing it on TV; I never spoke to anybody. Ten years ago, if you would have told me I'd be standing right here: nope, not my reality, that just wouldn't be me. But I did get a lot out of DEF CON and the talks that I saw there, and I started feeling like I needed to give something back, so I started volunteering. It started off at BSides Austin, then I ended up starting to build this, which was awesome. And I swear there's a point to all this background information; I'm not just saying all this. The recent culmination of all this volunteer work that I do, and I do a lot, was that DEF CON asked me to go for the first iteration of DEF CON China to help organize it. And I was like, yeah, I'm going to China, that sounds awesome, right? So about 30 days ago I got on a plane, I went to China, I helped organize the first DEF CON China. It was amazing, it was such a cool event, totally different than what you would expect from a DEF CON, right? But it was what it was because it was China; it's a totally different vibe over there, and you've got to do you. It was an eye-opening experience as far as being in an area where nobody needs to speak English, so it's really interesting from a communication standpoint as well. So while I'm over there in this amazing country that I didn't really have a lot of time to check out, I realized that it's absolutely beautiful here, but the pollution was really, really bad. So we do DEF CON China, we have an amazing time, we leave, and on the way back I'm starting to feel a little not great. You know, it's been a busy few days, I'm just tired. I land on Monday; Tuesday I'm relaxing and I'm writing this talk because I have to give this talk in two days' time in Salt Lake City. So Wednesday I get on a plane and fly to Salt Lake City; Thursday I feel kind of worn out. They put me in the bigger... (Oh, last call everybody, if you want beer, that's last call.) I feel a little worn out, actually really worn out. In Salt Lake City I get up on the big stage where I'm standing in front of about 350 people, which was the most intimidating thing ever; I thought I was gonna be a breakout session. And I give my talk, and that night I get back to my hotel and I'm sick, not just sick; apparently I contracted something there. I have no recollection of what this talk was in Salt Lake City. So today you guys are forewarned: basically, you're not going to hear anything new here, you're not gonna hear a single thing new. Once again, everything old is new again, because the world is still an ugly place.

Okay, my job as a consultant: I go out there and my job is the same. Your baby is ugly, your security program sucks, here, here, here, here's the recommendation so we can maybe improve things, right? It can be anything from vulnerability management to inventory systems to your dev shop just running
hodgepodge all over. When I go into a shop, nine times out of ten the C-suite, they just don't... they're not the boots on the ground, they're not seeing the day-to-day operations that are happening. So I'll have a kickoff meeting with the stakeholders, going: so what do you think? Give yourself a score on a scale; how do you think your security program is running? "Oh yeah, I'd say we're a solid four." Okay, you're wrong. I can't tell them that. Once I start getting into it, I can start evaluating different aspects of the organization and be able to tell them how and why they're wrong and what they need to invest in. So telling people that their baby is ugly is difficult in the best of times, but it can be a straight-out battle in the worst of times. So with the advantage of having that background in psychology, I have very strong communication skills, and being able to take it to that level (we talked about this a little bit earlier) as far as being able to communicate with different levels of personnel, whether they're technical, non-technical, leadership, whatever the case may be; developing that skill set is very important, and maintaining it is extremely important, to be able to get your point across. So when you're talking to these people and they're telling you their security program is at a four and they're wrong, it's not their fault; they only know what they're aware of, right? So going in, once again, is just spending some time performing analysis, making the recommendations, helping to prioritize what they want to do next; that's super important. So when you're talking to these folks, the first thing is like, well, you're coming back here and you're telling us that on a maturity scale we're barely managed, we're not standardized; what are you telling us? We have a five-tier scale that we use. And they're like, well, what's missing from our programs? Well, a lot.

The first question that we have, the first thing we've got, is basically knowing what you've got. It comes down to this. Like I said, there's nothing new to this talk; these are the same problems we've been having for the past ten, I'd go ahead and say 20, years. What do you have within your organization? What do you need to protect? What's out there for hardware, what's out there for software, what kind of data do you have? Are you maintaining it in a format that can be protected depending on the sensitivity level? Do you even have sensitivity levels specified for your data? What, you don't? People don't. These smaller organizations... I learned a lot from the DoD, where they actually are very anal-retentive about categorization and classification. Are they really good at it? I guess that's up for debate; it depends on what you look at. So how does this improve? How do we get inventories and baselines of systems, of software, of hardware, and of data? Where is everything at, right? This is the one way that these guys are going to improve, and this is, time and time again, what I say on almost every single engagement that I am on. I feel like a broken record. You don't know what you have. Your Excel spreadsheet over there, over there, over there, which might be password protected but probably isn't, but that doesn't matter because it's sitting on a file share that everybody has access to. People just can't wrap their heads around what they're doing wrong. Understandably, a lot of times we've got IT shops that are also working as security practitioners; that's problematic right there, too many hats; you just can't do everything and keep the business running at the same time.

So has this gotten any easier? Are there ways to do this? There are a few different aspects of things that are helpful, that we should be able to leverage within the technology that's available to us right now. Enterprise licensing, for example, should make software licensing relatively simple, right? You've got enterprise licensing for your operating systems for the most part, you've got enterprise licensing for your Office products, whatever the case may be. You can leverage different aspects of configuration management tools for any operating system, for pretty much any piece of software, but what's out there is pretty limited. Patching: we can use everything from WSUS, in conjunction with or out of conjunction with SCCM; you use Puppet, Jamf, whatever you want to do; you should be able to keep your stuff patched, right? This stuff should happen; it's not happening. Standardization, once again: for the most part the world runs on Windows; SCCM is a great way to ensure that standardization is being maintained, your configurations are being maintained, using all the aspects of your policy. Do the stuff that matters; make these images secure before you farm them off. Virtualization of hardware assets: that should be really simple; you bring it up off of a template which is hopefully pre-hardened. These should be making life easier, but it's not. Your
asset management tools: having that information coming directly out of your ESXi console, plugging right into your asset management tool so they'll be able to keep abreast of what's going on in your virtualized environment; that should be happening. It's not. So we've got a lot of challenges. It's sad; they're the same challenges we had ten years ago. Once again, nothing's changed; the technology names have changed, the malware out there is different, the vulnerabilities, sometimes those aren't different, because we're still looking at what's still out there. Organizations are running old, old legacy applications and systems, and they say, oh, we can't upgrade... The technology people are selling snake oil, and if you try to sell that snake oil but nobody finds out how to use it, they don't have the personnel in place to be able to do that. As a security practitioner you will never be out of work; that will not take place unless that's really what you want to do. But there is work out there. If you want to take some time and not have a job and just kind of sit back and figure out what your options are, you have that option, because as an infosec person we are so highly sought after that you have the pick of the litter. Unfortunately... I'm glad that you, in addition to me, people are feeling that.

So the biggest issue there is getting the right (I'm going to say this and I kind of hate the fact I'm saying it) butts in the seats, right? The people who actually know the technology, who know how to run this stuff, and who can effectively manage processes, who can enforce policy, assuming the policy is written properly and appropriately; we'll get to that in a minute, because it never is. So let's talk about our current challenges. From a software perspective, we've got people running as local admin who can install whatever the heck they want; it doesn't matter. There's no whitelisting or blacklisting because that's too hard, that would take too much time. Once again, you've seen your tools halfway. Patching: "it's a legacy system, we can't patch that version of Java, we need that system." Again, are they putting it off anywhere, like sandboxing it at all? Maybe using some kind of Citrix client or something to access it? You're still accessing the same torn-up nasty website that might only be internal, but can you prove that? Standardization: "Oh, we can standardize our desktops, all of our desktops are the same image." Well, that's great; did you harden that image? If you take your time, you can configure that image with GPOs, with password policies, with whitelisting and blacklisting technology. Did you take the initiative to implement the toolset that you already have in place, completely and fully? Did you think to hire a third party on a contract basis to get this moving, so all you have to do is enable your users or your administrators to strictly administer it, as opposed to having to set something up from the ground up? Leverage these things. Not happening.

And then you get me into vulnerability management. This is one of the ugliest areas; there are a few really ugly areas. Vulnerability management programs: I see them in all levels of maturity. "We don't want to hit our network devices; it'll take them down." Maybe 15 years ago; I mean, maybe you should have retired some of those network devices that are in that shape. What's happening here? Other places: "Oh, we don't do anything over wireless." Well, when you think about walking into an organization that runs everything on wireless now, everybody's got a laptop, you're walking in there and everything is connected via wireless, and not a single one of those hosts is being hit. They don't want to do vuln scans over wireless. Why is that? "Well, we've never been able to do it successfully before." Well, why is that?
Once again, process issues. When we look at hardware issues, the challenges associated with hardware, it's just all systems, for lack of a better term, because when I say hardware I'm also referring to virtualized systems. Back in the day we had desktops; very few people had laptops; very few people needed to be mobile, part of the mobile workforce. Nowadays almost everybody gets a laptop. You had a three-year refresh; if there was a hardware vulnerability, nine times out of ten you were ahead of it and it was probably going to be something that was older anyway; it wasn't going to be the latest and greatest technology, it was going to be rotated down anyway, so you were always on a lease program. Now we buy things outright, so there's that aspect. BYOD: never heard of it before; now what have you got? When you're looking at virtualization, you're talking about dev shops bringing systems up and down and up; you can't keep track of that, there's just no way to do it unless you actually have something feeding into an inventory system that's going to give you that information. So ensuring that even the hardware vulnerabilities that are present, or the virtualized versions of those vulnerabilities, are being handled, to be honest, is almost impossible. Has that changed at all? No. The cloud: shiny, give me a new instance; oh look, I don't need it anymore, take it back down. What's in that instance? What was in that instance? Who was transferring data to it? What's it for? We just don't have that information. It's the same kind of thing as virtualization; there's just no way to keep track of it effectively. Or, I shouldn't say there's no way; I don't see it effectively being managed. You can look at your asset management systems and see if you can do some automation there. I haven't seen a very successful implementation of an asset management system that was able to maintain that kind of information. The customization that would have to take place between all the cloud environments, between AWS, the Azure instances, your virtualization instances, what people are running on their desktops (bringing up their own VMs on their desktops): keeping track of that information is very difficult to find, very difficult to manage, almost impossible to include in asset management.

So what does all this equate to? Basically, for lack of a better term, rogue devices. These are things that your IT shop, your security shop, nobody knows are out there. What do you do about that? You've got systems; have they been patched? How long since? Because once again they're on the wireless, they can't do any vulnerability scans; they certainly can't be aware of the latest patch that got pushed, because they're only checking into WSUS once in a while, because we don't require anybody to get on the VPN, we're not using it appropriately; it's not checking in with home, it's just going about its business. People are just going about their business out in the world. So what can you do? I mean, if you've got everything under the sun out there, we've got options. With BYOD it's a losing battle, right? It sounds like a losing battle; what are you going to do? Oh look, zero trust, that's it, that'll save the world, right? Well, you guys can't even manage your patch management. I'm saying "you guys," I don't mean you, but organizations out there: zero trust is only going to be as effective as your ability to effectively manage a certificate authority, pushing those hardware certs out and ensuring that they're usable, right? So is that the solution? Probably not, if you can't get your patches pushed.
Okay, data challenges. For goodness' sake, do a data inventory. Every organization in the world should do a data inventory. I can probably count on one hand, since I've been with my current employer, the only people I know who have a solid data inventory. Let me put it this way: a lot of the people I know who have a solid data inventory are legal teams, legal offices; that's the only place I have found it. Medical offices, they might think they do, but it's really... you just can't wrap your head around it; there's always going to be an Excel spreadsheet somewhere that's going to have social security numbers, medical diagnoses, whatever the case may be, credit card information if you're in a nightmare scenario; that's entirely possible as well. But it's almost impossible to wrap your arms around. For whatever reason the lawyers have got it right; I'm seeing them doing it appropriately. I don't know how; now, these are only the ones I've seen, and I'm not one, so don't quote me on this, but they're doing better than most. Policies are the first step: understanding categorization and classification, having those policies pushed out to everybody in your organization so they're aware of what to be on the lookout for. If there are any firm variances from what they know to be the policy that they need to be pushing against, they need to be able to bring that to somebody's attention. They need an escalation path; please include that in your policies and procedures. It really hurts if they just say, "Oh, I saw this but I didn't know who to talk to." They talk to their boss, their boss goes "I saw it, I didn't know who to talk to about it," and it never goes anywhere. They need to have avenues for reporting this information.

So, data flows. That's something else. When I worked for the DoD, I have to say, that was where I learned the most. I learned so much from looking at data flow diagrams for any system, network or overall environment, right? Having that information spelled out: there will be information going from this web server, it will be coming in over 443, going down over 443 to this application server, then to this database server, with port information specified; you know exactly what traffic is supposed to be taking place on your network, right? To be able to monitor that information, to know when some strange traffic is taking place, seeing your database server talking to some kind of random whatever it may be and sending data out; that's problematic. This should be important; this should be brought to somebody's attention. But people aren't even aware of the baseline communication. They don't even see the communication paths that they need to be aware of as a baseline. So one thing that I always push is the ability to have the data flow diagram across the board, at a system level, at a network level, throughout the organization, and have the appropriate protections put in place. My goodness, it's data. Are you alerting on this data? Once you have that baseline established and you're monitoring for anything, once you've got the protection mechanisms in place, just verify: are you alerting on all this information? Are the alerts so cumbersome that people are ignoring them because they're just too much? You don't have use cases set up. I mean, how bad can that get? Alert fatigue is a real thing, let me tell you; I routinely filter things into a folder because I just don't have time to deal with it. I can't imagine somebody who's getting, you know...

So how do I meet some of these challenges? Believe it or not, there might be a light somewhere at the end of the tunnel. It's not all doom and gloom, it's not all horrible; there can be beautiful babies out there. They're not all ugly; there really can be beautiful babies. How can we change it? How can we get things from the state they're currently in into a more positive, more mature environment, to where we can feel confident that our data, as individuals, and corporate data is being protected? That sounded really positive; I hope it's true, but it's been a long time and it still isn't much different. Securing what you've got: protect all of your sensitive data. That means encrypt, encrypt again, encrypt more. Encrypt in transit, encrypt at rest, encrypt the database; just encrypt stuff. It's not like you have one encryption system out there and you're keeping track of one set of keys; you can do that for more. Encrypt some more; just keep doing it. It's fine, this is fine, it's not going to slow down.
It used to be I'd have people say, well, if I enable tablespace encryption on my database, that's going to slow down the application too much. You know what? Nobody's going to notice it. If you're at a trading company, like a stock market trading organization, yeah, I can see it impacting you there, because we're talking milliseconds we need to worry about, but in your standard environment nobody is going to notice that. Please encrypt. Specify access control. Monitoring, my goodness: monitor and fine-tune your alerts. Get somebody in there to help you; have somebody say, no, this is useless, this is a false positive, it's been flagging for six years now and it still doesn't matter, and it really didn't matter because nobody was taking action on it anyway. So even if it did matter, it's a foregone conclusion: you're already pwned. I'm pushing for secure development training. Your devs, my gosh, train your devs, which rolls right into education as well: let people know what's appropriate and what's inappropriate. But are you training them securely? Okay, so there's your question: are they getting security training along with their development? Okay, so, rights: if you're in the data, only those who need access get access. Encryption, encryption. Know where it is. I feel like I'm repeating myself, because somebody needs to, because nobody's changing anything. Over the past 20 years, people, this is something that needed to be addressed. You've got to get back to basics. Start doing testing, peer review, static testing, fuzzing; all of this needs to be addressed before it gets anywhere near the production environment. Okay, I'm having too much fun now; let's see... or whatever, whatever other, you know.

So, once we've secured the data, we need to secure your access. Role-based access: it really is a thing. Stop giving everybody access to the world. Some of these smaller organizations just say it's easier, and I get that, because they have three guys running IT and one of them is now the official head of security. Being able to specify the roles, getting after the application layer, specifying roles within there... One of the most impressive role-based access control systems I've ever seen is a very large HR application. I was working with the Air Force; it was for the Air Force personnel and pay systems, the AF-IPPS program. It's a congressionally mandated program; it was going to take, I think, 163 disparate Air Force personnel and pay systems, which include everything from leave time to bonuses to sign-on, everything, I mean everything, and combine all of this in one beautiful system. That was their goal, and the program's still in the works today; I got out of it about three and a half years ago, thank goodness. But as a part of that, we were performing what we considered to be the beginning of the blueprint of this new tracking system, and I have never been more impressed with the granularity at the application level for those users. This was using PeopleSoft, so you can take that as you will, but the granularity that was present there and the ability to create custom rules to access various aspects of data was so impressive to me. I was just like, wow, this is amazing. I've recently seen the same type of granularity in Salesforce applications; they've got it down. If you have the opportunity to see the security settings for any of these applications, take that, learn from it, and apply it to the rest of your world. You'd be amazed at what you can actually do to narrow down the scope of what somebody has access to, and therefore narrow down the scope of what they can do. Stop giving people local admin. Please, stop giving people local admin. In addition to that, make sure that your domain admins are reasonably assigned. If they only need privileged access for specific tasks, give them access for those tasks; they don't need to have domain admin to do their job nine times out of ten. Be sure they're using RunAs, for goodness' sake; make sure they have two separate accounts, so their general user account doesn't have domain admin rights. These are very basic concepts.
[Music] I'll actually cover the configuration in just a minute. Be sure to monitor your highly privileged accounts as well, not only when you're actively providing the access to folks; be sure that you're looking at the access that they're having. Having two accounts, one user-based and one administrator-based, for anything with elevated privileges is imperative, especially when you're going in and tracking things down. It just makes it so much easier to see that this domain admin wasn't just, you know, first.last; it was first.last-[inaudible]. Teaching them what the responsibilities are for using those accounts, monitoring them: make sure that you look for not
only failed login attempts, but you also want to look for any kind of long-term absence of logins, and then a plethora of them. So these people who are happy to have the account, you know, they don't need it until once a month they have to run a report. Find a different way to give it to them; it really isn't that hard. If you look at the ways that the systems are configured and what the processes are that need that type of access, you can be very granular, once again going back to that granularity level, in providing the specific access they need. And alert, once again; have your
alerts in place, and make sure that they're seeing it properly. So when you've got thirty-five systems out there, you've got your Carbon Black running, you've got your whatever, I mean [inaudible], good example, but say you've got like 30 systems and everything is providing information all over the place, OK? Windows logs, you've got the logs you're pulling up, NetFlow data, you've got everything going into your one network configuration system, and you're having to monitor each of these individual systems to get useful data. Stop doing that. Find a way to consolidate all this information together and develop use
cases based on that single lens. It's a much more effective way to manage your security than having to look at different consoles for different things across the board. It's one way where a lot of things slip through the cracks for weeks, potentially months, [inaudible] the length of time. Verizon's [inaudible]; no, I understand, we need to report this, this is reported, but I mean, it's solid, people understand this, I think. Yeah, I mean, having that slip by just on your own side, that's just devastating. Go ahead and include NetFlow data; anomalies will pop up, you'll see the differences there. Collect log data from workstations;
that's where nine times out of ten you're gonna see activity starting. Yeah, and Michael's got products as well, some great, spectacular cheat sheets for that. Look at the information that's coming across your workstations. Don't just rely on your antivirus or whatever the case is to provide you, you know, anomalous activity, which may not be sufficient. Develop use cases for user behavior; leverage UBA, it's important. If all of a sudden Joe, who's sitting next to you normally, is logging in from wherever, Egypt, and you know he just took his wife out to dinner, there's a problem: somebody's got access, right? So go ahead
and build out use cases for UBA. Here we go: secure development. Bring security in at the very beginning of any project; they can throw the red flags in at the very beginning so that you're not having to go back and fix things. If you're a developer, bring security in, make them your ally, find out what it is you need to know. Get training; call OWASP, say, hey OWASP, come on down and do a bunch of learning for us, we'd love to hear you talk, because we need to know, on the platform that we're building on, we need to know what the situation's like. [inaudible] earlier where the
application, where our web app is the problem, but that's not happening, that's not the reason for the failure. Teach your devs how to code securely. Use dummy datasets in development; please stop using production data in dev. That is just expanding the potential for breach across two completely different environments. Is it segmented, or is your network really flat? Who's managing that? Have you tested it? Has dev ever been the goal on a pen test? No. Yeah, live access to production: stop giving your devs access to production, for goodness' sake. Let them push up to a, you know, have it very specific on who can push things into production. Stop giving them access to production. Yeah, stop
giving them access to production; it's not necessary. If they're using it for troubleshooting purposes, then have a duplicate set for that. And finally, my favorite, favorite topic is education, because I still believe that there is hope, believe it or not, with all my grumpiness and my complaining and my turning into my mother and finding fault with every single aspect and every single thing about my career and personal life. I still believe that there is hope. So the only way this is gonna happen: go ahead and get your users trained. Get them trained on security basics. High-value account holders, C-suite, anybody who's hot with high visibility, give them specialized training; they are [inaudible]
targets of, you know, a lot more phishing activity than Joe Q. User is. Make sure this is happening, folks. Do security training for all; make sure that your development shop is getting their training, but also make sure that your administrators are getting appropriate training. They need to know that they are also a high-value target, and once again, because you're probably not using dual accounts, that their user account is that much more valuable. Make sure they are aware of this; make sure they sign off on their responsibilities, that they are aware that they need to protect that account. Excuse me. Perform baseline and ongoing testing of educational effectiveness. It sounds really good, so
if you don't have a security awareness program in your shop at this point in time, I would strongly suggest you guys do some sort of phishing exercise. And I see this a lot; a lot of places just don't have security awareness training, and it has been one of my top five recommendations. Go ahead and make sure this starts happening, but develop a baseline. Do a phishing exercise, hit the whole darn company, you know, do it well. Use a service to do it. I mean, Rapid7 has an aspect of Metasploit for that; we've had it for a while, but it's getting pretty sweet, it's pretty nice, fun to play with, too. I recommend that because I
work at Rapid7, but go ahead and, or, hire a professional organization. [inaudible] PhishMe still does a pretty decent job. I see Larry up there, so I know you guys need some phishing exercise; it's Digital Defense, and they're local. [inaudible]
So yeah, but go ahead and develop a baseline. See how your organization spins this the first time, see how it affects them. Perform your user awareness training, and never, ever, for all the [inaudible] in the world, do not make it anything that could be punishable. Behaviors should not be punished; they really should be opportunities to learn. Please treat your users as if they are learning something, and they shouldn't be targets for your, kind of, your negative feedback. But go ahead and do that baseline, develop that baseline, see where you're at initially, rerun that phishing engagement two months after they do the training, see how it evolves, see if anything took. Maybe you need to revamp your education;
maybe your education program isn't the best in the world, or there's a different way to present it to them. Doing [inaudible], you know, keeping it constant, making sure that people are engaged with their education is important, right? If you're just sitting there clicking through a CBT every year because it's required, because, you know, you've got to find where that floppy disk needs to go when you're getting rid of it, yeah, that's not going to do anybody any good. So engage your audiences on an individual level, maybe on a group level, maybe on a role-based level, but general security, where this education needs to include all aspects of your organization,
including your marketing department. So this is something that I love: talking to the people in marketing and saying, we need to build out this security awareness training program, but we want to have a mascot. We want this mascot, we want posters up on the wall with this mascot, with the security awareness tips. We want little squishy dolls that we're gonna hand out to people whenever we have our little [inaudible], and they're gonna get those, and they're gonna get them as prizes along with a $5 gift card to Starbucks, and they're gonna get this for participating and responding to security awareness training events, right? Make it a thing. Have them bring it home,
let the lessons be transferable to their lives. That's how you're gonna make a difference and get people to actually pay attention. So as I said, these are [inaudible]. OK, so that's me, that's my talk, after being on, absolutely literally, what I think was my deathbed for six days with pneumonia, coming back from death, come on. So, anybody have any questions?
I'm done ranting. Thank you guys very much. [Applause]
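The privileged-account monitoring the speaker describes in the talk above (failed logon attempts against admin accounts, long-term absence of logons, a sudden plethora of them, and the UBA case of an admin suddenly logging on from a country he never uses), as an added example that is not part of the talk or the transcript: a Python script that runs those four checks over a handful of constructed Windows-style logon events. The CSV line format, the account names, the per-account country baseline, the fixed "now" and every threshold are assumptions made for the example, and the country field stands in for whatever geo-enrichment the log platform adds.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (invented for this example; not from any real
# system or from the talk). Columns: timestamp, Windows Security event ID
# (4624 = successful logon, 4625 = failed logon), account, and the country
# the client address resolved to (an assumed enrichment field).
SAMPLE_LOG = """\
2019-05-18T08:00:00,4624,adm-jsmith,US
2019-05-18T09:30:00,4624,adm-jsmith,EG
2019-05-18T03:00:00,4625,adm-mlee,US
2019-05-18T03:01:00,4625,adm-mlee,US
2019-05-18T03:02:00,4625,adm-mlee,US
2019-05-18T03:03:00,4625,adm-mlee,US
2019-05-18T03:05:00,4624,adm-mlee,US
2019-05-18T10:00:00,4624,adm-report,US
2019-05-18T10:01:00,4624,adm-report,US
2019-05-18T10:02:00,4624,adm-report,US
2019-05-18T10:03:00,4624,adm-report,US
2019-05-18T10:04:00,4624,adm-report,US
2019-05-18T10:05:00,4624,adm-report,US
2019-03-01T12:00:00,4624,adm-oldsvc,US
2019-05-18T11:00:00,4624,jdoe,US
"""

# Assumed inventory: the separate admin accounts that hold elevated rights,
# and the countries each one normally logs on from.
PRIVILEGED = {"adm-jsmith", "adm-mlee", "adm-report", "adm-oldsvc"}
BASELINE_COUNTRY = {acct: {"US"} for acct in PRIVILEGED}
NOW = datetime(2019, 5, 18, 12, 0, 0)  # fixed "now" so the run is reproducible


def parse_log(text):
    """Parse the CSV-style lines into (timestamp, event_id, account, country)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, country = line.split(",")
        events.append((datetime.fromisoformat(ts), int(event_id), account, country))
    return sorted(events)  # chronological order


def analyze(events, privileged, baseline, now, *, failed_threshold=3,
            dormant_days=30, burst_window=timedelta(minutes=10), burst_threshold=5):
    """Return {account: [finding, ...]} for privileged accounts only."""
    by_account = defaultdict(list)
    for ev in events:
        if ev[2] in privileged:
            by_account[ev[2]].append(ev)

    findings = defaultdict(list)
    for account in sorted(privileged):
        evs = by_account.get(account, [])
        failures = [e for e in evs if e[1] == 4625]
        successes = [e for e in evs if e[1] == 4624]

        # 1. Failed logon attempts against a privileged account.
        if len(failures) >= failed_threshold:
            findings[account].append(f"failed_logons={len(failures)}")

        # 2. Long-term absence of logons: a privileged account nobody uses
        #    should be removed rather than left waiting to be abused.
        if not successes:
            findings[account].append("never_logged_on")
        elif now - successes[-1][0] >= timedelta(days=dormant_days):
            findings[account].append(f"dormant_days={(now - successes[-1][0]).days}")

        # 3. A plethora of logons: sliding window over successful logons.
        times = [e[0] for e in successes]
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= burst_window:
                j += 1
            if j - i >= burst_threshold:
                findings[account].append(f"burst={j - i}")
                break

        # 4. UBA: successful logon from a country outside the account's baseline.
        for e in successes:
            if e[3] not in baseline.get(account, set()):
                findings[account].append(f"new_country={e[3]}")
    return dict(findings)


if __name__ == "__main__":
    for account, items in analyze(parse_log(SAMPLE_LOG), PRIVILEGED,
                                  BASELINE_COUNTRY, NOW).items():
        print(account, ", ".join(items))
```

In a real deployment the events come out of the consolidated log platform the talk argues for rather than a string, and the thresholds are tuned per environment; the ordinary user `jdoe` produces no finding because the checks are scoped to the privileged-account inventory, which is exactly why that inventory of separate admin accounts has to be kept current.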