
Hi there. I'm giving this type of recording a shot. I've never actually recorded something using PowerPoint recording, or whatever they call this thing, slideshow. Anyway, it'll be interesting to see how it turns out, and hopefully it turns out well. But I'd like to thank the people from BSides Athens for having me, supposedly keynote, though, you know, maybe next year I'll be there live, which I'm looking forward to. Anyway, let's talk about this presentation. For lack of a better term, this presentation, I shouldn't say it came about because of this, but it's iconic. The first time I was going to give a presentation of this nature I was actually speaking at Kwan Khan, which is kind of, for lack of a better term, East Side's Iowa, and it was in Davenport, Iowa. Flew there, and anyway, I was talking. I got there right before my session, which was going to be after lunch, but I had a chance to be there at lunch, and I was on the buffet line. And what happened was somebody in front of me, they saw a table next to the buffet line, and the table was giving out stickers, and the stickers essentially said "Don't click on Sh*t," so I'll just say "Don't click on quote-unquote stuff."

So now, anyway, the guy looks over at it, and he's your typical system admin type, and he goes, "Oh, I need a lot of these stickers." I go, "Really?" He's like, "Yeah, I got a lot of users that click on stuff." And I'm like, "They do?" He's like, "Yeah." I'm like, "Well, you must give your users a lot of stuff to click on then." He's like, "What do you mean?" I'm like, "Well, how can they click on stuff if they don't have stuff to click on? I mean, they're using your computers, aren't they? They're using your servers, they're using your email. It's like you're giving them all the stuff to click on." And I go, "And by the way, if you know they're gonna click on stuff, what are you doing to stop the results of the clicking on stuff?" He's like, "What are you..." Like, I go, "Let's face it, users can't click on quote-unquote stuff unless there is stuff to click on, and the only way the users have stuff to click on is if you give it to them, and then, as important, you enable them to essentially create the damage that you actually care that they click on stuff."

So hopefully you see, like a lot of people, they see this title and they're like, "Oh my god, another presentation that, you know, insults the user," for lack of a better term. I'm not here to insult the user. This is more an insult to the profession, because frankly, and I'm going to come back to this as a critical point, right now users are considered 90% of the problem, users, attacks and everything, and then it's like the result is, "Oh, let's create, you know, let's make the user the human firewall, let's make them the last line of defense," and all that other crap. The reality of the situation is that's looking at this problem in the wrong way, and we need to stop looking at the user problem as a problem resulting from and centered on the user. And I'll talk about this later. I don't want to go through the whole presentation right now on the first slide, so I'll give you something more to work with.

So before we actually talk about what creates the problem, let's look at the definition of what is stupid. And I realize you're all, you know, a lot of people, they're from Greece, although now that it's able to be viewed from all over the world, generally whether it's in English or whatever language, you know, look at the concept of stupid. Stupid is defined as having or showing a great lack of intelligence or common sense. You know, and generally when we talk about hiring stupid users and all that sort of stuff, again, what are we talking about? You know, we're saying, okay, stupid is these people just have no common sense. Okay, let's break that down a little bit, though. Let me ask you this question: do you hire people with a great lack of intelligence? In other words, are you looking to hire stupid people? And if you do have somebody who is really showing a great lack of intelligence, whose fault is it for hiring them in the first place? Why do you put somebody with limited intelligence in a position of responsibility where they can click on something and bring down your network? Again, whose fault would it be, even if the user actually is stupid, for them to be in the position to cause your network harm?

Now let's take this a little bit further. Do you hire people with a great lack of common sense? In other words, you know, are you hiring, like, people who are not necessarily lacking intelligence but they don't have general common sense? From my psych... my background is in psychology, and from my psychology days, you can't have common sense without common knowledge. And if people don't have common sense, it means you're not providing them with common knowledge. You know, did you provide people with training so that they can have the common knowledge to exercise common sense? And again, it's common sense that a user will fail, and if a user fails, did you expect a failing? That's common sense. So again, the problem is it's common knowledge that people will eventually fail. So again, if you're not accounting for this, you're the one who is quote-unquote actually stupid, which again is leading to this slide: if you are calling your users stupid, who's really the stupid one, the users or the people who are putting them in this position knowing that they're eventually going to be stupid?

So let's take a step back, though. As I mentioned, at the end of the day it's not really you; I'm not calling you stupid. I guess now I'm calling security awareness people stupid, but not even them. You know, the problem is we've been trained to look at the user problem, and I'm going to refer to it as the user problem, you know, as being centered on the user themselves. You know, we've been fed a whole bunch of crap. We hear terms like the human firewall, we hear "users are the first line of
defense, the last line of defense." There's a lot of, you know... I don't know how many people work out and know the concept of what's called bro science. It's like the bros in the gym always say, "Oh, eat more protein, bro, do more cardio, bro," whatever it is. But we have the same type of bro science, as I would call it, in the security awareness profession. People take a book, they take some research, they're like, "Oh, this sounds right." You know, let's talk psychology, for example. You know, when we talk psychology, you know, it's like... the problem with psychology is that it's the individual person that you're focusing on, and that sounds noble, that sounds great. The reality, though, is you can't go ahead and generate an awareness program for each and every individual in your organization. You have to look at things like organizational psychology, sociology, where you're actually looking at the organization as a whole and basically saying, "My job as an awareness professional is to reduce the overall risk of the organization, and I need to focus on what are the best ways to move the organization in the right direction," as opposed to "How do I move each and every individual in the right direction?" Because think of it this way: if you have an organization with a thousand people, are you going to be able to actually influence each and every individual person within the organization? No. But if you look at all the other sciences that are out there, you look at the other disciplines that are out there, they're able to do something useful, and the reason why most awareness people and security people aren't being as useful as those other professions is because we're being fed the wrong type of information. We're being fed, "Oh, focus on the individual and make the user..." But that's not the way it works in any other discipline. It's not the way it should work with you here, because here's the fundamental problem: people are focusing on the proximity of the error. They're saying the user clicked on something, so therefore we need a better user, we need a smarter user, and so on, and that's just wrong. I'll talk about that, but it's the analogy, like, again, the analogy: if we're saying, like in the cybersecurity world, if a canary dies in a coal mine the solution is a healthier canary. That is fundamentally flat out wrong. If a user fails, the user is essentially our canary in the coal mine. The user is our canary of our overall architecture, our overall security infrastructure, because if a user fails, the user has been put in a position where they can fail. The user has then been, like, what caused the user, for lack of a better term, to fail? You know, why did the canary die? And then, okay, so the user fails, what are we doing after the user fails to stop the damage from being realized? And I'll go through that in a bit.

So anyway, I don't know how many people around the world are going to recognize this guy, but if you've ever seen the show Seinfeld, this is Newman. And actually, Newman and Seinfeld really have nothing to do with this; I just needed some funny depiction for accounting. And when you stop and consider accounting, think of it this way: if you're inside a large organization, what happens if you don't fill out your time card properly? You don't fill out your time card properly, you're not going to get paid, if that's the rule of the organization. If you go on a trip and you travel, take an airplane flight, and you go ahead and your policy says in order to be reimbursed you need to have the proper receipts, so yes, if you go ahead and you don't submit receipts, you're not going to get reimbursed. And what happens in most organizations, you could, for example, buy a thousand dollar plane ticket, you can then spend two thousand dollars, or let's use euros, you can spend a thousand euros on a plane ticket, two thousand euros on a hotel, then you could spend another five hundred euros on food, and then if you don't hand in, like when I travel, if I don't hand in a five euro receipt for my Starbucks Frappuccino, I am NOT going to get reimbursed for everything. They send back the entire expense report saying you need the one receipt. Why do they do that? They frankly do this because this is the process, this is the way they enforce it. And think about it this way: me handing in the receipt is essentially, you know, their fraud protection for their whole accounting process, and what they have learned is, people, frankly, not that they distrust everyone, but they have learned that there is the potential for fraud in submitting expense reports, so therefore they have implemented the appropriate processes, the appropriate accounting procedures. And you know, it's annoying, they lay these out in advance, they tell you what you have to do, you do it, if you don't do it you don't get reimbursed. That's unfortunately the case; that's their mechanism. If a user ruins the network, on the other hand, what happens? User ruins the network, they're like, "Oh, please don't do that again." You know, frankly, I would rather have an organization reimburse me an extra five euros for my Frappuccino than suffer a three-quarters of a billion dollar incident because their network was taken down because somebody clicked on the wrong link. So anyway, consider that. That's accounting.

You know, there's also another analogy I like to use: scuba diving. I
happen to be a master scuba diver trainer, and when I train people... actually, the first time I ever heard the expression "you can't stop stupid" was when I was taking my scuba instructor instruction. The scuba diver trainer, the course director as he's known, came in and was telling us, "You know, you can't stop stupid," and I'm like, sitting there thinking, you know what, we're sitting here and our job is essentially, as scuba instructors, to stop stupid. What are we doing as instructors? I mean, I don't know how many of you in the audience are scuba certified. If you are, that's awesome; if you're not, get certified, it's awesome. But you know, before you go ahead, and if you, assuming you take an appropriate course, there are dive certification bodies. I'm an instructor in the Professional Association of Diving Instructors, PADI. There's other ones like SSI and, you know, a few others. Anyway, all these people have established standards, and before you go ahead and take dive instruction, first thing you need to do is take coursework. The coursework is essentially how not to get yourself killed, in other words, how not to do stupid things. Then you're supposed to get in the water. Before you get in the water you have to have your health form filled out, which is to stop you, obviously, from injuring yourself. That's obviously critical. Then after that they want you to do a swimming test. You know, it's a general... it's not that you actually are a good swimmer, they just want to make sure primarily you don't freak out in water after a few minutes. So, you know, you basically have to swim, I forgot, like 300 meters, 300 yards, you have to tread water for about 10 minutes or whatever it happens to be, and again, that's just to show you're comfortable and not going to kill yourself. Then finally they put you in equipment. They go ahead, lay it out, tell you how to put it together. As an instructor I'm supposed to make sure you put it together properly. Then you get in the water, in like three feet of water where you're not going to be able to drown yourself even if you wanted to. Well, I guess if you really wanted to you'd find a way, but even in three... they put you in three feet of water. Then as everybody gets comfortable they slowly bring out, give you the basic skills. Then when it comes time to be certified they give you tests, once again to make sure you know the material. Then you go in the water.

As an instructor, and this is what the video, the graphic is, you know, you're sitting there and you're supposed to go down on a platform in very calm water, and essentially, and usually the water is not supposed to be below 10 meters deep. You know, more frequently it's about five meters deep, again where it's very hard to cause harm. And as an instructor I'm supposed to go one student at a time and certify people. I have regulations that before I put people in the water I check everybody's equipment, I have to make sure that all the environment is safe, I have to know where, how to call an ambulance, I have to know where the hyperbaric chamber is, the closest one, I have to be able to call, have a first-aid kit, have oxygen. The facility we're at also has insurance, I have insurance, the dive school has insurance. It's a whole bunch of one risk mitigation after another, from putting people in the water slowly and everything. And one thing I want to point out is, obviously, if I'm the instructor here, and I don't know if my cursor is actually pointing there, but if I'm the instructor here, I'm essentially supposed to do one student at a time, and the big thing is in the back upper right hand corner. It's hard to see, but there's somebody hovering there that I'm assuming, based on the picture, is an assistant instructor or a divemaster. When I take students in the water to certify them, if I have more than two, I always want to bring somebody there in, because you always know a student might do something quote-unquote stupid despite whatever you tell them, despite the best training. There was one time, for example, I was in the process of certifying people, like, and having them demonstrate the water skills one at a time, and I looked out of the corner of my eye and there was this one guy ready to crawl under the deck, and I'm like, sitting there thinking, I told everybody never to do that, because you could actually get wedged in there if you don't know what you're doing, with your equipment getting caught. And so I started having to go over. Luckily the divemaster working with me saw this and he was able to stop him too. But people are going to do that. But again, everything is about risk mitigation from start to finish.

So another one that's critical is safety science, and I keep telling you all these practical implementations of how people in other environments stop quote-unquote stupid. Safety science is a very well-defined business discipline, and safety science, it like looks for what happens if somebody gets injured in the workplace. You know, obviously that costs people money. There's, besides the insurance rates, if somebody gets injured in a manufacturing environment it could shut down the manufacturing for an unlimited period of time, depending on what's going on. So what you're doing is, safety science has learned... there's old school safety science. Old school said,
old school safety science was about the user: why did the user do something stupid? New school safety science is, again, for lack of a better term, essentially the user is just a part of a system, and that's all the user is. That if a user injures themselves in some way, the system put them in the place to cause injury, and then somehow the system let the injury be realized, and how did the system work to mitigate the injury or stop death or damage as best as possible? Some people in safety science, they stop, they look at all enabling factors. They look at the user as just the proximity of the error, and the proximity is just the symptom. If a user is somehow able to injure themselves, that user is not the problem; that injury is the symptom of the overall problem, and that's what's most critical, and we don't look at it in the same way that other professions do.

And let's start talking about, you know, the unfortunate case of the 737 MAX jets. I don't know how many people remember that now, but we really should take a hard look at this. I mean, it's really critical to do it. So anyway, the whole thing about safety science and all that sort of stuff: when the 737 MAX jets crashed, I believe it was Lion Air and I forgot the name of the other aircraft that crashed, or the other airline, but what happened was initially everybody said, "Oh, the pilots, you know, the plane went into the ground, clearly it's pilot error." And it's like, you know, was it really pilot error? When they started doing the studies and everything, the answer... let's take a step back. Could the pilots have saved the planes? The answer is actually yes, the pilots could have saved the planes, but there were so many other issues that put the pilots in danger, because in the first place, where did this problem initiate? The problem initiated years before, in changing the planes, because the 737 MAX jets are almost, why, I should say almost identical, they are significantly the same as the other 737 jets, like the 737-100s, 300, 700, 900, whatever the case is. And you know, the airlines and everybody thought, okay, they're basically the same. However, the reality was they were different. The plane engines were moved a little bit forward, which affected the balance of the planes, which you might say, "Oh, no big deal." It actually, if you're not telling people the right things, it is a bigger deal. Then there's also, in the design of software, there are these things called angle of attack sensors, AOAs, and these are sensors on the side of planes. There are two of them. Now somewhere along the way, early in the software design phase, somebody went ahead and said, "Hey, we used to have it that if one thing said it was going down and the other thing said it was going up," you know, one angle of attack was going down, one was going up, "we used to alert the pilots that there was a problem here, that there was a disagreement, or we defaulted to the one that said," you know, one thing. Now what happened was the software was redesigned, frankly, not to let the pilots know that there was a disagreement between the plane apparently going up and the plane apparently going down. That's number one. Then there were a whole other concerns about keeping the plane stable. What happened, however, was that the pilots were never trained on the differences. The pilots were never told, "Oh, this could happen if the sensors were conflicting, that the plane would automatically steer itself down because it thought the plane was going down." And I know this might sound complicated if you're not a pilot. The way a plane goes up is you pick up speed, and the way you pick up speed is by angling the plane down. So if the plane's going down, it angled the plane harder down, or at least, if the plane thought it was going down, they angled the plane going down even faster, and that's obviously a problem. That's actually the way it should work, but unfortunately the plane was not adjusting, and the autopilot was confusing the issue. Sorry, I realize I make, you know, hopefully a very complicated issue, hopefully I'm making it less complicated, but hopefully you followed along. And what happened then was that all of a sudden the pilots were fighting the autopilot, and then at some point the pilot would turn off the autopilot and they got control of the plane. Then when they turned the autopilot back on, which nobody said not to do, the plane angled itself again and they were again fighting the planes. Why did the pilots make the error? They were not trained properly. The design of the planes happened, and yes, if the pilots reacted perfectly, yes, the pilots could have theoretically saved the plane, but it's not likely. And I'm going a lot into this because your users are essentially the pilots of the 737 MAX jets. You're putting them in positions where they... without giving them the appropriate information.

Now when you look at where does the blame actually fall, going back to safety science, what they found was that when they looked at a user error, they found 90% of the time the user error was the fault of the environment, not the users themselves. So for example, you know, what's a user environment? If somebody injures themselves, for example, could it be that there wasn't the appropriate warning? Could it be, for example, that, oh, a piece of equipment fell on them
because the environment wasn't set up properly? It could be. And I'll give you one case, where there was one time where I was working with a factory environment, setting up their awareness program. I spoke to the safety person. The safety person said, "Well, we had a lot of problems where people were being injured because forklifts were driving down the warehouse and they were either walking, people walking into them, or the forklift ran into somebody else, and what we decided to do was we went through all these different options, we just decided, let's paint a line down our warehouse factory floors," and they said, "Okay, now people are to stay to one side, forklifts stay to the other." It sounds really simple, sounds really like you would have thought they would have done this, they don't need it, but it stopped approximately 90% of all injuries. And then when you look at what were the other 10% of injuries, I'll go to the next slide, generally it was carelessness, ignorance. Somebody said, "Oh, they didn't know which side was which." Some people were on their iPhones, whether it was the driver, whether it was the person walking, you know, the driver or the person walking into the forklift or whatever. Now the other 10%, and I'm not saying people drive into somebody intentionally, but in other environments, for example computer environments, we talk about empowering the users, making the human firewall. What happens if the user actually has malice? And people forget about that. But anyway, this other 10%, I'll come back to malice, but let's face it this way: statistically three percent of the population worldwide are sociopaths or psychopaths. Three percent. That means these three percent of people will do you harm if given the opportunity. So again, remember that malice is also something we have to address, because a user might make a mistake or cause harm intentionally, and your awareness is going to do nothing. But generally, even that 10 percent, that 10 percent is where your awareness program is going to fit in and do damage. Ninety percent, your awareness is, or 90% of the problem will not be well addressed by awareness. But again, it's still only 10% of the problem.

Now the reality is awareness is only 20% of the 10%. Here's something from applied behavioral science. Anyway, antecedent, which is essentially information, information you're hoping is the awareness program, and you're supposed to essentially create awareness, and awareness will impact the behavior. Behavior, however, creates a consequence. Now, any behavior creates a consequence. The consequence could be good, bad or neutral. So for example, you tell a user, "I don't want you to reuse a password, because reusing passwords is bad," and then what happens is the user sits there, says, "Yeah, but I don't want to remember a new password. I kind of hear what you're saying, but I don't want to do it, so I'm going to not follow your advice. I'm going to reuse my password in my work account as I would for my YouTube account," as an example. So anyway, the user does this. What is the consequence for the user reusing their password? The consequence for a user reusing their business password on their personal account is actually a positive consequence. The user is being reinforced to do something bad. Why is that? Because the user has one less password to remember, and if the password is not otherwise compromised, which does happen, and the user is not held accountable for that, you know, the user has no reason to follow your advice. So again, there's the consequence, and here's the reality: when they've done studies, only 20% of a user's behavior will be impacted by the information you provide them. The consequences drive 80% of the behaviors. So no matter what you tell people, like if I tell people you have to wear a badge, they're like, "Okay, maybe I'll start wearing a badge," but if nobody else wears a badge, they're gonna say, "Hey, why am I standing out? I'm just gonna put it away. It's a nuisance to keep my badge on." And if nobody else wears a badge or tells them to, they're going to keep their badges in their pockets at best.
So anyway, awareness is only 20% of the actual solution. You have consequences, which drive the other 80%.

Now let's talk another science: counterterrorism. Counterterrorism has the working philosophy of left of boom, boom, and right of boom. Left of boom is essentially, and I'll go to the next slide because it depicts it a little bit better, so left of boom is what you do to stop boom, boom being an explosion, an attack of some sort. Boom is the attack itself. Left of boom is how do you stop the attack from being realized. Right of boom is the attack has been realized, what do you do to mitigate the potential damage? So for example, you know, boom itself, like, let's say boom is a terrorist explosion. Left of boom involves, like, intelligence people going ahead and figuring out, okay, who might potentially launch the attack, how can I follow them, how can I potentially stop them before they get close to launching the attack, and so on. Then there's another aspect of left of boom, which is like, hey, where are my likely targets and how can I harden the target? So for example, unfortunately after the September 11th attacks, airports started saying, "Okay, now we're going to go ahead, we're going to implement better security, better screening of passengers," and so on. Whether you think it works or not is a separate issue, but either way, those are the sciences. And left of boom, boom, and let's talk about this. This is either giving the users the appropriate environment and having the user... well, actually, this is like, okay, how can we stop the attack and contain the attack as best as possible? Now in a case of terrorism, what happens is they say, "Hey, what we're going to do is we're going to go ahead and we're going to reinforce the airplane cockpits," as an example. You know, in the case, like the September 11th attacks, a lot of people don't realize this, but in the year or so leading up to the September 11th attacks there was an independent thing going on inside the Pentagon, one of the 9/11 targets. Inside the Pentagon they did a whole bunch of reinforcement of the facility. They strengthened it, they put blast walls in and so on, and that stopped a whole bunch of death and damage inside the Pentagon, and that's why the Pentagon was not as visual of an attack, or representative of the September 11th attacks, as the World Trade Center, for example. But that was a good case.

Then you have the right of boom response, like, okay, an attack has happened, what do we now do? So do we first off go ahead and make sure more people don't go into harm? We have to make sure there are enough hospitals, we have to make sure first responders... We also have to put plans in place to make sure there aren't any secondary explosions going on. How do we prevent that? How do we prevent damage from secondary explosions? If people know of the Boston Marathon bombings, or remember that, one of the bigger problems was there was a secondary... two bombs, one went off before the other, and so that happens sometimes with terrorists who say, "Okay, I am going to do an attack and then wait for all the first responders to come in and then do a secondary attack," to even hamper the response to it and create more death, you know, fear, uncertainty and doubt, which is really the focus of terrorism: fear, uncertainty and doubt. So then it's like, okay, how do I do this, how do I then kind of catch the perpetrators, and so on. That's essentially the concept of boom. Now each phase of boom has protection, detection and reaction built in. Obviously, you know, even if you say, well, left of boom, that's to stop something from happening. Yes, it's to stop something from happening, but we still have to go ahead and start being proactive and saying, hey, we have bad people here, our job is to stop bad people from doing bad things, so we got to find the bad people, we have to detect their attacks and hopefully mitigate the attacks before the attacks are launched. So that's the protection, detection and reaction.

With 90%... let's come back to our industry. 90% of attacks in the cybersecurity industry tend to involve the user as the point of boom, whether it's clicking on a phishing message, whether it's opening up malware, whatever it is. When you look at every study, from the Verizon Data Breach Investigations Report to every other study that has come out, 90% of all significant attacks have targeted a user as the primary point of entry, and our goal is to establish protection, detection and reaction for each of these phases, to look at user attacks in this boom philosophy. Going on, what I want to start people to think of is user initiated loss. That's a term I'm trying to get people to absorb and understand. A user does not create a loss; a user initiates a loss. Your system has to allow the loss to be realized. Now the user might go ahead and be victim to somebody's attack, but the loss again is not a loss until the user initiates it, if we look at the user as the point of boom. So anyway, you know, as we start doing this, we have to start considering, okay, the user is in one way a canary in a coal mine, but the user is essentially just a piece of the system, a critical and pivotal piece of the system that is the focus of allowing the attacks to begin, or a focus of mitigating the attacks and so on, proactively. So again,
you want to stop the user initiated loss potential you want to stop the actual loss should it be realized and you want to mitigate the loss after the initiation of the loss as well so let's work user initiated loss from left to boom through to right a boom so in left to boom what is your goal your goal is to actually stop the user from being in a position to initiate the loss and using a phishing attack for example this is for example what all these web Conte know web content filters put out there this is what your email you know anti-malware filters anti-malware servers put out there they're all there to prevent the user from being in the
position to initiate the loss a user can never click on a phishing message of the phishing message does it get to the user again users can't click on Seth unless you give the user stuff to click on so again you got to stop these attacks from reaching the users and I'm also going to say simultaneously we should be creating a culture and what I mean by culture are the consequences again antecedents create behaviors behaviors create consequences consequences go back and reinforce or harm behaviors now what I mean by this is for example you know if users take equipment out you should have a culture that has people lock up their equipment proactively you know you
should have an environment a culture that stops users from theoretically talking about work outside of work you know and then also look at users potentially as aiding detection like users can start to see vulnerabilities and if the users can be aware and start seeing things in progress like for example stop a tailgater from coming in the building you know I think there's a quote Marcus I first heard from Marcus Ranum again you don't care that and this was regarding getting into a hacker getting into a computer system he's like you don't care that a hacker gets into your system you care what they do once they're in the system and that's a critical point but if you can stop the
hacker from gain in the system or you can stop a social engineer from getting in your buildings for example like tailgaters that stops the attack so you don't have to worry about what they're doing once they're in in the first place and mitigate this throughout now here's another piece of the issue and and most importantly governance and this is the part that a lot of people for when awareness and everybody else just don't get right before an inch look at an entire process from start to finish and say how should that process be laid out you know I mentioned accounting before accounting basically goes ahead and says ok here's what we need to spend money here's how we need
to spend money, here's how we're laying out the process. If money is to be spent, here's the authentication that has to be there, here are the forms that have to be filled out, here is all the equipment and everything. All of these things have to be clearly defined. So what you should be doing is looking at processes in a left-of-boom philosophy, from start to finish, and saying: how should this process be performed?

So, looking at it, I'm going to use the example of phishing (I can't remember if it's later in my slides). Using the example of phishing, I'm going to say: I realize phishing is a problem. I'm first going to use DMARC; I'm going to subscribe, for example, to the Anti-Phishing Working Group blacklist and so on, and start banning and filtering out harmful messages as best I can. That's number one. Number two, I'm going to have my email servers filter out bad, potentially phishing messages, filter out malware and so on, and I'm going to set that up. Then I'm going to have the user come in, and governance says, OK, now what is my user environment going to be like, my user experience? Because user experience is as important, if not more important, than awareness itself, because you want to lead people into the right decision-making. So you're going to have a good user experience that says, for example, this message is from outside the organization. You're then going to give the user potential warnings, and so on. But then I'm going to realize that a user might still click on that message. What am I going to do from a governance perspective? I might not give my users admin privileges on their system. If I'm not giving them admin privileges on the system, they can't download a bunch of malware in general that would cause harm. Then I'm going to have a web content filter that's going to stop them from going to malicious websites and giving away their passwords, and so on. And I'm going to look at this whole thing from a governance perspective, from start to finish. But people aren't doing it that way. They're like, oh well, we have this user, get them not to click on stuff. That doesn't work. Look at it from the start.

Now, boom. Boom is where a user is given the opportunity to initiate a loss. Then the question is, do they do it? Do they detect it, do they prevent it? More importantly, do they sound the alarm? And remember, this boom can be from accidents, it could be from carelessness, it could be malicious, it could be because the computer was running slow and the cursor was in the wrong part of the screen and had a lag, and the user clicked. They thought they were in the right place but the system was in a different place. That has happened before as well. But either way, a good user can cause damage, a bad user can cause damage, even a stupid user can cause damage. And yes, despite the fact I'm saying most of the problem is from the professionals, the reality is there are some really stupid users out there; let's not discount that. But anyway, boom is where a user can do this. Now the question is
have you laid out user actions, like what should a user do at any given point in time? So for example, a common phishing attack is accounts payable fraud, where some attacker comes and says, hey, I am so-and-so from this company, you pay me money every month, I need you to change the bank account so that from now on all my payments go to my new bank account. Now, that could be a legitimate business request, but it could also be, and more frequently is, a fraud. Now the question is, have you laid out to the user specifically what they are supposed to do?

The problem with most organizations (and I realize Elmer Fudd is back in the news because they're taking away his gun, but anyway) is this. Elmer Fudd is the Bugs Bunny character, and he was always looking for the wascally wabbit, and he only recognized Bugs Bunny dressed as Bugs Bunny. If Bugs Bunny put on a costume or a disguise, he could not recognize Bugs Bunny. The problem is that most awareness programs are essentially saying: there are bad people out there that use tricks, look out for bad people doing tricks. The thing is, you're always creating Elmer Fudds. You're getting people asking, is that the hacker, is that the wascally wabbit, as Elmer Fudd would say, is that the wascally wabbit trying to trick me? You don't want people determining whether it's the wascally wabbit; you want people following the one right way to do it right. If somebody comes in and says, I need you, for example, to change accounts payable information, you should have a process where the person says, hey, maybe it is the right person, maybe it's not, but my process is: I have to verify who the appropriate person to request this is, I then have to confirm it with X, Y and Z, I then have to do a separate confirmation, send out an actual physical letter, call the person up, or whatever the case is. There should be policy specific to how people do it right, not getting people to be afraid of what can go wrong. It sounds like a very fine line, but it's the line.

Now we move on to right of boom. In this case, for whatever reason, a loss has been initiated, either through accident, malice, ignorance, whatever the case is. Now your environment should expect this. Maybe they don't expect the attack, but your environment, your technical architecture, should expect that a user might potentially cause harm in one way or another. What can you do to protect the environment? What are the expected harmful actions a user can take, and how do you stop and mitigate that? What can user-initiated loss look like, and what protections have you put in place? And a
lot of people aren't doing that. So for example, let's say a person falls for the trick of the accounts payable fraud and changes this. What are you doing to verify that changes have been made? Does your system account for that happening? So for example, a user clicks on a phishing message. We expect that; all your systems out there are saying, OK, we have web content filters that stop the attack, that pick up the click, we have malware detection that stops the malware from being loaded, or detects it after it is loaded and isolates the system, and so on. That's right of boom. A bit more important: do you go back and analyze an incident? Why did the incident occur? What caused the incident? Could we have stopped the incident from being initiated in the first place? Could we have filtered out the incident before it got to the point of a user initiating the loss? But what you can't do is go back and say, oh, it's the user's fault. You might say, how did the user get in the position, why did the user do it, but the user itself was not the cause. The system as a whole caused the loss, not the user individually.

Now, the thing is, this sounds different, but safety science does this all the time. Accounting does this. Your brethren in accounting inside your organization are there every time there's an accounting error; they look at why this accounting error happened. Operations does this. If there's a loss in operations, if a factory goes down, if something slows down, if deliveries go down, depending on what your organization is, if engineering or computers go down, if computer operations go down: why did the operations go down, how could we prevent it? The medical profession is infamous for this. If a patient dies in a hospital, hospitals around the world generally have weekly gatherings or monthly gatherings, whatever it is, where the doctor has to defend what happened with this patient, what could have been done differently, from both the doctor's perspective as well as the system's perspective. Because again, from the doctor's perspective, you look at, well, gee, did this act cause the death, but really the doctor didn't make that one decision isolated from all other decisions. There were a lot of other pieces of information that got to the doctor. If, for example, they ask whether, if the doctor had had another piece of information, they could have done something different, and so on. So you've got to think of yourself: if a user caused a loss, and the loss was either realized or not realized, perhaps, what could we have done differently? And that's cool; you learn much more this way.

So anyway, consider this, and again the concept is, if 90% of incidents result from some form of user-initiated loss, shouldn't the strategy be used for all your losses as well? Thinking, OK, well, where are my losses coming from? It's like, the other 10%: this is where my boom was from a technology perspective, how did this happen from a technology perspective, as well. So anyway, we'll leave that there and just consider that; that's another presentation.

Now, I realize this is a very U.S.-centric example, but I've already beaten to death the accounting and accounts payable example. There's a big piece of fraud in the U.S. which is known as W-2 fraud, which is around tax season. What happens is, every year at the end of the year, you
companies have to send their employees what's known as W-2 forms, which the employees use for filing taxes. That's critical for obviously a lot of things, and it's the same thing in a lot of other countries where people pay their taxes annually and they get their annual salary information, what taxes were collected, and so on. Now, what happens in this case, in U.S. W-2 fraud, is a bad person, a criminal, usually sends a message to HR, like some low-level HR account representative they found randomly on LinkedIn or something similar, and what they do is they send a message that says, to the effect: I'm the CEO of the company, I'm traveling so I can't do this myself, but I need you to send out an update, I need you to send out the latest W-2 information, the tax information, to our new accounting firm, here's the information, please send it out, or send it to me so I can send it to them. Now, they expect a well-meaning employee to go ahead and do this. Now you would say, who would fall for this? This happens in the U.S. about 2,000 times a year, at least that we know about, if not more frequently; again, this is just what we know about and gets reported. But anyway, 2,000 times a year in the U.S. this email message gets to an HR rep.

So what should happen in the first place? Mail filtering should stop this message from getting to the HR rep in the first place. Also, they could tag the email as coming from outside the company, and if you tagged it, at least that's a red flag for the user. Their user experience at least says, hey, wait a second, there's something suspect. Now, at the point of boom though, what is the process for releasing this information to begin with? I don't look at this as tax information, like, oh, this is tax, it's special. I would look at this as PII, personally identifiable information, that should therefore be treated sensitively. And if I'm an HR person, the HR person should be sitting there saying, what is the process for sending out PII to a different person, whether it's the CEO or not? And that process might involve: hey, a low-level HR analyst is not supposed to send it out. It might only be sent out through the head of Human Resources, and that head of Human Resources has to get the approval of the general counsel, for example, to send information outside the company. So that should be a process. And now, theoretically, can the head of Human Resources be social engineered, can a general counsel be social engineered? The answer is possibly, but at least you're not relying upon a low-level analyst to deal with a sociopath, a highly skilled criminal, which is what you're doing.

But anyway, at the point of boom the HR person should receive the training to know what to do, and they should be reinforced. And then let's assume, for example, that the HR analyst says, I know what I'm supposed to do, but I want to get promoted, so I'm going to send out this information. Or let's even assume they trick the head of HR and the general counsel. There should be warnings about attaching sensitive information to an email and sending it outside the company, and even if people don't listen to that, there should be data leak prevention software that stops the information from actually leaving the company. So that's a way of putting together the entire process to mitigate this. It's not just the fault of the user for sending out the information and clicking on it.

But again, consider the overlap. I gave you the example of tax information at the end of the year. This could be for all PII. This could be for all CEO fraud. Data leak prevention stops a variety of attacks. Filtering incoming email obviously stops multitudes of attacks. Tagging of email as external stops a variety of attacks and gives people different warnings and triggers, and again, warning of attachments the same way. By stopping that problem you could stop a wide variety of other problems, and thinking about it, think about all the overlap. Again, if we're stopping 90% of the problem, the overlap, and adding the countermeasures that I mentioned, should go a long way in stopping the other 10% of it. Well, basically I just beat that to death, but anyway, if you can mitigate 90% of it with robust countermeasures, perhaps the last 10% might also be stopped there.

Now here's the thing. A lot of people still say, alright, you just said awareness is just a little piece of the puzzle, so maybe we just give up awareness. No. Awareness is still critical, because what you need to do is
still do it. The user can still stop so much damage. Users have been able to detect a variety of attacks and so on. But the other part is, every countermeasure is about returning more than it costs, and people generally spend so little on their awareness program that if they've got one incident, that one incident more than pays for whatever they spent on the awareness. So again, awareness is still mandatory. It's about risk management, and it's still one critical step in the whole process that needs to be addressed. You can't have that crap about the human firewall, but at least you have that about the user as a place of risk reduction.

So again, this comes down to: are you throwing around random tactics, or are you using a strategy? The random tactics I'm referring to are: well, we're going to put some anti-malware up, we're going to give some awareness training, we're going to maybe put data leak prevention in place, and so on. But people are looking at that as just random acquisitions of technology, or random acquisitions of tools, or awareness. You're throwing tactics. You need to have a comprehensive strategy for mitigating user-initiated loss, because if you don't have that, essentially what you're doing is creating your canary in the coal mine, but you're saying, you know what, we need healthier canaries, healthier canaries who aren't going to die from gas.

Now let me be specific. You do need reasonably healthy canaries. You need to make sure that your canary doesn't just die of old age, your canary doesn't die of a heart attack or whatever else. So you need healthy canaries, but basic canaries that are reasonably healthy, that can be expected not to die randomly, because you don't want a coal mine deserted because a random canary just dropped dead. However, just making healthier canaries doesn't solve the overall problem that you need to solve.

So anyway, the highlight now. OK, obviously buy my current book that's available, Advanced Persistent Security. It's awesome. I do need your input though. My next book, not available for sale just yet, is called You Can Stop Stupid, obviously based on this title, and if you want to drop me an email, go ahead and let me know which book cover you prefer, the one on the left or the one on the right, the stop sign or the one that is interesting, because obviously I want a good book with a good cover. But if you need to get a hold of me, here's my information, and I look forward to getting your questions. Again, thank you for listening, hopefully you're still listening now, and feel free to reach out at any time. Thanks, and thanks again to the people from BSides Athens, and I look forward to hopefully seeing you in person next year.
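The layered mail-gateway controls the talk describes for the phishing, accounts payable and W-2 examples (DMARC and blocklist filtering and external tagging left of boom, data leak prevention right of boom), as an added example that is not part of the talk. Everything in it is constructed: the domain example.com, the blocklist entry standing in for an Anti-Phishing Working Group style feed, the sample messages, and the simplifying assumption that the receiving MTA has already stamped its DMARC verdict into the Authentication-Results header, which is how most gateways consume it.

```python
"""Toy mail-gateway policy layering the controls discussed in the talk.
Constructed example: the domain, blocklist and messages are invented."""
import re
from email import message_from_string, policy
from email.message import EmailMessage

OUR_DOMAIN = "example.com"                   # assumed internal domain
BLOCKLIST = {"payroll-update-example.net"}   # stands in for an APWG-style feed

# DMARC verdict stamped into Authentication-Results by the receiving MTA.
DMARC_RE = re.compile(r"\bdmarc=(pass|fail|none)\b", re.IGNORECASE)
# US SSN with separators: the kind of PII a W-2 export carries.
SSN_RE = re.compile(r"\b\d{3}[- ]\d{2}[- ]\d{4}\b")


def parse(raw: str):
    return message_from_string(raw, policy=policy.default)


def sender_domain(msg) -> str:
    frm = msg["From"]
    return frm.addresses[0].domain.lower() if frm and frm.addresses else ""


def recipients(msg):
    to = msg["To"]
    return [a.addr_spec.lower() for a in to.addresses] if to else []


def dmarc_result(msg) -> str:
    m = DMARC_RE.search(str(msg.get("Authentication-Results", "")))
    return m.group(1).lower() if m else "none"


def inbound_policy(raw: str):
    """Left of boom: reject what can be rejected, tag what gets through."""
    msg = parse(raw)
    dom = sender_domain(msg)
    if dom in BLOCKLIST:
        return "reject", f"sender domain {dom} is blocklisted"
    if dmarc_result(msg) == "fail":
        return "reject", f"DMARC failed for {dom or 'unknown sender'}"
    if dom != OUR_DOMAIN:
        # Tag the subject and add a header the mail client can render as a banner.
        subject = str(msg.get("Subject", ""))
        del msg["Subject"]
        msg["Subject"] = "[EXTERNAL] " + subject
        msg["X-External-Warning"] = "This message came from outside the organization"
    return "deliver", msg


def text_parts(msg):
    """Yield the decoded text of the body and of every text attachment."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            yield part.get_content()


def outbound_policy(raw: str):
    """Right of boom: DLP stops PII leaving even after a user has been tricked."""
    msg = parse(raw)
    external = [r for r in recipients(msg) if not r.endswith("@" + OUR_DOMAIN)]
    if not external:
        return "deliver", "internal recipients only"
    for text in text_parts(msg):
        if SSN_RE.search(text):
            return "block", f"SSN found in mail to external recipient(s) {external}"
    return "deliver", "no PII detected"


def build(frm, to, subject, body, auth_results=None, attachment=None) -> str:
    """Construct a raw RFC 5322 message for the examples below."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = frm, to, subject
    if auth_results:
        m["Authentication-Results"] = auth_results
    m.set_content(body)
    if attachment:
        m.add_attachment(attachment, filename="w2-export.txt")
    return m.as_string()


def run_examples() -> dict:
    """Constructed messages; returns the gateway verdict for each."""
    spoofed_ceo = build("Pat CEO <ceo@example.com>", "hr-analyst@example.com",
                        "Urgent W-2 request", "I'm traveling, send me the W-2 file.",
                        auth_results="mx.example.com; dmarc=fail header.from=example.com")
    blocklisted = build("it@payroll-update-example.net", "hr-analyst@example.com",
                        "Update your payroll login", "Click here.",
                        auth_results="mx.example.com; dmarc=pass header.from=payroll-update-example.net")
    vendor = build("billing@vendor-example.org", "ap@example.com",
                   "Invoice 4471", "Please find the invoice attached.",
                   auth_results="mx.example.com; dmarc=pass header.from=vendor-example.org")
    leak = build("hr-analyst@example.com", "newfirm@accountants-example.com",
                 "W-2 export", "As requested.", attachment="Jane Roe, 123-45-6789\n")
    internal = build("hr-analyst@example.com", "hr-head@example.com",
                     "W-2 export", "For review.", attachment="Jane Roe, 123-45-6789\n")
    return {
        "spoofed_ceo": inbound_policy(spoofed_ceo)[0],
        "blocklisted": inbound_policy(blocklisted)[0],
        "vendor": inbound_policy(vendor)[0],
        "vendor_subject": str(inbound_policy(vendor)[1]["Subject"]),
        "leak": outbound_policy(leak)[0],
        "internal": outbound_policy(internal)[0],
    }


if __name__ == "__main__":
    for name, verdict in run_examples().items():
        print(f"{name}: {verdict}")
```

The ordering mirrors the talk: the spoofed CEO message never reaches the analyst because it fails DMARC, the blocklisted sender is dropped before any user sees it, a legitimate outside vendor still gets through but carries the external tag, and the W-2 export with an SSN is blocked only when it is bound for an address outside the organization, so the same file sent to the head of HR for the approval step is not affected.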