BruCON 0x09 Building Security Awareness Programs That Don't Suck

sapran 51 views 28 slides Oct 05, 2017

About This Presentation

My slides from BruCON 0x09.


Slide Content

How to Build Efficient Security Awareness Programs That Don’t Suck. Vlad Styran, CISSP, CISA, OSCP. Berezha Security.

password123

7eh_vveakest_l1nque!1

Social Engineering: hi-tech & lo-tech human hacking. Influence principles: reciprocity, commitment, social proof, authority, liking, scarcity.

Anti-Social Engineering

“Social engineering is cheating.” – A CISO I once met.

What next?

Raise Awareness

Stop trying to fix human behavior with tech only

Give people responsibility (back)

Security isn’t always a business problem, but it’s always a human problem

The Tools: Fear, Incentives, Habits

Fear: the key to humanity’s survival. Teaches us to deal with threats. “Dumps” precursors of dangerous events.

Moar Fear: we need to be told what to be afraid of. An overdose leads to phobias and disorders. A reasonable amount helps us learn. Memory needs refreshing.

Social Incentives. Competition: getting ahead of others. Belonging: getting along with others.

Habits: Trigger, Routine, Reward, Repeat

Attack methods: phishing, impersonation, elicitation, phone pretexting, software exploits, baiting…
Influence principles: scarcity, reciprocity, social proof, authority, liking…
Security context: anything of personal or business value – privacy, access, trust, confidential data…

You receive an email with an urgent request to provide confidential data.
The pizza delivery guy is staring at you while holding a huge pile of pizza boxes at your office door.
An "old schoolmate" you just met in the street is asking you about the specifics of your current job.
You receive a call from a person who introduces themselves as the CEO’s executive assistant and asks you to confirm the receipt of their previous email and open its attachment.
An attractive, likable human is asking you to take part in an interview and is going to compensate you with a shiny new USB drive (in the hope that you insert it into your work PC later).

Type of attack + Influence principle ⊂ Security context =

CASE STUDIES

Humans are the weakest link by default. We can be taught security; we’re wired for that. Drive security with fear, social incentives, and habits, not money. Knowing attack types, influence principles, and security valuables is essential.

“How to stay safe online” guide: Text https://github.com/sapran/dontclickshit/blob/master/README_EN.md Mind map http://www.xmind.net/m/raQ4 Contacts: https://keybase.io/sapran