a blog about my interests

secure360 conference

I’ve finished the mid-May 2-day secure360 conference here in St. Paul. It was generally quite good even though it was very corporate-focused. Security is security no matter what you’re protecting. But first off, I got my lanyard! That’s a Marvel’s Agents of S.H.I.E.L.D. reference for those not familiar.

The best session was the first one I attended – Users: your first line of defense (click for Slideshare) which had many immediately useful tips. Taking cues from social psychology, Ari Elias-Bachrach focused on methods for influencing people in order to make training effective. Some tips included:

  • Use positive advice: rather than telling someone “don’t run in the house,” say “we walk in the house.” Frame things not as “don’t do” but instead as “how to do” the right thing, and be sure to tell people what they should be doing. So instead of “don’t use weak passwords,” frame it as “you should use strong passwords, and here’s how to do that.”
  • Use real images in your presentations, not the usual clip art. Take the usual stock photo of a masked man at a computer: users are never going to encounter a man in a ski mask on a laptop. Instead use a picture of a real phishing email.
  • Use language appropriate to the audience and not technical security terms. He mentioned using the general term virus rather than the technically accurate term malware. This spawned a good discussion. The idea being, use a term that is commonly known. Malware was agreed to be fairly well known, but virus was more widely known. I am torn between being accurate vs. understandable in this case.
  • Try making trainings about home or personal computing; all the concepts apply to the office as well. For example, hold an optional brownbag about how to protect your kids on the internet or how to protect your computer at home from hacking. People will come to those, and then all the concepts apply equally at work.

Now, on to the social psychology tips. Some of those included:

  • commitment: people tend to stick with a position when they say it out loud. This works especially well in groups, which makes the commitment stick even more. So instead of stating “the security of our data is important,” use the question “do you think the security of our data is important?” directed at someone in the group. And then ask “why do you think that?”
  • social proof: people do what everyone else seems to be doing. They tend to follow the crowd. So be careful with how you state statistics. If you state negative statistics like “35% of our users have weak passwords,” people will think it’s ok since that many people do it. Instead flip it and say something like “98% of our users ignored phishing emails,” which makes people think that they don’t want to be part of that other 2%!

Such a great session.  There’s even more good information in the slides.

Later in the day I saw a session by the FBI on the National Cyber Investigative Joint Task Force (NCIJTF). The task force is made up of members from many federal agencies. The complexity of the organizations involved was daunting. The FBI is charged with outreach on cyber security. The agents that presented were great speakers – very funny. They shared a website on DDoS attacks called Digital Attack Map which visually shows attacks going on each day. A tool the government is launching this summer is Malware Investigator. The site aspires to be a national malware repository, providing you with analysis of code you submit. It will even run the code on various operating systems and report on what the code did.

The second day opened with a keynote by Theresa Payton who was White House CIO in the mid 2000s and the first woman to hold that position.  She was a great speaker — answering many questions from the audience and really engaging people.  She had a great story about how they got people to review required information.

They had an orientation program for the Blackberries where people were guided through a giant binder of rules and regulations. They were finding that people were waiting long periods of time to report devices stolen. They discovered the language in the policy instilled the fear of God so strongly that people were afraid to notify IT — of course, after too long it’s not likely that you will recover a device (or be able to wipe it), but if you are able to act fast, maybe you can. Anyway, they adjusted the policy wording, but the culture really dreaded the Blackberry orientations. Her team came up with the idea of a Blackberry happy meal. When someone got a Blackberry they got a bunch of candy, a card with info about what to do if you lost it, and the big binder of rules. The focus of the Blackberry meeting was instead to highlight the top things to be aware of and hand out the candy; people were asked to review the binder later. They piloted it in one division and it was a huge success. Soon other divisions were jealous of the Blackberry happy meals, and the Blackberry orientation was desired and not dreaded.

She also highlighted some realities:

  • It’s not just about preventing a breach anymore; a breach is inevitable. It’s important to know how you will respond and to practice (simulate) a breach.
  • It will always be cheaper to hack than to protect.
  • It takes an average of 229 days to detect a breach.
  • Kits for creating mobile hacks are getting cheaper and cheaper.  Get ready.
  • The “internet of things” is going to be trouble as those devices are not secure.  The first internet-connected fridge was made into part of a botnet soon after it was available.

She also mentioned the tool shodanhq.com that can help scan for poorly configured devices on the internet. Very interesting, but also scary, as anyone can use the tool.

I then attended “Stuff My Industry Says” by Kellman Meghu (that is the PG version of the title, or is that G these days?). He apparently had a very popular Star Wars-themed presentation last year. I wish I could have seen that. Anyway, he had various stories interspersed with his views on where security is going. One story was about Netflix and their chaos monkey. To better test how resilient their network was, they created a “chaos monkey” application that randomly shut down services or servers. If they can engineer a network to survive the chaos monkey, it should survive most things that can go wrong.
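To make the chaos monkey idea concrete, here is a small simulation I added for this post (it is not Netflix’s Chaos Monkey, which terminates real cloud instances, and not code from the talk). It models a pool of replicas behind a health-checking load balancer, lets a “monkey” kill a random healthy replica at random ticks, and measures what fraction of requests still get served. The `Cluster`, `chaos_monkey` and `run_experiment` names, the tick-based restart model and the numbers are all my assumptions; the point is that the same random-failure harness exposes a single-instance design as fragile while a redundant one rides it out.

```python
import random
from dataclasses import dataclass, field


@dataclass
class Cluster:
    """Toy pool of identical replicas behind a health-checking load balancer.

    A replica that has been killed stays out of rotation for `restart_ticks`
    ticks and then comes back on its own (an orchestrator restarting it).
    """
    replicas: int
    restart_ticks: int
    down: dict = field(default_factory=dict)  # replica id -> ticks until restart

    def healthy(self):
        """Replica ids the load balancer would currently route to."""
        return [rid for rid in range(self.replicas) if rid not in self.down]

    def kill(self, rid):
        """Take a replica out of service, as the monkey (or a real outage) would."""
        self.down[rid] = self.restart_ticks

    def tick(self):
        """Advance time one step: count down restarts and bring replicas back."""
        for rid in list(self.down):
            self.down[rid] -= 1
            if self.down[rid] <= 0:
                del self.down[rid]


def chaos_monkey(cluster, rng, kill_probability):
    """On each tick, with probability `kill_probability`, terminate one random
    healthy replica. Only healthy replicas are targeted, matching a monkey
    that picks from the set of running instances."""
    if rng.random() < kill_probability:
        victims = cluster.healthy()
        if victims:
            cluster.kill(rng.choice(victims))


def run_experiment(replicas, restart_ticks, ticks=1000, kill_probability=0.3, seed=42):
    """Run the monkey against a cluster for `ticks` ticks and return the
    fraction of ticks on which at least one replica was available to serve.

    The seed is fixed (assumption) so that a run is reproducible, which is
    what you want when a resilience test is part of a CI pipeline.
    """
    rng = random.Random(seed)
    cluster = Cluster(replicas, restart_ticks)
    served = 0
    for _ in range(ticks):
        chaos_monkey(cluster, rng, kill_probability)
        # The load balancer only needs one healthy backend to serve a request.
        if cluster.healthy():
            served += 1
        cluster.tick()
    return served / ticks


if __name__ == "__main__":
    # Constructed scenarios: one replica vs. five, each taking 5 ticks to restart.
    for n in (1, 2, 5):
        print(f"{n} replica(s): availability {run_experiment(n, 5):.3f}")
```

With a single replica the service is down for the whole restart window after every kill, so availability collapses; with five replicas the monkey would have to land kills on five consecutive ticks before a request goes unserved. The useful habit the simulation reinforces is the one from the talk: decide up front what “survived” means (here, a minimum availability), then run the failure injection routinely rather than only after an incident.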

He also spent some time on software-defined networking, which further abstracts the network layer through the OpenFlow standard. The network is aware of the applications running on it. Applications request access, a flow is created taking into account the policies managing the network (bandwidth, security, etc.), and traffic flows. He really sees this as where things are going — merging your policies and networking.

I attended another security awareness session — clearly this is on my mind. It was a panel presentation moderated by Christophe Veltsos (aka DrInfoSec, who worked on our Information Security Assessment). The panel had an interesting array of folks, from people creating security awareness training to one whose company is hired to test virtual and physical safeguards. Some of my takeaways were:

  • Add the Verizon Data Breach Report to the sources for my annual information security report.
  • Consider gamification with points, levels, badges and prizes.
  • Figure out what metrics to use to assess the program.

All in all, it was a good two days. I was impressed with the gender diversity of the crowd – 40% women, maybe. Especially because some of my Educause colleagues tweeted about the Educause security conference really lacking women attendees. I came away with several concrete ideas to evolve our security awareness training and learned a few new things as well.
