[cs615asa] [[HW #N]] Human Layer Security Summit Summary

Charles Magyar IV cmagyar at stevens.edu
Wed Mar 10 23:15:52 EST 2021


Hey everyone,

I attended the Human Layer Security Summit presented by Tessian last Wednesday.  They've provided recordings of the sessions here:
https://www.tessian.com/blog/key-learnings-march-human-layer-security-summit/


My perhaps long-winded report and thoughts about each presentation are both attached and pasted below.


TL;DR
1) Don't assume all your defenses are thwarting every attack.

2) Know who is most at risk in your organization to be targeted
by an attack.

3) Treat the humans in the company as powerful assets who
make mistakes.  The human element is key to success.

4) Align security to your business's values.



### Why This Event? ###

A couple weeks ago, the almighty YouTube algorithm suggested a video
of someone going through a Capture the Flag (CtF) hacking challenge.
Curious, particularly because there's a CtF project in this class, I
clicked, watched and got hooked.  Naturally, this led me to following
the person (John Hammond), and then the Twitter algorithm got involved.

HackerOne had a tweet about the Human Layer Security Summit, and some
other stuff (no cats though).  Seeing that HackerOne was followed by
both John Hammond and Jan Schaumann, I went down the rabbit hole.

The Human Layer Security event was, in no small part, an advertisement
for Tessian's Security solutions.  However, there were some interesting
ideas and people presenting which I think made it worth the few hours.

The "Human Layer" that all the presentations either focused on or alluded
to is the layer of security that is the best and worst part - the people.
It's the best part because humans can naturally do so many things that
are complicated to code, and they are the worst because they can make
mistakes and be malicious.  To the latter point, it was described that
most security problems aren't from evil insiders, but rather people just
making mistakes.



### Presentation: "How to Hack a Human" ###

Mistakes like clicking on "Hey I'm African king. Sned me bank info,"
are largely not the issue anymore.  Society has grown to recognize the
absurd phishing attempts.  Evil-doers have also grown.  One of my favorite
speakers was Jenny Radcliffe.  She described how targeted phishing attempts
can be much more successful than these blanket nonsense e-mails.

A targeted phishing attempt would be an e-mail curated to most effectively
trick the end user.  There's a lot of information on social media that we
give out for free.  One conceptual example started with noticing, via Twitter,
that an executive was attending some conference.  Then, an e-mail to the
executive during that time could result in an "Out of Office, please send
requests to XYZ" reply.

Now you know the executive is gone, and who is handling requests.  Even
better, if you can get e-mails between the executive and this other person,
you can see what their relationship is like.  How do they talk to each other?
Do they share links?  All this is used to impersonate and get the target to
let down their guard.

It's just wild to me that this is this person's job.  It sounds both super
fun and particularly annoying.

Some big takeaway quotes that resonated with me are:

"If a person protects themselves, they protect the company" (Summary)
This is particularly useful for training.  If you can explain
how being defensive on the internet is useful to the individual,
that in turn aids the company.

"Know your people well, or someone like me will" - Jenny Radcliffe.
One of the best ways to defend against attacks on the "human layer"
is to know your staff.  Know if they're stressed out.  Know how they communicate,
and let them know you as well.  If they're stressed out, they're more likely
to make mistakes (such as sending e-mails to the wrong addresses, or opening
suspicious files).  If you and they have a relationship, it would be easier
for them to "sus out" an imposter posing under your guise.

The biggest elements in a targeted phishing attempt will always be the same:
1) Rush the target ("I need this now!")
2) Mention money (It's important, and the goal)
3) Ask to break the rules (of course)
4) Be emotional (Get them to drop their guard)
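As an added illustration of the four elements listed above (this is my own example, not something shown at the summit or part of any Tessian product), here is a small defender-side triage script that scores a message on how many of the four tactics it exhibits, so that mail hitting several at once can be routed to a human for a second look.  The cue phrases, the sample messages and the "two or more tactics" threshold are all constructed assumptions for illustration, not a vetted detection model.

```python
"""Heuristic triage of e-mail text for the four pressure tactics:
rush the target, mention money, ask to break the rules, be emotional.

Added example; the cue lists, threshold and sample messages are
constructed assumptions, not a vetted model or a vendor's product.
"""
import re
from dataclasses import dataclass, field

# Constructed cue phrases, one list per tactic.  A real deployment would
# tune these against the organisation's own mail, not reuse them as-is.
CUES = {
    "rush": [
        r"\bright now\b", r"\basap\b", r"\bimmediately\b",
        r"\bwithin the hour\b", r"\burgent\b",
    ],
    "money": [
        r"\bwire\b", r"\bpayment\b", r"\binvoice\b",
        r"\bbank (?:details|info)\b", r"\bgift cards?\b", r"\$\d",
    ],
    "break_rules": [
        r"\bskip (?:the )?(?:approval|process)\b", r"\bdon'?t (?:tell|cc|involve)\b",
        r"\bjust this once\b", r"\bbypass\b", r"\bkeep this between us\b",
    ],
    "emotion": [
        r"\bi'?m counting on you\b", r"\bdisappoint", r"\bin trouble\b",
        r"\bfamily emergency\b", r"\bplease help\b", r"\bembarrass",
    ],
}


@dataclass
class TriageResult:
    tactics_hit: list = field(default_factory=list)
    score: int = 0

    @property
    def flagged(self) -> bool:
        # Assumption: two or more tactics in one message warrants review.
        return self.score >= 2


def triage(body: str) -> TriageResult:
    """Return which tactics a message matches and how many (case-insensitive)."""
    text = body.lower()
    hits = [
        name for name, patterns in CUES.items()
        if any(re.search(p, text) for p in patterns)
    ]
    return TriageResult(tactics_hit=hits, score=len(hits))


# Constructed sample messages: one classic "urgent wire from the boss",
# one ordinary work e-mail, and one out-of-office auto-reply.
SAMPLES = {
    "ceo_wire": (
        "Hi, I'm in a meeting and can't talk. I need you to wire $48,000 to "
        "the vendor right now. Skip the approval, I'll sort it later. "
        "I'm counting on you."
    ),
    "normal": (
        "Attached is the agenda for Thursday's review. Let me know if you "
        "want anything added."
    ),
    "ooo": (
        "Out of Office: I'm at a conference this week, please send requests "
        "to my assistant."
    ),
}


def triage_samples() -> dict:
    """Run triage over every constructed sample and return the results by name."""
    return {name: triage(body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in triage_samples().items():
        print(f"{name}: score={result.score} "
              f"tactics={result.tactics_hit} flagged={result.flagged}")
```

Run it as-is to see the three samples scored; only the "urgent wire" message trips all four tactics and gets flagged, while the genuine out-of-office reply (the very thing the attacker in the example above was fishing for) scores zero, which is the point: the tactics list is about the pressure put on the recipient, not about any one keyword.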



### Presentation: Fixing the Gap in Phishing Security with Machine Learning ###

This presentation was one of the more Tessian-sales-oriented ones, although
you could apply it to "convincing the company to pay for some kind of
security."  This applies to the supply chain and to your own company.

One important detail is that your suppliers' weakest link is
also your weakest link.  If you don't co-operate on a business level to build
up your supply chain's security, and their data gets leaked, the news is
going to devour whichever affected party has the biggest name.

To convince administration, it was noted to always back up the request
to invest in security with data.  Quantify risk - what's the % chance,
how much reputational damage is caused, how expensive would a legal battle
be?  Quantifying something like reputation is difficult, and any specific
way of doing that was mostly glossed over, which is unfortunate, but
really it's mostly guessing anyhow.

I liked the idea of convincing the higher positions of the company that
security is worth investing in by holding a "live-table" event.  Basically,
emulate a possible situation and find out "what would we do?"  It reminds
me of the student gatherings in high school where the teachers and staff
pretend one student died in a drunk driving accident, in order to freak
out the kids to never drink and drive.  I'm not sure if the results
are there, but I can imagine pretending a data-breach happened would be
the only way to get to some CEOs...



### Presentation: Product Launch for Tessian ###

This presentation was explicitly about Tessian's product.  In particular,
how their client handles e-mails for users to help security.  Rather
than fake phishing and playing "gotcha!" with the staff (and making them
hate you), the tool gives something akin to "Hey, are you sure you want to
send a document to this outside-the-company e-mail address?"  It turns out,
this is the best way to catch the human mistakes a busy person can
accidentally fall into.

For those that ignore these warnings and regularly participate in poor behavior,
the software gives its users ranks.  The higher the rank, the higher risk
the user is.  A user who exhibits a behavior of clicking on every link will
probably have a bad score, especially if they're in a department with access
to sensitive information.

Their pitch about this score is to do it department by department, and turn
it into a game.  For example, the department with the lowest average risk score
at the end of the month "wins."  (Whatever "winning" may be).

By giving ranks and tracking them, this also makes it easier to quantify
the success of the application.  Although it makes me wonder if Tessian
could artificially reduce risk rank over time to help the security team
convince the administration during budgeting that the price-hike from
Tessian is totally worth the investment.  ...  Just a thought.



### Presentation: Driving secure user behaviors with a radically different approach to phishing training ###

At this point I received a medical phone call and missed a majority of
this presentation.  The biggest takeaway I caught at the end of the
presentation was to "bring people along with you" and to "build security
culture."  This is mostly in regard to using less of the "gotcha" phishing
e-mail training on the staff.  "Adults don't learn well by fear-mongering
and punitive measures," so the alternate approach is to really explain
and communicate the importance of security.  Communicate how impactful it is,
to the company and particularly to the individual.


### Presentation: A security culture against data exfiltration ###

This presentation is mostly a re-hash about how humans are the most
integral part in all of this.  It re-emphasises how treating staff
like spraying a cat with water isn't good enough to promote security.
Also, busy people tend to cause the issue, not malicious ones.

"Never assume malice for what can be explained by stupidity"
- someone smart; I don't remember who said it originally.

If you're looking to review any of these, I would skip this one.



### Presentation: Relation 15 ###

How do you build a team to establish and promote secure practices in
the company?  This presentation focused a lot on the interpersonal
relationships you can build both with the staff and executives.

A focal point is that you should "be part of the team," and get
your coworkers to believe you care about the company.  It aligns your
goals with theirs, and they'll trust you more.  An interesting point
was communication is not about the pitch, but about how it is received.
The words you use don't matter if they don't land in the other's mind.

For some, that's putting security into business terms.  Dealing with
executives, you want to make sure you give them no surprises, and when
you present a problem, try to have a possible solution ready.  In meetings,
don't have your valid points overruled by someone's emotion.  If you surprise
an executive with bad news, their frustration could take over the meeting
and you lose talking points - even if what you're trying to communicate is
valid.

Specifically about building a team, the speakers would rather pull in
people with specialties rather than specifically security focused people.
The idea behind this is that you know security, so you can teach a
communication specialist (for example) about security, but you couldn't
teach another security person about the ins and outs of communication
technology.

In getting the company on board with security, the best way is to invite
yourself to others' meetings.  I found this hilarious and great.  No one
is going to want to attend your security meeting.  Instead, find a meeting
that has the people you need to talk to, and take a few minutes from their
general meeting to talk about security.  They're more likely to listen to you
and be more attentive, because they were already preparing to be more engaged
from the beginning.

The presentation ends with the quote "People will forget what you said,
what you did.  People will remember how you made them feel."
- Maya Angelou

Applying this quote here is to get people interested in security, and not
just lawyer them about it.



### Presentation: Security Predictions in the next 1, 5, & 10 years ###

All the panelists agree that Machine Learning is going to be more important
in security in the coming years.  Samy Kamkar makes some good points that
it's important to remember that malicious hackers will use emerging technology
to become more effective, but at the same time, the defenders will as well.
It will always be an arms race.

Nina Schick believes there will be an increase in insider threats.  I found
Kamkar's reply poignant - what threats have ever reduced over time?  He points
out that buffer-overflow attacks, which used to be mitigated within an OS, are
again an increasing issue in the Internet of Things with all of its micro-OSes.

It's also pointed out here that an insider problem doesn't necessarily mean
a malicious insider.  It's just that targeted phishing, with the astounding
amount of data we provide the internet, is trickier to handle and likely
to become more prominent in the future.

The term "Zoom Fatigue" describes why 2021 may have the worst of these targeted
attacks, and it's because we're all online now....all the time.  Even more so than
the previous years when people were writing about the insane amount of time
an average person spent on a computer.  Conceptually, "Zoom Fatigue" is that
society is sick and tired of being on a computer.  This leads to people
making more mistakes, opening bad e-mails, and possibly just being uninterested
in secure practices.

Speaking of mistakes, the panelists talk about how many attacks on
cloud applications are due to misconfigurations.  Make a point to set up
your security properly so you don't become a botnet!

When asked explicitly how they view security in the next 1, 5, 10 years,
the panelists had this to say:

Samy Kamkar - We're going to lose trust.  We're going to stop trusting
firewalls, routes, etc.  Just because another machine is on your
VPN will not mean you can trust them.

Nina Schick - AI will be the biggest thing due to the explosion of data
availability.  It is projected that 75% of enterprises will be using
applications that utilize Machine Learning.  AI will be both
a weapon and the defense.

Dan Raywood - AI.  Due to how humans are predictable, utilizing AI
to evaluate patterns to deploy attacks is going to be an issue.
Society is going to need people with advanced skill sets
comprising AI, Data Management, and Data patterning.



### End ###

Watching some of the videos may be more effective than reading this
huge wall of text.  I particularly liked "How to Hack a Human,"
and "Relation 15."  The last presentation was also interesting, but
it is noticeably edited and that makes me feel like we're missing out
on some interesting dialogue.

The big picture is that security starts and ends with humans - not your hash
function.  I think that relates a lot to our course in CS615 as we sit atop
Layer 9 of OSI, the Political Layer.  Some food for thought...is the Human
Layer above or below the Political Layer?
