With the August 5th & 6th show fast approaching, we are continuing our series highlighting some of the coolest presentations that are scheduled to take place at Security BSides Las Vegas.
For those who don’t already know, Security BSides events are organized by-and-for the security community, and attracts some of the most innovative security practitioners from around the world, and BSidesLV has the reputation for being one of the biggest events of the series.
We previously featured sessions on vulnerabilities in URL schemes, a talk on conference swag hacking strategies, a session on how to be successful in social engineering attacks, another on attacking Drupal, and one titled IDS and NSM: Cut the Sh**!
Next up is a talk being presented by Casey Dunham (@CaseyDunham) and Emily Pience (@obfusicationx2), titled Pwning the Hapless or How to Make Your Security Program Not Suck, which will explore the lack of security awareness most employees continually make which can lead to a major security event, as well as discussing useful training, resource organization and allocation.
The presenters will walk attendees through a few scenarios – some successful and some not – and share what they have learned about human behavior and how it can be applied to enforcing security policies by creating a “culture of care.”
We discussed the session with Pience, an insurance industry professional with ten years experience of working for three of the biggest U.S. based disability insurance companies. Her co-speaker Casey is a Security Engineer with a history working for commercial financial firms.
“Customer data is our business. Whether within the financial or healthcare industries, the root of our business is to safely house and transmit information to and from trusted parties,” Pience said.
“With the growing demand of increased access – in healthcare, from providers, employees, visitors and patients, from a variety of devices, increased federal enforcements of privacy and security requirements under the new HIPAA Omnibus Rule, there is an ongoing challenge of ensuring patient and customer information is adequately protected.”
Pience points out that numerous breaches within both the healthcare and financial fields have involved lost or stolen devices that are unencrypted, and that these kinds of mistakes by employees continue to be the biggest security threats to all businesses.
The session will examine why these breaches keep occurring and how you as an IT professional – or merely an employee with the safety of your customers’ data of concern – can help your business create useful prevention strategies that employees will pay attention to, as well as how to train employees to not be susceptible to social engineering attacks.
“Technical solutions will not be discussed specifically, as the focus will be on employee awareness, education and how we can do better,” Pience said. “By working through a few scenarios that we have personally encountered, we will address the topics of ‘why to care’ – or problems with people caring about security – testing your people, getting the ‘peons’ out of the loop, and rewarding security efforts.”
Pience says she and Casey are passionate about this topic because, as employees of Fortune 100 companies with large training budgets for security awareness, they continually see the same security mistakes being made by employees – both techy and non-techy – over and over again.
“With everyone wanting instant access to their own data – personal banking, medical records and bills – and companies clamoring to provide this access in multiple forms, the opportunities for human error have increased infinitely, and the human errors we have seen publicized in the media have been ‘duh’ lapses by ‘intelligent’ people,” Pience said.
“In many cases, the efforts of the people responsible for the security of an organization fail to properly get their point across, and it is even harder when trying to explain something that doesn’t have a quick fix and involves more technical astuteness on the part of the user – oftentimes the difference between a successful security campaign and a non-successful one is simply communication.”
The session will be of utmost interest to anyone who handles or protects customer data on a daily basis, or creates proprietary programs and processes of obtaining customer data within company systems.
“We feel it may be more vital to those who have influence over in creating, sponsoring or financing security awareness programs within companies handling customer data, as these people are better able to identify their specific audience and create effective training with levity they will better prepare their workforce to prevent lapses in judgment and error,” Pience said.
“Security developers will be aware of how to introduce changes to their applications that will create checks and balances to gain access to customer data, thus preventing employees from accessing data without appropriate information.”
Pience said she and Casey are hoping audience members come away with new ideas for creating security training within their own company, and a renewed sense of awareness of how important and effective these trainings can be within their own organization.
“And we hope that during this presentation someone who has already been running an awareness program or is putting one together will leave with at least one idea that can make their program more effective,” Pience said.
“We are also hoping that developers come away with the notion that they can create checks and balances within their proprietary systems to prevent attacks, and we hope they find inspiration for changing or upgrading their programs to include such checks and balances.”
While there will always be people who remain computer operators rather than true users, Pience and Casey point out that as generations of more technologically aware people enter the workforce and hacking force, there will be new methods of exploiting human error and lack of awareness.
“Developers can create new ways to assist in creating processes that will prevent opportunities for common attacks and human errors,” Pience said.
- What I Learned as a Con Man
- Confessions of a LinkedIn Imposter: We Are Probably Connected
- Grounding Anti-Phishing Programs in Cognitive Foundations
- Manipulating People for Fun and Profit
Check out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the Heartbleed vulnerability.
The Executive’s Guide to the Top 20 Critical Security Controls: Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Title image courtesy of ShutterStock