SlideShare una empresa de Scribd logo

Effective user training

Descargar como ODP, PDF
Ari Elias-Bachrach
Ari Elias-Bachrach

Too often user training gets a bad rep in the information security industry. Too often this is because training is done extremely poorly. In this presentation I show that training works, can be effective, and give suggestions for putting together a good training program.

Tecnología
1 de 39
Users: Your First Line Of Defense 1 Users: Your First Line of Defense Ari Elias-Bachrach Defensium llc May 2014 http://bit.ly/effective_training
Users: Your First Line Of Defense 2 About Me Ari Elias-Bachrach ● Application Security nerd, training instructor ● Former pen tester ● Former infosec engineer ● Wanted to increase my impact on security ● Make CBTs ● Trainer ● Develop e-learning classes
Users: Your First Line Of Defense 3 This Talk Will Cover Effective Training For Non-Security Personnel Why We Do Training How To Give Advice Make Training Relevant Use Social Psychology
Users: Your First Line Of Defense 4 Why We Do Training
Users: Your First Line Of Defense 5 Attackers Are Targeting End Users More Source: 2014 Verizon Data Breach Investigations Report
Users: Your First Line Of Defense 6 Technical Problems Have Technical Solutions. Non-Technical Problems Have non-Technical Solutions.
Users: Your First Line Of Defense 7 Training Works Source: Threatsim, 2013 State of the Phish
Users: Your First Line Of Defense 8 Training Works Source: 2013 Verizon Data Breach Investigations Report
Users: Your First Line Of Defense 9 How To Give Advice
Users: Your First Line Of Defense 10 Give Positive Advice. Instead of telling people what NOT to do, tell them what to do No Running In the House! In The House We Walk
Users: Your First Line Of Defense 11 The Security Industry Gives Advice Mostly in the Negative Form Don't click the link 1,500,000 results Report a phishing email 54,400 results
Users: Your First Line Of Defense 12 The Security Industry Gives Advice Mostly in the Negative Form Cross Site Scripting 2,710,000 results Output Encoding 110,000 results
Users: Your First Line Of Defense 13 Give Positive Advice Common security advice: - Don't click the link - Don't use “product” - Don't use easily guessable passwords - Don't have any of these vulnerabilities
Users: Your First Line Of Defense 14 Give Positive Advice Good security advice: - When you get a phishing email.... - use “other product” - To make a good password... - Code in the following way....
Users: Your First Line Of Defense 15 Training Needs to be Relevant
Users: Your First Line Of Defense 16 Pick Your Topics Based on Real Needs What causes our IT incidents here? ➢ Phishing attacks? ➢ SQL injection? ➢ Viruses coming in through sneakernet? ➢ Loss/theft of laptops and smartphones?
Users: Your First Line Of Defense 17 Training Needs to be Relevant Don't Rely on Gimmicks – Focus on Concrete Things People See
Users: Your First Line Of Defense 18 Training Needs to be Relevant Don't Rely on Gimmicks – Focus on Concrete Things People See
Users: Your First Line Of Defense 19 Training Needs to be Relevant Don't Rely on Gimmicks – Focus on Concrete Things People See 8:00 10:30 12:00 2:00 5:00 Get to work and hold door open for “coworker” Write some code for a new web application Get an email from the helpdesk with instructions to fill out a form Discuss work over lunch in restaurant Go home. Leave desk unlocked
Users: Your First Line Of Defense 20 Do Not Teach Them The Language of Security, We Need to Speak Their Language 256 pages
Users: Your First Line Of Defense 21 Do Not Teach Them The Language of Security, We Need to Speak Their Language Vulnerability SQL Injection Confidentiality AES Encrypted Bug Prepared Statement Eavesdrop Protected
Users: Your First Line Of Defense 22 Use Social Psychology – There are Six Factors of Influence 1) Reciprocity 2) Commitment 3) Social Proof 4) Liking 5) Authority 6) Scarcity
Users: Your First Line Of Defense 23 Reciprocity – A Person Feels Like They're Repaying A Favor
Users: Your First Line Of Defense 24 Commitment – Once Committed to a Position, People Stick to it Source: Yes: 50 Scientifically Proven Ways to Be Persuasive, Noah J Goldstein
Users: Your First Line Of Defense 25 Commitment – Once Committed to a Position, People Stick to it Click-through doesn't do much If you can get people to read and sign a physical document, especially in a group, they're publicly supporting the position.
Users: Your First Line Of Defense 26 Commitment – Once Committed to a Position, People Stick to it Do you think that the security of our data is important? Why?
Users: Your First Line Of Defense 27 Commitment – Asking Questions Can Force a Person To Commit to a Position Compare these 3 options If you get a phishing email, please call the help desk. The next time you get a phishing email, will you call the service desk? The next time you get a phishing email, what will you do?
Users: Your First Line Of Defense 28 Liking – People are More Likely To Be Influenced By People They Like People like people who: ● Look like them ● Are Attractive ● Make them feel good (compliments, etc.) Not really possible for infosec to use this right? :-)
Users: Your First Line Of Defense 29 One Way to Make A Department More Likeable is To Humanize it. Source: petrelocation.com
Users: Your First Line Of Defense 30 One Way to Make A Department More Likeable is To Humanize it. Who should this email be sent from? 1) The IT Security department 2) A person
Users: Your First Line Of Defense 31 Social Proof – Do What Everyone Else is Doing People do what they perceive everyone else to be doing.
Users: Your First Line Of Defense 32 Social Proof – Do What Everyone Else is Doing “Last year our company had 237 incidents caused by people using weak passwords.” “Last year our company had 37 incidents caused by people clicking on links in phishing emails” These Statements are actually detrimental!
Users: Your First Line Of Defense 33 Social Proof – Do What Everyone Else is Doing “In a company audit, we found that 95% of our employees are using strong passwords.” “Last year we received 25,000 phishing emails, of which 99% were caught by the spam filter or ignored by the recipients.” These are much better
Users: Your First Line Of Defense 34 Authority – Some People's Positions Are Influential Source: Rusch, Jonathan. The "Social Engineering" of Internet Fraud Nurses were told to: ● Via an order over the phone ● Administer an unauthorized drug ● Above the maximum dosage ● From a Doctor they'd never heard of 95% did as they were told
Users: Your First Line Of Defense 35 Authority – Some People's Positions Are Influential Who is an authority where you work? ● Manager ● VP ● CEO ● IT Department
Users: Your First Line Of Defense 36 Scarcity – People Are More Likely To Want Something Perceived as Scarce While supplies last! Act now! This offer ends soon! Sale ends...
Users: Your First Line Of Defense 37 Conclusion Why We Do Training How To Give Advice Make Training Relevant Use Social Psychology
Users: Your First Line Of Defense 38 Further Reading To Sell is Human Predictable Irrational Influence Dan Pink Dan Ariely Robert Chialdini
Users: Your First Line Of Defense 39 CSRF: Not All Defenses Are Created Equal Ari Elias-Bachrach ari@defensium.com @angelofsecurity Defensium llc http://www.defensium.com

Recomendados

Ethics By ZAK
Ethics By ZAKEthics By ZAK
Ethics By ZAK
Tabsheer Hasan
 
Employment and Social Media: An Introduction to the Rules for Human Resource ...
Employment and Social Media: An Introduction to the Rules for Human Resource ...Employment and Social Media: An Introduction to the Rules for Human Resource ...
Employment and Social Media: An Introduction to the Rules for Human Resource ...
Elizabeth Lewis
 
MySQL 1, introduction
MySQL 1, introductionMySQL 1, introduction
MySQL 1, introduction
Fahri Firdausillah
 
User Interfaces and Algorithms for Fighting Phishing, Cylab Seminar talk 2007
User Interfaces and Algorithms for Fighting Phishing, Cylab Seminar talk 2007User Interfaces and Algorithms for Fighting Phishing, Cylab Seminar talk 2007
User Interfaces and Algorithms for Fighting Phishing, Cylab Seminar talk 2007
Jason Hong
 
Usable Privacy and Security: A Grand Challenge for HCI, Human Computer Inter...
Usable Privacy and Security: A Grand Challenge for HCI, Human Computer Inter...Usable Privacy and Security: A Grand Challenge for HCI, Human Computer Inter...
Usable Privacy and Security: A Grand Challenge for HCI, Human Computer Inter...
Jason Hong
 
Achieving Behavioral Change, for ISSA 2011 in San Francisco Feb 2011
Achieving Behavioral Change, for ISSA 2011 in San Francisco Feb 2011Achieving Behavioral Change, for ISSA 2011 in San Francisco Feb 2011
Achieving Behavioral Change, for ISSA 2011 in San Francisco Feb 2011
Jason Hong
 
MHTA Social Engineering Presentation - 050917
MHTA Social Engineering Presentation - 050917MHTA Social Engineering Presentation - 050917
MHTA Social Engineering Presentation - 050917
Evan Francen
 
From complainers to advocates social media & analytics
From complainers to advocates social media & analyticsFrom complainers to advocates social media & analytics
From complainers to advocates social media & analytics
Telerx
 

Recomendados

Ethics By ZAK
Ethics By ZAKEthics By ZAK
Ethics By ZAK
Tabsheer Hasan
 
Employment and Social Media: An Introduction to the Rules for Human Resource ...
Employment and Social Media: An Introduction to the Rules for Human Resource ...Employment and Social Media: An Introduction to the Rules for Human Resource ...
Employment and Social Media: An Introduction to the Rules for Human Resource ...
Elizabeth Lewis
 
MySQL 1, introduction
MySQL 1, introductionMySQL 1, introduction
MySQL 1, introduction
Fahri Firdausillah
 
User Interfaces and Algorithms for Fighting Phishing, Cylab Seminar talk 2007
User Interfaces and Algorithms for Fighting Phishing, Cylab Seminar talk 2007User Interfaces and Algorithms for Fighting Phishing, Cylab Seminar talk 2007
User Interfaces and Algorithms for Fighting Phishing, Cylab Seminar talk 2007
Jason Hong
 
Usable Privacy and Security: A Grand Challenge for HCI, Human Computer Inter...
Usable Privacy and Security: A Grand Challenge for HCI, Human Computer Inter...Usable Privacy and Security: A Grand Challenge for HCI, Human Computer Inter...
Usable Privacy and Security: A Grand Challenge for HCI, Human Computer Inter...
Jason Hong
 
Achieving Behavioral Change, for ISSA 2011 in San Francisco Feb 2011
Achieving Behavioral Change, for ISSA 2011 in San Francisco Feb 2011Achieving Behavioral Change, for ISSA 2011 in San Francisco Feb 2011
Achieving Behavioral Change, for ISSA 2011 in San Francisco Feb 2011
Jason Hong
 
MHTA Social Engineering Presentation - 050917
MHTA Social Engineering Presentation - 050917MHTA Social Engineering Presentation - 050917
MHTA Social Engineering Presentation - 050917
Evan Francen
 
From complainers to advocates social media & analytics
From complainers to advocates social media & analyticsFrom complainers to advocates social media & analytics
From complainers to advocates social media & analytics
Telerx
 
Be More Secure than your Competition: MePush Cyber Security for Small Business
Be More Secure than your Competition: MePush Cyber Security for Small BusinessBe More Secure than your Competition: MePush Cyber Security for Small Business
Be More Secure than your Competition: MePush Cyber Security for Small Business
Art Ocain
 
Protecting Your Professional Reputation Online
Protecting Your Professional Reputation OnlineProtecting Your Professional Reputation Online
Protecting Your Professional Reputation Online
Legal Media Matters
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Stephen Cobb
 
Hybrid Workplace Harassment: Are You Protecting Your Company from Hidden Thre...
Hybrid Workplace Harassment: Are You Protecting Your Company from Hidden Thre...Hybrid Workplace Harassment: Are You Protecting Your Company from Hidden Thre...
Hybrid Workplace Harassment: Are You Protecting Your Company from Hidden Thre...
Case IQ
 
From complainers to advocates social media & analytics
From complainers to advocates social media & analyticsFrom complainers to advocates social media & analytics
From complainers to advocates social media & analytics
Spencer Geren
 
Teaching Johnny Not to Fall for Phish, for ISSA 2010 on May 2010
Teaching Johnny Not to Fall for Phish, for ISSA 2010 on May 2010Teaching Johnny Not to Fall for Phish, for ISSA 2010 on May 2010
Teaching Johnny Not to Fall for Phish, for ISSA 2010 on May 2010
Jason Hong
 
Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011
Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011
Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011
Jason Hong
 
#FIRMday London 27 Nov 2014 James Bywater Talent Q " Making the right impact ...
#FIRMday London 27 Nov 2014 James Bywater Talent Q " Making the right impact ...#FIRMday London 27 Nov 2014 James Bywater Talent Q " Making the right impact ...
#FIRMday London 27 Nov 2014 James Bywater Talent Q " Making the right impact ...
Emma Mirrington
 
Hiperstation Application Audit: Privileged User or Insider Risk
Hiperstation Application Audit: Privileged User or Insider RiskHiperstation Application Audit: Privileged User or Insider Risk
Hiperstation Application Audit: Privileged User or Insider Risk
Compuware
 
Keeping an Eye On Risk - Current Concerns and Supervisory Oversight
Keeping an Eye On Risk - Current Concerns and Supervisory OversightKeeping an Eye On Risk - Current Concerns and Supervisory Oversight
Keeping an Eye On Risk - Current Concerns and Supervisory Oversight
CBIZ, Inc.
 
Social Media and The Law
Social Media and The LawSocial Media and The Law
Social Media and The Law
Our Social Times
 
Ethics in Product Development
Ethics in Product DevelopmentEthics in Product Development
Ethics in Product Development
Jennifer Fraser
 
5 Technology Trends Construction Contractors Can't Afford To Ignore
5 Technology Trends Construction Contractors Can't Afford To Ignore5 Technology Trends Construction Contractors Can't Afford To Ignore
5 Technology Trends Construction Contractors Can't Afford To Ignore
Gross, Mendelsohn & Associates
 
How People Care about their Personal Datatheir Data Released onReleased on So...
How People Care about their Personal Datatheir Data Released onReleased on So...How People Care about their Personal Datatheir Data Released onReleased on So...
How People Care about their Personal Datatheir Data Released onReleased on So...
Kellyton Brito
 
Linked In 29 In 29
Linked In 29 In 29Linked In 29 In 29
Linked In 29 In 29
jsteinberg
 
Airport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyAirport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthy
Russell Publishing
 
Social engineering
Social engineeringSocial engineering
Social engineering
ankushmohanty
 
Effective Training and Policy Takes the Fear out of Social Networking - Shawn...
Effective Training and Policy Takes the Fear out of Social Networking - Shawn...Effective Training and Policy Takes the Fear out of Social Networking - Shawn...
Effective Training and Policy Takes the Fear out of Social Networking - Shawn...
sdavis532
 
Social engineering
Social engineeringSocial engineering
Social engineering
Robert Hood
 
protecting your digital personal life
protecting your digital personal lifeprotecting your digital personal life
protecting your digital personal life
Nathan Lesser
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
Boston Institute of Analytics
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Más contenido relacionado

Similar a Effective user training

Hybrid Workplace Harassment: Are You Protecting Your Company from Hidden Thre...
Hybrid Workplace Harassment: Are You Protecting Your Company from Hidden Thre...Hybrid Workplace Harassment: Are You Protecting Your Company from Hidden Thre...
Hybrid Workplace Harassment: Are You Protecting Your Company from Hidden Thre...
Case IQ
 
Hiperstation Application Audit: Privileged User or Insider Risk
Hiperstation Application Audit: Privileged User or Insider RiskHiperstation Application Audit: Privileged User or Insider Risk
Hiperstation Application Audit: Privileged User or Insider Risk
Compuware
 
How People Care about their Personal Datatheir Data Released onReleased on So...
How People Care about their Personal Datatheir Data Released onReleased on So...How People Care about their Personal Datatheir Data Released onReleased on So...
How People Care about their Personal Datatheir Data Released onReleased on So...
Kellyton Brito
 
Airport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyAirport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthy
Russell Publishing
 
Effective Training and Policy Takes the Fear out of Social Networking - Shawn...
Effective Training and Policy Takes the Fear out of Social Networking - Shawn...Effective Training and Policy Takes the Fear out of Social Networking - Shawn...
Effective Training and Policy Takes the Fear out of Social Networking - Shawn...
sdavis532
 

Similar a Effective user training (20)

Be More Secure than your Competition: MePush Cyber Security for Small Business
Be More Secure than your Competition: MePush Cyber Security for Small BusinessBe More Secure than your Competition: MePush Cyber Security for Small Business
Be More Secure than your Competition: MePush Cyber Security for Small Business
 
Protecting Your Professional Reputation Online
Protecting Your Professional Reputation OnlineProtecting Your Professional Reputation Online
Protecting Your Professional Reputation Online
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...
 
Hybrid Workplace Harassment: Are You Protecting Your Company from Hidden Thre...
Hybrid Workplace Harassment: Are You Protecting Your Company from Hidden Thre...Hybrid Workplace Harassment: Are You Protecting Your Company from Hidden Thre...
Hybrid Workplace Harassment: Are You Protecting Your Company from Hidden Thre...
 
From complainers to advocates social media & analytics
From complainers to advocates social media & analyticsFrom complainers to advocates social media & analytics
From complainers to advocates social media & analytics
 
Teaching Johnny Not to Fall for Phish, for ISSA 2010 on May 2010
Teaching Johnny Not to Fall for Phish, for ISSA 2010 on May 2010Teaching Johnny Not to Fall for Phish, for ISSA 2010 on May 2010
Teaching Johnny Not to Fall for Phish, for ISSA 2010 on May 2010
 
Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011
Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011
Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011
 
#FIRMday London 27 Nov 2014 James Bywater Talent Q " Making the right impact ...
#FIRMday London 27 Nov 2014 James Bywater Talent Q " Making the right impact ...#FIRMday London 27 Nov 2014 James Bywater Talent Q " Making the right impact ...
#FIRMday London 27 Nov 2014 James Bywater Talent Q " Making the right impact ...
 
Hiperstation Application Audit: Privileged User or Insider Risk
Hiperstation Application Audit: Privileged User or Insider RiskHiperstation Application Audit: Privileged User or Insider Risk
Hiperstation Application Audit: Privileged User or Insider Risk
 
Keeping an Eye On Risk - Current Concerns and Supervisory Oversight
Keeping an Eye On Risk - Current Concerns and Supervisory OversightKeeping an Eye On Risk - Current Concerns and Supervisory Oversight
Keeping an Eye On Risk - Current Concerns and Supervisory Oversight
 
Social Media and The Law
Social Media and The LawSocial Media and The Law
Social Media and The Law
 
Ethics in Product Development
Ethics in Product DevelopmentEthics in Product Development
Ethics in Product Development
 
5 Technology Trends Construction Contractors Can't Afford To Ignore
5 Technology Trends Construction Contractors Can't Afford To Ignore5 Technology Trends Construction Contractors Can't Afford To Ignore
5 Technology Trends Construction Contractors Can't Afford To Ignore
 
How People Care about their Personal Datatheir Data Released onReleased on So...
How People Care about their Personal Datatheir Data Released onReleased on So...How People Care about their Personal Datatheir Data Released onReleased on So...
How People Care about their Personal Datatheir Data Released onReleased on So...
 
Linked In 29 In 29
Linked In 29 In 29Linked In 29 In 29
Linked In 29 In 29
 
Airport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyAirport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthy
 
Social engineering
Social engineeringSocial engineering
Social engineering
 
Effective Training and Policy Takes the Fear out of Social Networking - Shawn...
Effective Training and Policy Takes the Fear out of Social Networking - Shawn...Effective Training and Policy Takes the Fear out of Social Networking - Shawn...
Effective Training and Policy Takes the Fear out of Social Networking - Shawn...
 
Social engineering
Social engineeringSocial engineering
Social engineering
 
protecting your digital personal life
protecting your digital personal lifeprotecting your digital personal life
protecting your digital personal life
 

Último

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Roshan Dwivedi
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 

Último (20)

HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 

Effective user training

  • 1. Users: Your First Line Of Defense 1 Users: Your First Line of Defense Ari Elias-Bachrach Defensium llc May 2014 http://bit.ly/effective_training
  • 2. Users: Your First Line Of Defense 2 About Me Ari Elias-Bachrach ● Application Security nerd, training instructor ● Former pen tester ● Former infosec engineer ● Wanted to increase my impact on security ● Make CBTs ● Trainer ● Develop e-learning classes
  • 3. Users: Your First Line Of Defense 3 This Talk Will Cover Effective Training For Non-Security Personnel Why We Do Training How To Give Advice Make Training Relevant Use Social Psychology
  • 4. Users: Your First Line Of Defense 4 Why We Do Training
  • 5. Users: Your First Line Of Defense 5 Attackers Are Targeting End Users More Source: 2014 Verizon Data Breach Investigations Report
  • 6. Users: Your First Line Of Defense 6 Technical Problems Have Technical Solutions. Non-Technical Problems Have non-Technical Solutions.
  • 7. Users: Your First Line Of Defense 7 Training Works Source: Threatsim, 2013 State of the Phish
  • 8. Users: Your First Line Of Defense 8 Training Works Source: 2013 Verizon Data Breach Investigations Report
  • 9. Users: Your First Line Of Defense 9 How To Give Advice
  • 10. Users: Your First Line Of Defense 10 Give Positive Advice. Instead of telling people what NOT to do, tell them what to do No Running In the House! In The House We Walk
  • 11. Users: Your First Line Of Defense 11 The Security Industry Gives Advice Mostly in the Negative Form Don't click the link 1,500,000 results Report a phishing email 54,400 results
  • 12. Users: Your First Line Of Defense 12 The Security Industry Gives Advice Mostly in the Negative Form Cross Site Scripting 2,710,000 results Output Encoding 110,000 results
  • 13. Users: Your First Line Of Defense 13 Give Positive Advice Common security advice: - Don't click the link - Don't use “product” - Don't use easily guessable passwords - Don't have any of these vulnerabilities
  • 14. Users: Your First Line Of Defense 14 Give Positive Advice Good security advice: - When you get a phishing email.... - use “other product” - To make a good password... - Code in the following way....
  • 15. Users: Your First Line Of Defense 15 Training Needs to be Relevant
  • 16. Users: Your First Line Of Defense 16 Pick Your Topics Based on Real Needs What causes our IT incidents here? ➢ Phishing attacks? ➢ SQL injection? ➢ Viruses coming in through sneakernet? ➢ Loss/theft of laptops and smartphones?
  • 17. Users: Your First Line Of Defense 17 Training Needs to be Relevant Don't Rely on Gimmicks – Focus on Concrete Things People See
  • 18. Users: Your First Line Of Defense 18 Training Needs to be Relevant Don't Rely on Gimmicks – Focus on Concrete Things People See
  • 19. Users: Your First Line Of Defense 19 Training Needs to be Relevant Don't Rely on Gimmicks – Focus on Concrete Things People See 8:00 10:30 12:00 2:00 5:00 Get to work and hold door open for “coworker” Write some code for a new web application Get an email from the helpdesk with instructions to fill out a form Discuss work over lunch in restaurant Go home. Leave desk unlocked
  • 20. Users: Your First Line Of Defense 20 Do Not Teach Them The Language of Security, We Need to Speak Their Language 256 pages
  • 21. Users: Your First Line Of Defense 21 Do Not Teach Them The Language of Security, We Need to Speak Their Language Vulnerability SQL Injection Confidentiality AES Encrypted Bug Prepared Statement Eavesdrop Protected
  • 22. Users: Your First Line Of Defense 22 Use Social Psychology – There are Six Factors of Influence 1) Reciprocity 2) Commitment 3) Social Proof 4) Liking 5) Authority 6) Scarcity
  • 23. Users: Your First Line Of Defense 23 Reciprocity – A Person Feels Like They're Repaying A Favor
  • 24. Users: Your First Line Of Defense 24 Commitment – Once Committed to a Position, People Stick to it Source: Yes: 50 Scientifically Proven Ways to Be Persuasive, Noah J Goldstein
  • 25. Users: Your First Line Of Defense 25 Commitment – Once Committed to a Position, People Stick to it Click-through doesn't do much If you can get people to read and sign a physical document, especially in a group, they're publicly supporting the position.
  • 26. Users: Your First Line Of Defense 26 Commitment – Once Committed to a Position, People Stick to it Do you think that the security of our data is important? Why?
  • 27. Users: Your First Line Of Defense 27 Commitment – Asking Questions Can Force a Person To Commit to a Position Compare these 3 options If you get a phishing email, please call the help desk. The next time you get a phishing email, will you call the service desk? The next time you get a phishing email, what will you do?
  • 28. Users: Your First Line Of Defense 28 Liking – People are More Likely To Be Influenced By People They Like People like people who: ● Look like them ● Are Attractive ● Make them feel good (compliments, etc.) Not really possible for infosec to use this right? :-)
  • 29. Users: Your First Line Of Defense 29 One Way to Make A Department More Likeable is To Humanize it. Source: petrelocation.com
  • 30. Users: Your First Line Of Defense 30 One Way to Make A Department More Likeable is To Humanize it. Who should this email be sent from? 1) The IT Security department 2) A person
  • 31. Users: Your First Line Of Defense 31 Social Proof – Do What Everyone Else is Doing People do what they perceive everyone else to be doing.
  • 32. Users: Your First Line Of Defense 32 Social Proof – Do What Everyone Else is Doing “Last year our company had 237 incidents caused by people using weak passwords.” “Last year our company had 37 incidents caused by people clicking on links in phishing emails” These Statements are actually detrimental!
  • 33. Users: Your First Line Of Defense 33 Social Proof – Do What Everyone Else is Doing “In a company audit, we found that 95% of our employees are using strong passwords.” “Last year we received 25,000 phishing emails, of which 99% were caught by the spam filter or ignored by the recipients.” These are much better
  • 34. Users: Your First Line Of Defense 34 Authority – Some People's Positions Are Influential Source: Rusch, Jonathan. The "Social Engineering" of Internet Fraud Nurses were told to: ● Via an order over the phone ● Administer an unauthorized drug ● Above the maximum dosage ● From a Doctor they'd never heard of 95% did as they were told
  • 35. Users: Your First Line Of Defense 35 Authority – Some People's Positions Are Influential Who is an authority where you work? ● Manager ● VP ● CEO ● IT Department
  • 36. Users: Your First Line Of Defense 36 Scarcity – People Are More Likely To Want Something Perceived as Scarce While supplies last! Act now! This offer ends soon! Sale ends...
  • 37. Users: Your First Line Of Defense 37 Conclusion Why We Do Training How To Give Advice Make Training Relevant Use Social Psychology
  • 38. Users: Your First Line Of Defense 38 Further Reading To Sell is Human Predictable Irrational Influence Dan Pink Dan Ariely Robert Chialdini
  • 39. Users: Your First Line Of Defense 39 CSRF: Not All Defenses Are Created Equal Ari Elias-Bachrach ari@defensium.com @angelofsecurity Defensium llc http://www.defensium.com