Developing the Human Firewall

Frank Wintle
PanMedia
20/10/09 | Session ID: PROF-105
Classification: Intermediate
Agenda

A Journey to the East
It’s not just technology
The power of story
Four rules for happiness
A wilderness of mirrors...
Secrets Betrayed
From first man to fifth?
One author’s theory...
Sex and secrecy
A housewife and mother
Who is the hacker? Who is the spy?
An engineer calls...
... and checks under the desk
Now wires have ears

“Keystrokes recorded so far is 2706 out of 107250 ...

<PWR><CAD>fsmith<tab><tab>arabella
<CAD>
<CAD> arabella
<CAD>
<CAD> arabella
exit
tracert 192.168.137.240
telnet 192.168.137.240
Cisco”
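What the capture above actually hands an attacker is easier to see with a parser run over it. The following is an added example, not part of Frank Wintle’s slides: it reads a dump in the layout shown on the slide and pulls out the Windows logon credentials, the passwords typed at the lock screen, and the hosts the victim then traced and telnetted to. The token names (`<PWR>`, `<CAD>`, `<tab>`), the one-logon-per-line layout and the sample dump itself are assumptions modelled on the slide, not any product’s documented format. The practitioner’s caveat: a hardware logger sits between the keyboard and the host, so the Ctrl-Alt-Del secure attention sequence that protects the logon dialog from software on the machine gives no protection here; only a physical check of the cable (the “checks under the desk” slide) or a second factor does.

```python
"""Parse a hardware-keylogger dump of the kind shown on the "Now wires have
ears" slide and recover what an attacker would use: logon credentials and the
network hosts the victim connected to afterwards.

Assumptions (modelled on the slide, not a documented format): <PWR> marks
power-on, <CAD> marks Ctrl-Alt-Del, <tab> moves between logon-dialog fields,
and each logon or unlock occupies one line of the dump.
"""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the slide: power-on, a full Ctrl-Alt-Del logon
# (user name, two tabs, password), three lock-screen unlocks (password only,
# one of them abandoned), then a console session that traces and telnets to a
# router.
SAMPLE_DUMP = """Keystrokes recorded so far is 2706 out of 107250 ...
<PWR><CAD>fsmith<tab><tab>arabella
<CAD>arabella
<CAD>
<CAD>arabella
exit
tracert 192.168.137.240
telnet 192.168.137.240
"""

TOKEN = re.compile(r"<([A-Za-z]+)>")              # any <name> control token
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")  # crude IPv4 matcher
NET_CMDS = ("telnet", "tracert", "traceroute", "ssh", "ping", "ftp")


@dataclass
class Recovered:
    logons: list = field(default_factory=list)    # (username, password) per full logon
    unlocks: list = field(default_factory=list)   # passwords typed at the lock screen
    targets: list = field(default_factory=list)   # (command, host) for network commands
    commands: list = field(default_factory=list)  # every non-logon line typed


def _fields(text):
    """Split a logon line on <tab>, strip other tokens, keep empty fields so a
    skipped dialog field (e.g. the domain box) stays visible."""
    return [TOKEN.sub("", p).strip() for p in re.split(r"<tab>", text)]


def parse_dump(dump):
    rec = Recovered()
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("Keystrokes recorded"):
            continue                          # logger's own status banner
        line = line.replace("<PWR>", "")      # power-on marker carries no keystrokes
        if line.startswith("<CAD>"):
            fields = _fields(line[len("<CAD>"):])
            typed = [f for f in fields if f]
            if not typed:
                continue                      # Ctrl-Alt-Del with nothing typed
            if len(fields) > 1:               # user name, [domain], password
                rec.logons.append((fields[0], typed[-1]))
            else:                             # lock screen: password only
                rec.unlocks.append(typed[0])
            continue
        rec.commands.append(line)
        cmd = line.split()[0].lower()
        m = IPV4.search(line)
        if cmd in NET_CMDS and m:
            rec.targets.append((cmd, m.group(0)))
    return rec


def credentials(dump):
    """Distinct (username, password) pairs. Lock-screen passwords are attributed
    to the most recent full logon's user, which also catches a password changed
    between sessions."""
    rec = parse_dump(dump)
    pairs = list(dict.fromkeys(rec.logons))
    user = rec.logons[-1][0] if rec.logons else None
    for pw in rec.unlocks:
        if user and (user, pw) not in pairs:
            pairs.append((user, pw))
    return pairs


def hosts(dump):
    """Sorted, de-duplicated hosts reached with a network command."""
    return sorted({h for _, h in parse_dump(dump).targets})


if __name__ == "__main__":
    print(credentials(SAMPLE_DUMP))   # [('fsmith', 'arabella')]
    print(hosts(SAMPLE_DUMP))         # ['192.168.137.240']
```

Run as a script it prints the one credential pair and the one router address; `parse_dump` keeps the raw command lines too, so the telnet session that follows the logon (and any device password typed into it) is recovered just as completely as the Windows password.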
New weapons, new fronts, old battles
Wedded to mystery
A true story?
Nonsense as science
Science as nonsense
Backs to the Facts




“The human mind is less disturbed by a
 mystery it cannot explain than by an
 explanation it cannot understand.”

     David Mamet, The Water Engine
Typical defence: silver bullets

Key features:
• Sexy name
• Pretty diagrams
• Complex technology
• Flashing lights
• Rack mountable
• Reassuringly expensive
The criminal’s approach

Social engineering plus technology

• Phishing
• Trojans & rootkits
• Laptop theft
• In person intrusion
Why social engineering?

• Social engineering can be used to gain access to any system, irrespective of the platform.

• It’s the hardest form of attack to defend against because hardware and software alone can’t stop it.
The difficult sell!

The money you spent on security products, patching
systems and conducting audits could be wasted if you
don’t prevent social engineering attacks …


             You need to invest in
                 Awareness
                    and
                  Policies
Countermeasures
Countermeasures require action on physical and psychological levels
as well as traditional technical controls

Physical:
  – in the workplace
  – over the phone
  – dumpster diving
  – on-line

Psychological:
  – persuasion
  – impersonation
  – conformity
  – friendliness
Staff awareness

• Educate all employees - everyone has a role in protecting the organisation and thereby their own jobs
• If someone tries to threaten them or confuse them, it should raise a red flag
• Train new employees as they start
• Give extra security training to security guards, help desk staff, receptionists, telephone operators
• Keep the training up to date and relevant
Which point of view?




“The single most important problem in science is
 to reconcile the first and third person accounts
 of the universe...”         V S Ramachandran
Third person
First person
Wooing the audience




“I CAN THINK of nothing that an audience
won’t understand. The only problem is to
interest them; once they are interested,
they understand anything in the world.”
               Orson Welles
Telling the STORY




  Once upon a time....
  And then one day....
  But what they didn’t know....
  Climax and resolution
Understanding the mind
“Narrative is the primary human tool for explanation, prediction,
 evaluation and planning” ------- Mark Thomas, The Narrative Mind




“We live, and call ourselves awake, and make decisions by telling
 ourselves stories” ------ Julian Jaynes, The Origins of Consciousness
Games with a purpose




EXECUTIVE GAMES COULD HELP STEM CYBERCRIME, FIRST EXPERTS TOLD
Kyoto, Japan – June 30, 2009. Senior executives should play special computer games
and watch animations to help them understand the scale of the threat from cyber-crime
and win their support for improvements in security, one of Japan’s top Internet protection experts
said yesterday at the 21st annual conference of FIRST, the Forum of Incident Response and Security Teams.

Dr Suguru Yamaguchi, member and adviser on information security at the Japanese Cabinet Office
National Information Security Centre, was giving the opening keynote address at the five-day conference,
which got underway at the Hotel Granvia, Kyoto.

“We need to find ways to help corporate executives actually to visualize what goes on
 when a computer network is under attack,” he said. “Just explaining in words isn’t enough
– the words are too dense, too technical – what we should do is design special games and animations
which will bring the severity of current threats vividly alive in the executives’ imaginations.”
Everyone hates a sermon...




    “Audiences shrink from sermons…”
                       Akira Kurosawa
Everyone loves a story




 “I think that I have made them aware…”
“They just don’t get it...”



        “We concealed the very things that made us
        right – our respect for the individual, our love of
        variety and argument, our belief that you can
        only govern fairly with the consent of the
        governed, our capacity to see the other fellow’s
        point of view... so it wasn’t much wonder, was
        it, if we opened our gates to every con-man
        and charlatan?”
                          George Smiley (John Le Carré)
A human firewall
Four rules for a good life



                  1. Exercise
                  2. Love
                  3. Disdain
                  4. A project
Need more information?




    Frank Wintle
        PanMedia

frankwintle@panmedia.co.uk
      +44(0)7850 102194
