1 00:00:02,570 --> 00:00:09,530 stop yep mayhap thank you very much 2 00:00:06,109 --> 00:00:12,260 this is weaponizing late and in the next 3 00:00:09,530 --> 00:00:15,799 45 minutes to an hour I'd like to talk 4 00:00:12,260 --> 00:00:18,550 to you about what layer eight actually 5 00:00:15,800 --> 00:00:21,830 means and why we should talk about that 6 00:00:18,550 --> 00:00:23,420 so for those of you not really familiar 7 00:00:21,830 --> 00:00:26,299 with layer 8 00:00:23,420 --> 00:00:29,060 eight layer eight is a term that we in 9 00:00:26,300 --> 00:00:32,689 the InfoSec industry or ite generally 10 00:00:29,060 --> 00:00:36,469 have used to describe users the stupid 11 00:00:32,689 --> 00:00:39,530 people using our systems and we also 12 00:00:36,469 --> 00:00:42,379 have called them other names like PAP 13 00:00:39,530 --> 00:00:47,229 kak which is short for people exists 14 00:00:42,379 --> 00:00:51,229 between keyboard and chair our idiots 15 00:00:47,229 --> 00:00:53,539 basically and this was some kind of 16 00:00:51,229 --> 00:00:56,388 negative thinking I think that some 17 00:00:53,539 --> 00:00:59,299 people in the industry still have when 18 00:00:56,389 --> 00:01:02,209 we call our colleagues people that use 19 00:00:59,299 --> 00:01:04,129 our systems the weakest link we are not 20 00:01:02,209 --> 00:01:07,610 really doing them justice I think and 21 00:01:04,129 --> 00:01:10,100 this talk is relevant because as we 22 00:01:07,610 --> 00:01:14,630 proof day by day we in the industry are 23 00:01:10,100 --> 00:01:16,820 known I'm really managing in we are not 24 00:01:14,630 --> 00:01:19,220 really capable to solve our problems in 25 00:01:16,820 --> 00:01:21,410 the industry and we won't be able to 26 00:01:19,220 --> 00:01:24,620 solve them without the people using our 27 00:01:21,410 --> 00:01:24,950 systems so the problem is to get them on 28 00:01:24,620 --> 00:01:27,740 board 29 00:01:24,950 --> 00:01:29,840 the other alternative that 
every vendor 30 00:01:27,740 --> 00:01:32,810 at our say for example that is running 31 00:01:29,840 --> 00:01:35,270 now will tell you is just buy a box and 32 00:01:32,810 --> 00:01:36,860 put the Box in the network probably 33 00:01:35,270 --> 00:01:40,340 leave it unconsidered and it will solve 34 00:01:36,860 --> 00:01:43,400 your security problems little spoiler it 35 00:01:40,340 --> 00:01:47,210 probably won't what the boxin will do is 36 00:01:43,400 --> 00:01:48,980 they will create a lot of screens and a 37 00:01:47,210 --> 00:01:51,229 lot of information and a lot of 38 00:01:48,980 --> 00:01:55,040 dashboards for your secure operation 39 00:01:51,230 --> 00:01:56,690 center and it will be just wasted 40 00:01:55,040 --> 00:02:00,200 information because at the end of the 41 00:01:56,690 --> 00:02:03,110 day you will have not secured some of 42 00:02:00,200 --> 00:02:06,170 your humans and my phone conviction is 43 00:02:03,110 --> 00:02:08,228 that humans matter the original version 44 00:02:06,170 --> 00:02:11,239 of this talk was created together with 45 00:02:08,229 --> 00:02:13,939 Brian fight and some of the things you 46 00:02:11,239 --> 00:02:15,260 seen the talk are attributed to him this 47 00:02:13,939 --> 00:02:19,540 humans matter 48 00:02:15,260 --> 00:02:25,060 is from his own conference as well so 49 00:02:19,540 --> 00:02:28,430 before we get into how we can actually 50 00:02:25,060 --> 00:02:32,230 weaponize our alkyl leaks I would like 51 00:02:28,430 --> 00:02:36,190 to talk to you about how I think cyber 52 00:02:32,230 --> 00:02:38,929 actually impacts the physical domain 53 00:02:36,190 --> 00:02:40,880 let's start with something funny 54 00:02:38,930 --> 00:02:43,340 I've brought and I've said that I've 55 00:02:40,880 --> 00:02:45,230 brought a lot of gummy bears and when I 56 00:02:43,340 --> 00:02:47,299 did that I realized that I wouldn't be 57 00:02:45,230 --> 00:02:49,399 able to throw them at anyone because hey 58 
00:02:47,299 --> 00:02:52,760 I suck at throwing and be you're quite 59 00:02:49,400 --> 00:02:56,360 far away so I'll just leave them there 60 00:02:52,760 --> 00:02:59,328 if you fancy that stuff then just 61 00:02:56,360 --> 00:03:01,730 perhaps and after my talk still I 62 00:02:59,329 --> 00:03:03,950 wouldn't mind you participating in show 63 00:03:01,730 --> 00:03:06,828 of hands if you want to who a few has 64 00:03:03,950 --> 00:03:11,780 heard of the great German pizza was five 65 00:03:06,829 --> 00:03:14,569 six years ago so for all of you who 66 00:03:11,780 --> 00:03:18,920 haven't five or six years ago we have 67 00:03:14,569 --> 00:03:21,108 two main portals selling fast food so 68 00:03:18,920 --> 00:03:23,089 you locked on you fancied a pizza or 69 00:03:21,109 --> 00:03:25,040 your pansies burger and you put your 70 00:03:23,090 --> 00:03:28,340 order in and the pond would just send 71 00:03:25,040 --> 00:03:31,280 the nearest delivery service to your 72 00:03:28,340 --> 00:03:33,260 home so basically the same lie traffic 73 00:03:31,280 --> 00:03:35,750 deliver ruin others what you have in 74 00:03:33,260 --> 00:03:38,870 your country but the funny thing about 75 00:03:35,750 --> 00:03:41,180 the two major place in Germany was they 76 00:03:38,870 --> 00:03:45,410 started ddosing each other on Saturday 77 00:03:41,180 --> 00:03:47,120 nights so basically the idea was if the 78 00:03:45,410 --> 00:03:49,519 other guy couldn't get the order then 79 00:03:47,120 --> 00:03:53,150 I'm getting the order but if both are 80 00:03:49,519 --> 00:03:56,260 ddosing then the other one then nobody's 81 00:03:53,150 --> 00:03:59,239 getting the order so people went unfed a 82 00:03:56,260 --> 00:04:04,069 little bit more serious is of course I 83 00:03:59,239 --> 00:04:06,380 wanna cry so people who are not really 84 00:04:04,069 --> 00:04:09,018 computer savvy or aren't online at all 85 00:04:06,380 --> 00:04:12,139 we're impacted by stuff that happens in 86 
00:04:09,019 --> 00:04:14,329 the online world because hospitals 87 00:04:12,139 --> 00:04:17,599 couldn't do with a job because their 88 00:04:14,329 --> 00:04:22,130 systems were just blocked by ransomware 89 00:04:17,599 --> 00:04:25,880 and the last example where I learned the 90 00:04:22,130 --> 00:04:28,100 interesting term of swatting hope you 91 00:04:25,880 --> 00:04:30,830 knows what's what heinous basically yeah 92 00:04:28,100 --> 00:04:32,570 that's very good but how do we know it 93 00:04:30,830 --> 00:04:34,490 because they're idiots calling the 94 00:04:32,570 --> 00:04:36,260 police on somebody else because that is 95 00:04:34,490 --> 00:04:38,870 what swatting means special weapons an 96 00:04:36,260 --> 00:04:42,200 assault team and if you bear a grudge 97 00:04:38,870 --> 00:04:44,540 against somebody and maybe you're a 98 00:04:42,200 --> 00:04:46,760 teenager then you just call the police 99 00:04:44,540 --> 00:04:49,610 and tell them there's something horrible 100 00:04:46,760 --> 00:04:53,240 going on at that house and probably you 101 00:04:49,610 --> 00:04:55,430 should go and have a look so when I was 102 00:04:53,240 --> 00:05:00,530 a teenager we didn't have the internet 103 00:04:55,430 --> 00:05:03,950 yet because gray hair stuff so I do 104 00:05:00,530 --> 00:05:06,080 remember a friend calling a few services 105 00:05:03,950 --> 00:05:08,690 to his neighbor because he hated him and 106 00:05:06,080 --> 00:05:11,719 we found the funny at the time but it 107 00:05:08,690 --> 00:05:16,270 wasn't the police it was just the people 108 00:05:11,720 --> 00:05:19,490 you could call like a I don't know 109 00:05:16,270 --> 00:05:21,950 hospitals the police we didn't call or 110 00:05:19,490 --> 00:05:22,340 he didn't call so we thought that was 111 00:05:21,950 --> 00:05:25,039 funny 112 00:05:22,340 --> 00:05:29,330 in retrospect it was as dumb as this 113 00:05:25,040 --> 00:05:31,780 but the one thing that happened 114 00:05:29,330 --> 
00:05:36,140 over the one example that I'm having is 115 00:05:31,780 --> 00:05:39,049 when two people had an online fight 116 00:05:36,140 --> 00:05:43,190 about one dollar and fifty in the game 117 00:05:39,050 --> 00:05:45,710 of Call of Duty 3 I think it was where 118 00:05:43,190 --> 00:05:47,900 the people let's call them a and B I do 119 00:05:45,710 --> 00:05:53,030 have the names but they are really not 120 00:05:47,900 --> 00:05:55,940 that important a thought that P should 121 00:05:53,030 --> 00:05:58,460 give him the $1 and 50 for an online 122 00:05:55,940 --> 00:06:01,550 nature they had and P didn't feel like 123 00:05:58,460 --> 00:06:05,060 it so a threatened to SWAT him and B 124 00:06:01,550 --> 00:06:07,790 said go ahead this is my address but he 125 00:06:05,060 --> 00:06:09,680 didn't give the right address so he gave 126 00:06:07,790 --> 00:06:12,170 an address where he used to live years 127 00:06:09,680 --> 00:06:16,430 and years ago and what happened this a 128 00:06:12,170 --> 00:06:20,390 asked his pal C just want this guy so C 129 00:06:16,430 --> 00:06:22,730 was known and very notorious for calling 130 00:06:20,390 --> 00:06:24,200 the police on other people he described 131 00:06:22,730 --> 00:06:26,570 a violent crime going on 132 00:06:24,200 --> 00:06:28,640 he said the son already has murdered his 133 00:06:26,570 --> 00:06:30,710 father and he has cornered the rest of 134 00:06:28,640 --> 00:06:32,690 the family in the bathroom and please 135 00:06:30,710 --> 00:06:36,289 couldn't the police come and have a word 136 00:06:32,690 --> 00:06:39,500 with him so the police went to the 137 00:06:36,290 --> 00:06:41,060 address that they had and they knocked 138 00:06:39,500 --> 00:06:43,550 so 139 00:06:41,060 --> 00:06:44,900 person D opened the door and for some 140 00:06:43,550 --> 00:06:48,380 reason we will never know 141 00:06:44,900 --> 00:06:52,099 he am he got nervous because he looked 142 00:06:48,380 --> 00:06:53,750 into 
the guns of a few people of the 143 00:06:52,100 --> 00:06:57,050 police people and he reached for his 144 00:06:53,750 --> 00:06:59,720 waistband maybe to scratch his ass but 145 00:06:57,050 --> 00:07:01,730 the police took that for he was to draw 146 00:06:59,720 --> 00:07:04,130 a weapon because they thought a Weiland 147 00:07:01,730 --> 00:07:07,120 crime is going on and they shot him and 148 00:07:04,130 --> 00:07:11,120 they killed him for one dollar and fifty 149 00:07:07,120 --> 00:07:12,770 which basically means that guy who 150 00:07:11,120 --> 00:07:15,080 wasn't in one line who wasn't even 151 00:07:12,770 --> 00:07:18,080 playing games got shot because of 152 00:07:15,080 --> 00:07:21,409 something that went on in the cyber 153 00:07:18,080 --> 00:07:22,640 domain so it isn't a question whether so 154 00:07:21,410 --> 00:07:25,970 I have impacts the physical domain I 155 00:07:22,640 --> 00:07:30,229 think that is pretty much improving it 156 00:07:25,970 --> 00:07:33,980 does and it doesn't even have the need 157 00:07:30,230 --> 00:07:38,060 of you to be online or in any way 158 00:07:33,980 --> 00:07:40,760 interested in cyber so how could we 159 00:07:38,060 --> 00:07:43,220 empower people how can we get our 160 00:07:40,760 --> 00:07:46,760 colleagues to be better at security 161 00:07:43,220 --> 00:07:49,580 because we tried for years or we as the 162 00:07:46,760 --> 00:07:51,830 industry to just tell them they should 163 00:07:49,580 --> 00:07:55,940 be more secure and somehow that didn't 164 00:07:51,830 --> 00:07:58,039 work so we came up with a few 165 00:07:55,940 --> 00:08:00,980 interesting examples I hope they are 166 00:07:58,040 --> 00:08:03,920 interesting to you as well so who of you 167 00:08:00,980 --> 00:08:07,130 has heard of the old TRO of the pen 168 00:08:03,920 --> 00:08:09,710 tester that just leaves a few USB drives 169 00:08:07,130 --> 00:08:11,690 at the parking lot at at some point they 170 00:08:09,710 --> 
00:08:14,299 have network access because people are 171 00:08:11,690 --> 00:08:17,930 going to plug them in I've heard the 172 00:08:14,300 --> 00:08:27,500 story and actually it has been validated 173 00:08:17,930 --> 00:08:30,080 by by by by by the University of 174 00:08:27,500 --> 00:08:33,559 Illinois I was looking for that and they 175 00:08:30,080 --> 00:08:36,559 handed up about 300 USB drives and about 176 00:08:33,559 --> 00:08:39,679 half of them got plugged a so how do you 177 00:08:36,559 --> 00:08:43,309 counter that because the thing is most 178 00:08:39,679 --> 00:08:45,410 of us are still really helpful or we 179 00:08:43,309 --> 00:08:47,209 want to help if you were working at a 180 00:08:45,410 --> 00:08:48,920 company you found a USB Drive at the 181 00:08:47,210 --> 00:08:51,610 parking lot and it had a set of keys 182 00:08:48,920 --> 00:08:54,279 with it and maybe a little toy figure 183 00:08:51,610 --> 00:08:56,139 wouldn't you want to plug it in and 184 00:08:54,279 --> 00:08:58,720 what's on it just to find out who the 185 00:08:56,139 --> 00:09:00,490 person was to return it or if you're 186 00:08:58,720 --> 00:09:02,499 really person wouldn't you like to plug 187 00:09:00,490 --> 00:09:06,879 it in if it was labeled Bitcoin wallet 188 00:09:02,499 --> 00:09:09,550 or maybe finances 2019 so as an attacker 189 00:09:06,879 --> 00:09:11,829 I have a lot of social engineering 190 00:09:09,550 --> 00:09:14,589 vectors to make it more interesting and 191 00:09:11,829 --> 00:09:16,930 to get people to really plug it in and 192 00:09:14,589 --> 00:09:18,160 basically I'm talking to a roomful of 193 00:09:16,930 --> 00:09:20,800 security researchers or people 194 00:09:18,160 --> 00:09:22,689 interested in the topic so who if you 195 00:09:20,800 --> 00:09:26,050 wouldn't plug it it of course we would 196 00:09:22,689 --> 00:09:27,939 plug it in but of course we think we 197 00:09:26,050 --> 00:09:33,540 would do it in a secure environment and 
198 00:09:27,939 --> 00:09:37,660 we would be very wary of the device but 199 00:09:33,540 --> 00:09:40,689 we build something that we call over the 200 00:09:37,660 --> 00:09:44,290 wireless detention station the way that 201 00:09:40,689 --> 00:09:47,050 works is you need to authenticate with 202 00:09:44,290 --> 00:09:49,509 your company card and then you plug in a 203 00:09:47,050 --> 00:09:51,639 USB Drive and you get all the files on 204 00:09:49,509 --> 00:09:54,459 the drive you select those that you want 205 00:09:51,639 --> 00:09:57,339 at your office PC and you click send and 206 00:09:54,459 --> 00:09:59,619 once you're back at your office PC you 207 00:09:57,339 --> 00:10:03,370 will have a link to network drive and 208 00:09:59,620 --> 00:10:05,110 you can download them pretty easy why 209 00:10:03,370 --> 00:10:07,809 did we build that we didn't have in mind 210 00:10:05,110 --> 00:10:10,000 that people should be able to plug in 211 00:10:07,809 --> 00:10:12,879 USB drives they found at the parking lot 212 00:10:10,000 --> 00:10:17,110 I would like to acquaint you with 213 00:10:12,879 --> 00:10:19,720 something that it is a story directly 214 00:10:17,110 --> 00:10:22,839 from big companies if you're working for 215 00:10:19,720 --> 00:10:24,579 a small company that's cool if you're 216 00:10:22,839 --> 00:10:25,360 working for a big company that might be 217 00:10:24,579 --> 00:10:28,180 cool as well 218 00:10:25,360 --> 00:10:32,889 but both have their own dangerous let's 219 00:10:28,180 --> 00:10:35,258 say and big companies like my company we 220 00:10:32,889 --> 00:10:37,059 do have some processes that are really 221 00:10:35,259 --> 00:10:42,670 really stupid if you have a closer look 222 00:10:37,059 --> 00:10:46,269 at it so assuming I wanted to have a 223 00:10:42,670 --> 00:10:49,628 presentation and I had to give it next 224 00:10:46,269 --> 00:10:51,069 day and I worked on it yesterday and I 225 00:10:49,629 --> 00:10:53,139 wanted to 
bring it to the office I 226 00:10:51,069 --> 00:10:56,079 wasn't allowed to do that because the 227 00:10:53,139 --> 00:10:58,269 USB drive would have to have put in an 228 00:10:56,079 --> 00:11:01,500 envelope that envelope gets sent to a 229 00:10:58,269 --> 00:11:03,490 different building in the same city 230 00:11:01,500 --> 00:11:06,279 somewhere there's some kind of magic 231 00:11:03,490 --> 00:11:06,480 would happen and they were labeled they 232 00:11:06,279 --> 00:11:08,639 were 233 00:11:06,480 --> 00:11:11,040 seal it and they would put it in an 234 00:11:08,639 --> 00:11:13,589 envelope and the internal Postal Service 235 00:11:11,040 --> 00:11:17,329 would bring it back to my desk and this 236 00:11:13,589 --> 00:11:19,709 would take about how long what you think 237 00:11:17,329 --> 00:11:23,939 three days if you were really really 238 00:11:19,709 --> 00:11:25,619 lucky more often four or five days so if 239 00:11:23,940 --> 00:11:28,589 you really have something important 240 00:11:25,620 --> 00:11:30,300 going on then it wouldn't work again 241 00:11:28,589 --> 00:11:32,670 assuming you have a presentation that 242 00:11:30,300 --> 00:11:34,469 you have to give the next day what are 243 00:11:32,670 --> 00:11:38,189 you going to do are you going to follow 244 00:11:34,470 --> 00:11:40,649 proper process no you won't so people 245 00:11:38,190 --> 00:11:42,660 would just pluck the USB drives into 246 00:11:40,649 --> 00:11:45,199 their office PCs and just keeping 247 00:11:42,660 --> 00:11:48,630 fingers crossed that everything is okay 248 00:11:45,199 --> 00:11:51,149 but with building that virus detention 249 00:11:48,630 --> 00:11:52,920 station basically what we did it is we 250 00:11:51,149 --> 00:11:56,190 gave them the the option to have it 251 00:11:52,920 --> 00:11:58,790 sooner and now you can plug in any kind 252 00:11:56,190 --> 00:12:02,250 of your speed drive that you find well 253 00:11:58,790 --> 00:12:06,060 this company policy 
again what do you 254 00:12:02,250 --> 00:12:08,250 think happens according to the written 255 00:12:06,060 --> 00:12:11,399 down company policy if somebody finds a 256 00:12:08,250 --> 00:12:13,100 USB Drive lying at the parking lot they 257 00:12:11,399 --> 00:12:14,850 should hand it over to building security 258 00:12:13,100 --> 00:12:17,490 so far so good 259 00:12:14,850 --> 00:12:22,319 what is building security going to do 260 00:12:17,490 --> 00:12:24,660 with the USB Drive so the written 261 00:12:22,319 --> 00:12:27,689 procedure is they hand it to the 262 00:12:24,660 --> 00:12:31,230 communal lost-and-found which is three 263 00:12:27,690 --> 00:12:33,089 kilometres away and the USB Drive gets 264 00:12:31,230 --> 00:12:36,300 lost basically because you could throw 265 00:12:33,089 --> 00:12:39,029 it away I still want to go there and say 266 00:12:36,300 --> 00:12:41,639 you know I've lost the USB Drive it's 267 00:12:39,029 --> 00:12:44,880 black about that size do you have one 268 00:12:41,639 --> 00:12:46,350 and see see what happens that would be 269 00:12:44,880 --> 00:12:49,769 interesting so we're still working on 270 00:12:46,350 --> 00:12:52,529 that part the people responsible for 271 00:12:49,769 --> 00:12:54,600 that said why this process is working 272 00:12:52,529 --> 00:12:56,810 why should we change anything that's the 273 00:12:54,600 --> 00:13:00,569 fun when you're working in a big company 274 00:12:56,810 --> 00:13:03,089 but basically now people can use thumb 275 00:13:00,569 --> 00:13:06,029 drives the way thumb drives are meant to 276 00:13:03,089 --> 00:13:08,699 be used the next thing I would like to 277 00:13:06,029 --> 00:13:11,010 talk about is fishing and of course 278 00:13:08,699 --> 00:13:14,010 fishing is still also something that is 279 00:13:11,010 --> 00:13:15,569 very effective if you want to get into 280 00:13:14,010 --> 00:13:19,860 networks if you want to get people to 281 00:13:15,569 --> 00:13:21,810 click on 
links and shop 282 00:13:19,860 --> 00:13:26,490 into the audience which of these things 283 00:13:21,810 --> 00:13:29,729 is malicious and of course it is 284 00:13:26,490 --> 00:13:32,550 terribly difficult to spot that without 285 00:13:29,730 --> 00:13:38,310 any kind of research link shorteners 286 00:13:32,550 --> 00:13:40,229 like but we and Google and whatnot are 287 00:13:38,310 --> 00:13:43,109 making it nearly impossible to see 288 00:13:40,230 --> 00:13:45,120 whether this link is malicious or it is 289 00:13:43,110 --> 00:13:47,370 you have to follow it and you have to 290 00:13:45,120 --> 00:13:49,709 have a look and then you can maybe tell 291 00:13:47,370 --> 00:13:52,620 if it's malicious I'm assuming with an O 292 00:13:49,709 --> 00:13:54,989 with a zero as I know this is actually a 293 00:13:52,620 --> 00:13:59,459 link that gets back to Amazon because 294 00:13:54,990 --> 00:14:02,399 they have that Amin and this is the IP 295 00:13:59,459 --> 00:14:04,859 address of our our own website so it's 296 00:14:02,399 --> 00:14:07,200 and the last thing actually the first 297 00:14:04,860 --> 00:14:09,329 thing goes to Securitate and the last 298 00:14:07,200 --> 00:14:13,500 link goes to the slides so they should 299 00:14:09,329 --> 00:14:16,439 be up tomorrow evening I think but my 300 00:14:13,500 --> 00:14:19,800 point is we try to get users to read 301 00:14:16,440 --> 00:14:24,060 male headers we try to get users to read 302 00:14:19,800 --> 00:14:28,740 links and to interpret whether a male 303 00:14:24,060 --> 00:14:30,810 was malicious or not and it's been a 304 00:14:28,740 --> 00:14:32,550 long time since I've read male had us to 305 00:14:30,810 --> 00:14:36,390 find out whether man is malicious or not 306 00:14:32,550 --> 00:14:38,160 and Brian came up with the term we 307 00:14:36,390 --> 00:14:40,980 should look for indicators of 308 00:14:38,160 --> 00:14:44,910 because that is much more easy much 309 00:14:40,980 --> 00:14:47,190 
easier and I'm going to enter the 310 00:14:44,910 --> 00:14:50,339 indicators and I hope you will you will 311 00:14:47,190 --> 00:14:52,019 agree that if there's one or more of 312 00:14:50,339 --> 00:14:54,029 these indicators in an e-mail you can 313 00:14:52,019 --> 00:14:57,000 safely throw it away in a business 314 00:14:54,029 --> 00:14:59,760 context because this is not going to be 315 00:14:57,000 --> 00:15:03,029 anything you want to deal with first 316 00:14:59,760 --> 00:15:05,939 thing as always is money because at the 317 00:15:03,029 --> 00:15:09,390 end of the day people want to make money 318 00:15:05,940 --> 00:15:15,120 and the scammers want to get your money 319 00:15:09,390 --> 00:15:18,420 or this is the end goal so whenever 320 00:15:15,120 --> 00:15:20,850 someone in a male wants money from you 321 00:15:18,420 --> 00:15:22,769 then just get very suspicious because 322 00:15:20,850 --> 00:15:24,839 why and it doesn't matter what the 323 00:15:22,769 --> 00:15:27,930 context this just get very suspicious 324 00:15:24,839 --> 00:15:31,800 and that's also for for private emails 325 00:15:27,930 --> 00:15:32,910 as well Mario this goes together with 326 00:15:31,800 --> 00:15:38,699 threats 327 00:15:32,910 --> 00:15:41,279 so the threat is you could buy a you 328 00:15:38,699 --> 00:15:43,439 could get an email saying we noticed 329 00:15:41,279 --> 00:15:46,079 that you downloaded this software the 330 00:15:43,440 --> 00:15:49,589 software is our intellectual property so 331 00:15:46,079 --> 00:15:52,529 you need to buy you need to pay us 200 332 00:15:49,589 --> 00:15:56,910 euros and we will let it slip but if you 333 00:15:52,529 --> 00:15:59,040 don't we're just actually we are going 334 00:15:56,910 --> 00:16:02,160 to sue you and probably will end up 335 00:15:59,040 --> 00:16:05,790 paying 5,000 euros so this is a threat 336 00:16:02,160 --> 00:16:07,860 another threat is just implying that 337 00:16:05,790 --> 00:16:10,290 somebody 
has done something illegal 338 00:16:07,860 --> 00:16:12,360 because this is a motivator as well most 339 00:16:10,290 --> 00:16:15,209 of us do not want to do something 340 00:16:12,360 --> 00:16:17,009 illegal and if you get a mail saying we 341 00:16:15,209 --> 00:16:21,529 noticed that you did that that that is 342 00:16:17,009 --> 00:16:24,720 illegal and just to clean the slate to 343 00:16:21,529 --> 00:16:29,550 to make your name good again you have to 344 00:16:24,720 --> 00:16:31,410 pay this fair amount it's something for 345 00:16:29,550 --> 00:16:35,849 most of us where we would react and say 346 00:16:31,410 --> 00:16:38,550 ok are out of fear maybe I'm going to do 347 00:16:35,850 --> 00:16:42,259 that even if I am not sure I get that 348 00:16:38,550 --> 00:16:44,819 but the risk is too high 349 00:16:42,259 --> 00:16:48,000 another good indicator of is 350 00:16:44,819 --> 00:16:51,899 romance and I'm using the term very 351 00:16:48,000 --> 00:16:56,220 loosely so whenever you get a mail from 352 00:16:51,899 --> 00:16:59,100 a nice Russian lady who really has 353 00:16:56,220 --> 00:17:03,779 developed an interest in you and you 354 00:16:59,100 --> 00:17:05,789 alone then just think about the context 355 00:17:03,779 --> 00:17:10,770 and think about what where she got your 356 00:17:05,789 --> 00:17:13,740 name one of the spam emails I got years 357 00:17:10,770 --> 00:17:16,619 ago that I still very very much cherish 358 00:17:13,740 --> 00:17:18,480 in my heart started with them we found 359 00:17:16,619 --> 00:17:24,539 your name in the database of real 360 00:17:18,480 --> 00:17:26,459 reliable persons in Germany be cool but 361 00:17:24,539 --> 00:17:30,000 flattering of course enrollments and 362 00:17:26,459 --> 00:17:32,880 things like that and are good indicators 363 00:17:30,000 --> 00:17:35,429 as well and one indicator that nearly 364 00:17:32,880 --> 00:17:41,070 every time plays some kind of role as 365 00:17:35,429 --> 
00:17:44,370 well is urgency as for my example 366 00:17:41,070 --> 00:17:46,620 earlier on you pay 80 euros now and 367 00:17:44,370 --> 00:17:48,840 you're okay or 5,000 euros late 368 00:17:46,620 --> 00:17:51,239 because we need to sue you there's 369 00:17:48,840 --> 00:17:54,480 always a time limit like you have to do 370 00:17:51,240 --> 00:17:56,640 it within the next 24 hours or 48 hours 371 00:17:54,480 --> 00:17:59,580 but very often this is a very short time 372 00:17:56,640 --> 00:18:02,280 living limit and that is a quite nifty 373 00:17:59,580 --> 00:18:06,210 psychological trick because as soon as 374 00:18:02,280 --> 00:18:08,730 you put somebody to a decision and give 375 00:18:06,210 --> 00:18:10,650 them only a small amount of time the 376 00:18:08,730 --> 00:18:14,100 brain works differently as if you don't 377 00:18:10,650 --> 00:18:16,350 have a time limit because you you just 378 00:18:14,100 --> 00:18:18,149 don't really think thoroughly about it 379 00:18:16,350 --> 00:18:20,550 you think about the consequences what 380 00:18:18,150 --> 00:18:25,110 happens and if the time limit is already 381 00:18:20,550 --> 00:18:27,928 ticking then you are probably paying 382 00:18:25,110 --> 00:18:28,469 it's some of them ransomware does that 383 00:18:27,929 --> 00:18:31,260 as well 384 00:18:28,470 --> 00:18:35,730 like just pay us within the next six six 385 00:18:31,260 --> 00:18:38,670 hours or the price will triple so you're 386 00:18:35,730 --> 00:18:41,100 not thinking well and all of these 387 00:18:38,670 --> 00:18:44,190 indicators actually are for business 388 00:18:41,100 --> 00:18:45,959 emails as well as private emails and the 389 00:18:44,190 --> 00:18:47,970 next thing that's also a little bit 390 00:18:45,960 --> 00:18:52,080 psychological and I still need to do a 391 00:18:47,970 --> 00:18:54,870 few tests on that but when we read 392 00:18:52,080 --> 00:18:56,040 emails or when people really mails they 393 00:18:54,870 --> 
00:18:58,620 want to do something with it 394 00:18:56,040 --> 00:19:00,450 so either you want to answer or you want 395 00:18:58,620 --> 00:19:03,959 to tick that box that you've dealt with 396 00:19:00,450 --> 00:19:08,130 that email just putting it to trash 397 00:19:03,960 --> 00:19:11,100 doesn't really satisfy that need to do 398 00:19:08,130 --> 00:19:14,730 something with the email so in your 399 00:19:11,100 --> 00:19:17,490 business context if you can put in a 400 00:19:14,730 --> 00:19:19,260 button that says forward this email to 401 00:19:17,490 --> 00:19:21,179 your security team whether your security 402 00:19:19,260 --> 00:19:23,340 team is might be a secure operation 403 00:19:21,179 --> 00:19:27,840 center or your main security team 404 00:19:23,340 --> 00:19:30,178 whatever then somebody who got a fish or 405 00:19:27,840 --> 00:19:31,709 spam I can click that button the mail 406 00:19:30,179 --> 00:19:34,980 gets forwarded to the relevant people 407 00:19:31,710 --> 00:19:38,460 and I feel good about it because it has 408 00:19:34,980 --> 00:19:40,140 been dealt with and every social 409 00:19:38,460 --> 00:19:44,370 awareness platform that does phishing 410 00:19:40,140 --> 00:19:46,050 campaigns that I have looked at just 411 00:19:44,370 --> 00:19:47,550 that kind of thing they implement a 412 00:19:46,050 --> 00:19:49,409 button where you can just deal with the 413 00:19:47,550 --> 00:19:52,919 email because then it's out of your mind 414 00:19:49,410 --> 00:19:54,690 and it's actually a very good thing not 415 00:19:52,920 --> 00:19:56,580 for the secure operation center because 416 00:19:54,690 --> 00:19:59,010 those guys very often complain that they 417 00:19:56,580 --> 00:20:00,449 get such a lot of spam it's not best BAM 418 00:19:59,010 --> 00:20:03,090 it's the spammers it's going to just be 419 00:20:00,450 --> 00:20:05,610 sent to them but on the other hand this 420 00:20:03,090 --> 00:20:10,860 these are always fishes and emails 
that 421 00:20:05,610 --> 00:20:13,439 pass all of your controls that means the 422 00:20:10,860 --> 00:20:15,629 domains are not blacklisted yet whatever 423 00:20:13,440 --> 00:20:18,090 the attachment is is not recognized yet 424 00:20:15,630 --> 00:20:21,360 so it's a valuable source of Intel 425 00:20:18,090 --> 00:20:23,970 actually to treat your filters so it 426 00:20:21,360 --> 00:20:30,209 benefits it's beneficial to all our 427 00:20:23,970 --> 00:20:31,650 sites and now comes one of the things I 428 00:20:30,210 --> 00:20:33,600 really love to talk about that is 429 00:20:31,650 --> 00:20:36,750 reverse social engineering and I've got 430 00:20:33,600 --> 00:20:38,840 an example for you who of you has heard 431 00:20:36,750 --> 00:20:43,200 about CEO fraud 432 00:20:38,840 --> 00:20:45,659 so CEO fraud basically has nothing to do 433 00:20:43,200 --> 00:20:51,960 at all with computers it's just a plain 434 00:20:45,660 --> 00:20:54,690 old scan and to put it well it's it's 435 00:20:51,960 --> 00:20:56,790 it's very simplifying but basically 436 00:20:54,690 --> 00:20:58,950 someone claiming to be the CEO of a 437 00:20:56,790 --> 00:21:02,070 company sends a mail to somebody within 438 00:20:58,950 --> 00:21:04,500 the company and says you know I'm in 439 00:21:02,070 --> 00:21:07,139 country X we really need to acquire a 440 00:21:04,500 --> 00:21:11,550 company set can we make a transfer of 441 00:21:07,140 --> 00:21:13,470 300 huh 300 thousand euros today so of 442 00:21:11,550 --> 00:21:15,600 course the person that is targeted will 443 00:21:13,470 --> 00:21:18,690 be in finances and they will have the 444 00:21:15,600 --> 00:21:22,709 ability to do that hopefully but very 445 00:21:18,690 --> 00:21:24,660 often there is again written procedures 446 00:21:22,710 --> 00:21:26,910 that do not allow the person to do that 447 00:21:24,660 --> 00:21:29,750 but what do you do if you get a mail 448 00:21:26,910 --> 00:21:34,530 from the CEO you might act 
upon that and 449 00:21:29,750 --> 00:21:36,600 if that goes on then basically that pupi 450 00:21:34,530 --> 00:21:38,910 a person at the company will end up 451 00:21:36,600 --> 00:21:41,389 transferring money to a scammer 452 00:21:38,910 --> 00:21:45,809 because they've been socially engineered 453 00:21:41,390 --> 00:21:49,440 the fake CEO said this had to be done 454 00:21:45,809 --> 00:21:51,660 and they followed with it this is 455 00:21:49,440 --> 00:21:54,960 something that sounds very silly if I 456 00:21:51,660 --> 00:21:57,090 simplified and if I just say basically 457 00:21:54,960 --> 00:21:59,400 somebody from the outset says give me 458 00:21:57,090 --> 00:22:01,949 money and people in the company do that 459 00:21:59,400 --> 00:22:03,720 but please bear in mind that Google and 460 00:22:01,950 --> 00:22:06,150 Facebook helped for that for one hundred 461 00:22:03,720 --> 00:22:09,060 million dollars combined and there are 462 00:22:06,150 --> 00:22:10,830 many companies who fall for that in the 463 00:22:09,060 --> 00:22:12,210 millions this is not a scam that brings 464 00:22:10,830 --> 00:22:14,279 in a few thousand euros 465 00:22:12,210 --> 00:22:16,320 you really if you do that and if you 466 00:22:14,279 --> 00:22:18,289 pull that off you get millions because 467 00:22:16,320 --> 00:22:21,029 you target companies that are picking up 468 00:22:18,289 --> 00:22:23,970 one of the companies at the places where 469 00:22:21,029 --> 00:22:26,190 I live that is Nuremberg in Germany fell 470 00:22:23,970 --> 00:22:29,129 for that scam and they shelled out 40 471 00:22:26,190 --> 00:22:31,440 million euros oh the good thing was it 472 00:22:29,129 --> 00:22:35,070 didn't really break the whole company 473 00:22:31,440 --> 00:22:39,389 but it put a dent into it into the cash 474 00:22:35,070 --> 00:22:42,928 flow positive so what could we actually 475 00:22:39,389 --> 00:22:45,719 do to make that better and another 476 00:22:42,929 --> 00:22:49,710 
company in Nuremberg came up with a 477 00:22:45,720 --> 00:22:52,799 hilarious idea. So they've got so many 478 00:22:49,710 --> 00:22:55,259 emails with CEO fraud that they got 479 00:22:52,799 --> 00:22:57,869 bored with it, they really got annoyed, 480 00:22:55,259 --> 00:23:00,059 and what they did was they told every 481 00:22:57,869 --> 00:23:03,299 employee, you know, if you get an email 482 00:23:00,059 --> 00:23:05,789 just forward it to the SOC, and the SOC 483 00:23:03,299 --> 00:23:08,399 would then go and change the email 484 00:23:05,789 --> 00:23:11,759 address slightly so that it is not noticed 485 00:23:08,399 --> 00:23:15,508 and start communicating with the scammer. 486 00:23:11,759 --> 00:23:18,869 I would say, you know, oh CEO, very nice to hear 487 00:23:15,509 --> 00:23:20,970 from you, and you know I am not allowed 488 00:23:18,869 --> 00:23:24,240 to transfer such large, large sums of 489 00:23:20,970 --> 00:23:26,460 money, but probably you have forgotten 490 00:23:24,240 --> 00:23:30,110 that we have this, this very new, 491 00:23:26,460 --> 00:23:32,820 brand-new payment portal. Payment portal? 492 00:23:30,110 --> 00:23:35,610 Yeah, we do have the payment portal and 493 00:23:32,820 --> 00:23:38,639 you can do all of your transfers 494 00:23:35,610 --> 00:23:41,580 yourself. Have you forgotten your login 495 00:23:38,639 --> 00:23:43,139 details? And as a scammer, of course I've 496 00:23:41,580 --> 00:23:44,519 forgotten my login details because I've 497 00:23:43,139 --> 00:23:46,529 never had them in the first place. 498 00:23:44,519 --> 00:23:48,929 So they asked for user ID and password, 499 00:23:46,529 --> 00:23:51,119 they're getting it, they are moving on, 500 00:23:48,929 --> 00:23:53,220 they are ticking a box saying yeah, yeah, 501 00:23:51,119 --> 00:23:55,740 I've read terms and conditions and 502 00:23:53,220 --> 00:23:59,279 everything's okay, and they are presented 503 00:23:55,740 --> 00:24:01,860 with a portal where you can enter who 504 00:23:59,279 --> 
00:24:05,220 should receive the money, which account 505 00:24:01,860 --> 00:24:08,340 and how much. So basically, as the scammer, 506 00:24:05,220 --> 00:24:10,139 that's the cheat mode, right? Because if I 507 00:24:08,340 --> 00:24:12,059 can transfer the money to myself and I 508 00:24:10,139 --> 00:24:15,418 don't need anybody else, then that is 509 00:24:12,059 --> 00:24:18,450 very good. Except of course, um, 510 00:24:15,419 --> 00:24:20,879 it does not happen. What happens is that 511 00:24:18,450 --> 00:24:25,909 at the moment where the scammer presses 512 00:24:20,879 --> 00:24:29,039 send or transfer, the IBAN, so the long 513 00:24:25,909 --> 00:24:30,690 number describing the account, and the 514 00:24:29,039 --> 00:24:34,079 account name are getting 515 00:24:30,690 --> 00:24:37,259 blacklisted, and it's a lot more 516 00:24:34,079 --> 00:24:39,418 difficult to get a new bank account than 517 00:24:37,259 --> 00:24:41,759 it is to get a new email address. I guess 518 00:24:39,419 --> 00:24:45,539 this is something that most of you will 519 00:24:41,759 --> 00:24:48,479 appreciate. So this company is building 520 00:24:45,539 --> 00:24:50,249 up a list with blocked IBANs because 521 00:24:48,479 --> 00:24:53,339 they are used for fraudulent purposes, 522 00:24:50,249 --> 00:24:55,349 and at the moment we are trying to build 523 00:24:53,339 --> 00:24:57,359 a database on that and we're trying to 524 00:24:55,349 --> 00:24:59,458 share the information. But the fun thing 525 00:24:57,359 --> 00:25:03,119 is, if you're one of the good guys 526 00:24:59,459 --> 00:25:04,709 trying to stick to GDPR, then you're not 527 00:25:03,119 --> 00:25:06,359 really allowed to do that because you 528 00:25:04,709 --> 00:25:10,669 haven't asked the scammer whether he's 529 00:25:06,359 --> 00:25:10,668 okay with you using their personal data. 530 00:25:12,440 --> 00:25:19,589 Yeah, exactly. And so at the moment we've, 531 00:25:16,829 --> 00:25:21,869 we still try to figure out a
way how we 532 00:25:19,589 --> 00:25:23,849 can share the data and make it 533 00:25:21,869 --> 00:25:27,599 accessible for all the people who would 534 00:25:23,849 --> 00:25:30,139 have an interest in that, but again, human 535 00:25:27,599 --> 00:25:32,789 rights and other things come into play. 536 00:25:30,139 --> 00:25:34,939 The very good thing is, at the end of the 537 00:25:32,789 --> 00:25:37,469 day the scammer won't have the money and 538 00:25:34,940 --> 00:25:40,739 they will have been tricked into giving 539 00:25:37,469 --> 00:25:43,579 out valuable information without having 540 00:25:40,739 --> 00:25:46,289 anything in return. 541 00:25:43,579 --> 00:25:48,359 I'd also like to talk a little bit about 542 00:25:46,289 --> 00:25:52,349 passwords. I know this is one of the 543 00:25:48,359 --> 00:25:54,119 topics that is controversial and that is 544 00:25:52,349 --> 00:25:58,379 still something that we need at the 545 00:25:54,119 --> 00:25:59,789 moment, but still I think there's so many 546 00:25:58,379 --> 00:26:03,119 things that need to be said about 547 00:25:59,789 --> 00:26:05,849 passwords, especially with this 548 00:26:03,119 --> 00:26:10,649 discussion about password safes during the 549 00:26:05,849 --> 00:26:14,820 last one or two weeks. I mean, a strong 550 00:26:10,649 --> 00:26:18,329 password is always better than something 551 00:26:14,820 --> 00:26:20,820 that you can come up with, or that a non- 552 00:26:18,329 --> 00:26:22,619 security person can come up with. If it 553 00:26:20,820 --> 00:26:25,559 comes from a password safe or if it is 554 00:26:22,619 --> 00:26:28,370 generated, if it's generated and if it's 555 00:26:25,559 --> 00:26:31,399 really, really good, then the chances are 556 00:26:28,370 --> 00:26:33,439 that you won't be able to actually keep 557 00:26:31,400 --> 00:26:35,510 it in mind, especially if you have 558 00:26:33,440 --> 00:26:37,520 passwords that are different for the 559 00:26:35,510 --> 00:26:40,670 hundreds of websites
and logins that 560 00:26:37,520 --> 00:26:42,800 you're using. So the left one would be a 561 00:26:40,670 --> 00:26:49,130 very good password, but do you know why 562 00:26:42,800 --> 00:26:51,260 it isn't? Sorry, no, not because of the 563 00:26:49,130 --> 00:26:57,410 remembering, but it's on a slide that is 564 00:26:51,260 --> 00:27:00,410 being recorded. But this is something 565 00:26:57,410 --> 00:27:02,270 that most of my passwords look like, because I 566 00:27:00,410 --> 00:27:03,860 can't remember them. I've got them in my 567 00:27:02,270 --> 00:27:05,570 password safe and I've got a password 568 00:27:03,860 --> 00:27:09,620 that I hopefully can remember to access 569 00:27:05,570 --> 00:27:12,439 my password safe, and even if somebody 570 00:27:09,620 --> 00:27:14,030 is holding a gun at my temple and telling 571 00:27:12,440 --> 00:27:17,150 me I should tell them my passwords, I 572 00:27:14,030 --> 00:27:19,100 can't, because again, I'm old and I'm going to 573 00:27:17,150 --> 00:27:22,040 forget them anyway, so why do you have to 574 00:27:19,100 --> 00:27:24,350 remember them? So I think we can 575 00:27:22,040 --> 00:27:26,450 agree on that. What we probably can't 576 00:27:24,350 --> 00:27:30,070 agree upon, at least a few people can't, 577 00:27:26,450 --> 00:27:33,380 is when you, when you're talking about 578 00:27:30,070 --> 00:27:35,840 colleagues or empowering layer 8 or other 579 00:27:33,380 --> 00:27:38,840 people who are not as tech savvy, then 580 00:27:35,840 --> 00:27:42,139 I'd like to take into account also your 581 00:27:38,840 --> 00:27:44,959 nan, for example, or your, your friends 582 00:27:42,140 --> 00:27:48,200 that are not online, and all the people 583 00:27:44,960 --> 00:27:50,929 who are a little bit online every now and 584 00:27:48,200 --> 00:27:53,630 then, have a Facebook account or any 585 00:27:50,929 --> 00:27:57,530 other account where they do a little bit 586 00:27:53,630 --> 00:27:59,750 of stuff. And very often, if you can get 587 
00:27:57,530 --> 00:28:01,700 them to use a password safe, that's great, 588 00:27:59,750 --> 00:28:04,160 then they should use a password safe, 589 00:28:01,700 --> 00:28:07,730 nothing wrong with that. On the other 590 00:28:04,160 --> 00:28:09,980 hand, if they don't want to do that, then 591 00:28:07,730 --> 00:28:14,000 let them write the passwords down in a 592 00:28:09,980 --> 00:28:17,240 little notebook. The thing is, we as an 593 00:28:14,000 --> 00:28:18,980 industry are very, very keen, or some of 594 00:28:17,240 --> 00:28:24,440 us are very keen, to say this is not 595 00:28:18,980 --> 00:28:28,130 secure. And well, if you have a look at 596 00:28:24,440 --> 00:28:30,470 everyone and try to find something one 597 00:28:28,130 --> 00:28:33,440 size fits all for everyone, everyone, then 598 00:28:30,470 --> 00:28:35,900 you might be right. But if there's a 599 00:28:33,440 --> 00:28:38,330 burglar standing in your grandmother's 600 00:28:35,900 --> 00:28:40,490 flat next to the computer flipping 601 00:28:38,330 --> 00:28:42,050 through a password book, this burglar 602 00:28:40,490 --> 00:28:44,420 doesn't exist, 603 00:28:42,050 --> 00:28:46,760 because if the burglar is in that flat 604 00:28:44,420 --> 00:28:49,070 he's looking for valuables, he's looking 605 00:28:46,760 --> 00:28:51,470 for money, he's looking for jewelry, he's 606 00:28:49,070 --> 00:28:53,510 looking for other stuff. And even if he's 607 00:28:51,470 --> 00:28:54,890 flipping through the freaking password 608 00:28:53,510 --> 00:28:56,629 book, then you just change your 609 00:28:54,890 --> 00:28:59,480 passwords afterwards because you know 610 00:28:56,630 --> 00:29:01,670 he's been there. But there's no harm in 611 00:28:59,480 --> 00:29:03,710 letting them write down the passwords, 612 00:29:01,670 --> 00:29:05,330 and if they can write down their 613 00:29:03,710 --> 00:29:08,510 passwords, then they are going to be 614 00:29:05,330 --> 00:29:11,030 better than password1 or 123456 615 00:29:08,510 
--> 00:29:13,280 and all the other stuff that we see year 616 00:29:11,030 --> 00:29:16,940 by year as the top 10 passwords in the 617 00:29:13,280 --> 00:29:20,149 world. So this is something to think 618 00:29:16,940 --> 00:29:24,970 about. If they want to use 2FA or MFA, 619 00:29:20,150 --> 00:29:28,400 then let them, this is always great, but I 620 00:29:24,970 --> 00:29:33,080 think we need to have a little bit of a 621 00:29:28,400 --> 00:29:36,950 change of thinking and think about that 622 00:29:33,080 --> 00:29:38,750 10% of security is better than 0%, and we 623 00:29:36,950 --> 00:29:42,440 can't get everybody to a hundred percent 624 00:29:38,750 --> 00:29:44,930 or 99 percent or 98. So everything we can 625 00:29:42,440 --> 00:29:47,090 implement we should do, but if people are 626 00:29:44,930 --> 00:29:49,190 not really interested in it we can't 627 00:29:47,090 --> 00:29:51,740 force them to do it, so let's find a way 628 00:29:49,190 --> 00:29:54,380 how we can make it reasonably safe. It 629 00:29:51,740 --> 00:29:58,460 doesn't have to be completely safe. And 630 00:29:54,380 --> 00:30:02,030 if you think that this is a bad approach, 631 00:29:58,460 --> 00:30:04,610 then please also think about that guy 632 00:30:02,030 --> 00:30:07,160 who ignores the smartphone's security 633 00:30:04,610 --> 00:30:08,959 and his role in the world, and whether he 634 00:30:07,160 --> 00:30:10,340 or whether your nan needs better 635 00:30:08,960 --> 00:30:12,500 security than the President of the 636 00:30:10,340 --> 00:30:17,090 United States of America. It's just 637 00:30:12,500 --> 00:30:19,460 something to think about. One thing I 638 00:30:17,090 --> 00:30:21,770 haven't seen in the wild, and there are 639 00:30:19,460 --> 00:30:24,440 reasons for that, is kind of a mail 640 00:30:21,770 --> 00:30:27,379 forwarder as a service. Again, to protect 641 00:30:24,440 --> 00:30:30,350 the people at your company you could 642 00:30:27,380 --> 00:30:33,160 have, you could register
a domain that 643 00:30:30,350 --> 00:30:37,149 has nothing to do with your company and 644 00:30:33,160 --> 00:30:40,250 offer everyone a forwarding email address. 645 00:30:37,150 --> 00:30:42,140 So the reason for that is, your email 646 00:30:40,250 --> 00:30:44,390 address, if you only have one, I'm 647 00:30:42,140 --> 00:30:48,050 assuming most of you in the room have 648 00:30:44,390 --> 00:30:49,730 way more than one, but most people who 649 00:30:48,050 --> 00:30:52,700 are online just have one email address, 650 00:30:49,730 --> 00:30:55,370 and that is the most critical asset, 651 00:30:52,700 --> 00:30:57,500 because if, as an attacker, I control the 652 00:30:55,370 --> 00:30:59,719 email address, I control all their 653 00:30:57,500 --> 00:31:01,760 accounts. Because what happens if I reset 654 00:30:59,720 --> 00:31:04,880 the password? It gets sent to the email 655 00:31:01,760 --> 00:31:07,790 address for that account, and if I can 656 00:31:04,880 --> 00:31:10,670 read that, I can get into any account for 657 00:31:07,790 --> 00:31:15,470 that email address. If you forward that, 658 00:31:10,670 --> 00:31:18,440 if I register at the platforms with a 659 00:31:15,470 --> 00:31:20,690 forwarded email address, then even if 660 00:31:18,440 --> 00:31:22,940 that platform gets breached, they do know 661 00:31:20,690 --> 00:31:25,100 my forwarded email address, they still do 662 00:31:22,940 --> 00:31:27,920 not know my real email address, and it's 663 00:31:25,100 --> 00:31:30,080 harder to attack. On the other hand, there 664 00:31:27,920 --> 00:31:33,020 are many problems with what if the 665 00:31:30,080 --> 00:31:36,139 person leaves the company and so on and 666 00:31:33,020 --> 00:31:38,030 so forth. This is why we haven't 667 00:31:36,140 --> 00:31:40,850 implemented it yet, but I think this 668 00:31:38,030 --> 00:31:43,070 would be a good idea. Even if you can get 669 00:31:40,850 --> 00:31:45,500 people to have a forwarded email address 670 00:31:43,070 --> 00:31:47,990 
instead of just a real email address, that is just 671 00:31:45,500 --> 00:31:53,540 one more layer of abstraction that makes 672 00:31:47,990 --> 00:31:57,620 it harder to attack them. And one thing I 673 00:31:53,540 --> 00:32:01,670 also want to have a look at: probably most of you 674 00:31:57,620 --> 00:32:04,159 won't be giving awareness trainings, I'm 675 00:32:01,670 --> 00:32:06,020 assuming, but if you are working at a 676 00:32:04,160 --> 00:32:08,990 company, then most of you will probably 677 00:32:06,020 --> 00:32:11,870 receive awareness trainings, which can or 678 00:32:08,990 --> 00:32:15,980 cannot be something that is really, 679 00:32:11,870 --> 00:32:18,678 really bad. We do have something called 680 00:32:15,980 --> 00:32:20,840 virtual training company, and it's like a 681 00:32:18,679 --> 00:32:22,850 Flash game from the 90s where you have 682 00:32:20,840 --> 00:32:26,540 to walk through a virtual company and 683 00:32:22,850 --> 00:32:26,780 you see that the bin is on fire. What do I 684 00:32:26,540 --> 00:32:30,020 do? 685 00:32:26,780 --> 00:32:30,770 Well, I go for a coffee, I grab a fire 686 00:32:30,020 --> 00:32:33,500 extinguisher, 687 00:32:30,770 --> 00:32:36,470 I call security. So it's, it's bloody 688 00:32:33,500 --> 00:32:39,040 stupid, and actually I think some of 689 00:32:36,470 --> 00:32:43,010 the questions are just insulting, because 690 00:32:39,040 --> 00:32:45,649 yeah, of course, you don't go for a 691 00:32:43,010 --> 00:32:49,370 coffee if there's a burning rubbish bin. 692 00:32:45,650 --> 00:32:53,150 But on the other hand, I've been working in 693 00:32:49,370 --> 00:32:55,428 various companies since 1990 and I've never 694 00:32:53,150 --> 00:32:58,550 really encountered a burning rubbish bin, 695 00:32:55,429 --> 00:33:01,550 so it's, it's not a use case that has to 696 00:32:58,550 --> 00:33:05,060 be dealt with daily. And another thing is, 697 00:33:01,550 --> 00:33:07,940 fear, uncertainty, doubt are enemies of 698 00:33:05,060 --> 00:33:08,990 security
in my eyes, because they always 699 00:33:07,940 --> 00:33:10,640 tend to, 700 00:33:08,990 --> 00:33:12,590 fear tends to be something that is 701 00:33:10,640 --> 00:33:16,549 really powerful if you want to get 702 00:33:12,590 --> 00:33:18,260 somebody to modify their behavior. Fear is 703 00:33:16,549 --> 00:33:21,379 something that will help you in the 704 00:33:18,260 --> 00:33:23,870 short run, until that person realized, 705 00:33:21,380 --> 00:33:26,059 realizes they've been tricked, and then 706 00:33:23,870 --> 00:33:27,639 they will show the opposite of the 707 00:33:26,059 --> 00:33:30,379 behavior that you wanted to have. 708 00:33:27,640 --> 00:33:34,850 Uncertainty is always bad, and doubt, 709 00:33:30,380 --> 00:33:37,130 because you should make very clear what 710 00:33:34,850 --> 00:33:39,830 you're up to, what people have to do or 711 00:33:37,130 --> 00:33:43,460 should do. And "have to do", again, is 712 00:33:39,830 --> 00:33:47,330 bad wording, because you need to get 713 00:33:43,460 --> 00:33:51,289 them on board, you shouldn't talk down to 714 00:33:47,330 --> 00:33:53,418 them, but I'm getting to that later. If 715 00:33:51,289 --> 00:33:55,070 you're doing awareness trainings, don't 716 00:33:53,419 --> 00:33:56,770 do multiple-choice click-this, because 717 00:33:55,070 --> 00:34:02,320 it's always C, right? 718 00:33:56,770 --> 00:34:05,149 Somebody tried various multiple-choice 719 00:34:02,320 --> 00:34:07,370 forms and the solutions, and they always 720 00:34:05,149 --> 00:34:09,799 took C, and they never got a passing 721 00:34:07,370 --> 00:34:10,879 grade, but C is very often the option 722 00:34:09,800 --> 00:34:14,089 that you have to take if there's only 723 00:34:10,879 --> 00:34:19,460 one choice, and nobody really likes to do 724 00:34:14,089 --> 00:34:21,469 that. So there was the human hacker Jenny 725 00:34:19,460 --> 00:34:23,750 Radcliffe, there was one of her podcasts 726 00:34:21,469 --> 00:34:28,069 with Tyra where they were discussing
727 00:34:23,750 --> 00:34:30,139 that they would laugh if people were at the 728 00:34:28,070 --> 00:34:32,450 watercooler being excited about the next 729 00:34:30,139 --> 00:34:34,700 security awareness training, but nobody 730 00:34:32,449 --> 00:34:38,750 is. It's like, yes, the bloody training 731 00:34:34,699 --> 00:34:41,149 again today, crap. So maybe we can do 732 00:34:38,750 --> 00:34:44,089 something to make that better. What we 733 00:34:41,149 --> 00:34:45,168 did, and this is very sneaky, I know, we 734 00:34:44,089 --> 00:34:49,460 didn't call it security awareness 735 00:34:45,168 --> 00:34:52,069 training, it's just different formats. One 736 00:34:49,460 --> 00:34:54,020 thing is called Long Night of the 737 00:34:52,070 --> 00:34:57,710 Sciences. This is open to the public, this 738 00:34:54,020 --> 00:35:00,470 is every two years, all kinds of 739 00:34:57,710 --> 00:35:03,530 companies just open their doors and 740 00:35:00,470 --> 00:35:05,270 show what they're doing, and we 741 00:35:03,530 --> 00:35:08,030 educated people that we didn't know 742 00:35:05,270 --> 00:35:09,950 about password security and other stuff 743 00:35:08,030 --> 00:35:12,460 just by talking about it, trying to make 744 00:35:09,950 --> 00:35:17,750 it interesting, trying to engage them. And 745 00:35:12,460 --> 00:35:20,089 I recently learned that one girl now is 746 00:35:17,750 --> 00:35:22,340 having an apprenticeship starting this 747 00:35:20,089 --> 00:35:24,500 year because she saw us 748 00:35:22,340 --> 00:35:26,210 doing that there. So you're reaching 749 00:35:24,500 --> 00:35:28,400 people, you just don't know whether 750 00:35:26,210 --> 00:35:31,330 you've reached them or not. And you 751 00:35:28,400 --> 00:35:35,240 should have open formats, I think. So 752 00:35:31,330 --> 00:35:37,130 unlike here, I mean, please don't, but you 753 00:35:35,240 --> 00:35:39,020 are free to leave if you want to here, but 754 00:35:37,130 --> 00:35:41,090 this is still a closed room. If you
have 755 00:35:39,020 --> 00:35:43,400 some kind of open office space where you're 756 00:35:41,090 --> 00:35:48,470 just talking about security and chatting, 757 00:35:43,400 --> 00:35:50,120 not just one person always talking 758 00:35:48,470 --> 00:35:52,700 on the slides but having some kind of 759 00:35:50,120 --> 00:35:54,890 discussion, and you can come and go as 760 00:35:52,700 --> 00:35:56,450 you please, then people feel more 761 00:35:54,890 --> 00:35:59,210 comfortable, because if they get bored they 762 00:35:56,450 --> 00:36:04,399 can just leave and nobody bats an eye. 763 00:35:59,210 --> 00:36:07,730 And using multiple channels really works 764 00:36:04,400 --> 00:36:10,520 well as well, because we all take in 765 00:36:07,730 --> 00:36:13,760 information differently. So we are 766 00:36:10,520 --> 00:36:15,530 writing blogs, we are doing those kind 767 00:36:13,760 --> 00:36:19,160 of moments where you can come and go, 768 00:36:15,530 --> 00:36:21,800 where we do discussions, we do talks 769 00:36:19,160 --> 00:36:24,680 internally, and it's all different 770 00:36:21,800 --> 00:36:26,720 formats. The only thing is, if you do it 771 00:36:24,680 --> 00:36:29,509 after hours, then just please don't be a 772 00:36:26,720 --> 00:36:32,120 dick, just be nice and provide drinks 773 00:36:29,510 --> 00:36:34,160 at least, and a few crisps, because 774 00:36:32,120 --> 00:36:40,850 people will stay if they have free beer 775 00:36:34,160 --> 00:36:44,330 or gummy bears, maybe, hopefully. One more 776 00:36:40,850 --> 00:36:46,250 thing that a lot of companies do, but 777 00:36:44,330 --> 00:36:51,319 only to a certain extent, is scanning 778 00:36:46,250 --> 00:36:55,070 themselves. So very often you have some 779 00:36:51,320 --> 00:36:56,690 kind of automatic, some kind of mechanism 780 00:36:55,070 --> 00:36:58,880 that will scan your company from the 781 00:36:56,690 --> 00:37:01,580 outside, but very often that is just port 782 00:36:58,880 --> 00:37:03,590 scanning, right?
You check whether there 783 00:37:01,580 --> 00:37:06,410 are new ports open or whether the old 784 00:37:03,590 --> 00:37:08,480 ones are still working, and that is 785 00:37:06,410 --> 00:37:11,480 fairly well mapped. Sometimes you even hire 786 00:37:08,480 --> 00:37:13,580 somebody to do that. But very often what 787 00:37:11,480 --> 00:37:18,110 you're doing is not seeing the complete 788 00:37:13,580 --> 00:37:20,480 picture. What do I mean by that? If you 789 00:37:18,110 --> 00:37:22,580 are only looking at the network level of 790 00:37:20,480 --> 00:37:24,650 your company, then you will miss out on 791 00:37:22,580 --> 00:37:26,480 the whole social media thing, and you 792 00:37:24,650 --> 00:37:29,090 will miss out on your users and what 793 00:37:26,480 --> 00:37:31,610 they are doing on the respective 794 00:37:29,090 --> 00:37:33,749 networks: Twitter, LinkedIn, Xing, what 795 00:37:31,610 --> 00:37:38,799 have you. 796 00:37:33,749 --> 00:37:41,890 So what you can do, I mean, you can't 797 00:37:38,799 --> 00:37:44,410 really, very often you can't just 798 00:37:41,890 --> 00:37:46,960 monitor everyone in the company. We've 799 00:37:44,410 --> 00:37:49,180 got way more than 7,000 employees and 800 00:37:46,960 --> 00:37:51,039 I'm not really interested in what all of 801 00:37:49,180 --> 00:37:54,190 them are doing on Facebook or Twitter or 802 00:37:51,039 --> 00:37:57,359 whatever, I would want to sleep very 803 00:37:54,190 --> 00:38:00,339 quickly. But if you educate them, 804 00:37:57,359 --> 00:38:03,369 especially with the top portals like 805 00:38:00,339 --> 00:38:07,029 LinkedIn, then you can have a really good 806 00:38:03,369 --> 00:38:10,299 result. What we had, about half a year 807 00:38:07,029 --> 00:38:11,950 ago there was a person acting or having 808 00:38:10,299 --> 00:38:14,288 a profile saying they belong to our 809 00:38:11,950 --> 00:38:16,839 company, and they were making friends 810 00:38:14,289 --> 00:38:19,239 with our clients and they were making
811 00:38:16,839 --> 00:38:20,769 friends with people working at our 812 00:38:19,239 --> 00:38:25,380 company, really working at our company, 813 00:38:20,769 --> 00:38:29,288 and so, because nobody really knew them, 814 00:38:25,380 --> 00:38:32,259 our users, who were aware, 815 00:38:29,289 --> 00:38:33,069 very good, told us that there's something 816 00:38:32,259 --> 00:38:36,339 fishy going on. 817 00:38:33,069 --> 00:38:38,859 So we were able to shut down that 818 00:38:36,339 --> 00:38:40,599 profile very quickly, within a day. We 819 00:38:38,859 --> 00:38:43,089 still think this is not an attack that 820 00:38:40,599 --> 00:38:45,309 was targeting us, but we think this 821 00:38:43,089 --> 00:38:48,038 person wanted to look as if they were 822 00:38:45,309 --> 00:38:51,969 coming from us and targeting a third 823 00:38:48,039 --> 00:38:53,559 party, which is, in our case, we've got a 824 00:38:51,969 --> 00:38:54,609 really strange business, but I'm coming 825 00:38:53,559 --> 00:38:57,880 to that at the end if you're still 826 00:38:54,609 --> 00:38:59,170 interested. This is not unusual for us, 827 00:38:57,880 --> 00:39:05,049 that we are not the target but our 828 00:38:59,170 --> 00:39:09,099 clients are. And playing into this is 829 00:39:05,049 --> 00:39:12,549 also cyber risk management. So you're all 830 00:39:09,099 --> 00:39:15,400 familiar with threat intelligence, all 831 00:39:12,549 --> 00:39:18,940 right, I presume. So threat intelligence is 832 00:39:15,400 --> 00:39:20,950 something that tells you interesting 833 00:39:18,940 --> 00:39:23,049 data, indicators of compromise, about 834 00:39:20,950 --> 00:39:26,499 attacks that are happening now or that 835 00:39:23,049 --> 00:39:28,900 happened recently. You will find out 836 00:39:26,499 --> 00:39:32,459 about IP addresses that might have 837 00:39:28,900 --> 00:39:35,979 attacked somebody, or certain exploits 838 00:39:32,460 --> 00:39:38,380 that are just running right now, maybe 839 00:39:35,979 --> 
00:39:39,879 not, probably not against you but against 840 00:39:38,380 --> 00:39:43,599 that person, and they are sharing the 841 00:39:39,880 --> 00:39:46,510 data with you. Risk is a little bit 842 00:39:43,599 --> 00:39:51,160 farther away from that, in 843 00:39:46,510 --> 00:39:53,589 terms of the timeline, because a risk 844 00:39:51,160 --> 00:39:56,230 is something that might evolve into a 845 00:39:53,589 --> 00:39:58,990 threat, but it isn't a threat really just 846 00:39:56,230 --> 00:40:02,470 right now. One example is, if you know 847 00:39:58,990 --> 00:40:03,790 that some of your users' emails and 848 00:40:02,470 --> 00:40:06,040 passwords have been breached on a 849 00:40:03,790 --> 00:40:08,259 different site, then you will know that 850 00:40:06,040 --> 00:40:10,240 this is a risk and somebody will try 851 00:40:08,260 --> 00:40:14,020 credential stuffing against your site 852 00:40:10,240 --> 00:40:16,328 with the same kind of credentials that 853 00:40:14,020 --> 00:40:21,009 have been lost on, let's say, Yahoo, because 854 00:40:16,329 --> 00:40:22,930 everybody was on Yahoo. And this again is 855 00:40:21,010 --> 00:40:25,270 something where you need to have time, 856 00:40:22,930 --> 00:40:27,640 where you need to have access to various 857 00:40:25,270 --> 00:40:30,009 data sources like the dark web and 858 00:40:27,640 --> 00:40:32,348 others, and where you have to research. 859 00:40:30,010 --> 00:40:34,000 It's nothing, it's not a solution out of 860 00:40:32,349 --> 00:40:36,760 the box where you just snap your fingers and 861 00:40:34,000 --> 00:40:39,460 you've got the information. It needs 862 00:40:36,760 --> 00:40:40,990 dedicated people trying to come up with 863 00:40:39,460 --> 00:40:43,960 the risks that your company is facing. 864 00:40:40,990 --> 00:40:46,259 But if you can identify those, then you 865 00:40:43,960 --> 00:40:50,369 can prepare accordingly, and that will be 866 00:40:46,260 --> 00:40:53,740 very valuable when the attack comes. And 867 
00:40:50,369 --> 00:40:56,140 then finding the right language is very 868 00:40:53,740 --> 00:40:59,529 important. And as a short piece of information, yes, 869 00:40:56,140 --> 00:41:04,810 I already use cyber a lot, and I've also 870 00:40:59,530 --> 00:41:06,760 got a new t-shirt, Cyber Mic, and I know a 871 00:41:04,810 --> 00:41:08,828 lot of the people in our industry do not 872 00:41:06,760 --> 00:41:11,619 like cyber. I'm sorry if you have to 873 00:41:08,829 --> 00:41:13,690 suffer through that, but as Dr. Jessica 874 00:41:11,619 --> 00:41:16,720 Barker said, all of our clients are going 875 00:41:13,690 --> 00:41:18,760 to refer to us with the term cyber, and 876 00:41:16,720 --> 00:41:21,220 if you don't go where our clients are, 877 00:41:18,760 --> 00:41:23,740 then we are leaving our clients in the 878 00:41:21,220 --> 00:41:25,450 dark, and this talk is about getting in 879 00:41:23,740 --> 00:41:29,229 touch with our clients. So I'm going to 880 00:41:25,450 --> 00:41:31,810 use cyber because they are using it. So, 881 00:41:29,230 --> 00:41:35,740 finding the right language. This is an 882 00:41:31,810 --> 00:41:40,540 example from last year's Def Con, and the 883 00:41:35,740 --> 00:41:43,959 person writing that got evicted from the 884 00:41:40,540 --> 00:41:48,779 hotel very soon, but after talking to the 885 00:41:43,960 --> 00:41:51,730 DEF CON organizers, the hotel staff was 886 00:41:48,780 --> 00:41:54,280 there, they let him in again, reluctantly, 887 00:41:51,730 --> 00:41:56,230 but they did. But if you only read that 888 00:41:54,280 --> 00:42:00,230 tweet without being in the security 889 00:41:56,230 --> 00:42:02,150 industry, then this might be scary, 890 00:42:00,230 --> 00:42:05,450 because just a few months before, the 891 00:42:02,150 --> 00:42:08,720 Strip shooter killed 58 people from his 892 00:42:05,450 --> 00:42:13,220 hotel room, so attacking people in Vegas 893 00:42:08,720 --> 00:42:16,850 is a little bit of a touchy subject. If 894 00:42:13,220 --> 
00:42:19,250 you just put that tweet out, then without 895 00:42:16,850 --> 00:42:20,660 context, that's bad, and context is 896 00:42:19,250 --> 00:42:25,160 something you need to give your users as 897 00:42:20,660 --> 00:42:27,379 well. Not talking down to them, of course, 898 00:42:25,160 --> 00:42:30,830 is the next thing, because everybody 899 00:42:27,380 --> 00:42:32,150 likes to be patronized, right? So we don't 900 00:42:30,830 --> 00:42:36,500 like it, why should we do it with our 901 00:42:32,150 --> 00:42:39,380 people? And there are ways of finding 902 00:42:36,500 --> 00:42:42,350 something and finding how we can talk to 903 00:42:39,380 --> 00:42:45,380 people. This is another example where I 904 00:42:42,350 --> 00:42:47,779 blanked out the users, in most cases when 905 00:42:45,380 --> 00:42:51,890 it is something where I'm not sure that 906 00:42:47,780 --> 00:42:54,619 it's still online. And that was somebody 907 00:42:51,890 --> 00:42:57,319 saying, come on, we as an industry are not 908 00:42:54,619 --> 00:43:00,200 that bad, right? And somebody who is 909 00:42:57,320 --> 00:43:02,380 developing apps and software said, 910 00:43:00,200 --> 00:43:05,180 personal opinion, yes you are. And 911 00:43:02,380 --> 00:43:07,460 obviously, outside of our little bubble 912 00:43:05,180 --> 00:43:11,509 people really don't like us that much, 913 00:43:07,460 --> 00:43:13,940 but this is due to us in the industry. 914 00:43:11,510 --> 00:43:16,790 Most of the people have been talking down to 915 00:43:13,940 --> 00:43:19,340 users for 20 years, and it is changing, 916 00:43:16,790 --> 00:43:22,640 I'm happy it's changing, but just let's 917 00:43:19,340 --> 00:43:25,010 carry on searching for dialogue with 918 00:43:22,640 --> 00:43:28,100 people instead of just, you know, telling 919 00:43:25,010 --> 00:43:30,710 them what to do and what not. Another 920 00:43:28,100 --> 00:43:32,930 thing that you can avoid is ritual for 921 00:43:30,710 --> 00:43:35,330 ritual's sake. Whenever you identify
a 922 00:43:32,930 --> 00:43:36,919 process in your company or something 923 00:43:35,330 --> 00:43:38,869 that doesn't make sense and people just 924 00:43:36,920 --> 00:43:41,390 do it because we've always done it that 925 00:43:38,869 --> 00:43:43,220 way, then just try to come up with 926 00:43:41,390 --> 00:43:47,529 something, or say, we don't need 927 00:43:43,220 --> 00:43:47,529 that. This is one of the examples I found 928 00:43:49,520 --> 00:43:54,240 and I think it illustrates why it is 929 00:43:52,319 --> 00:43:56,520 very important to understand the 930 00:43:54,240 --> 00:43:58,229 security measures and where they are 931 00:43:56,520 --> 00:44:00,660 implemented and whether they make, 932 00:43:58,230 --> 00:44:03,960 whether it makes sense to transfer them 933 00:44:00,660 --> 00:44:09,779 to other processes. In that case, of 934 00:44:03,960 --> 00:44:11,700 course, it doesn't. Another thing that 935 00:44:09,780 --> 00:44:14,760 might be more important than it looks 936 00:44:11,700 --> 00:44:17,790 like at first glance is locking your 937 00:44:14,760 --> 00:44:20,599 screens. So very often, for a lot of the 938 00:44:17,790 --> 00:44:23,160 companies I worked for, they had this 939 00:44:20,599 --> 00:44:24,750 very good company culture saying, you 940 00:44:23,160 --> 00:44:26,970 know, all the attackers are on the 941 00:44:24,750 --> 00:44:30,109 outside, we don't have anyone on the 942 00:44:26,970 --> 00:44:33,270 inside who would be a bad guy or girl, 943 00:44:30,109 --> 00:44:36,470 which might be right. On the other hand, 944 00:44:33,270 --> 00:44:39,960 if you consider that, I don't have 945 00:44:36,470 --> 00:44:42,060 numbers from last year, but usually a lot 946 00:44:39,960 --> 00:44:44,670 of the attacks come from the inside, as 947 00:44:42,060 --> 00:44:48,599 soon as you don't call them attacks 948 00:44:44,670 --> 00:44:50,520 but also, for want of a better word, 949 00:44:48,599 --> 00:44:52,440 people just clicking stuff without 950 
00:44:50,520 --> 00:44:55,490 knowing what they are doing they are not 951 00:44:52,440 --> 00:44:58,920 an attacker in the traditional sense but 952 00:44:55,490 --> 00:45:01,069 their actions result in a compromised 953 00:44:58,920 --> 00:45:03,630 Network so that makes them attackers and 954 00:45:01,069 --> 00:45:06,359 very often if your company is speaking 955 00:45:03,630 --> 00:45:09,930 up and if your company has interesting 956 00:45:06,359 --> 00:45:11,700 stuff or interesting data then the 957 00:45:09,930 --> 00:45:15,450 chances that you have somebody that 958 00:45:11,700 --> 00:45:21,299 would steal the data if they are being 959 00:45:15,450 --> 00:45:26,790 offered 500k or maybe even 5000 K 5000 K 960 00:45:21,300 --> 00:45:27,240 yeah 5000 euros or quid then they would 961 00:45:26,790 --> 00:45:30,210 do it 962 00:45:27,240 --> 00:45:32,368 so mocking your screen and not giving 963 00:45:30,210 --> 00:45:35,130 other people access to your mail to 964 00:45:32,369 --> 00:45:39,150 everything that is open on your laptop 965 00:45:35,130 --> 00:45:45,329 it's really important basically what we 966 00:45:39,150 --> 00:45:47,609 are doing is amateur hour I get to the 967 00:45:45,329 --> 00:45:50,010 pro version but if I see an unlocked 968 00:45:47,609 --> 00:45:51,480 screen of one of my teammates I'm going 969 00:45:50,010 --> 00:45:53,520 to send an email to the team saying 970 00:45:51,480 --> 00:45:55,560 tomorrow there's free cake I'm going to 971 00:45:53,520 --> 00:45:58,740 provide free cake or maybe a beer after 972 00:45:55,560 --> 00:45:59,089 work something small something that 973 00:45:58,740 --> 00:46:01,729 doesn't 974 00:45:59,089 --> 00:46:04,369 costs too much because people then 975 00:46:01,729 --> 00:46:06,769 follow up on it you know if you return 976 00:46:04,369 --> 00:46:09,259 to your desk and you find out that you 977 00:46:06,769 --> 00:46:11,930 promised Kate for 10 people the next day 978 00:46:09,259 --> 
00:46:13,759 then most people are not enough of a 979 00:46:11,930 --> 00:46:16,190 dick to not follow up on that and they 980 00:46:13,759 --> 00:46:19,489 will bring cake but they will also lock 981 00:46:16,190 --> 00:46:21,979 their screen the next day or at least 982 00:46:19,489 --> 00:46:25,640 after two or three times and when I say 983 00:46:21,979 --> 00:46:27,950 this is the amateur version after giving 984 00:46:25,640 --> 00:46:29,420 that talk at another conference somebody 985 00:46:27,950 --> 00:46:31,910 came up to me and said you know what we 986 00:46:29,420 --> 00:46:33,859 do we've got mattress rolled out wide 987 00:46:31,910 --> 00:46:35,390 group policy so I only have to press 988 00:46:33,859 --> 00:46:38,380 this and that key combination and that 989 00:46:35,390 --> 00:46:41,960 my mail goes out automatically yeah 990 00:46:38,380 --> 00:46:46,329 that's one way to do it we are not that 991 00:46:41,960 --> 00:46:48,499 professional in that respect and 992 00:46:46,329 --> 00:46:52,569 something that you have to bear in mind 993 00:46:48,499 --> 00:46:56,660 is it's no use to have one dedicated 994 00:46:52,569 --> 00:46:58,940 security person within a team and teach 995 00:46:56,660 --> 00:47:02,719 them and give them all the advice and 996 00:46:58,940 --> 00:47:05,630 they have to be the multiplicator and 997 00:47:02,719 --> 00:47:07,849 get it into the team things like that 998 00:47:05,630 --> 00:47:11,059 because it doesn't work you have to 999 00:47:07,849 --> 00:47:14,839 educate every individual the way that 1000 00:47:11,059 --> 00:47:17,420 works works very well for us is when 1001 00:47:14,839 --> 00:47:20,029 we're doing trainings or giving security 1002 00:47:17,420 --> 00:47:23,059 awareness advice we are rarely talking 1003 00:47:20,029 --> 00:47:25,160 about the office we are very often 1004 00:47:23,059 --> 00:47:28,069 talking about how people can protect 1005 00:47:25,160 --> 00:47:31,069 themselves at home because 
people are 1006 00:47:28,069 --> 00:47:33,019 more interested in that and very often 1007 00:47:31,069 --> 00:47:36,349 they have the feeling that if they are 1008 00:47:33,019 --> 00:47:39,919 at their office PC they are protected 1009 00:47:36,349 --> 00:47:43,190 anyway because we've got lots of people 1010 00:47:39,920 --> 00:47:45,019 doing security and they have the feeling 1011 00:47:43,190 --> 00:47:46,309 they are protected anyway it doesn't 1012 00:47:45,019 --> 00:47:50,238 really help when they click phishing 1013 00:47:46,309 --> 00:47:53,329 links but for the personal life and they 1014 00:47:50,239 --> 00:47:58,130 are more appreciative of what they hear 1015 00:47:53,329 --> 00:48:01,969 and so the whole education really works 1016 00:47:58,130 --> 00:48:04,969 well if you educate everyone and I know 1017 00:48:01,969 --> 00:48:07,339 I still have some minutes but I thought 1018 00:48:04,969 --> 00:48:08,660 originally I was too quick so I I went 1019 00:48:07,339 --> 00:48:11,830 through something a little bit faster 1020 00:48:08,660 --> 00:48:13,029 I'm nearly at the end we were 1021 00:48:11,830 --> 00:48:15,069 talking about stop focus at the 1022 00:48:13,030 --> 00:48:16,750 beginning and I also have a lot of 1023 00:48:15,070 --> 00:48:19,870 stockholders this is my favorite stock 1024 00:48:16,750 --> 00:48:21,930 photo somebody used it like I've got 1025 00:48:19,870 --> 00:48:26,109 rude yeah 1026 00:48:21,930 --> 00:48:28,899 but what I want to say is we should also 1027 00:48:26,110 --> 00:48:31,770 eat our own dog food there's nothing 1028 00:48:28,900 --> 00:48:34,480 worse than the security team not 1029 00:48:31,770 --> 00:48:36,640 actually doing what they tell other 1030 00:48:34,480 --> 00:48:39,040 people to do and I've had that at my 1031 00:48:36,640 --> 00:48:41,140 company as well we had a security team 1032 00:48:39,040 --> 00:48:43,480 and if you wanted to do a proof of 1033 00:48:41,140 --> 00:48:46,629 concept with any 
kind of appliance new 1034 00:48:43,480 --> 00:48:48,910 software whatever you would get some 1035 00:48:46,630 --> 00:48:50,530 network share at the end of the universe 1036 00:48:48,910 --> 00:48:53,259 so to speak with no connection to 1037 00:48:50,530 --> 00:48:55,000 anything and you had to be confined to 1038 00:48:53,260 --> 00:48:56,890 that and be happy you couldn't access it 1039 00:48:55,000 --> 00:49:01,630 really you couldn't test it really but 1040 00:48:56,890 --> 00:49:03,850 everything else was too scary so imagine 1041 00:49:01,630 --> 00:49:06,040 my surprise when I was invited to be 1042 00:49:03,850 --> 00:49:09,700 part of a proof-of-concept for software 1043 00:49:06,040 --> 00:49:12,130 that they evaluated and it was just in 1044 00:49:09,700 --> 00:49:14,560 the office Network you know no firewalls 1045 00:49:12,130 --> 00:49:17,620 no borders because that's how it works 1046 00:49:14,560 --> 00:49:19,509 and it's much easier and stuff like that 1047 00:49:17,620 --> 00:49:22,089 really makes me angry because if you 1048 00:49:19,510 --> 00:49:24,010 have security guidelines everybody 1049 00:49:22,090 --> 00:49:26,140 should stick to them especially the 1050 00:49:24,010 --> 00:49:27,730 people writing the damn guidelines 1051 00:49:26,140 --> 00:49:30,240 because if you can't follow the 1052 00:49:27,730 --> 00:49:35,470 guidelines who else should you know 1053 00:49:30,240 --> 00:49:39,399 makes it senseless so basically I hope I 1054 00:49:35,470 --> 00:49:44,200 get across the point that it doesn't 1055 00:49:39,400 --> 00:49:46,900 really make a difference if you own for 1056 00:49:44,200 --> 00:49:48,370 some reason this just went out but 1057 00:49:46,900 --> 00:49:51,280 you're not really missing out on a lot 1058 00:49:48,370 --> 00:49:52,960 but if somebody from the technical point 1059 00:49:51,280 --> 00:49:56,290 of view could actually have a look I 1060 00:49:52,960 --> 00:50:00,040 wouldn't mind because I can hold that up 
1061 00:49:56,290 --> 00:50:01,930 but it's no use but this light says 1062 00:50:00,040 --> 00:50:04,540 conclusion in cooperation at the moment 1063 00:50:01,930 --> 00:50:06,819 my conclusion my cooperation is please 1064 00:50:04,540 --> 00:50:09,130 think about hiring more people and 1065 00:50:06,820 --> 00:50:12,810 getting more security awareness out 1066 00:50:09,130 --> 00:50:17,380 there in a meaningful way instead of 1067 00:50:12,810 --> 00:50:19,930 instead of anything don't know doesn't 1068 00:50:17,380 --> 00:50:21,790 matter there really I promise you the 1069 00:50:19,930 --> 00:50:25,690 slides that come now are really boring 1070 00:50:21,790 --> 00:50:27,730 no more funny memes well 1071 00:50:25,690 --> 00:50:31,240 the very last slide is very funny but I 1072 00:50:27,730 --> 00:50:33,700 think but on the other hand we can show 1073 00:50:31,240 --> 00:50:37,180 you you doesn't matter so instead of 1074 00:50:33,700 --> 00:50:39,308 investing into new appliances that just 1075 00:50:37,180 --> 00:50:42,848 give more work to your sock or more data 1076 00:50:39,309 --> 00:50:48,309 that is not relevant just please try to 1077 00:50:42,849 --> 00:50:49,930 invest it in your people and also know 1078 00:50:48,309 --> 00:50:51,670 your threats especially know your 1079 00:50:49,930 --> 00:50:55,118 threats when it comes to social and when 1080 00:50:51,670 --> 00:50:58,660 it comes to other things that are user 1081 00:50:55,119 --> 00:51:01,809 related and not tech related I've put in 1082 00:50:58,660 --> 00:51:08,319 some links you can take a photo of that 1083 00:51:01,809 --> 00:51:11,740 slide in just now but they will be bare 1084 00:51:08,319 --> 00:51:14,819 with me my website is called cyber stuff 1085 00:51:11,740 --> 00:51:18,939 Todd oh yeah right thank you very much 1086 00:51:14,819 --> 00:51:20,769 and I will put the slides online as I 1087 00:51:18,940 --> 00:51:24,700 said probably tomorrow evening and you 1088 00:51:20,769 --> 
00:51:26,890 will have the links there that's just a 1089 00:51:24,700 --> 00:51:30,250 little bit about the stuff that we we 1090 00:51:26,890 --> 00:51:33,339 have been talking about I also am a 1091 00:51:30,250 --> 00:51:35,529 regular on send security podcast in 1092 00:51:33,339 --> 00:51:37,990 English which is probably more valuable 1093 00:51:35,529 --> 00:51:41,019 to you because I also do with the German 1094 00:51:37,990 --> 00:51:42,609 send security podcast you're happy to 1095 00:51:41,019 --> 00:51:44,200 listen to it but if you don't understand 1096 00:51:42,609 --> 00:51:48,339 German it might be even more confusing 1097 00:51:44,200 --> 00:51:51,129 and thank you very much for listening my 1098 00:51:48,339 --> 00:51:52,990 name is Stephan Hagar my handle is at K 1099 00:51:51,130 --> 00:51:55,059 if you want to follow me on Twitter I 1100 00:51:52,990 --> 00:51:56,740 appreciate that you can have gummy bears 1101 00:51:55,059 --> 00:51:59,920 for that and that is a very cheap way to 1102 00:51:56,740 --> 00:52:02,258 persuade you I work for a company called 1103 00:51:59,920 --> 00:52:04,720 dot F in Germany and what we are doing 1104 00:52:02,259 --> 00:52:07,660 is we are writing software for tax 1105 00:52:04,720 --> 00:52:10,180 accountants and tax consultants and this 1106 00:52:07,660 --> 00:52:12,368 sounds for everybody outside of Germany 1107 00:52:10,180 --> 00:52:14,828 like something that is pretty boring 1108 00:52:12,369 --> 00:52:18,700 probably is but it is a big market in 1109 00:52:14,829 --> 00:52:21,160 Germany so we have 7,000 people and we 1110 00:52:18,700 --> 00:52:23,109 are I think amongst the five largest 1111 00:52:21,160 --> 00:52:26,680 software producers in Germany it's just 1112 00:52:23,109 --> 00:52:28,960 behind Microsoft OSAP so it's a really 1113 00:52:26,680 --> 00:52:32,680 big market in Germany but they say that 1114 00:52:28,960 --> 00:52:37,010 70% of wealth literature on tax is 1115 00:52:32,680 --> 
00:52:39,890 written in German so they might be right 1116 00:52:37,010 --> 00:52:43,340 as for the last and hopefully it's 1117 00:52:39,890 --> 00:52:45,368 slightly hung it's like okay any 1118 00:52:43,340 --> 00:52:45,369 questions 1119 00:52:59,740 --> 00:53:02,209 yeah 1120 00:53:01,010 --> 00:53:05,060 so the question is what we were thinking 1121 00:53:02,210 --> 00:53:07,910 about Mach phishing attempts and social 1122 00:53:05,060 --> 00:53:10,460 awareness campaigns I think it depends 1123 00:53:07,910 --> 00:53:12,740 on the company culture and it depends on 1124 00:53:10,460 --> 00:53:14,810 what you're doing the uses and what 1125 00:53:12,740 --> 00:53:16,910 happens if somebody accidentally clicked 1126 00:53:14,810 --> 00:53:19,220 clicks a fish if you're in the kind of 1127 00:53:16,910 --> 00:53:22,609 company where that is very hierarchical 1128 00:53:19,220 --> 00:53:25,129 and where any kind of mistake will give 1129 00:53:22,609 --> 00:53:29,630 you the slip then this is a really bad 1130 00:53:25,130 --> 00:53:32,240 idea if you have a rather good aware 1131 00:53:29,630 --> 00:53:34,550 user base and they know that this is 1132 00:53:32,240 --> 00:53:37,520 happening and you can gamee find it 1133 00:53:34,550 --> 00:53:38,810 to a point where you can actually have a 1134 00:53:37,520 --> 00:53:43,220 list where you see you're better than 1135 00:53:38,810 --> 00:53:45,080 marketing or your department is so never 1136 00:53:43,220 --> 00:53:47,839 go down to the individual just make it 1137 00:53:45,080 --> 00:53:51,380 teams it can be a good idea if you 1138 00:53:47,840 --> 00:53:53,930 repeat it say three times a year maybe 1139 00:53:51,380 --> 00:53:56,750 four times a year not more often because 1140 00:53:53,930 --> 00:53:58,910 that becomes annoying on the other hand 1141 00:53:56,750 --> 00:54:01,400 I think and I'm a firm believer that I 1142 00:53:58,910 --> 00:54:04,609 don't know how I can get there but I 1143 00:54:01,400 --> 
00:54:08,480 think a user at the office PC should be 1144 00:54:04,609 --> 00:54:10,700 able to click anything they see without 1145 00:54:08,480 --> 00:54:13,520 any kind of fear because it's the job of 1146 00:54:10,700 --> 00:54:15,410 the security team to make sure that they 1147 00:54:13,520 --> 00:54:17,990 can click anything without anything 1148 00:54:15,410 --> 00:54:19,940 happening at the moment we have that no 1149 00:54:17,990 --> 00:54:21,770 company because our office network is 1150 00:54:19,940 --> 00:54:24,500 not connected to the internet so yeah 1151 00:54:21,770 --> 00:54:28,880 click on the fish and that is why all 1152 00:54:24,500 --> 00:54:33,530 the social media we have social 1153 00:54:28,880 --> 00:54:36,710 awareness campaign people trying to get 1154 00:54:33,530 --> 00:54:38,540 us to try the product and whenever we 1155 00:54:36,710 --> 00:54:40,220 said you know we have that we have 1156 00:54:38,540 --> 00:54:42,950 separated our network from the internet 1157 00:54:40,220 --> 00:54:45,230 and B no we won't whitelist your fake 1158 00:54:42,950 --> 00:54:46,730 domains because that is not the test 1159 00:54:45,230 --> 00:54:50,940 we won't watch this the domains for any 1160 00:54:46,730 --> 00:54:52,410 scanner so please try it in the 1161 00:54:50,940 --> 00:54:54,210 environments with these constraints 1162 00:54:52,410 --> 00:54:58,049 because this is how a criminal would 1163 00:54:54,210 --> 00:55:02,099 have track nobody took up the chance to 1164 00:54:58,050 --> 00:55:03,780 improve under any other Christians and I 1165 00:55:02,099 --> 00:55:04,770 can throw gummy bears but i'm reaiiy 1166 00:55:03,780 --> 00:55:07,640 really suck at that 1167 00:55:04,770 --> 00:55:14,819 so if I wanted to throw them to you I'm 1168 00:55:07,640 --> 00:55:19,170 sorry in advance yeah see questions 1169 00:55:14,819 --> 00:55:20,790 sorry no more Christmas I'm the one 1170 00:55:19,170 --> 00:55:21,900 standing between you and break so 
I 1171 00:55:20,790 --> 00:55:24,619 won't do that any longer 1172 00:55:21,900 --> 00:55:24,619 thank you very much