This is my talk. I want you to understand I have to start with this slide, because I'm going to say things that might sound a little, you know, bad, mean, spiteful, mean, hateful, you know, all those other adjectives. I'm adorable, okay? I'm a wonderful, fluffy person and stuff, you know, who does not like doing bad things unless people pay me. I would never try to kill you unless you pay me to try it, okay? I promise. So when I tell you those really harmful, terrible things that I'm going to be talking about, let's just remember the kittens, okay? Title of my talk: Steal Everything, Kill Everyone, Cause Total Financial Ruin, or How I Walked In and Misbehaved. Quite simply, it's because of the security fails. I'm going to explain to you that the physical security and stuff, you know, is one of our biggest weaknesses, because people can understand two-dimensional versus three-dimensional when they're walking up to the front door.

Jason E. Street. I have lots of letters behind my name, I promise. Let's start off with who I am. I've got a day job and a night job. My day job is I'm the AVP of information security at a financial institution. My boss is going to love this on Monday. What I do is I work in a cubicle with a lot of cool action figures around it. I monitor firewalls. I watch IDS systems. I build out our infrastructure. I find more creative ways to secure it and to go after people who are coming after us. I do all the day-to-day blue team stuff. My main job is blue team, is defense. My night job is I'm the CIO of Stratagem 1 Solutions, where I do pen testing maybe like three times a year and stuff. You know, it's like basically I do speaking engagements like this around the world. It's like I've written a book, Dissecting the Hack, and I also do some other writing, and that's what I do at night. I respond to incidents during the day. I create incidents for other people at night. Best of both worlds.
I love these pictures, because you see the first picture, with the baseball cap. That was me standing outside for an hour in front of an industrial park building, a security facility, on a Sunday with no traffic, and the security walked by twice and did not think to stop me and ask me, what are you doing on the sidewalk just watching our building? He didn't put it in his report either, so bad on him. The second picture, you know, looking dapper in the glasses, is actually me going to apply for a job. Yes, I'm wearing a Black Hat collared shirt because I like to come with warning labels, and I did not get the job, unfortunately. I was way underqualified for that one. I didn't get their data, so, you know, win-win.

These are my two favorite pictures of engagements I've been on. The one where I'm wearing the "I'm a liability" shirt I think is the best one, because I stole a car in that shirt. I was at a hotel off the coast and the valet gave me the car, and I had explained to him, I can't get in this car right now, and he's like, why? It's because I'm stealing it. It's like, they paid me to do an assessment. I'm a liability, and yeah, it took him a while to figure that out. So finally I had to say, you might want to take this back, I think the owner is going to want it. The next one is my favorite. One of the most secured facilities I've ever seen in my life, right across the street from Ground Zero: SWAT teams, you know, with canine units, with their machine guns, walking through the concourse, eight security guards in the main elevator lobby and stuff, not including the business lobby. That's me in the upper floors wearing an actual valid badge and a shirt that says "Your Company's Computer Guy." I like that. I like that picture a lot. We'll get more to that story in a little bit. So I do have a CISSP. I think the code says that I have to put a Sun Tzu quote in my talks. There it is. We're in the intro, halfway through, so far so good.
We're going to talk about the one fact that we have to face when we're dealing with this subject. We're talking about the two rules that I go by when I'm doing an engagement, and the three outcomes from those two rules, and hopefully a good conclusion discussion. Let's face it, you're going to the awards ceremony right after this, but still, we can hope.

Why this talk? I gave a talk last year on the 36 Stratagems. It was talking about the beginning of social engineering. It was talking about things that you could do to try to get into the buildings. That was the part one. Quite frankly, I got some feedback afterwards going like, man, Jason, that's some basic concept stuff. You know, it's like, you weren't showing any kind of NLP. Because I can't. I am not a professional social engineering expert. I don't know about NLP. I don't know the psychology, facial recognition, mind ninja techniques. I still get in. I have a hundred percent success rate of getting into facilities when I'm doing a social engineering engagement. So it's not that I'm that great, trust me. Anybody will tell you that. It's that our security is that weak. So these are educational, and hopefully in a funny way, kind of talks, just to give you an onset of where to go look for more stuff, and then hopefully have a good chuckle while doing it. OK. You're not going to learn anything new, but hopefully you'll remember something that will make you go look at something else, and you'll be better for it. So this is part two, because now I'm not talking about the social engineering part so much as this is all the damage I'm going to do after your security guy let me through the front door, because number one fact: I'm getting in. OK.

This is, I took this picture, I kid you not. I'm going to meet the guy for the first part of our meeting, and as soon as I got into the concourse and I saw the door, the employee door for the secured area, I was like, oh, you've got to be joking me. I walked right over, pushed one, three, five.
Guess what. I got in. I would have tried five, three, one, or three, one, five. You know, I would try, but look, see how they're rubbed off. I mean, just look at the guy's face when I showed up 10 minutes before our meeting and no one knew I was there. So that was fun.

Here's another one. I went to go apply for another job, and when I'm on these engagements, I like to be bad. So when I signed in with the receptionist, I stole the pen. I'm a bad guy. It's what we do. So as soon as I finished getting the pen and signing in, I asked where the bathroom is. It's not because I drink so much Diet Pepsi. It's just because I get lost very easily, and I will wander buildings looking for that darn bathroom for hours. You can't believe the things I can get into. Well, I'm going through, and I actually happened to stumble into the security area, part of the employee area, while I was looking for the bathroom, and I found the employee entrance. And this is like, the security guy at this facility actually bragged about their million dollar security system, and I looked at the door and I saw this little rod thing and stuff, you know, that was what was latching the door, and I was like, if only I had a condom or something, you know, to protect that little rod and keep the door from closing and then making it latch. And then I remembered, oh wait, I've got a pen. So I took the pen that I stole, put the cap on the rod, the door shut perfectly, and it didn't latch. So I leave. It's like, I come back in about 20 minutes or so, it's still there. I'm now in the security facility and no one knows. So that was fun.

Actually, we're right here. Okay. So I'm not a master locksmith. I tell people I don't have to be a master locksmith, okay, if your people will let me through the front door. Okay. I don't have to be a massive ninja coder, which I'm not. It's like, if I can just steal the hard drive with all your data.
Here's some of my master lock picking skills in action. I'm terrible with the lock picks, but I'm awesome with cardboard.

So here's another key. I love forging emails and putting them on an iPad. The key is to put them on an iPad. If you forge an email and print it out, they're going to look at you: fake, oh, you just typed this up. You put it on an iPad, the blue hyperlinks stay hyperlinked, and also it's, like, on an iPad. It's magical. You must be telling the truth. So they're going to go and say it's okay. So I was up in that secured facility in New York. The network guy noticed an unusual amount of traffic coming from the CFO's assistant's computer, and it's going to their main server, and it was me. And so he comes over and he asks, it's like, what's going on? What are you doing? I start telling him exactly why I'm there. I spent two hours on Google creating this email, making it sound like the owner, the new owner of this company, was upset and sent an email to the other company that he owns to send one of his guys out to go and look at the network, and I made it sound very political. I made it sound like there's urgency, and that it was supposed to be a surprise, so no one knew I was supposed to be there. So I showed this to the networking guy. Well, he sent me to his office, we went to his office and we talked to the CIO for about 10 minutes, and the employee then started to escort me around to all the other computer desks and stuff, you know, so I could plug in my malware. And I had an employee escort, so I had to be okay. So it's like, I actually could finish the rest of the engagement and stuff, you know, having someone help me and make sure that the people knew I was okay to be there, and plugging in my USB devices and doing whatever else I needed to do. So I really love that email.

I've got two rules, but guess what, looking for PCI is not one of them.
I don't care about your HIPAA or HIPPA. I don't care about your Sarbanes-Oxley. I don't care about your ISOs, unless they've got Linux on them. I don't really care. I just want to F you up. I just want to mess you up in the worst possible way. I want to be the worst thing to ever happen to you at the worst possible time. Okay, remember the kittens.

So this is where I got my two rules. I got them from Serenity, which was based off the series Firefly, which Fox cancelled, may they die in a fire. And the two quotes are very simple: I aim to misbehave, and let's go be bad guys. That's it. I'm just trying to do bad to team it up. It's like, you know, red team, it's like, don't act surprised when we try to kick you below the belt. It's like, bank managers are still being kidnapped today, taken to their home, their family held hostage overnight until they go open up the bank for bank robbers. That's not funny. That's real. This stuff still happens. Another thing is, this is one of these things that we people talk about, this is not a new concept, what we're doing. This is from 1992, the movie Sneakers. It's like, so people hire you to break into their places to make sure no one can break into their places. It's a living. Well, this one's old now, because it's not a very good one; it's gotten pretty good now, business is pretty good with this. But this is a concept, it's not new. It's something that we still have to keep revisiting, stuff, you know. Better people than me talk about it a little bit more technically and stuff, you know. Like I said, I'm the comedy relief on this, but let's keep going.

So another thing we have to understand is management is not proactive, they are reactive. So Dan Erwin said in 2008, the best way to get management excited about a disaster plan is to burn down the building across the street. Hello, everyone, I'd like to introduce myself. I'm the fire. So what we're going to get to now is we're going to get to the fun part, and the fun part is talking about all the different ways we can start those fires. Okay, I love
this one. This is what I call the trifecta of bad, because yes, I've stolen the phone or cloned it; yes, I've got the laptop, 30 laptops unsecured in this facility. They had no laptop lock cables because they were secure. By the time I did the exit interview, I started seeing laptop lock cables, which was good for them. Also the badge, because, you know, my arms may get tired, I might need to make trips, so it's like, so they handed me an employee badge. I appreciated that.

Okay, I do feel bad about this one, because I am a CISSP, advocate of ethics, so please, no one report me. Let's make this off the record. I'm sure no one's watching. Not about the laptop, because I have no problem stealing the laptop. I mean, the guy left the cable on it for me, he was just giving it to me. And I'm not talking about the screwdriver, because I need to steal something, maybe, you know, that was bolted down, because, you know, I like to be thorough. I was a little hungry and I stole one of the cookies. I'm sorry. Okay, let's go on.

I love this, because, you know, people expect security not to be that thorough. So they get their laptop lock cable, they're told to fasten it to the desk, but that's hard, you have to bend down, so let's just lift that cable over the desk, and no one's going to pull it. And you know what, most security doesn't pull the cable to see if it's actually secured. But I'm not security, I'm the thief. I'm going to pull the cable. I'm going to try to steal it. Also, kudos for this guy, because he had it firmly attached to the desk, he had it locked to his laptop, but I'm telling you, when the code is zero zero zero zero, I'm going to try that one. I'm going to try one one one. I'm going to try nine nine nine. If you're a geek, I'm going to try zero zero zero seven. So sorry about that one. Also, they like to move the one, like the last number or the top number, they'll move one in either direction and that's it, so that way they can just go, deek, I'm unlocked, deek, I'm locked.
I'm going to try those. Also, when I'm in engagements, I'm going through all your drawers. Wait, hold on, that didn't sound right. I'm going to go through all your desks and your cabinets, okay, and I'm going to be looking for stuff, because nice, honest co-workers are not going to go looking through your desk. I'm not a nice, honest co-worker. This guy had his laptop locked totally correctly, everything was right, and then he put the keys in his top drawer. So now, not only did I still get his laptop, but now I have a nice, really shiny laptop cable and stuff, you know, I can protect it from someone stealing it, because I hate it when they steal my stuff that I stole. Oh, the reason why this picture was in here is because I stole the iPod, because that's, like, totally freaking retro. How awesome was that?

This is another trifecta. It's like, I stole the purse, I stole the car keys, and yes, I stole the phone. Let the record state I did not steal the lunch, okay? I felt really proud about that. But now, let's hold on, let's cut it for a second. I took the car keys, took the driver's license out of her purse, I then go to the parking lot to find out what car it is, I unlock the car, I go back and put her car keys back. She comes back after work, I'm in the back seat with a gun, telling her that I've got her driver's license, showing her that I know where she lives, that I've got people there that will kill her family. She does not go back into that facility, steal all their data that I need, and then come right back out? And we're tracing, and we've got her phone cloned and we can monitor it. Employees need to know that their personal belongings are theirs, but the impact can be severe for them as well as the company. That's why they need to secure their stuff. Now let's remember the kittens real quick, okay?

When you have this many frowny faces on a slide, you're just effed, okay? It's just game over. You literally gave me a blank check to just steal your credit and your identity, and trust me, my credit sucks, so
I'm taking it. You know, thanks for leaving the Social Security card there, because it's got your signature on it. I know exactly how to forge it. That was very helpful. Not many people are that kind. So, oh, when I stole the first car, the guys were cheated and let some people know that I was going around and doing stuff like that. So I said, well, screw you. Two o'clock in the morning I walked in, grabbed three Mercedes-Benz and a Beamer, and just took them with me, less than 66 seconds. So Nicolas Cage beats that. The look on the guy's face, the manager's, security's face, when I walked to him and I dropped him those four keys was priceless. I wish I could have included the picture, but it's on my desktop at my home.

So some countermeasures. Employees need to know that this stuff matters for them as well. Make sure they're locking their desk, securing their property. They secure their property at home, they secure their property in their car, they need to secure their property at work. Also, no tailgating. You've got to be sure that they understand that they shouldn't tailgate, because, you know what I'm doing? I'm coming in the wheelchair and I've got like four books, and it's like, oh man, Jason, you're a douchebag, and I'm like, yes, I'm a bad guy. I'm trying to steal from you. Do you really think I care that you're going to feel lesser about me because I'm not supposed to be in a wheelchair? No, I'm evil. So what I'm going to do is, and trust me, when I go up to that door and I've got these books, you're really going to be the asshole who's not going to let me in the door? I mean, seriously. No, you're going to let me in, and I thank you for that. Your employer is not going to, but I will. Also, if you see something, say something. You don't have to personally tackle the guy if you think he's suspicious, okay? You do have to call security. You need to start empowering the employees to understand they are part of your
security team, and they need to start acting like it.

So yeah, here's the real warm and fuzzy side. We're actually going to talk about how, you know, to kill everyone, because that always brings up a crowd on a Sunday night. This is taking pictures at 2:30 in the morning. I'm in a hotel somewhere, a different hotel than the car, and I'm inside a mechanical room. I'm wearing Pepsi pajama bottoms over some cargo pants with some really bad things, and a white t-shirt, and I'm barefoot, because I took all my clothes off in the bathroom in the guest area of the hotel and changed into that, and then started walking around and seeing what I could do. I could do a lot, because you notice one important fact in this picture: there are no padlocks on any of the switches. I will tell you this right now, I've got some OCD like you wouldn't believe, okay? If that switch is on, I'm turning it off. If that switch is off, I'm turning it on. And by golly, if there's a red button, I'm pushing it twice, okay? That's just how I roll. Now I want you to understand, I'm not a total jerk, okay? It's like, because yes, I'm going to start a fire in this room, and yes, it's going to have some poisonous chemicals in it, so the smoke will go through the ventilation system that's right there. But I'm not totally terrible, because, I mean, it's 2:30 in the morning, who wants to get woken up at 2:30 in the morning listening to this ringing alarm sound going off? So I'll silence the alarm system for you, because it's like, I mean, I don't want to be rude. The only thing worse than having that alarm going off in your ears and stuff, you know, is someone throwing cold water on your face when you're trying to sleep. I'll turn the sprinkler system off for you too, okay? It's like, I don't want anybody to get all, you know, wet and drenched and stuff, you know, there's a fire going on, that'd be dangerous. Oh wait, hold on, yeah, maybe not. Okay, so another place that I like, that I think it's great to kill people, is the kitchen. It's like, this guy didn't even ask who
I was there, but, you know, most people don't. So just to bring that home, here's a nice little video. Is there any law enforcement from Malaysia in here? Okay, good. This was a video that I took in Malaysia, in a Malaysian hotel. I was wearing this shirt and I'm in Malaysia, I don't blend well. So let's see what happens. Here we go. I didn't edit this video, because I don't want you to think, you know, shenanigans, it's like you made it yourself look poor or something like that. But no, so you'll get to see me doing exactly everything that I did, including right here where I should have turned the other way but I turned this way, but I didn't know what the building was like. So let's walk down this corridor first. Yay, I'm walking as fast as I can. I'm walking pretty fast. It's just a long corridor, we'll say. And if I wanted to steal some tables, there I go. I was like, wow, that was a letdown. I'm sure I'm impressing people that are in the audience right now. So I decided to keep going. I'm a hacker, we don't give up on the first try, right? So now, if you get motion sickness or seasickness, take Dramamine or look away for a second, okay, because this gets me. I wasn't joking. So I come up against this door here and I'm thinking, oops, there we go. So I come up against this door and I'm thinking, oh, this is awesome. The reason is because it's secured and it's got stuff in there that you want protected, so you put a padlock on it, but then you don't padlock it. So, one, thank you for that. What could you be protecting? I don't know, let's see here. Oh, I did not go in there with an Uzi or an AK-47. I did not bring C4 with me. I just walked out of that closet with napalm. I just walked out with poison. So let's see what I can do. Well, first I've got to find a place to do that. That's going to be a long search, you know, looking for the proper place to deploy this kind of stuff. Let me turn around and, oh, I'm in the kitchen. That was quick. So let's walk through here. Everybody say hello to this guy. He didn't say hello to me, the
jerk. If it was a little bit later at night I'd be, you know, tampering with, right there's the refrigerator for the food supply. I would destroy your food supply. Even if you detected it was poison, it would be useless, you'd have to destroy all of it. That's some coinage right there. Here I'm going into another room. I could have gone to some of these other doors. I wasn't really trying, especially since I didn't have permission. I mean, I'm in, since they didn't know at first; it's like, they said it was okay afterwards. Here's the mechanical areas. This is where I started my mechanical fires using the napalm. You notice those two guys there, so I have to use social engineering countermeasures. Let's listen to my countermeasures: hey, how's it going? It was going okay, and then I kept moving. So here we go through the rest of it. That's just me showing you more places that I would spread the napalm. I like saying napalm. That's what it sounds like. One of the other things you notice is that they protect guest information really well, you know, in the computer systems. You know, you can't go to the front desk and ask where someone's staying, but obviously you can walk into the kitchen, because every person, their room number and their name, is right there for room service. So that's pretty low tech. Now I'm going through this and you're thinking to yourself, because like you're saying, well, Jason, all you're doing is walking around the freaking place, what's that? Well, basically, first of all, dude, I told you I was showing you the physical stuff, not social engineering. But since you asked, let's go try some social engineering, because let's see what happens if someone notices me. So I'm going to go talk to the head chef and the manager of the hotel. You have Wi-Fi, cable? So I asked him if he's using Wi-Fi or cable. I've got an iPad and I've got my hacker shirt, and I was like, using Wi-Fi? I'm questioning him, the stuff, you know, and he's saying he's using cable. That's just a corrupted photo. I love the way
they smiled, and like the guy in the back window was just like, you know, photobombing and stuff, you know, going, what's going on with that guy? It's like, and then I just left. That was it. So that's how easy it can be. And it's like, when we talk about social engineering, it's just as easy as just saying, how's it going, and stuff, you know, and talking to someone. People don't expect bad things to happen until they happen.

So some of the countermeasures. One of the key ones that I could not stress enough is create a code word. Make sure people understand, first of all, make your employees understand that this stuff happens. Workplace violence happens. I mean, for gosh sakes, I got this information off of workplaceviolencenews.com. It happens so often they've got a website for it, for gosh sakes. That's depressing, okay? So you've got to understand that that happens. So set up a code. I tell people, like especially with the receptionist, a code. "Oh my God, he's got a gun, run, panic, we're all going to die" is not the best code, okay? It is effective, it does, you know, raise a thing, but it may not be the best. I always tell them to suggest something like a code periwinkle: Mr. Periwinkle to HR, Mr.
Periwinkle to HR. And I'm hoping that someday someone institutes an actual code periwinkle, because I think that's just funny, saying periwinkle. Another one is conduct routine safety checks, not just safety checks of your equipment but of your people as well. When I walked around for an hour I noticed one thing at that facility. There was this one door that I could easily jimmy, and it had a camera that was right over it, but I couldn't tell by the angle, because of where the other two cameras were spaced, if I walked diagonally from the other parking area they wouldn't see me, except for that one camera, and if that camera was angled the right way I could totally bypass it. So I talked to the former head of security there and I told him, it's like, dude, this is where I can get in. He's like, whatever, it's like, come with me. He takes me into this office, the security office. It was empty. Showed me the computer screens, the TV monitor screens, they were all turned off. He turns them on. The one camera that was not working was that one. I looked him dead in the eye and I said, in all seriousness, like, oh, I guess I wasn't the only one that had that idea. You may want to check your inventory. I did mention he was the former head of security at that facility. Okay, good.

Okay, so let's talk about, you know, financial ruin. Let's talk about the espionage. And I hate to hurt some people's feelings and stuff, I'll hurt some people's feelings and just say it's not just the Chinese, okay? 70s, 80s, 90s, it's like the French were doing awesome with it. So sorry to, you know, insult, actually I'm complimenting my French friends, because they did a great counter-espionage thing with the CIA and stuff back in the 90s with the Boeing incident. You can Google that one; the CIA wishes you wouldn't. So that was fun. So let's talk about some of the things you can do there. Once again, this many frowny faces, not good. Because you know what, I'm an environmentalist, I am. Do you know how many poor, senseless trees die every day due
to those printouts that you leave beside the printer? Well, you know what, they will not die in vain. When I visit, I'm taking all of them. I'm going to liberate those trees. I'm going to liberate all of them. And you know what, I'm such an environmentalist, I will take the ones that are still printing out, just to make sure you don't forget them. Those trees will not die in vain when I'm there. It's like, you know, nothing I like, and this is so sad, this is actually a Dilbert comic strip, is that they still use shred bins to put all your, you're telling me all your confidential data, all the stuff that needs to be shredded, let's put it in a big blue bucket. This is all the confidential, and this is done in D.C., and this is done in financial institutions, this is done in, like, DOD contractors' offices. And what my favorite is, the DOD contractor's office, it's a secured area, the office, the actual offices of the executives, they're actually secured, locked, where security, cleaning crew can't go in because of all the top secret data. So what do they do at night? They put the blue bucket outside their door. Yes, that's awesome. I mean, I'm sorry, it's awesome for the bad guys.

Oh dude, yeah, when I get to the point where I can just stick malware into your hard drive, it's just going to be a fun night for me, not for you. That really, yeah, step con, get with it. One thing, we're going off your workstation. When you see that USB drive in your Exchange server, it's not going to end well for you, okay? I know where that USB drive's been. You don't want it in your Exchange server, okay? And I mean, and you're thinking, it's like, what kind of damage is that you can do going after our Exchange server? In that case, should be Gary, but we can go and say, well, then how about your accounting server? Me and the 25 other employees that are also me, they're now getting paychecks from you. Say, well, it's okay, it's not going to be too bad. Or I could just do a wire sniff. This was like from my part one talk, you know, just do a wire sniff for
your traffic, sniffing passwords. That's hard. You've got to configure all the stuff on Linux, you've got to get the wire. Like I said, I'm not that technical, I'm not that, you know, bright. It's like, well, I just get them off your monitor, okay? I love this one. I actually tried [leave blank] first. I gave them the benefit of the doubt, okay? And yes, it was just hit Enter. This is my favorite of all time. You know why? Because this was at a pharmaceutical, bio-whatever research lab and stuff, you know, where I'm supposed to be dealing with rocket scientists, right? The password, first of all, they shouldn't have written it down at all, but the password that was scratched out was actually an alphanumeric, special character password. It was very complex and it was hard, so they scratched it out and changed it to welcome. And it was all lowercase. I tried the capital first, because, you know, they're rocket scientists.

The one thing worse than seeing me in Pepsi pajamas, you know, ask my curio, is actually seeing me in this suit, because if I'm in this suit, I am out to screw you over terribly, okay? Because I'm wearing my Vest of Doom. I call it the Vest of Doom because I think it sounds cool and I'm reliving my childhood. If you want to know more about the Vest of Doom and all these little toys, it's in my part one talk that I did last year. But now I want you to know I've got a Vest of Doom 2.0. Let's see some of those things, okay? I've got some video recorder USB pens right here. None of them, I'm keeping one in my pocket, I'm going to actually be going in and leaving them in your little cup holders that you leave, so I can record you logging in your passwords, carrying on your conversations, things like that. So that's awesome. If I'm the tech guy, I've got my nice little handy 8 gig USB flashlight video recorder that I'm stealing your data off of. And as you remember, the little bouncy Dramamine, that was because it was taken on my 4 gig audio video recorder watch. When I walk into your facility
I'm a walking, talking Google Street car, okay? I'm capturing everything I can. Now I've got another device since then, too, that's to my 2.0 vest. This was something that was given to me by a three letter agency in DC. The only reason why he gave me this device and stuff, you know, which cost billions of dollars in research, he said, was that I was to never talk about it in public. So this device he gave me is actually a USB keystroke logger. It's undetected by any antivirus, you can plug it in, it's very streamlined, it's undetectable stuff, you know, it's very hard to spot when you actually plug it into the device, and it records all the keystrokes. You're right, I'm lying. I got it off ThinkGeek. ThinkGeek. I like to put this, for, you know, for the QSAs and for your executives, you know, that you want to talk about this slide. Students, have, you know, and when you get back, tell them about these things, put it in a different way that they understand a little bit better: the risk matrix. Available at a geek and gadget website? Well, we discovered that's a near certainty, okay. Being able to log the CEO's keystrokes? Yeah, I'm going to go with catastrophic on that one. Now you see all these other devices, you see all these pens, you know, these devices, those were acquired, it's like, you know, from a very, I mean, you have to be a select group of people, okay, to be able to get access to that kind of technology. I mean, I think everybody is familiar with that kind of access. I think everybody here has that access. It's called frequent flyers. I mean, you talk about hackers getting this kind of data, okay. I'm an accountant, I really hate my boss, I really hate my job, I want to go somewhere, I want to steal a whole bunch of stuff from the company first. How can I do that? Oh, I'm on this flight. Oh, look, SkyMall. Oh, I can put keystroke logging and spyware on my boss's computer. Oh, I can, you know, have a USB recorder and stuff, you know, pen, and take video of our company
secrets and yes I can actually have a voice recorder so I can record our top secret confidential conference meetings this is not hard that is one of the biggest things you know you hear I see these talks and it's like these guys are like the rock stars and they're like they're super leading stuff you know and they deserve all the credit all the stuff but I'm telling you it's not just that I'm the reverse of that I'm the guy saying it's so easy even I can do it okay it is like it's just the general stuff people are so busy protecting their stuff from these very high level attacks they're forgetting oh SQLI oops sorry Sony you know it's like it's sometimes it's a low-hanging fruit it really is the low-hanging fruit they're going to go after so you've got to be protecting that as well you got to be protecting from these kind of threats as well this is one I love this one I took these pictures this is the pony plug from pony express I took these pictures at a bank branch out on the out on the west coast and I did four branches four attempts four successes after the fourth one they told me to stop the reason why is because I walked in I was wearing a blue DEF CON shirt work shirt I come with warning labels and I told them it's like I'm here to check we have been having brownouts at the corporate office and we need to check to make sure that the power fluctuations aren't affecting your operations here so what I'm going to need to do is I'm going to plug this device into your here plug into the network so you can take the readings and report back to the home office exactly what's going on and by the way I need to go in and check your make sure all the computers have proper power surges and UPS units working I used a face false name that I had no idea your identification for I used a fake company and a fake phone number I signed into their vendor log if I would have come in there with a ski mask and a shotgun every single person would have reacted exactly the right way 
they've been trained to handle that they were not able to they did not expect the geek factor and they walked me through the teller area the drive-through area and through the back rooms where the actual money is not the shiny little fault thing but the big saves with the actual money in it what kind of damage could I have done what I did do was I plugged in my pony device this one with the power unit and seven I see the power UPC on the right I like that one the best because I had to get the bank manager to get out of her seat so I could plug it into behind her desk and what I do right after that it's like I can I don't have to go to my car I don't have to phone home I go to the bank lobby and I've got backtrack five on a zoom tablet and it's like I've got it already connected to the pony express I'm pawning you before I even get out your door okay so what are some of the countermeasures there's only one major countermeasures people okay and that quite frankly is just going to be stop printing what happened to this paperless office for gosh sakes it's like make sure you're doing proper DLP making sure you're talking about we there was a recent report about how some of these data leakages are mostly coming from insider and threats from the actual employees themselves so make sure you're watching you're doing dual diligence making sure that not everything is being shared open so so now what can we do like I said I'm the blue team I like it when we win I love I am I kid you not I am rooting so hard for the good guys when I go on an engagement okay I mean I look at some of those employees sometimes I'm like you've got to be effing you're believing what I just said seriously and it's like and then they let me in and I'm like oh my dude obviously I was a bad guy it's like so we needed what do we need to do though we need to educate empower and enforce our workforce our employees and the best way to educate them is to stop this one simple phrase stupid users stupid users 
clicked on an email stupid users went to a website that weren't supposed to go you know what if I'm in the security department stupid me for not educating my employees properly on how to handle those kind of threats okay and another thing is if I hire an employee and on the first day they don't even have a driver's license and on the first day of work I tell them here's the keys to my Bentley go do some deliveries and they break and they crash that car who's the idiot the one that started driving and the one that gave them the keys we're giving them technology they don't know how to use they need to start being educated properly on how to use it then when they screw up we can say it but not until then we need to educate our employees and let them understand where they're going to do we also need to empower our employees and by empowering them I don't mean starting a union okay so don't get all upset with me you know management types okay we need to let them know one simple fact they are part of the security team from the CEO to the mailroom you are part of the security team it is part of your job and your duties to make sure you're protecting the company data and they need to know that and they need to enjoy that they need to understand you as information security has access to the biggest intrusion detection system known to man all those employees on the front line they're saying oh that looked weird that shouldn't have happened let me call somebody that's what you need to start doing you need to start empowering them you need to start letting them know that it's required I've got a guy who sends me 15 freaking emails okay a week on a phishing scam or some kind of other thing that he thought was weird and he wanted to he wanted to make sure I knew about it you know what I say every single time awesome thank you very much I appreciate it because that 16th one is not going to be a false positive it's going to be something we need to respond to I'd rather get a 
thousand false positives from people that are actually thinking about it because if they're sending it to me that means they're thinking about security we do walkthroughs in our facility during our day job and we look under keyboards for passwords I mean at first we actually started finding them okay that was bad it's like but then we started not finding them but we still do it you know why because every time you do that everybody in that area is going oh they're checking for something we got to make sure creating that security awareness without shoving it down their throat that's how you do it that's how you do it and then you enforce it okay not with a baseball bat but oh gosh that would be fun but no it's like not with a baseball bat but with positive enforcement when someone stops me when I don't have a visible badge it says what are you doing what are you doing there I report them to their supervisor and I say awesome job that person did what they were supposed to do that person is protecting our data we've got it where we put a list of stuff you know and our bulletins and stuff you know employee bulletins saying people that got kudos for security they did the right thing they did it the right way and you know what that breeds competition because that freaking susie and accounting she's always getting the credit for doing that stuff well I can do it too you know I can stop someone if I don't think they have a proper badge that's how you enforce it it doesn't have to be negative you've got a workforce you've got a human IDS system out there just waiting to be used start using them okay so as soon as you as soon as you stop saying stupid user and start saying my co-workers in the information security department we're going to start winning so here's some links and there you go
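The branch story above ends with a drop box plugged in behind the manager's desk and the speaker on the network before he has left the lobby. One technical follow-up to the "human IDS" he describes is a check the blue team can run when a teller phones in about "the power guy": compare what is currently answering on the branch segment against the asset inventory and flag anything unknown. The script below is an added defensive example written for this page, not code from the talk, from Pwnie Express or from the speaker; the neighbor-table lines, the inventory, the hostnames and the MAC addresses are constructed sample data (locally administered `02:` addresses, so they map to no real vendor), and the line format assumed is that of Linux `ip -4 neigh show`.

```python
"""
Rogue-device check: parse the current IPv4 neighbor (ARP) table of a
branch network segment and report every host whose MAC address is not
in the asset inventory.

Constructed example. KNOWN_ASSETS and SAMPLE_NEIGH are sample data, not
real inventory or captured output.
"""
import re
from dataclasses import dataclass

# Line format of `ip -4 neigh show` on Linux:
#   <ip> dev <iface> lladdr <mac> <state>
# Entries in FAILED/INCOMPLETE state carry no lladdr and do not match.
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+(?P<iface>\S+)\s+"
    r"lladdr\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<state>\S+)",
    re.IGNORECASE,
)

# Constructed asset inventory for a fictional branch: MAC -> (hostname, role).
KNOWN_ASSETS = {
    "02:00:00:aa:00:01": ("BR04-TELLER1", "teller workstation"),
    "02:00:00:aa:00:02": ("BR04-TELLER2", "teller workstation"),
    "02:00:00:aa:00:03": ("BR04-MGR", "branch manager workstation"),
    "02:00:00:aa:00:10": ("BR04-PRN1", "network printer"),
    "02:00:00:aa:00:fe": ("BR04-RTR", "branch router"),
}

# Constructed neighbor-table output: five inventoried hosts, one
# unknown host behind the manager's desk, and one unresolved entry.
SAMPLE_NEIGH = """\
10.4.20.11 dev eth0 lladdr 02:00:00:aa:00:01 REACHABLE
10.4.20.12 dev eth0 lladdr 02:00:00:AA:00:02 STALE
10.4.20.13 dev eth0 lladdr 02:00:00:aa:00:03 REACHABLE
10.4.20.40 dev eth0 lladdr 02:00:00:aa:00:10 DELAY
10.4.20.1 dev eth0 lladdr 02:00:00:aa:00:fe REACHABLE
10.4.20.77 dev eth0 lladdr 02:00:00:bb:ee:ef REACHABLE
10.4.20.200 dev eth0  FAILED
"""


@dataclass(frozen=True)
class Neighbor:
    ip: str
    iface: str
    mac: str   # normalized to lowercase so inventory lookups are case-insensitive
    state: str


def parse_neighbors(text):
    """Return one Neighbor per line that carries a resolved MAC address."""
    result = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            result.append(Neighbor(m["ip"], m["iface"], m["mac"].lower(), m["state"]))
    return result


def find_unknown(neighbors, inventory):
    """Hosts visible on the wire whose MAC is not in the inventory."""
    return [n for n in neighbors if n.mac not in inventory]


def report(text, inventory):
    """Human-readable alert lines, one per unknown host (empty list = clean)."""
    lines = []
    for n in find_unknown(parse_neighbors(text), inventory):
        lines.append(
            f"ALERT unknown device {n.mac} at {n.ip} on {n.iface} "
            f"(state {n.state}); not in asset inventory, verify physically"
        )
    return lines


if __name__ == "__main__":
    alerts = report(SAMPLE_NEIGH, KNOWN_ASSETS)
    print("\n".join(alerts) if alerts else "no unknown devices on segment")
```

Two caveats a practitioner should keep in mind. An inventory diff is a tripwire, not a control: a MAC address can be set to match an inventoried host, so the alert is the trigger for the walk to the desk (the "verify physically" in the message), and the preventive control is 802.1X or switch port security so that an unregistered device never gets a link in the first place. And the unresolved `FAILED` entry is deliberately skipped rather than alerted on, because it identifies no device; if you want to know about addresses being probed on the segment, treat those separately from unknown hardware.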