So I don't think we really need to introduce our first speaker, but I'm going to do it anyway. And Jayson, how long have I known you? Ten years. Yeah, easily, over ten years. First time I met Jayson, you know how he does awkward hugs? Yeah. He did a handstand and hugged me that way. Yeah, that's awkward to a different level. And he liked it. Okay, I wasn't going to say that part. It was a little fun. He drinks the most Diet Pepsi out of anybody on the planet Earth. If you cut me, I fizz. He awkwardly hugs everyone in the universe. Ball of positivity. Just a wonderful guy. Help me in welcoming Jayson Street.

Hello, everyone. Where'd it go? Okay, so this is my legal disclaimer. I always like to start off with the legal disclaimer. I'm not a lawyer, though I've played one on the internet successfully before. So when I talk about certain things and it says, well, why would you do that? You're evil. That's bad. It's like, well, yeah. It's like, remember the kittens. I'm adorable. It's like, I will not try to steal from you, kill you, or ruin you financially unless you pay me first. There's always a contract. I don't do this stuff for free. So when we go through those sections, just remember that. And I know we're at DEF CON, so that means probably one-third of you are feds. And I do a lot of fed bashing in here, but it's not because I don't like the feds. It's just they give so many great examples of bad security. How could I not use them? And that's not my fault. So sorry, hashtag sorry, not sorry. So let's get going into it. I'm on another list, I'm sure. So here it goes. I PWN thee, I PWN thee not. It's quite simply the top three things that I really love my victims, targets, clients to do, that I love for them to do because it makes it easier for me to rob them. And the top three things that I hate for them to do, because it makes it harder for me to rob them.
And then a little bit of advanced training and stuff that you can go and take back to your office. It's like, I don't do those talks where it's like, here's just how it's broken. I like to help fix things too. My bio slide: this is, if you want to go check me out on Twitter or you want to go visit my website, I do things, I hack things, and that's an actual picture that someone put up in their SOC to warn them against me. And I told them, I said, congratulations, you've effectively stopped me and no one else. But I'm not going to be breaking into your building anytime soon. Congratulations.

And especially at DEF CON, you've seen a lot of really good technical talks. There's a lot of good hacking talks. There's a lot of good content here. And this is a good example of one of our problems with red teaming. It's like, I'm not a red teamer, so I'm going to make fun of them a little bit. When they get hired by a client, they go in and they're talking about how they're a ninja. It's like, I'm coming in and I'm breaking in. I'm going through the door. I'm going through the skylight. It's like, I'm punching people in faces and seeing their plans. It's like all these different things that they're doing, everything short of putting on my robe and wizard hat. It's like all these different kinds of attack vectors. And when they get done, they write this report and their clients are like, thank goodness, we're okay. They're like, no, look at all the stuff I broke. No, no, no. You guys are like ninjas. Y'all did so much. I mean, of course we couldn't withstand that. Of course we couldn't do otherwise. So we're protected, because it's like, we don't have to worry about those kinds of attack vectors. It's like, so that's the upper left-hand corner. That's what everybody thinks is going on. And so what I try to do with my clients, I do security awareness engagements.
I'm trying to teach them to be more security aware. I'm not trying to break something. I'm trying to help build something. So one of the things that I do is I tell them, look, I'm going to spend less than two hours on Google. And I'm not using Maltego. I'm not using any other tool, Recon-ng, none of that. I'm going to use two hours on Google, and I'm going to see what I can get. And then I'm going to walk into your building for the first time and see what I can walk into. And I've stolen computers that way from behind teller lines in banks. So it's effective. And what's even more effective is when you go to the client and you tell them, it's like, here's the report. And they're like, oh, wow. No, no. I had a shirt that said "hacker" on it and they still let me in your server room. There's a problem you've got to address. And it's like, yeah, but you've got all this research. Like, no, that was 30 minutes on Google and Facebook and your employees' Twitter profiles. And I was playing World of Warcraft at the same time. It's like, still haven't done Mechagon, so don't give me any spoilers. So that's what I tell them, so they don't have an excuse. There's no excuse for that. They have to take it seriously because they realize, I mean, I tell people, social engineering is so easy, even I can do it. And if I'm your common denominator, if I'm your threat model, you've got problems that you need to address. And that's what we need to start telling our clients and start telling our employers. It's like, not trying to show them how leet we are, but tell them how bad the problem is and why it needs to get fixed.

So, and the other issue, especially when it comes to our employers and companies, you look at the left and that's what your CEO expects. We need the fortress, you know? It's like, we need to build those, we need big, we need firewalls, we need bigger firewalls. They need to be huge. China's APT is going to pay for it.
It's like, that's what's going to happen, right? And then you go to them for a budget and what happens? Well, we'll give you that on the right. It's like, that's how much fun you're going to have. I'm sure you'll make it work, you know? It's dangerous to go alone, take this, and you're good. Which is a problem as well. So we have to start balancing the budget. It's like, what happens when we don't have enough resources but we're still expected to secure everything? So that's another conundrum that we're facing, and once again, I say one of the biggest solutions on that is always going to be your users. It's always going to be the people.

So let's get more into, this is actually one of my offensive talks, but I do get a little ranty. Sorry about that. So one of the first things that I love, I love when I come into a company and employees are not empowered or educated to question the unusual. That's amazing. And we're talking good employees, we're talking people that are smart, they know what they're doing, they know how to do their job, but no one's ever told them that part of their job was security. So therefore they didn't have to worry about that part. They're inside a secured building. The only thing worse than no security is a false sense of security. Because when you get past that guard with the badge reader or you get past this elevator lobby, it's like, well, you're safe. Good. Except I usually go through the freight elevator and I'm inside your building, and now you're not so safe, but you still think you are.

And this leads to one of the engagements that I was on at the beginning of this year. And it was a location, it was like an undisclosed location, because they're probably still upset with me, maybe. And I went in and I had one of the USB Ninja cables. It's not the cool O.MG cable. I've not seen that one yet, the O.MG cable. I can't wait to play with that one. But I got the USB Ninja cable and it's a Lightning cable.
It looks like a Lightning charger cable and you can plug it into a machine. You don't even have your phone attached to it, but you can charge your iPhone too if you like. And it comes with a detonator. It's not called a detonator, but I like to call it that because it makes me sound cooler. And you've got two different payloads by two different buttons. So I literally walk up to people in this one section, there's like eight of them sitting in this open office thing, because we all love those. And I went up to them and I said, excuse me, I'm doing a USB rights check. We're making sure our domain policy doesn't allow you to actually charge your devices on your computers, because you have certain outlets for that that you're supposed to be using. So I just need to do that check real quick. And so I plug the cable into their computer. There's no phone attached to it. It's just a cable. I plug it in. And I could, you know, I could walk away, or I can do something like that and do it all discreetly, like reach in my pocket and push the button and see what happens. Oh no, I pulled the detonator out. It's got a little box with an antenna and I go boop. It doesn't really go boop, but it sounds cool when you say boop. It's like, so, boop. And all of a sudden Notepad pops up on their screen. It automatically types out "Test completed successfully. Thank you for your cooperation," smiley emoji. Little odd, don't you think? A little odd. It's like, you know, some guy plugs in a cable and your Notepad's typing like it's possessed. I mean, these people must have dealt with ghosts before, because not one person out of eight questioned that. Not one person out of eight questioned a cable being plugged in and a payload deploying. That's a problem. That is not cool. It's like, I mean, and I was looking sketch, I mean, I was dressed as one of the scariest things I can be, a business person. They should have realized something. And so that's a problem.
We need to educate our users. We need to let them know that that's part of their responsibility.

Now, one of the things I hate, not the CIA, I'm sorry, guys that are in here, no, is open lobbies that are very secured and very wide, you know, clean lobbies, because it's hard for me to loiter. I don't know if that's really what the CIA lobby looks like. Can anybody tell me what it looks like? Just checking. Okay, so, I mean, I tell people the only way I'm going to get into CIA headquarters is coming in through the back door with a bag over my head. So I don't know if I'm ever going to actually see what that front lobby looks like. But yeah, those open spaces are horrible, because where can I loiter to check out what the traffic patterns are like? It's like, how can I get reconnaissance? How can I actually try to do any kind of Wi-Fi attack or RFID attack?

So this reminds me of another story. I was in Moscow, Russia in November, in November, going to a couple of hacker conferences, and I was at the one in Moscow and some friends knew I was in town, and so I'm already on a list right now. Someone's like, is he on that list? I am, trust me. Any list that any fed is thinking about putting me on, I'm already there, don't waste your time. So I go there and some friends from Kaspersky were telling me, hey, you want to come down to the headquarters? And I'm like, I'm friends with Eugene. And I'm not joking, I really am friends with Eugene. It's like, I met him at a conference. He was an awesome guy. Really funny. So I said, yeah, I want to show up and check out and see what the place looks like. So I get in there and I'm looking at it. I mean, I've got my hoodie on. It's freaking cold in Moscow in November, FYI.
And so I get in there and I've got my bag, and there's this lobby and it's got some really cool open lobby, and there's like two guards on either side of the receptionist desk area, but one's really attentive, like right there by where the employees go to badge in, and there's also this really cool elephant Dalí statue, you know, Salvador Dalí statue, which you should go check out on the internet. It's cool. There's these long leather couches and I'm like, awesome. And I can't help being bad. It's like, I'm not trying to rob them, but I always like to check to see what security is like and how it works. It's just one of those things that I do. I don't ever go anywhere with it, but it's cool to figure out. I was like, where's the cameras? What's going on? So literally, as soon as I get in there, I'm not going to the desk to the receptionist to log in. I just wanted to go and check to see what kind of security it was. I found out very quickly, before my butt touched leather, Ivan. I don't know if his name is Ivan, but he looked like an Ivan. Okay. This guy was huge. It's like his shirt was two times too small or his muscles four times too big, I don't know which. Ivan starts walking over to me and he goes, like, comrade, can I help you get to the receptionist? Are you meeting someone? I don't know how to do a Russian accent. But I was like, I mean, when you're that big, you don't have to be rude. He was very polite, very friendly, and it's like, just don't break me in half, please, you know. And so I was like, but I will tell you this right now, as soon as he said that, it's like, oh yes, I'm supposed to be here. Let's go and do whatever you need me to do right now. And that was perfect. That's what it's supposed to be. You're supposed to have your security that engaged. They're not supposed to just be looking at a screen.
They're not just supposed to be... I went into this building one time and my badge, my visitor badge, was printed on regular paper, and I just walked by and nodded to security, hey, what's going on? And they opened the door. That's not the way it's supposed to be. It's like, you've got to make sure they're questioning, make sure they're looking for the proper IDs, make sure that they're paying attention to what the lobby looks like, what kind of foot traffic is going on. You want someone like Ivan; you don't want someone like me going around getting into your buildings. So once again, you know, you can't talk about bad security without mentioning the TSA at least once. And sorry for any TSA. I'm joking, TSA is not in here. It's like, going to take security seriously for that.

So one of the biggest problems is no egress filtering or internal monitoring. One of the payloads that I have on my Bash Bunny, it's like, thank you Hak5, it's like, no plug, but one of the payloads that I have is I plug it in and it telnets to towel.blinkenlights.nl. It's a wonderful payload, because what happens in your command prompt, it runs ASCII Star Wars, which is amazing. Not so amazing is why in the world is Bob in accounting able to telnet to the Netherlands without anybody wondering why that's going on. That's a problem. Why do we have this egress filtering problem? How can you lose 1.83 terabytes of data from your network, Sony, and not have someone think about what's going on here? I mean, the networking department should have at least said, hey, do we need to increase the bandwidth? You know, someone should have noticed something. One terabyte of data should not go to Paraguay and not have someone question it. That's all I'm saying. No offense to the Paraguayans. So that's one of the things we have to do. We have to do proper egress filtering.
People keep assuming and they keep with this idea that our internal networks are safe. I'm sorry, the attack is coming from within the house. That's where it's at. Don't just do blind egress filtering. It's like, make sure you're monitoring. Don't just have all ports allowed for all your users to connect outbound. Because who's actually going in and just trying to connect and break right into the firewall? No, you're sending an email. You're sending a malicious link. The user does all the work for you. They run the payload. Now you have them calling back to your command and control center with a secure connection and they're established inside your network. It was... they started it. They didn't start the fire, but it was the other guy. Still, it's bad. I'm full of these, guys. I'm sorry. You have to make sure that you're monitoring your internal network. Because if you're not, don't worry. Eventually I will be. That's not something you really want.

One of the things that I hate though, and I mean I hate with a passion, dual factor authentication. What a bummer. Okay. I go through, I mean I buy all the cool Proxmarks. I got the Boscloner. I got all these really cool RFID cloning tools. You've got one of the key fobs that doesn't do nothing but it looks really cool when it lights up and people think you're serious. It's like, I got all those tools, and then I get to a door and boom, there's a keypad. I'm like, oh well, this was unexpected. I guess I'll just wander around and act like I'm on the phone until someone can let me in. And so you have to have dual factor authentication. You have to have multi-factor. And also, trust me, you can't just say you have dual factor authentication, have an RFID badge reader and then a keypad that has been so worn down on the number two and a four and a one and a three, and go, we're secure. I wonder what that passcode is. It's like, you know, what could that be?
It's like, you have to make sure that you're changing the keypads. You've got to make sure that you're using the right... I mean, it doesn't have to be that cool where it's like changing the combinations and you need to know the algorithms. That would be cool if you could do that, but it doesn't have to be that. Just something so people can't guess what the next passcode is going to be.

And another thing about dual factor authentication, it's like, by going in and seeing the company. I saw just recently a company that made some mistakes, but they also did something really amazing. They segmented their office building. It was in this big high-rise office building, but you could not get to the other section of the same suite without using a badge. And I had snuck in through the freight elevator, so I get there and I get to the door and I'm going, oh, I'm going to back up. I'm not going that way. I go over here, it's like, oh, maybe, okay, I'm just going to go to the break room and try to reorganize. And so, I mean, because that will stop... it's about delaying the attacks. I mean, I eventually stole a woman's badge who left it on the desk and everything, but still, it took time, and that's what you want. You want to be able to stall attackers' time. It's like, how many people here have a fireproof safe? No one. They're fireproof up to 3 hours. They're fireproof up to 6 hours. They're fireproof up to 12 hours. It's like, the more money you spend, the more your safe can withstand a fire. Explain that to your executives. The more money they spend, the longer you can withstand an attack before it gets detected, before it gets responded to. That's what you're looking at. You're not trying to stop the risk. You're trying to slow the attack as much as you can. So that would slow me down. That whole attack surface by being segmented, that was an opportunity moment. It's like, I didn't plan for that. I mean, look at me. I don't adult very well.
I don't plan for much. I mean, I just YOLO'd it and then I was stuck. If I wasn't just lucky enough to have an employee uneducated on their security awareness... it's like, the other attack that you do is you just wait with your phone. Everybody done that? You know, you wait with your phone like you're talking to someone. And then when someone opens up the door, you don't even acknowledge, you just walk right through like you're supposed to be there. That works very effectively. It's like, you shouldn't let that happen. But we have to have multi-factor authentication. You have to have that segmentation. There's got to be steps. It can't just be, I open the door, I own everything. If you're not, well, for you, you're going to have a bad day.

Now another thing that I see a lot of is everybody's got procedures. We all got policies and procedures. But how many people use them? And once again, another great example, it's like, thank you U.S. Government, Air Force. Two civilians somehow breached an Air Force base and were found only when one of them told the airmen she had been kidnapped, right here in Nevada. But it's like, what kind of problem do you have with your base security on an Air Force base that the guard didn't notice, oh, there's a guy driving in, in a regular, like a Honda Civic, very fast and very frustrated, and there's a woman, like, you know, up on the glass. It's like, it's okay. That's a problem. A lot of procedures failed on that, do you think? A lot of procedures failed. And this is not the first time that something like this has really badly happened on Air Force bases. One of my favorite stories was during the height of the Cold War, a Russian agent went onto an Air Force base in Germany and he walked in, went to the tarmac, went to one of the jet fighters, detached a missile from the plane, then he wheelbarrowed... I don't know. I'm hoping he stole it. They didn't tell me. I didn't read the history.
I don't know if he actually found it there or he brought it with him, but I hope he stole it there. So he took a wheelbarrow, wheelbarrowed the missile back to his car, stuck it in the back of his Mercedes-Benz, we're in Germany, and then drove off. But before he did, don't worry, he put the red tag on the tip of the missile, because German laws are German laws. You don't eff with those. Okay. So he then drove that home, disassembled the missile and piece by piece mailed it back to Russia, and they've got a very efficient mail system. You've got to hand it to them. Okay. And like, every piece made it. We all have to agree some procedures failed. Some policies were probably not properly enforced. Those are issues, and you can always say if that can happen to the Air Force, it can happen to anybody. It's like, especially if it's happening to the Air Force. No, if it's the Air Force... I don't have to worry about top secret clearance. Look at me. So it's all good.

So that's one of the things you have to talk about. You need to make sure that it doesn't matter how nice your policies and your procedures are on paper, if they're not being enforced from the top up, you don't have a policy. If your CEO has an exemption on the password reset policy, congratulations, you don't have a security policy. If your executives think that those rules and those security policies don't apply to them, I've got a surprise for you: the people that report to them, they think it doesn't matter to them either. And the people that report to them, they don't think it matters either.
So by the time you finish, within six months no one is actually following the policy except for Bob in the mail room, going like, I'm supposed to do this, you know, it's like, there's my stapler, I'm good. You know, it's like, no offense to Bobs or people in the mail room, you're counting, but still, that's what you've got to do. You've got to make sure that up on high, the executives follow the same security policies as everybody else does. That's important.

So now I went through that really quick because I want to get to some really good stuff, not just to be funny. Okay, hopefully I did get some chuckles. I was very happy about that, especially after the night I had. I'm stressing myself. But now we want to get to the serious stuff. Those are some of the things that I did or didn't do to get into a building or break in or rob people. So what can you take back to work? I've got some questions. I have questions for you to tell your employers, or ask your employers, or ask your users, or ask your security team, that maybe something needs to be done. It's like, some changes that could be made. These are some of the questions that are always uncomfortable, and some questions that may just give you a fresh look at it, and that's what I'm hoping I'm doing, is give you a fresh look at it.

One thing is Robert Hanssen. He was a malicious insider. He was malicious in his intent and the execution of his compromise. I can tell by some of the faces who the feds are. That's awesome. I can read faces, people. But so he was a bad guy. He was a really bad guy. But then you've got some genius over at the TSA, sorry, no, not sorry, the TSA, who allowed a public publication to publish the picture of the TSA keys. Does anybody need a copy of the TSA keys? Because you can 3D print them. Thank you, Johnny Xmas. You can actually print them out now. Which one was an insider threat? Both. Both are insider threats. We get so focused on looking for
attackers, looking for people that are doing something maliciously wrong, we don't realize some people with the best intentions are totally hosing you down. They are totally messing up your security system. I had a thought once. There it went.

So I was talking more on insider threat, so we're going a little bit further on that and we'll slide that over to here. This is an insider threat, correct? This is also a problem with policy. This was a story that Joseph Cox released. I'm going to go all the way over here and see if the mic works. Okay. U.S. Customs and Border Protection said the traveler and license plate image data hacked from its contractor was not found on the dark web. Because remember, a contractor took it, against their policy, against the contractor's policy; they had the data available on their internal network, they moved it to their internal network, then they were compromised. And the contractor was like, oh, okay, I guess we've got to report that we got owned, but everything's fine. And border control was like, we searched the dark web, you're good, you know. And I'm sure there was literally their PR guy asking their tech guy, what does that mean? Nothing, but it makes it sound really cool when you get owned, that you searched the dark web, because it's the dark web. Okay, so that worked out well for them up to about maybe three hours later, when a reporter searched the dark web and found over 300 gigs of the data available for download. So what was your insider threat there? Your first one, the employee that went against policy and downloaded the data onto the internal network. Another insider threat was the team that allowed that to happen in that contractor's company. But what else? Homeland Security's response team. They failed. You don't go and try to assure people unless you know facts. It's like, there's nothing scarier than "we're from the government, we're here to help, don't worry." That's almost as bad as saying "I'm from the internet, I'm here to help you." It's like, that
never usually ends well, people. So you've got to understand that those were all insider threats, but hardly any of them were malicious.

And I've got my other story. Remember that one when I lost it? Here it is. So we had an executive who worked at a bank branch, and he was a great employee. He was hard working, he was dedicated, he really, really wanted to do his job. So much, in fact, he calculated how much time he was losing in the conference room, not being able to respond to emails, not being able to see what was going on, getting his emails on his computer or sending things out while he was in a meeting with sales or meeting with other people, when he could have been responding at the same time and working and doing diligent work for his company. That wonderful employee, legit good guy, decided to put a Linksys router underneath the conference table, connect the internal network to the internet port, and voilà, now he can connect and get his emails, everything else. That was wonderful until I was able to connect to his access point and get access to everything else. But he was not malicious. He was not trying to do something harmful. So you need to understand not all insider threats come from the bad guy. Sometimes it just comes from, and I mean this in the funny way but also the nice way, it just comes from human stupidity. It's like, sometimes we just go, and I'm like, you think? You think? Maybe? Yeah, that's a bad thing.

So here's another thing that you need to ask: who do your employees ask for identification from? Especially, not that janitor guy, he's a little sketch, I'd definitely ask for him, but who else?
CEOs, executives, who would you ask for identification? All of them, yes. I even threw a little surprise in there, because if you look, the security guard's got an actual ID badge, but you look at all of them. My friend Ben Ten just told me this at a party here in Vegas, which is the reason why I love summer camp, is he gave me this story to share, and I did tell him I wasn't going to give him credit for it, but I just did, so sorry. But he found this one client that, what they did was they played a game of Where's Waldo. It was amazing gamification for security awareness for their users around the company. One employee would have a Where's Waldo picture on his ID badge, and he would wear that, and it would be a valid badge for his login, for other login information, and if an employee spotted the Where's Waldo, they got a hundred dollar gift card. Anytime someone spotted Waldo, they got a hundred dollars. Did people go and say, I'm going to be more security conscious, I want to make sure my company is protected, I want to make sure that my data is protected, I want to make sure there's no strange intruders in my building because there's safety problems, there's privacy concerns? No. They said, I want a hundred bucks, let me start looking at these name tags. They still are never going to care about your data, but you can make them be concerned about security in other ways, by showing them what's in it for them, what the positive aspects are for them. That's one of the things that you have to do. And so that was an amazing thing. I'm totally stealing that, by the way, but you know, I made it public, so too bad. But yet that is a wonderful thing to do for your employees: start a Where's Waldo competition.

Here's another one: what does your social media profile really say about you? That's a key question. It's like, I don't run Nmap anymore. Nmap is a great tool. It's like, I don't go and mess with the OSI model. I mean, I go with layer 8 right off the bat. Please don't make me do all of number 7, like I said. But after all
those other layers that are really cool layers, you've got layer 8, the human layer. I don't have to bypass your firewall if I can bypass your receptionist. It's like, if I can find out information from social media, I don't scan your network, I don't scan your firewalls. I scan Twitter. I scan your About page. I scan those kinds of information, because that's the information that I gather that convinces the person to click the link. I had a CEO, and I've told the story before, so I repeat again, sorry, a lot of people have heard my stories before, but one CEO hired me to do a pen test, a spear phishing attack. It was the About page and Twitter, his Twitter profile, to create the spear phish. That was all I used to target him, and he was the one that hired me, and he clicked the link within 12 hours of receiving the email. It's like, that's not a testament to what I can do, it's a testament to how people aren't properly prepared for it, and anybody can be susceptible. If I tell you that you've won a million dollars and all you have to do is change your name and send $3,000 by Western Union to this wonderful person in Ghana, people are going, like, maybe not that one, not clicking on that one. But if I tell you that I'm your co-worker, that I really enjoyed your going away party last Thursday night, and I hope you enjoyed the vacation in Cabo San Lucas with the family, Josh and Trish and Brian, are you going to click on that link that I provided in there, or the pictures that I took from your going away party? Are you going to click on those links? Possibly, because we're not telling them to be cautious of those things. We're not telling them to be curious about, well, why would they send it to me like this, and they're saying that their email is coming from this address, my internal email address, but it's responding to something else, because I hovered over the link. Because all your employees hover over the
links of the front page right good you're not liars that's awesome so yeah so you got to watch those things you got to teach your employees to be more suspicious and be careful what they post it's like I want to tweet my life I'm just trying to make other nations say it's happier and use less resources of tracking me but still a lot of people like to tweet their life you got to do it responsibly you got to do it obfuscation most of the time that I tweet somewhere it's like something that's cool I'm already gone it's like some people don't have that option some people are just broadcasting right out there I saw a bank on their Facebook page at their barbecue showing everybody what their badges look like and if you want to see why InfoSec drinks go do a search on Instagram for hashtag new job hashtag new badge that will make you cry okay it is sad it's like have a bottle of you know whiskey I don't drink alcohol it's like one of those big bottles of alcohol that's really strong it's like probably vodka right so it's like have them have that it's like when you start looking at those things now another thing is phishing is one of the leading causes of compromise but your employees really take it seriously we're talking about zero days still people everybody like bringing their barnophone to DEFCOM because I'm worried about the zero days the nature says it's going to attack me with yeah that'll happen keep waiting it's like everybody's worried about these zero days and I can still and I have friends that still find MSOA67 on their network that's 11 years old that's a 5,327th day why are we worried about those it's like you only worry about you know it's like that bad meme with the one girl and the guy and the other girl it's like you know everybody's looking at that zero day and here's the description what about me so I don't know no there's a zero day as soon as you get to two days two old were done it's like I'm sure IT compliance will take care of it that's a problem 
so you've got to understand that phishing is one of your severe problems because that's attacking human nature and one of the biggest things that I use to attack companies and organizations is human nature a false sense of security like it's never going to happen to me and curiosity and gentleness it's like oh I want to be kind I want to be helpful I'm an employee I'm supposed to help one of the best ones though is it's never going to happen to me was he something depressing go to the new search feature and search just for the sentence it was a quiet neighborhood there are some grisly things happening quiet neighborhoods people murders and deaths people going up to the neighbors and go like I didn't know about the hidden basement it's like he seemed like a really nice guy it's like those are really I want to live in a really loud urban area because those seem like a lot safer to me it's like those quiet neighborhoods are like really sketchy so it's like that's because we don't we never expected to happen to us it's always a quiet neighborhood until it's not it's always someone else that got compromised until it's not it's always someone else that clicked on the link until it's not he clicks on all the links we knew what's going to happen eventually okay so you have to watch out for those things test those things and we talk about testing things what about do you let your security systems make sure they are operating as intended because here's another mistake by the NSA where they improperly over over collected call data records for a second time last year documents show we're doing privacy concerns about the surveillance program due to expire in December I love that have you ever noticed that the NSA and Facebook almost the same have never accidentally given you a notification like oh by the way we're doing some changing settings and we accidentally made your profile a little bit more secure we accidentally blocked you down to private we accidentally made sure that 
your account says no when it's that mistake it's like woohoo wide open sorry about that Instagram it's like everybody can see everything how did that happen our marketers think us but it's like you may not so you have to test those who has a firewall and has sent malicious packets to it who has an IDS system that sent something besides an e-car to it who's got an IPS system who's got an IPS system to see it's working who's actually testing who's activating ransomware not in your environment don't worry I'm not thinking crazy I know it's F-con okay I'm not thinking crazy but who puts it on a segmented network and then runs it on their endpoint solution to see if it actually stops the ransomware it actually stops the compromise are you testing those devices and I don't mean having the sales engineer come in to show you all the bells and whistles all the flips and the flops and it's like there you go look how protected you are we discovered all these different things oh you're lucky you came to us in time we're done I'll see you later in about three months it's like but you were contacting me every day for a year but I know but we're good now it's like you're secure so you've got to test those products you can't just assume they're going to be done by default anybody who ever put a snort installation it's like you're going to have a bad day and one of the last things I want to talk about is what measures do you have that helps you justify your budget and your actions because guess what I got some bad news for you it's like the better you are the less you're seen there's nothing more comforting than going into a management budget meeting at the end of the year and telling your CFO hey you notice how you didn't really notice anything going on in the company this year if you give us two million dollars more next year we'll make sure you see nothing going on next year it's like a mob hit man hey got a nice network hate to see something happen to it you know it's like give 
me a little bit more on the big I can make this work that's a problem we have to show them something we have to show them numbers we have to show them metrics and you have them and you're not using them you got to create these charts you got to create numbers I mean everybody loves pie it's like give them pie charts it's like make them get these metrics how many quarantine emails did you get from your email gateway how many viruses were detected in your network how many firewall alerts did you get how many IPS rules went out how many actions that you had to investigate those are all numbers and when you want to get really scary you start looking at your internal networks like how many servers do you have patched currently how many servers how many workstations do you have patched separately how quickly do the data come out for your antivirus network how quickly do they get rolled out how quickly do the Microsoft patches you know it's patched Tuesday so that means it's a reverse Wednesday by this point Monday it's like that's how that works right it's like so do you have those things out and if it's Java you're just doing it every other day but still get those alerts get those numbers put those out there because your executives are not going to understand that per se but it's tangible it shows them numbers it shows that you're doing something okay because when they go by your cubes and they see you know the Game of Thrones action figures and the Nerf guns sometimes they may question themselves it's like why do we have these guys here after all you know it's like you've got to show them results you got to show them that you're doing something and they're getting their money's worth and one of the last things I want to leave it at is educate and empower your users how many people have noticed this is my 10th year speaking at DEF CON it's like I am a broken record I'm waiting for people to acknowledge it so finally I decided after 10 years I'm just going to up and 
confess it I only have one major message and that your people are your solution not your liability fix them stop trying to offset your failings and your misconfigurations and you're not properly teaching your employees onto them and take ownership of it we need to educate our users we need to make them understand that they are part of the solution not part of the problem stop trying to create technology to fix your users start getting your users on board to protect your technology and everybody succeeds so that was the rant part I promised so get right there for a second I promised Chris I'd be under 50 or he would under punishment of death and I think he was actually not joking so I've got 7 more minutes of questions or some questions you and then you what kind of metrics do I look for when doing a phishing campaign or the phishing or all the different kinds of phishing all those kinds that are all in and squishy but yes one of the key things is mostly just the numbers and one thing that I've seen done in the past and I highly recommend not to is you make sure you never record the name to executives about who actually clicked it's like every person that clicks on their first email test should be reeducated they said oh you clicked on the link we need to reeducate you need to go through another class the second time I think they should be done through a more stringent class and they should have restricted access and this is the one that's going to make everybody love me it's like on the third one they should be fired or extremely penalized it's like people keep letting do you let a delivery driver wreck your delivery van more than three times without you thinking you made an unwise choice I mean he keeps getting an accident turning left should we make him where he just only has to turn right or maybe we should get another delivery driver it's the third car cars are like what 50 grand computers are $300 million target thank you for telling us what that is but we're 
still letting them click the links and go unpunished about it so there needs to be education but there needs to be enforcement yes what's your question yes he asked insurance companies cyber insurance companies you know all the cybers will actually have policies that give you discounts for doing security awareness for your things I don't know I'm not one of those guys who's going to come up here and act like I know all the different answers to all the questions if I don't know something I'm going to tell you I don't know I know Jake Coons does risk based security and he is a way better person that would be able to answer that question you can check them on Twitter I think is the letter J Coons KLUNS and ask him that it's like that's a way better source than I am on questions like that any other questions no you just told us you didn't know the answer Jason screw you it's like no here goes one yes 10 years long I'm a veteran of the cyber wars I would say yes it's like he asked it's like is it getting better is the landscape getting better is security getting better is the community going out better and yes I think it's actually getting better I think we're doing better and reaching out and understanding what the problem is it's hard to tell when you go to certain conferences and all you see are blinky boxes it's like I mean oh look at this blinky box we turn the red lights to blue 10,000 times more AI and machine learning in this one protected by the blockchain it's like that can be a problem but understand that I think it's getting better because we're understanding that it's not just technology I think more people are looking into trying to do social engineering I think another good one is like with the social engineering village doing a conference in February in Orlando it's like they're trying to help train their users and trying to get people to understand that that's the human element that is your biggest point of failure in your network and how to protect 
against it yes that was a plug but you know I really trolled that guy really bad so I felt bad yes yes yes it's like when you want to use the character statistic train do lunch and learns train your he asks is like was there any other way besides the Waldo what else could we do to help train our users in a positive way do gamification it's like but that's part of the gamification but I will say this do lunch and learns teach your users how to reconfigure their wireless router online their home router how to teach them how to change their privacy settings and and see what their children are doing on facebook and instagram the sick talks and snapchat and whatever it is out there that everybody's doing that I'm too not cool enough for it's like do those show them those lessons and guess what's going to happen they're still not going to care about your data but they're going to bring that security consciousness back to work and they're like I'm not going to fall for this game at home I'm not going to do it here either so teach them how to protect themselves teach them how to protect themselves at home where it matters to them it's like and they will protect your data when they're at work I got one minute any quick question that I can like overlong and make chris mad at me after all yes one more sorry chris what would I do with people that are purposely doing open all the emails because they think they're protected by the I would fire them it's like there was a huge twitter drama and stuff on that because I was like how dare you and I'm like no it's like and policies don't matter procedures won't matter if there is not an enforcement employees are going to do only what is required for them to keep their job the reason why they're clicking on so many links is because you're not telling them for them one of the responsibilities they have to keep their job is to be secure as soon as you educate on that that's one of their job responsibilities that's one of the things they 
need to do to stay employed and feed and clothe their children guess what they will start taking it seriously it's like and until that you're not going to have it I'm done I won't drop the mic he told me not to thank you
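The talk asks for metrics twice: the budget-justification numbers (patched servers and workstations, how quickly Patch Tuesday updates roll out) and, in the Q&A, the phishing-campaign numbers with the three-strikes ladder (re-education, stricter class plus restricted access, then termination or penalty). The script below computes all of those from constructed sample data. It is an added example, not code from the talk or from the speaker; the campaign rows, user names, host names and dates are invented, and the 14-day patching SLA is an assumption of the example.

```python
"""Security-program metrics from constructed sample data.

Added example (not the speaker's code): phishing-campaign click and report
rates, a per-user three-strikes escalation, and Patch Tuesday compliance.
"""
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed phishing-simulation results: (campaign, recipient, outcome).
# Outcomes: "ignored", "reported", "clicked", "credentials" (clicked and
# submitted a password). Every row here is invented for this example.
CAMPAIGN_EVENTS = [
    ("2019-Q1", "alice", "reported"), ("2019-Q1", "bob", "clicked"),
    ("2019-Q1", "carol", "ignored"),  ("2019-Q1", "dave", "clicked"),
    ("2019-Q1", "erin", "reported"),
    ("2019-Q2", "alice", "reported"), ("2019-Q2", "bob", "clicked"),
    ("2019-Q2", "carol", "reported"), ("2019-Q2", "dave", "ignored"),
    ("2019-Q2", "erin", "ignored"),
    ("2019-Q3", "alice", "ignored"),  ("2019-Q3", "bob", "credentials"),
    ("2019-Q3", "carol", "reported"), ("2019-Q3", "dave", "clicked"),
    ("2019-Q3", "erin", "reported"),
]
FAILED = {"clicked", "credentials"}

# Escalation ladder as described in the Q&A: retrain on the first click,
# stricter training plus restricted access on the second, HR on the third.
ESCALATION = {
    1: "re-education class",
    2: "stringent class + restricted access",
    3: "HR review (termination or penalty)",
}


def campaign_summary(events):
    """Per-campaign click rate and report rate, as percentages."""
    per = defaultdict(Counter)
    for campaign, _user, outcome in events:
        per[campaign][outcome] += 1
        per[campaign]["total"] += 1
    return {
        c: {
            "click_rate": round(100 * sum(n[o] for o in FAILED) / n["total"], 1),
            "report_rate": round(100 * n["reported"] / n["total"], 1),
        }
        for c, n in per.items()
    }


def click_counts(events):
    """Cumulative failed tests per user across all campaigns."""
    counts = Counter()
    for _campaign, user, outcome in events:
        if outcome in FAILED:
            counts[user] += 1
    return counts


def escalation_tier(clicks):
    """Map a user's cumulative click count onto the ladder (caps at rung 3)."""
    return "none" if clicks == 0 else ESCALATION[min(clicks, 3)]


def patch_tuesday(year, month):
    """Second Tuesday of the month, Microsoft's regular release day."""
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(1 - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)


def latest_patch_tuesday(as_of):
    """Most recent Patch Tuesday on or before `as_of`."""
    pt = patch_tuesday(as_of.year, as_of.month)
    if pt > as_of:
        prev_month_end = as_of.replace(day=1) - timedelta(days=1)
        pt = patch_tuesday(prev_month_end.year, prev_month_end.month)
    return pt


# Constructed inventory: host -> date its last cumulative update was applied.
HOSTS = {
    "web01": date(2019, 8, 14), "web02": date(2019, 8, 20),
    "hr-ws-07": date(2019, 8, 13), "db01": date(2019, 7, 20),
    "kiosk-01": date(2019, 5, 2),
}


def patch_compliance(hosts, as_of_iso, sla_days=14):
    """Share of hosts patched since the last Patch Tuesday, plus the hosts
    that have exceeded the assumed SLA of `sla_days` after release."""
    as_of = date.fromisoformat(as_of_iso)
    pt = latest_patch_tuesday(as_of)
    current = sorted(h for h, d in hosts.items() if d >= pt)
    stale = sorted(h for h, d in hosts.items() if d < pt)
    overdue = stale if as_of > pt + timedelta(days=sla_days) else []
    return {
        "patch_tuesday": pt.isoformat(),
        "pct_current": round(100 * len(current) / len(hosts), 1),
        "overdue": overdue,
    }


if __name__ == "__main__":
    for campaign, rates in sorted(campaign_summary(CAMPAIGN_EVENTS).items()):
        print(campaign, rates)
    for user, n in click_counts(CAMPAIGN_EVENTS).most_common():
        print(f"{user}: {n} click(s) -> {escalation_tier(n)}")
    print(patch_compliance(HOSTS, "2019-09-05"))
```

The click counts are cumulative across campaigns on purpose: the ladder in the talk is about repeat behaviour, so a per-campaign view alone would hide the user who fails every quarter. The report rate is worth graphing next to the click rate, since a rising report rate is the positive number that shows the awareness program is working even when the click rate is already low.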