The next talk, this coming talk that we have right now, is a very, very good segue from Chris' keynote. But before I introduce you to Catherine and Chris, I want to take a few minutes to give a public service announcement. Around the second talk, before the beginning of the second talk, I want to give a public service announcement on a topic which I'm sure some of you may be familiar with: sexual harassment. I want to just let everyone know that it is absolutely not... like, it is an absolute no-no. Like, just don't do it. It is giving the security community a black eye and ultimately the tech community a black eye. Completely wrong. Don't do it. Don't go there. Don't do anything stupid. All right, we'll leave the Code of Ethics and the Codes of Conduct here at DEF CON. Just don't even go there. I mean, that's all I'm going to say. Just don't do it. Just don't give this community and cyber security a black eye and a bad name, as it already has. That's all I want to say. Because, you know, we here, especially the Wall of Sheep and the Packet Hacking Village, I mean, it's absolutely a no-no. Don't go there.

Okay, so now it is my pleasure to introduce you to the next two speakers. And these next two speakers, I guess the best thing I will say is they don't need a lot of introduction. And a lot of what you may have heard about the speakers, especially the gentleman to my right, half of what you heard is not true. So without much ado, it is my pleasure to introduce you to Catherine Oman and Chris Roberts.

Thank you. It's our pleasure to be here. This is my first time presenting at DEF CON Wall of Sheep. Chris has done this multiple times in various places, so he will no doubt be a little more comfortable with this than I am. Absolutely. So just a quick bit about where this presentation came from.
Basically, I had been sitting in on a bunch of BSides conferences and some other conferences, and in particular a keynote that Chris Nickerson gave in which he talked about some of our failings as techs and geeks and hackers. And I started to think about the topics of the conversations that had been going on in these conferences and realized that there seemed to be a missing piece. And then in following some of what Chris talks about in his blogs and some of the talks he gives, I started to put together in my own head an idea of where I could take that topic, and then reached out to Chris and said, would you be a part of this? And he, fortunately for me, said yes. So with that, we're going to talk about a situation in which an organization has ultimately been hit with some sort of horrible ransomware, because we never hear that these days. There's never any cases of ransomware.

So while Catherine's sorting out the geek stuff that we all do a wonderful job of... can you guys hear me now with this stupid thing? All right, brilliant. So what Catherine's failing to say is the fact that, let's face it, if any of you follow me on Twitter or LinkedIn or anything else like that, there are somewhat regular occasions when I want to actually taser most levels of users, managers, executives, lawyers. Actually, lawyers I don't want to tase. We just want to take them out in the field and shoot them. And so I'm occasionally known for that kind of an attitude. So when Catherine actually came up and said, hey, I want to do a talk on how we communicate with people, especially when the shit does hit the fan, it was one of those where I had to take that step back and, rather than being the somewhat rambunctious, rather annoying person that I can be on a fairly regular basis, I actually had to go, how do we effectively communicate with the various different teams and various different groups that we have? Are you good? I do like it when we have a technical audience as well.
The six of us are helping. At this point you're going to be watching it on a small... oh, there we go. Well done. Where the hell did he go? There he is. Well, yeah, actually, yeah, we probably can. If any of you have seen the Twitter feed this morning, there's an entire small distillery in the back there. All right, I'm going to hand it over for a second.

All right, so first, even though you know who he is, we'll talk a little bit about me, because most of you probably have no clue who the heck I am. Okay, so who are we? Well, that's me, sort of, at least. I like to sleep a lot. All right, fine. This is really me. I've been at the University of Buffalo for 17 years. I've been in security for about 10 of those. I have some certifications and some degrees. I'm probably way overeducated for what I do. And none of my degrees, by the way, have anything to do with any of this, really. So, that's sad.

All right, so why should we care about this topic? I don't know. So, what are the odds of being hit with something like ransomware? Well, they're pretty good. In 2016, we had a small number of these, right? This is the United States: 1,093 breaches. We're already past that at the halfway point of the year. And what they're predicting through the end of 2017 is over 1,500 breaches specifically targeting, or specifically involving, malware of one variety or another, and in many cases ransomware. So, you know, many of you have probably seen these quotes, right? There's only a couple of types of companies out there: the ones that have been hacked and those that will be. And now we're talking about the ones that will be again, because most of the time it's not just a one-and-done. They get hacked, somebody pops them, and it's not too long, even after the cleanup, that they'll be hacked again. I can tell you that there is a hospital in my neck of the woods that got popped. And I can tell you that DNS for that particular hospital is still wide open. And this happened months ago.
They still haven't addressed some of the basics. So, you know, what do we do out there? Well, in some capacity, whether we're hacking for good or for evil, in theory we are some form of infosec professional, right? And as infosec professionals, we're really good at some things. We're really good at, like, diagnosing and fixing things, most of the time, right? Like Rob came up and helped diagnose and fix the problem we were having this morning. So we're pretty good at this. There are some things we're really not good at. One of the things we're really, really not good at is communication, right? I mean, I know many of you probably feel this way if you're ever dealing with folks who are less technical. And in some cases, even with those of us who are technical: it's not the computer, no. And I think in some cases we're still doing that. We're still blaming everybody else. All right. So, you know, we're not so good at verbal and written communication. We're really not. Another thing we're not particularly good at, speaking to that tasering: patience. We don't often have a whole lot of patience.

So, given the fact that these are the things we're not particularly good at in this community, are there any repercussions? You think there are repercussions for us not communicating all this information well? Yeah, quite a few. Okay? You're going to have issues with people losing trust. They're not going to want to come to you when there is a problem. And they need to be able to come to you when there is a problem. There are all these processes out there to start to educate folks, all these phishing programs that are out there. And the problem that I see with most of these programs that are in place these days is that at some level there's negativity. And if there's negativity, and I don't mean necessarily that you're even intentionally being negative with the users.
I mean, if you're talking to a fellow coworker and you're saying something like, ah, Joe Blow fell for that again, you've got negativity on the brain. You're not thinking, okay, if this is a person who always falls for this stuff, what controls can we put in place? Now we know he's part of that one to five percent that may never learn. Okay, we can compensate for that. Absolutely. So it's also going to cause problems with communications, in that there's going to be more conflict. You're going to have a more difficult time in the future. So ultimately, this is not ideal.

So what happens when your company gets hit? Uh-oh, right? Now the shit's hit the fan. We now have to deal with it. And we're so caught up as techs in trying to fix the problem, and only saying what we absolutely need to so we can get back to fixing the problem, that we don't realize we're making it worse on ourselves. So we need to frame the conversation with the audience we're going to have it with. So it's important to anticipate the questions that each level is going to ask you. Some of them are going to be the same and some of them are going to be radically, radically different. And how you respond to them is going to depend in part on the framing of the questions, or the answers that you're going to give to these questions, for that particular level. And you need to consider how you're going to communicate this. So what kind of channels are you going to use? And there are some considerations regarding those channels. I mean, number one, given whatever hit you, you may not have all these channels available to you. And number two, depending on what's going on in your particular company, there may be legal implications, which is in part why we have that final bullet. Because that may be the only way you're allowed to tell people in some instances. And I mean, ideally, if you can do this in person, I really think that's without a doubt the best way.
But if you've got a company of 10,000 people, you may or may not be able to do that.

So let's start talking about the end user and how we're going to communicate to them. So here's your average end user, right? And honestly, it's okay that they're at that level. There's nothing wrong with somebody being at this very basic level. And we need to understand that and make it okay in our own heads. Yes, it can be frustrating. So what is the end user focused on? Well, they're focused on their day-to-day existence, right? Getting their jobs done. You're going to use this as an opportunity, a training opportunity for them. Whether they were the ones, the one or one specifically responsible for what happened, which we all know with ransomware is very, very easy to do. But it doesn't really matter whether it was one particular person or a whole group of people. You're essentially going to use this as a teaching moment. And don't just teach them about why it's important at work. Explain why this is important everywhere: whether it's at home, at work, with their kids. Because the more you explain to them about how this matters to them as people and not just employees, the faster you will get buy-in and the more they will understand. Absolutely. And you need to use effective and efficient communication to do that. And we're going to talk about what that actually means. So it sort of goes to what we've been saying, right? You want to talk to them at their level, in a way they're going to understand. Be concise. Less is more. But that doesn't mean that you're going to talk down to them in some way. You may need to be judicious and leave out specific information, because there may be corporate information about whatever's happened that they shouldn't necessarily know. But that doesn't mean you shouldn't try your best to answer their questions as honestly as possible. And you've got to be patient.
Even if it means afterwards you go and you bang your head and tear your hair out and taser. So, you know, be patient. Absolutely. Engagement is going to be your key. You need to engage whoever your audience is going to be. And as I mentioned, you need to be upfront and honest. If you do this lies-to-children thing... I mean, how many people know that when they have little kids and the little kids ask a question that seems simplistic at an adult level, but you're like, oh, how do I explain this to a kid? Like, you know, where do babies come from, right? So how many times do you hear a question like that and you think, oh, I don't want to answer this, so I'm going to give them the stork story or something silly? And, you know, I mean, this is kind of a bizarre example. But the bottom line is it will come back to bite you, because someone will inevitably tell them the truth in a way that they don't understand and that then frightens them, and you've now done everybody a disservice. So, you know, you don't want to do that. Nope. And you need to reassure them. If there's somebody who is terrified of what's happened, you know, you don't want to lie to them, but you want to assuage their fears, which means answering their questions. And if they come to you and they say, oh, my computer is doing this weird thing... We had recently at the university, I had an email from a woman who was very concerned because she'd received an email and somehow thought that by receiving this email, which had no links and no attachments and nothing in it, it could have infected her machine, because she could tell it was spam, right? So she was very concerned about this and didn't understand. And I had to explain to her: no, this won't impact your machine at home. No, you're okay. It didn't impact your online banking. I mean, you know, we as techs know, if you get a text email that has nothing attached to it, chances are you're probably okay, right? You just delete it and go on with your life.
But for these people, perception is everything. They think it's reality, and we need to take that into account when we're talking to them.

Move on to middle management now. Calm down, it's all good, right? They're going to be focused on whatever business process they're responsible for, and that could be radically different at different companies. You could have a couple of middle managers. You could have a ton: could have an HR person, an IT person. I mean, you could have a zillion of these, right? So depending on what particular business process they're involved in, that's the thing that they're going to be really, really focused on. And once again, you need to be talking to them at a level that they can understand. And again, we're talking about effective and efficient communications with them. Help them understand what's going on. Middle management is hard. So here's what an ideal middle manager looks like, right? They have this huge set of skills. How many of you have ever seen an ideal middle manager who has all these skills? Raise your hands. Anybody know any of these? Yeah, because typically, typically they're like this, right? There's no such thing as an ideal middle manager. They don't have all those qualities. They might have a couple, and that's a good thing. But typically they don't have all of them. So how do we talk to real ones? We're going to engage with them. It's a tough place being a middle manager. All the people who are above you want to keep you where you are, and all the people who are below you want to be who you are. And so you're getting pressure from both above and below, and you're trying to do your job. So how do you manage that? Well, as the IT person, or the red team or the blue team, whoever you are in that position, you're there to help them. Help them look good. Ultimately, that makes everybody's job easier. You need to be empathetic, which is really hard sometimes when you've never held that job. And that means having a full plan.
You know, to what Chris was saying, this whole idea of we walk in, we break stuff, we leave. Well, we don't want to just walk in, break stuff, and then say, okay, we need to get here. You need to help them figure out how to take all those steps, and that means a full, complete plan to get there. Not, well, you need to follow these guidelines, and just read them and do what they say. Well, that's not useful. You need to do more than that. So the plan's got to include everything: what happened, what your end goals are, and the actual specific steps, working with the middle management to figure out how you're going to get there. So these are just some of the things that you need to keep in mind in your plan.

But management also needs to be responsible for their users' behavior. Now, what does that mean? Does that mean that, like, you need to take the onus somehow, or the managers have to say, oh, it's my fault that, you know, Joe Smith didn't bother to pay attention and he clicked on something? No, it means what I was talking about earlier. You're always going to have some portion of your user base that isn't going to do the right things, no matter how many times you tell them, no matter what training they go through. So what this means is, you're going to help middle management understand that they need to figure out who they are. Because the other people, they can figure out who they are and they can educate them. And for those people that they can't educate, and there's no way to get around that, you can have them work with them to put controls in place to deal with that percentage. Because if they and you don't know who they are, then there's absolutely nothing they can do. So management has to take that responsibility on. It doesn't mean necessarily they have to go to each and every person and find out; they can delegate this. But they need to find out, and it needs to be part of what they're doing, and you need to help educate them to realize that.
And these are just some of the areas, in terms of engaging with middle management, where you need to consider which direction they need to go. You're going to coach and encourage a different form of collaboration, but do they need to manage stuff? Do they really need to control stuff? Is it stuff they can delegate? There are all these different factors. And this kind of goes back to some of the questions that you need to make sure there are answers for. If we're talking about some form of ransomware, there's always the question of, do we pay? And ideally, as infosec people, we're going to tell you that's probably not a good idea. But maybe there's a situation where the company decides that's in their best interest for some reason. They need to know this answer long before this happens. And if they don't already know this answer before it happens, they had better have this answer ready for upper management before that upper management comes calling.

So let's talk about the C-suite. So they're going to focus on the big-picture stuff, right? You need to think, when you're walking in there, it's going to be as if you've got 30 seconds in an elevator to have that conversation. So now you need to be even more concise with what you're talking about. Very, very, very specific details. And yet they need to be very broad in nature, because what that C-level is focused on is going to be an overview of the company at various levels. So here are kind of the bullet points. You're going to describe very generally what happened. You're not going to talk in technical terms. Even if they understand technical terms, that's not where their brains are. That's not what they're thinking about. You're going to provide this best case, this worst case, and the most likely scenario, because that's, again, what they're thinking about: the overall big picture. What is the possibility of this being a complete catastrophe?
And not only that, you want to try to tell them, if you know something about the underlying causes of what happened, which in a ransomware case is probably somebody clicking on something they shouldn't have. And what are the consequences going to be for that organization if they can't get their data back, and you've talked to the other IT people and maybe their backups haven't worked in the last year. And remember, of course, they are people too. Sometimes I know it's really hard to remember, but at the end of the day, most of them go home, some of them to families, and they're trying to have lives too. And it's really, really hard on them to have this hanging over their heads. So, again, be empathetic with them.

So, metrics. Metrics are going to be something really important at this level, but not just any metrics. You want metrics that are really meaningful. Something that is meaningful and measurable is going to be far more useful. And I can give you an example from my own institution. So one of the things that we put in place is that for emails that come in with links that go out to websites that have done some sort of a screen scrape and look just like our Shibboleth login page, we've put in a redirection, and that redirection goes to an educational page: you've arrived here because you clicked on a bad thing, and just so you know. The tool that we use to put that in place actually gives me click metrics. I can say, by doing this, we prevented X number of people, because I can even sort by IP address, from going to this space. And what that tells our folks is, hey, this tool we bought, it's giving us some value for that, in a context that is important to our management. And, you know, your CFO often knows those fiduciary legal requirements for their company. So let that person teach you, and turn around and help them understand the requirements and the regulations within IT that correspond to that. Work together on that in CFO land.
In COO land, there are a couple of different kinds. I'll let Chris talk a little more about this. And there may be some very basic things that a company hasn't even done. I mean, speaking of boxes with blinkies, right? So if you have a company that hasn't made executables unavailable in email, does it really matter what shiny, blinky box you put in front of it? Probably not, right?

So ultimately, the question then becomes: was the message received? You've now had these conversations with these different levels. So how do you know if that message was received? Well, one of the things you're going to do is you're going to pay attention to body language, right? So we're going to talk a little bit about that. This is our last topic. Caveat: this assumes the person to whom you are speaking is not a really good actor. And there are people out there who are amazing actors. They have a persona at work that you would never, ever see at home. So remember that what we're going to tell you next is really about a tool, you know, the set of tools you can have in your toolbox. It's not like the be-all and end-all. So in terms of non-verbal communication, you know, what do you think's going on there, right? You're going to look at body posture, facial movements, gestures, handshakes, somebody's breathing, right? But the problem with looking at these non-verbal cues is, are they always going to tell you the same thing? So if you look at these examples, what they all have in common is that they could be interpreted in multiple ways. So any one particular clue that you're getting may not be... because you can read all kinds of things about this stuff. And in fact, when I was putting this together, I found a whole bunch of websites that said things like, you know, oh, if you have this kind of movement, it means this. So any one of these by itself can be very misleading. So you have to consider... you've got to ultimately synthesize these non-verbal cues together.
If you put them together, that's ultimately how you should be arriving at whatever you think is going on. So if you have, as this gives an example, raised eyebrows and fleeting eye movement, as well as, you know, they're grabbing hard at something, they're probably very uncomfortable. But, you know, if they're just grabbing hold of something, that may not have anything to do with discomfort. It may be that they're just thinking about something else at home that's making them stressed out. Yeah. Or whatever their beverage choice might be. Get to know them, right?

Ultimately, it's our job to educate, not adjudicate. When you are talking to these folks, this is not a judgment. Don't taser them. It's essentially a judgment-free zone. Whatever they tell you, whether it's your end user, your mid-level manager, or your C-level folk, you know, teach them. Don't judge them for their beliefs or their thoughts or, you know, whatever they're communicating to you; help them understand. Learn what they know and trade knowledge with them. And as many times as I hear, oh my God, there are these jerks who are in security, because there certainly are, right? Be the change. If there are all these jerks and you want to see fewer jerks, be one of those folks who isn't a jerk. And teach your friends to not be jerks. We can't effect change without changing ourselves. So be the change you want to see out there.

And with that, we just have some thank-yous. I wanted to thank my university and Chris's company for allowing him to be here. And of course, Wall of Sheep for having us. We can't thank you enough. Yes, thank you so much for coming. If you have questions, we're happy to take some questions.