Make sure you tap that, you're going to tap that right there, and you're going to hit start like that. All right, next up we have Kashish Mittal with "No One Left Behind: Security Defense Through Gamification, Including CTFs." Please give them a warm Toorcon welcome.

Thanks, guys. Yeah, so I'll be presenting on "No One Left Behind: Security Defense Through Gamification." You guys can still hear me? Cool. Right, so I actually work as a security education engineer at Elevate Security. Before that I was working at Duo, and I've worked at a couple of banks before that. So just to let you guys know, I have an Indian accent. This is how I speak; I'm not trying to do a bit, I'm not trying to pretend to be Apu. So this is the next 20 minutes of your life.

Okay, so why should you guys listen to me, right? So I did my bachelor's and master's at CMU, so I have a bit of an idea about security. I have gone through security education training at more than five organizations of varying scale. I'm a member of PPP, so hopefully some of you guys know us, and a lot of the security that I have learned is through CTFs, so I think that can be replicated for other people.

Okay, so let's do some exercise before lunch, right? How many of you actually have some sort of security education, information security training, at your company? Show of hands. So pretty much the entire room. I can see a couple of people not raising hands; probably they're not paying attention, but that's fine. So out of those people, how many of you think that the training that you guys get actually helps an employee fight a sophisticated or a dedicated attacker? Okay, you guys put your hands down way faster than I anticipated; I had follow-up questions. But I can literally see two people's hands up.
So yeah, basically the idea is we have training today, but I don't believe, and the industry doesn't believe, that it helps you fight against a sophisticated attacker, or that it actually helps a lot of people contribute in a positive manner to the security posture. So that's basically the issue that we're trying to solve. So the idea behind my research, my work, this presentation, is to improve the security skills and the security behavior of technical as well as non-technical employees. Remember, we don't want to leave anyone behind. That's basically the idea.

So what are some of the issues with current-day, or industry-standard, security training? Firstly, there is a one-size-fits-all solution, right? So if you're a security engineer or a developer, you don't get the same sales training as a sales guy or a sales engineer, right? So why do we give the same security education or the same security training to everyone else in the company? That doesn't make sense. Second, a lot of times it's assumed that the employees, especially non-technical ones, aren't good enough to do something. That's not the case a lot of times; they just don't care. So we have to address that. Third, a lot of times training actually takes place, but the organizations don't care about measuring the effectiveness of the training. So you know that you were at X level before, that you did some training; whether you went above or below or remained the same, the organization doesn't care, or they don't measure it, or they don't collect feedback. So you really don't know how effective it was, whether it helped the employees or not. And one thing I want to note out here is compliance and attendance requirements, or completion.
They are not measures of effectiveness. So if you go up to your CSO or your CIO and say, okay, 70% of the people completed the training, that means nothing, because you don't know whether it helped them, whether their security posture improved or not. And lastly, we care about retention. So if they learn something and they forget it the next day, they don't really implement it, and the training isn't as successful. So these are some of the issues that we want to fix.

Before that, let's actually talk about why gamification can help. So the idea here is that gamification provides a bunch of advantages that traditional video-based training, or even looking through a doc and answering some MCQs, doesn't. So one of them is the points and levels, just like when you play a video game. There is a puzzle-based format, right? So a lot of times you're answering security questions or you're actually solving a CTF challenge, so it's more like a competition rather than just an MCQ test. If you implement it company-wide, there's often healthy competition between the employees; they want to outscore each other on points, etc. We have tried this at some of the companies that I've worked at, so you can organize a CTF night where a lot of people do this together. So it's a fun activity for them to do. And prizes, which is one of the biggest motivations anyway.

So yeah, for those of you who are not familiar with CTFs: CTF basically stands for "capture the flag." As it stands today, it's an infosec competition mostly played by security folks or people who are interested in security. It's a web-based version of the actual physical game. So I'm sure some of you might have heard of the physical game where you go around in the real world finding clues, and ultimately you get a flag or an object.
So it's an online version of that. Instead of finding flags, you basically find strings of alphanumeric characters, which give you the points. You have both attack- and defense-based challenges, and a lot of different categories like reversing, web, crypto, forensics, and other stuff, which actually help you gain a lot of the practical skills that you need to succeed as a security engineer, or even as a developer thinking about security. Some of the famous CTFs you might have heard of are DEF CON CTF, CSAW CTF, PlaidCTF, Google CTF, picoCTF. I think there's one going on outside also. So yeah.

So I went to CMU, where we actually organize picoCTF. That's, as far as we know, the world's largest hacking competition; this year, 2017, more than 18,000 students played. So it's catered more towards high school students and college students, trying to get them interested in cybersecurity and to think about security as a career, and this year we had an exponential increase in the number of participants, to 18,000. One of the things that we added this year was the gamification version. So you could still go and play the black-and-white text command-line interface and just solve the challenges, or, as you can see in the picture, you can go and play the puzzle-based or video game format. You still are solving security challenges, but sometimes you get hints and stuff like that. So this has really appealed to kids.

So we discussed some of the security issues earlier, right? How do CTFs actually address some of those issues?
So firstly, you can create customized content. As I discussed earlier, you don't want to provide the same level of training to everyone, and what CTFs or CTF challenges allow you to do is actually define it in terms of their job function, whether they work in a tech space or a non-tech space, whether they work as a sales engineer, a security engineer, a lawyer, a finance person, and also on their job level, sorry: whether they're just starting, whether they're supposed to be the CSO, whether they're supposed to be VP of sales. So you can customize the challenges based on that. One advantage, apart from all of this, that it provides you is that you can also evaluate their skill or their level of security awareness beforehand, before providing the training. So you don't want to provide redundant training to employees. Like, if I already know everything there is to know about phishing, or most of the stuff, and you start by saying, okay, this is what spam is, or this is how a phishing link works, my interest is gone in the first five seconds. So you don't really want to do that. So you can fix this by actually starting them with more technically evolved CTF challenges.

So yeah, I have a couple of examples of non-tech challenges that you could create. So you guys can take a minute to probably read through it. And yeah, just to clarify, these are dummy accounts that we create, so we're not encouraging them to break real-world accounts or anything.
It's all simulated. Yeah, so the idea behind this challenge is to educate them not to use any publicly available information in their passwords. Similarly, another challenge that we created is this one. As you guys can probably guess, the lesson here is don't reuse your passwords; have different passwords, and if you need a password manager for that, that's fine.

So yeah, the other thing that I wanted to discuss is motivation. So this is actually one of the toughest parts to solve, and that's what makes this area hard, because you're trying to deal with a wide array of people, right? So everybody has their own set of motivations. So you need to kind of appeal to all and create a solution that works for pretty much everyone. And that's why you can use a bunch of gamification rewards. So some common things that work are manager appreciation in your one-on-one; if you guys have a public shout-out forum or a Slack channel, giving the guy credit there; a lot of people like swag, gift cards, Slack badges. So this is something that has to be customized as per your organization, depending on where you work and what your employees value. You have to give them that incentive. We actually ran a survey at one of the companies, and we offered them either a gift card or a recommendation letter from their engineering manager, and inevitably everyone chose the recommendation letter, except for security engineers: security engineers wanted the gift card.
So yeah. The other thing is to actually analyze the results of the CTFs. So just like we mentioned earlier, there isn't enough analysis of how their security awareness changed before and after. So CTFs kind of do that for you automatically. So if somebody solves, let's assume, a phishing question, or a password hygiene question, or a reversing challenge, you know what level they were at earlier and at least the bump that they've gotten by solving these challenges. The other thing is you can measure this very well. You can measure this on an individual level; if you want to evaluate in terms of a team, or measure the entire company, this can be done. So you get a lot more insight into who it is working for, who it is not working for, and stuff like that.

And finally, a lot of research has shown that active learning and experiential learning is much better than passive in terms of retaining it longer. So firstly, what we use in CTFs is a learning-by-doing methodology. So instead of teaching me what a Caesar cipher is, or how to decrypt a message, you just ask me to do it and I learn as I do it. The other thing is CTFs actually help employees get into the attacker mindset. So for a lot of people who are not as familiar with the security space as security engineers are, it gets their thought process going about how an attacker could go about breaking the system, or how they could attack me, and then also a follow-up of how I could try to defend against that, or how I could stop this. Yeah, as I mentioned, experiential, active learning is much, much more retaining than passive learning, just looking at a video or just reading a doc.

There are some other ancillary benefits. So you can find out what level of security awareness an employee is at before giving them the training. It's highly scalable. So a lot of solutions that were discussed here or at
other conferences are like having a tabletop exercise or having one-on-ones with the employees. So that doesn't really scale, but for this, all you have to do is deploy one CTF with different challenges throughout your company, and you have the back end to analyze. So it scales: even if you scale from a hundred to five hundred people, there's not a lot of work. The only incremental work is maybe after every six months you want to update the challenges and get the employees to work on your challenges. So that's much easier than running the exercise for those five hundred people. And yeah, another thing is you can measure their awareness, their effectiveness, as you train them. So they are being trained by doing those challenges, and if they solve a particularly tough challenge, you understand that the employee gets that thing. So it kind of works both ways: you know what level they are at, and as they improve their level, you constantly get updated. So yep, these are some of the advantages.

Some key takeaways from my slide, from my presentation, sorry. So I think all of us agreed, or at least by show of hands that was the consensus, that current methods of security training and awareness are not great. Training needs to be customized based on job function and level to have maximum return on investment. It's really important to motivate your employees so that they actually care about security and want to be involved in contributing to the security posture. Active and experiential learning helps retain better than passive. And yeah, whatever training method you guys adopt, be sure to actually measure the effectiveness of it afterwards. We've seen CTFs work great, so give it a shot at your organization. Questions?

Yep. Yeah, so it depends on how you want to frame the war game, right?
So for example, there was a talk here yesterday talking about how to simulate war games as tabletop exercises. So that can also work, but in my opinion that's not a really scalable solution, because you're having that exercise per team or per group that you want to manage. But in the other case, like for example CTFs, or the case that you mentioned, where you can deploy it once and everybody can play the game at their own time, that helps a lot, because, as I'm presuming you're from that organization and you want to deploy it, you don't want to spend time on developing content or organizing that tabletop exercise again and again. So yeah, gamification and war games help because of the ideas that I mentioned. CTFs are one way to do it, and also it's a scalable way to do it; you don't have to deploy challenges again. Any other questions? Sorry, I'll get to you. Yeah.

Yeah, so there are a couple of products. So if you want to try a beginner CTF, picoCTF is actually one of the good ones, because it's catered towards people who are just starting in security. So if you want to deploy it throughout the organization and give it to non-technical people, that's a good one. As of today, there is no good customized, per-organization solution. So if that's what you're looking for, that doesn't exist, and that's why I'm speaking about it. If it already existed, I could have just pointed you guys to that, saying, don't listen to my talk, just see that. So yeah. So, somebody in the audience.
I mean, you can come talk to me afterwards; I don't want to make it a vendor pitch, but yeah. You had a question? Yep.

Yeah, so this was our experience also. So we have kind of a head start, because we run CTFs as part of PPP, we play in CTFs, so we understand the space of forming problems. The other thing is you have to do some interaction with your non-tech employees, because I'm presuming that's where the biggest challenge for you was. You have to kind of understand what level they are at and create challenges accordingly. So for example, the challenge about password creation, like not using the passwords that I... sure, let me actually pull it up. Yeah, so this might be something that's completely trivial to your tech employees, and you'll be like, why am I wasting time with this? But that's not the case for the non-tech employees. So that's one. Yeah, that's my best recommendation; as you do it more often, you'll get better at it. Any other questions? You have another question. Yep. Yep. I know where you're coming from. Exactly. Yep.

So yeah, there is one company that's doing this for education in general, not security education, and we are doing this at my company, so if you want to talk about it, I can tell you. But basically his question was about evaluating someone at the start, as I mentioned. So in the GRE, what happens is if you miss easy questions, in your next section you get questions of a lower aptitude, and if you answer really hard questions, then your scale increases. So you kind of vary the content based on the candidate's or the employee's previous answers. So yeah, that actually helps, again, in keeping them engaged, because if you give easy questions to people who know the stuff, they'll lose interest; if you give really hard questions to people who have no idea what's going on, it's going to go over their head and they're not going to care. Yep. Yep.
Yeah, so there are actually people who have made a living out of security behavior, behaviors in general: how do people change their behavior? So for example, the motivation piece, we got inspired by this researcher out of Stanford. So he does that for a living; his whole life is dedicated to changing people's behaviors. Similarly, the other people working on this have had a bunch of years of experience of how to actually train people. So yeah, we take that and go. Yep.

Yep. Yep. Yeah, so basically what we do is we create a fake Twitter account. It can depend on what the organization's needs are, so we can actually create a fake account within their portal. In that case you have more visibility; you can put in rules. With Twitter, they don't allow you to do a lot of that, but we've managed to make it work for both cases. I have myself created fake Facebook accounts with that employee, and you kind of have to trust or tell the employees not to change the passwords. But yeah, if somebody wants to mess with you, there are a bunch of ways that they can do that.

Okay, I think we are out of time. If you have any more questions, I'll be right outside. Thank you.