Developing The Human Firewall

Post on 26-Jun-2015


DESCRIPTION

Presentation to RSA Europe 2009

Transcript

Developing the Human Firewall

Frank Wintle, PanMedia, 20/10/09 | Session ID: PROF-105

Classification: Intermediate

Agenda

A Journey to the East

It’s not just technology

The power of story

Four rules for happiness


A wilderness of mirrors...

Secrets Betrayed

From first man to fifth?

One author’s theory...

Sex and secrecy

A housewife and mother

Who is the hacker? Who is the spy?

An engineer calls...

... and checks under the desk

Now wires have ears

“Keystrokes recorded so far is 2706 out of 107250 ...

<PWR><CAD>fsmith<tab><tab>arabellaCAD<CAD>

<CAD> arabella<CAD><CAD> arabella exit tracert 192.168.137.240 telnet 192.168.137.240 Ci ”Cisco”

New weapons, new fronts, old battles

Wedded to mystery

A true story?

Nonsense as science

Science as nonsense

Backs to the Facts

“The human mind is less disturbed by a mystery it cannot explain than by an explanation it cannot understand.”

David Mamet, The Water Engine

Typical defence: silver bullets

Key features:

• Sexy name
• Pretty diagrams
• Complex technology
• Flashing lights
• Rack mountable
• Reassuringly expensive

The criminal’s approach

Social engineering plus technology

• Phishing
• Trojans & rootkits
• Laptop theft
• In person intrusion

Why social engineering?

• Social engineering can be used to gain access to any system, irrespective of the platform.

• It’s the hardest form of attack to defend against because hardware and software alone can’t stop it.

The difficult sell!

The money you spent on security products, patching systems and conducting audits could be wasted if you don’t prevent social engineering attacks …

You need to invest in Awareness and Policies

Countermeasures

Countermeasures require action on physical and psychological levels

as well as traditional technical controls

Physical:
– in the workplace
– over the phone
– dumpster diving
– on-line

Psychological:
– persuasion
– impersonation
– conformity
– friendliness

Staff awareness

• Educate all employees, as everyone has a role in protecting the organisation and thereby their own jobs

• Give extra security training to security guards, help desk staff, receptionists, telephone operators

• Keep the training up to date and relevant

• Train new employees as they start

• If someone tries to threaten them or confuse them, it should raise a red flag

Which point of view?

“The single most important problem in science is to reconcile the first and third person accounts of the universe...” V S Ramachandran

Third person

First person

Wooing the audience

“I CAN THINK of nothing that an audience won't understand. The only problem is to interest them; once they are interested, they understand anything in the world.”

Orson Welles

Telling the STORY

Once upon a time.... And then one day....

But what they didn’t know.... Climax and resolution

Understanding the mind

“Narrative is the primary human tool for explanation, prediction, evaluation and planning”

Mark Thomas, The Narrative Mind

“We live, and call ourselves awake, and make decisions by telling ourselves stories”

Julian Jaynes, The Origins of Consciousness

Games with a purpose

EXECUTIVE GAMES COULD HELP STEM CYBERCRIME, FIRST EXPERTS TOLD

Kyoto, Japan – June 30, 2009. Senior executives should play special computer games and watch animations to help them understand the scale of the threat from cyber-crime and win their support for improvements in security, one of Japan’s top Internet protection experts said yesterday at the 21st annual conference of FIRST, the Forum of Incident Response and Security Teams.

Dr Suguru Yamaguchi, member and adviser on information security at the Japanese Cabinet Office National Information Security Centre, was giving the opening keynote address at the five-day conference, which got underway at the Hotel Granvia, Kyoto.

“We need to find ways to help corporate executives actually to visualize what goes on when a computer network is under attack,” he said. “Just explaining in words isn’t enough – the words are too dense, too technical – what we should do is design special games and animations which will bring the severity of current threats vividly alive in the executives’ imaginations.”

Everyone hates a sermon...

“Audiences shrink from sermons…”

Akira Kurosawa

Everyone loves a story

“I think that I have made them aware…”

“They just don’t get it...”

“We concealed the very things that made us right – our respect for the individual, our love of variety and argument, our belief that you can only govern fairly with the consent of the governed, our capacity to see the other fellow’s point of view... so it wasn’t much wonder, was it, if we opened our gates to every con man and charlatan?”

George Smiley (John Le Carré)

A human firewall

Four rules for a good life

1. Exercise

2. Love

3. Disdain

4. A project

Need more information?

Frank Wintle, PanMedia

frankwintle@panmedia.co.uk

+44(0)7850 102194