Mayo Clinic data security officer

• Behavior management is new term they use
• Not just tech folks in these positions but educated HR folks
• Example used was 2FA implementation
  • planned for all things the humans could do and have a plan for it like here is how you get your Apple ID if you forgot it
  • expect questions but also who will they ask. Inform the people they will ask in advance and deeper
• set tiers and design messages for each tier
  • social engineer the executives with being non-techie and unassuming
    • deal with providers who are different too
    • high level targets like financial folks.
• keep message simple brief and relevant
• use communication channels in place to get support
  • what to protect?
  • how to protect?
  • what is impacted?
• thou shall or thou shall not approach doesn’t work
• password locker vs password manager message – which one is better
• phishing campaign should share results in medical style like the reason we keep doing it like a booster shot to your security awareness vaccine
• allow groups to compete for numbers in phishing campaigns and post scores for everyone to see
  • competition starts to feed awareness
• teach employees about protecting kids with same behavior you want from them
  • volunteer to do it at school and invite parents

NCSA public private partnership National Cybersecurity Alliance

• DHS funding
• 25 companies funding
  • this is a national problem for public and business safety
  • education and awareness programs including Cybersecurity awareness month and Stop Think Connect. Data privacy day was Jan 28
  • working to bring CSF down to SMB levels
  • catch a problem you get a prize and start teams to look for problems and get discussions.
• FB group worked to trick sec team and win a prize
  • people know the pwd matters but they still don’t do it right so just teaching them to know about it is not helping
  • market research is basically what you have to do.
• Don’t just tell them what to do figure out what message will work.

SAN securing the human all about Cybersecurity awareness programs

• how do we communicate the behavior we need others to do
  • most people are geeks so we need better commutators
  • stop being complex.
  • find most bang for buck change in behavior
  • every behavior has a cost and you find where the cost is too expensive

Security training for the masses

• teach that it is everyone’s responsibility
• don’t worry about specific app worry about behavior
• Snapchat is great example. Ask kids to explain it to you
• stranger danger and crossing street lessons for safety so is Cybersecurity
  • adults cross street safely every day. Teach this the same way. No tech details required
• resistance and resilience. Try not to see it but if you do then know what to do when it happens

Cyberreason season selling machines in a botnet

• THIS IS WHY WE HAVE TO HAVE EVERYONE INVOLVED
• attackers have vulnerabilities too just have to use them back
• openings to networks are found by hackers and then they sell them on the darknet
• Adware machine sold up a chain based on value of the machine
• $5 basic
• machine that does e-commerce or financial next level
• enterprises connections at all it is an adware botnet jackpot where they resell access via adware access
• darknet site offer to just tell you if there is a machine in your network Russian site asthetic?
• there is a code of conduct for black market
  • only buy and sell RDPs or SSHs and we don’t know how they end up here we just connect buyer and seller
    • the RDP or SSH gives access to command and control machine
    • fair price trading – no rip offs here
      • Hacker can resell it but I still have to pay the 80% commission again
• filter for US-based machines and you get a long list
  • found a $14 machine at subsidiary of Microsoft
  • intel data center machine sold for $13
  • Houston TX medical center sold for $18
  • Wellstar health system in ATL sold for $17
• freeware or click fraud all low risk threats then sold by machine one at a time – spray everywhere and resell them