The Humanity Behind Cybersecurity Attacks | Mark Burnette | TEDxNashville

Captions
I wrote my first computer program when I was in the fifth grade, and I've been working with computers ever since then. And there's one thing I know: a computer will do as it is programmed, every single time. It won't deviate from its programming. It can't. This means that computers are consistently consistent. Whether it's executing program code or calculating the results of a fact set, a computer will act the same way and reach the same result every single time.

Now let's contrast that with humans. While the human brain is without a doubt the most sophisticated computing device on the planet, humans, unlike a digital computer, react differently depending on the circumstances. The time of day, the amount of stress in a situation, the person's physical or emotional health: all of these things can impact how an individual reacts. For example, most people would react differently if someone approached them with a hand outstretched like this than if it were outstretched like this.

I'm a big sports fan. Another way to think about this is to look at the example of a football player. I played college football, and in my four years on the gridiron I am proud to say that I was never sacked, I never threw an interception, and in fact I never lost a single yard. Now, if you know anything about the game of football, you know that those are amazingly impressive statistics for a quarterback. I wasn't a quarterback. I was a placekicker. It is true, however, that I never missed a kick in college, and yes, I did kick and hit some. This is a picture of me, taken from some grainy video footage, warming up before a kick. Anyway, the reason I was able to hit all of my kicks is because of the consistency that I developed by establishing a routine and doing the same thing over and over and over again. And that's what a placekicker strives to do: establish consistency, do the same thing over and over and over. That way, all things being equal, a kick will sail straight and true every single time. Of course, in the game of football all things are not always equal. The weather, the condition of the turf, the snap and placement of the ball, a fight with a girlfriend before the game: any of these things can impact how a player reacts, which can introduce variables into the kicking motion that can cause the kick to go awry. I wanted to establish this important distinction, that computers don't make mistakes but people do, because it forms the basis for the rest of our time together.

Target, Home Depot, Marriott, Saks Fifth Avenue, Sony, Hilton, JPMorgan, LinkedIn, Macy's and Panera Bread. What do all these companies have in common? No, they're not my stock portfolio. All of these companies suffered a cybersecurity breach so significant that they felt compelled to announce it publicly, to warn their customers and business partners that it had occurred. And this happened despite the fact that they employed full-time cybersecurity experts and they had deployed defenses intended to be nearly impenetrable. So why, despite their best efforts, were these companies still compromised? The answer is simple: because of people like you and me, because of our humanity. You see, despite the fact that these companies had built systems and configured them in a secure way, and despite the fact that they had installed technology and developed policies to protect information, and despite thousands of hours spent training their workforce on data security measures, humans at these organizations held the keys to systems and the data that they contain. And that's still true today in nearly every company on the planet.

The majority of my career has been spent in cybersecurity, designing and implementing cybersecurity programs and protections. The easiest way to describe the goal of a cybersecurity program is that it should keep private data private by preventing access to that data from unauthorized individuals. Another way to say it: your stuff should be your stuff; nobody else should be able to see it. Sounds easy, doesn't it? Well, it isn't. There's a lot that goes into putting a cybersecurity program in place, and as we've already seen, it's clearly not easy, since so many organizations are struggling with it. So why, though, despite their efforts, do companies continue to get hacked? Well, I'm about to lay it out for you. Over the next few minutes you'll come to learn why cybersecurity is so difficult for most organizations, and why the person on your left, the person on your right, or even the person in the mirror may be partially responsible for the fact that companies continue to get breached. Good news is, I'm also gonna tell you how to stop being a part of the problem and start being a part of the solution.

Before we go any further, I've got a surprise for you, but it involves audience participation. So I'd like everyone to please stand up. If you would, go ahead and stand up. Thank you. Earlier today the event organizers placed a gift for each of you under your seat, and now is the time in the program where you can turn around and retrieve your gift. So go ahead and turn around and get your gift. What do you think? Did you find it? What? It's not there? It's not? They assured me it would be there. The organizers promised me that gift would be there. I don't know what to say. I can't believe that you fell for my ruse. Have a seat and I'll explain what I mean.

I've been on this platform for about five minutes, and prior to today I didn't know most of you. Despite the fact that we didn't have any real relationship, you happily carried out my request in hopes of receiving a gift. You trusted what I said because it seemed legitimate, and that, my friends, is a prime example of why you and I are the cause of most cybersecurity attacks. A key reason that hackers are so successful in compromising organizations is because people regularly fall for their cybersecurity scams, and this results in the attacker getting access to systems or getting a password that can be used to further attacks. As I've watched person after person fall victim to various cybersecurity scams over the years, I've identified three traits or characteristics of humans that make us especially susceptible to cybersecurity attack: people are curious, people are trusting and helpful, and people are uninformed. Let's take a look at each of these with some examples.

The primary characteristic of humans that makes us susceptible to cybersecurity attacks is our curiosity. This curiosity has fueled the advancements in technology that we enjoy today, as well as astounding developments in health care that allow us to live longer and healthier lives. But this same curiosity is what causes us to ignore that little voice in our head that tells us not to click on the link or open the file. Hackers have exploited this curiosity over the years with many attacks, including things like the Anna Kournikova virus, the ILOVEYOU virus, and attacks like this one that my team has done. One of the teams that I'm responsible for conducts simulated cybersecurity testing for organizations around the world. In essence, companies hire us to break into their systems, and if we get in, we tell them how we got in and how to fix it so the bad guys can't get in. So these guys are paid to think and act like an attacker and use the same tools and techniques that attackers use. In one simple attack, my team loads some software onto USB memory drives like this one, and they place these drives in staff break rooms, staff parking areas, smoking areas around the facilities that we're trying to target, in hopes that employees will find them and pick them up. After all, who among us hasn't found a USB drive and thought, Yahtzee, free USB key? Well, if they find these drives and they plug them into a computer, the software will attempt to automatically launch, and if it's successful it will open up a connection back to our command center where we can take control of the machine. Now, depending on how the computer's configured, the software may not automatically launch. If it doesn't, then if the user clicks on the USB drive to open up the files, a menu like the one on screen is displayed. Clicking on any one of the files or folders in our menu will tell us what file or folder they clicked on, and it will also launch the attack. Now, which one of these files or folders do you think most people click on? That's right. Curiosity leads them to click on Vegas Pics, baby, because what happens in Vegas... apparently not if it's on a USB drive.

The second characteristic of humans that makes us susceptible to cybersecurity attacks is our trusting and helpful nature. The nature of most people is to be accommodating, and people don't like confrontation, particularly in a business setting. Attackers know that people are unlikely to challenge someone who appears to know what they're doing or appears to have authority to be in a certain area, and they take advantage of this in several ways. I could tell you a story about one of my team members who convinced the security guard at a large medical complex to allow him to print himself his own access badge, giving him full access to the entire campus. Or another story about another team member who called the help desk of a large organization posing as that company's CEO and convinced the help desk technician to reset the password for the CEO's account and tell him what it was so he could use it to log in. The bottom line is, the trusting and helpful nature of people, when combined with their dislike for confrontation, creates opportunities for attackers to get individuals to carry out actions on their behalf or give them access to information they shouldn't have.

The third characteristic of people that makes us subject to cybersecurity attacks is the fact that we're uninformed when it comes to cybersecurity risks. What I mean by this is that people just don't understand how the things that they do make them more susceptible to attack. The best example of this is computer passwords. A computer password is designed to give the owner of the account, the authorized user, access to systems and data, and it's by its very nature designed to let that user through all of the cybersecurity defenses that the company has put in place to keep intruders out. So hackers know that their best avenue into a system is to get a valid username and password, so they don't have to figure out how to defeat all the company's other cybersecurity measures. One technique that attackers use to get passwords is called password spraying, and it works like this. An attacker finds a web portal, like the webmail portal on the screen. Once they find this web portal, they need a username and a password. Many companies use the email address as the username for a web portal like this, so a quick scan of the Internet or a search of LinkedIn will typically turn up a lot of email addresses associated with a particular organization. Once the hacker has email addresses he can use, he then needs a password, so he'll start by guessing passwords that people commonly use, something like "password one" or maybe "spring 2019". This particular attack typically results in a hacker being able to get access to at least one of the harvested accounts. But here's the problem: those two password examples that I used technically meet the password composition requirements that are commonly touted as acceptable, because they include upper and lowercase letters, a number and a special character, but they're relatively trivial and easy to guess. And that's the challenge that cybersecurity professionals face: one, training users to choose good passwords, and two, finding additional defenses to put in place to insulate themselves against this type of attack.

Of course, some people make it way too easy for the attacker to guess their password. Every year a company goes out on the internet and posts a list of the most commonly used passwords for people's internet accounts. How does this company get the passwords that you and I use for our internet accounts, you might ask? They get it from hackers. You see, when a hacker breaks into a computer network, one of the things they try to do is get the password database, and if they're successful they'll use the accounts and passwords for whatever purposes they intend, and then, when they're finished, they'll post those passwords on the internet for other attackers to use. Think of that: hackers being helpful. Anyway, this company then goes out to the sites where all these are posted (there are millions of them out there, by the way) and compiles the list of the most commonly used passwords for each calendar year. What do you think the most commonly used password was for the year 2018? No, silly, it was not "password". That was number two, though. The most commonly used password for 2018 was "123456". Now, before you laugh at the silliness of somebody using 123456 for their account password, think about this: how many of you have ever used 1234 as your cell phone lock code? Don't raise your hands; I do not want to know what your cell phone lock code is. But that's the point. Most people view passwords as a hindrance rather than as a strategic protection, so they choose passwords that are easy to type and easy to remember, and that's why our humanity puts us at risk.

For you and me, proper cybersecurity starts with choosing good passwords. Choosing a good password requires that we acknowledge our humanity and we resist the urge to take the easy route. Acknowledge and resist. Sounds like the mantra of a cult, doesn't it? The cult of cybersecurity, perhaps. Ooh, I should make T-shirts. The secret to choosing a good password, of course, is choosing a password that is easy for you to remember but difficult for other people to guess or crack. Now, of course, most of us have so many passwords to remember, we come up with a scheme to help us remember them. Problem is, that scheme often uses information that's very personal to us, that people could gather about us: things like names of our family members, our pets, our favorite sports teams, our hobbies. This information is available on our social media accounts, so if we eliminate the ability to use personal information about us, it becomes much more difficult for us to choose passwords for an attacker to get.

These days passwords have evolved into passphrases, because they're much longer and much harder to guess or crack. A passphrase is a series of words, such as a line from a favorite song, or several common words all mashed together. Using the concept of a passphrase, and keeping in mind the easy-to-remember requirement, a couple of examples of good passphrases for somebody like me would be these. And once you've chosen good passphrases for your accounts, you also want to use a technique called two-factor authentication to ensure that even if the attacker does somehow get your password, he won't be able to use it to log in and get your information. But that's a topic and a talk for another day. And finally, we need to all acknowledge that all of us are targets. If we expect to be targeted, it will make us much more skeptical of those unsolicited emails that we get and offers of free gifts.

The attacks that I've described here today are what cybersecurity experts call social engineering attacks. Social engineering is, in essence, an attacker taking advantage of one or more of these basic human characteristics that I've identified to get an individual, a target, to carry out actions on their behalf or give them information that they shouldn't have. Attackers leveraging social engineering attacks are how many of the organizations examined in the beginning were compromised. The internet is amazing, loaded with information to learn and sites to explore. The vast trove of data and the opportunity that it represents appeals to our humanity. But when it comes to clicking on links, opening files, choosing passwords and inserting things into our computer, perhaps we can all be a little less human. If we're conscious of our humanity when using the internet, we'll be able to reap all the benefits that it offers without realizing the pitfalls. We won't be the subject of cybersecurity attacks; instead, our experience with the internet will be much more like the example of the consistent placekicker that we looked at in the beginning. That's good. Thanks, and have a great day. Stay secure.

[Applause]
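The password-spraying pattern the talk describes (one common guess tried against many harvested accounts) is what makes the "additional defenses" the speaker mentions necessary, because per-account lockout never fires. As an added example written for this page, not the speaker's or his team's code, here is a detector that flags a source failing against many distinct accounts within a short window, run over constructed webmail auth-log lines (the log format, addresses and thresholds are assumptions):

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of webmail auth-log lines (not from the talk): one source
# tries a single guess against many accounts and lands one; another is a normal
# user who mistyped a password twice before logging in.
SAMPLE_LOG = """\
2019-06-10T08:00:01 src=203.0.113.5 user=alice@example.com result=FAIL
2019-06-10T08:00:03 src=203.0.113.5 user=bob@example.com result=FAIL
2019-06-10T08:00:05 src=203.0.113.5 user=carol@example.com result=FAIL
2019-06-10T08:00:07 src=203.0.113.5 user=dave@example.com result=FAIL
2019-06-10T08:00:09 src=203.0.113.5 user=erin@example.com result=FAIL
2019-06-10T08:00:11 src=203.0.113.5 user=frank@example.com result=SUCCESS
2019-06-10T08:01:00 src=198.51.100.7 user=grace@example.com result=FAIL
2019-06-10T08:01:20 src=198.51.100.7 user=grace@example.com result=FAIL
2019-06-10T08:01:40 src=198.51.100.7 user=grace@example.com result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(FAIL|SUCCESS)$")

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), src, user, result))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag sources that fail against >= min_users distinct accounts within
    `window`. Brute force hits one account many times; a spray hits many
    accounts once each, so per-account lockout thresholds never trigger."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        by_src[src].append((ts, user, result))
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [(ts, u) for ts, u, r in evs if r == "FAIL"]
        for i, (start, _) in enumerate(fails):
            users = {u for ts, u in fails[i:] if ts - start <= window}
            if len(users) >= min_users:
                hit = sorted({u for ts, u, r in evs if r == "SUCCESS"})
                alerts[src] = {"distinct_users": len(users), "successes": hit}
                break
    return alerts
```

Any account listed under `successes` for a flagged source is the one the spray landed and should be treated as compromised, which is where the two-factor authentication the speaker mentions would have stopped the login.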
Info
Channel: TEDx Talks
Views: 19,872
Keywords: TEDxTalks, English, Technology, Business, Computer Virus, Computers, Cyber, Hack, Internet, Psychology, Security
Id: pnADP41earI
Length: 18min 22sec (1102 seconds)
Published: Mon Jun 10 2019