Editor's Note: Over the coming weeks we will post recaps of speakers' talks from the 3rd Annual Security Awareness Summit. Today Dan Kern shares details from his talk and experiences from the summit.
I was truly honored to present at the 2016 SANS Security Awareness Summit on the topic of using hacking demos to awaken end users and get them more interested in security and securing themselves. I have presented hacking demos as part of our annual security awareness training for several years now. These are short demonstrations (about 10 minutes long) that are part of a longer awareness presentation. These hacking demonstrations are intended to show users how computer attacks really work, and how easy it is for an attacker to use people as a means to gain access to computers and networks. The demos are followed by a discussion on how users can prevent these attacks. We arm users with knowledge, tools and techniques that they can use to protect both their business and personal information. It has been my experience that users really enjoy these demonstrations and want to learn more. We have seen a significant increase in end-user security interest and participation (as well as better metrics). You can use demos like these as part of your security awareness arsenal, either as standalone demos or part of a larger presentation. Here are some key points to consider when using hacking demos for security awareness:
- It’s all about the human as the easiest way into a network. Target a real human in the organization (with permission, of course). Use the target’s social media content and show users how to socially engineer! Our experience is that when users see how easy it is to do, the light comes on and they become much more suspicious.
- Keep the demos simple. Discussing things like APTs, advanced malware, or buffer overflows will lose audience attention. Instead, demonstrate that attackers are often simply tricking users into running software on their systems that gives the attacker remote control.
- Keep it real. Users should understand that everything they see is a real attack technique used by real bad guys, and that there are no camera tricks.
- Tell a story. In all my demos, I never once mention the name of a hacking tool seen on screen because it’s not necessary. Rather, tell the story of an attack while users watch it happen before their eyes. Details of the execution of code aren’t important. The result and the impact are.
- Target both business and personal information. Users will begin to see there isn’t really much difference when it comes to protecting different types of information.
- The most important thing to remember is that it’s not just a hacking demo. You are arming users! Walk through the key parts of the hack and show how it could have been avoided by responsible and wise user actions. Then give users tools and techniques that they can use to help protect themselves.
- When presenting demos to a live audience, I recommend that you don’t execute the actual demonstrations live. Things don’t always go perfectly, and the last thing you want is a crowd waiting while you reboot a virtual machine. Instead, plan out your demo, flow it, and record it. I personally use Camtasia as my tool of choice for creating hacking demo videos. You can then edit it so it’s shorter (i.e., by removing command output delays), add graphics and pointers, edit text, etc. The only action I do live is the narration. When narrating, you can pause the video so that your narration drives the video and you aren’t racing to keep up with it. Of course, you can also place your narration in the demo recording so that the demo is easily posted for viewing online, especially if you aren’t going to present to a live audience.
Want to learn more about how these attacks happen? SANS offers fantastic courses including SEC504 – Hacker Tools, Techniques, Exploits and Incident Handling, SEC560 – Network Penetration Testing and Ethical Hacking, and the SANS NetWars tournament. You can learn more and view my end-user hacking demos and security awareness presentations at my YouTube channel. Feel free to use them as you like!
Bio: Dan Kern is the Chief Security Officer for the County of Monterey, California, where he has worked for over 15 years. Dan has an extensive background as an ethical hacker, intrusion analyst and incident responder, and specializes in translating technology and effectively communicating business risk at the C level. Dan also specializes in studying offense in order to improve defense, and taking that understanding to create popular and entertaining live security awareness training that includes real world hacking demonstrations. Dan has worked in the Information Technology field for over 25 years. Dan has multiple SANS certifications and is extensively SANS trained, and also holds a Bachelor's degree in Communications. Learn more at his blog.