insecure.nz

Petra Smith is a security culture specialist on a mission to make information security accessible to everyone. She has a point and she’s getting to it.

Recent talks:

The Incident Response Plan that Saved Christmas

It’s Christmas Day. You’re floating serenely in the coral sea surrounding a real live tropical desert island…when, suddenly, you’re having a too-close encounter with deadly wildlife. What do you do? Just follow your Incident Response Plan, of course!†

Don’t have an Incident Response Plan? No worries. I’ll take you through how to make a plan to help you navigate the shark-infested waters of a security incident with less stress, and get back to business - or living your best tropical mermaid life - quicker.

If your team’s worst-case scenario plan is to hope it never happens, this talk is for you. I’ll show you why you should prepare for the worst, and how anyone can make a plan that works.

† Based on a true story

Never Have I Ever

Red teamers and blue teamers share a common goal: to protect people from security threats. But we aren’t doing a great job – security breaches increase in number every year, and most of them still start with someone falling for a phishing scam. Why? Because the way we teach people to spot a scam is so totally, utterly, job-security-guaranteeingly broken it sets them up to fail.

Comrades, it’s time to put aside our differences and unite to destroy our common enemy: corporate security awareness programmes that teach people that a legitimate company would never do things that legitimate companies do every day. Let’s talk about how they do more harm than good, and what we can do to make security awareness suck less for everyone.

Advanced Endpoint Protection: Securing the Meaty Bits

You know how it is – you want to make your work/open source project/Sailor Moon fanclub more secure, so you come up with a brilliant plan, get things set up juuuust right...and people ruin all your hard work by ignoring your advice and finding ways round your security measures. What can you do? Give up, pour a stiff whisky, and go on another Slack rant about how stupid and lazy users are? Focus on the bits you can control, and make sure everyone knows it’s not your fault when something goes wrong?

Or would you rather understand why people keep thwarting your efforts, so you can get them on board and develop a security programme that works?

Let’s take a deep dive into the most complex and hard-to-secure component of your network: people. Why don’t they seem to listen or care? What can you do about it? And what does any of this have to do with mysterious fifteenth-century manuscripts and dinosaur facts? In this talk you’ll learn about some of the unpatched vulnerabilities in human information processing and communication protocols that make them infinitely frustra...err, fascinating, and discover how you can (lovingly and respectfully) exploit them to help make your life easier and your security efforts more effective.

Sharing Is Caring: A Beginner's Guide to Security in the Cloud

Thinking of moving your applications to the cloud? How do you make sure they stay secure? This fast, fun, beginner-friendly session will demystify cloud security, introduce you to the most common cloud security models, and help you to choose the model that’s right for you.

What’s the Worst That Could Happen?

From digital surveillance to technology-facilitated abuse to algorithmic bias, you don’t have to go far to find examples of how technology can cause real harm to real people. Technology can fail or be abused in ways its creators never anticipated, and have serious unintended consequences, especially for people who are already vulnerable, marginalised or persecuted.

When we’re making something for other people to use, we want to make sure it’s safe and secure. Threat modelling is a great way to discover how the thing we’re building could be misused, but it relies on our ability to imagine all the ways that someone could use it to cause harm. How can we be confident that we’re keeping people safe when they face threats that are literally unimaginable?

To answer “what could go wrong,” we need to go beyond the power of imagination and get out of our comfort zone. Aimed at developers, testers and everyone else involved in making things people use, this talk will introduce practical actions you can take to get to know your most vulnerable users, and offer strategies for creating things with their safety and security in mind.