[00:58.370 --> 00:59.990] Can you guys hear me through the mic? [01:00.330 --> 01:00.770] Awesome! [01:00.770 --> 01:01.610] Well, that made it really easy. [01:01.610 --> 01:05.010] There's four mice up here, so it's a little overwhelming. [01:05.130 --> 01:08.150] Welcome to White Hat Business Process Hacking. [01:08.150 --> 01:10.270] We're going to close down the conference tonight. [01:10.270 --> 01:13.190] No, we're going to at least have the last fun laugh. [01:13.190 --> 01:14.910] Hopefully you guys are entertained. [01:15.250 --> 01:17.850] Please feel free to ask questions, interrupt me. [01:17.850 --> 01:23.750] When I get excited, I start talking fast and I use my hands a lot, so if the mic gets really far away, just let me know. [01:23.750 --> 01:25.890] I'll get back on track. [01:26.330 --> 01:28.970] So, with that, I'm Matt Meiss. [01:28.970 --> 01:29.970] These are my stats. [01:29.970 --> 01:32.850] It's all images because you're going to hear the text from me. [01:32.850 --> 01:35.730] But I've been in IT for 10, 15 years now. [01:36.250 --> 01:53.310] Cybersecurity, Threat Hunter, I wrote college-level curriculum, I've been in the fraud area for the last five years, built the wire fraud detection system, got into data, and now I'm at Summit Credit Union doing cyberfraud and data stuff, which means I get to have a lot of fun each day. [01:53.490 --> 02:03.690] And I realized through each IT position that I had that the hardest problems we had were around people and processes, and the technology was actually pretty easy, right? [02:03.690 --> 02:11.630] And so if we look at the people and processes and try to improve those, the tech gets even easier yet. [02:11.630 --> 02:12.970] And so that's what I want to do today. 
[02:12.970 --> 02:30.210] I want to talk about how our adversaries, our business processes are attacking our processes, and then how can we defend against that internally with either controls, people, or just generally improving our business processes for them and bringing them into the fold of securing their own processes. [02:31.450 --> 02:43.230] So I think business processes, and I'm going to say that a million times, I told someone to bring an air horn every time I say business processes because it will slow me down on that, but I think these are our biggest attack vector. [02:43.230 --> 02:45.910] People say that people are the biggest attack vector, right? [02:45.910 --> 02:49.630] They're going to hit the phishing link and bring down the whole network of ransomware. [02:49.890 --> 02:53.810] How many organizations here have been part of a ransomware? [02:53.890 --> 02:55.030] How many people? [02:55.550 --> 02:55.850] Right? [02:55.850 --> 02:56.230] Okay. [02:56.230 --> 02:57.150] So there's one. [02:57.150 --> 02:57.330] All right. [02:57.330 --> 02:58.270] That's a big event. [02:58.270 --> 02:59.450] That's really costly. [02:59.590 --> 03:04.930] But how many businesses have really crappy processes and they lose money every day because of it? [03:04.990 --> 03:05.490] Right? [03:05.490 --> 03:06.890] That's the real loss. [03:06.890 --> 03:19.750] And if you can solve that loss every day and build that trust with your business partners, whoa, now when you say, hey, we need this new EDR system because we want to stop all this stuff on the endpoint, they're going to listen. [03:19.870 --> 03:26.010] Because you know, you save them a million dollars on their process that they didn't even know that they were doing wrong. [03:26.170 --> 03:26.790] Right? [03:26.790 --> 03:31.370] So that's why I think our business processes are under attack more than our people. [03:31.410 --> 03:31.570] Right? 
[03:31.570 --> 03:36.010] If we give this freedom to people, how do we keep them in some kind of guard rail? [03:36.650 --> 03:38.150] So that's what I'm kind of arguing here. [03:38.150 --> 03:46.170] And when I think about business process hacking, to really identify what it is, um, the goal here is identifying vulnerabilities before our threat actors do. [03:46.210 --> 03:46.430] Right? [03:46.430 --> 03:56.430] If we can identify a vulnerability with our call center, where social engineering works really well to get around multi-factor authentication questions. [03:56.430 --> 03:56.630] Right? [03:56.630 --> 04:06.090] We can say that I work from home, and I'm self-employed, and therefore you don't need to look into my background and my work history. [04:06.130 --> 04:11.030] Well, now I've just circumvented a whole process just by saying the magical words. [04:11.070 --> 04:11.290] Right? [04:11.290 --> 04:15.690] If I know that, as a security person, I can make that process better. [04:15.690 --> 04:15.930] Okay? [04:15.930 --> 04:21.870] I've found the weak point, and now when our call center hears that, we want them to have spidey senses. [04:21.870 --> 04:22.230] Right? [04:22.230 --> 04:23.930] Oh, work from home. [04:23.930 --> 04:26.350] I work, I'm self-employed. [04:26.350 --> 04:27.030] What's going on? [04:27.030 --> 04:27.990] Is that weird? [04:28.690 --> 04:30.330] And how do we do this? [04:30.330 --> 04:32.450] Well, in security, we have the best tools ever. [04:32.450 --> 04:33.450] We have ethical hacking. [04:33.450 --> 04:37.090] We all have seen ethical hacking in different ways. [04:37.110 --> 04:39.010] Let's apply it to our business processes. [04:39.390 --> 04:50.190] So the key objective of this talk is really just understanding how those processes can be hacked, and then identifying and mitigating downgrade and social engineering attacks. [04:50.190 --> 04:51.070] That's right. 
[04:51.230 --> 04:53.190] Processes have downgrade attacks. [04:53.190 --> 04:53.530] All right? [04:53.530 --> 04:54.770] It's completely applicable. [04:54.770 --> 04:55.090] Right? [04:55.090 --> 04:57.890] So think about our automated processes that you have. [04:57.890 --> 04:59.830] Maybe you have a new customer onboarding. [04:59.830 --> 05:03.350] They can come in through a website and do everything automated. [05:03.350 --> 05:04.390] That's awesome. [05:04.390 --> 05:06.370] We have great security controls around that. [05:06.370 --> 05:08.910] We identify their IP address, the individual. [05:08.910 --> 05:10.390] We take a picture of them. [05:10.390 --> 05:13.430] We ask for, you know, their mother's maiden name, all this stuff. [05:13.430 --> 05:14.330] It's great. [05:14.410 --> 05:17.850] Now, they failed that. [05:17.850 --> 05:22.830] And it gets into a manual queue that someone now calls them back and tries to verify information. [05:23.250 --> 05:25.850] They have just found the cheat code for your automated system. [05:25.850 --> 05:29.290] Fail the system and hope that salespeople want to sell you stuff. [05:29.470 --> 05:30.010] Okay? [05:30.010 --> 05:43.850] And now the person trying to sell them a product, right, it could be a banky product, insurance product, whatever that is, right, they're trying to get them onboarded, they can control that conversation, and they can find the weaknesses in that business process. [05:44.670 --> 05:45.970] Downgrade attacks. [05:45.970 --> 05:47.450] Automated down the manual. [05:48.450 --> 05:49.850] Social engineering. [05:49.850 --> 05:53.050] This is a common one in the security space. [05:53.050 --> 05:58.070] But when we have human judgment as part of our process, there's a weak point. [05:58.210 --> 06:00.450] So how do we eliminate that human judgment? [06:01.210 --> 06:06.410] Well, I argue calling your call center endlessly until they finally get it right. 
[06:06.410 --> 06:16.450] But really seeing out of 100 people that you call, and I'm using call center as an example, you could have a physical space, right, you have a teller line or you have a storefront. [06:17.110 --> 06:27.710] The process that those people use when interacting with your customers and or your adversaries can be attached to social engineering. [06:28.430 --> 06:31.210] And finally just a lack of controls in general. [06:31.330 --> 06:47.110] If someone calls in and I'm an insurance agent, and someone asks about a claim on a Matt Meis, and as an insurance agent I say, oh, yeah, we do have a claim, but I can't tell you any more information without authenticating you. [06:47.450 --> 06:48.050] Great. [06:48.050 --> 06:49.010] And they hang up. [06:49.270 --> 06:53.490] Now you've told them that Matt Meis has an insurance claim at this company. [06:53.490 --> 06:55.410] That's a small piece of information. [06:55.410 --> 06:58.150] The next call, they can get to the next step, right? [06:58.150 --> 07:01.050] Maybe they find out what are your authentication questions. [07:01.050 --> 07:01.390] Cool. [07:01.390 --> 07:03.970] Now I'm going to do some Googling and I come back again. [07:04.030 --> 07:08.790] It's simple social engineering, but the process is the problem, right? [07:08.790 --> 07:11.950] They shouldn't have said anything until that person was authenticated. [07:12.010 --> 07:15.050] So right up front we can stop that right away. [07:20.290 --> 07:23.770] And sometimes we just give them poor tech to work with, which isn't great either. [07:25.770 --> 07:38.310] The last thing with our business processes is that if it is left up to human judgment, what you end up having is new people that aren't trained or don't have the same intuition as those people that have been there for a while, and now you have problems. [07:38.790 --> 07:40.250] So what are some examples of these? [07:40.690 --> 07:42.790] A call center for a telco company. 
[07:42.850 --> 07:46.730] I call into TDS and I try to figure out someone else's account. [07:46.730 --> 07:51.390] Maybe I can take over their landline or I can take over their Internet bill. [07:51.390 --> 07:54.970] Not that I want to pay it, but maybe I can get them to pay mine somehow. [07:55.410 --> 07:58.430] Frontline staff for a bank, a secretary at an office building. [07:58.430 --> 08:06.470] All of these are examples of processes that clearly could be vulnerable because they're interacting with people outside of your organization. [08:06.510 --> 08:10.930] The same can be true for insider threats if you're talking about processes within the org. [08:10.930 --> 08:16.890] I like to focus on the external ones because those are usually the ones where you're losing money, like I said, every day. [08:20.250 --> 08:30.190] So if we really want to understand what our business processes look like and where they're vulnerable, we can do something like a game of toast. [08:30.430 --> 08:33.290] And I'm going to get to the game of toast, but there's actually a few more steps in that. [08:33.290 --> 08:39.810] So we're going to go through the best way to map your business processes and find vulnerabilities quickly so that you can harden them. [08:40.230 --> 08:43.350] So this is my four-step easy process for success. [08:43.590 --> 08:45.430] You map your business process. [08:45.710 --> 08:47.190] This is where the toast comes in. [08:47.430 --> 08:49.130] We identify weak points. [08:49.410 --> 08:51.710] And I'm going to dive into each of these in more depth. [08:51.710 --> 08:54.730] I just want you to see the forest here before we get into each of the trees. [08:54.950 --> 08:56.690] We want to identify these weak points. [08:56.690 --> 08:59.790] And weak points in a business process are risk. [09:00.590 --> 09:04.570] In cybersecurity, we're just identifying and solving risk for our business. 
[09:04.650 --> 09:06.870] And it's the same thing with our business processes. [09:07.170 --> 09:10.130] So if we're all about risk, this actually does matter to us. [09:10.130 --> 09:15.490] And it matters to our business because now we're saving the money in the long term which we can spend on something else. [09:15.490 --> 09:17.010] At least that's my goal. [09:17.710 --> 09:19.690] Business might want to just save it for themselves. [09:21.370 --> 09:25.370] After we identify the weak points, we want to simulate an attack internally. [09:25.370 --> 09:27.730] Does this weak point actually flesh out? [09:27.730 --> 09:31.210] So if I call in, will they give me information that I shouldn't know? [09:31.310 --> 09:31.810] Yes? [09:31.810 --> 09:32.430] Okay, cool. [09:32.450 --> 09:34.570] It's a proven weak point. [09:34.630 --> 09:36.270] Now I want to harden that. [09:36.430 --> 09:40.890] We need to change the workflow that the call center reps are going through. [09:40.890 --> 09:43.550] We need to change the type of questions they're asking. [09:43.630 --> 09:47.290] And once we've done that hardening, we can go back and simulate the attack again. [09:47.290 --> 09:49.450] Now does it work after the hardening? [09:49.450 --> 09:49.890] No? [09:49.890 --> 09:51.370] Okay, we got to add more controls. [09:51.370 --> 09:56.790] Add more friction to that employee or to the person calling in the customer. [09:58.470 --> 10:03.750] So diving deeper into business process mapping, this is really the cool piece. [10:03.750 --> 10:04.990] So there's a Ph.D. [10:04.990 --> 10:16.150] that came up with this idea of mapping or the systems design thinking that's all about mapping a process from start to finish using a group of people that are experts in that process. [10:16.150 --> 10:20.970] I've done this to map out threat hunting from a group of five threat hunters. 
[10:20.970 --> 10:34.430] We had a full wall about the size of this CypherCon drop up here full of sticky notes, and it came down to one slide of about 14 steps for your average threat hunting process. [10:35.230 --> 10:50.990] What's not impressive is the sticky notes or the actual end diagram, but it was helpful for us to explain outside of our organization or outside of our internal team what we do, but the discussion we had to define the process was what was really, really valuable. [10:50.990 --> 10:56.290] Because I would say, oh, I start at this step, right, for threat hunting. [10:56.290 --> 10:57.990] Let's just say I start with a hypothesis. [10:58.510 --> 11:01.550] And someone's like, no, no, I start with reading the news. [11:02.110 --> 11:03.290] And then I get a hypothesis. [11:03.290 --> 11:03.870] Okay, well, cool. [11:03.870 --> 11:05.970] Now what are the sources for hypotheses? [11:05.970 --> 11:11.250] That's interesting because now we can document those and then share that out in a weekly newsletter. [11:11.250 --> 11:12.970] Now we'll get more ideas within the team. [11:12.970 --> 11:13.250] Cool. [11:13.250 --> 11:20.010] Now I learned something that I was maybe unconsciously doing, but I can utilize it. [11:20.010 --> 11:28.470] And then as we go through each step of the threat hunting life cycle, I would find something that I did different or someone else did different. [11:28.470 --> 11:34.410] One person didn't ever act on the results and never communicated them to the business, so there wasn't any value in their threat hunts. [11:34.410 --> 11:42.910] They just found cool shit and said, hey, what's And so we ended up helping define exactly what our process should be so that we can follow it. [11:42.910 --> 11:44.090] It's the same thing here. [11:44.090 --> 11:46.390] So the Toast activity is pretty simple. 
[11:46.390 --> 12:00.270] You take a business process that could be very simple, very complex, and you get a bunch of SMEs, so subject matter experts, and you ask them to, by themselves in the room, on sticky notes, write each step of that business process. [12:00.830 --> 12:03.730] Let's just say it is negotiating a check at a bank. [12:04.070 --> 12:06.450] So they're going to take a check and give you money. [12:06.450 --> 12:08.410] That seems like such a simple process. [12:08.410 --> 12:11.130] It happens every day at banks around the United States. [12:11.790 --> 12:14.670] Now, not in New Zealand, funny enough. [12:14.670 --> 12:17.150] New Zealand, you can't write checks in New Zealand. [12:17.150 --> 12:18.450] They completely dropped it. [12:18.450 --> 12:20.850] So let's just drop checks in the United States, right? [12:21.710 --> 12:35.470] Anyway, negotiating a check in the United States, if you have 10 different tellers talk about how they do that, some of them might start with questions, some of them might start with greeting the member as they walk in the door, other ones could say, oh, [12:35.470 --> 12:38.790] this customer, I don't have to look at their ID because I know them, and so on. [12:38.790 --> 12:42.790] So you start having them write down what is your own process. [12:42.850 --> 12:49.990] Normally when they write this down on sticky notes, they get 5 to 15 steps, no matter what the business process is. [12:49.990 --> 12:52.210] The reason that you use sticky notes is actually pretty cool. [12:52.210 --> 12:53.490] So sticky notes do two things. [12:53.490 --> 12:57.530] One, if you wrote it out of order, you can just change it really easily, right? [12:57.530 --> 12:59.790] So for an individual, super easy. [13:00.330 --> 13:09.610] The other thing is that if you finish early, and the people I think they know the process the best will, then they can go back over and add steps as they see fit. 
[13:09.610 --> 13:11.630] So it actually makes it really malleable. [13:12.310 --> 13:21.550] The final reason that you use sticky notes is that once everyone's done with their five minutes, that's all you give them to write their process up, then the real work begins as a team. [13:21.630 --> 13:32.450] So as a team, the first person gets nominated, and they take their process, and they put it up on the wall, and they say, here are the five things I do when figuring out a check and negotiating a check at the bank. [13:32.810 --> 13:33.650] Great. [13:34.150 --> 13:39.910] Everyone might have questions, might want to clarify some of the steps that they take, and that first person sits down. [13:40.310 --> 13:42.770] Person number two gets interested. [13:46.700 --> 13:52.580] So person number two goes up, and they see step one as greeting the customer, and they say, oh cool. [13:52.820 --> 13:57.220] Right after step one, before I ask any questions, I actually compliment them. [13:57.220 --> 13:57.300] Right. [13:57.300 --> 13:58.980] I want to put them in a good mood. [13:58.980 --> 13:59.220] All right. [13:59.220 --> 14:01.620] So they added something new to the diagram. [14:01.660 --> 14:04.640] Anything else is exactly the same as the other processes. [14:04.640 --> 14:06.160] They just put those sticky notes up. [14:06.160 --> 14:07.580] There's no real conversation. [14:07.580 --> 14:08.260] They say, hey, good. [14:08.260 --> 14:09.160] We thought the same. [14:09.160 --> 14:09.880] Woohoo. [14:09.960 --> 14:11.180] Congratulate themselves. [14:11.480 --> 14:31.960] Anything additional, it gets added to the diagram, and over time, as each SME comes up and adds their piece to the puzzle, you end up seeing this complex process where some people do certain things really well, and other people have unique characteristics that they use that actually enhance how they do that process. [14:31.960 --> 14:32.020] Right. 
[14:32.020 --> 14:34.200] Enhance how they interact with the customer. [14:35.060 --> 14:42.080] Once you have that full map out, now it's actually pretty easy from a security perspective to say, where are the risks in this? [14:42.080 --> 14:42.260] Right. [14:42.260 --> 14:44.320] Who's going to screw up at what point? [14:44.320 --> 14:52.900] And so you can take this big sticky note on the wall, or multiple sticky notes, put it into a one pager, and start having fun. [14:54.700 --> 14:56.420] Questions on that toast process. [14:56.420 --> 14:58.620] That's the toast process I was mentioning. [14:58.780 --> 15:04.980] So the PhD I was mentioning earlier, he does this with making toast. [15:04.980 --> 15:05.140] Right. [15:05.140 --> 15:06.680] What are the steps to making toast? [15:06.680 --> 15:09.400] And these are some diagrams from some of his workshops. [15:09.400 --> 15:11.040] He's done thousands of these. [15:11.160 --> 15:15.700] Everyone has a different process of making toast, and making toast should be simple. [15:15.980 --> 15:17.240] Everyone should do it the same. [15:17.240 --> 15:17.360] Right. [15:17.360 --> 15:19.720] You have a toaster, you put the toast in, you get toast done. [15:19.720 --> 15:20.580] That's it. [15:20.820 --> 15:26.420] But as you can see here, right, there's six different steps in the first image. [15:26.740 --> 15:32.080] You have someone putting toast in the toaster, pushing it down, waiting for some time, taking it back out. [15:32.080 --> 15:32.360] Great. [15:32.360 --> 15:33.280] Now you have toast. [15:33.340 --> 15:35.580] Top one, oh, don't forget to open that bag. [15:35.580 --> 15:35.780] Right. [15:35.780 --> 15:37.220] You got to get the bread out of somewhere. [15:37.600 --> 15:40.300] Someone's like, oh, actually, we have to go back further in the process. [15:40.360 --> 15:42.560] I like to have flour so I can make bread. [15:42.640 --> 15:43.260] Cool. 
[15:43.320 --> 15:46.020] That could actually be part of the process. [15:46.020 --> 15:55.560] And if you think about the teller and negotiating a check, maybe that process goes back to their training or that process goes back to how they integrated within the team. [15:55.560 --> 15:56.020] Right. [15:56.100 --> 15:59.240] And then the last one here, we have some Europeans that like to make toast with a skillet. [15:59.240 --> 16:00.380] That's fine. [16:00.820 --> 16:02.100] It's each their own. [16:02.100 --> 16:08.140] But which one is going to work more effectively and how do we want our business process to look when we make toast? [16:08.140 --> 16:15.340] So if you see toast as a simple problem, imagine some of your business processes and the differences that your individuals could face. [16:15.360 --> 16:15.680] Right. [16:15.680 --> 16:21.760] Now think about a corporation that's in multiple states, multiple countries. [16:21.800 --> 16:23.500] They're going to be doing it differently. [16:23.500 --> 16:24.800] They have to. [16:24.800 --> 16:30.780] Just by the default of different culture, different training, and potentially different mergers. [16:30.960 --> 16:38.940] And so this is where the process gets quite interesting because you get to see how it's being done differently and come up with some questions. [16:39.060 --> 16:46.620] For example, when I start looking at this diagram, what I'm going to start asking the SMEs is, okay, so is toast normally served at breakfast time? [16:47.340 --> 16:52.380] Because that could matter to how alert our people are. [16:52.380 --> 16:55.620] The people that are on site at the time that breakfast is being served. [16:55.620 --> 16:57.780] Because Fred can't handle toast. [16:57.780 --> 16:59.160] He can't touch hot things. [16:59.160 --> 16:59.360] Right. [16:59.360 --> 17:01.320] So that could actually matter. [17:01.320 --> 17:02.640] What other questions do we have? [17:02.660 --> 17:04.120] Does a drink go with it? 
[17:04.120 --> 17:04.940] Is there a topping? [17:04.940 --> 17:07.660] None of these actually said let's put butter or jam on our toast. [17:07.660 --> 17:09.720] That would be awful toast to eat. [17:09.880 --> 17:10.140] Right? [17:10.140 --> 17:11.900] So they're missing pieces. [17:11.900 --> 17:14.720] And so you have to draw those out of the SMEs. [17:15.760 --> 17:20.700] Once you do have that full process figured out, you can identify the weak points. [17:20.820 --> 17:21.040] Right? [17:21.040 --> 17:24.340] So we ought to analyze alternative routes. [17:24.340 --> 17:29.600] If we had an automated system and you could downgrade to a manual attack, what does that alternative route look like? [17:29.600 --> 17:30.220] Right? [17:31.240 --> 17:36.940] I like to think of these new business process maps that we've created as a kill chain. [17:37.660 --> 17:43.940] Every step of the process, what are the controls we have in place to make sure when we move to the next step, it's in a secure way? [17:44.400 --> 17:51.140] Now, obviously, if you're having a conversation and it's a question to answer, you're not going to have a control step at each piece. [17:51.140 --> 17:57.580] But there might be specific words that you want your people to use to incite the right results from that customer interaction. [17:58.860 --> 18:01.840] And then we want to look at the human factors of the interactions. [18:01.840 --> 18:03.440] Where do the employees make judgment calls? [18:03.440 --> 18:04.940] This is going to be a weaker point. [18:05.220 --> 18:10.480] And then mark where different pieces of the process are automated or manual. [18:11.060 --> 18:15.340] And then, again, the manual parts are going to be the ones that are more likely to have weaknesses. [18:15.340 --> 18:19.880] We can focus there when we try to attack this specific business process. [18:20.600 --> 18:27.100] Key point here is think of your process like a kill chain and you can apply controls to it. 
[18:30.040 --> 18:33.200] So step three, we're going to be simulating the attacks internally. [18:33.200 --> 18:34.740] And this is just like any pen test. [18:34.960 --> 18:36.580] Attack the system. [18:36.580 --> 18:38.000] See if you can break it. [18:38.140 --> 18:41.980] And you end up finding that the weak points are weak for a reason. [18:41.980 --> 18:47.440] Now we have to see how people react as we needle on the weak points. [18:47.600 --> 18:51.440] Document your findings and assess the risks of those weak points. [18:51.720 --> 18:57.960] If someone is going to be able to get the name of my institution because they called in, I don't really care. [18:58.060 --> 18:58.780] That's okay. [18:58.780 --> 19:00.580] That's okay information to share. [19:00.580 --> 19:02.020] And I'm going to just move on with that. [19:02.020 --> 19:03.180] It's not a big risk. [19:03.180 --> 19:08.140] But if they're able to get the social security number of my CEO on a call, that's a bigger risk. [19:08.300 --> 19:11.440] Right now that's going to be a finding that we really have to have the control for. [19:13.940 --> 19:17.640] And examples of simulating internal attacks, call your call center. [19:17.640 --> 19:18.800] Call your help desk. [19:18.800 --> 19:22.660] See how they react when you give them a situation. [19:22.840 --> 19:33.820] And a really great situation, by the way, and I heard this from a fraud red team test that we're running, is they told us we'd love to say that we've lost our phone. [19:34.360 --> 19:37.160] Because you can't MFA them very easily. [19:37.160 --> 19:38.780] You can't call the number on file. [19:38.980 --> 19:43.400] They can't look up their account number or their member number or anything about themselves, right? [19:43.400 --> 19:48.780] So losing a phone loses the technical identity of the person quite easily. [19:48.780 --> 19:55.060] And it puts you into a downgrade attack of how else do we figure out who this person is, right? 
[19:55.060 --> 19:59.220] So if you want to use that one on your next pen test, use that one. [20:00.600 --> 20:03.080] So now we've figured out our weaknesses. [20:03.380 --> 20:04.680] We've tested them. [20:04.680 --> 20:05.820] We want to harden our process. [20:05.820 --> 20:07.380] So this is actually the most important part. [20:07.380 --> 20:09.380] This is actually a blue team talk. [20:09.380 --> 20:12.840] I know I said hack, but this is really about how we would fix things. [20:12.860 --> 20:14.940] And so we want to increase automation, right? [20:14.960 --> 20:17.300] IT, that's the forefront of our mind. [20:17.300 --> 20:19.760] But you want to reduce those manual overrides. [20:19.760 --> 20:23.040] Where are the specific weak points where we have manual overrides? [20:23.620 --> 20:25.180] Let's try to automate that. [20:25.640 --> 20:28.280] Add security layers throughout the process, right? [20:29.020 --> 20:32.280] I've seen a lot of talks today that talk about onions, that talk about layers. [20:32.280 --> 20:42.440] If you can add a small control that is fairly frictionless but adds pause to the employee or the customer, you're probably going to harden that weak point. [20:43.860 --> 20:53.580] Big key areas for hardening are usually authentication or verification of the person on the other end of a phone call or a human interaction, right? [20:53.580 --> 20:56.140] Even a person in front of you can lie about their identity. [20:56.620 --> 21:05.160] And so if you can authenticate them correctly or verify their identity or their documents quickly, that makes it easier for a person to make a judgment call. [21:05.680 --> 21:09.760] And then, hey, look, the common security answer, training, right? [21:09.760 --> 21:14.340] So training your employees actually becomes important and making sure that they have the same training over time, right? 
[21:14.340 --> 21:20.980] The people that have been there for a while in theory are the best at their job, but they may have not gotten the most recent training because of that. [21:20.980 --> 21:23.540] So are they actually a bigger weak point? [21:29.480 --> 21:35.920] So coming into the last section of the presentation, we want to secure our process by design itself. [21:35.920 --> 21:44.940] So if we have a systems map for a process, we can actually design it in a way that secures it and makes it easier to move through that flow. [21:45.360 --> 21:53.960] So most business processes, when they're designed, are to make money and to make it easy for the customer. [21:54.260 --> 21:54.900] Guess what? [21:54.900 --> 21:56.040] We get to fix that. [21:56.800 --> 22:02.320] So we still want to make money, we still want to be easy for the customer, but we want to secure it from the get-go, right? [22:02.320 --> 22:06.260] So we might have to really redesign some of these customer flows that we have. [22:07.200 --> 22:12.300] When we think about how do we actually do this by design, business analysts are your friends. [22:12.300 --> 22:15.520] How many people work with business analysts often? [22:15.580 --> 22:15.800] Okay. [22:15.800 --> 22:15.940] Yeah. [22:15.940 --> 22:17.400] Business analysts are really awesome. [22:17.540 --> 22:17.840] Okay. [22:17.840 --> 22:22.300] This is actually, like, if you're a business analyst wanting to get into security, business process hacking is for you. [22:22.300 --> 22:25.220] Because this is what they do on a daily basis, right? [22:25.220 --> 22:29.280] They're understanding business processes, trying to fix them, and trying to automate them. [22:29.360 --> 22:30.020] Boom. [22:30.020 --> 22:31.560] They know your weak points. [22:31.560 --> 22:34.460] They know that they're basically just me in that area. [22:34.460 --> 22:38.720] So find your business analysts, they could be your next superhero in the security realm. 
[22:40.020 --> 22:43.980] And that's a key point that I wanted to make sure you remember. [22:44.240 --> 22:53.740] We want to secure by design, again, enforcing least privilege in your processes, multi-factor authentication, some of the generic things that we might see on the security side. [22:53.740 --> 22:55.060] A culture of awareness. [22:55.060 --> 22:59.780] And it's not just training our frontline staff, but it's making them aware that security matters, right? [22:59.780 --> 23:05.840] Security should be top of mind when they're interacting with people outside or even inside the organization. [23:05.880 --> 23:10.460] It's not always do what they say or make it easy for them. [23:10.700 --> 23:13.100] Make sure that they're thinking security first. [23:14.240 --> 23:16.220] And then finally, ongoing audits. [23:16.220 --> 23:24.160] So we want to have ongoing audits and continuous improvements so that we can continue to test this, get feedback, and make this whole thing better. [23:27.770 --> 23:28.070] All right. [23:28.070 --> 23:33.070] So three key points that we talked about throughout the presentation today. [23:33.070 --> 23:38.790] We can apply pen testing methodology to our business processes and really profit right away, right? [23:38.790 --> 23:42.150] You have better business processes, you have less losses. [23:42.150 --> 23:42.990] That's huge. [23:42.990 --> 23:44.050] And that's in any business. [23:44.050 --> 23:57.770] Because people that are giving fees back to individuals, people that are allowing claims through, people that are allowing people in the door to physically access your secure equipment, those are all problems that are going to lose this money. [23:59.170 --> 24:06.870] Another one is thinking about your business process like a kill chain and treating it as such to have security mechanisms at each step along the way. 
[24:07.350 --> 24:12.710] And then finally, engage those business analysts, treat them like friends, and you'll profit from that. [24:13.410 --> 24:15.350] So what can you do next? [24:15.350 --> 24:18.050] There's really these three things. [24:18.230 --> 24:20.870] Start auditing all of your own processes today. [24:20.870 --> 24:22.990] Honestly, do the Toast activity. [24:23.030 --> 24:27.310] I love playing Toast and doing the systems design exercise with Smeeze. [24:27.310 --> 24:36.690] You find out so much more about how your business runs and how you can then secure it, both in your technical area or in the process that you're actually looking at. [24:37.490 --> 24:42.870] Analyze, basically establish a red team process for testing your business processes. [24:42.990 --> 24:45.590] And then educate your employees on the attack vectors. [24:45.950 --> 24:55.290] An employee that hears about security all the time at least will think about it when they have that next spidey sense in the back of their mind. [24:56.470 --> 24:59.730] And with that, I'll kind of end my talk. [24:59.730 --> 25:00.870] I'm open to questions. [25:00.870 --> 25:03.110] Plenty of options out here. [25:24.210 --> 25:30.250] So if you can't counter in real time, can you detect it after the fact as a trend, as a larger trend, right? [25:30.250 --> 25:37.050] So we've implemented processes where we couldn't stop something from happening in the moment. [25:37.050 --> 25:45.730] So for example, when I built the wire fraud solution, we alerted on fraud and our analysts called our members. [25:45.770 --> 25:47.670] And literally, they're businesses, right? [25:47.670 --> 25:49.710] So it was business wire fraud. [25:49.710 --> 25:53.870] They called the business and they said, hey, you're sending money to Hong Kong. [25:53.870 --> 25:55.230] Did you expect this? [25:55.230 --> 25:59.850] And the person said, my accountant said this is what I should do, so I'm going to do it, send the money.
[25:59.870 --> 26:00.570] It's a wire. [26:00.570 --> 26:01.850] As soon as that's sent, it's gone. [26:01.850 --> 26:03.350] I'm not getting it back for them. [26:03.470 --> 26:07.570] The next day they called back and said, hey, Vendor never got the money I sent yesterday. [26:07.710 --> 26:09.650] Yeah, you sent it to Hong Kong. [26:10.110 --> 26:14.150] We warned them up front, complete, like dead stop, we knew it was bad. [26:14.730 --> 26:15.990] It's their money, they do what they want. [26:15.990 --> 26:18.250] So what can we do on the back end, right? [26:18.250 --> 26:22.990] As an aggregate, we can see every time where that process broke down. [26:23.210 --> 26:26.010] And then is there a different hook, right? [26:26.010 --> 26:29.590] So when are all the times that it worked and when are the times it didn't work? [26:29.590 --> 26:34.690] And then say, okay, well, it's these two words, if you say these, people pause, right? [26:34.690 --> 26:37.610] Like wait two hours and then get back to me, right? [26:37.610 --> 26:39.090] Verify through a different channel. [26:39.090 --> 26:49.590] So we found that just taking aggregate statistics after the fact and bringing it back to the business, they were able to find the ways where they did win in those situations. [26:50.070 --> 26:53.550] But yeah, some situations you are kind of screwed, right? [26:53.550 --> 27:00.590] If you're taking a paper check and giving out real money, that paper check is gone and you're out the money. [27:16.880 --> 27:22.400] The business analysts I've worked with really side with the business and the customer, right? [27:22.400 --> 27:31.060] So I think most business analysts I work with are not thinking about security or they think about it as, oh, we should check with security at the end, right? [27:31.060 --> 27:36.460] And I think all of you that are in security right now, you feel that like, oh, this is going live next week, we good? 
[27:36.840 --> 27:38.980] We have to be, because it's going live next week. [27:39.520 --> 27:41.900] So what do we do in that scenario, right? [27:42.120 --> 27:45.640] So it's about that trust and communication up front. [27:45.640 --> 27:53.940] So yes, you're going to be on the backside of projects for a year, but as they work with you more and more, they should be bringing you in earlier. [27:54.160 --> 28:01.060] And so that's the only thing I try to train business analysts or other departments about is, hey, come to me when you're starting. [28:01.200 --> 28:02.120] That's all I want. [28:02.120 --> 28:06.940] You don't need to actually know anything about security or data or fraud or whatever I'm working on. [28:07.000 --> 28:09.660] Just if you're starting a project, come talk to me. [28:09.720 --> 28:13.120] And I will help you not be late on your deadline. [28:13.300 --> 28:15.000] And that matters to them, right? [28:15.000 --> 28:17.960] They don't actually care about the security because it's going to make their life harder. [28:18.080 --> 28:21.860] So what is their benefit of coming to you? Their deadline is going to be on time. [28:31.160 --> 28:35.000] Show them the amount of money they're going to save, because they care about money. [28:35.000 --> 28:49.460] So if you can say that, hey, this weak point is costing 20 hours a week, or this weak point is costing the business $500,000 because we have to have this technical control that actually isn't useful, that's money that they can put in their pocket. [28:50.280 --> 28:52.860] So again, approach it from what is their benefit? [28:52.860 --> 28:54.880] And their benefit is never the security. [28:54.900 --> 28:56.020] They really don't care. [28:56.220 --> 28:58.480] Unless it makes them money. [28:59.720 --> 29:01.000] And maybe I'm cynical that way. [29:01.040 --> 29:05.400] But if you can prove it with numbers, it's a lot easier. [29:08.040 --> 29:08.460] Awesome.
[29:08.460 --> 29:09.660] Well, this is my link tree. [29:10.040 --> 29:13.280] I have a bunch of different resources that I curate. [29:13.280 --> 29:16.820] I have a cyber fraud newsletter that I put out each week. [29:17.380 --> 29:18.840] Contact information is on there. [29:18.840 --> 29:23.860] And then this whole presentation, you can download so you can get the deck if you want it from that link. [29:23.860 --> 29:25.960] So thanks, everyone, for joining. [29:25.960 --> 29:31.340] Don't forget to go to the Hilton afterwards for the big party after and enjoy the rest of the con. [29:31.340 --> 29:32.260] Thank you.