I just spent 3 days in Detroit with a great group of people at BSides Detroit. J Wolfgang Goerlich (@jwgoerlich), Ryan Harp (@b00st_sec), and Steven Fox (@securelexicon) did a great job of organizing this event. It was my first trip to Detroit and I enjoyed the venue at the Renaissance Center in the GM Building. While I would love to go on about BSides Detroit and how amazing it was, it is muted by my experience coming back into the office this morning. Besides, you can view the awesome pictures CaptainSpoon took of it here.
Now, don’t get me wrong. Attending BSides Detroit is way better than sitting in the office. However, what I am about to tell you should hopefully help you understand why I am super excited and pumped.
As a Vice President, it is typical for me to do a morning recap conversation with the Information Systems Manager. While I am away, he takes care of things and reports any issues or outstanding items which may need my attention. This morning was no different. As we chatted about the morning news and the happenings of the last couple of days, he mentioned that he had one issue arise while I was away at BSides Detroit. But before I get to that, some background.
For those of you that may not be aware, my “Creating A Powerful User Defense Against Attackers” talk was voted in by the BSides Detroit participants. In this talk, I describe how I changed my approach to Security Awareness programs, how the users reacted, and the results of that approach. I have presented this talk at DerbyCon 2012 and more recently at THOTCON 0x4 in Chicago. I was a bit surprised that the talk was selected, as BSides Detroit was so close to THOTCON.
After my DerbyCon and THOTCON talks I consistently had people ask me about metrics. How do I ‘know’ it’s working? I tell them that it’s based on the communication from my users. What are they telling me now that they were not telling me before? What are the users identifying as “out of the ordinary” and alerting my team about? As with all metrics, your mileage may vary (ymmv).
So, how do I know that what we are doing is working? Well, back to my story.
I was alerted that the contractors hired by our building management company had tried twice to gain access to our suite without authorization and without checking in at the front desk. In the first instance, one of the contractors was engaging in dialog with an employee while someone else was entering their code to open the door. The other contractor was on the other side watching the code being entered. The employee noticed this and alerted their manager.
In the other instance, after two employees entered through the coded door and the door was about to close, the contractor wedged his hand and foot in the door to prevent it from latching and gain access. The employees immediately called the Information Systems Manager, who came by and took control of the situation.
I brought all of the employees into my office and asked them to tell me what happened. Then I gave them each a gift card for lunch on the company today, thanked them, and gave them huge kudos for a job well done! They all did exactly what they should have done, and while there wasn’t any actual malicious intent (the contractors were just trying to do their job), it’s instances like these that could lead to a major breach.
This doesn’t mean that my users will catch everything. But the user layer of our defense worked this time around! This is my favorite layer of our defense because contrary to popular belief, when your users care about security, they are a force to be reckoned with! While I was away at BSides Detroit telling others about how we got our users excited about security, they were stopping potential threats from gaining physical access to our site. I don’t care who you are, that’s freaking awesome!