Automated Human Vulnerability Scanning with AVA

Presented at Black Hat USA 2015, Aug. 6, 2015, 2:30 p.m. (50 minutes)

It will not be a surprise to you that of all the elements within our organisations and systems, the people are most likely to expose us to risk. In short, we are a mess of emotional unpredictability that threatens us all (and security professionals are the worst of the bunch).

Many very clever people have spent a long time teaching us this. This is not news.

So if this is the case, why in 20 years of modern information security have we done so little to actively protect them?

Technical vulnerability scanning is now mature and commoditised, allowing us to repeatably test and adapt our systems in the face of a changing threat landscape. The time has come to apply the same logic to our people: to actively understand human connectivity and behaviours when faced with threat, and to understand the effect of this behaviour on our organisations.

This talk will discuss why this is a difficult challenge and introduce AVA, the first automated human vulnerability scanner that allows us to map the connectivity of our people, test them with a range of security threats and measure their behaviour. A tool built to make human security risk (and the effectiveness of our countermeasures and training) measurable.

Let's change the way we approach human security risk. Let's protect our people.


Presenters:

  • Laura Bell / ladynerd - SafeStack Limited
    With almost a decade of experience in software development, penetration testing and information security, Laura Bell specializes in bringing security practices and culture into organizations of every shape and size. Known for her no-nonsense, plain English approach, she has made a career from challenging the traditional fear-based formal governance approaches and calling out shameful security vendor practices. In addition to consulting, Laura conducts research and tool development in the fields of agile application security and human vulnerability assessment. An experienced conference speaker and regular panel member, Laura has spoken at a range of events, including Kiwicon, Linux Conf AU and Microsoft TechEd on the subjects of privacy, covert communications, agile security and security mindset. She is the founder and lead consultant at SafeStack (http://safestack.io) and lives in Auckland, New Zealand with her husband and daughter.
