
The Resilient User | John Dickson | TEDxVail


We head home after a long day at work, fire up your computer, and you're ready for a long evening of well-earned and largely meaningless web surfing, until you see a terse message that says all your files have been encrypted. All your documents, photos, videos and databases are inaccessible. Suddenly your heart starts to beat a little fast, your head starts to spin, and you realize something is very, very wrong. You start to think, like most human beings: "Wait a second, this is supposed to happen to other people, not to me."

Now that I've got your attention: I'm John Dickson. I'm a cyber security professional, and for the last 20 years I've been helping really large companies protect themselves from the attacks of a rogue's gallery of hackers and black operatives and all these bad guys. And what I've learned over the last 20 years is that even at this point, after all the headlines, we still struggle as individuals, as individual users, to protect ourselves. This was the case last May, May 2017, when the WannaCry ransomware attack occurred across the world. About 230,000 computers in about 100 countries were locked out. Many of you know about this. After about a week we kind of whistled through the graveyard, and most of our clients were okay; we were good. At the end of the week I get a call from my parents. They said, "Hey, could you come over after work? I think we've had a problem." And sure enough, they got hit. That was the bad news. The good news is I went over there and spent the whole evening with them. They had backed up everything, so it wasn't catastrophic. But as our evening wound down, my mom asked me a question. She said, "What could we have reasonably done to protect ourselves?"

You see, my mom's a layperson, a civilian so to speak. She's not an IT person, she's not a security person, she has no idea about the behind-the-scenes titanic struggles between the black hat attackers and the white hat defenders. Her question really gnawed on me for a long time, and it brought up a bigger question, which was: how could regular users reasonably protect themselves against increasingly sophisticated cybersecurity attacks?

The problem is, really, it starts with us, right? Here's a truism: the attackers, the hackers so to speak, know that if they exhaust all their technical means they will go after the weakest link. That's us, that's the users. That means that before you fix the internet, before we fix the web, before we do all the technical stuff behind the scenes, we've got to fix our own behaviors online. And to that end I'd like to introduce you to this concept of what I call the resilient user. The resilient user is an individual who implements a series of habits, a series of practices online, that make themselves less susceptible to hacking. It's very simple. That means a series of technical means, like protecting themselves by making sure their systems are updated. That could also mean being much more mindful online, because many of these behaviors, many of these actions, actually put themselves in a bad position. And then finally that can mean for individuals to protect their private information and guard it jealously, because guess what attackers do: they use that private information against us to craft their attacks. So that's the challenge.

Before we go into it, let me just get a hands up to see how many people saw the free_TEDx_Wireless that was out there. A few of y'all. That was this guy. For the record, this is the Wi-Fi Pineapple. What the Wi-Fi Pineapple is, is, I'll use the term, an auditing device. What it does is some pretty cool things. It sets itself up as a wireless access point, or a rogue or fake wireless access point, and will do things like look at all the traffic that you have going through after you connect to the internet. You know what else it does? It will sit there and watch all your traffic and log it. It will also look at all the other wireless access points you've attached to and download all the credentials for those, all the usernames and passwords of all the other wireless access points you've used. So the key point here is people looking for wireless internet will hop on these things mindlessly and put themselves into a very difficult position.

So what I'd ask you to do is to really think about, and steal, a concept from the physical world. I've been struggling about this: how do you get regular users to stop doing these things? And I really latched on a term, an idea, around defensive driving, because defensive driving is something we all understand. We all understand the two-second rule about putting a cushion between you and the driver in front of you. You understand not to put yourselves in risky positions, and you largely put yourself in dangerous environments and survive those dangerous environments every day. I thought about that when I drove from Denver to Vail two days ago, for example, with snow. So I can't think of a more fitting metaphor for the online world. So we've got to pull those concepts and start to make those habits as users to become much more resilient.

So let me talk to you about the resilient user and what that means, becoming a resilient user. First of all, I talked about technical means. What I mean by that simply is you need to be obsessive, like I am, about updates. When you see those little updates come on your iPhone or on your computer, yes, a few of those are feature requests, are new features; most of them these days are security patches. It's those patches that, not applied, put you at a weakness and allow attackers to come in and exploit your systems. I mean, none of us would jump on the road knowing full well the brakes were pretty shaky. I sure as heck wouldn't do that drive again if I knew my brakes were shaky. I wouldn't drive at night if my taillights didn't work. But somehow many of us will hop on the internet if they haven't updated their Windows computer. That is almost the exact same metaphor: you're putting yourselves at risk to the latest malware and the latest attacks that are out there. You're putting yourself at a structural disadvantage.

The second thing I would throw out there is backing up. Can you think of a more unsexy topic these days than backing up your stuff? But guess what, if it weren't for the backing up, my parents would have lost everything. And with ransomware getting much more sophisticated, much more pervasive, if you have everything backed up online or by some other means, that type of event is not catastrophic.
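The talk's point about backups is that a restorable copy turns a ransomware event from a catastrophe into an inconvenience. The check a practitioner actually wants is whether the backup still matches what was backed up, because a copy that was never verified is not yet a backup. The following Python is an added example, not code from the talk or from the speaker; it records a SHA-256 manifest of a directory tree, copies the tree, then compares both the copy and a deliberately damaged original against the manifest. All file names and contents are constructed inside a temporary directory.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX separators) to its SHA-256 digest."""
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_against_manifest(root: Path, manifest: dict) -> dict:
    """Compare a directory tree with a manifest taken earlier.

    Returns lists of files that match ('ok'), whose content changed ('modified'),
    that disappeared ('missing'), and that appeared since ('unexpected').
    """
    current = build_manifest(root)
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel_path, expected in manifest.items():
        if rel_path not in current:
            result["missing"].append(rel_path)
        elif current[rel_path] != expected:
            result["modified"].append(rel_path)
        else:
            result["ok"].append(rel_path)
    result["unexpected"] = sorted(set(current) - set(manifest))
    return result


def demo() -> dict:
    """Constructed scenario: take a manifest, copy the tree, damage the original, verify both."""
    with tempfile.TemporaryDirectory() as tmp:
        originals = Path(tmp) / "home"
        backup = Path(tmp) / "backup"
        (originals / "photos").mkdir(parents=True)
        (originals / "photos" / "vail.jpg").write_bytes(b"\xff\xd8 constructed photo bytes")
        (originals / "taxes.xlsx").write_bytes(b"constructed spreadsheet bytes")

        manifest = build_manifest(originals)   # record state before backing up
        shutil.copytree(originals, backup)     # the backup itself

        # Simulated damage to the live copy: one file overwritten, one deleted, one new.
        (originals / "taxes.xlsx").write_bytes(b"constructed garbage")
        (originals / "photos" / "vail.jpg").unlink()
        (originals / "README.txt").write_text("constructed note")

        return {
            "backup": verify_against_manifest(backup, manifest),
            "originals": verify_against_manifest(originals, manifest),
        }


if __name__ == "__main__":
    for tree, report in demo().items():
        print(tree, report)
```

Running the demo reports the backup as fully intact and the original tree as having one modified file, one missing file and one unexpected file. The same two functions work on a real home directory and an external or cloud-synced copy; keep the manifest with the backup so the check does not depend on the possibly damaged originals.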

So the second concept I want to throw in there is this one of mindfulness. What I mean by mindfulness is really the pregnant pause, the consciousness of when you're online, you know, being a little bit paranoid, which I know is an antithesis to this conference, but to maybe say no to that link that your friends sent you. What I mean is a level of thought, an approach to the way you conduct yourselves online, because again the attackers know if they can't get you technically they will come after you, and they are incredibly smart these days. So things like trusting your intuition: if something looks fishy or looks bad, it probably is. Absolutely, it probably is. So it's okay to say no in this instance.

The other thing I would throw out there is really around protecting your private information. You wouldn't believe how much stuff is out there. I don't know how many people have done an audit of their online profile and the things that are out there on LinkedIn, Facebook and other sites. But we had a client several years back who used a private bit of information for all of his domain registries, so all of his website domains, and it was his favorite vacation spot. That was the secret that GoDaddy had and everybody else had. And sure enough the attackers just kind of did a little bit of research and called back in and said, "Favorite vacation spot? Oh, San Diego," and they rerouted all of their websites to a neo-Nazi site, I think it was, at the time. That's not really hacking, that's just really not being mindful and not protecting the private data.

So here's a bit of advice. You know those shared secrets you have to do for banks and stuff like that? You don't have to tell the truth. So my first girlfriend, think about that, my first girlfriend was Marilyn Monroe. My first car was a Lamborghini. And so you start to think that way. I mean, you don't have to put down the actual answers that are true, that people can research. So again, a mindset change here, right?

So let me just wrap up really quickly and say a couple of things. First of all, if you read the headlines you could perceive that we're losing this battle, right? And there's some good days and bad days. Every day there seems to be another breach story. But I would argue that as individuals, if you apply some of these concepts of resilience, you will change the balance of power between the attackers and the attacked. If you really implement and become obsessive about those updates, if you really are much more mindful about what you do online, and if you guard your private data very preciously, you'll make it harder for the attackers to do their job. It'll make it harder for them to steal information, to steal your data, steal your money. And I think that'll make the world a better place. Thank you.

[Applause] [Music]
