Pwning the hapless or How to Make Your Security Program Not Suck

BSidesLV 2014

Presented by: Casey Dunham, Emily Pience
Date: Wednesday August 06, 2014
Time: 15:45 - 16:15
Location: Proving Ground

Customer data is our business. Whether within the financial or healthcare industries, the root of our business is to safely house and transmit information to and from trusted parties.

With the growing demand of increased access – in healthcare, from providers, employees, visitors and patients, from a variety of devices, increased federal enforcements of privacy and security requirements under the new HIPAA Omnibus Rule, there is an ongoing challenge of ensuring patient and customer information is adequately protected.

Numerous breaches within both the healthcare and financial fields have involved lost or stolen unencrypted devices, but mistakes by employees continue to be the biggest security threats to all businesses. Even tech-based companies are shown to be at risk for various social engineering attempts.

Why do these breaches keep happening? How can you, as an IT professional, or merely an employee with the safety of your customers’ data a concern, help your business create useful prevention strategies that employees will pay attention to? How do you train your non-tech employees to not be susceptible to social engineering attacks?

Emily, an insurance professional with ten years experience of working for 3 of the 5 biggest US disability insurance companies, and Casey, a Security Engineer with history working for commercial financial firms, will explore the unawareness non-tech employees have of their actions, discuss useful training and resource organization and allocation. We will walk through a few scenarios (the successful and non) and discuss what we have learned from human behavior and how it can apply to enforcing security policies or creating a culture of care.

Technical solutions will not be discussed specifically, as the focus will be on employee awareness, education and how we can do better.

By working through a few scenarios that we have personally encountered, we will address the topics of

Casey Dunham

Casey Dunham, is currently a Security Engineer with Bigelow Laboratories in Booth Harbor, ME. He also runs his own security consultancy, Gnosis Security, Inc. His InfoSec history includes working for commercial financial firms and volunteering at numerous regional and national InfoSec Cons,is the point of contact for DC207, and a member of PWM TOOOL.

Emily Pience

Emily Pience is currently a Clinical Innovation Specialist with [redacted name of major American health and medical insurance company]. She has never worked in InfoSec but was raised by an Electrical Engineer in the cable industry, and believes herself to be a bastard of the engineering / InfoSec / modern Technology fields. She has worked for 3 of the 5 top disability insurance companies in the US and is working on her MS in Social Work. She is a member of PWM TOOOL and a founding supporter of I Am The Cavalry movement.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats