Hacker culture is about doing your own thing and rebelling.
But hacker cons seem to look the same.
#purplecon
Let the experiment begin!
@purpleconNZ
Is that right? That's your mom, dad, CEO, colleagues.
Do we abandon them?
#purplecon
- People who have no idea what to do
- People who know what to do, but not how to implement it
#purplecon @Sereeena
Trying to force people to use the BEST security means they won't adopt anything at all
#purplecon @Sereeena
We have a pervasive culture of shaming people and it DOESN'T WORK.
#purplecon @Sereeena
Ah ha!
#purplecon @errbufferoverfl
Maybe it's an attacker or maybe an insider threat.
#purplecon @errbufferoverfl
Canaries are only useful if they sing!
#purplecon @errbufferoverfl
Make them look juicy and interesting to attract the haxors.
#purplecon @errbufferoverfl
All good code needs a good problem to solve.
What about storing cloud limes?
Answer: Redis.
#purplecon @mossnz
Need to trust the people building the tools.
Compilers can alter programs. Including the compiler that compiles the compiler. 😱
#purplecon @mossnz
Must we rebuild the cosmos?
#purplecon @mossnz
It's NOT the latest build.
Extremely confusing.
#purplecon @mossnz
#purplecon @SparkleOps
Context means he knows what to actually look for.
#purplecon @SparkleOps
Being pen tested can be scary for devs.
#purplecon @SparkleOps
"Don't worry! I turned off anything that can go wrong!"
Brendan: 😱
#purplecon @SparkleOps
We're not setting up our pen tester friends for success.
#purplecon @SparkleOps
- Implement LAPS
- Disable default local Admin
- Remove passwords from GPO
#purplecon @mikeloss
- Implement a custom AD password filter
- Deal with default passwords
- Unfuck the passwords on service accounts
#purplecon @mikeloss
- Kick stale RDP sessions
- Set login type restrictions
- Turn host-based firewall back on
#purplecon @mikeloss
- Segmentation & segregation
- MFA ALL THE THINGS!
- Put vaults in the right place
#purplecon @mikeloss
#purplecon @NZPrivacy
Engineer and encourage people privacy options.
#purplecon @NZPrivacy
No. Our systems are people!
#purplecon @petrajane
As a consultant you can give them the best possible advice but they may not take it.
#purplecon @petrajane
Humans make sense of their world by making connections. They might have different reference points and interpret things differently.
#purplecon @petrajane
We can tell stories. Facts may not fit into their mental scaffolding in the way we imagine. But if we spin a narrative we create our own scaffolding.
#purplecon @petrajane
We're very bad at maintaining constant vigilance.
#purplecon @petrajane
We need to take people on the journey as to WHY the reality/advice has changed.
#purplecon @petrajane
Form small groups of birds that all look after the group's eggs collectively.
#purplecon @petrajane
How can we turn humans into security pukekos?
We tend to view security as a secondary (or tertiary) priority. Find out why.
#purplecon @petrajane
Shouldn't be an adversarial relationship. Should be a symbiotic relationship.
#purplecon @petrajane
People are frightened of us. They think we're going to be mean.
#purplecon @petrajane
Small steps make us feel empowered to be part of the solution. Starts with simple gestures where people can show that they care.
#purplecon @petrajane
Security is a means to an end. We want to help make small gestures close to home. How do you secure your Facebook? Your home wifi? How do you back up?
Once they're invested, they can see the business issues. Make everyone a champion.
#purplecon @petrajane
Who am I protecting? How can I take them on this journey?
#purplecon @petrajane
The slides are GORGEOUSLY illustrated.
#purplecon @petrajane