All right, so good, good evening. Good afternoon, everyone. I guess it's already, almost, almost evening dark here in Berlin. Thank you very much for sticking around for, for this keynote. I'm very happy to be here. Just a little note on who I am before I, I jump into talking about my, my view on human factor security. So I'm Ben sch labs. I didn't study it. I was a physics major, but I grew up loving magic as a kid and liked doing stuff that people thought shouldn't be possible. And I thought shouldn't be possible, but I figured out how to do it. And I studied physics and got into problem solving pretty early on as a, as a kid. And so that actually ends up being a pretty good, good match for it. Security, where I've been working here in Berlin at security research labs for the last eight years now, security research labs is just what it sounds like.
We do security research on the, on the one side, we do a lot of telco security research, you know, hacking SIM cards, listening in on phone calls, all that kind of stuff. That's what we get in the news for, but we've been working with companies through around the world in 20 countries, four continents for the last eight years. And we have youngish office in, in Jakarta and well-established office in, in Hong Kong as well. And everywhere we go, we face legacy technology and, and legacy it security problems, which is why we were very, very happy when we got involved with a pure Greenfield startup. So a Greenfield startup in a very literal sense. That's a Greenfield outside of Mumbai in, in India. And within two years, they had gone from that to the largest startup in the world. India's largest 4g network by far 60,000 employees before the first SIM card was sold, they rebuilt the entire internet and we were there from the ground up and it was super exciting cuz we thought we can finally bake security into a company from the ground up using new technologies. This is the logo geo it's. If you look at a me image of it, it's oil and it's owned by the richest man in India, mu Kani. And he sees it as, as a mission to bring internet and, and digitization to the entire Indian population. And we were very much looking forward to using these new technologies and because we're so used
To having to fight all of the old problems here in, in European clients, you know, patching all the, you know, old technologies that are there with unauthenticated protocols, et cetera. And so we have these new boxes standing in our core network and it turns out in 2 20 17, we had unpatched Lennox from 2007. So someone had taken a product that had been designed one year prior and taken Linux from 20 2007 and, and put it on there without any of the patches that had been released since then here, we also have unauthenticated management protocols from the 1980s. This is in a Greenfield company with brand new technology. Then we have our, our nodes. We had 80,000 nodes where we'd checked them out when, when we got onboarded and it turned out that they were, they had one password and it was the vendor's company name on 80,000 nodes across the entirety of India.
India has a lot of people and we had a lot of time, so we were able to fix it, but not everyone has that luxury. So there's no such thing as, as true Greenfield legacy free. Yeah, it security. What about the people? So we saw the process and the technology, the people also bring their own legacy with them. So this is a diverse crowd of people and they hadn't grown up in countries with the, with AOL in 1995. So a lot of people hadn't been exposed to basic fishing, you know, the Nigerian prince kind of scenarios. And we were really mean, so this was very early on and we were really mean, and we sent fishing emails that were extremely convincing, but still you would hope that the rate of success for a fishing attack would be much lower than 61%. It wasn't, if you get on the phone and you're a human and you're talking to someone and you say, Hey, I need to reset your password here in the system. This is a startup, you know, everyone's working all the time, gotta get stuff done. 70, 76%. We also measured the strength of the passwords that people gave us very weak or weak 67% of the time. So they would've been broken within the first second of a, of a smart dictionary attack. So how do you, you know, how do you deal with that?
We all kind of know that the more you invest in protection, the more energy and time you invest, the more money you invest, the less damage you can expect. But what's missing from this general understanding that everyone has is innovation potential. So if you have absolutely no security, then it's clear, everyone's gonna get slaughtered. You throw people out into the, you know, the wild west on the internet without any guardrails. And all of your employees are going to get completely slaughtered. Let's ratchet it up a lot. Let's go over to the other side. On the other side of the spectrum you have, in our example, a competitor of Dropbox being built in house for the Indian market, we were supposed to pen test it. We took the app, we looked at it and we said, we can't, we don't even know how to use it.
It's so ugly. It can never compete with, with Dropbox. Why don't you look at, just copy what they're doing to make the user interface a little bit better. We can't, we can't access Dropbox. We're not allowed to, right? So that's over the top security and it's directly affecting your innovation and your productivity and the success of the company. So how do you measure where you are on this spectrum? The way we do it is by the typical, you know, prevention, detection, response measurements. So you measure how long it takes to hack your company. You measure how many, how many attacks out of the ones you run get, get detected properly. And then you measure the response time. And the numbers here look really scary. So if you see four days for like a total full compromise of your company, if you're, if you're doing a red team, that's really scary, right?
I just need to pay one guy in Russia, four days, wages and Sony goes down, that's unacceptable, but parrot with the next number that also looks bad, right? 20% coverage. I only see 20% of what's going on in my network. That's terrible. But actually the guy who's hacking you for four days, he's trying lots of different stuff. And every different thing, he tries, you have a 20% chance of catching him. So that's actually really good for you as the defender. And if you can catch him within the first three days, you've responded by the time that he actually has a total domain takeover, right? So that's how you need, how we think about, about security and the way we, we run it. I'm not gonna go into the details of this very dense slide. Don't worry. But we go from outside all the way to full domain takeover.
And we see where is the path of least resistance and it's not always fishing. It's not always human, unless that human happened to be responsible. For example, for, you know, hardening and middleware security, that kind of thing. It's, it is often also fishing, which is what I'm gonna talk about a little bit more now. So this is what it looks like in Europe. And actually this is worse than it looks like now in, in India where it's down in single digits. Usually if you have a baseline around a quarter, which you have here of, of people who click the link, then you can get it down to single digits or at least around 10%, but you don't get much lower than that. People are human and you shouldn't expect more than that. PE if you do click the link and someone's asking for your password, and it's a convincing website, chances are you're gonna go all the way. You're gonna fall for the, for the last bit of it as well.
Sometimes we can even see what happens when people have been told to change their password, for example. So on the, on the raw password strength score of, of the password that was entered first, the old password and the new password, it actually looks like people with very weak passwords got better. You know, there were fewer people that had very weak passwords, but there were also fewer people had very strong passwords. So basically things became a little bit more average on the face of things. But when you look deeper, when you actually look at the passwords that people enter, you realize that our strength meter was just not smart enough. We weren't comparing the old password to the new password. And what happens a lot, like an unbelievably high amount of the time is lethal weapon. Two guy will change his password to a lethal weapon three.
And that's a real, that's a real 1, 1 71 bench. I adjusted that one to reflect my name changes to 1 72, 10, a reef exclamation mark exclamation, mark changes to the next special character on the keyboard. So not everyone has the same pattern, but if I fish you one time and you don't know about it, then I might know that you're going to have 75 w E R a SDF dollars sign November, 2020, January, 2021. If you're forced to reset your password all the time, but why are people so, you know, dumb? Why are people so dumb about their passwords? The guidelines are so easy. You just need to do all of this, right? So what, what are the, the legacy password rules that people have to are faced with and are still probably enforced in most of your companies or at least in the, on the windows office, 365 side, change your password regularly.
The idea is that you can kick snoops out, right? So if someone has compromised my password, I change it, they're gone. But if I have to change my password every three months, then I have bad password, November 20, 19 bad password, January, 2020, it needs to be complex, random long, right? That's because the, the character set to the power of the number of digits in your password is, is the, is the strength, right? Like lots of entropy, a, a brute force attack would take tens of thousands of years to break it, but that's not true. You know, dictionary attacks are a real thing and they break passwords that brute force doesn't and attackers know that brute force. Isn't really a thing. Dictionary attacks are always the first step and people who are forced to enter a number and an, and a special character, add one exclamation mark all the time.
And if it's not that it's one of a dozen other things or make it 500 other things, but at 150 billion guesses per second, with a smart dictionary attack on a strong system, that password is as good as N it will get guests in under a thousandth of a second. Random humans are bad at making random stuff, not random password length, add enough exclamation marks until you get to the end. This is what people do. You probably do it yourself, at least on like Spotify or something, and then never write them down. If that's good advice, then why does my mom give me this for Christmas? Right? This is a internet address and password log book.
It's actually not the worst idea in the world, right? I'm not worried about anyone in this room, frankly, attacking me. What I'm worried about is being one of the vulnerable people with exposed stuff on the internet to remote attackers. If someone is close enough to me to steal this and get my passwords, then I should be worried if, if they're really a risk. So what's, what's the best advice. I, I still wouldn't recommend writing down every password you had. I think pair had good advice on, on that note, but good advice in my, in my book is make your password arbitrary. Don't have it related to stuff that I can scrape from the internet about you and feed into my smart dictionary attack, make your passwords long, unique, and memorize them for all of your key accounts. What's a key account, your Gmail account, for example, your, your work email account.
What can I do with that? If I'm an attacker and I have access to your email account, maybe I even figured out a way to, you know, sniff the, the SMS that you're receiving as your second factor or whatever it is. If I have access to that just for a day, I can reset all of the passwords in your entire life. I can take over all of your accounts just by getting your Gmail. So have it be long. That's the biggest, the biggest defense against dictionary attacks and brute force attacks both have it be arbitrary. So JE purple seven Yong, right? That has four languages in it. And it's super long. It's so long that I don't know how many characters are in it, but I do know that I can remember it forever. It's very easy. So that's my strength as a human is that I can remember that.
And a computer can't can't break it very easily. Of course, also password managers, password safes. They're good advice. Second factor. Second step. Anytime you can realistically do it unique, right? Unique for every account, ideally, but absolutely definitely long unique and memorized for your key accounts. So how as security leaders do you help in this situation? Well, have strength meters and have smart strength. Meters don't have ones that are, are stupid and unaware of password blacklists password blacklists should be ideally tens of thousands, if not hundreds of thousands of words long, and they should not be allowed. You should kill any chance of, of having extremely common passwords that seem secure in your password database and also give helpful feedback. So explain why you're rejecting a password and saying it doesn't have a special character in it is not good guidance that doesn't help. I'm just gonna add an exclamation mark, you know, so yeah. Make, make sure that the password strength, meters give good feedback and have a long, robust blacklist in
It. All right. So we talked about this graph a little bit earlier and how it applies to humans. If you're interested, we have lots of data on humans and passwords. We also did the work and tried to measure the security of industries, companies, 40,000 businesses around the world, deep web wide scan. And if you want to check your own report, you can go to Autobon security. So autobon.security and the takeaways legacy is not going away live with it and deal with it. Security comes with externalities, often it backfires. So make sure that you embrace the humans that need to do the work to get more secure and also leverage humans, natural efficiencies and drives and ambition. And don't stifle them with security. That's my talk how's time. Great. All right. Thank you.