Speaker: Jayson E. Street, Security Awareness Advocate & Social Engineering Specialist
Background: 10+ years speaking at DEF CON, security awareness engagements, author, and social engineering expert
Key Focus: Practical security insights - what attackers love vs. hate, and actionable security awareness strategies
Introduction: The Reality of Security Testing
Jayson E. Street shares his unique perspective on security testing, focusing on practical, low-tech social engineering approaches that consistently bypass high-tech security measures.
Testing Philosophy: "I'm not a red teamer... I do security awareness engagements. I'm trying to teach them to be more security aware. I'm not trying to break something, I'm trying to help build something."
Core Approach:
- Spends less than 2 hours on Google research (no Maltego, no Recon-ng)
- Walks into buildings to see what access he can gain
- Has stolen computers from behind teller lines in banks
- Focuses on human vulnerabilities rather than technical exploits
- Uses minimal tools for maximum impact
"Social engineering is so easy even I can do it... If I'm your common denominator, if I'm your threat model, you've got problems that you need to address."
What Attackers Love: Security Weaknesses We Enable
Uneducated Employees
"Employees not empowered or educated to question the unusual." Smart employees who know their jobs but haven't been told security is part of their responsibility.
False Sense of Security
"The only thing worse than no security is a false sense of security." Once past initial security layers, people assume they're safe inside "secured" buildings.
USB Charger Attacks
USB Ninja Cable demonstration: Plugged into 8 computers with no phone attached, deployed payloads, and not one person questioned the unusual behavior.
Real-World Attack Example:
USB "Writes Check" Pretext
"Excuse me, I'm doing a USB writes check - we're making sure our domain policy doesn't allow you to charge devices on your computers."
Payload Deployment
Notepad automatically types: "Two tests completed successfully. Thank you for your cooperation. 😊" - clearly suspicious behavior ignored by all targets.
Psychological Factors
People accept authority figures, don't question unusual technical behavior, and prioritize being helpful over being secure.
Kaspersky Security Example: "In Moscow at Kaspersky headquarters, a security guard immediately approached me before I even sat down. 'Comrade, can I help you get to reception? Are you meeting someone?' That's what proper security looks like - engaged, observant, and proactive."
Critical Infrastructure Failures
Egress Filtering & Internal Monitoring:
Network Monitoring Failures
"Why in the world is Bob in accounting able to telnet to the Netherlands without anybody wondering why that's going on?" Lack of egress filtering enables data exfiltration.
Sony Data Breach Example
"How can you lose 1.83 terabytes of data from your network and not have someone think about what's going on here? Your networking department should've at least said 'Hey, do we need to increase the bandwidth?'"
Internal Network Assumptions
"People keep assuming their internal networks are safe. I'm sorry, the attack is coming from within the house." Users initiate outbound connections that establish command and control channels.
Network Security Reality: "If you're not monitoring your internal network, don't worry - eventually I will be. And that's not something you really want."
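The two failures above (a workstation telnetting abroad unnoticed, and terabytes leaving the network without the networking team asking questions) are both visible in ordinary flow or firewall logs if anyone looks. The following is an added example, not code from the talk: it runs a workstation egress allowlist and a bulk-transfer check over a few constructed log lines. The log format, subnets, allowlist and the 500 MiB threshold are assumptions for illustration.

```python
"""Egress-policy and bulk-transfer checks over constructed flow log lines.

Added example (not from the talk). Flags workstation-originated outbound
connections that a default-deny egress policy would not permit, such as
telnet leaving the building, and totals external bytes per source so a
single host shipping out hundreds of megabytes stands out. The log format,
subnets, allowlist and threshold below are assumed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed sample records: "<src_ip> <dst_ip> <dst_port> <proto> <bytes_out>"
# Destination addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
10.20.5.14 192.0.2.10 443 tcp 18200
10.20.5.14 198.51.100.23 23 tcp 4100
10.20.5.27 10.20.1.5 445 tcp 900000
10.20.5.27 198.51.100.7 53 udp 300
10.20.5.31 203.0.113.9 443 tcp 900000000
10.20.5.31 203.0.113.9 22 tcp 120000
"""

WORKSTATION_NETS = [ipaddress.ip_network("10.20.5.0/24")]   # assumed user VLAN
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]        # assumed RFC 1918 space in use
# Assumed workstation egress allowlist: web and DNS only; everything else is a finding.
ALLOWED_EGRESS = {("tcp", 443), ("tcp", 80), ("udp", 53)}
BULK_THRESHOLD_BYTES = 500 * 1024 * 1024  # assumed per-source ceiling for one log window


def parse_line(line):
    """Split one constructed log record into typed fields."""
    src, dst, port, proto, nbytes = line.split()
    return {
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "port": int(port),
        "proto": proto,
        "bytes": int(nbytes),
    }


def in_any(addr, nets):
    return any(addr in net for net in nets)


def records(log_text):
    for line in log_text.splitlines():
        if line.strip():
            yield parse_line(line)


def find_policy_violations(log_text):
    """Workstation -> external flows whose (proto, port) is not on the allowlist."""
    hits = []
    for rec in records(log_text):
        if not in_any(rec["src"], WORKSTATION_NETS):
            continue
        if in_any(rec["dst"], INTERNAL_NETS):
            continue  # east-west traffic is a separate (internal monitoring) check
        if (rec["proto"], rec["port"]) not in ALLOWED_EGRESS:
            hits.append((str(rec["src"]), str(rec["dst"]), rec["proto"], rec["port"]))
    return hits


def find_bulk_senders(log_text, threshold=BULK_THRESHOLD_BYTES):
    """Sources whose total bytes to external destinations exceed the threshold."""
    totals = defaultdict(int)
    for rec in records(log_text):
        if in_any(rec["dst"], INTERNAL_NETS):
            continue
        totals[str(rec["src"])] += rec["bytes"]
    return {src: total for src, total in totals.items() if total > threshold}


if __name__ == "__main__":
    for hit in find_policy_violations(SAMPLE_LOG):
        print("egress policy violation:", hit)
    for src, total in find_bulk_senders(SAMPLE_LOG).items():
        print(f"bulk egress: {src} sent {total} bytes externally")
```

Against the sample, the telnet session to 198.51.100.23 and the SSH session from 10.20.5.31 are the two allowlist findings, and 10.20.5.31 is the only source over the bulk threshold. In a real deployment the same two questions ("is this port allowed out of this VLAN?" and "how much did this host send?") are the egress-filtering rule and the bandwidth alert the speaker says were missing.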
What Attackers Hate: Effective Security Measures
Multi-Factor Authentication & Segmentation:
Dual Factor Authentication
"What a bummer! I get to a door and there's a keypad. I'm like 'Oh well, this was unexpected.'" This forces attackers to social engineer their way in or find an alternative.
Proper Keypad Security
Avoid worn keypads whose worn buttons reveal which digits are in the code (and simple sequences such as 1-2-3-4). Rotate combinations and make sure codes aren't predictable.
Network Segmentation
Segment office buildings so access to different areas requires additional authentication. "That will stop or delay attackers - it's about delaying the attacks."
Security Investment Analogy:
"Explain it to your executives: The more money they spend, the longer you can withstand an attack before it gets detected, before it gets responded to. You're not trying to stop the risk, you're trying to mitigate as much as you can."
Executive Communication: "Use the fireproof safe analogy: They're fireproof up to 3 hours, 6 hours, 12 hours. The more money you spend, the longer your safe can withstand a fire. Same with security - more investment means longer attack resistance."
Policy & Procedure Enforcement Failures
Real-World Security Breaches:
Air Force Base Breach
Civilians breached an Air Force base in Nevada; the intrusion was only discovered when one of them told an airman she had been kidnapped. Guards failed to notice the suspicious vehicle entry.
Cold War Missile Theft
A Russian agent entered a German Air Force base, took a missile from a jet fighter, wheeled it to a Mercedes, and smuggled it piece by piece back to Russia, following the red-tag procedure along the way.
Executive Exemptions
"If your CEO has an exemption on the password reset policy, congratulations - you don't have a security policy." Policies must apply equally to all employees.
Policy Enforcement Reality: "If your executives think security policies don't apply to them, the people they report to think it doesn't matter to them either. By the time you finish, within six months no one is actually following the policy."
Insider Threat Realities
Types of Insider Threats:
Malicious Insiders
Robert Hanssen - FBI agent who maliciously compromised security for personal gain. Clear malicious intent and execution.
Well-Intentioned Insiders
TSA employee who published pictures of TSA keys online. Best intentions but catastrophic security impact.
Productivity-Driven Insiders
Bank executive who installed wireless router under conference table to access email during meetings. Not malicious, just prioritizing productivity over security.
Border Patrol Data Breach Case Study:
- Contractor moved data to internal network against policy
- Contractor compromised, data stolen
- Homeland Security claimed "searched dark web, you're good"
- Reporter found 300GB of data available for download hours later
- Multiple insider threats: policy violation, inadequate response, false assurances
"Not all insider threats come from the bad guy. Sometimes it just comes from human stupidity. Sometimes we just go 'Duh, maybe I should have done that.'"
Innovative Security Awareness Strategies
Gamification & Positive Reinforcement:
Where's Waldo Security
One employee wears a Waldo picture on a valid ID badge. Employees who spot Waldo get a $100 gift card. This makes people actually look at badges and stay security conscious.
Home Security Training
Teach employees to configure home routers, change privacy settings, protect children online. They'll bring that security consciousness back to work.
Personal Benefit Focus
"They still are never going to care about your data, but you can make them be concerned about security in other ways by showing what's in it for them."
Social Media Awareness:
- Hashtag searches such as #newjob and #newbadge reveal corporate security information
- Bank Facebook page showing badges at company barbecue
- Spear phishing using only About page and Twitter information
- CEO clicked phishing link within 12 hours using only public information
Social Engineering Reality: "I don't scan your network, I don't scan your firewalls - I scan Twitter. I scan your About page. That's the information that convinces the person to click the link."
Practical Security Metrics & Testing
Essential Security Metrics:
Threat Detection Metrics
Quarantined emails, virus detections, firewall alerts, IPS rules triggered, investigation actions. Tangible numbers that show security team activity.
Patch Management Metrics
Servers/workstations patched, antivirus definition update speed, Microsoft patch deployment time. Shows vulnerability management effectiveness.
Phishing Test Metrics
Click rates, reporting rates, repeat offenders. But never share individual names with executives - focus on trends and education.
Security System Testing:
- Send malicious packets to firewalls to verify blocking
- Test IDS/IPS with actual attack patterns, not just the EICAR test file
- Run ransomware in segmented environments to test endpoint protection
- Verify security products work beyond sales demonstrations
- Avoid running security tools on default configurations (Snort is cited as an example)
Budget Justification Strategy: "The better you are, the less you're seen. You have to show them numbers, show them metrics. When executives see Game of Thrones action figures and nerf guns, they may question why they have these guys here. Show them you're getting their money's worth."
Core Philosophy & Actionable Recommendations
10-Year DEF CON Message:
People Are The Solution
"Your people are your solution, not your liability. Fix them. Stop trying to offset your failings and misconfigurations onto them."
Education Over Technology
"Stop trying to create technology to fix your users. Start getting your users on board to protect your technology."
Security Responsibility
Make security part of job responsibilities. "Employees are going to do only what is required for them to keep their job."
Phishing Response Recommendations:
- First click: Re-education and security awareness training
- Second click: More stringent training with restricted access
- Third click: Termination or severe penalties
- Rationale: "You don't let a delivery driver wreck three company vans without consequences"
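The phishing metrics recommended earlier (click rates, reporting rates, repeat offenders, with no individual names reaching executives) and the three-strike response above are the same bookkeeping viewed two ways. The following is an added example, not code from the talk: it computes both from a constructed set of campaign results, hands the security team a per-user tier and hands executives only aggregates. The record layout and the quarterly campaign data are constructed for illustration.

```python
"""Phishing-simulation metrics and escalation tiers (added example, not from the talk).

Computes per-campaign click and report rates, identifies repeat offenders,
maps each user's cumulative click count to the three response tiers the
speaker describes, and builds an executive summary that carries trends and
tier counts but no names. Campaign records below are constructed.
"""
from collections import Counter

# Constructed results of three campaigns: (campaign, user, clicked, reported)
RESULTS = [
    ("2024-Q1", "alice", False, True),
    ("2024-Q1", "bob", True, False),
    ("2024-Q1", "carol", True, False),
    ("2024-Q1", "dave", False, False),
    ("2024-Q2", "alice", False, True),
    ("2024-Q2", "bob", True, False),
    ("2024-Q2", "carol", False, True),
    ("2024-Q2", "dave", True, False),
    ("2024-Q3", "alice", False, True),
    ("2024-Q3", "bob", True, False),
    ("2024-Q3", "carol", False, False),
    ("2024-Q3", "dave", False, True),
]

TIER_ACTIONS = {
    0: "no action",
    1: "re-education and awareness training",
    2: "stricter training with restricted access",
    3: "escalate to HR (termination or severe penalties)",
}


def campaign_rates(results, campaign):
    """Click and report rates for one campaign, as percentages rounded to 1 dp."""
    rows = [r for r in results if r[0] == campaign]
    n = len(rows)
    clicks = sum(1 for r in rows if r[2])
    reports = sum(1 for r in rows if r[3])
    return {
        "targets": n,
        "click_rate": round(100 * clicks / n, 1),
        "report_rate": round(100 * reports / n, 1),
    }


def click_counts(results):
    """Cumulative clicks per user across all campaigns."""
    return Counter(user for _, user, clicked, _ in results if clicked)


def response_tier(click_count):
    """Map cumulative clicks to the talk's tiers: 1st, 2nd, 3rd-or-more click."""
    return min(max(click_count, 0), 3)


def per_user_tiers(results):
    """For the security/training team: who is at which tier (names included)."""
    return {user: response_tier(n) for user, n in click_counts(results).items()}


def executive_summary(results):
    """For leadership: trend per campaign and tier distribution, never names."""
    campaigns = sorted({r[0] for r in results})
    counts = click_counts(results)
    everyone = {r[1] for r in results}
    tiers = Counter(response_tier(counts.get(u, 0)) for u in everyone)
    return {
        "trend": {c: campaign_rates(results, c) for c in campaigns},
        "repeat_offenders": sum(1 for n in counts.values() if n >= 2),
        "tier_distribution": dict(tiers),
    }


if __name__ == "__main__":
    for user, tier in sorted(per_user_tiers(RESULTS).items()):
        print(f"{user}: tier {tier} -> {TIER_ACTIONS[tier]}")
    print(executive_summary(RESULTS))
```

The split between `per_user_tiers` and `executive_summary` is the point: the training team needs names to act, the board needs to see the click rate falling and the report rate rising across quarters, and one repeat offender counted as a number rather than named.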
"I only have one major message after 10 years of speaking at DEF CON: Your people are your solution, not your liability. Educate and empower your users. We need to make them understand that they are part of your solution, not part of the problem."
Key Takeaways for Security Teams
Essential Security Principles:
- Educate and empower users - They are your first line of defense, not your weakest link
- Enforce policies equally - No executive exemptions for security policies
- Implement multi-factor authentication - Physical and digital access control
- Monitor internal networks - Attacks come from inside as much as outside
- Test security systems regularly - Don't rely on vendor demonstrations
- Use gamification for awareness - Make security engaging and rewarding
- Track meaningful metrics - Demonstrate security team value and effectiveness
- Focus on human layer security - Layer 8 (human layer) is often the most vulnerable
- Segment networks and facilities - Delay and contain attacks
- Make security personal - Teach home security to improve workplace security
Final Assessment: "The security landscape is getting better because we're understanding it's not just technology. More people are looking into social engineering and realizing the human element is your biggest point of failure and how to protect against it."
Red Team Applications:
- Focus on low-tech social engineering over complex technical attacks
- Use minimal OSINT (2 hours Google research) for effective targeting
- Test physical security with simple pretexts and basic tools
- Evaluate employee security awareness through realistic scenarios
- Measure organizational resilience to social engineering attacks
- Provide actionable recommendations for security awareness improvement
"I don't have to bypass your firewall if I can bypass your receptionist. I don't scan your network, I scan Twitter. I scan your About page. That's the information that I gather that convinces the person to click the link."