Hacktober: A Month of Security Games at Facebook

– So, I wanted to come back, you’d mentioned Hacktober, and that sounds like a really cool way of kind of getting more people involved and helping to… The way I think about it is, like, extending your security team outward. So, can you talk more about Hacktober and what it is that you are doing and kind of why you do that?

– Yeah, sure. So, if I have to say it in one line what Hacktober is, it’s very much to the theme of Halloween in October. Which is, either–

– So jumping out at people?

– Almost. (laughing) Either get tricked or be awarded with swag.

– Okay.

– So, trick or treat.

– Okay.

– So, the whole company knows that this is the month when the security team is explicitly trying to trick or hack them, and they have to have their guards on. And, if they do that, they get very cool swag which they can wear throughout the year.

– What’s an example of the swag?

– A T-shirt, like the way we, um, label those, like there would be pumpkin on there, they’ll say you participated in Hacktober and everybody knows that you have to win these by going through some contest or something.

– Okay, so it’s rare swag that’s only–

– Exactly.

– Available then, gotcha.

– And, er, some of the things we do during Hacktober are pretty interesting, we run our own capture the flag.

– Okay.

– And when I say capture the flag you might think, “Oh, but not everybody is a tech employee.”

– Right.

– So how do you do that, so we run two different capture the flag events.

– Okay.

– One is for our technical workforce and one is for all others, so they can still get the security awareness and they can participate in this. Our main goal out of this is to make sure that security is not just security team’s responsibility.

– Right.

– It is everyone’s responsibility and they need to participate in it, so.

– So, um… in the not… So I’m very familiar with, you know, technical Capture the Flags, and I think a lot of our audience is familiar with that. What’s some of the things that go on on, like, the non-technical Capture the Flag, what are some examples there?

– It could be very simple things like asking them “what is phishing?”

– Okay.

– And can they even pick up, because a lot of times when you are just doing a training where they had to attend something for twenty minutes and answer a quiz in that moment in time, you’ll be surprised the retention of that information is almost like probably in single digits. People listen to it, they forget, then you ask them a month later “what is phishing?” they’re like “I heard this term, but I can’t relate to it.”

– Right.

– So it is more about going over and over on some of this information. By the way we do some cool stuff as well. Like we have lock picking sessions.

– Cool.

– So, this is just to make sure people are always thinking about security, no matter what they are doing.

– And then how do you measure the success of that, so, so you got this month and it’s great, and you know people either get tricked or they get treated. How do you know that there is value? ’Cause I’m sure it’s a lot of work.

– It is, and a lot of people on the team, within security team and outside, they help put these events together because we bring in external speakers on campus to talk about specific areas. So we are doing full analytics and again, this is aggregate analytics–

– Sure.

– that we run on it. So how many people attended these sessions, how many people participated in Capture the Flag. Up until what stage did they succeed, where do we need to make sure that we need to do more education. So those are the kind of things we are looking for. And when we are even hosting simple things like lock picking and if we are more and more demand, sometimes we have had so much demand that we go from very simple like hosting it in just couple of offices, to then other offices are like, “Oh we want to be included in this too!”

– It’s a good problem.

– So we have to literally fly our team members to these offices to say go run some of the lock picking sessions there, and do some awareness trainings there. So it just shows the engagement we get, people get super excited about it.

– And then what is kind of the value of that engagement? So you, you’ve got that, you know, people have bought in, um, how is that really manifesting itself kind of day to day?

– So then we have more eyes and ears on the ground.

– Okay.

– When people hear these awareness trainings they will come and report to us even simple things like, oh I was in this conference room, and I saw this device sitting in there plugged into this jack, and even though it had the labels of like Facebook IT or Facebook security I’m not a hundred percent sure it belongs there.

– All right.

– So, and I always believe in like reporting is more important than “Oh did I report the right thing”, “Was I right in reporting”. Please report it, let us check it out, I’ll better be safe than sorry, so this encourages them to report these things and it makes it so much better.

– That sounds awesome, Hacktober sounds like an amazing event! Thank you.

– It is, it is.
