Gamifying Security Culture with PwnBot

Building security into your company culture is necessary but challenging. The first line of defense against most attacks is aware and vigilant people with an attitude of “see something, say something”.

Image credit: Tony Webster

Training employees on what abnormal behavior looks like, and who to talk to when there is a potential problem, can save your company from a lot of pain. For example, an employee who alerts security when a co-worker makes an unusual request may be catching the moment one of that co-worker’s accounts has been compromised by an attacker.

Lock your Laptops

One way Coinbase has improved security awareness in our organization is by gamifying laptop locking with PwnBot. Unlocked and unattended laptops are open targets. Anyone can gain access, install malicious software, copy credentials and other sensitive information, or just change the background image. If the attacker is prepared, they could do all of the above in seconds using a small programmable USB stick, like a MalDuino, to automate their actions.

PwnBot is a Slack bot that you call from someone else’s unlocked computer with /pwn @<your_name>. The command awards a point to you, the “pwner”, and records the owner of the unlocked computer as the “pwnie”.

Shane pwning Jenson

Everyone at the company can check the scoreboard with /pwn (with no name) to see who the most vigilant and the most careless employees are.

Shane checking the scoreboard
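To make the mechanics above concrete, here is an added example of the core of such a slash-command handler (example code written for this post, not PwnBot’s own source). It assumes the Slack app has mention escaping enabled, so a target arrives as <@U123|name>, and that the signing secret is a constructed placeholder; the signature check is there so that only requests genuinely sent by Slack can award points.

```python
import hashlib
import hmac
import re
import time
from collections import defaultdict

# Constructed placeholder; a real deployment loads its own Slack signing secret from config.
SIGNING_SECRET = b"example-signing-secret"
# Escaped Slack user mention, e.g. <@U0123|shane> or <@U0123>.
MENTION = re.compile(r"<@([A-Z0-9]+)(?:\|[^>]*)?>")


def sign(secret, timestamp, body):
    """Slack request signature: v0=HMAC-SHA256(secret, 'v0:<timestamp>:<raw body>')."""
    base = f"v0:{timestamp}:{body}".encode()
    return "v0=" + hmac.new(secret, base, hashlib.sha256).hexdigest()


def slack_signature_ok(secret, timestamp, body, signature, now=None, tolerance=300):
    """Accept the request only if it is fresh (not replayed) and signed by Slack."""
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > tolerance:
        return False
    return hmac.compare_digest(sign(secret, timestamp, body), signature)


class PwnBoard:
    """In-memory scores; the pwner is whoever is named, the pwnie is whoever's session sent it."""

    def __init__(self):
        self.pwners = defaultdict(int)  # points for finding an unlocked laptop
        self.pwnies = defaultdict(int)  # times a person left their laptop unlocked

    def handle(self, caller_id, text):
        """caller_id is Slack's user_id for the account whose unlocked session ran /pwn."""
        match = MENTION.search(text or "")
        if not match:
            return self.scoreboard()  # bare /pwn shows the board
        pwner = match.group(1)
        if pwner == caller_id:
            return "You cannot pwn yourself."
        self.pwners[pwner] += 1
        self.pwnies[caller_id] += 1
        return f"<@{pwner}> pwned <@{caller_id}>!"

    def scoreboard(self):
        def top(scores):
            ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
            return ", ".join(f"<@{u}>: {n}" for u, n in ranked) or "nobody yet"

        return f"Most vigilant: {top(self.pwners)}\nMost careless: {top(self.pwnies)}"
```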

This game is unreasonably fun and good at encouraging people to lock their computers. After releasing PwnBot at Coinbase, the game was taken way too seriously and finding an unlocked computer immediately became difficult. I have seen people run across the entire office to lock their computer before someone notices.

New employees are introduced to PwnBot along with the other security tools and processes at Coinbase, and if they were not paying attention during security training, they get pwned very quickly. Security culture is a part of our company from day one, because new employees are on the same front line as everyone else.

Links

You can install PwnBot to your Slack team with:

Or you can use the open-source PwnBot code to deploy your own bot.

Listen to Philip Martin (Coinbase head of security) discussing security @ Coinbase on Software Engineering Daily podcast

Graham Jenson’s talk about Coinbase and Security without Friction @ KiwiRuby