DLP Research, R&D, Kaspersky Lab. February 3, 2012, Cancun, Mexico, Ritz-Carlton Hotel. Humans Are The Weakest Link – How DLP Can Help. Valery Boronin, Director DLP Research; Vera Trubacheva, System Analyst

Humans Are The Weakest Link – How DLP Can Help?


DESCRIPTION

Humans are the weakest link in security. What to do? How can DLP help? All companies invest in security, but far from all have realized that employee awareness and education are the key factors in improving information protection and preventing data leaks. You can install the most powerful DLP, encryption and other security tools, hire many security officers and consultants to tune your business processes, and eventually spend a lot of money and resources on security, but if end users don't understand the threats and don't know the rules, they cannot follow internal policies and regulations and cannot use the appropriate tools correctly. It is all for nothing. An efficient information security strategy creates a culture of awareness and enforcement, a culture in which users understand the consequences. This session is about three main things: 1) What is user awareness in information security? 2) Why is user awareness required? 3) How to raise user awareness, and what are the key factors? Practical recommendations for adopters and practitioners of security user awareness programs will be given, and the role of DLP in raising user awareness will be highlighted.


Page 1

DLP Research, R&D, Kaspersky Lab

February 3, 2012

Cancun, Mexico, Ritz-Carlton Hotel

Humans Are The Weakest Link – How DLP Can Help

Valery Boronin, Director DLP Research

Vera Trubacheva, System Analyst

Page 2

Agenda

1. DLP to date

2. Key challenge

3. User awareness

   3.1. What is it?

   3.2. Why is it required?

   3.3. How to raise it?

   3.4. How could DLP help?

4. Q&A

Page 3

February 3, 2012, SAS 2012, DLP Research, Kaspersky Lab

DLP to date

Customers want:

1. Easy

2. Convenient

3. Reliable

4. Cheap

Customers receive:

1. Complicated

2. Inconvenient

3. Unreliable

4. Expensive

Gartner research estimates that more than 800 technology vendors and other providers currently have data security offerings. Numerous nontechnical controls are also available. The difficulty of understanding all these options, their benefits and their challenges tends to lead to enterprises using limited subsets of the available tools and having serious gaps in controls and risk mitigation.

Typical Elements of an Enterprise Data Security Program, Gartner, Aug 2009

Page 4

Key Challenge is the Complexity

Diagram labels as recovered from the slide: Technologies; People; Processes; Expertise & Tools; Data; Luxury; Protection

Page 5

Accusation against DLP 1.0

No user awareness in DLP 1.0

Claim 1: Raising user awareness.

Claim 2: Control of education efficiency.

Mock trial

Page 6

What is user awareness?

User awareness is making users aware of information security policies, threats and mitigating controls.

Security education: childhood → work

Page 7

Why is user awareness required?

1. It is required by law

PCI DSS

FISMA

HIPAA

GLBA

SOX

NIST 800-53

ISO/IEC 27001 & 27002

See Appendix 1

Page 8

Why is user awareness required?

2. To protect the weakest link in security – the human

Page 9

Why is user awareness required? Evidence 1

Guess what this is:

• 12345

• qwerty

• 11111

• abc123

• admin
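The list above is the deck's evidence that users left to themselves pick guessable passwords. The defender-side control this motivates is a password-acceptance check that rejects known-common passwords and their trivial variants before any other rule is applied. The following Python is an added example, not code from the slide deck or from Kaspersky Lab; its COMMON_PASSWORDS set is constructed from the five entries on the slide (a real deployment loads a large breach-derived list), and the 8-character minimum follows the memorized-secret guidance in NIST SP 800-63B.

```python
"""Denylist-plus-rules password acceptance check (added example).

Rejects a candidate password when it is too short, is a known-common
password or a trivial variant of one (case, trailing digits/punctuation,
simple leet substitutions), is a single repeated character, or is a
keyboard/numeric sequence. Returns findings so a UI can explain *why*
the password was rejected, which is itself an awareness opportunity.
"""
import re

MIN_LENGTH = 8

# Constructed for this example from the five passwords on the slide.
COMMON_PASSWORDS = {"12345", "qwerty", "11111", "abc123", "admin"}

# Undo the most common "leet" substitutions so 'Adm1n' folds to 'admin'.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "@": "a", "$": "s", "!": "i"})

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm",
                 "0123456789", "abcdefghijklmnopqrstuvwxyz")


def candidate_forms(password: str) -> set:
    """All normalized forms of the password that are compared to the denylist."""
    lower = password.lower()
    forms = {lower, lower.translate(LEET_MAP)}
    # Strip trailing digits and punctuation: 'Admin2012!' -> 'admin'.
    forms |= {re.sub(r"[\d\W_]+$", "", f) for f in list(forms)}
    forms.discard("")
    return forms


def is_sequence(password: str) -> bool:
    """True for runs such as '12345' or 'qwerty' taken from a keyboard row."""
    s = password.lower()
    if len(s) < 4:
        return False
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def check_password(password: str) -> list:
    """Return a list of findings; an empty list means the password is acceptable."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"too short ({len(password)} < {MIN_LENGTH})")
    hits = candidate_forms(password) & COMMON_PASSWORDS
    if hits:
        findings.append(f"common password or trivial variant of '{sorted(hits)[0]}'")
    if len(set(password)) == 1:
        findings.append("single repeated character")
    if is_sequence(password):
        findings.append("keyboard or numeric sequence")
    return findings


def is_acceptable(password: str) -> bool:
    return not check_password(password)


if __name__ == "__main__":
    # Constructed sample inputs: the slide's examples plus two variants
    # and one acceptable passphrase.
    for pw in ["12345", "qwerty", "11111", "Admin2012!", "11111111",
               "correct-horse-staple-2012"]:
        print(f"{pw!r}: {check_password(pw) or 'acceptable'}")
```

The point a practitioner should take from the check is that the denylist alone is not enough: "11111111" passes both the length rule and the denylist (the slide lists only the five-digit form), and is caught only by the repeated-character rule, while "Admin2012!" satisfies every composition rule yet folds straight back to "admin".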

Page 10

Why is user awareness required? Evidence 2

Page 11

Why is user awareness required? Evidence 3

The weakest link in security is human!

Chart labels as recovered from the slide (which percentage belongs to which label is not recoverable from the text): 75%, 100%, 90%, 60%; human factor; accidental mistakes (InfoWatch); exploits need a user interaction (Symantec); security incidents; target of all successful APT attacks is a user (Mandiant)

Page 13

How to raise user awareness?

Recognize the problem

Page 14

How to raise user awareness?

Get top management support

Page 15

How to raise user awareness?

Know your data

Page 16

How to raise user awareness?

Prepare clear, simple instructions

Page 17

What to teach?

1. Security basics

2. Corporate policy rules

3. Incident response

Page 18

How to teach?

Use different ways

See Appendix 2

Page 19

Key Factor 1

Explain

Page 20

Key Factor 2

Measure results before and after

Page 21

Key Factor 3

Explain the consequences of secure and insecure behavior

Page 22

Members of the Jury: Time for Action

Poll of the Jury

Page 23

Court Decision: Verdict

DLP 1.0 must

1. Raise user awareness

2. Control education efficiency

Page 24

Thank you! Raise User Awareness!

Humans Are The Weakest Link – How DLP Can Help

Valery Boronin, Director DLP Research, Kaspersky Lab, [email protected], +7 495 797 8700 x4200

Vera Trubacheva, System Analyst, DLP Research, Kaspersky Lab, [email protected], +7 495 797 8700 x4201

Page 25

Appendix 1

For compliance with laws and regulations:

• Payment Card Industry Data Security Standard (PCI DSS)

• Federal Information Security Management Act (FISMA)

• Health Insurance Portability and Accountability Act (HIPAA)

• Gramm-Leach-Bliley Act (GLBA)

• Sarbanes-Oxley Act (SOX)

• EU Data Protection Directive

• National Institute of Standards and Technology (NIST 800-53)

• International Organization for Standardization: ISO/IEC 27001 & 27002

• Control Objectives for Information and Related Technology (COBIT 4.1)

• Red Flag Identity Theft Prevention

• Personal Information Protection and Electronic Documents Act (PIPEDA)

• Management of Federal Information Resources (OMB Circular A-130)

• Some state breach notification laws (e.g. Massachusetts 201 CMR 17.00)

• Bank of Russia Standard on Information Security of Organizations of the Banking System of the Russian Federation (STO BR IBBS)

Page 26

Appendix 2

• Security topics

• E-mail etiquette

• Social Engineering

• Clean Desk

• Protecting Sensitive Information

• Strong Password

• Data owners

• Internet

• Identity theft

• Personal use

• Protecting data

• Mobile security

Page 27

Appendix 3

Sources of Awareness Material:

• CERT

• Ponemon Institute

• ISSA

• The University of Arizona

• NIST SP 800-50 and NIST SP 800-16

• SANS (presentations, Security Awareness Newsletters, training)

• InfoSecurityLab (posters, Wallpapers & Screensavers, Newsletters)