A presentation on the process of developing and running an Information Security Awareness program. Heavily based on NIST guidelines.
Information Security Awareness & Training Programs. Scratch that: Information Security Behavior Programs
Michael McDonnell, GCIA, GCWN, [email protected]
Security Awareness is Commonly Prescribed
Security Awareness is one part of a Security Program:
Governance
Risk Management
Incident Response
Training and Awareness
Security Architecture
Security IT Operations
Compliance & Audit
We have Security Awareness because People are the Target of Attacks
Social Engineering: exploiting the natural human tendency to trust.
We have Security Awareness because Technology Alone is not Enough
We have Security Awareness because People Need to Understand
Understand their roles and responsibilities
Understand the organization’s IT security policies & procedures
Understand the systems they are responsible for
(NIST 800-50) A Security Awareness Program has 4 Components
IT Security Learning Continuum
1. Awareness: The purpose of awareness presentations is simply to focus attention on security.
2. Training: Strives to produce relevant and needed security skills and competencies.
3. Education: Integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge and strives to produce IT security specialists.
4. Professional Development: Validates skills through certification.
(NIST 800-50) Model 1: Centralized
EDUCAUSE specifies something like Model 1
1. Technology: Tools used to defend against threats. Training and awareness can be focused on these tools.
2. Policy and Procedures: Security-related policies are needed to reduce risk.
3. Remediation: Awareness is designed to change behavior. The program should have as its goal the remediation of problems.
4. Training and Awareness: Communication about the first three items.
Security Awareness Plan Components
(NIST 800-50) Model 2: Partially Decentralized
A communications focused approach is like Model 2
Audience: Leaders, Managers, Staff, Auditors, IT Admins, External, Customers
Content: Phishing, Malware, Procedures, Policies, Skill Building, Training, Briefings
Method: Presentations, Guides, Website, Newsletters, Articles, Lunch-and-learn, Email Alerts, CBT
(NIST 800-50) Model 3: Fully Decentralized
(NIST 800-50) Emphasizes continuous improvement
Planning & Development
Needs assessment
Identify Gaps
Develop a Strategy Plan
Establish Priorities
Choose Level of Complexity
Secure Funding
Execution & Improvement
Select Topics/Content
Develop materials
Create Courses
Implement/Delivery
Monitor Compliance
Revise Awareness Program
Security Awareness Maturity can be Measured
SANS Institute Security Awareness Roadmap: Maturity Levels
1. No Awareness Program
2. Compliance Focused
3. Promotes Awareness & Change
4. Long Term Sustainment
5. Metrics Framework
Security Training in Practical Reality
Media Pro (http://www.mediapro.com/)
SANS Institute (https://securingthehuman.org)
InfoSecure (http://www.infosecuregroup.com/awareness-training.html)
Inspired Learning (http://www.inspiredelearning.com/sat/)
Trustwave (https://www.trustwave.com/security-awareness-education/)
Security Awareness & Training can be about building behavior
Hack Surfer (http://www.hacksurfer.com/): Social analytics of IT security topics with risk measures
Web Filtering/Threat Intelligence (http://www.mcafee.com/threat-intelligence)
APOZY (http://www.apozy.com)
PhishMe (http://phishme.com/)
Security Awareness is Controversial
Security Awareness in Practical Reality
Is this your password? Imperva analysis
Nearly 50% of passwords are: names, slang words, dictionary words, consecutive digits, keyboard patterns
My own experience: phone numbers, dates, names backwards, 4-digit PINs (is that your BANK PIN TOO?!), swear words
123456
12345
123456789
Password
Iloveyou
princess
rockyou
1234567
12345678
abc123
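The weak-pattern categories above, as an added example that is not part of the original presentation or of the Imperva analysis: a small password audit that tags each password with the categories it matches (consecutive digits, digits-only, keyboard pattern, dictionary word, name, name backwards) and computes the share that is weak. The word lists and keyboard rows are deliberately tiny stand-ins, and the sample list is the slide's top ten plus three constructed entries.

```python
# Constructed sample: the ten passwords from the slide plus three made-up
# entries (one reversed name, two that should pass) for contrast.
SAMPLE_PASSWORDS = [
    "123456", "12345", "123456789", "Password", "Iloveyou", "princess",
    "rockyou", "1234567", "12345678", "abc123",
    "leahcim1", "correct-horse-battery-staple", "T7#qLm9!vZp2",
]

# Tiny stand-in word lists (assumption); a real audit loads full dictionaries.
DICTIONARY_WORDS = {"password", "love", "you", "princess", "rock", "abc"}
NAMES = {"michael", "jessica", "ashley"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

def is_consecutive_digits(pw):
    """All digits, each one step up (123...) or down (987...) from the last."""
    if not pw.isdigit() or len(pw) < 3:
        return False
    steps = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})

def has_keyboard_pattern(pw, min_len=4):
    """Any min_len-character run along a keyboard row, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_len + 1):
            seg = row[i:i + min_len]
            if seg in low or seg[::-1] in low:
                return True
    return False

def contains_word(pw, words):
    """Case-insensitive substring match against a word list."""
    low = pw.lower()
    return any(w in low for w in words)

def classify(pw):
    """Return every weak-pattern category the password matches (empty = none)."""
    checks = [
        ("consecutive digits", is_consecutive_digits(pw)),
        ("digits only (date, phone number or PIN)", pw.isdigit()),
        ("keyboard pattern", has_keyboard_pattern(pw)),
        ("dictionary word", contains_word(pw, DICTIONARY_WORDS)),
        ("name", contains_word(pw, NAMES)),
        ("name backwards", contains_word(pw[::-1], NAMES)),
    ]
    return [label for label, hit in checks if hit]

def weak_fraction(passwords):
    """Share of the list matching at least one category (the slide's '~50%')."""
    return sum(1 for p in passwords if classify(p)) / len(passwords)
```

Run against a real password export from a cracked-hash audit, the same function gives the fraction of accounts that awareness content on password choice should target.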
Security Awareness in Practical Reality
Users don’t care about security, right?
Most people have some interest. Just different interests.
Use “multi-modal” communications
Address a diverse set of topics
Mix business and personal focus
Choose topics that are likely to be discussed
Make communications consistent and common
They do outside of work!
Everyone has kids, and kids have cybersecurity issues
Everyone knows someone who got a virus
Some are asked to help their family members with computer security
Everyone sees cybersecurity on the news and some are curious
Does Awareness thwart APT: Shady RAT, Night Dragon, and the RSA Breach
Could Security Awareness have Prevented the RSA Breach?
Could Security Awareness have Prevented the RSA Breach?
“But do phishing attacks like RSA prove that employee training is a must, or just the opposite? If employees and/or executives at RSA, Google, eBay, Adobe, Facebook, Oak Ridge National Laboratory and other technologically sophisticated organizations can be phished, doesn't that suggest that even knowledgeable and trained people still fall victim to attacks?” – Dave Aitel, Immunity Inc. CSO
Could Security Awareness have Prevented the RSA Breach?
“When it comes to APTs it is not about how good you are once inside, but that you use a totally new approach for entering the organization. You don’t bother to just simply hack the organization and its infrastructure; you focus much more of your attention on hacking the employees.” – “Anatomy of an Attack” (RSA Blog)
“…the hackers had knowledge of the internal naming conventions that his company used for hosts on its network…. This knowledge helped them disguise their malicious activity inside the network so that it appeared to be legitimate…. ‘User names could match workstation names, which could make them a little more difficult to detect….’” -- IDG interview with Eddie Schwartz, RSA’s chief security officer
https://blogs.rsa.com/anatomy-of-an-attack/
Information Security Awareness & Training Programs → Information Security Behavior Programs
Cultivate security-centric: attitudes, perceptions, behaviors, knowledge, skills, abilities
Cultivation creates: security culture
Security Culture requires collaboration
“Security Culture Framework approach relies heavily on the uncomfortable realization that most infosec pros are really great at security, but most likely will need the help of other key players to accomplish organizational change where security awareness efforts are concerned.
“Culture is the HR department’s turf, communication is the marketing department’s purview, while planning and execution may reside in the project management office or similar, depending on your organization….”
“As the security specialist, you should concentrate only on how to facilitate the development of the content and the goals of the awareness program, which is a very different approach than trying to do it all yourself.”
--Kai Roer on Building an Enterprise Security Culture
Further Reading
Complete Guide to Security and Privacy Metrics http://www.amazon.com/Complete-Guide-Security-Privacy-Metrics/dp/0849354021
http://www.securitymetrics.org
Kai Roer on Building an Enterprise Security Culture [Rebuttal to “Why you shouldn’t train employees for security awareness”] http://www.tripwire.com/state-of-security/risk-based-security-for-executives/risk-management/kai-roer-on-building-an-enterprise-security-culture/