The Human Firewall How Security Awareness Impacts … · SecureWorks The Human Firewall – How Security Awareness Impacts Your Control Environment Dane Boyd, Security Awareness Training

SecureWorks

The Human Firewall – How Security Awareness Impacts Your Control Environment

Dane Boyd, Security Awareness Training Principal Consultant

John Andrew, IT Security Auditor

Dell SecureWorks

2

Classification: //Dell SecureWorks/Confidential - Limited External Distribution:

SecureWorks

Agenda

• Introduction

• In The News …

• ‘Red Team’ Stories

• Defining the Problem

• Winning Awareness Strategies

• Winning Awareness Tactics

• Q&A

3


SecureWorks

Introduction

• Dane Boyd, Security Awareness Training Principal Consultant

- Awareness Com Leader – CISO

- Led DSWx Awareness practice for 5 years

- Fun facts: (From, Speak, Hobby)

• John Andrew, CISA, CISSP, GLEG

- IT Security Auditor – dotted line to CISO

- Over 20 Years IT, IT Audit, and IT Security experience

- Fun facts: (From, Speak, Hobby)

4


SecureWorks

Disclaimer – Rules of the Road

• This presentation is prepared solely for educational purposes.

• Our goal is to engage IT Auditors in Security Awareness efforts.

• Much of what we will share is based on our personal experience. Take what benefits you… forget the rest.

• Questions are welcome! Please wait until transition points.

5


SecureWorks

In The News…

‘Wired’ writer Andy Greenberg reports on Jeep Cherokee exploit

All of this is possible only because Chrysler, like practically all carmakers, is doing its best to turn the modern automobile into a smartphone. Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks, controls the vehicle’s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot.

6


SecureWorks

In The News…

‘Wall Street Journal’ – Michael Hayden describing the OPM hack – 21 MM Security Clearance Records compromised.

7


SecureWorks

In The News…

8


SecureWorks

In The News…

Critical Infrastructure

Survey Results –

48% of IT Executives believe that it is likely that there will be an attack on critical infrastructure.

When - in the next three years…

Impact – resulting in loss of life…

9


SecureWorks

Critical Infrastructure

The ERIPP and SHODAN search engines can be easily used to find Internet facing ICS devices, thus identifying potential attack targets. These search engines are being actively used to identify and access control systems over the Internet. Combining these tools with easily obtainable exploitation tools, attackers can identify and access control systems with significantly less effort than ever before.

Red Team Stories

10


SecureWorks

Red Team Stories

Project Shine - Control Systems Found Include- • Traffic light controls

• Traffic cameras

• Swimming Pool Acid Pump

• Hydroelectric plant

• Nuclear Power Plant

• Hotel Wine Cooler

• Hospital Heart Rate Monitor

• Home Security System

• Gondola Ride

• Car Wash

Source: http://money.cnn.com/2013/04/08/technology/security/shodan/index.html

11


SecureWorks

Red Team Stories

DHS Public Private Partnership

2014 IC Analyst – Private Sector Program – Critical Manufacturing Findings

• Lack of Awareness and information sharing

• Interpretation of cyber threats and the cyber security posture differed significantly between management, engineering, audit, compliance, and IT security.

• Need for more training, education, and awareness across all Critical Sectors.

12


SecureWorks

Information Security = Building a Castle

13


SecureWorks

“95% of all attacks on enterprise networks are the result of successful spear phishing”

Source: Allan Paller, Director of Research - SANS Institute

95%

14


SecureWorks

Firewall

IDS/IPS

Web Proxy

Anti-Virus

User

Network Defense Layers

End-point Defenses

Key Terrain

Endpoint Monitoring

Defense in Depth

15


SecureWorks

Vigilant

Employee

Strategies for a Vigilant Employee

Proper Attention

Executive Support

Inspect what you expect

SecureWorks

Strategy: Inspect what you expect

17


SecureWorks

Defense in Depth: A Closer Look

User

Only

60%

…of organizations have a Security Awareness Program.

Source: PwC The Global State of Information Security Survey 2014

Testing

Key Terrain

18


SecureWorks

Testing Improves Learning

“The added effort required to recall the information makes learning stronger.”

Henry L. Roediger III, Washington University in St. Louis

and a co-author of “Make It Stick: The Science of

Successful Learning.”

http://psych.wustl.edu/memory/roediger.html




19


SecureWorks

Strategy: Executive Support

20


SecureWorks

Reason #1: Employee Resentment

This guy…

21


SecureWorks

Reason #2: Employees Understanding

…and her!

22


SecureWorks

Reason #3: Executives are part of the problem

SecureWorks

Whaling

24


SecureWorks

The Whale Hunt

• Salary

• Previous jobs

• Donations

25


SecureWorks

The Whale Hunt

26


SecureWorks

The Whale Hunt

• Salary

• Previous jobs

• Donations

• Children’s name

• Mother’s death date

27


SecureWorks

The Whale Hunt

• Salary

• Previous jobs

• Donations



• City & State

28


SecureWorks

The Whale Hunt

• Salary

• Previous jobs

• Donations



• City & State

• Tax Record

• Home Address

• Aerial Photo of home

29


SecureWorks

30


SecureWorks

31


SecureWorks

32


SecureWorks

Strategy: Treat Awareness like a vulnerability

33


SecureWorks

Proper Importance

In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.

Source: Wikipedia

CVE-2014-7861

Employee ID 24355

CVE-2014-6277

34


SecureWorks

Live Poll: How frequently are you patching the human firewall?

• New Employee Security Awareness Training?

• Annual Security Awareness Training?

• Periodic Security Awareness Newsletter?

• Phishing Assessments?

• Lunch & Learn?

• Other areas?

https://gameday.doubledutch.me/?sessionToken=1bc7bac6-ece3-4dec-9b0c-e13676123ef8&mod=polls&pollId=20331



35


SecureWorks

Tactics

36


SecureWorks

Typical Security Awareness Program Tactics

Once a year

“Too Long!”

Computer Expert

Policy

Acknowledgement

Form

?

37


SecureWorks

Reinforcement Testing Focus Instructor Duration Frequency

Learn from Arnold

Worked out twice a day Trained each muscle group 3x/week • 26 – 61 sets per workout • Tens of thousands of pounds

SAT Tip: Frequency matters!!!

38


SecureWorks

Pop quiz! Where am I from?

39


SecureWorks

Reinforcement Testing Focus Instructor Duration Frequency

How often are you training your employees?

40


SecureWorks

Reinforcement Testing Focus Instructor Frequency Duration

Who is this???

Edward Everett, 1794 – 1865

Spoke at Dedication of Soldier's National Cemetery

Two hours long speech

Who spoke after him?

41


SecureWorks


Learn from Lincoln

Gettysburg Address

272 words Two minutes

SAT Tip: Shorter is better! Make it consumable!

42


SecureWorks


How long are your training sessions?

43


SecureWorks

Reinforcement Testing Focus Frequency Duration Instructor

SAT Tip: Understanding security is a skill. Communication is a separate skill!

44


SecureWorks

Reinforcement Testing Focus Frequency Duration Instructor

Who here is a strong communicator?

Who here is highly technical?

45


SecureWorks

Reinforcement Testing Frequency Duration Instructor Focus

SAT Tip: Training must be specific to threats

and adapt as threats change. Intel is key!

Learn from Coast Guard

Continually adapted to smugglers methods:

• Cargo ships

• Fast Boats

• Submarines

46


SecureWorks


What threats do we see today?

How do we adapt?

47


SecureWorks


What threats do we see today?

How do we adapt?

48


SecureWorks

Reinforcement Frequency Duration Instructor Focus Testing

Learn from the US ARMY

What is the number one principle in peacetime training?

Replicate battlefield conditions

SAT Tip: Include realistic simulations as tests

49


SecureWorks

Reinforcement Frequency Duration Instructor Focus Testing

What are the battlefield conditions?

How do you simulate these conditions?

• Phishing

• Vishing

• USB Drops

• Tail gating

• Bacon

• Confiscating sensitive info

50


SecureWorks

Frequency Duration Instructor Focus Testing Reinforcement

Learn from Advertisers

1.2 billion media impressions

Social Media

Television

Radio

Signage

107% Increase in Sales

SAT Tip: Consistent message & multiple mediums

(Combined with frequency) to change behavior

51


SecureWorks

Frequency Duration Instructor Focus Testing Reinforcement

What does reinforcement look like?

• Posters

• Newsletters

• Signage

• Reward Program

• Recognition Programs

• “Secret Shopper”

• Trivia

52


SecureWorks

Frequency Duration Instructor Focus Testing Reinforcement Output

Case file: Arnold

53


SecureWorks

Results

54


SecureWorks

Phishing Failure Rate

Dell SecureWorks Managed Phishing

55


SecureWorks

40%

56


SecureWorks

Conclusion

SecureWorks

Thank you!

Documents

The Human Firewall How Security Awareness Impacts … · SecureWorks The Human Firewall – How Security Awareness Impacts Your Control Environment Dane Boyd, Security Awareness Training