SecureWorks
The Human Firewall – How Security Awareness Impacts Your Control Environment
Dane Boyd, Security Awareness Training Principal Consultant
John Andrew, IT Security Auditor
Dell SecureWorks
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
Agenda
• Introduction
• In The News …
• ‘Red Team’ Stories
• Defining the Problem
• Winning Awareness Strategies
• Winning Awareness Tactics
• Q&A
Introduction
• Dane Boyd, Security Awareness Training Principal Consultant
- Awareness Com Leader – CISO
- Led DSWx Awareness practice for 5 years
- Fun facts: (From, Speak, Hobby)
• John Andrew, CISA, CISSP, GLEG
- IT Security Auditor – dotted line to CISO
- Over 20 Years IT, IT Audit, and IT Security experience
- Fun facts: (From, Speak, Hobby)
Disclaimer – Rules of the Road
• This presentation is prepared solely for educational purposes.
• Our goal is to engage IT Auditors in Security Awareness efforts.
• Much of what we will share is based on our personal experience. Take what benefits you… forget the rest.
• Questions are welcome! Please wait until transition points.
In The News…
‘Wired’ writer Andy Greenberg reports on Jeep Cherokee exploit
All of this is possible only because Chrysler, like practically all carmakers, is doing its best to turn the modern automobile into a smartphone. Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks, controls the vehicle’s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot.
In The News…
‘Wall Street Journal’ – Michael Hayden describing the OPM hack – 21 million security clearance records compromised.
In The News…
Critical Infrastructure
Survey results: 48% of IT Executives believe that it is likely that there will be an attack on critical infrastructure.
When: in the next three years…
Impact: resulting in loss of life…
Critical Infrastructure
The ERIPP and SHODAN search engines can be easily used to find Internet facing ICS devices, thus identifying potential attack targets. These search engines are being actively used to identify and access control systems over the Internet. Combining these tools with easily obtainable exploitation tools, attackers can identify and access control systems with significantly less effort than ever before.
Red Team Stories
Project Shine – Control Systems Found Include:
• Traffic light controls
• Traffic cameras
• Swimming Pool Acid Pump
• Hydroelectric plant
• Nuclear Power Plant
• Hotel Wine Cooler
• Hospital Heart Rate Monitor
• Home Security System
• Gondola Ride
• Car Wash
Source: http://money.cnn.com/2013/04/08/technology/security/shodan/index.html
Red Team Stories
DHS Public Private Partnership
2014 IC Analyst – Private Sector Program – Critical Manufacturing Findings
• Lack of Awareness and information sharing
• Interpretation of cyber threats and the cyber security posture differed significantly between management, engineering, audit, compliance, and IT security.
• Need for more training, education, and awareness across all Critical Sectors.
Information Security = Building a Castle
“95% of all attacks on enterprise networks are the result of successful spear phishing”
Source: Alan Paller, Director of Research, SANS Institute
Defense in Depth (diagram)
Network Defense Layers: Firewall, IDS/IPS, Web Proxy
End-point Defenses: Anti-Virus, Endpoint Monitoring
Key Terrain: User
Strategies for a Vigilant Employee (diagram): Proper Attention, Executive Support, Inspect what you expect
Strategy: Inspect what you expect
Defense in Depth: A Closer Look
Only 60% of organizations have a Security Awareness Program.
Source: PwC, The Global State of Information Security Survey 2014
(Diagram labels: User, Testing, Key Terrain)
Testing Improves Learning
“The added effort required to recall the information makes learning stronger.”
Henry L. Roediger III, Washington University in St. Louis, co-author of “Make It Stick: The Science of Successful Learning”
Strategy: Executive Support
Reason #1: Employee Resentment
This guy…
Reason #2: Employees’ Understanding
…and her!
Reason #3: Executives are part of the problem
Whaling
The Whale Hunt
• Salary
• Previous jobs
• Donations
• Children’s name
• Mother’s death date
• City & State
• Tax Record
• Home Address
• Aerial Photo of home
Strategy: Treat Awareness like a vulnerability
Proper Importance
In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.
Source: Wikipedia
(Illustration: CVE-2014-7861, Employee ID 24355, and CVE-2014-6277 listed side by side as vulnerability records)
Live Poll: How frequently are you patching the human firewall?
• New Employee Security Awareness Training?
• Annual Security Awareness Training?
• Periodic Security Awareness Newsletter?
• Phishing Assessments?
• Lunch & Learn?
• Other areas?
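As an added illustration of the “treat awareness like a vulnerability” strategy and the patching cadence asked about in the poll (example code written for this page, not from the presentation or Dell SecureWorks), the script below keeps an awareness “patch record” per employee, flags who is overdue for training or failed a recent phishing assessment, and computes the phishing failure rate shown later under Results. Employee IDs, dates, results and the 365-day cadence are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

@dataclass
class Employee:
    emp_id: str                      # hypothetical identifier, not a real employee
    last_training: Optional[date]    # None = never completed awareness training
    phishing_results: List[bool] = field(default_factory=list)  # True = failed a simulated phish

@dataclass
class AwarenessFinding:
    """One 'vulnerability record' for the human firewall: who is exposed and why."""
    emp_id: str
    reason: str

def find_unpatched(employees: List[Employee], today: date,
                   cadence_days: int = 365, recent: int = 3) -> List[AwarenessFinding]:
    """Flag employees whose awareness 'patch level' is stale or who recently failed a test."""
    findings = []
    for e in employees:
        if e.last_training is None:
            findings.append(AwarenessFinding(e.emp_id, "never trained"))
        elif (today - e.last_training).days > cadence_days:
            findings.append(AwarenessFinding(e.emp_id, f"training older than {cadence_days} days"))
        # Only the most recent assessments count; older failures are assumed remediated.
        if any(e.phishing_results[-recent:]):
            findings.append(AwarenessFinding(e.emp_id, "failed a recent phishing assessment"))
    return findings

def phishing_failure_rate(employees: List[Employee]) -> float:
    """Failures divided by simulated phishing emails delivered (the 'Results' metric)."""
    delivered = sum(len(e.phishing_results) for e in employees)
    failed = sum(sum(e.phishing_results) for e in employees)
    return failed / delivered if delivered else 0.0

# Constructed sample roster; IDs, dates and results are made up for illustration.
SAMPLE_ROSTER = [
    Employee("E001", date(2015, 3, 1), [False, False, False]),
    Employee("E002", date(2014, 5, 1), [False, True]),
    Employee("E003", None, []),
    Employee("E004", date(2015, 6, 15), [True, False, False, False]),
]
AS_OF = date(2015, 9, 1)

if __name__ == "__main__":
    for f in find_unpatched(SAMPLE_ROSTER, AS_OF):
        print(f"{f.emp_id}: {f.reason}")
    print(f"phishing failure rate: {phishing_failure_rate(SAMPLE_ROSTER):.1%}")
```

Lowering cadence_days or raising recent tightens the policy, which is the same trade-off as shortening a patch SLA.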
Tactics
Typical Security Awareness Program Tactics (diagram)
• Once a year
• “Too Long!”
• Computer Expert
• Policy Acknowledgement Form
• ?
Tactic: Frequency
Learn from Arnold
• Worked out twice a day
• Trained each muscle group 3x/week
• 26 – 61 sets per workout
• Tens of thousands of pounds
SAT Tip: Frequency matters!!!
Pop quiz! Where am I from?
Tactic: Frequency
How often are you training your employees?
Tactic: Duration
Who is this???
Edward Everett, 1794 – 1865
Spoke at the dedication of the Soldiers’ National Cemetery
Two-hour-long speech
Who spoke after him?
Tactic: Duration
Learn from Lincoln
Gettysburg Address: 272 words, two minutes
SAT Tip: Shorter is better! Make it consumable!
Tactic: Duration
How long are your training sessions?
Tactic: Instructor
SAT Tip: Understanding security is a skill. Communication is a separate skill!
Tactic: Instructor
Who here is a strong communicator?
Who here is highly technical?
Tactic: Focus
SAT Tip: Training must be specific to threats and adapt as threats change. Intel is key!
Learn from the Coast Guard
Continually adapted to smugglers’ methods:
• Cargo ships
• Fast boats
• Submarines
Tactic: Focus
What threats do we see today?
How do we adapt?
Tactic: Testing
Learn from the US Army
What is the number one principle in peacetime training?
Replicate battlefield conditions
SAT Tip: Include realistic simulations as tests
49
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
SecureWorks
Tactic: Testing
What are the battlefield conditions?
How do you simulate these conditions?
• Phishing
• Vishing
• USB drops
• Tailgating
• Bacon
• Confiscating sensitive info
50
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
SecureWorks
Tactic: Reinforcement
Learn from Advertisers
• 1.2 billion media impressions (Social Media, Television, Radio, Signage)
• 107% increase in sales
SAT Tip: Consistent message & multiple mediums (combined with frequency) to change behavior
51
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
SecureWorks
Tactic: Reinforcement
What does reinforcement look like?
• Posters
• Newsletters
• Signage
• Reward Program
• Recognition Programs
• “Secret Shopper”
• Trivia
52
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
SecureWorks
Tactic: Output
Case file: Arnold
53
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
SecureWorks
Results
54
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
SecureWorks
Phishing Failure Rate (chart): Dell SecureWorks Managed Phishing
55
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
SecureWorks
40%
Conclusion
Thank you!