
GRRCON 2013: Imparting security awareness to all levels of users


DESCRIPTION

My GRRCON 2013 talk on imparting security awareness. This is based on a highly successful and well received awareness program I created and rolled out for both blue collar and white collar users.


Page 1: GRRCON 2013: Imparting security awareness to all levels of users

How to get them to really understand why security is important

BOHICA: YOUR USERS, YOUR PROBLEM

Page 2

“I personally believe that training users in security is generally a waste of time, and that the money can be spent better elsewhere. Moreover, I believe that our industry's focus on training serves to obscure greater failings in security design.”

- Bruce Schneier, March 2013

Page 3

JOEL CARDELLA

• Director, Information Security for a multinational manufacturing company

• 16 years IT experience, I&O (infrastructure and operations) focused

• In 2012 I created and delivered an awareness program to the general population of a manufacturing company

• The program targeted general security awareness

• Based on survey responses:

• 98% of the population said the material was easy to understand

• 91% rated the program as Extremely Relevant or Very Relevant to their jobs

• 96% said they would be able to use the material in their personal lives

• 97% said they would like to receive more IT programs in the future

Page 4

WHAT I PROMISED

• How to create a security awareness program that can be targeted to any level of user ability, for any user

• Specifically, show how targeting consumer (home) behavior carries over to the enterprise

• Motivational ways to engage users on the topic, in terms they understand

• Some ways to measure effectiveness

• How to prevent BOHICA

Page 5

WHY DOES AWARENESS FAIL?

(Images: “How users view IT” / “How IT views users”)

For awareness to work this must change!

Page 6

AWARENESS IS A SECURITY DISCIPLINE

• Awareness is not about creating a culture of fear & response

• Awareness is about reducing risk by shrinking the attack surfaces

• Like any security countermeasure, awareness is not 100% effective…

…but it is critical in maintaining a layered defense strategy

Page 7

AWARENESS IS HARD

• Awareness benefits are often intangible, anecdotal and difficult to measure

• Thus, programs are a difficult sell to C-levels

• However, good awareness doesn’t have to follow a formula, and it can be done for very little cost

Page 8

AWARENESS AND TRAINING ARE NOT THE SAME!

“Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly.”

- NIST SP 800-50

Page 9

PLANNING THE PROGRAM

What I did … YMMV

Page 10

WHAT I DID (YMMV)

(Diagram: awareness program planning roadmap. Source: SANS Securing The Human)

Page 11

COMPANY PROFILE

• Industry: Manufacturing

• IT Users: 5000

• Plants, facilities and remote trailers (blue collar, very low IT investment)

• 75% of the user base

• Corporate offices (white collar, mix of staff and management, very high IT investment)

• 25% of the user base

• Physical Locations: 400+

• Countries: 2

• Languages: 2

• GOAL: Create a targeted awareness campaign that every IT user at every level could benefit from

Page 12

REFINING THE MESSAGE

• To create the program, I started with a question:

• What understanding did I want to impart?

• The company had developed an annual one page sign off of security rules, called “the 5 IT rules”

Every user every year signs and acknowledges these rules

But had we ever taken the time to explain them, or why they were important?

Page 13

FURTHER REFINEMENT

• So the program core was centered on the 5 IT rules, and all the resulting materials built around them

• In reality, rule 1 alone (passwords) would have the most impact for both awareness and security

• So, the most time and energy spent in the sessions would be around constructing good passwords [and locking PCs]

Page 14

HOW DO YOU GET THEM TO CARE?

• It's incredibly difficult for users to care about security because, from a rational cost-benefit view, they conclude that it's not worth it

• We require stringent, complex passwords that change with increasing frequency – and we want them to use more than one

• They have no understanding of what they are trying to protect in a business sense, so they have no attachment to it

• They may not have the savvy to work with the technology, so they get frustrated

Page 15

THE PROGRAM

Page 16

OPENING THE MEETING

• The first thing I did was engage them on their level

• I acknowledged this was mandatory, and no one likes being forced into a meeting

• I acknowledged that they thought security was - *GASP* - boring

• I acknowledged that they thought the next hour of their time would be a waste

• This set the stage for the information I was going to give them, and framed it with a bit of humor

• Now that the level was set, I had to speak at that level – which meant very little “tech talk”

• I had to give them information about security and risk that they could use in context

• This is called “casting the line”

Page 17

COMMON UNDERSTANDING

• I started with background data to get them to a point of common understanding

• Security is a concept that applies to everything you do in life: at work, at home, with family & friends

• Security is not just technology, it’s about physical space and documents

• Mobility has brought personal and work lives together, and interconnected everyone (thus raising risk)

• I also had the benefit of using some failed audits as a driver and lever - YMMV

Page 18

NEXT, I INTRODUCED NOTEWORTHY NEWS ITEMS

• I grabbed some news headlines of big, well known data breaches

• Sony

• Visa

• RSA

• NASDAQ

• This gave them context for the discussion using names and news items they had heard of

Page 19

DATA = $$

• I explained that data breaches (aka “hacking”) are all about the monetization of the data

• Everything is now for sale, it’s no longer about bragging rights

• Then I showed them smaller breaches, but closer to home

• Medical records

• Financial records

• SSNs

Page 20

AND A BIT MORE CONTEXT

• Jan 15, 2012: 24 million customer records on Zappos.com

• Jan 20: Arizona State University: 300,000 records downloaded by an unauthorized party

• Jan 20: Kansas Dept of Aging: 7,100 records, resulting from theft from a vehicle of paper files, a laptop and flash drives

• Jan 24, 2012: 1,245,000 records from New York State Electric & Gas (NYSEG)

• Jan 30: University of Miami: 1,200 medical records stolen from a briefcase with a flash drive

• Feb 6, 2012: 17,000 records when an October 2011 burglary from a physician’s office resulted in the theft of a laptop. Laptop contained names, DOBs, physicians and diagnosis information.

• Feb 15, 2012: St Joseph Health System: 32,000 records of patients available on internet. Hospital did not know until contacted by attorney

Page 21

HOW IT IMPACTED THE BUSINESS

• The next part was a brief slide of the infections & breaches we had seen at the company, and how they had impacted business

• Again, this was to impart the context of how security breaches impact all parts of their lives

• This was an important slide for business context, but I did NOT spend a lot of time on it

• This is where they will get lost & bored

• This is called “reeling in the line”

• Reel too fast and you lose your fish

• Reel too slow and you lose your bait

Page 22

SETTING THE HOOK

• Now that the stage was set with context, I shifted gears to show what IT initiatives were in place or in the works to deal with these things

• Locking down admin rights on PCs

• 2 factor authentication for IT System Admins

• Training IT Staff on current threats/trends

• Vulnerability Tests

• Segregation of Duties – NOTE: this was a big bone of contention because of the impact to users in the business, so it helped to explain why it was necessary

• What this did was show that IT was doing what it could to help prevent, detect and respond to threats

• But we needed them to come to the table as well

• This is what we call “setting the hook”

Page 23

ENGAGING THEM

• This is where you are asking for help, creating empathy

• This is where humor is your ally!

• This is IT outreach, and it’s sorely needed in all organizations

Page 24

FOCUS ON PASSWORDS

Page 25

RECAP: WHAT HAS HAPPENED SO FAR

• I have created empathy

• I have given them context for security at home and at work

• I have given them an expectation of what we need from them

• I’ve set the hook and begun to reel them in

• WHAT HAS REALLY HAPPENED

• The concept of risk has been illustrated

• We’ve shown why risk needs to be reduced

• They have had a few laughs

• They are seriously worried about having to make 30 character passwords

Page 26

NOW WE FOCUS ON WHAT WE WANT THEM TO LEARN

• So, if we need passwords to be strong we have to explain why

• So, I discuss “What is the value of your password?”

• Put a monetary value on a user password, so if it is compromised the value can be used to determine the impact

• I used the company annual report of profit ($500M)

• We have 5 main business processes, so even division means that each process contributes $100M to profit

• If a user contributes only 1% to their business process, then their password is worth $100,000

• These are really simple expressions that are not 100% accurate but they help send the message

Page 27

APPLY THE SAME CONCEPT TO THEIR PERSONAL LIVES

• Add up the total of all your personal assets or use an arbitrary number to represent data value

• Every password in your personal life then has this value associated with it

• Email

• Bank/finance

• Crazy web sites

• So the concept of password strength is universal, and this is what the user must understand – this is awareness; that passwords at home and at work represent identity, and that identity must be protected regardless of context (business or personal)

• This is the real hook – getting them aware that this concept of security applies to any context of using IT systems

Page 28

NOW THE MEAT

• I told them here that this was the important stuff

• If they walked away retaining anything it was this

Page 29

I USED THE STRATFOR BREACH

• I showed the actual list of breached passwords, so they could see what were considered bad passwords & why

I explained that password crackers use dictionary word lists to guess passwords, and that’s why we say don’t use real words

I also asked if anyone saw their own password on the list

Page 30

I EXPLAINED PASSPHRASES

• I showed how to construct strong passwords from pass phrases

• I asked them not to hum when typing them

Page 31

AND NOW THE QUIZ

• To test the concept of whether or not what I was saying was getting through, I did a quick quiz

• The quiz showed a password and I asked

• Is this a good, strong password?

• Why or why not?

• The final question in the quiz showed a 16-character password

• I asked them if it was:

• Compliant with corporate policy

• Strong

• Easy to remember

• They said NO

• Then I sang the passphrase it was attached to – and I saw the light bulbs light

Page 32

PASSWORD QUIZ!

• Are these strong passwords? Why or why not?

• Cindy2012

• No! This complies with corporate security policy but is easily guessed

• Fisherman

• NO! Real word in the dictionary

• GoWings!

• Hey I’m from Detroit.

• No, this password is too easily guessed

• P@ssw0rd#1

• No. These substitution tricks are too common – it looks too much like a real word, easily guessed

• H,dyhtstmbgitw?1

• Yes! It doesn’t look like any words and it has enough complexity

• Themostbeautifulgirlintheworld1.

• Yes! This is very complex and long (32 characters!) and can’t be easily guessed, even though it has real words in it. Length is what carries it; a passphrase that is itself a well-known title or lyric is weaker than its length suggests, since crackers also run phrase lists.
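Added example (not from the talk or the author): the dictionary-plus-rules attack the Stratfor slide alludes to, and the slide-30 passphrase construction, run over the six quiz passwords above. The mini wordlist, the rule set, the choice of SHA-256 for the “leaked” hashes and the constructed phrase “Row, row, row your boat…” are all assumptions made for the illustration. A real cracker (hashcat, John the Ripper) uses far larger wordlists, rule files and phrase lists, which is also why a long passphrase that is itself a well-known title should not be treated as safe just because this toy misses it.

```python
"""Toy dictionary + rules cracker vs. the slide-32 quiz passwords, plus the
slide-30 passphrase construction. Added illustration, not code from the talk."""
import hashlib
import itertools

# Constructed mini wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "fisherman", "cindy", "go", "wings", "detroit",
            "hockey", "summer", "welcome", "admin"]
# Typical append rules: policy-satisfying suffixes users reach for.
SUFFIXES = ("", "!", "1", "#1", "123", "2012", "2013")
# Leet substitutions, full and the more common partial form.
FULL_LEET = str.maketrans({"a": "@", "o": "0", "e": "3", "i": "1", "s": "$"})
PARTIAL_LEET = str.maketrans({"a": "@", "o": "0"})


def mangle(word):
    """Yield the variants a rule-based cracker tries for one dictionary word."""
    bases = {word, word.capitalize(), word.upper()}
    bases |= {b.translate(FULL_LEET) for b in bases}
    bases |= {b.translate(PARTIAL_LEET) for b in bases}
    for base in bases:
        for suffix in SUFFIXES:
            yield base + suffix


def candidates(words=WORDLIST):
    """Single words with rules, then two-word combinations (the 'GoWings' case)."""
    for w in words:
        yield from mangle(w)
    for w1, w2 in itertools.permutations(words, 2):
        for combo in (w1 + w2, w1.capitalize() + w2.capitalize()):
            for suffix in ("", "!", "1"):
                yield combo + suffix


def sha256_hex(text):
    """Unsalted SHA-256, chosen only so the toy runs offline; real leaks vary."""
    return hashlib.sha256(text.encode()).hexdigest()


def crack(hashes, words=WORDLIST):
    """Return {hash: plaintext} for every target recovered from the candidate space."""
    targets = set(hashes)
    found = {}
    for cand in candidates(words):
        h = sha256_hex(cand)
        if h in targets and h not in found:
            found[h] = cand
            if len(found) == len(targets):
                break
    return found


def from_passphrase(phrase, suffix="1"):
    """Slide-30 style construction: first character of each word, punctuation
    kept where it was ("Row," -> "R,"), plus a digit for complexity policy."""
    out = []
    for token in phrase.split():
        if not any(ch.isalnum() for ch in token):
            continue  # skip stray punctuation-only tokens
        word = token.rstrip(".,!?;:")
        out.append(token[0] + token[len(word):])
    return "".join(out) + suffix


# The six quiz passwords plus one built from a constructed passphrase.
QUIZ = ["Cindy2012", "Fisherman", "GoWings!", "P@ssw0rd#1",
        "H,dyhtstmbgitw?1", "Themostbeautifulgirlintheworld1."]
CONSTRUCTED_PHRASE = "Row, row, row your boat gently down the stream!"


def quiz_results():
    """Map each password to whether the toy cracker recovered it from its hash."""
    plains = QUIZ + [from_passphrase(CONSTRUCTED_PHRASE)]
    hashes = {sha256_hex(p): p for p in plains}  # what a leak hands the attacker
    found = crack(hashes.keys())
    return {p: (h in found) for h, p in hashes.items()}


if __name__ == "__main__":
    for pw, cracked in quiz_results().items():
        print(f"{pw:36} {'CRACKED' if cracked else 'survived'}")
```

Running it prints CRACKED for the four quiz entries the slide marks as weak (the name-plus-year, the dictionary word, the two-word combination and the leet-substituted “password”) and survived for the two long ones and for the constructed passphrase password; the candidate space is only a few thousand strings, which is the point: those four fall to the cheapest rules a cracker has.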

Page 33

GIVE THEM A GOAL

• I set a goal for them to have one distinct long & complex password for one login: their personal finances

Page 34

AT THIS POINT: AWARENESS

• This is when awareness kicks in

• This is the point that they realize they can make strong passwords that they can easily remember

• They also realize they can use different passwords across applications, and also remember them

• And then I offered a bonus class session on managing complex passwords using password management software (KeePass)

• Imagine what would happen to your enterprise if you had a 20% to 30% shift in users using strong passwords

• Imagine what would happen to the world if this shift occurred?

Page 35

I QUICKLY ADDRESSED THE OTHER 4 RULES

• I linked it back to personal behavior

• Locking your PC is like locking the door to your house – you are trying to keep your valuables safe

Many users did not know that you could lock a PC using Windows+L

They also did not know how easy it was to unlock

Don’t assume your users know these things!

Page 36

LET’S TALK

• When you have achieved this point, stop talking about the company/business and keep the talk focused on their personal lives

• This is awareness, which is behavioral focused, and if we get them to behave securely in their personal lives, this will migrate to the enterprise

Page 37

CONSUMERIZATION

Page 38

CONSUMER BEHAVIOR APPLIES TO THE ENTERPRISE

• Now I discussed consumerization and the risks

• Social Media

• Mobility

• Public Wifi/Public access terminals

• For the older generation, I acknowledged that while they might not use these things in any large capacity, they knew someone who did: their kids, nieces/nephews, friends, neighbors

Page 39

TALKING THE TALK

• I addressed “bad” behaviors

• Avoid using the same usernames and passwords among multiple applications/websites

• I talked about “good” behaviors

• Second-factor authentication for email/Facebook/Twitter (protecting identity)

• I gave personal anecdotes

• My wife’s Facebook post from Foursquare showed we were at the movies, the show times, and a map

• This is important as it illustrates that anyone can be in a compromised position

Page 40

WALKING THE TALK

• Social networking:

• I showed them how to use Facebook privacy settings, and which ones were important

• Explained social interconnection, and how posts from others can reveal information about you (especially about kids)

• How it can be used for identity fraud

• Mobility

• I discussed the importance of PIN locking a smartphone

• I discussed apps accessing more data than they might want

• Public access

• I discussed use of public terminals (library computers) and to log out/close browser sessions

• I discussed that SMS on a data network can be captured in the clear

Page 41

I SHOWED THEM HOW TO BE SECURE AT HOME

• An important item is to engage them at home – personal behavior migrates to the enterprise

• I talked about how to secure their home PCs by using antivirus, and accepting regular software and OS updates

• I talked about physical security and different lock types

• I also gave them takeaways for home which included a list of free AV apps and other open source programs which can be helpful

• I opened the floor for a Q&A about home PC use

Page 42

2 OPTIONAL CLASSES

• I also gave 2 optional classes at each site

• Managing passwords using password management software (KeePass)

• Creating backups for home and for work using open source tools (Fbackup)

• The feedback here was 100% positive from those who attended, and I have been asked to continue giving these classes

Page 43

GAUGING SUCCESS

Page 44

SUBJECTIVE MEASURES

• “Success” with awareness is more subjective than objective

• So I gathered subjective observations and included them in an executive report

• I was doing a two day session at a plant. A terminal operator from day one came to me and said “Last night my wife and I sat down and changed all our passwords. Thanks!”

• At one location, the plant employees asked if their wives could come hear the talk about Facebook and social media protection – so I gave it again for them as well

• At one corporate location, after giving the class on managing passwords with KeePass, a Finance controller came to me and said “This has changed my life for the better”

Page 45

OBJECTIVE MEASURES

• I created a quick, 10-question survey and distributed it via SurveyMonkey

• Was the material presented in a way that was easy to understand?

• Yes/No/Partial

• 98% Yes

• How relevant is the material to your job?

• Extremely/Very/Somewhat/Slightly/Not at all

• 91% Extremely or Very

• Will you be able to use the material in your home life as well as work life?

• Yes/No/Partially

• 96% Yes

• Do you think this material is important to you and the company?

• Yes/No/Partial

• 97% Yes

• Then some questions about me as a presenter and a couple of optional questions & comments

Page 46

IMPACT ON METRICS

• The impact on metrics was minimal, but noticeable

• The rate of infection didn’t change

• The amount of malicious activity like side-scanning didn’t change

• The number of tickets reporting fake/phishing email went up 2400%

• From 2-3/month to 50+/month

• The number of contacts by users into Security about general questions went up 300%

• Roughly 2-3 per year to 30+

Page 47

WHY WAS IT SUCCESSFUL?

Page 48

ENGAGEMENT AND PARTNERSHIP

• Partnering with HR was key

• HR managed the meeting organization

• HR tracked them as training sessions (all employees have mandatory training hours)

• I talked to users in their language

• I didn’t use acronyms, or explained the ones I did

• Did not see them as Juggalos

Page 49

IT’S ALL ABOUT CONNECTING AND OUTREACH

• Awareness doesn’t have to be a program, you can use other ways

• Offer optional training classes on IT tools

• Backup management

• Password management

• How to protect a home PC

• How to effectively use search engines

• Publish a security newsletter, with personal information that can be used at home

• Especially target information for families

Page 50

NEWSLETTER EXAMPLES

Page 51

NEWSLETTER EXAMPLES

Page 52

NEWSLETTER EXAMPLES

Page 53

TOOLBOX

Page 54

ONLINE TOOLS

• Privacyrights.org

• Lists reported data breaches

• Verizon Data Breach Investigations Report

• http://www.verizonenterprise.com/DBIR/2013/

• Microsoft Security Intelligence Report (SIR)

• http://www.microsoft.com/security/sir/default.aspx

• Ponemon Institute reports

• http://www.ponemon.org/

• Popular news stories about security

Page 55

CONTACT INFO

• Joel Cardella

• Email: [email protected]

• Twitter: @JoelConverses

• Freenode IRC: #MiSEC