Information Security Awareness & Training Programs. Scratch That. Information Security Behavior Programs. Michael McDonnell, GCIA, GCWN, MLIS [email protected]

Information security awareness programs


DESCRIPTION

A presentation on the process of developing and running an Information Security Awareness program. Heavily based on NIST guidelines.


Page 1: Information security awareness programs

Information Security Awareness & Training Programs. Scratch That.

Information Security Behavior Programs

Michael McDonnell, GCIA, GCWN, MLIS [email protected]

Page 2

Security Awareness is Commonly Prescribed

Page 3

Security Awareness is one part of a Security Program

Governance

Risk Management

Incident Response

Training and Awareness

Security Architecture

Security IT Operations

Compliance & Audit

Page 4

We have Security Awareness because People are the Target of Attacks

Social Engineering:

Exploiting the natural human tendency to trust.

Page 5

We have Security Awareness because Technology Alone is not Enough

Page 6

We have Security Awareness because People Need to Understand

Understand their roles and responsibilities

Understand the organization’s IT security policies & procedures

Understand the systems they are responsible for

Page 7

(NIST SP 800-50) A Security Awareness Program has 4 Components

IT Security Learning Continuum

1. Awareness: The purpose of awareness presentations is simply to focus attention on security.

2. Training: Strives to produce relevant and needed security skills and competencies.

3. Education: Integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge and strives to produce IT security specialists.

4. Professional Development: Validates skills through certification.

Page 8

(NIST SP 800-50) Model 1: Centralized

Page 9

EDUCAUSE specifies something like Model 1

1. Technology: Tools used to defend against threats. Training and awareness can be focused on these tools.

2. Policy and Procedures: Security-related policies are needed to reduce risk.

3. Remediation: Awareness is designed to change behavior, so the program should have remediation of problems as its goal.

4. Training and Awareness: Communicate about the first three items.

Security Awareness Plan Components

Page 10

(NIST SP 800-50) Model 2: Partially Decentralized

Page 11

A communications focused approach is like Model 2

Audience: Leaders, Managers, Staff, Auditors, IT Admins, External, Customers

Content: Phishing, Malware, Procedures, Policies, Skill Building, Training, Briefings

Method: Presentations, Guides, Website, Newsletters, Articles, Lunch-and-learn, Email Alerts, CBT (computer-based training)

Page 12

(NIST SP 800-50) Model 3: Fully Decentralized

Page 13

(NIST SP 800-50) Emphasizes continuous improvement

Planning & Development:

- Needs assessment
- Identify gaps
- Develop a strategy and plan
- Establish priorities
- Choose level of complexity
- Secure funding

Execution & Improvement:

- Select topics/content
- Develop materials
- Create courses
- Implement/deliver
- Monitor compliance
- Revise the awareness program

Page 14

Security Awareness Maturity can be Measured

SANS Institute Security Awareness Roadmap: Maturity Levels

1. No Awareness Program

2. Compliance Focused

3. Promotes Awareness & Change

4. Long Term Sustainment

5. Metrics Framework

Page 15

Security Training in Practical Reality

Media Pro (http://www.mediapro.com/)

SANS Institute (https://securingthehuman.org)

InfoSecure (http://www.infosecuregroup.com/awareness-training.html)

Inspired eLearning (http://www.inspiredelearning.com/sat/)

Trustwave (https://www.trustwave.com/security-awareness-education/)

Page 16

Security Awareness & Training can be about building behavior

Hack Surfer (http://www.hacksurfer.com/): Social analytics of IT security topics with risk measures

Web Filtering/Threat Intelligence (http://www.mcafee.com/threat-intelligence)

APOZY (http://www.apozy.com)

PhishMe (http://phishme.com/)

Page 17

Security Awareness is Controversial

Page 18

Security Awareness in Practical Reality

Is this your password? Imperva Analysis

Nearly 50% of passwords are:

- Names
- Slang words
- Dictionary words
- Consecutive digits
- Keyboard patterns

My own experience:

- Phone numbers
- Dates
- Names backwards
- 4-digit PINs (is that your BANK PIN TOO?!)
- Swear words

Top 10 passwords from the analysis:

1. 123456
2. 12345
3. 123456789
4. Password
5. Iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123
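The pattern categories on this slide can be turned into a triage check that an awareness program can run over a cracked or leaked password set to show staff, with numbers, what "weak" means. The script below is an added example, not code from the presentation or from Imperva. It generalises "consecutive digits" to any ascending or descending run of characters (so "abc123" is caught too), and the word, name, slang and swear lists are tiny constructed stand-ins; a real audit would load full wordlists and a name list for the organisation's locale. The phone-number rule assumes North American 7- or 10-digit numbers whose first digit is not 0 or 1, which is an assumption, not something the slide states.

```python
"""Weak-password pattern triage, run over the ten passwords listed on the slide."""
import re

# Constructed mini word lists (assumption: a real audit loads full lists such as
# the RockYou corpus Imperva analysed plus a locale-appropriate name list).
COMMON_NAMES = {"princess", "michael", "jennifer", "ashley", "daniel"}
DICTIONARY_WORDS = {"password", "iloveyou", "rockyou", "welcome", "monkey",
                    "dragon", "sunshine", "football"}
SLANG_WORDS = {"lol", "omg", "yolo", "bae"}
SWEAR_WORDS = {"damn", "hell"}          # placeholder entries; extend as needed
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def has_sequence(pw, min_run=3):
    """Ascending or descending run of consecutive characters: 123456, abc, zyx."""
    s = pw.lower()
    for start in range(len(s) - min_run + 1):
        chunk = s[start:start + min_run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_keyboard_walk(pw, min_run=4):
    """Any min_run-long slice of a keyboard row (either direction) inside the password."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for walk in (row, row[::-1]):
            for start in range(len(walk) - min_run + 1):
                if walk[start:start + min_run] in s:
                    return True
    return False


def looks_like_phone(pw):
    """7- or 10-digit number after stripping common separators (NANP-style assumption)."""
    digits = re.sub(r"[\s().\-]", "", pw)
    return digits.isdigit() and len(digits) in (7, 10) and digits[0] not in "01"


def looks_like_date(pw):
    """6- or 8-digit strings that parse as DDMMYY/MMDDYY, YYYYMMDD or DDMMYYYY/MMDDYYYY."""
    digits = re.sub(r"[/.\-]", "", pw)
    if not digits.isdigit():
        return False

    def ok(month, day):
        return 1 <= month <= 12 and 1 <= day <= 31

    if len(digits) == 8:
        year, a, b = int(digits[:4]), int(digits[4:6]), int(digits[6:])
        if 1900 <= year <= 2099 and (ok(a, b) or ok(b, a)):
            return True
        a, b, year = int(digits[:2]), int(digits[2:4]), int(digits[4:])
        return 1900 <= year <= 2099 and (ok(a, b) or ok(b, a))
    if len(digits) == 6:
        a, b = int(digits[:2]), int(digits[2:4])
        return ok(a, b) or ok(b, a)
    return False


def is_pin(pw):
    return pw.isdigit() and len(pw) == 4


def classify(pw):
    """Return the set of slide categories a password falls into (empty set = none matched)."""
    s = pw.lower()
    labels = set()
    if s in COMMON_NAMES:
        labels.add("name")
    if s[::-1] in COMMON_NAMES:
        labels.add("name backwards")
    if s in DICTIONARY_WORDS:
        labels.add("dictionary word")
    if s in SLANG_WORDS:
        labels.add("slang")
    if s in SWEAR_WORDS:
        labels.add("swear word")
    if has_sequence(pw):
        labels.add("sequential characters")
    if has_keyboard_walk(pw):
        labels.add("keyboard pattern")
    if looks_like_phone(pw):
        labels.add("phone number")
    if looks_like_date(pw):
        labels.add("date")
    if is_pin(pw):
        labels.add("4-digit PIN")
    return labels


# The ten passwords from the slide, embedded so the script runs offline.
TOP10 = ["123456", "12345", "123456789", "Password", "Iloveyou",
         "princess", "rockyou", "1234567", "12345678", "abc123"]


def flagged_fraction(passwords):
    """Share of passwords that match at least one weak-pattern category."""
    flagged = sum(1 for p in passwords if classify(p))
    return flagged / len(passwords)


if __name__ == "__main__":
    for p in TOP10:
        print(f"{p:12} {sorted(classify(p)) or ['no pattern matched']}")
    print(f"flagged: {flagged_fraction(TOP10):.0%}")
```

Every one of the slide's top ten trips at least one rule, which is the point to make in a briefing: a password can be long enough to pass a length policy and still be one of the first guesses an attacker tries. The checks are deliberately independent so a password can carry several labels; "123456" is both a sequence and a keyboard walk along the number row.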

Page 19

Security Awareness in Practical Reality

Users don’t care about security, right?

Most people have some interest, just different interests.

- Use “multi-modal” communications
- Address a diverse set of topics
- Mix business and personal focus
- Choose topics that are likely to be discussed
- Make communications consistent and common

They do care outside of work!

- Everyone has kids, and kids have cybersecurity issues
- Everyone knows someone who got a virus
- Some are asked to help their family members with computer security
- Everyone sees cybersecurity on the news and some are curious

Page 20

Does Awareness thwart APTs? Shady RAT, Night Dragon, and the RSA Breach

Page 21

Could Security Awareness have Prevented the RSA Breach?

Page 22

Could Security Awareness have Prevented the RSA Breach?

“But do phishing attacks like RSA prove that employee training is a must, or just the opposite? If employees and/or executives at RSA, Google, eBay, Adobe, Facebook, Oak Ridge National Laboratory and other technologically sophisticated organizations can be phished, doesn't that suggest that even knowledgeable and trained people still fall victim to attacks?” – Dave Aitel, Immunity Inc. CSO


Page 23

Could Security Awareness have Prevented the RSA Breach?

“When it comes to APTs it is not about how good you are once inside, but that you use a totally new approach for entering the organization. You don’t bother to just simply hack the organization and its infrastructure; you focus much more of your attention on hacking the employees.” – “Anatomy of an Attack” (RSA Blog)

“…the hackers had knowledge of the internal naming conventions that his company used for hosts on its network…. This knowledge helped them disguise their malicious activity inside the network so that it appeared to be legitimate…. ‘User names could match workstation names, which could make them a little more difficult to detect….’” -- IDG interview with Eddie Schwartz, RSA’s chief security officer

https://blogs.rsa.com/anatomy-of-an-attack/

Page 24

Information Security Awareness & Training Programs → Information Security Behavior Programs

Cultivate security-centric:

- Attitudes
- Perceptions
- Behaviors
- Knowledge
- Skills
- Abilities

Cultivation creates:

- Security Culture

Page 25

Security Culture requires collaboration

“Security Culture Framework approach relies heavily on the uncomfortable realization that most infosec pros are really great at security, but most likely will need the help of other key players to accomplish organizational change where security awareness efforts are concerned.

“Culture is the HR department’s turf, communication is the marketing department’s purview, while planning and execution may reside in the project management office or similar, depending on your organization….”

“As the security specialist, you should concentrate only on how to facilitate the development of the content and the goals of the awareness program, which is a very different approach than trying to do it all yourself.”

--Kai Roer on Building an Enterprise Security Culture

Page 27

Further Reading

Complete Guide to Security and Privacy Metrics http://www.amazon.com/Complete-Guide-Security-Privacy-Metrics/dp/0849354021

http://www.securitymetrics.org

Kai Roer on Building an Enterprise Security Culture [Rebuttal to “Why you shouldn’t train employees for security awareness”] http://www.tripwire.com/state-of-security/risk-based-security-for-executives/risk-management/kai-roer-on-building-an-enterprise-security-culture/