7/29/2019 Security Smackdown: End-User Awareness Programs vs. Technology Solutions (166295407)
http://slidepdf.com/reader/full/security-smackdown-end-user-awareness-programs-vs-technology-solutions-166295407 1/19
© C. Brisson and J. Klein Keane
Security Smackdown: End-User Awareness Programs vs. Technology Solutions
Justin Klein Keane
Christine Brisson
University of Pennsylvania
School of Arts & Sciences
Analogies only work if they're accurate
Except in the case of car analogies, which always suck
*Let's try to keep this discussion free of car analogies
Proven Technical Solutions
http://www.darkreading.com/blog/240151108/on-security-awareness-training.html
Security Luminaries agree:
● Bruce Schneier
● Dave Aitel, Immunity
● Richard Bejtlich, Mandiant
N.B.: Detractors of security awareness training have no financial stake in the correctness of their argument.
Gizmodo -- The 10 most popular passwords of 2012:
1. Password (Unchanged)
2. 123456 (Unchanged)
3. 12345678 (Unchanged)
4. abc123 (Up 1)
5. qwerty (Down 1)
6. monkey (Unchanged)
7. letmein (Up 1)
8. dragon (Up 2)
9. 111111 (Up 3)
10. baseball (Up 1)
What about Pa$$w0rd?
Simulated Phishing Campaigns
● New York State employees (2005)
– 10,000 people – decline in response rate to fake phishing emails from 15% to 8% over two trials
● PhishMe at Emory (2012)
– 40,000 people – decline in response rate to fake phishing emails from 13.7% overall to 8.1% over three trials.
– No overall decline in number of successful phishing attacks
● Operation Carronade (West Point, 2004)
– 80% of cadets (small sample size, 400) clicked on the link; 90% of freshmen
– “There is a culture at West Point that any e-mail with a "COL" (abbreviation for Colonel) salutation has an action to be executed. To a cadet, the action/request is to be executed regardless of its nature or rationale. The e-mail sought to exploit this culture.”
Phishing Education is Misguided
Careful where you Click
Be careful where you click?
Human Cognition is Exploitable
https://online.citiban.k.com/US/JSO/signon
https://online.C|T|BANK.COM/US/JSO/signon
https://online.citibank.com/US/JSO/signon:/accounts/[email protected]
https://online.citibänk.com/US/JSO/signon
https://online.citibaņk.com/US/JSO/signon
https://online.citbank.com/US/JSO/signon
http://bit.ly/JQ9RCh
http://translate.google.com/#auto/en/https%3A%2F%2Fevil.com
Some tricks are invisible:
http://www.symantec.com/connect/blogs/soft-hyphen-new-url-obfuscation-technique
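Added here as an example, not from the slides: a small Python heuristic of the kind a mail gateway or link-rewriting proxy can run to flag the lookalike tricks shown above (extra-dot domains, character substitution, userinfo before "@", accented homographs, typo-squats, shorteners, redirector wrapping, and the invisible soft hyphen). The brand, shortener and redirector sets are constructed assumptions, and the "registrable domain" rule is a simplification that ignores the public-suffix list.

```python
import re
import unicodedata
from urllib.parse import unquote, urlsplit

# Constructed lists for this example; a real deployment maintains its own.
BRAND_DOMAINS = {"citibank.com"}
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com"}
REDIRECTORS = {"translate.google.com"}
INVISIBLE = "\u00ad\u200b\u200c\u200d\u2060\ufeff"  # soft hyphen and zero-width chars

def levenshtein(a: str, b: str) -> int:  # edit distance, to catch typo-squats
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def skeleton(label: str) -> str:  # 'citibänk' -> 'citibank' by dropping accents
    return "".join(c for c in unicodedata.normalize("NFKD", label)
                   if not unicodedata.combining(c))

def analyze_url(url: str) -> list[str]:
    """Return the reasons a URL looks like a lookalike or obfuscated link ([] if clean)."""
    findings = []
    if any(c in INVISIBLE for c in url):
        findings.append("invisible character (soft hyphen / zero-width) inside URL")
    clean = "".join(c for c in url if c not in INVISIBLE)
    parts = urlsplit(clean)
    host = (parts.hostname or "").lower()
    if "@" in parts.netloc:  # text before '@' is userinfo, not the site
        findings.append(f"userinfo before '@': real host is {host!r}")
    if not host.isascii():
        findings.append(f"non-ASCII host {host!r} (IDN homograph lookalike)")
    elif not re.fullmatch(r"[a-z0-9.-]+", host):
        findings.append(f"illegal characters in host {host!r}")
    registrable = ".".join(host.split(".")[-2:])  # simplification: no public-suffix list
    for brand in BRAND_DOMAINS:
        label = brand.split(".")[0]
        if registrable != brand and any(
                levenshtein(skeleton(part), label) <= 2 for part in host.split(".")):
            findings.append(f"host {host!r} imitates {brand!r} but its domain is {registrable!r}")
    if host in SHORTENERS:
        findings.append("URL shortener hides the final destination")
    if host in REDIRECTORS:
        m = re.search(r"https?%3a%2f%2f[^&#\s]*", clean, re.I)
        if m:
            findings.append(f"open redirector wraps {unquote(m.group())!r}")
    return findings
```

Run against the slide's own URLs, the genuine `https://online.citibank.com/US/JSO/signon` returns no findings while each lookalike is flagged; a soft-hyphen URL that renders identically to the real one is caught before the host is even compared.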
Privacy/Sensitive data
Effective Training (Developers)
Effective Training (Users)
NCSAM Campaigns in SAS
Two main messages
● Information Security is an issue
● Know who to contact if you have questions
We chose themes based on pain points
● Data and privacy
● Be careful where you click
● Securing mobile devices
Different methods of outreach
● Posters
● Web site
● Events (shredding day)
● “Security and Donuts” -- school wide but locally-based
Shared material/ideas with other Penn schools/units
References
● West Point: http://www.educause.edu/ero/article/fostering-e-mail-security-awareness-west-point-carronade
● New York State phishing: “You Won’t Believe How Adorable This Kitty Is! Click for More!” by Geoffrey A. Fowler, Wall Street Journal, 3/27/2013.
● Emory University phishing: http://www.educause.edu/events/security-professionals-conference/phishing-ourselves-raise-awareness
● Top 10 Passwords: http://gizmodo.com/5954372/the-25-most-popular-passwords-of-2012
● Anti-Phishing Phil: "Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish," by Steve Sheng, Bryant Magnien, Ponnurangam Kumaraguru, Alessandro Acquisti, Lorrie Faith Cranor, Jason Hong, Elizabeth Nunge. Symposium On Usable Privacy and Security (SOUPS) 2007, July 18-20, 2007, Pittsburgh, PA, USA. Available at http://cups.cs.cmu.edu/soups/2007/proceedings/p88_sheng.pdf
● West Virginia University training effort: “Information Security Training - Lessons Learned Along the Trail” by Michael Cooper. SIGUCCS ’08, October 19-22, 2008, Portland, Oregon, USA.
● Arguments in favor of security training:
● http://www.csoonline.com/article/705639/ten-commandments-for-effective-security-training
● http://searchsecurity.techtarget.com/news/2240162630/Data-supports-need-for-awareness-training-despite-naysayers
References (cont.)
● Proven technical controls:
● "Strategies to Mitigate Targeted Cyber Intrusion," Australian Defense Signals Directorate. http://www.dsd.gov.au/infosec/top-mitigations
● "20 Critical Controls," Center for Strategic and International Studies. https://www.sans.org/critical-security-controls/guidelines.php
● Phishing resources:
● https://crypto.stanford.edu/antiphishing/
● https://www.mozilla.org/en-US/firefox/phishing-protection/
● https://community.opendns.com/phishtank/
● Security training is a waste:
● “On Security Awareness Training,” by Bruce Schneier. Dark Reading, http://www.darkreading.com/blog/240151108/on-security-awareness-training.html
● “Why you shouldn't train employees for security awareness,” by Dave Aitel. CSO Online, http://www.csoonline.com/article/711412/why-you-shouldn-t-train-employees-for-security-awareness
● “Security Awareness Training: A Waste of Time?,” by Richard Bejtlich. Tao Security, http://taosecurity.blogspot.com/2005/11/security-awareness-training-waste-of.html
● Malware obfuscation techniques:
● “Soft Hyphen – A New URL Obfuscation Technique,” by Samir Patil. Symantec Official Blog, http://www.symantec.com/connect/blogs/soft-hyphen-new-url-obfuscation-technique