Transcript Document

To summit (surmount?) the Matterhorn
Building an Effective Security Awareness and Training Program
SHAMBLIN | HOFFMAN
Quinn Shamblin – Executive Director & Information Security Officer, Boston University
[email protected] | @BUInfoSec | www.linkedin.com/in/quinnshamblin/
Harry Hoffman – Security Operations Lead, MIT
[email protected]
Agenda – The Expurgated Version
▪ Security is a mountain [9 - 10*]: Awareness programs: the what, why and overview of how
▪ Topic [10 - 10:30]
▪ Topic [10:45 - 11:15]
▪ Topic [11:15 - 12]
▪ Topic [1 - 2:15]
▪ The route setters [2:30 - 3ish]: Considerations in managing an awareness program
(We will show the full agenda once we have talked through a few things…)
*Times are very general. Today will be filled with discussion.
What is Security?
Security is a Mountain
Today’s metaphor
▪ Security is a mountain that we are trying to surmount
▪ Huge, many-faceted, challenging, ever-changing, treacherous
▪ Formed by the tectonic plates of regulation and practicality
▪ Regulatory requirements
▪ Limits of practicality
▪ The classic view of security
▪ Getting in the way of end users getting things done
▪ Department of Business Prevention
What do we mean by
Security Awareness?
Training v. Awareness
▪ Training = how, practical skills
▪ Awareness = why, emotional and intellectual motivation
▪ “Security training provides users with a finite set of
knowledge and usually tests for short-term
comprehension….
▪ Security Awareness programs strive to change behaviors of
individuals, which in turn strengthens the security culture.
Awareness is a continual process. It is not a program to tell
people to be afraid to check their e-mail. The discipline
requires a distinct set of knowledge, skills, and abilities.”
▪ “SETA” – Security Education Training and Awareness
Why should we have an
awareness program?
The Debate
▪ Disagreement by some big names
▪ Against (Bruce Schneier)
• “I personally believe that training users in security is
generally a waste of time and that the money can be spent
better elsewhere. Moreover, I believe that our industry’s
focus on training serves to obscure greater failings in
security design.”
• $
• Difficult to prove value
• Breaches happen anyway
▪ For (Ira Winkler)
Why should we bother doing
this when some experts
say it has no value?
(Slide graphic, reconstructed as a list)
▪ Safety of Organizational Information: HIPAA, PCI, FISMA, SOX, Trade or Research Secrets, Reputation
▪ Safety of Personal Information
▪ Personal Security
▪ Network Hygiene
Perhaps a more satisfying answer
▪ (Aside from being required by several regulations)
▪ Focusing on technology misses the whole point
▪ Understand and avoid fraudulent or malicious behavior
▪ These scams have been around for years, sometimes
hundreds of years
What is the goal of
Information Security
Awareness?
The Goal: To Change Behavior
▪ In order for a person to change their behavior, they
must want to change their behavior
▪ This is an emotional issue not an intellectual one
▪ We don’t need to make them an expert
▪ (Feeds into recommendations on approach)
▪ A little bit of knowledge goes a long way if they
understand and believe
▪ However, to Bruce’s point, we need to make it easier
for them
When you think of
security training, what
do you think of?
What are you doing for
Awareness?
Some Awareness Activities
▪ Orientation/on-boarding
▪ Regulatory Training
▪ NCSAM
▪ Email campaigns
▪ Phishing campaigns
▪ Movie nights
▪ Posters
▪ Hacking demos
▪ Flyers/pamphlets
▪ Local celebrity endorsements
▪ Video campaigns
▪ Contests
▪ Teaching courses (zeitgeist)
▪ Off-boarding
▪ Shredding events
▪ Sharing news articles
The Awareness and Training Framework
▪ There is no all-encompassing true path to the goal
▪ Success requires a multi-tiered approach:
1. Getting buy-in and support from the highest level
2. Middle management support,
both IT and business line
3. Building a security culture into your IT
practitioners: Developers, Admins,
Desktop Support
4. Giving the end users the tools and
knowledge they need
+ Having a plan to successfully develop and manage
an enterprise awareness program
Agenda
▪ [Q] The mountain is security [9 - 10]: Awareness programs: the what, why and overview of how
▪ [Q] Shouting from (to?) the peaks [10 - 10:30]: Tone from the top. Buy-in and support from the highest level
▪ [H] Tone from the middle… [10:45 - 11:15]: The importance of support by middle management, both IT and line
▪ [H] Those that help us climb [11:15 - 12]: The real front line. Building a security culture into your IT practitioners: Developers, Admins, Desktop Support
▪ [H] The climbers [1 - 2:15]: Those we are trying to help, the end users
▪ [Q] The route setters [2:30 - 3ish]: Considerations in managing an awareness program
Shouting From (To?) the Peaks
The voice from the top
is heard the farthest
Do we really need
Senior Management
support?
Things we can only get through Mgmt
▪ Visible support
▪ Exposure to the Board
▪ Policies
▪ Setting responsibility
▪ Money
▪ Beware the arête
Visible Support
▪ High level organizational Priorities
▪ Exposure to the Board
▪ Reporting of status
▪ Positive as well as negative
▪ Example to next layer of management and
down (the start of the support line)
▪ Delegated authority
▪ “The president has asked that we…”
If you can’t get visible support
▪ Doesn’t mean you have no program
▪ Changes how your program will need
to be run:
▪ Middle tier management
▪ Core IT
▪ End users
▪ Aligning security with core
business objectives:
▪ The argument: “security as an enabler”
▪ Could Amazon exist without security?
Wait… Policies?
Are policies necessary for a
good awareness program?
What policies might
be helpful?
What if I can’t make
or pass policy?
P. v. p. – Policy [P] v. procedure [p]
▪ [P] Data Classification
▪ Training and sensitivity by context of sensitivity of the data
▪ Signs in hospitals reminding nurses and doctors to be
careful where and how they talk about patient information
▪ [p] Onboarding training policy (or at least procedure)
▪ Periodic refresh
▪ [p] Mandatory refresher training
▪ Those that fall for phishing…
Who is responsible
for security?
Really?
Setting Responsibility
▪ Changes to the actual organizational chart
▪ Tie upper management incentives to security goals
▪ Senior management bonuses – Goal for training
▪ Creating dotted lines across the organization to InfoSec
▪ Input to performance evaluations
▪ SMART goals
• Increase in average performance
on a security evaluation
• Requirement to measure against peers
• Application updates per quarter
• Passes OWASP Top 10/Security code audit
How do I drive buy-in from
Senior Management?
Have a
Breach
Seriously, I can never get
money for security.
What can I do about that?
Is FUD bad?
For management, yes FUD = bad
▪ Talk risk not fear
▪ Risk evaluation, based on REAL risk probabilities or
estimates where known.
▪ Quantified risk analysis
• Be realistic with your probabilities
▪ Regulation, monetizing the
risk using standard risk
assessment techniques
▪ COSO
▪ Binary risk analysis
Talk reputation and then talk numbers
▪ Reputation
▪ Peer institutions, ISACs, IVY+
▪ Best practices
▪ Remember the bottom line. Control proposed cost.
▪ What can you do on a shoestring?
▪ Choose the biggest impact for lowest dollar
▪ Value proposition – Cost/Benefit
I have had high level buy-in
in the past and my program
still failed. Why!?
This is not a guarantee of success
▪ Sabotage by other senior managers or others
▪ Don’t care
▪ Not fond of change
▪ Thinks it doesn’t apply to them
▪ Stragglers
▪ Impact of a single negative person
▪ Crowd mentality
▪ Don’t let it discourage you
▪ Attempts before first successful attempt
Summary: Managing Senior Leadership
▪ You are the lead climber
▪ Forges ahead, gets support, establishes the anchor,
sets the line so the next group can be hooked in
▪ Speak the language of business risk and value
▪ Total cost, risk avoidance, protection of reputation
▪ Monetize the impact of bad security choices
• Compromised machines and accounts
• Time and effort costs, time to fix/reimage, time to investigate
and recover.
• Breaches
▪ Regulation, monetizing the risk using standard risk
assessment techniques (COSO)
Tone From the Middle…
My boss doesn’t care, why should I?
What do we need from
business line management?
Business Line Management
▪ Security is the responsibility of the business, not IT
▪ IT is a service organization, there to support the business
▪ They are responsible for nothing but delivering what the
business requires, but can be very helpful in doing so
• They are acutely aware of this, sometimes to the detriment
▪ Recall the responsibility setting
discussion from senior management…
What do we need from business line mgmt?
▪ Balance Risk - Fully understand the risk
▪ Include security in the conversation
▪ Introducing risk because they don’t understand the
security implications of their decisions
▪ Support
▪ Understanding that there are needs that they
sometimes don’t understand or care about
▪ …but they are still needs (compliance, etc.)
How do we get it?
▪ Can we change that relationship premise?
▪ Partner, not just provider
• IT not just a service organization, but responsible for
making the business better—another line
▪ Having an equal voice in decisions
▪ Establish dotted line ownership to IT
▪ Align process—both business and IT—with overall
business objectives and include security considerations
along the way
How do we get it?
▪ IT and Cyber Security must be business analysts
▪ “It is not my job to say no.
It is my job to find a safe way to say yes.”
▪ Suggest ways to meet the business goals,
not just veto
▪ Build and maintain credibility
▪ Back suggestions with data, not just anecdotes
▪ Be realistic about risk and what is really a “requirement” vs.
just a nice-to-have or a “best practice”.
The problem with autonomy ☺
▪ Procurement – Consumerization and the cloud
▪ Going and buying their own stuff
• Provide guidelines, recommendations and considerations
on safely using consumer products and cloud services
▪ End run around procurement, general counsel, security
• Relationship building and communication are important
• Regularly meet/lunch with folks to find out what’s going on
▪ Solution: relationship building
• Give good, easy-to-use, trustworthy
advice that people will want
• Be the go-to person/group
• Requires an openness to do more work
Tone From the Middle…
My IT boss doesn’t care, why should I?
IT Middle Management
▪ Interfaces directly with the different business units
▪ Sets team and IT unit priorities based on business input
▪ Relationship building
▪ Directly controls the priorities, tools and processes used
by the Developers and Admins
What do we need from IT mgmt?
▪ Getting things out the door can't be the ultimate
decider
▪ Need to help the business understand when they are
pushing for things with risk implications
▪ Include security in the conversation
▪ Introducing risk because they don’t understand the
security implications of their decisions
What else do we need from IT mgmt?
▪ Care for and support of IT staff
▪ Tools
• Automated code testing
• Vulnerability scanning
• Privileged account management
• Automated data/behavioral analytics
▪ Processes / frameworks / standards
▪ LISTENING and taking action
• Security issues that were not understood until there was
greater analysis
• Being willing to go back to the business
How do we get it?
▪ Build risk and security evaluation and approval into IT
processes
▪ Help communicate risk
▪ Involve other groups when needed
▪ Support IT budget requests for security functions/tools
▪ Make suggestions, get their buy-in
▪ But they propose it in the budget process
A word about integration with processes
▪ Enterprise Architecture
▪ Project Management
▪ Security evaluation framework for project requirement
analysis and associated training
▪ SDLC
▪ Software (and Security) Development Life Cycle
• Coding frameworks, best practices, code audits
• QA Testing/Approval
▪ Post-production
▪ Institutional Processes – IRB
Summary: Managing the Middle
▪ Management performance evaluation should include
security goals
▪ Make security the responsibility of Business and IT
management… in actuality, not just theory
▪ Help them understand risk
▪ Build evaluation and approval into processes
▪ Make it easy by providing tools and templates
▪ Propose solutions
▪ Provide visible support for good proposals
<Cthon98> hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> <AzureDiamond> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
PWNage
<Cthon98> I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.
Awareness Break
Those That Help Us Climb
Building a security culture
into your IT practitioners:
Developers, Admins, Support
Security Sherpas – IT making security easier
▪ Security is hard enough. Let’s have those designing
systems do so to make it as easy as possible
▪ I reject the common thought that
“Security and convenience
are mutually exclusive”
▪ What we need from IT >>
Make it easy to be secure
▪ Provide tools to make things easier
▪ Password managers
▪ Modern Multi-factor authentication
▪ Adaptive authentication
▪ iPhone 5s – fingerprint technology
▪ Next Gen AV
▪ New device and
other notifications
At the moment of truth
▪ Provide information at the moment they are making a
security decision.
▪ Clicking link is a security decision, but no one thinks of it
as such. {ClickProtect}
▪ Extended Validation Certificates
▪ DLP (Data Loss Prevention) Information Tools
▪ Information at the ready
▪ Regulations that affect your org
▪ List of resources easy to find
• Internal/External links ... regularly updated
The only ones that could know …usually
▪ Practitioners best know the systems and are often the
only ones that can understand anomalies
▪ Logs - oh, look... we're being scanned quite a bit for SQL
injection...
▪ Know the normal (or the expected) so that
abnormal behaviors become apparent
▪ Are you really logging in from Texas at 10am when you
just logged in from Boston at 9:15?
▪ …Don’t discount user reports of odd behavior
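The "Boston at 9:15, Texas at 10:00" case above is the classic impossible-travel check. The script below is an added example (not material from the talk or from either university) that runs that check over a few constructed login events; the city coordinates, the 900 km/h ceiling and the event list are all assumptions made here for illustration.

```python
"""Impossible-travel check over constructed login events (added example)."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed city -> (lat, lon) table. A real pipeline would geolocate source IPs.
GEO = {
    "Boston": (42.36, -71.06),
    "Austin": (30.27, -97.74),
    "Cambridge": (42.37, -71.11),
}

# Assumed ceiling: roughly airliner speed. Faster than this between two
# logins means the same person cannot have been at both places.
MAX_PLAUSIBLE_KMH = 900.0


@dataclass
class Login:
    user: str
    when: datetime
    city: str


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, earlier_login, later_login, speed_kmh) for every pair of
    consecutive logins by one user that would require travelling faster than
    max_kmh. Logins from the same city are never flagged; two different cities
    at the same instant count as infinite speed."""
    by_user = {}
    for login in sorted(logins, key=lambda l: l.when):
        by_user.setdefault(login.user, []).append(login)
    alerts = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            if prev.city == cur.city:
                continue
            km = haversine_km(GEO[prev.city], GEO[cur.city])
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append((user, prev, cur, speed))
    return alerts


# Constructed sample events: alice reproduces the Boston/Texas case from the
# slide; bob moves a few km across the river, which is normal.
SAMPLE = [
    Login("alice", datetime(2014, 3, 10, 9, 15), "Boston"),
    Login("alice", datetime(2014, 3, 10, 10, 0), "Austin"),
    Login("bob", datetime(2014, 3, 10, 9, 0), "Boston"),
    Login("bob", datetime(2014, 3, 10, 9, 30), "Cambridge"),
]

if __name__ == "__main__":
    for user, a, b, kmh in impossible_travel(SAMPLE):
        print(f"{user}: {a.city} {a.when:%H:%M} -> {b.city} {b.when:%H:%M} "
              f"needs {kmh:.0f} km/h, flag for review")
```

Treat a hit as a lead for the practitioner who knows the system, not as an automatic lockout: VPN exits, carrier NAT and coarse IP geolocation all produce false positives, which is exactly why the slide pairs this with "know the normal".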
Architecting for use, for ease and security
▪ Be a business analyst
▪ Turnkey business solutions with built-in security
▪ Research solution w/ pre-approved grant supporting
documentation (System Security Plans and Data
Management Plans)
▪ Web access and security
▪ Some IAM considerations
▪ Multi-factor authentication considerations
▪ Group/role-based authorization
Architecting for ease and security – IAM
▪ Account management lifecycle
▪ Account creation and delivery
▪ Security and support through its life
▪ Automated authorization changes based on role changes
▪ Automated account/authorization
removal/deprovisioning
▪ Align procedures with processes
▪ Tie to ERP system, HR takes an action, account is
automatically updated with preapproved changes
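What "HR takes an action, account is automatically updated with preapproved changes" looks like in code, as an added example that is not part of the talk or of any product mentioned in it: a reconciler compares an HR feed against the directory's accounts and emits only the preapproved changes implied by each person's role and status. The role-to-group matrix, the record formats and the sample people are all constructed here for illustration.

```python
"""Role-driven account reconciliation against an HR feed (added example)."""
import copy
from dataclasses import dataclass

# Constructed, preapproved access matrix: role -> groups. Unknown roles get
# nothing (fail closed) rather than inheriting whatever they had before.
ROLE_GROUPS = {
    "nurse": {"ehr-clinical", "staff-vpn"},
    "billing-clerk": {"ehr-billing", "staff-vpn"},
    "researcher": {"research-data", "staff-vpn"},
}


@dataclass
class HrRecord:
    user: str
    role: str
    status: str  # "active" or "terminated"


@dataclass
class Account:
    user: str
    enabled: bool
    groups: set


def desired_state(rec):
    """(enabled?, groups) an account should have given its HR record."""
    if rec.status != "active":
        return False, set()
    return True, set(ROLE_GROUPS.get(rec.role, set()))


def reconcile(hr_feed, accounts):
    """Return the list of directory actions needed so every account matches
    HR. Accounts with no HR record are reported for human review, never
    silently deleted, because the feed may simply be incomplete."""
    actions = []
    by_user = {a.user: a for a in accounts}
    for rec in hr_feed:
        enabled, groups = desired_state(rec)
        acct = by_user.get(rec.user)
        if acct is None:
            if enabled:
                actions.append(("create", rec.user, sorted(groups)))
            continue
        if acct.enabled and not enabled:
            actions.append(("disable", rec.user))
        elif enabled and not acct.enabled:
            actions.append(("enable", rec.user))
        for g in sorted(groups - acct.groups):
            actions.append(("add", rec.user, g))
        for g in sorted(acct.groups - groups):
            actions.append(("remove", rec.user, g))
    for user in sorted(set(by_user) - {r.user for r in hr_feed}):
        if by_user[user].enabled:
            actions.append(("review-orphan", user))
    return actions


def apply_actions(accounts, actions):
    """Simulate carrying the actions out; returns a new account list. In a
    real deployment this is the hook into the directory or ERP system."""
    state = {a.user: copy.deepcopy(a) for a in accounts}
    for action in actions:
        kind, user = action[0], action[1]
        if kind == "create":
            state[user] = Account(user, True, set(action[2]))
        elif kind == "disable":
            state[user].enabled = False
        elif kind == "enable":
            state[user].enabled = True
        elif kind == "add":
            state[user].groups.add(action[2])
        elif kind == "remove":
            state[user].groups.discard(action[2])
    return list(state.values())


# Constructed sample data: alice moved from billing to nursing, bob left,
# carol is a new hire with no account yet, dave has an account but no HR record.
SAMPLE_HR = [
    HrRecord("alice", "nurse", "active"),
    HrRecord("bob", "billing-clerk", "terminated"),
    HrRecord("carol", "researcher", "active"),
]
SAMPLE_ACCOUNTS = [
    Account("alice", True, {"ehr-billing", "staff-vpn"}),
    Account("bob", True, {"ehr-billing", "staff-vpn"}),
    Account("dave", True, {"staff-vpn"}),
]

if __name__ == "__main__":
    for action in reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS):
        print(action)
```

Running the reconciler a second time after applying its own output produces nothing but the orphan review, which is the property you want from anything that touches accounts automatically: the same HR state always yields the same access, and a missed run is caught up by the next one.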
Technologists: Ask for what you need
▪ Speak up, ask:
▪ For security training
▪ For frameworks and templates
▪ For reviews
▪ For support
Third-party considerations
▪ Solutions that automatically wrap security around
cloud solutions
▪ Guideline and considerations/recommendations where
this is not possible
▪ Compatibility/support of SAML and federated
authentication
▪ EDUROAM, OAUTH
▪ Get risk support involved:
Security, Purchasing and
General Counsel
Considerations after Production
▪ Security throughout the SDLC is not the end
▪ The higher-ed approach – Pay once, up front, never
pay again, run it into the ground
• Put up application but don’t plan for resource to maintain
them
▪ Vulnerability scanning and management
▪ What is secure today is not secure tomorrow
▪ Efficiency of operations and prioritization of patching
▪ Secure retirement at end of life
▪ Data destruction, cleaning the backups, hard drives
Summary: Security Sherpas
▪ IT can design to make things easier for the end users
▪ Deploy tools to make security transparent or to give
users security information at the moment of the
decision (where possible)
▪ When someone reports an issue, take it seriously
▪ Listen to what people are trying to accomplish vs.
trying to fix the problem as you think it is
▪ But often only you can know when something isn’t
right. Take that seriously too
▪ Ask management for what you need
The Climbers
Helping your people make good
security decisions
We are in this together
▪ We are all responsible,
but we rely on each other
▪ Those on the ground rely on
the support of management
and IT
Traditional Training
▪ Estimated > 50% of data breaches are due directly or
indirectly to poor IS security compliance 1
▪ Per Gartner most SETA programs are developed based on
“tradition, personal judgment and whim” 2
▪ Most SETA programs lack an underlying theory 3
▪ These programs are not working well:
▪ < 12% believe awareness programs are effective 4
▪ 24% didn’t know if their university had a security policy 5
▪ 18% had read it 5
Training Pedagogies
                       | Transmission         | Transaction                  | Transformation                                      | Transformation
Learning paradigm      | Behaviorism          | Cognitivism                  | Constructivism                                      | Social Constructivism
General aims           | Mastery of knowledge | Cognitive abilities          | Change beliefs and actions, personal change         | Change beliefs and actions, communal change
Content                | Subject centered     | Problem centered             | Learner centered                                    | Community centered
Teaching methods       | Instructor led       | Cognitive problem solving    | Personal knowledge through collaboration            | Communal knowledge through collaboration
Evaluation of learning | Tests                | Acquired intellectual skills | Conversational forms of evaluation for individuals  | Conversational forms of evaluation for groups
We are normally here: the Transmission/Transaction columns.
We want to be here: Transformation.
Learning theory for SETA
▪ The pedagogy for SETA should be “social constructivism”
▪ “persuasive and non-cognitive”
▪ Cognitive arguments and pedagogies are not successful at
changing behaviors.
▪ Social constructivism:
groups construct knowledge
for one another collaboratively
creating a culture
Advertising has been figured out
▪ Include concepts from the human behavioral and
organizational sciences field, which has already been
largely explored and figured out…
▪ Leverage those who know in creating the program
▪ Marketing and advertising professors in your Business or
Communications Schools
Approach for General Training
▪ Symbols are more important than words
▪ Bullet points and stories
make lasting impressions
▪ Persuasion not fear
▪ Positive FUD
▪ Fun, engaging – not stodgy
▪ Provide clear ways to act
▪ Teach common sense
(build common sense)
▪ Leverage social media for distribution and creation
▪ Crowd source
Approach for General Training
▪ Don’t overwhelm – Pick 2-3 priorities each year
▪ Instill a sense of ownership
▪ Reward actions
▪ Don’t ignore or forget anyone – everyone has a role
▪ Don’t forget third parties and contractors
Leverage enlightened self-interest
▪ Security benefits the individual & company
▪ With great ownership, comes great responsibility
▪ More and more, devices are owned by our clients
• Personal convenience, fewer devices
▪ Their device, our data, our risk
• Loss, theft, destruction
▪ Help them understand
and support the goal
of safety for both
Vary format and approach
▪ Change things up like you would an exercise program
▪ Intro/baseline/foundational
▪ Bricks of learning
▪ People will not remember long
▪ The gamification movement
▪ Ensure your program addresses different learning modes
• Audio, visual, and repetitive methods
▪ The buddy system
• Do you know anyone that needs to know this?
• Train the trainer (turn an end user into a trainer)
Target your training and awareness
▪ Audience - Specify employee, student, and contractor
responsibilities
▪ Information necessary and appropriate to that role
▪ (picture with cliff ready to avalanche)
▪ Modular
▪ Target to meet just the specific needs
• HIPAA: Overview > Hospital Visitation > Patient record
handling > Research
▪ No shotgun approaches
Flash messages as part of a program
▪ Breaking news
▪ Live, action-oriented, present
▪ Balanced with realism and a
sense of proportion
▪ Pragmatic
▪ Keep your company’s strategic capabilities in mind
▪ Avoiding knee jerk responses
• Our systems will not run without Java or Flash
▪ Balance “the possible” with “the probable”
Summary tips for effective security training
▪ Serve small bites
▪ Reinforce lessons
▪ Train in context
▪ Vary the message
▪ Involve your audience
▪ Give immediate feedback
▪ Tell a story
▪ Make them think
▪ Let them set the pace
▪ Offer conceptual and procedural knowledge
Process of creating the training
▪ Leverage those who know
▪ Marketing and advertising professors in your Business or
Communications Schools or your PR department
▪ Crowdsourcing / Special Interest Group meetings
▪ Have end users design and suggest content themselves
(not IT, not sec)
• This is in and of itself an awareness activity
▪ They can help figure out what they and the groups they
represent don’t know and what they need to know
(What risks they realistically face)
• Tailor the program to that
Consider Outsourcing Options
▪ Popular outsource platforms
▪ http://www.securingthehuman.org/
▪ http://www.wombatsecurity.com/
▪ http://www.wecomply.com/
▪ http://www.inspiredelearning.com/sat/default.htm
▪ Things to look for
Summary: Managing the Climbers
▪ Use the correct pedagogy for your program
▪ Don’t overwhelm, pick 2-3 core messages each year
▪ Target your audience and use members of that
audience to design and build the training.
▪ Use people that know marketing and advertising
Implementation
Ideas and Examples
Sources of Material
Sources of Free Material - EDUCAUSE
▪ http://www.educause.edu/library/security-awareness
▪ Information Security Resources for Presidents and Senior
Executives
▪ http://www.educause.edu/library/resources/resources-
presidents-and-senior-executives-information-security
▪ Annual Information Security Awareness Video & Poster
Contest
▪ https://www.youtube.com/user/SecurityVideoContest
Sources of Free Material – Industry News
▪ nakedsecurity.sophos.com
▪ www.cisecurity.org
▪ isc.sans.edu
▪ www.secunia.com/community/advisories/historic/
▪ www.zerodayinitiative.com/advisories/upcoming/
▪ Multi-State Information Sharing and Analysis Center (MS-ISAC) – msisac.cisecurity.org/advisories/
▪ Research and Education Networking ISAC (REN-ISAC)
– www.ren-isac.net
▪ Microsoft Security Slate (arrange through your MS contact)
▪ www.privacyandsecuritymatters.com
Sources of Free Material – Professional Orgs
▪ National Cyber Security Alliance – National Cyber-Security Awareness Month – www.staysafeonline.org/ncsam/
▪ ISACA – Information Systems Audit and Control Association – www.isaca.org
▪ HTCIA – High Technology Crime Investigation Association – www.htcia.org
▪ InfraGard – FBI partnership/outreach to the private sector – www.infragard.org
Sources of Free Material – Security Vendors
▪ Trustwave Global Security Report – www.trustwave.com/gsr
▪ Verizon Data Breach Investigations Report – www.verizonenterprise.com/DBIR/
▪ Mandiant Intelligence Center Report – intelreport.mandiant.com
▪ Sophos Security Threat Report – www.sophos.com/en-us/threat-center/security-threat-report.aspx and nakedsecurity.sophos.com
▪ McAfee – http://www.mcafee.com/us/business-home.aspx
Sources of Free Material – Presentations
▪ Material created by Quinn and Harry that you may
freely rebrand
▪ Deter. Detect. Defend. AvoID Theft
▪ Mad Hacker (Gleeful “Scare Tactics” presentation)
▪ Securing Your Digital Life
▪ IM Social Engineering
▪ Monty Python-style script on password disclosure
▪ Shop Safe this Holiday Season
▪ Some are older and need to be updated, but are still a
place to start
▪ Ah, the IRS outsourced their Tax Return function to ‘Exentric Gamers’ again this year… Looks legit
http://www.exentric-gamers.com/templates/index.html
Ideas for easy Live Hacking Demos
▪ Sniffer, hash capture, password cracker
▪ Run a password cracking program on your users’
passwords and share aggregate data with them to help them
understand what would happen if someone managed to
get hold of their hashed passwords.
▪ SSID tampering
Top 5 excuses for doing nothing about
computer security!
EXCUSE 1. No-one's interested in little old me!
EXCUSE 2. My printer won't work with the latest updates.
EXCUSE 3. I've got a Mac.
EXCUSE 4. Security slows your computer to a crawl.
EXCUSE 5. I only browse to safe sites.
Breaking News | Awareness Break
The Route Setters
Considerations and tips in managing
an effective awareness program
You need a program.
You need to make a plan.
How?
General planning
▪ What are you trying to achieve and why?
▪ What is the goal?
▪ Who is your audience?
▪ What do they need?
▪ How are they best approached?
▪ What are common factors that lead to success?
▪ What constraints should you build in to the plan?
▪ What resistance are you likely to meet?
▪ How will you deal with it?
▪ How will you measure or prove value and success?
▪ How will you build a sustainable program?
Why are we doing this in the first place?
Reasons to have an awareness program
▪ It is a regulatory requirement
▪ HIPAA, PCI, FERPA, GLBA, FISMA (NIST 800-53), SOX (for publicly traded)
▪ It helps protect
▪ The organization
▪ The individuals themselves
▪ It can educate people on the policy
▪ (I’m sure they read them all when hired.)
You don’t know what you don’t know.
How do you fix that?
Collect Other Requirements
▪ Find out what is required, what various interests and constituencies in your organization (let’s call them stakeholders) may want from such a program
▪ Faculty, students, staff
▪ HR, communication, PR, physical security
▪ Regulatory officers, risk officers, general counsel, internal audit
▪ Gauge your efforts against your peers and those the next level up
▪ Recognize and embrace resistance
▪ Talk to your detractors – Opposing views are best at teaching you where your plan is weak
Reminder: Considerations for each level
▪ Go back to the end of each of our sections and review considerations for managing:
▪ Senior leaders
▪ Business line management
▪ IT management
▪ IT practitioners
▪ Clients on the ground
▪ Particularly important: If you can, ensure that all management have responsibility via goals set from the top
Factors of a successful plan
▪ Don’t forget this is Marketing.
▪ Creativity and enthusiasm are a must
▪ Don’t just say what not to do, tell them what to do
▪ Multimodal – what form factors can you think of?
• Generational and self-identity factors
▪ Security Culture …to an appropriate level
▪ Motivation for all levels
▪ Enterprise v distributed (enterprise experts working with local champions)
Understand and plan around constraints
▪ Constraints
▪ Timing constraints (fiscal or semester beginning or end)
▪ Effective timing cycle
• Training has a 27-day shelf life
• 90 days, three main topics at a time
• Connects to metrics as well
▪ Funding
▪ Ways around the constraints
▪ Things you can do
Create a plan
▪ Split into manageable chunks
▪ How do you climb the Matterhorn?
▪ One section at a time…
▪ Timing
• Monthly, quarterly, semesterly (?), annually
▪ Narrow the requirements
▪ Scope
▪ What will your program cover
▪ Start with least common denominator and build from there
Plan to prove value and success
▪ Plan at the beginning how to measure success
▪ Metrics
▪ Don’t forget to get a Baseline!
▪ Training records
▪ Compliance tracking and progress reporting metrics
▪ Plan to report regularly
Possible Metrics
▪ Success Metrics
▪ How many phishing messages get delivered
▪ Number of phishing reports
▪ Code analysis
▪ Update compliance
• Endpoint Operating System and Anti-Malware
• Server patches
▪ Value Metrics
▪ Frequency and number of compromised accounts
▪ Reduction in related tickets (staff hours)
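The phishing-related success metrics above (messages delivered, messages reported) are easiest to report when a campaign's results are reduced to a few rates that can be compared against a baseline, as the earlier "Don't forget to get a Baseline!" point asks. The following is an added example, not code from the presentation or from either speaker's institution: it assumes a per-recipient outcome record (a hypothetical `Outcome` type) from a simulated phishing campaign, with constructed sample data for a baseline campaign and a later one, and computes click rate, report rate, the rate of people who reported without clicking, and the median time to report.

```python
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Outcome:
    """One recipient's result in a simulated phishing campaign (hypothetical record layout)."""
    user: str
    delivered: bool                       # message reached the inbox (not caught by mail filtering)
    clicked: bool                         # recipient followed the simulated link
    reported: bool                        # recipient sent the message to the report-phish address
    report_minutes: Optional[int] = None  # minutes from delivery to report, when reported


def campaign_metrics(outcomes: List[Outcome]) -> Dict[str, float]:
    """Success metrics for one campaign; rates are over delivered messages, not sent ones."""
    delivered = [o for o in outcomes if o.delivered]
    n = len(delivered)
    if n == 0:
        # Nothing reached an inbox: rates are undefined, and a silent 0.0 would look like success.
        raise ValueError("no delivered messages; cannot compute rates")
    clicks = sum(o.clicked for o in delivered)
    reports = sum(o.reported for o in delivered)
    # Reporting without clicking is the behaviour the awareness program is trying to build.
    clean_reports = sum(o.reported and not o.clicked for o in delivered)
    times = [o.report_minutes for o in delivered
             if o.reported and o.report_minutes is not None]
    return {
        "sent": len(outcomes),
        "delivered": n,
        "delivery_rate": n / len(outcomes),
        "click_rate": clicks / n,
        "report_rate": reports / n,
        "clean_report_rate": clean_reports / n,
        # None when nobody reported; the report slide should say so rather than show 0
        "median_report_minutes": median(times) if times else None,
    }


def compare_to_baseline(baseline: Dict[str, float], current: Dict[str, float]) -> Dict[str, float]:
    """Change in each rate versus the baseline campaign.

    A negative click_rate delta and positive report_rate / clean_report_rate deltas
    are the direction the program wants to show.
    """
    keys = ("click_rate", "report_rate", "clean_report_rate")
    return {k: current[k] - baseline[k] for k in keys}


# Constructed sample data: a baseline campaign before the program started ...
BASELINE = [
    Outcome("u01", True, True, False),
    Outcome("u02", True, True, False),
    Outcome("u03", True, True, True, 45),   # clicked, then reported
    Outcome("u04", True, True, False),
    Outcome("u05", True, False, True, 12),
    Outcome("u06", True, False, False),
    Outcome("u07", True, False, False),
    Outcome("u08", True, False, False),
    Outcome("u09", True, False, False),
    Outcome("u10", True, False, False),
]

# ... and a later campaign to the same ten people, one message caught by mail filtering.
FOLLOW_UP = [
    Outcome("u01", True, True, False),
    Outcome("u02", True, True, True, 30),   # clicked, then reported
    Outcome("u03", True, False, True, 5),
    Outcome("u04", True, False, True, 8),
    Outcome("u05", True, False, True, 20),
    Outcome("u06", True, False, True, 60),
    Outcome("u07", True, False, False),
    Outcome("u08", True, False, False),
    Outcome("u09", True, False, False),
    Outcome("u10", False, False, False),    # never delivered, so excluded from the rates
]


if __name__ == "__main__":
    base = campaign_metrics(BASELINE)
    now = campaign_metrics(FOLLOW_UP)
    for name, m in (("baseline", base), ("follow-up", now)):
        print(f"{name}: delivered {m['delivered']}/{m['sent']}, "
              f"click {m['click_rate']:.0%}, report {m['report_rate']:.0%}, "
              f"reported without clicking {m['clean_report_rate']:.0%}, "
              f"median minutes to report {m['median_report_minutes']}")
    print("change vs baseline:", {k: f"{v:+.0%}" for k, v in compare_to_baseline(base, now).items()})
```

Rates are computed over delivered messages so that a campaign the mail filter blocks does not read as a behaviour improvement; the delivery rate is reported separately because it is a control metric (how much of the simulation actually reached people), not an awareness metric.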
Plan for Reporting
▪ Release findings on a regular basis and at all levels of the organization
▪ Talk about what’s working
▪ Talk about what’s not working
▪ Talk about what you’re going to do to fix the not working
▪ Gauge yourself among your peers (ISACs, IVY+, etc.)
▪ Report to each group down through the levels
▪ Not just to senior management
▪ Don’t create acrimony, change is hard enough!
Vet the plan, get support
▪ Get people on board before you begin. Buy-in
▪ Give others ownership, get them invested
▪ A personal reason to actively help the program succeed
▪ Remember to embrace resistance as an opportunity to improve
▪ Talk to your detractors
▪ Can teach you where your plan is weak.
Common points of resistance
▪ Slippery slope
▪ Adding security controls in an unmanaged environment
▪ Privacy (in higher ed)
▪ Big brother
▪ Not having well-thought-out programs
▪ Why people don’t want security
▪ The fallacy of “academic freedom”
Addressing Resistance
▪ Listen.
▪ Work to understand the real concern
▪ Rephrasing
▪ Build selfish considerations and personal benefits into the program
▪ Help people understand the “A” in the “C.I.A.” triad
Execute the plan
Program Sustainability
Keep things fresh
ENJOY THE CLIMB!
References used as source material for this presentation are collected in the notes section of this slide…