Kai Axford, CISSP, MCSE
Sr. Security Strategist, Microsoft Corporation
SIA202

Topics
• Awareness as a survival technique
• Success factors
• Approach
• Principles: the “ABCs”
• Content
• Techniques
• Tools
• Measurement and evaluation
• Resources

Survival

Your Staff: Cost-Effective!
• First to be affected during an incident
• Compliance with policy can make or break any security program
• Awareness helps to—
  – Become your organization’s detection instruments
  – Make security reflexive
  – Prevent incidents
  – Mitigate damage if something happens
• Being alert to danger signals, and responding quickly, is often the difference between surviving…and not

How to Spend a Dollar?
• Process
• Technology
• Risk assessment
• Awareness
• Policy

Success Factors
• Information security policy
• Senior-level management support and buy-in
• Program’s focus that security, at its core, is a people problem
• Goals (short-, intermediate-, and long-term)
• Audience profiles
• Motivational techniques

Information Security Policy
• Clarify and document management’s intention
• Set expectations and guide behavior
• Effective policies state—
  – Goals
  – Responsibilities
  – Allowed behavior
  – Prohibited behavior
  – Penalties
• Helps deal with certain personality types…

Awareness Policy
• Increases credibility and visibility of the entire information security program
• Should establish—
  – That participation in the awareness program is mandatory
  – That everyone will receive enough time
  – Who is responsible for conducting the program

Senior-Level Sponsorship
• A proper budget—
  – Prevents middle management from denying requests to fund security
  – Allows for the time with no “bottom line” obviousness
• Lead by example
  – Executives must themselves be bound by policy
  – Exemptions cost money, blow the budget!
• Affirm security staff
  – Support those charged with enforcing policies
  – Especially important when security and convenience conflict

It’s a People Problem
• Don’t succumb to the urge to change conditions to force the outcome you want
• While we can use technology to mitigate some risk, it really depends on the cooperation of all the users
• If people don’t understand, or opt not to participate, the whole security program weakens

Goals
• Practice, reinforce, repeat, automate
• Make it reflexive to “think security”
• Reinforce desired (often already known) behavior
• Gradually change undesired behavior
• Teach what happens in the event of a failure
• Be: specific, realistic, measurable

Audience Profiles
• Everyone, from summer intern to CEO, requires the same level of security awareness
• Methods, however, should vary
• Needs: group by levels of computer experience
  – Jargon vs. analogies
• Roles and interests—
  – Users: Will it help me work better? Will it affect my performance review?
  – Managers: How much will it cost? What return?
  – Technicals: Is it authoritative and in the right language?
• Use surveys to find out what motivates

Art of Motivation
• Some behaviors simply must change
  – Sharing passwords
  – Exchanging confidential data
  – Belief that “hacking” is “cool”
• Appeal to—
  – The damage a breach often causes
  – Organizational recognition for protecting information
  – Fact that attacking is a crime (that often hurts people)
  – Desire to belong to a group that shuns harmful actions
  – Courage it takes to resist peer pressure (rules are good!)

Don’t Rely Only on Fear
• More important to emphasize—
  – Thinking about security in a new way
  – How to avoid danger
• Potential pitfalls
  – Losing the audience’s attention
  – Alienating the audience
  – Overdoing it
• Dribble it out…don’t overwhelm

Approach

Media Campaign
• No different than any other
  – Message: Why security is important
  – Product: The practice of security
  – Market: All employees
• Research and planning produce strategy
  – Define program objectives
  – Identify audiences (primary, secondary)
  – Define what’s to be communicated
  – Describe benefits to the audience

Media Research
• Observation, surveys, tests, interviews
• Help desk statistics and trends
  – How many password resets per week/month/…?
• IT staff knows your systems, ask—
  – “How would you break into it?”
  – “Are breaches predictable?”
• Use focus groups to test your message

“If I had six hours to chop down a tree, I’d spend the first five sharpening the ax.” —Abraham Lincoln

Sharpening the Ax
• Plan is essential
• Can be short and succinct—
  – Status of current efforts
  – Goals and objectives
  – How progress will be measured
  – Actions, by whom, when
• Good plans—
  – Allow for faster reaction
  – Take advantage of current events in the news
  – Coordinate around a theme

Awareness Principles

“A”
• Attention-getting
  – It’s a prerequisite to learning
  – Use clever slogans, eye-catching images
• Appeal to target audience
  – Know their existing values and motivations
  – Start where they are, move to where you want them

“B”
• Basic (simple, memorable)
  – Sets the stage for training, shouldn’t be complex
  – Take away fear and ignorance
  – Foster recognition that there’s a problem and that people are the solution
• Buy-in is better than coercion
  – Contributors to the awareness program are more likely to accept and follow controls
  – Get feedback for every suggestion; lack of it implies “no management interest”

“C”
• Current
  – Material must always be fresh
  – “Smell like the tide, not like the fish”
• Credible
  – Clear, relevant, appropriate
  – Have 15 passwords? Write them down—and protect the list
• Continuing
  – Persistence and repetition are important
  – Vary the methods used

Content

Risks
• Teach: “What does a threat look like?”
  – How to detect unauthorized activity
  – Busy toll-free line: popular? full circuits? attacked line?
• Typical risks
  – Malware types and how they do damage
  – Shared risk principles (my risk spreads across the network)
  – Impact of distributed attacks (DDoS mostly)
  – Privacy and confidentiality issues
  – Scope of embedded hardware/software vulnerabilities
• Tailor to audience
  – Remote access, for instance

Basic Countermeasures
• Security procedures and processes
• Personal practices
  – Passwords—length, reuse, expiration
  – E-mail attachments
  – File transfers and downloads
• Reporting procedures
  – Potential or actual security events
  – Who to? How to?
  – Telephone, e-mail, even fax

Responsibilities
• Emphasize—
  – Security is everyone’s responsibility
  – Management has made it a priority
  – It applies to everyone equally
• Make system or organizational codes of conduct discoverable and readable

Contact Information
• Who
  – Phone numbers, e-mail addresses, web sites
  – Security staff, incident handlers, help desk
• What
  – Affected computers and operating systems
  – Symptoms
  – Date/time/duration of incident
  – Active connections
  – Observed damage, actions taken
• How
  – Method of reporting the problem
  – Out-of-band of the affected system
• When
  – Report now? Or wait a while?
  – Potential damage vs. business impact

Techniques

Start with a Bang
• Not with a long, dry, boring introduction that enumerates every law, regulation, policy, standard, guideline or requirement
• Reactions
  – “I never thought of it that way.”
  – “That surprises me!”
  – “What a great idea!”
  – “I’d almost forgotten about that…”
  – “I can use this.”

Logos and Images
• Images have more power than words
• Look for colorful designs that catch the eye and burn into the brain
• Even animation can help
• (Poster example: “What would happen if someone changed your data?”)

Themes
• Unite several concepts into a related message
• Choose one that’s reflective of your business
• Incorporate design elements into posters
  – Hospital: “Prevention is better than a cure”
  – US Nuclear Regulatory Agency: “Keep it clean”
  – “Cyber Tyger”
  – “It’s a bug’s life”
  – “PC Doctor”

Posters
• (Poster images; one carries the figure 85,000,000)

Stories and Examples
• Real people, real consequences
• Long-time employees (“corporate memory”)
• News events
• Internet message boards
• Security personnel
• Again, tailor to audience
  – Theft of medical records: healthcare data processing
  – Fraud/impersonation: financial and accounting groups

Use Failure
• It’s a learning accelerator
• Online awareness training—
  – Should provide immediate feedback
  – No need to record answers
• Give staff something to think about

Example
The building is on fire. As you exit the building in a safe and orderly manner, you are able to take either the data backups or the backup of your custom-built application. Which do you take?
A. The data
B. The backup
• Either answer is correct; the training module should inform users of this
• Just like real life—not everything is easy

Encourage Audience Involvement
• Use questions—
  – “Did you know…?”
  – “What would you do if…”
• Counter-intuitive facts work wonders
  In the United States, which of the following activities is illegal?
  A. Creating an e-mail virus
  B. Disrupting Internet communications
  C. Failing to make daily backups

Be Surprising
• Just like a piñata—good material is full of surprises
• Role-play is excellent
  – Manager who doesn’t want to follow the “no tailgating” policy
  – Entertain, lead by example
• Retention is long lasting

User Action and Signoff
• Each user signs the acceptable use policy after reading it
  – Eliminates “I didn’t know…” excuses
  – Don’t forget periodic refreshers, too
• “Noisy prosecutions,” even internally, might discourage security breaches
• Also allows tracking trends
  – Assists identification and response

Analogies
• Analogies, metaphors, similes help to associate new concepts with prior knowledge
• Illustrations help reinforce the message
• Passwords are like winter underwear:
  – should be long and mysterious
  – protect the owner
  – used by one person, not a group
  – changed periodically
• Sensitive data is like prescription drugs:
  – used only by those who need it
  – not given or sold to unauthorized people
  – can damage those who don’t need it

Humor
• Gets attention, motivates and relaxes people
• Even influences organizational culture
• Be relevant, complement the message
  – Otherwise your credibility suffers
• OK to joke about yourself or those in power
  – Be careful about backfiring, though
• Sources
  – Cartoons—Dilbert is canonical
  – Humorous definitions
  – Letterman-style top ten lists (“Top ten excuses for not making a backup”)
  – Security-related poems or lyrics written to the tunes of popular songs (“The Infosec Rap”)
  – Haiku: “Computer virus, / Destroyer of files, / survives through lack of scanning”

Learning Styles
• Auditory
  – Picks up information from hearing it
  – Reached by lectures and written material
• Visual
  – Wants to see what’s being taught
  – Prefers diagrams, charts, and pictures
• Kinesthetic
  – Responds well to tactile input
  – Wants to walk through steps or learn by physically performing the task

Personalities
• Some people ignore procedures if they don’t understand the reasons
  – Give them the “whys,” it’s OK
• Give learners the choice after an exercise
  – Try again? Or just receive the answer?
  – Some people retain better when they deduce answers themselves; others simply want to see the result and move on

Circumstances
• Disaster—like a fire
  – Can be invigorating
• Current events
  – Can add credibility
  – Check security-related Internet news sites
  – Reward the first-discoverer “news hawk” who contributes a new story to the awareness program
• Recent attack
  – Also effective for obtaining budget

Tools

Considerations
• What tools are most appropriate?
• What methods are most likely to be credible and appropriate for the audience?
• Which and how many methods are feasible, given budget and time constraints?

Internet/Intranet
• Web sites on the Internet or hosted internally
  – Convenient for distributed organizations
  – Annual refresher training
• Good for people with diverse technology experience
  – Own pace, immediate feedback
  – Why? How?
• Flexible, customizable
• Reduce costs and training time
• E-mail for sending alerts and newsletters

Screen Savers
• Enable auto-locking screen saver with group policy
• Distribute eye-catching design
  – Hire a professional artist
  – Coordinate with other awareness themes
  – Consider animations or even interactive trivia
• Update regularly

Sign-on Messages
• Short reminder of users’ responsibilities
• Changed regularly
• Note: No legal coverage

Posters

Videos
• Great for orientation meetings and “brown bag” staff lunches
  – Provide popcorn—in bags with printed security messages
• Many advantages
  – Consistent message throughout the organization
  – Short and succinct: 20 minutes, no more
  – Save travel time and costs
• But…
  – Expensive to produce, though…US$3000/min
  – Become out-of-date rather quickly
  – Maybe produce segmented video?
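The Screen Savers slide above recommends enforcing an auto-locking screen saver through Group Policy, and the Pre- and Post-Observations slide later in the deck suggests checking for locked workstations as a before-and-after measurement. The following PowerShell script is an added example, not material from the SIA202 deck: it reads the registry values that the user-side Group Policy settings "Enable screen saver", "Password protect the screen saver" and "Screen saver timeout" write under HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop and reports whether the current session would lock itself. The 900-second ceiling is a constructed program target, not a figure from the slides; the registry path and value names are the standard Windows policy locations.

```powershell
# Added example (not from the TechEd SIA202 deck). Reports whether Group Policy
# forces a password-protected screen saver for the current user, so the result can
# be collected as part of a "locked workstations" spot check before and after training.

$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$maxTimeoutSeconds = 900   # constructed target: the session must lock within 15 idle minutes

function Get-ScreenSaverLockStatus {
    param(
        [string]$Key = $policyKey,
        [int]$MaxTimeout = $maxTimeoutSeconds
    )

    # A missing key or value means no policy is applied; that counts as non-compliant.
    $values = if (Test-Path $Key) { Get-ItemProperty -Path $Key } else { $null }

    $active = ([string]$values.ScreenSaveActive) -eq '1'      # "Enable screen saver"
    $secure = ([string]$values.ScreenSaverIsSecure) -eq '1'   # "Password protect the screen saver"
    $timeout = 0                                              # "Screen saver timeout", in seconds
    [void][int]::TryParse([string]$values.ScreenSaveTimeOut, [ref]$timeout)

    # All three must hold: saver on, password required, and a timeout inside the target window.
    $compliant = $active -and $secure -and ($timeout -gt 0) -and ($timeout -le $MaxTimeout)

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        UserName         = $env:USERNAME
        ScreenSaverOn    = $active
        PasswordRequired = $secure
        TimeoutSeconds   = $timeout
        Compliant        = $compliant
        CheckedAt        = (Get-Date).ToString('s')
    }
}

# Usage: append one row per check to a CSV so the pre-training baseline and the
# post-training numbers can be compared with the same instrument.
Get-ScreenSaverLockStatus |
    Export-Csv -Path "$env:TEMP\screensaver-baseline.csv" -Append -NoTypeInformation
```

Run the script under the user account whose policy you want to observe, since the values live in the per-user policy hive; a compliant row confirms that the lock is enforced centrally rather than left to the user's own Control Panel settings, which the slide's point about using Group Policy depends on.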
Trinkets and Tchotchkes
• Pencils, pens, highlighters—“Report breaches, it’s the ‘write’ thing to do”
• Erasers—“Wipe out password sharing”
• Notepads—“Note who should be in your area and challenge strangers”
• Frisbees—“Our information security program is taking off”
• Mouse pads and inserts—with a clear cover over an area holding removable paper inserts, making the cost to change the message far less than the cost of printing new pads
• Key chains—“You are the key to information security”
• Flashlights—“Keep the spotlight on security”
• Cups or mugs—“Awareness: the best part of SecuriTEA” (where the campaign has explained that TEA stands for training, education, and awareness)
• Magnets, buttons, stickers—“Stick with security”
• First-aid kits—“Be prepared for security”
• Rulers, calculators—“Security counts”
• Coasters, toys, hand exercisers, informational cards, and other items including posters, virus scanning software, and screen savers

Publications
• Newsletters and magazines
  – Paper and electronic
  – Print stressful communications on paper, staple a facial tissue to it
  – Add inconvenience
  – Increase user burden
• Targeted brochures, pamphlets, even comic books

Inspections and Audits
• Certainly raise awareness, at least during the event
• Try “security by walking around” (SBWA)
  – Catch staff doing something right
  – Leave behind certificates of congratulations, thank-you notes, or trinkets
  – Be random
• Try to social engineer your own workplace
  – Reward users who refuse to comply
  – Retest users who get duped

Conferences and Seminars
• International Computer Security Day
  – Annually, every 30 November
• “Grill Your Security Officer Cook-Out”
  – Serve food and drink
  – Encourage staff to bring questions for security officers
• Lectures by dynamic speakers
• Security awareness briefings
  – Senior executives
  – New arrivals

Measurement

It’s the Price We Pay
• How many received training?
  – Attendance sheets
  – Course registrations
  – Online completion notices
  – Signed acceptable-use policies
• Use empirical evidence to demonstrate effectiveness; feedback from—
  – Presenters
  – Audiences
  – Supervisors

Audience Satisfaction
• Evaluations and surveys
  – Yeah, it’s mostly a measurement of how well they liked it…but it’s a place to start
• Were the materials useful?
• Were the activities fun and memorable?
• Was the information relevant?
• Can you use it on your job?
• Any suggestions for improvement?

Learning Effectiveness
• Pre-tests measure prior knowledge
• Post-tests measure what the audience remembered
• Both useful for tailoring future programs
• Pre-test important: it’s how you measure improvement after the training!

Skill Transfer
• Gather input from an outside evaluator
  – Supervisor, practitioner, incident handler, help desk
• Measure improvements with—
  – Follow-up interviews
  – Walk-through testing
  – Help desk and incident reporting statistics
  – Audit findings
• Must acquire a pre-training baseline

Pre- and Post-Observations
• Passwords—test with cracking program
• Locked workstations—check during lunch
• Survey of attitudes and knowledge
  – Whom to report incidents to?
  – Take-home policy for old software?
• Monitor actual numbers and types of incidents
  – An increase is probably a sign that the awareness program is working—not that there are suddenly many more attacks!

Thank you!
Kai Axford
[email protected]

Resources
• www.microsoft.com/teched — Sessions On-Demand & Community
• www.microsoft.com/learning — Microsoft Certification & Training Resources
• http://microsoft.com/technet — Resources for IT Professionals
• http://microsoft.com/msdn — Resources for Developers

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.