The Human Firewall How Security Awareness Impacts Your Control Environment

Transcription

1 The Human Firewall How Security Awareness Impacts Your Control Environment Dane Boyd, Security Awareness Training Principal Consultant John Andrew, IT Security Auditor Dell

2 Agenda Introduction In The News Red Team Stories Defining the Problem Winning Awareness Strategies Winning Awareness Tactics Q&A 2 Classification: //Dell /Confidential - Limited External Distribution:

3 Introduction Dane Boyd, Security Awareness Training Principal Consultant - Awareness Com Leader CISO - Led DSWx Awareness practice for 5 years - Fun facts: (From, Speak, Hobby) John Andrew, CISA, CISSP, GLEG - IT Security Auditor dotted line to CISO - Over 20 Years IT, IT Audit, and IT Security experience - Fun facts: (From, Speak, Hobby) 3 Classification: //Dell /Confidential - Limited External Distribution:

4 Disclaimer Rules of the Road This presentation is prepared solely for educational purposes. Our goal is to engage IT Auditors in Security Awareness efforts. Much of what we will share is based on our personal experience. Take what benefits you forget the rest. Questions are welcome! Please wait until transition points. 4 Classification: //Dell /Confidential - Limited External Distribution:

5 In The News Wired writer Andy Greenberg reports on Jeep Cherokee exploit All of this is possible only because Chrysler, like practically all carmakers, is doing its best to turn the modern automobile into a smartphone. Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks, controls the vehicle s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot. 5 Classification: //Dell /Confidential - Limited External Distribution:

6 In The News Wall Street Journal Michael Hayden describing the OPM hack 21 MM Security Clearance Records compromised. 6 Classification: //Dell /Confidential - Limited External Distribution:

7 In The News 7 Classification: //Dell /Confidential - Limited External Distribution:

8 In The News Critical Infrastructure Survey Results 48% of IT Executives believe that it is likely that there will be an attack on critical infrastructure. When - in the next three years Impact resulting in loss of life 8 Classification: //Dell /Confidential - Limited External Distribution:

9 Red Team Stories Critical Infrastructure The ERIPP and SHODAN search engines can be easily used to find Internet facing ICS devices, thus identifying potential attack targets. These search engines are being actively used to identify and access control systems over the Internet. Combining these tools with easily obtainable exploitation tools, attackers can identify and access control systems with significantly less effort than ever before. 9 Classification: //Dell /Confidential - Limited External Distribution:

10 Red Team Stories Project Shine - Control Systems Found Include- Traffic light controls Traffic cameras Swimming Pool Acid Pump Hydroelectric plant Nuclear Power Plant Hotel Wine Cooler Hospital Heart Rate Monitor Home Security System Gondola Ride Car Wash 10 Source: html Classification: //Dell /Confidential - Limited External Distribution:

11 Red Team Stories DHS Public Private Partnership 2014 IC Analyst Private Sector Program Critical Manufacturing Findings Lack of Awareness and information sharing Interpretation of cyber threats and the cyber security posture differed significantly between management, engineering, audit, compliance, and IT security. Need for more training, education, and awareness across all Critical Sectors. 11 Classification: //Dell /Confidential - Limited External Distribution:

12 Information Security = Building a Castle 12 Classification: //Dell /Confidential - Limited External Distribution:

13 95% 95% of all attacks on enterprise networks are the result of successful spear phishing Source: Allan Paller, Director of Research - SANS Institute 13 Classification: //Dell /Confidential - Limited External Distribution:

14 Defense in Depth Firewall IDS/IPS Network Defense Layers Web Proxy Anti-Virus Endpoint Monitoring End-point Defenses User Key Terrain 14 Classification: //Dell /Confidential - Limited External Distribution:

15 Strategies for a Vigilant Employee Executive Support Vigilant Employee Inspect what you expect Proper Attention 15 Classification: //Dell /Confidential - Limited External Distribution:

16 Strategy: Inspect what you expect

17 Defense in Depth: A Closer Look Testing Only 60% User Key Terrain of organizations have a Security Awareness Program. 17 Source: PwC The Global State of Information Security Survey 2014 Classification: //Dell /Confidential - Limited External Distribution:

18 Testing Improves Learning The added effort required to recall the information makes learning stronger. Henry L. Roediger III, Washington University in St. Louis and a co-author of Make It Stick: The Science of Successful Learning. 18 Classification: //Dell /Confidential - Limited External Distribution:

19 Strategy: Executive Support 19 Classification: //Dell /Confidential - Limited External Distribution:

20 Reason #1: Employee Resentment This guy 20 Classification: //Dell /Confidential - Limited External Distribution:

21 Reason #2: Employees Understanding and her! 21 Classification: //Dell /Confidential - Limited External Distribution:

22 Reason #3: Executives are part of the problem 22 Classification: //Dell /Confidential - Limited External Distribution:

23 Whaling

24 The Whale Hunt Salary Previous jobs Donations 24 Classification: //Dell /Confidential - Limited External Distribution:

25 The Whale Hunt 25 Classification: //Dell /Confidential - Limited External Distribution:

26 The Whale Hunt Salary Previous jobs Donations Children s name Mother s death date 26 Classification: //Dell /Confidential - Limited External Distribution:

27 The Whale Hunt Salary Previous jobs Donations Children s name Mother s death date City & State 27 Classification: //Dell /Confidential - Limited External Distribution:

28 The Whale Hunt Salary Previous jobs Donations Children s name Mother s death date City & State Tax Record Home Address Aerial Photo of home 28 Classification: //Dell /Confidential - Limited External Distribution:

29 29 Classification: //Dell /Confidential - Limited External Distribution:

30 30 Classification: //Dell /Confidential - Limited External Distribution:

31 31 Classification: //Dell /Confidential - Limited External Distribution:

32 Strategy: Treat Awareness like a vulnerability 32 Classification: //Dell /Confidential - Limited External Distribution:

33 Proper Importance CVE CVE Employee ID In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. Source: Wikipedia 33 Classification: //Dell /Confidential - Limited External Distribution:

34 Live Poll: How frequently are you patching the human firewall? New Employee Security Awareness Training? Annual Security Awareness Training? Periodic Security Awareness Newsletter? Phishing Assessments? Lunch & Learn? Other areas? 34 Classification: //Dell /Confidential - Limited External Distribution:

35 Tactics 35 Classification: //Dell /Confidential - Limited External Distribution:

36 Typical Security Awareness Program Tactics Once a year Too Long! Computer Expert Policy Acknowledgement Form? 36 Classification: //Dell /Confidential - Limited External Distribution:

37 Frequency Duration Instructor Focus Testing Reinforcement Learn from Arnold Worked out twice a day Trained each muscle group 3x/week sets per workout Tens of thousands of pounds SAT Tip: Frequency matters!!! 37 Classification: //Dell /Confidential - Limited External Distribution:

38 Pop quiz! Where am I from? 38 Classification: //Dell /Confidential - Limited External Distribution:

39 Frequency Duration Instructor Focus Testing Reinforcement How often are you training your employees? 39 Classification: //Dell /Confidential - Limited External Distribution:

40 Frequency Duration Instructor Focus Testing Reinforcement Who is this??? Edward Everett, Spoke at Dedication of Soldier's National Cemetery Two hours long speech Who spoke after him? 40 Classification: //Dell /Confidential - Limited External Distribution:

41 Frequency Duration Instructor Focus Testing Reinforcement Learn from Lincoln Gettysburg Address 272 words Two minutes SAT Tip: Shorter is better! Make it consumable! 41 Classification: //Dell /Confidential - Limited External Distribution:

42 Frequency Duration Instructor Focus Testing Reinforcement How long are your training sessions? 42 Classification: //Dell /Confidential - Limited External Distribution:

43 Frequency Duration Instructor Focus Testing Reinforcement SAT Tip: Understanding security is a skill. Communication is a separate skill! 43 Classification: //Dell /Confidential - Limited External Distribution:

44 Frequency Duration Instructor Focus Testing Reinforcement Who here is a strong communicator? Who here is highly technical? 44 Classification: //Dell /Confidential - Limited External Distribution:

45 Frequency Duration Instructor Focus Testing Reinforcement Learn from Coast Guard Continually adapted to smugglers methods: Cargo ships Fast Boats Submarines SAT Tip: Training must be specific to threats and adapt as threats change. Intel is key! 45 Classification: //Dell /Confidential - Limited External Distribution:

46 Frequency Duration Instructor Focus Testing Reinforcement What threats do we see today? How do we adapt? 46 Classification: //Dell /Confidential - Limited External Distribution:

47 Frequency Duration Instructor Focus Testing Reinforcement What threats do we see today? How do we adapt? 47 Classification: //Dell /Confidential - Limited External Distribution:

48 Frequency Duration Instructor Focus Testing Reinforcement Learn from the US ARMY What is the number one principle in peacetime training? Replicate battlefield conditions SAT Tip: Include realistic simulations as tests 48 Classification: //Dell /Confidential - Limited External Distribution:

49 Frequency Duration Instructor Focus Testing Reinforcement What are the battlefield conditions? How do you simulate these conditions? Phishing Vishing USB Drops Tail gating Bacon Confiscating sensitive info 49 Classification: //Dell /Confidential - Limited External Distribution:

50 Frequency Duration Instructor Focus Testing Reinforcement Learn from Advertisers 1.2 billion media impressions Social Media Television Radio Signage 107% Increase in Sales SAT Tip: Consistent message & multiple mediums (Combined with frequency) to change behavior 50 Classification: //Dell /Confidential - Limited External Distribution:

51 Frequency Duration Instructor Focus Testing Reinforcement What does reinforcement look like? Posters Newsletters Signage Reward Program Recognition Programs Secret Shopper Trivia 51 Classification: //Dell /Confidential - Limited External Distribution:

52 Frequency Duration Instructor Focus Testing Reinforcement Output 52 Case file: Arnold Classification: //Dell /Confidential - Limited External Distribution:

53 Results 53 Classification: //Dell /Confidential - Limited External Distribution:

54 Dell Managed Phishing Phishing Failure Rate 54 Classification: //Dell /Confidential - Limited External Distribution:

55 40% 55 Classification: //Dell /Confidential - Limited External Distribution:

56 Conclusion 56 Classification: //Dell /Confidential - Limited External Distribution:

57 Thank you!