1 Security Awareness Program Learning Objectives By Aron Warren Last Update 6/29/2012
2 Module 1: You are a target You are a target Explain how employees are a target from both domestic and foreign threats. Government Laboratory employees are a highly valuable target from both domestic and foreign threats. Of the numerous vectors that employees generally encounter in their dayto-day activities we will focus on how employees are attacked through the vector of Internet usage versus in-person contact. Simple based attacks (tending more toward the spear-fishing) and downloads of software on the Internet are attack vectors to be focused on. This module will supplement the currently required security training materials. 1. Highlight several current attack vectors and the associated mitigating behavior. Use the past 6 months of attack vectors having been detected by Cyber Security. 2. Explain how employees can internally determine risk level of their actions while using the Internet. Using the above attack vectors give real world, relatable scenarios, that the employees can identify in their own work days. 3. Name a few of the future attack vectors as given in the June SEC 464 Quarterly Threat Briefing. 4. Explain how current threats to foreign adversaries, eg. Flame, could be adapted to assault US infrastructures, or could backfire causing domestic damage. 5. Re-iterate the key points from the annual required computer security awareness training provided by corporate, tying in points from that training to this module to form cohesion across the trainings.
3 Module 2: Data protection Data protection Explain how employees should protect the data of their customers. Employees should be reminded of the specific ways of how to protect the data of their customers, both unclassified and classified. This information should expand upon then topics discussed in the required annual Data Classification and Security Clearance training but with more detail applicable to the computer based data. 1. Protecting unclassified data learning objective will briefly reiterate the different data classifications and categories from the required annual trainings. Once the basis has been restated then moving into how and where that data is used on the networks and servers we administer. 2. After the basics have been covered a transition into the tools available to protect the customer data. Examples of how to move data between our segmented networks will serve as an introduction for new staff members. 3. Classified data protection learning objectives will, again, draw upon the annual required training to restate the basics of data classifications and categories. A reminder will be given that only Need-to-Know people and further specific trainings are required in order to and to have those completed before their due date. 4. After the basics are covered then a brief reminder of who the declassification experts are for our organization as well as what tools are available for the encryption and transport of the various levels of classified data.
4 Module 3: Encryption Encryption Explain how encryption can be used in general day-to-day activities Employees can benefit from an increased use of encryption in their daily lives. This module will offer ideas and areas where encryption might be beneficial such as encryption during an incident response. This module will expand upon the material presented in the currently required trainings so as to focus on the areas the employees work in. 1. List the types of data, both classified and unclassified, that require encryption. This will briefly re-iterate upon the Data Protection module. 2. Where encryption is currently being used that the employees might not be aware of. List the places along the network that data is encrypted but the staff might not be aware of, thusly removing the need for additional encryption. 3. Give examples of where encryption can be used, but is currently not mandatory.
5 Module 4: Know your Security Operations Center (SOC) Know your SOC Explain when and how employees can and should engage their SOC. The SOC performs many duties that benefit both directly and indirectly the employees of org XXXX. This module will explain who the staff currently is, what their duties are and when to engage those employees according to Memorandums of Understanding (MOUs) and additional agreements. 1. Introduce Staff, what their names are, what they do, who they report to and what access levels they possess. 2. Explain the SOC s mission, what they do for us, what they monitor, what response times are and what they expect from us. 3. Detail when and how to engage the SOC. This is under what scenarios the SOC is to be engaged. Example being during environmental issues affecting server availability, when a physical security issue has been observed, what to do when after hours work is performed.
6 Module 5: Data destruction Data destruction Explain how and when data should destroy data. Employees are called upon to destroy data on a variety of file system types. This module will explain the tools for achieving data destruction that goes beyond what is provided in the required trainings. 1. Unclassified data destruction methods a. Staff will be pointed to the current location of unclassified shredders and recycling bins. b. For electronic files, the staff will be told about what needs to be done before drives are sent out for destruction. 2. Classified data destruction methods a. The staff will be pointed to the current location of classified shredders. b. For electronic files, the staff will be told about what needs to be done for proper classified data destruction.
7 Module 6: Browsing Browsing Explain how employees can improve their browsing habits. Employees regularly use the Internet to find answers to questions. Not all employees are aware of tools that make their browsing activities safer for the organization. This module will expound upon practices not included in the required trainings. 1. Using browser protection, extensions or add-ons: a. NoScript/NotScript for Java protection. MacOSX s latest Java controls. b. Updating your Java software from approved software repositories. c. HTTPS Everywhere or some similar that prefers HTTPS enable sites. d. Flash updating now automatic. 2. Sandboxing your web browser inside of a virtual machine. How to do this and what it buys you. 3. URL Verification is a good way to verify the website you are going to is authentic and (hopefully) malware free. This involved showing the staff how to take a URL and paste it into one of the major security vendor s websites. 4. Employees might be interested in using browsers that automatically update themselves, versus waiting for corporate downloads to be ready.
8 Module 7: Social Engineering Social Engineering Explain how employees might be socially engineered. Employees are pretty isolated and aware of the basic ways of being socially engineered through traditional channels: eg. , phone calls, etc. This module will go beyond required training to detail how day-to-day conversations with non-employees can be socially engineered to gather information. 1. Opportunities outside work for employees to be contacted. Include scenarios from actual employee experiences. a. Wearing badges outside of the workplace. b. Employees giving out work addresses, on websites, in mailing lists, on social networking sites. c. Patterns of behavior may be learned. What is learned about an employees habits, hobbies, family, traveling may be used against them. 2. Insider Threat a. Judging normal requests for information from suspicious requests. b. How to report to the security and counterintelligence teams.
9 Module 8: Mobile Device Security Mobile Device Security Explain further methods to protect the security of their mobile devices. Employees who use mobile devices are at a greater risk for data compromise. This module will expound upon the information presented in the current required trainings. 1. Laptops connected via VPN and how corporate security can be bypassed by adversaries. a. When using the various VPN connection methods, how do each one allow an attacker to pivot through the VPN? b. For non-full-vpn connectivity, what are the dangers of allowing others to use that computer? Are there less protections than with full-vpn computers? c. Laptops that go on foreign travel services that are available. 2. Mobile phones and how to use the security mechanisms available: a. Full device encryption aka. Full disk encryption b. Longer than 4 digit password locks for phones c. Remote device wiping through Exchange or icloud d. Application Sandboxing and the model that ios e. Knowingly / unknowingly allowing access to your contact list f. Applications like XXXX and how their model protects corporate data
10 Module 9: Protecting your personal computer Protecting your personal computer Explain how employees should protect the personal computers at home to ensure corporate security. Employees that use personal devices, eg. home computers, to access corporate resources should be aware of the attack vectors that can be leveraged through their home computers. 1. Detail several home computer vectors to gain access to corporate resources such as a. Keyloggers b. Screen scraping c. Leaving VPN sessions unattended 2. Normal suite of antivirus and antimalware 3. Firewalls that are available, either host based or network based: a. ZoneAlarm b. Astaro Security Gateway 4. Patching, especially automated patching, and various ways of achieving it.
11 Module 10: Hacked Hacked Explain how be made aware of current attack vectors through periodic updates. Employees should be briefed regularly on the current threat vectors. 1. Employees are given knowledge of current attack vectors hitting the labs 2. Employees should be reminded, beyond SANS 464 briefings, what signs they should look for to indicate a compromised machine. 3. Employees should be encouraged to seek audits from colleagues to verify security standards are being used, eg. peer audits. 4. What steps should be done if a machine appears to be compromised
FIRST Site Visit Requirements and Assessment Document originally produced by CERT Program at the Software Engineering Institute at Carnegie Mellon University And Cisco Systems PSIRT Revision When Who What
The Critical Security Controls for Effective Cyber Defense Version 5.0 1 Introduction... 3 CSC 1: Inventory of Authorized and Unauthorized Devices... 8 CSC 2: Inventory of Authorized and Unauthorized Software...
New York State Office of the State Comptroller Division of Local Government and School Accountability LOCAL GOVERNMENT MANAGEMENT GUIDE Information Technology Governance Thomas P. DiNapoli State Comptroller
ICC CYBER SECURITY GUIDE FOR BUSINESS ICC CYBER SECURITY GUIDE FOR BUSINESS Acknowledgements The ICC Cyber security guide for business was inspired by the Belgian Cyber security guide, an initiative of
BELGIAN CYBER SECURITY GUIDE PROTECT YOUR INFORMATION This Guide and the accompanying documents have been produced jointly by ICC Belgium, FEB, EY, Microsoft, L-SEC, B-CCENTRE and ISACA Belgium. All texts,
The Cloud App Visibility Blindspot Understanding the Risks of Sanctioned and Unsanctioned Cloud Apps and How to Take Back Control Introduction Today, enterprise assets are more at risk than ever before
SECURITY FOR INDUSTRIAL CONTROL SYSTEMS IMPROVE AWARENESS AND SKILLS A GOOD PRACTICE GUIDE Disclaimer Reference to any specific commercial product, process or service by trade name, trademark, manufacturer,
Reducing the Cyber Risk in 10 Critical Areas Information Risk Management Regime Establish a governance framework Enable and support risk management across the organisation. Determine your risk appetite
PCI Quick Reference Guide Understanding the Payment Card Industry Data Security Standard version 1.2 For merchants and organizations that store, process or transmit cardholder data Contents Copyright 2008
Network Detective 2015 RapidFire Tools, Inc. All rights reserved V20150201 Contents Purpose of this Guide... 3 About Network Detective... 3 Overview... 4 Creating a Site... 5 Starting a HIPAA Assessment...
SECURITY THREATS: A GUIDE FOR SMALL AND MEDIUM BUSINESSES What does an SMB need? A successful business works on the basis of revenue growth and loss prevention. Small and medium-sized businesses are particularly
Chapter 3.3: IT and Cloud Computing Darren Brooks, Daniel Roberts, Depeche Eliot 1. Introduction Advances in workplace technology and more specifically information technology have driven significant change
Guidelines for smart phones, tablets and other mobile devices Summary Smart phones, tablets and other similar mobile devices are being used increasingly both privately and in organisations. Another emerging
Poplar Street Primary School ICT Security and Acceptable Use Policy E-Safety policy 2013/14 Working Together Aiming High! 1 Contents 1. Introduction... 3 2. Policy Objectives... 3 3. Application... 3 4.
Chapter 3 Controls and Safeguards Solutions in this chapter: Data Security Program Security Controls Technical Safeguards Access Control Activity Logging and Monitoring Software Assurance Change Management
Cyber Essentials Scheme Requirements for basic technical protection from cyber attacks June 2014 December 2013 Contents Contents... 2 Introduction... 3 Who should use this document?... 3 What can these
Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or
Small businesses: What you need to know about cyber security Contents Why you need to know about cyber security... 3 Understanding the risks to your business... 4 How you can manage the risks... 5 Planning
Getting Physical with the Digital Investigation Process Brian Carrier Eugene H. Spafford Center for Education and Research in Information Assurance and Security CERIAS Purdue University Abstract In this
Welcome to the HIPAA, Privacy & Security Training Module THIS TRAINING MODULE IS APPROVED FOR NON-COMMERCIAL USE ONLY. Copyright protected by the University of North Carolina at Chapel Hill, 2013-15 During
Acknowledgment to ECSC for guidance and support in the creation of elements of this manual Introduction Rapidly developing information and communication technologies (ICT) are exciting and motivating learning
A Trend Micro Research Paper Suggestions to Help Companies with the Fight Against Targeted Attacks Jim Gogolinski Forward-Looking Threat Research Team Contents Introduction...3 Targeted Attacks...4 Defining
A Guide to Information Technology Security in Trinity College Dublin Produced by The IT Security Officer & Training and Publications 2003 Web Address: www.tcd.ie/itsecurity Email: ITSecurity@tcd.ie 1 2
CYBERSECURITY A Resource Guide for BANK EXECUTIVES Executive Leadership of Cybersecurity CEO LETTER I am proud to present to you the CSBS Executive Leadership of Cybersecurity Resource Guide. The number
Next Generation Cloud Computing Issues and Solutions Jeon SeungHwan 1, Yvette E. Gelogo 1 and Byungjoo Park 1 * 1 Department of Multimedia Engineering, Hannam University 133 Ojeong-dong, Daeduk-gu, Daejeon,
The Department of Health and Human Services Information Systems Security Awareness Training Fiscal Year 2015 Information Systems Security Awareness Introduction Information Security Overview Information
Continuous Compliance for Energy and Nuclear Facility Cyber Security Regulations Leveraging Configuration and Vulnerability Analysis for Critical Assets and Infrastructure May 2015 (Revision 2) Table of
Protecting PERSONAL INFORMATION A Guide for Business FEDERAL TRADE COMMISSION PROTECTING PERSONAL INFORMATION A Guide for Business Most companies keep sensitive personal information in their files names,