Jumpstarting Your Security Awareness Program

Transcription

1 Jumpstarting Your Security Awareness Program Michael Holcomb Director, Information Security HO

2 Jumpstarting Your Security Awareness Program Classification: Confidential Owner: Michael Holcomb Approver: Phil Cirulli Prepared: January 21 st, 2015 HO

3 The Need for Security Awareness Most organizations focus on controlling the perimeter through firewalls, intrusion detection systems and other technical security controls Attackers are targeting your employees as ways to gain access to your internal network Employees can be targeted in their personal life as well as back at the office More than likely, someone is on your network right now doing something they shouldn t be! HO

4 Initial Questions to Answer Why are you providing security awareness? Compliance requirements? Grassroots initiative? Or? What do you want to accomplish? What type of behaviors are you trying to change? Who do you have support from? Your Executive Management? Your boss? Just you and yourself? What type of budget support do you have? Feast or famine? Or somewhere in between? How much time do you have to dedicate to security awareness planning and initiatives? All the time in the world? Squeezing it in the other sixty hours a week you work? Or? HO

5 Leverage Security Awareness Frameworks Several security awareness frameworks and sets of best practices exist to leverage in establishing a new program or identifying gaps in existing Microsoft Security Awareness Toolkit SANS Security Awareness Planning Kit PCI Best Practices for Implementing a Security Awareness Program actices_for_implementing_security_awareness_program.pdf SANS Top 20 Critical Controls HO

6 Microsoft Security Awareness Toolkit Provides baseline documentation for security awareness programs, especially for those with compliance requirements HO

7 SANS Security Awareness Roadmap HO

8 PCI Best Practices for Implementing a Security Awareness Program Focuses on assigning responsibilities for members of the security awareness team Includes various levels of training for specific groups of users Provides a number of simple metrics for measuring effectiveness of security awareness efforts All Personnel Management Specialized Groups HO

9 SANS Top 20 Critical Controls 1. Inventory of Authorized and Unauthorized Devices 2. Inventory of Authorized and Unauthorized Software 3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers 4. Continuous Vulnerability Assessment and Remediation 5. Malware Defenses 6. Application Software Security 7. Wireless Access Control 8. Data Recovery Capability 9. Security Skills Assessment and Appropriate Training to Fill Gaps 10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches 11. Limitation and Control of Network Ports, Protocols, and Services 12. Controlled Use of Administrative Privileges 13. Boundary Defense 14. Maintenance, Monitoring, and Analysis of Audit Logs 15. Controlled Access Based on the Need to Know 16. Account Monitoring and Control 17. Data Protection 18. Incident Response and Management 19. Secure Network Engineering 20. Penetration Tests and Red Team Exercises HO

10 Other Suggestions Leverage Free Resources Make It Personal Pull Back the Curtains Focus on Target Groups of Employees Social Engineering Tests Metrics HO

11 Leverage Free Resources National Cyber Security Alliance (NCSA) staysafeonline.org SANS Ouch! Newsletter securingthehuman.org/resources/ SANS Securing the Human Community HO

12 SANS Security the Human Community Led by SANS Lance Spitzner, the STH Community is the most valuable resource for security awareness today Access to some of the top minds practicing security awareness today in organizations of all sizes No vendors are allowed on the mailing list Sign up today at HO

13 Make It Personal Employees take cyber security practices to heart when taught from a personal perspective Teach your employees how to keep themselves and their families cyber safe at home Employees will bring their cyber safety practices back to the office with them HO

14 Do Not Reuse Passphrases/Passwords (Example) If an attacker was to compromise the username and password for your Netflix account, would they Be able to read your personal messages? Be able to make purchases with your Amazon or other accounts? Be able to transfer money from your bank account? Be able to access your company s systems remotely and steal information? At a minimum, never share passwords between resources used for company business and personal use Assign unique passwords to your sensitive sites such as your bank account HO

15 Pull Back the Curtains Employees need to understand that security threats against the company they work for are real and that they do occur Reveal information related to actual security events and incidents with your employees to raise awareness Employees need to understand that they and their company are targets HO

16 Cyber Attacks Against Fluor Employees (Example) An advanced group of attackers targeted Fluor employees in order to gain access to one of our client s resources Initial contact was made via Facebook with a fake identity ( Emily ) in an attempt to establish personal rapport with targeted employees HO

17 Cyber Security Blotter (Example) HO

18 Focus on Target Groups of Employees While all employees should be provided with a basic level of security awareness training, specialized groups of employees requiring additional training should be identified Executives New Employees Accounting/Finance System administrators Application developers Employees with workstations infected HO

19 Social Engineering Tests Determine the need for an internal phishing campaign platform for raising phishing awareness Leverage the most common examples of phishing campaigns targeting your company today If you don t know what these are you need to find out! Consider conducting social engineering phone calls of your employees Pretend to be a member of your company s help desk or from the company s Internet Service Provider For additional ideas, visit the Capture the Flag (CTF) section on social-engineering.com HO

20 Metrics Use simple metrics to communicate to senior leadership the level of perceived risk with the human factor in your organization Ideally metrics will be used to demonstrate the effectiveness of your security awareness program over time HO

21 Metrics Suggestions Some examples of simple metrics for tracking various aspects of your security awareness efforts: Phishing Tests Percentage of employees clicking on test phishing links Percentage of employees opening test phishing attachments Percentage of employees providing company credentials online Phone Call Tests Percentage of employees providing company credentials over the phone to unknown party Overall level of cooperation for called employees Don t forget special interest groups such as IT, HR & Finance USB Drops Percentage of USB drops loaded on company computers HO