PACB One-Day Cybersecurity Workshop
Cybersecurity Awareness and Training!
Presented by: Jon Waldman, SBS (CISA, CRISC)
Secure Banking Solutions, LLC
www.protectmybank.com
Agenda
What is cybersecurity?
What do I need to know about cybersecurity?
What are some of today's cybersecurity threats?
How do I build a useful Information Security Program?
How do I build a Risk Assessment that helps me make decisions?
People are the weakest link; how do I prepare and train my people to mitigate risk?
Bad things are going to happen; it's inevitable. How do I plan for and prepare to respond to incidents?
Security Awareness Training
How do you secure the human?
Security Awareness
Security Awareness is the degree or extent to which every member of staff understands:
the importance of security,
the levels of security appropriate to the organization,
their individual security responsibilities,
... and acts accordingly.
Social Engineering
"The manipulation of people, rather than machines, to successfully breach the security systems of an enterprise or a consumer."
People, by nature, are unpredictable and susceptible to manipulation and persuasion. Studies show that humans have certain behavioral tendencies that can be exploited with careful manipulation.
Rich Mogull, research director for information security and risk at Gartner, said social engineering is more of a problem than hacking: "We believe social engineering is the single greatest security risk in the decade ahead."
Regulatory Requirements
The Federal Reserve says:
"The Security Guidelines require a financial institution to train staff to prepare and implement its information security program. III.C.2 of the Security Guidelines. The institution should consider providing specialized training to ensure that personnel sufficiently protect customer information in accordance with its information security program. For example, an institution should:
Train staff to recognize and respond to schemes to commit fraud or identity theft, such as guarding against pretext calling;
Provide staff members responsible for building or maintaining computer systems and local and wide-area networks with adequate training, including instruction about computer security; and
Train staff to properly dispose of customer information."
FDIC says: "Train staff to implement the bank's information security program."
Regulatory Requirements
The FFIEC Information Security booklet says:
"Financial institutions need to educate users regarding their security roles and responsibilities. Training should support security awareness and strengthen compliance with security policies, standards, and procedures. Ultimately, the behavior and priorities of senior management heavily influence the level of employee awareness and policy compliance, so training and the commitment to security should start with senior management.
Training materials for desktop and workstation users would typically review the acceptable use policy and include issues like desktop security, log-on requirements, password administration guidelines, etc. Training should also address social engineering and the policies and procedures that protect against social engineering attacks. Many institutions integrate a signed security awareness agreement along with periodic training and refresher courses."
Document a Policy
Define target and purpose
Define the number of hours annually
Documentation requirements for attendance
Define general topics
Require additional details in a program (ISAP)
Sample ISAP Program
ISAP Program Topics
Training Topics
Training Videos
Information Security Day/Week
Security Posters
Trainer/Outsourcing
Reporting/Documentation
Integration of Acceptable Use
Meeting FFIEC Compliance: Customer Awareness and Education
1. Handouts / Pamphlets
2. Posters / Calendars
3. Security Awareness Day
4. InfraGard Certification
5. Social Engineering Tests
6. Games
7. Resources
8. Commercial Customer Roundtable
Posters: https://services.learnupon.com/store
Awareness Brochures: https://services.learnupon.com/store
Regular Email Notifications From the ISO
Test your Phishing IQ: http://www.sonicwall.com/furl/phishing/phishing-quiz-question.php
For more general information about protecting yourself from Internet Fraud, please read this article: http://www.fbi.gov/scams-safety/fraud/internet_fraud/internet_fraud#ndm
Securing the Human: http://www.securingthehuman.org/
InfraGard Awareness: https://www.infragardawareness.com/
Security Awareness Day
Onsite or Online Education
Customer Auditing Controls
Audit
  Onsite visits
  Self Assessment / Evidence
Social Engineering Tests (on customers?)
  USB/Media
  Dumpster Diving
  Phishing
  Impersonation (physical and phone)
Physical Security and Social Engineering Examples
Physical Impersonation
Pretext Calling
Phishing, Spear Phishing, and Whaling
Dumpster Diving
Unknown Media or Baiting