Jumpstarting Your Security Awareness Program
Michael Holcomb, Director, Information Security
HO20110473 1
Jumpstarting Your Security Awareness Program
Classification: Confidential
Owner: Michael Holcomb
Approver: Phil Cirulli
Prepared: January 21st, 2015
The Need for Security Awareness
- Most organizations focus on controlling the perimeter through firewalls, intrusion detection systems and other technical security controls
- Attackers are targeting your employees as a way to gain access to your internal network
- Employees can be targeted in their personal lives as well as back at the office
- More than likely, someone is on your network right now doing something they shouldn't be!
Initial Questions to Answer
- Why are you providing security awareness? Compliance requirements? Grassroots initiative? Or?
- What do you want to accomplish? What types of behavior are you trying to change?
- Who do you have support from? Your executive management? Your boss? Just you and yourself?
- What type of budget support do you have? Feast or famine? Or somewhere in between?
- How much time do you have to dedicate to security awareness planning and initiatives? All the time in the world? Squeezing it in around the other sixty hours a week you work? Or?
Leverage Security Awareness Frameworks
Several security awareness frameworks and sets of best practices exist that you can leverage when establishing a new program or identifying gaps in an existing one:
- Microsoft Security Awareness Toolkit: www.microsoft.com/en-us/download/details.aspx?id=11428
- SANS Security Awareness Planning Kit: www.securingthehuman.org/resources
- PCI Best Practices for Implementing a Security Awareness Program: www.pcisecuritystandards.org/documents/pci_dss_v1.0_best_practices_for_implementing_security_awareness_program.pdf
- SANS Top 20 Critical Controls: www.sans.org/critical-security-controls/
Microsoft Security Awareness Toolkit
- Provides baseline documentation for security awareness programs, especially for those with compliance requirements
SANS Security Awareness Roadmap
PCI Best Practices for Implementing a Security Awareness Program
- Focuses on assigning responsibilities to members of the security awareness team
- Includes various levels of training for specific groups of users:
  - All Personnel
  - Management
  - Specialized Groups
- Provides a number of simple metrics for measuring the effectiveness of security awareness efforts
SANS Top 20 Critical Controls
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
Other Suggestions
- Leverage Free Resources
- Make It Personal
- Pull Back the Curtains
- Focus on Target Groups of Employees
- Social Engineering Tests
- Metrics
Leverage Free Resources
- National Cyber Security Alliance (NCSA): staysafeonline.org
- SANS Ouch! Newsletter: securingthehuman.org/resources/
- SANS Securing the Human Community
SANS Securing the Human Community
- Led by SANS' Lance Spitzner, the STH Community is the most valuable resource for security awareness today
- Access to some of the top minds practicing security awareness today in organizations of all sizes
- No vendors are allowed on the mailing list
- Sign up today at https://lists.sans.org/mailman/listinfo/sth-community
Make It Personal
- Employees take cyber security practices to heart when taught from a personal perspective
- Teach your employees how to keep themselves and their families cyber safe at home
- Employees will bring their cyber safety practices back to the office with them
Do Not Reuse Passphrases/Passwords (Example)
- If an attacker were to compromise the username and password for your Netflix account, would they
  - Be able to read your personal email messages?
  - Be able to make purchases with your Amazon or other accounts?
  - Be able to transfer money from your bank account?
  - Be able to access your company's systems remotely and steal information?
- At a minimum, never share passwords between resources used for company business and personal use
- Assign unique passwords to your sensitive sites, such as your bank account
Pull Back the Curtains
- Employees need to understand that security threats against the company they work for are real and that they do occur
- Share information about actual security events and incidents with your employees to raise awareness
- Employees need to understand that they and their company are targets
Cyber Attacks Against Fluor Employees (Example)
- An advanced group of attackers targeted Fluor employees in order to gain access to one of our client's resources
- Initial contact was made via Facebook with a fake identity ("Emily") in an attempt to establish personal rapport with targeted employees
Cyber Security Blotter (Example)
Focus on Target Groups of Employees
While all employees should be provided with a basic level of security awareness training, specialized groups of employees requiring additional training should be identified:
- Executives
- New Employees
- Accounting/Finance
- System administrators
- Application developers
- Employees whose workstations have been infected
Social Engineering Tests
- Determine the need for an internal phishing campaign platform for raising phishing awareness
- Leverage the most common examples of phishing campaigns targeting your company today; if you don't know what these are, you need to find out!
- Consider conducting social engineering phone calls to your employees, pretending to be a member of your company's help desk or from the company's Internet Service Provider
- For additional ideas, visit the Capture the Flag (CTF) section on social-engineering.com
Metrics
- Use simple metrics to communicate to senior leadership the level of perceived risk from the human factor in your organization
- Ideally, metrics will be used to demonstrate the effectiveness of your security awareness program over time
Metrics Suggestions
Some examples of simple metrics for tracking various aspects of your security awareness efforts:
- Phishing Tests
  - Percentage of employees clicking on test phishing links
  - Percentage of employees opening test phishing attachments
  - Percentage of employees providing company credentials online
- Phone Call Tests
  - Percentage of employees providing company credentials over the phone to an unknown party
  - Overall level of cooperation from called employees
  - Don't forget special interest groups such as IT, HR and Finance
- USB Drops
  - Percentage of USB drops loaded on company computers
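As an added worked example (not from the presentation), the script below computes these percentages per campaign and per special interest group from constructed phishing, phone-call and USB-drop test records, plus the quarter-over-quarter change that shows program effectiveness over time; the record fields, department names and sample outcomes are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TestResult:
    """One employee's outcome in one social-engineering test (constructed sample records below)."""
    employee_id: str
    department: str                  # IT, HR, Finance: the slide's special interest groups
    campaign: str                    # e.g. "2015-Q1"
    kind: str                        # "phish", "phone" or "usb"
    clicked: bool = False            # phish: followed the test link
    opened_attachment: bool = False  # phish: opened the test attachment
    gave_credentials: bool = False   # phish/phone: supplied company credentials
    usb_loaded: bool = False         # usb: drop drive loaded on a company computer

def percentage(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0  # 0.0 when nobody was tested

def campaign_metrics(results, campaign, department=None):
    """The slide's simple metrics for one campaign, optionally for one department only."""
    rows = [r for r in results if r.campaign == campaign
            and (department is None or r.department == department)]
    kinds = {k: [r for r in rows if r.kind == k] for k in ("phish", "phone", "usb")}
    phish, phone, usb = kinds["phish"], kinds["phone"], kinds["usb"]
    return {
        "phish_clicked_pct": percentage(sum(r.clicked for r in phish), len(phish)),
        "phish_attachment_pct": percentage(sum(r.opened_attachment for r in phish), len(phish)),
        "phish_credentials_pct": percentage(sum(r.gave_credentials for r in phish), len(phish)),
        "phone_credentials_pct": percentage(sum(r.gave_credentials for r in phone), len(phone)),
        "usb_loaded_pct": percentage(sum(r.usb_loaded for r in usb), len(usb)),
        "tested": len(rows),
    }

def trend(results, earlier, later, metric):
    """Change in one metric between two campaigns; a negative value means the program is working."""
    return round(campaign_metrics(results, later)[metric]
                 - campaign_metrics(results, earlier)[metric], 1)

R = TestResult  # shorthand for the constructed sample records below
SAMPLE = [  # Q1 2015: six phishing targets, two phone calls, two USB drops
    R("e01", "IT", "2015-Q1", "phish"), R("e02", "IT", "2015-Q1", "phish", clicked=True),
    R("e03", "HR", "2015-Q1", "phish", clicked=True, gave_credentials=True),
    R("e04", "HR", "2015-Q1", "phish", clicked=True),
    R("e05", "Finance", "2015-Q1", "phish", opened_attachment=True),
    R("e06", "Finance", "2015-Q1", "phish", clicked=True, gave_credentials=True),
    R("e03", "HR", "2015-Q1", "phone", gave_credentials=True), R("e05", "Finance", "2015-Q1", "phone"),
    R("e07", "Finance", "2015-Q1", "usb", usb_loaded=True), R("e08", "IT", "2015-Q1", "usb"),
    # Q2 2015: the same six phishing targets after awareness training
    R("e01", "IT", "2015-Q2", "phish"), R("e02", "IT", "2015-Q2", "phish"),
    R("e03", "HR", "2015-Q2", "phish", clicked=True), R("e04", "HR", "2015-Q2", "phish"),
    R("e05", "Finance", "2015-Q2", "phish"), R("e06", "Finance", "2015-Q2", "phish", clicked=True),
]
```

Calling `campaign_metrics(SAMPLE, "2015-Q1", department="HR")` gives the HR-only figures the slide asks you not to forget, and `trend(SAMPLE, "2015-Q1", "2015-Q2", "phish_clicked_pct")` gives the change in click rate to report to leadership.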