The Streetwise Security Zone Presents
Turning Swiss Cheese Into Hard Candy
Justifying Security Awareness Training
Scott Wright, The Streetwise Security Coach
http://www.streetwise-security-zone.com
Copyright 2009. Scott Wright. All rights reserved. http://www.streetwise-security-zone.com
Why Swiss Cheese?
[Slide diagram; labels: "Threats!", "Workflows", "Threats"]
Cases of Security Awareness Failure
Spouse installs music sharing software on company laptop, exposing 17,000 employees’ personal data on the Web
Downadup virus hits PCs at five Sheffield hospitals
"The virus has now been contained and our IT team have been working very closely with external antivirus specialists to update PCs and remove the last remnants of the virus from the network to limit the chances of a repeat infection."
The automatic Microsoft update process had been temporarily disabled following problems with some PCs providing supporting information in theatres.
"This decision was taken by the IT Change Advisory Board to prevent further disruption in theatres." (ZDNet.co.uk, January 22, 2009)
Cases of Security Awareness Failure
The "Conficker" (aka Downadup, Kido) worm has infected 8-12 million computers globally*, creating a large BOTNET, through a combination of:
a) Poor password choices,
b) USB Flash Drive infections, and
c) Windows computers not being updated with Microsoft's security patches
* United Press International, January 26, 2009
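The USB flash drive factor above works through autorun.inf, the file Windows reads from removable media to decide what to launch or offer at insertion. The following is an added example (not from the presentation or its author) that triages an autorun.inf the way a helpdesk or incident responder might: it parses the file tolerantly, reports any directive that would execute a program, and flags an action= label that imitates Explorer's own "Open folder to view files" option. The two sample files are constructed for this example; the path in the hostile one is made up. The parser approximates, but does not replicate, Windows' own parsing, so treat its output as triage. The durable control is policy: disable AutoRun for removable drives (the NoDriveTypeAutoRun registry policy) and keep the patching that the worm relied on being absent.

```python
# Added example (not from the presentation): inspect an autorun.inf from a
# removable drive for directives that would run a program on insertion.
# The sample files below are constructed for this example.
import re

# Directives that make AutoRun/AutoPlay execute something.
LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=... also launches a program for a context-menu verb.
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
# Directive names are letters, digits, backslashes and spaces; anything else is junk.
KEY_RE = re.compile(r"^[a-z0-9\\ ]+$")
# Text Windows itself uses for the safe AutoPlay option; an action= that
# imitates it is a social-engineering tell.
BUILTIN_ACTION = "open folder to view files"


def parse_autorun(text):
    """Return {key: value} for the [autorun] section.

    Tolerant on purpose: junk lines, junk bytes and mixed-case keys are
    normalised away, because padding and case tricks are how a hostile
    autorun.inf tries to slip past naive string matching while still
    being honoured by Windows.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if not KEY_RE.match(key):                 # binary padding, not a directive
            continue
        entries[key] = value.strip()
    return entries


def launch_directives(entries):
    """(key, value) pairs that would execute a program."""
    return [(k, v) for k, v in entries.items()
            if k in LAUNCH_KEYS or SHELL_COMMAND_RE.match(k)]


def mimics_builtin_action(entries):
    """True if action= is dressed up to look like the built-in Explorer option."""
    return BUILTIN_ACTION in entries.get("action", "").lower()


def assess(text):
    """Return (suspicious, launch_hits, mimics_builtin) for one autorun.inf."""
    entries = parse_autorun(text)
    hits = launch_directives(entries)
    mimic = mimics_builtin_action(entries)
    return (bool(hits) or mimic), hits, mimic


# Constructed samples: a harmless icon/label file, and a hostile one that
# hides a launcher among junk and mixed case and imitates the safe option.
BENIGN = "[autorun]\r\nicon=setup.exe,0\r\nlabel=Company Files\r\n"
HOSTILE = (
    "[AuToRuN]\r\n"
    ";\x8c\x03\xf2\x11 padding \xa7\xb1\r\n"
    "\x01\x02 garbage line with no directive\r\n"
    "ACTION=Open folder to view files\r\n"
    "Icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
    "sHeLlExEcUtE=rundll32.exe .\\RECYCLER\\x.dll,entry\r\n"   # constructed path
    "UseAutoPlay=1\r\n"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("hostile", HOSTILE)):
        print(name, assess(sample))
```

Any open= or shellexecute= on a drive that arrived from outside the organisation deserves a question, even when it points at a legitimately named installer; the check above is meant to make that question routine rather than to replace the AutoRun policy.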
Cases of Security Awareness Failure
Restaurant + IT Staff Lunch + New Employee + Blogger Sitting Nearby = ….
New employee: "This new job is challenging… We have so many systems. How do you manage it?"
IT staff: "Easy! The only password you need to remember is 'Password1'… We use it everywhere."
Why Do You Need to Take Action?
You (or your clients) could be a click away from disaster…
Poor employee risk decisions cause over 80% of data breaches
Ponemon Institute: http://www.encryptionreports.com/
60% of individuals FAILED a simple test of information security risk decisions
The Honey Stick Project: http://www.honeystickproject.com
What is Security Awareness?
• Ability to recognize risks
• Ability to make decisions that reduce risk, regardless of technology or other safeguards
• Meeting job requirements and organization's objectives, securely and efficiently!
• Empowerment – When employees do the right things… At the right time, for the right reasons, when nobody is watching! (Michael Santarcangelo, The Security Catalyst)
[Cartoon caption: "Something doesn't look quite right…"]
Facebook - Good or Bad?
Explosive growth in use for marketing and networking
Increased "exposure" (one way or another!)
Facebook Risks
• Almost half of new profiles are not real: Don't accept invitations from strangers (link whoring)
• Increasing use of Bots for invitations and attacks: Be suspicious of friends' recommendations
• Trust is easily exploitable: Verify information before acting
• Links are easy to obscure with tinyurl.com: Be suspicious of abnormal links; use plugins that expand links (e.g. LongURL in Firefox)
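What a link-expanding plugin does is follow the HTTP redirects behind a short link without loading the final page. The following is an added example (not from the presentation, its author, or any plugin it mentions) that does the same thing explicitly, one hop at a time, so that the whole chain is visible and a loop or an over-long chain is reported rather than silently followed. The redirect table and the host names in it are constructed for this example; live_head() is the version that actually talks to the network, and the same point applies to the ninth SWAT guideline below about not clicking untrusted links.

```python
# Added example (not from the presentation): expand a shortened link by
# following HTTP redirects one hop at a time, without fetching the final page.
# The redirect table below is constructed; live_head() is the network version.
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 10

# Constructed stand-in for HEAD responses: url -> (status, Location header).
FAKE_RESPONSES = {
    "http://tinyurl.com/abc123": (301, "http://bit.ly/xyz"),
    "http://bit.ly/xyz": (302, "/go?id=7"),                  # relative Location
    "http://bit.ly/go?id=7": (302, "http://bankofexamp1e.example/"),
    "http://bankofexamp1e.example/": (200, None),
    "http://loop.example/a": (302, "http://loop.example/b"),
    "http://loop.example/b": (302, "http://loop.example/a"),
}


def fake_head(url):
    return FAKE_RESPONSES.get(url, (404, None))


def live_head(url, timeout=5):
    """HEAD one URL and return (status, Location) WITHOUT auto-following.

    urllib follows redirects by default; a handler that declines to
    redirect makes it raise HTTPError for 3xx, which is caught here.
    """
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"),
                         timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def expand(url, head=fake_head, max_hops=MAX_HOPS):
    """Follow redirects hop by hop. Returns (final_url, chain, reason).

    reason is "final" (a non-redirect was reached), "loop" (a URL repeated)
    or "too-many-hops" (gave up); the last two are themselves red flags.
    """
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, location = head(url)
        if status not in REDIRECT_CODES or not location:
            return url, chain, "final"
        url = urljoin(url, location)          # resolves a relative Location
        chain.append(url)
        if url in seen:
            return url, chain, "loop"
        seen.add(url)
    return url, chain, "too-many-hops"


def destination_matches(displayed_host, final_url):
    """Does the host the user was shown match where the link really lands?"""
    return urlsplit(final_url).hostname == displayed_host.strip().lower()


if __name__ == "__main__":
    final, chain, reason = expand("http://tinyurl.com/abc123")
    print(reason, " -> ".join(chain))
    print("matches 'bankofexample.com'?",
          destination_matches("bankofexample.com", final))
```

For real links call expand(url, head=live_head). Two caveats: a HEAD request only sees HTTP-level redirects, so a page that forwards with a meta refresh or script still has to be judged on its own; and running this on a server against user-supplied URLs makes that server connect to attacker-chosen hosts, so restrict where it may connect before exposing it as a service.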
A Few More Facebook Risks and Tips
• Corporate espionage is easy and growing: Change privacy settings to "Friends Only"
• Third-party applications can be malicious or "leaky": Only accept applications from reputable sources
• Facebook is a big target: Large repository of personal information; big risk to ANY info within it, despite policies or settings. Don't post anything you wouldn't want to see in the newspapers!
See Tom Eston's Guide to Facebook Privacy and Security: http://www.spylogic.net
Streetwise Security Zone Podcast - Episode 3
If you were targeting a company...
• NOTE TO PRESENTER USING THIS SLIDE DECK…
• For a live Facebook demo from within your own Facebook profile…
• Go to Facebook main page
• Search for a company in your local geographical area (same city as in your profile)
• Enter <company name> along with <software> or <research> or <strategic> or <travel> or <finance>
• e.g. Search for: IBM strategic, IBM research, etc.
What's the worst case of personal use causing business risk?
[Cartoon]
Speech bubble (in Russian): "Срочно! Слишком низко!"
Translation: "Urgent! You are too low! Pull up!"
Speech bubble: "Any idea what she's saying?"
Speech bubble: "Roger that... Looks like I shouldn't have accepted that Facebook invitation from that Russian lady. Right Jim?"
Facebook Settings
Who Needs Security Awareness Most?
General staff
• On the front lines, the first place attackers go
• Handles large volumes of information
Executives
• Often feel they are immune to "operational rules"
• Often carry or discuss valuable information
IT Staff
• Also feel they are immune
• Need valuable information to get their jobs done
R&D Staff
• Has key intellectual property – very high value to the organization
• Responsible for building in safeguards
Everybody Needs It!
Handling information more securely in your job…
For Executives, Management, Administrators, R&D Staff, or IT Staff, the Streetwise Security Awareness Technique (SWAT) uses the same approach for all jobs…
But, the safeguards are tailored in each step…
• Be prepared with basic best practices
• Identify your trusted sources of guidance
• Identify your information context
• Control information in your context
• Collaborate for security and efficiency
The SWAT Basic Information Security Awareness Guidelines
1. Take responsibility for software being up-to-date
2. Use only authorized hardware or software
3. Use multiple, strong passwords
4. Know your security software logo and alerts
5. Do regular backups of your work, and test them
6. Encrypt sensitive files before leaving the office
7. Challenge strangers, or anything odd
8. Lock up sensitive assets and information before leaving them
9. Be suspicious (i.e. don’t click on untrusted/unexpected links or attachments)
10. Report incidents to management or the helpdesk
What about the Swiss Cheese?…
[Slide diagram; label: "Threats!"; the benefits list builds on the next slide]
To Hard Candy… and more
• Less Rework
• Better Quality and Compliance
• Fewer Legal Issues
• Better Productivity
• Happier Customers
• Better Industry Image
• Happier Employees
Summary
Security relies on technology, human decisions and empowerment
Everybody needs security awareness – weakest link is limiting factor
Spin-off benefits – improved productivity, quality, customer satisfaction, leadership, and more…
Quiz on Security Awareness
1) Approximately what percentage of data breaches are caused, in some way, by poor employee risk decisions?
(a) 10% (b) 40% (c) 70% (d) 80%
2) What do Phishers and Identity Thieves look for in Facebook profiles?
(a) Employer names (b) Favorite color (c) Privacy settings
3) Should your organization be more like Swiss Cheese or Hard Candy?
Which one does it resemble right now?
Let's work together!
Scott Wright - The Streetwise Security Coach
Contact - [email protected]
Sales Resources: http://www.streetwise-security-zone.com/training-sales.html
• Slide decks, sales letters and other tips over time
The Streetwise Security Zone website: http://www.streetwise-security-zone.com
• FREE weekly tips email newsletter on home page
• Currently free FULL membership (during promotion)
• Podcasts, tweets, articles, forums
The Honey Stick Project - Measuring risk decisions: http://www.honeystickproject.com