Page 1:

The Streetwise Security Zone Presents

Turning Swiss Cheese Into Hard Candy

Scott Wright, The Streetwise Security Coach

http://www.streetwise-security-zone.com

Justifying Security Awareness Training

Page 2:

Copyright 2009. Scott Wright. All rights reserved. http://www.streetwise-security-zone.com

Why Swiss Cheese?

(Slide diagram: threats and workflows)

Page 3:

Cases of Security Awareness Failure

Spouse installs music sharing software on company laptop, exposing 17,000 employees’ personal data on the Web

Page 4:

Cases of Security Awareness Failure

Downadup virus hits PCs at five Sheffield hospitals

"The virus has now been contained and our IT team have been working very closely with external antivirus specialists to update PCs and remove the last remnants of the virus from the network to limit the chances of a repeat infection."

The automatic Microsoft update process had been temporarily disabled following problems with some PCs providing supporting information in theatres.

"This decision was taken by the IT Change Advisory Board to prevent further disruption in theatres." (ZDNet.co.uk, January 22, 2009)

The "Conficker" (aka Downadup, Kido) worm has infected 8-12 million computers globally* creating a large BOTNET, through a combination of:

a) Poor password choices,

b) USB Flash Drive infections, and

c) Windows computers not being updated with Microsoft's security patches

* United Press International, January 26, 2009

Page 5:

Cases of Security Awareness Failure

Restaurant + IT Staff Lunch + New Employee + Blogger Sitting Nearby = ….

"This new job is challenging… We have so many systems. How do you manage it?"

"Easy! The only password you need to remember is "Password1"… We use it everywhere."

Page 6:

Why Do You Need to Take Action?

You (or your clients) could be a click away from disaster…

Poor employee risk decisions cause over 80% of data breaches

Ponemon Institute: http://www.encryptionreports.com/

60% of individuals FAILED a simple test of information security risk decisions

The Honey Stick Project: http://www.honeystickproject.com

Page 7:

What is Security Awareness?

Ability to recognize risks

Ability to make decisions that reduce risk, regardless of technology or other safeguards

Meeting job requirements and organization's objectives

Securely and efficiently!

Empowerment – When employees do the right things… At the right time, for right reasons, when nobody is watching!

Michael Santarcangelo, The Security Catalyst

Something doesn’t look quite right…

Page 8:

Facebook - Good or Bad?

Explosive growth in use for marketing and networking

Increased "exposure" (one way or another!)

Facebook Risks

Almost half of new profiles are not real
• Don't accept invitations from strangers (link whoring)

Increasing use of Bots for invitations and attacks
• Be suspicious of friends' recommendations

Trust is easily exploitable
• Verify information before acting

Links are easy to obscure with tinyurl.com
• Be suspicious of abnormal links
• Use plugins that expand links (e.g. Longurl in Firefox)

Page 9:

A Few More Facebook Risks and Tips

Corporate espionage is easy and growing
• Change privacy settings to "Friends Only"

Third-party applications can be malicious or "leaky"
• Only accept applications from reputable sources

Facebook is a big target
• Large repository of personal information
• Big risk to ANY info within it, despite policies or settings
• Don't post anything you wouldn't want to see in the newspapers!

See Tom Eston's Guide to Facebook Privacy and Security: http://www.spylogic.net

Streetwise Security Zone Podcast - Episode 3

Page 10:

If you were targeting a company...

• NOTE TO PRESENTER USING THIS SLIDE DECK…
• For a live Facebook demo from within your own Facebook profile…
• Go to Facebook main page
• Search for a company in your local geographical area (same city as in your profile)
• Enter <company name> along with <software> or <research> or <strategic> or <travel> or <finance>
• i.e. Search for: IBM strategic, IBM research, etc.

Page 11:

What’s the worst case of personal use causing business risk?

"Срочно! Слишком низко!"

Translation: Urgent! You are too low! Pull up!

"Any idea what she's saying?"

"Roger that... Looks like I shouldn't have accepted that Facebook invitation from that Russian lady. Right Jim?"

Page 12:

Facebook Settings

Page 13:

Who Needs Security Awareness Most?

General staff
• On the front lines, the first place attackers go
• Handles large volumes of information

Executives
• Often feel they are immune to "operational rules"
• Often carry or discuss valuable information

IT Staff
• Also feel they are immune
• Need valuable information to get their jobs done

R&D Staff
• Has key intellectual property – very high value to the organization
• Responsible for building in safeguards

Everybody Needs It!

Page 14:

Handling information more securely in your job…

For Executives, Management, Administrators, R&D Staff, or IT Staff –

The Streetwise Security Awareness Technique (SWAT) uses the same approach for all jobs…

But, the safeguards are tailored in each step…

Be prepared with basic best practices

Identify your trusted sources of guidance

Identify your information context

Control information in your context

Collaborate for security and efficiency

Page 15:

The SWAT Basic Information Security Awareness Guidelines

1. Take responsibility for software being up-to-date

2. Use only authorized hardware or software

3. Use multiple, strong passwords

4. Know your security software logo and alerts

5. Do regular backups of your work, and test them

6. Encrypt sensitive files before leaving the office

7. Challenge strangers, or anything odd

8. Lock up sensitive assets and information before leaving them

9. Be suspicious (i.e. don’t click on untrusted/unexpected links or attachments)

10. Report incidents to management or the helpdesk

Page 16:

What about the Swiss Cheese?…

• Less Rework

• Better Quality and Compliance

• Fewer Legal Issues

• Better Productivity

• Happier Customers

• Better Industry Image

• Happier Employees

Page 17:

To Hard Candy… and more

• Less Rework

• Better Quality and Compliance

• Fewer Legal Issues

• Better Productivity

• Happier Customers

• Better Industry Image

• Happier Employees

Page 18:

Summary

Security relies on technology, human decisions and empowerment

Everybody needs security awareness – weakest link is limiting factor

Spin-off benefits – improved productivity, quality, customer satisfaction, leadership, and more…

Page 19:

Quiz on Security Awareness

1) Approximately what percentage of data breaches are caused, in some way, by poor employee risk decisions?

(a) 10% (b) 40% (c) 70% (d) 80%

2) What do Phishers and Identity Thieves look for in Facebook profiles?

(a) Employer names (b) Favorite color (c) Privacy settings

3) Should your organization be more like Swiss Cheese or Hard Candy?

Which one does it resemble right now?

Page 20:

Let’s work together!

Scott Wright - The Streetwise Security Coach
Contact - [email protected]

Sales Resources: http://www.streetwise-security-zone.com/training-sales.html
Slide decks, sales letters and other tips over time

The Streetwise Security Zone website
http://www.streetwise-security-zone.com
FREE weekly tips email newsletter on home page
Currently free FULL membership (during promotion)
Podcasts, tweets, articles, forums

The Honey Stick Project - Measuring risk decisions
http://www.honeystickproject.com