Developing a SecurityAwareness Strategy
Gavin van NiekerkPrincipal Consultant
Topics
• Awareness as a survival technique
• Success factors
• Approach
• Principles: the "ABCs"
• Content
• Techniques
• Tools
• Measurement and evaluation
• Resources
Survival
Being alert to danger signals, and responding quickly, often is the difference between surviving…and not
Your Staff: Cost-Effective!
• First to be affected during an incident
• Compliance with policy can make or break any security program
• Awareness helps staff:
  • Become your organization's detection instruments
  • Make security reflexive
  • Prevent incidents
  • Mitigate damage if something happens
How to Spend a Dollar?
• Policy
• Awareness
• Risk Assessment
• Technology
• Process
Success Factors
• Information security policy
• Senior-level management support and buy-in
• A program focus that security, at its core, is a people problem
• Goals (short-, intermediate-, and long-term)
• Audience profiles
• Motivational techniques
Information Security Policy
• Clarify and document management's intention
• Set expectations and guide behavior
• Effective policies state:
  • Goals
  • Responsibilities
  • Allowed behavior
  • Prohibited behavior
  • Penalties
Helps deal with certain personality types…
Awareness Policy
• Increases credibility and visibility of the entire information security program
• Should establish:
  • That participation in the awareness program is mandatory
  • That everyone will receive enough time
  • Who is responsible for conducting the program
Senior-Level Sponsorship
• A proper budget:
  • Prevents middle management from denying requests to fund security
  • Allows for the time, with no "bottom line" obviousness
• Lead by example
  • Executives must themselves be bound by policy
  • Exemptions cost money and blow the budget!
• Affirm security staff
  • Support those charged with enforcing policies
  • Especially important when security and convenience conflict
It’s a People Problem
Don’t succumb to the urge to change conditions to force the outcome you want
While we can use technology to mitigate some risk, it really depends on the cooperation of all the users
If people don’t understand, or opt not to participate, the whole security program weakens
Be: specific, realistic, measurable
Goals
• Practice, reinforce, repeat, automate
• Make it reflexive to "think security"
• Reinforce desired (often already known) behavior
• Gradually change undesired behavior
• Teach what happens in the event of a failure
Audience Profiles
• Everyone, from summer intern to CEO, requires the same level of security awareness
• Methods, however, should vary
  • Needs: group by level of computer experience
  • Jargon vs. analogies
• Roles and interests:
  • Users: Will it help me work better? Will it affect my performance review?
  • Managers: How much will it cost? What return?
  • Technical staff: Is it authoritative and in the right language?
• Use surveys to find out what motivates
The Art of Motivation
• Some behaviors simply must change:
  • Sharing passwords
  • Exchanging confidential data
  • Belief that "hacking" is "cool"
• Appeal to:
  • The damage a breach often causes
  • Organizational recognition for protecting information
  • The fact that attacking is a crime (one that often hurts people)
  • The desire to belong to a group that shuns harmful actions
  • The courage it takes to resist peer pressure (rules are good!)
• Dribble it out; don't overwhelm
Don’t Rely Only on Fear
• More important to emphasize:
  • Thinking about security in a new way
  • How to avoid danger
• Potential pitfalls:
  • Losing the audience's attention
  • Alienating the audience
  • Overdoing it
Approach
Media Campaign
• No different than any other
  • Message: why security is important
  • Product: the practice of security
  • Market: all employees
• Research and planning produce a strategy:
  • Define program objectives
  • Identify audiences (primary, secondary)
  • Define what's to be communicated
  • Describe benefits to the audience
Media Research
• Observation, surveys, tests, interviews
• Help desk statistics and trends
  • How many password resets per week/month/…?
• IT staff know your systems; ask them:
  • "How would you break into it?"
  • "Are breaches predictable?"
• Use focus groups to test your message
“If I had six hours to chop down a tree, I’d spend the first five sharpening the ax.”
—Abraham Lincoln
Sharpening the Ax
• A plan is essential
• It can be short and succinct:
  • Status of current efforts
  • Goals and objectives
  • How progress will be measured
  • Actions, by whom, when
• Good plans:
  • Allow for faster reaction
  • Take advantage of current events in the news
  • Coordinate around a theme
Awareness Principles
"A"
• Appeal to the target audience
  • Know their existing values and motivations
  • Start where they are, move to where you want them
• Attention-getting
  • It's a prerequisite to learning
  • Use clever slogans, eye-catching images
"B"
• Basic (simple, memorable)
  • Sets the stage for training; shouldn't be complex
  • Take away fear and ignorance
  • Foster recognition that there's a problem and that people are the solution
• Buy-in is better than coercion
  • Contributors to the awareness program are more likely to accept and follow controls
  • Give feedback on every suggestion; lack of feedback implies "no management interest"
"C"
• Continuing
  • Persistence and repetition are important
  • Vary the methods used
• Credible
  • Clear, relevant, appropriate
  • Have 15 passwords? Write them down, and protect the list
• Current
  • Material must always be fresh
  • "Smell like the tide, not like the fish"
Content
Risks
• Teach: "What does a threat look like?"
• How to detect unauthorized activity
  • Busy toll-free number: popular? full circuits? attacked line?
• Typical risks:
  • Malware types and how they do damage
  • Shared-risk principle (my risk spreads across the network)
  • Impact of distributed attacks (mostly DDoS)
  • Privacy and confidentiality issues
  • Scope of embedded hardware/software vulnerabilities
• Tailor to the audience (remote access, for instance)
Basic Countermeasures
• Security procedures and processes
• Personal practices:
  • Passwords: length, reuse, expiration
  • E-mail attachments
  • File transfers and downloads
• Reporting procedures
  • Potential or actual security events
  • Who to report to?
  • How? Telephone, e-mail, even fax
Responsibilities
• Emphasize:
  • Security is everyone's responsibility
  • Management has made it a priority
  • It applies to everyone equally
• Make system or organizational codes of conduct discoverable and readable
Contact Information
Who  • Phone numbers, e-mail addresses, web sites
     • Security staff, incident handlers, help desk
What • Affected computers and operating systems
     • Symptoms
     • Date/time/duration of incident
     • Active connections
     • Observed damage, actions taken
How  • Method of reporting the problem
     • Out-of-band from the affected system
When • Report now? Or wait a while?
     • Potential damage vs. business impact
Techniques
Start with a Bang
Not with a long, dry, boring introduction
that enumerates every law, regulation, policy, standard, guideline, or requirement
Reactions
• "I never thought of it that way."
• "That surprises me!"
• "What a great idea!"
• "I'd almost forgotten about that…"
• "I can use this."
Logos and Images
• Images have more power than words
• Look for colorful designs that catch the eye and burn into the brain
• Even animation can help
Poster example: "What would happen if someone changed your data?", followed by the same question with its letters scrambled: "Wyad cinxsafper efstmxunekhopgel joor deko?"
Logo and slogan examples:
• US Nuclear Regulatory Commission
• "Keep it clean", "Cyber Tyger"
• "It's a bug's life", "PC Doctor"
• Hospital: "Prevention is better than a cure"
Themes
• Unite several concepts into a related message
• Choose one that's reflective of your business
• Incorporate design elements into posters
Posters
Stories and Examples
• Real people, real consequences
• Sources: long-time employees ("corporate memory"), news events, Internet message boards, security personnel
• Again, tailor to the audience:
  • Theft of medical records: healthcare data processing
  • Fraud/impersonation: financial and accounting groups
Use Failure
• It's a learning accelerator
• Online awareness training:
  • Should provide immediate feedback
  • No need to record answers
  • Give staff something to think about
Example
The building is on fire. As you exit the building in a safe and orderly manner, you are able to take either the data backups or the backup of your custom-built application. Which do you take?
A. The data
B. The backup
Either answer is correct; the training module should inform users of this. Just like real life, not everything is easy.
In the United States, which of the following activities is illegal?
A. Creating an e-mail virus
B. Disrupting Internet communications
C. Failing to make daily backups
Encourage Audience Involvement
• Use questions: "Did you know…?" "What would you do if…?"
• Counter-intuitive facts work wonders
Be Surprising
• Just like a piñata, good material is full of surprises
• Role-play is excellent, for example the manager who doesn't want to follow the "no tailgating" policy
• Entertain, lead by example
• Retention is long lasting
User Action and Signoff
• Each user signs the acceptable-use policy after reading it
• Eliminates the "I didn't know…" excuse
• Don't forget periodic refreshers, too
• "Noisy prosecutions," even internal ones, might discourage security breaches
• Also allows tracking trends, and assists identification and response
Analogies
• Analogies, metaphors, and similes help associate new concepts with prior knowledge
• Illustrations help reinforce the message
Sensitive data is like prescription drugs:
• used only by those who need it
• not given or sold to unauthorized people
• can damage those who don't need it
Passwords are like winter underwear:
• should be long and mysterious
• protect the owner
• used by one person, not a group
• changed periodically
Humor
• Gets attention, motivates, and relaxes people
• Even influences organizational culture
• Be relevant and complement the message; otherwise your credibility suffers
• OK to joke about yourself or those in power
• Be careful about backfiring, though
Haiku:
Computer virus,
destroyer of files, survives
through lack of scanning
Sources
• Cartoons (Dilbert is canonical)
• Humorous definitions
• Letterman-style top-ten lists ("Top ten excuses for not making a backup")
• Security-related poems or lyrics written to the tunes of popular songs ("The Infosec Rap")
Learning Styles
Auditory    • Picks up information from hearing it
            • Reached by lectures and written material
Visual      • Wants to see what's being taught
            • Prefers diagrams, charts, and pictures
Kinesthetic • Responds well to tactile input
            • Wants to walk through steps or learn by physically performing the task
Personalities
• Some people ignore procedures if they don't understand the reasons; give them the "whys", it's OK
• Give learners a choice after an exercise: try again, or just receive the answer?
• Some people retain better when they deduce answers themselves; others simply want to see the result and move on
Circumstances
• A disaster, like a fire, can be invigorating
• Current events can add credibility
  • Check security-related Internet news sites
  • Reward the first-discoverer "news hawk" who contributes a new story to the awareness program
• A recent attack is also effective for obtaining budget
Tools
Considerations
• What tools are most appropriate?
• What methods are most likely to be credible and appropriate for the audience?
• Which, and how many, methods are feasible given budget and time constraints?
Internet/Intranet
• Web sites on the Internet or hosted internally
  • Convenient for distributed organizations
  • Annual refresher training
  • Good for people with diverse technology experience
  • Own pace, immediate feedback
  • Flexible, customizable
  • Reduce costs and training time
• E-mail for sending alerts and newsletters
• How? Why?
Screen Savers
• Enable an auto-locking screen saver with group policy
• Distribute an eye-catching design
  • Hire a professional artist
  • Coordinate with other awareness themes
• Consider animations or even interactive trivia
• Update regularly
Sign-on Messages
• Short reminder of users' responsibilities
• Changed regularly
• Note: these reminders provide no legal coverage on their own
Posters
Videos
• Great for orientation meetings and "brown bag" staff lunches
• Provide popcorn, in bags with printed security messages
• Many advantages:
  • Consistent message throughout the organization
  • Short and succinct: 20 minutes, no more
  • Save travel time and costs
• But…
  • Expensive to produce: roughly US$3000/min
  • Become out of date rather quickly
  • Maybe produce a segmented video?
Trinkets and tchotchkes
• Pencils, pens, highlighters: "Report breaches, it's the 'write' thing to do"
• Erasers: "Wipe out password sharing"
• Notepads: "Note who should be in your area and challenge strangers"
• Frisbees: "Our information security program is taking off"
• Mouse pads and inserts, with a clear cover over an area holding removable paper inserts, making the cost to change the message far less than the cost of printing new pads
• Key chains: "You are the key to information security"
• Flashlights: "Keep the spotlight on security"
• Cups or mugs: "Awareness: the best part of SecuriTEA" (where the campaign has explained that TEA stands for training, education, and awareness)
• Magnets, buttons, stickers: "Stick with security"
• First-aid kits: "Be prepared for security"
• Rulers, calculators: "Security counts"
• Coasters, toys, hand exercisers, informational cards, and other items including posters, virus-scanning software, and screen savers
Publications
• Newsletters and magazines, paper and electronic
• Print stressful communications on paper, and staple a facial tissue to it
• Add inconvenience
• Increase user burden
• Targeted brochures, pamphlets, even comic books
Inspections and Audits
• Certainly raise awareness, at least during the event
• Try "security by walking around" (SBWA)
  • Catch staff doing something right
  • Leave behind certificates of congratulations, thank-you notes, or trinkets
  • Be random
• Try to social-engineer your own workplace
  • Reward users who refuse to comply with the pretext
  • Retest users who get duped
Conferences and Seminars
• International Computer Security Day, annually on 30 November
• "Grill Your Security Officer Cook-Out"
  • Serve food and drink
  • Encourage staff to bring questions for security officers
• Lectures by dynamic speakers
• Security awareness briefings for senior executives and new arrivals
Measurement
It's the Price We Pay
• How many received training?
  • Attendance sheets
  • Course registrations
  • Online completion notices
  • Signed acceptable-use policies
• Use empirical evidence to demonstrate effectiveness; gather feedback from presenters, audiences, and supervisors
Audience Satisfaction
• Evaluations and surveys
• Yeah, it's mostly a measurement of how well they liked it… but it's a place to start
  • Were the materials useful?
  • Were the activities fun and memorable?
  • Was the information relevant?
  • Can you use it on your job?
  • Any suggestions for improvement?
Learning Effectiveness
• Pre-tests measure prior knowledge
• Post-tests measure what the audience remembered
• Both are useful for tailoring future programs
• The pre-test is important: it's how you measure improvement after the training!
Skill Transfer
• Gather input from an outside evaluator: supervisor, practitioner, incident handler, help desk
• Measure improvements with:
  • Follow-up interviews
  • Walk-through testing
  • Help desk and incident-reporting statistics
  • Audit findings
• Must acquire a pre-training baseline
Pre- and Post-Observations
• Passwords: test with a cracking program (run against exported password hashes, with written authorization)
• Locked workstations: check during lunch
• Survey of attitudes and knowledge
  • Whom to report incidents to?
  • Take-home policy for old software?
• Monitor the actual numbers and types of incidents
  • An increase in reports is probably a sign that the awareness program is working, not that there are suddenly many more attacks!
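The pre- and post-observations above only mean something against a baseline, so here is an added example (not part of the original slides) that scores two of them from constructed data: a dictionary test against password hashes and a count of help-desk tickets per week by category, each computed for the weeks before and after a campaign date. The hash scheme (SHA-256 over salt + password), the ticket export line format, the wordlist, the user names and the ticket lines are all assumptions made for this example; a real run would use the directory's own hash format, only ever on exported hashes, and only with written authorization.

```python
"""
Added example: pre-training baseline vs post-training measurement for two
observations the slides suggest. All data below is constructed; the hash
scheme and ticket format are stand-ins, not any real product's format.
"""
import hashlib
import re
from datetime import date, timedelta

# Small dictionary a cracking run would try first (constructed).
WORDLIST = ["password", "welcome1", "summer2009", "letmein", "qwerty", "Password1"]
TRAINING_DAY = date(2009, 3, 16)  # assumed campaign date


def hash_pw(salt, password):
    """Stand-in hash: SHA-256 over salt + password, hex encoded."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def make_records(users_and_passwords):
    """Build (user, salt, hash) records; only used to construct the sample."""
    return [(u, "salt-" + u, hash_pw("salt-" + u, pw)) for u, pw in users_and_passwords]


def crack_rate(records, wordlist):
    """Fraction of (user, salt, hash) records whose hash matches a wordlist entry."""
    if not records:
        return 0.0
    cracked = sum(1 for _u, salt, h in records
                  if any(hash_pw(salt, w) == h for w in wordlist))
    return cracked / len(records)


# Constructed samples: the same eight users before and after the campaign.
PRE_RECORDS = make_records([
    ("asmith", "password"), ("bjones", "welcome1"), ("cwu", "summer2009"),
    ("dlee", "qwerty"), ("efox", "T!ger-r0ck"), ("gkim", "letmein"),
    ("hpatel", "Password1"), ("jroe", "hG7$kp2!mQ"),
])
POST_RECORDS = make_records([
    ("asmith", "Wint3r-Und3rwear!"), ("bjones", "welcome1"), ("cwu", "c0rrect-horse-8"),
    ("dlee", "qwerty"), ("efox", "T!ger-r0ck"), ("gkim", "blue-Mug-42"),
    ("hpatel", "hG7$kp2!mQ"), ("jroe", "Ax-sharp-5h"),
])

# Assumed help-desk export format: "<date> <ticket-id> category=<cat> ...".
TICKET_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+\S+\s+category=(\S+)")

# Constructed export covering four weeks either side of TRAINING_DAY.
TICKETS = [
    "2009-02-18 INC1001 category=password-reset user=asmith",
    "2009-02-20 INC1002 category=security-report user=bjones note=odd attachment",
    "2009-02-26 INC1003 category=password-reset user=cwu",
    "2009-03-05 INC1004 category=security-report user=dlee note=caller wanted my password",
    "2009-03-11 INC1005 category=printer user=asmith",
    "2009-03-16 INC1006 category=security-report user=asmith note=tailgater at side door",
    "2009-03-18 INC1007 category=security-report user=cwu note=USB stick in car park",
    "2009-03-24 INC1008 category=password-reset user=dlee",
    "2009-03-27 INC1009 category=security-report user=efox note=phishing e-mail",
    "2009-04-01 INC1010 category=security-report user=bjones note=unlocked workstation",
    "2009-04-07 INC1011 category=security-report user=gkim note=visitor without badge",
    "2009-04-10 INC1012 category=security-report user=cwu note=spoofed sender",
    "malformed export line that the parser must skip",
]


def weekly_rate(lines, category, start, end):
    """Tickets of `category` dated start <= d < end, averaged per week."""
    count = 0
    for line in lines:
        m = TICKET_RE.match(line)
        if not m:
            continue  # line does not fit the export format
        d = date.fromisoformat(m.group(1))
        if m.group(2) == category and start <= d < end:
            count += 1
    return count / ((end - start).days / 7)


def measure(training_day=TRAINING_DAY, window_weeks=4):
    """Baseline (before) and post-training (after) values for both observations."""
    before = training_day - timedelta(weeks=window_weeks)
    after = training_day + timedelta(weeks=window_weeks)
    return {
        "crack_rate_pre": crack_rate(PRE_RECORDS, WORDLIST),
        "crack_rate_post": crack_rate(POST_RECORDS, WORDLIST),
        # More reports per week after training is the good sign the slide
        # describes, not evidence of more attacks.
        "reports_per_week_before": weekly_rate(TICKETS, "security-report", before, training_day),
        "reports_per_week_after": weekly_rate(TICKETS, "security-report", training_day, after),
        "resets_per_week_before": weekly_rate(TICKETS, "password-reset", before, training_day),
        "resets_per_week_after": weekly_rate(TICKETS, "password-reset", training_day, after),
    }


if __name__ == "__main__":
    for key, value in measure().items():
        print(f"{key:24s} {value:.2f}")
```

On the constructed data the crack rate falls from 0.75 to 0.25 and security reports rise from 0.5 to 1.5 per week while password resets fall; the same four functions work unchanged on a real hash export and ticket dump once `hash_pw` and `TICKET_RE` are adjusted to the real formats.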
© 2009 Microsoft Corporation. All rights reserved.