Practical Advantages of a Security Educated Workforce
Adventures in Security Awareness:
Practical Advantages of an Educated Workforce
Adventures in Security Awareness: Practical Advantages of an Educated Workforce
Speaker Biography
• 15+ years fighting the InfoSec leadership battle
• Knows a few things about information security governance and what it takes to build a successful security program
• Helps other security leaders build successful governance, risk management, and compliance (GRC) programs
• Also helps start-ups, small businesses, non-profits, and university enterprises produce big business success
Keyaan Williams
www.linkedin.com/in/keyaan
@KeyaanWilliams
Forcing users to complete annual security training just to check boxes is rubbish!
There are better ways to use education, training, and awareness to improve security.
Outline
Definitions
The Compliance-Driven Approach
The Compliance-Driven Problem
A Culture-Driven Alternative
Every Security Person Can Contribute
Summary and Q&A
Definitions
Understanding the words we are using will help drive the point home.
Practical
Adjective: of or concerned with the actual doing or use of something rather than with theory and ideas.
Education
Education focuses on transferring knowledge or information via communication tools that produce long-term retention.
Training
Training focuses on activities, coaching, and feedback that develop new skills or new knowledge that students can apply to their work.
Awareness
Awareness focuses on the increased perception of facts or information.
The Compliance-Driven Approach to “Security Awareness Training”
The regulators made me do it!
What normally happens
Compliance defines the approach rather than tailoring something unique for the organization.
Education, training, and awareness are consolidated into one big blob that is a single objective/activity.
Education, training, and awareness are not distinct activities with specific, individual purposes.
The Compliance Perspective
“The organization will be more secure because you gave users security training and you
confirmed that everyone participated at least annually.”
ISO 27001 and 27002
“All employees of the organization and, where relevant, contractors and third party users should receive
appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their
job function.”
NIST 800-53, AT-2
“The organization provides basic security awareness training to information system users.”
PCI-DSS
“Implement a formal security awareness program to make all personnel aware of the cardholder data security policy.”
PCI DSS v3.2
Testing procedures (12.6.1 and 12.6.2)
• Verify people attend training when hired and at least annually.
• Obtain acknowledgement that people have read and understand the security policy.
The Compliance-Driven Problem
Compliance provides a budget, but it doesn’t tell me how to be effective.
The compliance problem
Compliance incentivizes a generic approach that rarely changes behavior or has a meaningful impact.
The compliance problem
Compliance requires no validation that users can apply what they learned to their work.
The compliance problem
Compliance measures how many, but not how effective.
Does theory produce practical results?
The Worst Case
• Content has nothing to do with the organization or its current threats.
• It is optional, or some people are forgotten.
• It only focuses on phishing and makes people afraid to check their e-mail.
• It produces no change in user-generated security events.
A Culture-Driven Alternative
What can we do to make this work for everyone?
What does culture have to do with anything?
Sociology 101 - Culture is the sum of attitudes, customs, and beliefs that distinguishes one group of people from another. This should drive the content of education, training, and awareness at an organization.
Security Theory and Culture Collide
Incorporating security theory from education, training, and awareness into the culture of the organization can practically make the organization more secure.
This is about changing (or strengthening) security culture
• Emphasize what is important.
• Reward behaviors that reflect what is important.
• Discourage behaviors that do not reflect what is important.
• Model the behaviors that you want to see in the workplace.
Source: C. McNamara, "Organizational Culture," Authenticity Consulting, LLC, 2000. [Online]. Available: http://managementhelp.org/organizations/culture.htm#influence. [Accessed June 2016]
What is important?
• Assets and how we protect them.
• Data and how we protect it.
• People and how we protect them.
• Stakeholders and how we protect their interests.
What is good behavior?
• Follow policies, procedures, and standards.
• Report anomalies and strange events: “see something; say something.”
• Conduct activities ethically.
How do we discourage bad behavior?
• Frown at nonconformists; peer pressure is effective.
• Formalize recourse in policies and standards (e.g., HR processes and performance reviews).
How do we reward good behavior?
• Money
• Recognition
A Simple Culture Case Study
The simplicity of cause, effect, and human behavior.
Rewarding good behavior influences the workforce. Most people want the reward.
I want recognition that produces a reward → I inform security operations about suspicious e-mail → They recognize me or give me money
Every Security Person Can Contribute
I am not part of the security awareness team. What does it have to do with me?
Every Security Person Can Contribute
You don’t have to be a CISO, Director, or Security Leader to contribute to the practical security education of your organization.
Every Security Person Can Contribute
Practitioners have a great opportunity to communicate relevant information and influence behavior as part of their everyday interactions with people.
Every Security Person Can Contribute
You are a professional; you know a lot! Share that information with everyone you encounter.
Every Security Person Can Contribute
Tailor content based on the audience. Tell executives, managers, IT personnel, and non-IT end users the same story, but package the story differently based on the risk each group faces.
Every Security Person Can Contribute
Discreetly retrain compromised users. You don’t have to embarrass people to get them to change.
Every Security Person Can Contribute
Bedside manner is important! Don’t be a donkey about it.
Case Study 2
Combining incident response and user re-education to improve security.
Combining security awareness and incident response to improve security
User causes event → CSIRT activated → Root cause analysis → Results shared with user → Anonymized results shared with workforce → Number of similar events decreases
This actually happened!
Case Study: User causes event
“Oh my! I downloaded a malicious file from a suspicious e-mail.”
Case Study: CSIRT activated
Enterprise controls detect the indicator of compromise (IOC), and the Computer Security Incident Response Team (CSIRT) is activated to provide remediation.
Case Study: Root cause analysis
The CSIRT conducts root cause analysis to identify the malicious software’s impact and method of installation.
Case Study: Results shared with user
Findings from the root cause analysis are shared with the user.
• The user understands his or her part in the activity.
• This understanding prevents a repeat offense.
Case Study: Anonymized results shared with workforce
Results are anonymized to protect the image of the affected user and shared with the workforce.
• The affected user is not embarrassed.
Case Study: Number of similar events decreases
• Everyone learns from a single mistake.
• Other users are less likely to repeat the actions.
• A culture of respect increases the likelihood that users will report anomalous events.
Summary
What should I remember from this conversation?
1. Compliance requires security awareness training, but a compliance-driven approach is the wrong approach.
2. Effective education, training, and awareness can reduce the risk introduced by users.
3. Effective training is tailored, interactive, and meaningful.
4. Awareness is important to reinforce ideas.
5. All security personnel can contribute to education, training, and awareness in an organization.