Security Awareness - Defined, Managed and Measured
Transcript of Security Awareness - Defined, Managed and Measured
Security Awareness
Chris Merkel
Director, IS Security
Brunswick Corporation
Why “Awareness”?
…when I have an IDS/IPS, UTM Gateway, Encryption, DLP, Vuln Scanning, Patch Management, AV, HIDS, WAF, SIEM, Secure Code Review, Whitelisting, MDM, cable locks, lo-jack and epoxy in all of my USB ports!!!!
Hint: You don’t have a technology problem.
“A computer lets you make more mistakes faster than any invention in human history – with the possible exception of handguns and tequila.”
- Mitch Ratliff
What is awareness?
This is not awareness:
Neither is this:
[Pie chart: Percentage of US Employees Completing Security Awareness Module in the Past 12 mo. Segments 92%, 5%, 3%; legend: Complete / Incomplete; stamped “COMPLIANT”]
…or this:
Awareness is knowledge:
•That *you* are being targeted as part of a larger campaign to steal something.
•Within your specific business risk context.
•Which will require you to be able to identify suspicious “things”.
•To understand and avoid a negative outcome.
•By taking appropriate action.
•Or immediate corrective actions, if a thoughtless or incorrect choice is made.
Excellent Awareness Poster
What’s the problem?
How does it affect me?
What should I do?
Does Awareness “Work”?
Common criticisms:
•One click, by one user, and you’re compromised, so why bother?
•We told them not to do that, and they still did it.
•They didn’t remember our advice.
Our Goal: Harm Reduction, Not Elimination
Awareness Ideas
•Publish informational content in your IT knowledgebase / wiki.
•Periodic informational emails.
•“Point of failure” education on your internet gateways.
•“Coaching” people when they visit sites common to scams.
•Internal phishing campaigns.
•Scam bounty programs.
•Annual, self-paced, awareness training.
Measuring Efficacy – A Must
The best possible outcome is that *nothing* happens. Measure that.
Next best option – reduction in bad things:
- Web content filter hits.
- Phishing assessments.
- Anti-virus hits / infections.
But…
Correlation ≠ Causation
Be rigorous with your data.
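The “reduction in bad things” slide and the “be rigorous with your data” caveat, as an added example that is not part of the original deck: it turns raw phishing-assessment counts into click and report rates and applies a pooled two-proportion z-test, so a quarter-over-quarter drop is only called an improvement when it exceeds what sampling noise alone would produce. The campaign records are constructed sample data, and the 5% two-sided threshold is an assumption.

```python
import math

# Constructed sample records from three internal phishing assessments:
# (campaign, quarter, employees_targeted, clicked_lure, reported_to_security)
CAMPAIGNS = [
    ("Invoice lure",    "2014Q1", 400, 92, 18),
    ("Password reset",  "2014Q2", 410, 78, 44),
    ("Shipping notice", "2014Q3", 405, 38, 97),
]


def rates(record):
    """Per-campaign click rate and report rate, normalised by people targeted."""
    name, quarter, targeted, clicked, reported = record
    return {
        "campaign": name,
        "quarter": quarter,
        "click_rate": clicked / targeted,
        "report_rate": reported / targeted,
    }


def two_proportion_z(x1, n1, x2, n2):
    """Pooled z statistic for the difference between two proportions x1/n1 and x2/n2."""
    p1, p2 = x1 / n1, x2 / n2
    pooled = (x1 + x2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    return (p1 - p2) / se


def significant_drop(before, after, z_crit=1.96):
    """True only when the click rate fell from `before` to `after` by more than
    sampling noise explains (z_crit=1.96 is the two-sided 5% threshold, an assumption)."""
    _, _, n1, clicked1, _ = before
    _, _, n2, clicked2, _ = after
    return two_proportion_z(clicked1, n1, clicked2, n2) > z_crit


def trend(campaigns):
    """(quarter, click_rate, report_rate, improvement_vs_previous) for each campaign."""
    rows = []
    for i, rec in enumerate(campaigns):
        r = rates(rec)
        improved = i > 0 and significant_drop(campaigns[i - 1], rec)
        rows.append((r["quarter"], round(r["click_rate"], 3), round(r["report_rate"], 3), improved))
    return rows


if __name__ == "__main__":
    for row in trend(CAMPAIGNS):
        print(row)
```

Even a statistically real drop is only correlation with the awareness work; a changed lure, a new mail filter rule or a holiday-heavy quarter are rival explanations the numbers alone cannot rule out.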
Educational Resources:
• SANS Securing the Human blog / newsletter
• US-CERT National Cyber Awareness System
• Krebs on Security
• Office of the National Counterintelligence Executive
• NIST Computer Security Resource Center
• Infragard Center for Information Security Awareness
• FTC – OnGuard Online
• StaySafeOnline.org - National Cyber Security Alliance
Phishing Resources
•Free: SPT
•Commercial:
▫Phish5
▫Phishline
▫Phishme
Thank You!
Q&A