Security Smackdown: End-User Awareness Programs vs. Technology Solutions (166295407)


Transcript of Security Smackdown: End-User Awareness Programs vs. Technology Solutions (166295407)

Page 1: Security Smackdown: End-User Awareness Programs vs. Technology Solutions (166295407)


© C. Brisson and J. Klein Keane

Security Smackdown: End-User Awareness Programs vs. Technology Solutions

Justin Klein Keane
Christine Brisson
University of Pennsylvania, School of Arts & Sciences

Page 2: Security Smackdown: End-User Awareness Programs vs. Technology Solutions (166295407)


Analogies only work if they're accurate

Except in the case of car analogies, which always suck

*Let's try to keep this discussion free of car analogies

Page 3: Security Smackdown: End-User Awareness Programs vs. Technology Solutions (166295407)


Page 4: Security Smackdown: End-User Awareness Programs vs. Technology Solutions (166295407)


Proven Technical Solutions

Page 5: Security Smackdown: End-User Awareness Programs vs. Technology Solutions (166295407)


http://www.darkreading.com/blog/240151108/on-security-awareness-training.html

Security Luminaries agree:
● Bruce Schneier
● Dave Aitel, Immunity
● Richard Bejtlich, Mandiant

N.B.: Detractors of security awareness training have no financial stake in the correctness of their argument.

Page 6: Security Smackdown: End-User Awareness Programs vs. Technology Solutions (166295407)


Gizmodo -- The 10 most popular passwords of 2012:

1. Password (Unchanged)
2. 123456 (Unchanged)
3. 12345678 (Unchanged)
4. abc123 (Up 1)
5. qwerty (Down 1)
6. monkey (Unchanged)
7. letmein (Up 1)
8. dragon (Up 2)
9. 111111 (Up 3)
10. baseball (Up 1)

What about Pa$$w0rd?

Page 7: Security Smackdown: End-User Awareness Programs vs. Technology Solutions (166295407)


Page 8: Security Smackdown: End-User Awareness Programs vs. Technology Solutions (166295407)


Simulated Phishing Campaigns

● New York State employees (2005)
 – 10,000 people – decline in response rate to fake phishing emails from 15% to 8% over two trials

● PhishMe at Emory (2012)
 – 40,000 people – decline in response rate to fake phishing emails from 13.7% overall to 8.1% over three trials
 – No overall decline in number of successful phishing attacks

● Operation Carronade (West Point, 2004)
 – 80% of cadets (small sample size, 400) clicked on the link; 90% of freshmen
 – “There is a culture at West Point that any e-mail with a "COL" (abbreviation for Colonel) salutation has an action to be executed. To a cadet, the action/request is to be executed regardless of its nature or rationale. The e-mail sought to exploit this culture.”

Page 9: Security Smackdown: End-User Awareness Programs vs. Technology Solutions (166295407)


Phishing Education is Misguided

Page 10: Security Smackdown: End-User Awareness Programs vs. Technology Solutions (166295407)


Careful where you Click

Page 11: Security Smackdown: End-User Awareness Programs vs. Technology Solutions (166295407)


Be careful where you click?

Page 12: Security Smackdown: End-User Awareness Programs vs. Technology Solutions (166295407)


Human Cognition is Exploitable

https://online.citiban.k.com/US/JSO/signon

https://online.C|T|BANK.COM/US/JSO/signon

https://online.citibank.com/US/JSO/signon:/accounts/[email protected]

https://online.citibänk.com/US/JSO/signon

https://online.citibaņk.com/US/JSO/signon

https://online.citbank.com/US/JSO/signon

http://bit.ly/JQ9RCh

http://translate.google.com/#auto/en/https%3A%2F%2Fevil.com

Some tricks are invisible:

http://www.symantec.com/connect/blogs/soft-hyphen-new-url-obfuscation-technique
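As an added example (not part of the deck), the following Python flags the lookalike-URL tricks shown on this slide and the soft-hyphen technique from the Symantec post, the way a mail filter or proxy might before a user ever has to "be careful where you click". The allowlist, the redirector list, the confusable-character table and the userinfo sample URL are constructed assumptions.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist: the login host users are expected to reach.
EXPECTED_HOSTS = {"online.citibank.com"}
# Constructed list of redirector/shortener hosts that hide the real destination.
REDIRECTORS = {"bit.ly", "translate.google.com"}
# Starter set of ASCII characters that imitate letters ('|' mimics a capital I).
CONFUSABLES = {"|": "i", "1": "l", "0": "o"}
# Invisible code points: soft hyphen, zero-width space/joiners, byte-order mark.
INVISIBLE = {"\u00ad", "\u200b", "\u200c", "\u200d", "\ufeff"}

def normalise_host(host):
    """Drop invisible characters, strip accents, map confusables, lower-case."""
    host = "".join(ch for ch in host if ch not in INVISIBLE)
    decomposed = unicodedata.normalize("NFKD", host)  # ä -> a + combining diaeresis
    host = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(CONFUSABLES.get(ch, ch) for ch in host).lower()

def edit_distance(a, b):
    """Levenshtein distance, used to catch typosquats such as citbank."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def url_flags(url):
    """Return the set of warning flags a mail filter or proxy would raise for url."""
    flags = set()
    parts = urlsplit(url)
    host = parts.hostname or ""         # lower-cased, userinfo and port stripped
    if parts.username is not None:      # "expected.host:x@real.host" trick
        flags.add("userinfo-before-host")
    if any(ch in url for ch in INVISIBLE):
        flags.add("invisible-chars")
    if not host.isascii():
        flags.add("non-ascii-host")
    if host in REDIRECTORS:
        flags.add("redirector-host")
    norm = normalise_host(host)
    if norm in EXPECTED_HOSTS:
        if norm != host:                # reads like the real host but is not
            flags.add("lookalike-of-expected")
    elif any(edit_distance(norm, good) <= 2 for good in EXPECTED_HOSTS):
        flags.add("lookalike-of-expected")
    return flags
```

The edit-distance threshold of 2 is a heuristic; tune it against your own allowlist so short legitimate hostnames do not trip it.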

Page 13: Security Smackdown: End-User Awareness Programs vs. Technology Solutions (166295407)


Privacy/Sensitive data

Page 14: Security Smackdown: End-User Awareness Programs vs. Technology Solutions (166295407)


Effective Training (Developers)

Page 15: Security Smackdown: End-User Awareness Programs vs. Technology Solutions (166295407)


Effective Training (Users)

Page 16: Security Smackdown: End-User Awareness Programs vs. Technology Solutions (166295407)


NCSAM Campaigns in SAS

Two main messages
● Information Security is an issue
● Know who to contact if you have questions

We chose themes based on pain points
● Data and privacy
● Be careful where you click
● Securing mobile devices

Different methods of outreach
● Posters
● Web site
● Events (shredding day)
● “Security and Donuts” -- school wide but locally-based

Shared material/ideas with other Penn schools/units

Page 17: Security Smackdown: End-User Awareness Programs vs. Technology Solutions (166295407)


Page 18: Security Smackdown: End-User Awareness Programs vs. Technology Solutions (166295407)


References

● West Point: http://www.educause.edu/ero/article/fostering-e-mail-security-awareness-west-point-carronade

● New York State phishing: “You Won’t Believe How Adorable This Kitty Is! Click for More!” by Geoffrey A. Fowler, Wall Street Journal, 3/27/2013.

● Emory University phishing: http://www.educause.edu/events/security-professionals-conference/phishing-ourselves-raise-awareness

● Top 10 Passwords: http://gizmodo.com/5954372/the-25-most-popular-passwords-of-2012

● Anti-Phishing Phil: “Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish,” by Steve Sheng, Bryant Magnien, Ponnurangam Kumaraguru, Alessandro Acquisti, Lorrie Faith Cranor, Jason Hong, Elizabeth Nunge. Symposium On Usable Privacy and Security (SOUPS) 2007, July 18-20, 2007, Pittsburgh, PA, USA. Available at http://cups.cs.cmu.edu/soups/2007/proceedings/p88_sheng.pdf

● West Virginia University training effort: “Information Security Training - Lessons Learned Along the Trail,” by Michael Cooper. SIGUCCS ’08, October 19-22, 2008, Portland, Oregon, USA.

● Arguments in favor of security training:
 – http://www.csoonline.com/article/705639/ten-commandments-for-effective-security-training
 – http://searchsecurity.techtarget.com/news/2240162630/Data-supports-need-for-awareness-training-despite-naysayers

Page 19: Security Smackdown: End-User Awareness Programs vs. Technology Solutions (166295407)


References (cont.)

● Proven technical controls:
 – “Strategies to Mitigate Targeted Cyber Intrusion,” Australian Defense Signals Directorate. http://www.dsd.gov.au/infosec/top-mitigations
 – “20 Critical Controls,” Center for Strategic and International Studies. https://www.sans.org/critical-security-controls/guidelines.php

● Phishing resources:
 – https://crypto.stanford.edu/antiphishing/
 – https://www.mozilla.org/en-US/firefox/phishing-protection/
 – https://community.opendns.com/phishtank/

● Security training is a waste:
 – “On Security Awareness Training,” by Bruce Schneier. Dark Reading, http://www.darkreading.com/blog/240151108/on-security-awareness-training.html
 – “Why you shouldn't train employees for security awareness,” by Dave Aitel. CSO Online, http://www.csoonline.com/article/711412/why-you-shouldn-t-train-employees-for-security-awareness
 – “Security Awareness Training: A Waste of Time?,” by Richard Bejtlich. Tao Security, http://taosecurity.blogspot.com/2005/11/security-awareness-training-waste-of.html

● Malware obfuscation techniques:
 – “Soft Hyphen – A New URL Obfuscation Technique,” by Samir Patil. Symantec Official Blog, http://www.symantec.com/connect/blogs/soft-hyphen-new-url-obfuscation-technique