Building a Strategic Plan for Your Security Awareness Program
Session ID: HUM-T09 (#RSAC)
Lance Spitzner, Director, SANS Securing The Human, @lspitzner

Posted 11-May-2018


[Figure: Windows OS vs. Human OS. Timeline of Windows security controls, 2002 to 2014 (y-axis: Security Controls): Trustworthy Computing; Software Restriction Policies; Automatic Updating; Microsoft Secure Development Lifecycle; Firewall Enabled by Default; Baseline Security Analyzer; Data Execution Protection (DEP); Malicious Software Removal Tool; Windows Defender; ASDL; User Account Control; BitLocker; Windows Service Hardening; Mandatory Integrity Control; AppLocker; Encrypted File System; Microsoft Security Essentials; EMET.]

Security Awareness Maturity Model

1. Nonexistent

2. Compliance-Focused

3. Promoting Awareness and Behavioral Change

4. Long-Term Sustainment and Cultural Change

5. Metrics Framework


Your Strategic Plan

• WHO

• WHAT

• HOW

WHO Are You Targeting?

• Different targets require different/additional content and communication methods:
o Employees
o Contractors/Vendors
o IT Staff/Developers
o Senior Management
o Accounts Payable/HR

• Many organizations start with just all employees, but as their programs mature, they identify unique sub-groups

Defining Who

WHAT Do You Teach?

• Focus on topics that have the greatest ROI:
o People can remember only so much (cognitive overload)
o You have limited time and resources to teach
o Fewer topics are easier to reinforce
o Avoid "training fatigue"

• Identify the greatest human risks to your organization, and then develop training modules to address each of those risks

Verizon DBIR

Qualitative Analysis

Rating scale: VH / 5, H / 4, M / 3, L / 2, VL / 1
Risk Score = Impact x Probability

Topic              Impact   Probability   Risk Score
Phishing           4        4             16
Tracking Cookies   5        1             5

Learning Objectives - Bad

• A common security awareness topic is passwords:
o Minimum of 12 characters
o 1 symbol
o 1 number
o 1 capital letter
o No two repeated letters
o Change every 90 days

• Costs associated with this

Learning Objectives - Good

• Do not get infected

• Do not share your passwords

• Do not log in using untrusted systems

• Personal questions are just another password

• Passphrases: "Where is my Coffee?"

• Password Managers

• Use two-step verification whenever possible

HOW to Change Behavior

Security teams have to think like marketing, communications or sales people. Awareness is a product we are attempting to 'sell'.

Connect people at an emotional, creative level.

Why does cybersecurity matter?

Curse of Knowledge

Why Cyber Security Matters

Engagement

• Centers for Disease Control (CDC) has a long-term awareness campaign on preparing for disasters; no one was listening

• May 16, 2011: posted a blog on preparing for the "Zombie Apocalypse"

• Three hours later, the network collapsed; 2 days later, they made an official public announcement

Push Versus Pull

• Push: Sending information to people

• Pull: People get information on their own

• Pull method is becoming more common and popular:
o Online/Computer Based Training
o Podcasts/blogs
o Newsletters/Posters
o Booth events
o Ambassador programs

Primary vs. Reinforcement

Primary: Typical annual training. Mandatory/compliance. Lays the foundation for people. Instructor Led/Computer Based.

Reinforcement: Rest of the year. Not mandatory/engaging. One topic at a time. Numerous ways to communicate.

Turkcell

"I like it here, there is a lot of information to satisfy my stomach! Don't feed the monster."

Annual Program

Two Types of Metrics

• Compliance Metrics: Measure the deployment of your awareness program. Are you compliant?

• Impact Metrics: Measure the impact of your awareness program. Are you changing behavior?

Impact Metrics

Every metric should tie to a specific behavior that helps manage a human risk you care about:

• Phishing

• ID Badges/Drafting

• Dumpster diving

• Phone calls

• Data Loss Prevention (DLP)

• Screen lock use

• Mobile device loss

Metrics - Key Points

• Biggest difference between technical and human metrics is that humans have feelings

• Announce your metrics program ahead of time, and then start slow and simple

• Do not embarrass people (no Viagra e-mails). Do not release names of those who fail. Only notify management of repeat offenders

• Focus on real-world risks, do not "trick" people

• Always make sure there are at least two ways to detect an assessment

When You Return to Work


• Identify your key high-risk groups (accounts payable, HR, etc.) and take them out to lunch or host a specialized webcast for them. Build bridges

• Do a human risk analysis and prioritize the risks/behaviors you teach

• Partner with your communications team, have a person assigned to your security team

• Read Leading Change and Made to Stick

• Partner with a senior champion, have that person help you communicate with leadership