The Most Critical Risk Control: Human Behavior
Lynn Goodendorf
Director, Information Security
Atlanta ISACA
Chapter Meeting
June 20, 2014
AGENDA FOR THIS SESSION
Why technical defenses are not enough
Formal policy vs. training and awareness
What does an effective security awareness program look like?
LESSONS FROM DATA BREACHES
Epsilon – spear phishing attack
AOL – not understanding data classification
Google, Yahoo and 18 others: users needed to update browsers
Gawker Media – used weak passwords for multiple applications
Target – began with phishing attack on 3rd party
FORMAL POLICY
Provides management guidance and intention
Protects company liability
Must be “translated” into key concepts and messages
Requires partnership with Human Resources
AWARENESS TOPICS
How to spot keylogging devices
Is Email Spam Harmful?
Watering hole attacks
Storing paper records
Visitors who may be imposters
Are cookies bad for you?
All about malware
MORE AWARENESS TOPICS
Create and remember strong passwords
Get Going with Mobile Security
What is a mobile botnet?
Found any free USB drives?
What did you capture on camera?
Erase those whiteboards!
We love to share email chain letters
AND MORE AWARENESS TOPICS
Dialing for Dollars: Phone Scams
Cell phone ringtone scams
Dangers of Counterfeit Software
Wi-Fi Security Tips at Home
Email Etiquette for Your Career
Has your Facebook account been hacked?
STANDARDS
NIST Special Publication 800-50 “Building an Information Technology Security Awareness and Training Program”
ISO 27002:2013 Section 7.2.2 Deliver Information Security Awareness Programs
Australian Government: Protective Security Governance Guidelines – Security Awareness Training
COST OF SECURITY AWARENESS
Budgetary planning: $5 to $10 per person per year
Online courses
Posters, Screen savers
Newsletters
Pens, Buttons, Etc.