The human factor
DESCRIPTION
A thought on security awareness back in 2005
TRANSCRIPT
Koen Maris – The Human Factor in Information technology – Copyright 2005 – [email protected]
The Human Factor in Information Technology
Introduction
• 75% of security incidents are caused by human error
• Technology-oriented civilization
• General ignorance in all layers of society
Work environment
• Employees are often clueless about security improvements
• Incidents are often caused by:
– Configuration error
– Misinterpretation
– Intentional action
Design issue
• Techies' needs vs. business needs
• Business function vs. security
• User-friendliness vs. security
• The strength of a design is often its downfall: regular users do not think like the people who designed it
• Design should identify human and societal needs
Technology
• Technology changes rapidly, resulting in an inability to manage it
• Technology often ties us to our work; instead of making it easier, it makes it worse
• Top-notch technology is expensive and does not guarantee security
• Implementers are often external and could leave insecure traces, purposely or by error
Social engineering
• The art of deception or persuasion
– The exploits
– Human-based social engineering
– Technology-based social engineering
Social engineering
The exploits
• Diffusion of responsibility
• Trust relationships
• Moral duty
• Guilt
• Desire to be helpful
• Cooperation
Human-based social engineering
• Impersonation
• The VIP approach
• Shoulder surfing
• Dumpster diving
• Piggybacking
• Third party approach
Technology-based social engineering
• Pop-up windows
• Mail attachments
• Spam, spim (instant-messaging spam), chain e-mails, hoaxes
• Websites
Countermeasures
Building a human firewall
• Convince top management
– Top-down approach
– Prove that security is a business enabler, not only a cost
– According to Gartner, the executive board has three major questions when confronted with security issues:
• Is our security policy enforced fairly and consistently?
• Would employees, contractors and partners know if a security violation occurred?
• Would the company know how to handle and react if it recognised a security violation?
Countermeasures
Building a human firewall
• Assign and clarify roles and responsibilities
– Separation of duties: do people have the authority they need?
– Be careful with overlapping duties
– Clear statements from management
Countermeasures
Building a human firewall
• Define an action plan linked to a budget
– Assess the relative value of information assets
– Use a risk assessment approach
– Prioritize assets by value to simplify budgeting
– Involve all units
Countermeasures
Building a human firewall
• Develop/update the policy framework
– Policies evolve, just as the law does in real life
– Written in language everyone can understand
– Align with business goals; constraining or contradictory policies end up on the forgotten list
Countermeasures
Building a human firewall
• Develop an incident response program
– Reduce damage
– Recover quickly and efficiently
– Keep a trace of the security event and learn from it
Countermeasures
Building a human firewall
• Develop a security awareness program
– Conduct a survey to find the weak and strong domains
– Repetition is the key to success
– Events happening in the world can be the initiator
– It should not be limited to a one-shot effort; use any means possible, such as quizzes, posters, the intranet, e-mails, etc.
Countermeasures
Building a human firewall
• Develop a security awareness program, tailored to each target audience:
– Senior management
– Mid management
– Staff
– Technical staff
Countermeasures
Target audience
• Develop a security awareness program
– Senior management
• Focus on key elements, risk level and loss
• Numerical or statistical approach
• Real-life examples
Countermeasures
Target audience
• Develop a security awareness program
– Mid management
• Granular approach on policies, procedures, etc.
• In charge of mapping them to the different departments
• Use business examples
Countermeasures
Target audience
• Develop a security awareness program
– Staff
• Repetition = key to success
• Split into job-related groups
• Stress the importance of his/her job and the security-related issues involved
Countermeasures
Target audience
• Develop a security awareness program
– Technical staff
• Audit trails are often seen as work control
• They often integrate security only after everything is running
• Convince them that security also protects their work environment
Countermeasures
Building a human firewall
• Measure your security awareness efforts
– A quiz is an excellent measuring tool
– Security event statistics can indicate weak spots
– Evaluation forms to gain knowledge of current issues and where to improve
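One way to turn the quiz results and the security event statistics into a picture of the weak spots, as an added example that is not part of the original deck: per-job-group quiz averages and user-caused incident rates per 100 staff, with the rate compared before and after an awareness campaign so the "repetition" effort can be checked rather than assumed. The job groups, headcounts, quiz scores, incident records, campaign date and thresholds are constructed sample data.

```python
"""Measuring a security awareness program from quiz scores and event statistics.

Added example, not part of the original slide deck. Job groups, headcounts,
quiz scores, incident records, the campaign date and thresholds are constructed.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date

HEADCOUNT = {"sales": 40, "finance": 20, "engineering": 60, "helpdesk": 10}  # assumed

# (employee id, job group, awareness quiz score 0-100) - constructed
QUIZ = [
    ("e1", "sales", 55), ("e2", "sales", 60), ("e3", "sales", 70),
    ("e4", "finance", 85), ("e5", "finance", 90),
    ("e6", "engineering", 80), ("e7", "engineering", 75), ("e8", "engineering", 65),
    ("e9", "helpdesk", 95), ("e10", "helpdesk", 90),
]


@dataclass(frozen=True)
class Event:
    when: date
    group: str
    category: str      # what went wrong, e.g. "phishing-click"
    user_caused: bool  # only human-factor events count towards awareness metrics


CAMPAIGN_START = date(2005, 4, 1)  # assumed start of the awareness campaign

# Constructed security event log for the first half of 2005.
EVENTS = [
    Event(date(2005, 1, 12), "sales", "phishing-click", True),
    Event(date(2005, 1, 30), "sales", "password-shared", True),
    Event(date(2005, 2, 14), "sales", "phishing-click", True),
    Event(date(2005, 3, 3), "sales", "tailgating", True),
    Event(date(2005, 2, 20), "finance", "phishing-click", True),
    Event(date(2005, 1, 18), "engineering", "phishing-click", True),
    Event(date(2005, 3, 9), "engineering", "misconfiguration", True),
    Event(date(2005, 3, 21), "engineering", "hardware-failure", False),
    Event(date(2005, 4, 19), "sales", "phishing-click", True),
    Event(date(2005, 5, 27), "sales", "tailgating", True),
    Event(date(2005, 6, 2), "engineering", "phishing-click", True),
]


def quiz_by_group(quiz) -> dict[str, float]:
    """Mean quiz score per job group."""
    scores = defaultdict(list)
    for _, group, score in quiz:
        scores[group].append(score)
    return {g: sum(v) / len(v) for g, v in scores.items()}


def incident_rate(events, headcount, start=None, end=None) -> dict[str, float]:
    """User-caused events per 100 employees per job group, within [start, end)."""
    counts = defaultdict(int)
    for e in events:
        if not e.user_caused:
            continue
        if start is not None and e.when < start:
            continue
        if end is not None and e.when >= end:
            continue
        counts[e.group] += 1
    return {g: 100.0 * counts[g] / n for g, n in headcount.items()}


def weak_spots(quiz, events, headcount, quiz_min=70.0, rate_max=5.0) -> dict[str, list[str]]:
    """Groups that fail either the quiz floor or the incident-rate ceiling (both assumed)."""
    scores, rates = quiz_by_group(quiz), incident_rate(events, headcount)
    out: dict[str, list[str]] = {}
    for g in headcount:
        reasons = []
        if scores.get(g, 0.0) < quiz_min:
            reasons.append(f"quiz mean {scores.get(g, 0.0):.1f} below {quiz_min}")
        if rates[g] > rate_max:
            reasons.append(f"{rates[g]:.1f} user-caused events per 100 staff")
        if reasons:
            out[g] = reasons
    return out


def campaign_effect(events, headcount, campaign_start) -> dict[str, tuple[float, float]]:
    """(rate before, rate after) per group; a falling rate is the signal repetition is working."""
    before = incident_rate(events, headcount, end=campaign_start)
    after = incident_rate(events, headcount, start=campaign_start)
    return {g: (before[g], after[g]) for g in headcount}


def category_breakdown(events) -> Counter:
    """Which human-factor failures dominate, i.e. what the next session should cover."""
    return Counter(e.category for e in events if e.user_caused)


if __name__ == "__main__":
    print("weak spots:", weak_spots(QUIZ, EVENTS, HEADCOUNT))
    print("before/after:", campaign_effect(EVENTS, HEADCOUNT, CAMPAIGN_START))
    print("top categories:", category_breakdown(EVENTS).most_common(3))
```

Normalising by headcount matters: raw counts would make the largest department look worst regardless of behaviour. Excluding non-user-caused events keeps hardware failures and similar noise out of a measure that is meant to reflect people, and the before/after split gives the senior-management audience the numerical view the deck asks for.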
The Human Factor
Q & A