We need to have an understanding of what actually constitutes "awareness". In addition, we also need to be able to measure people's awareness, which isn't always easy.
2. Why “Awareness”?
…when I have an IDS/IPS, UTM Gateway, Encryption, DLP, Vuln Scanning, Patch Management, AV, HIDS, WAF, SIEM, Secure Code Review, Whitelisting, MDM, cable locks, LoJack and epoxy in all of my USB ports!!!!
3. Hint: You don’t have a technology problem.
“A computer lets you make more mistakes faster than any invention in human history – with the possible exception of handguns and tequila.”
- Mitch Ratliff
8. Awareness is knowledge:
• That *you* are being targeted as part of a larger campaign to steal something.
• Within your specific business risk context.
• Which will require you to be able to identify suspicious “things”.
• To understand and avoid a negative outcome.
• By taking appropriate action.
• Or immediate corrective actions, if a thoughtless or incorrect choice is made.
10. Does Awareness “Work”?
Common criticisms:
• One click, by one user, and you’re compromised, so why bother?
• We told them not to do that, and they still did it.
• They didn’t remember our advice.
12. Awareness Ideas
• Publish informational content in your IT knowledgebase / wiki.
• Periodic informational emails.
• “Point of failure” education on your internet gateways.
• “Coaching” people when they visit sites common to scams.
• Internal phishing campaigns.
• Scam bounty programs.
• Annual, self-paced, awareness training.
13. Measuring Efficacy – A Must
The best possible outcome is that *nothing*
happens. Measure that.
Next best option – reduction in bad things:
- Web content filter hits.
- Phishing assessments.
- Anti-virus hits / infections.
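The deck says to measure the reduction in bad things but does not show how to turn raw counts into a trend. The following is an added example, not part of the presentation or its author's material: it takes constructed results from three simulated-phishing assessments (the campaign names and numbers are hypothetical), computes click and report rates per campaign, compares each with the first campaign as a baseline, and normalises raw event counts such as AV or web-filter hits per 1,000 endpoints so periods with different headcounts are comparable. Empty populations return None rather than a misleading 0%.

```python
"""Trend metrics for an awareness program (added example; constructed sample data)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Campaign:
    """One simulated-phishing assessment (hypothetical record layout)."""
    name: str
    sent: int       # lure messages delivered
    clicked: int    # recipients who clicked the lure
    reported: int   # recipients who reported the message to security


# Constructed sample data: three quarterly assessments, numbers are invented.
SAMPLE_CAMPAIGNS: List[Campaign] = [
    Campaign("Q1 baseline", sent=1000, clicked=180, reported=40),
    Campaign("Q2", sent=1000, clicked=120, reported=95),
    Campaign("Q3", sent=1200, clicked=90, reported=210),
]


def rate(numerator: int, denominator: int) -> Optional[float]:
    """Proportion, or None when the population is empty (never report 0% for no data)."""
    return None if denominator == 0 else numerator / denominator


def relative_change(baseline: Optional[float], current: Optional[float]) -> Optional[float]:
    """Fractional change from the baseline; negative means the metric went down."""
    if baseline is None or current is None or baseline == 0:
        return None
    return (current - baseline) / baseline


def per_thousand(count: int, population: int) -> Optional[float]:
    """Normalise raw event counts (AV infections, content-filter hits) per 1,000
    endpoints or users so quarters with different headcounts can be compared."""
    r = rate(count, population)
    return None if r is None else r * 1000


def program_trend(campaigns: List[Campaign]) -> List[dict]:
    """Per-campaign click and report rates, each compared with the first campaign."""
    if not campaigns:
        return []
    base_click = rate(campaigns[0].clicked, campaigns[0].sent)
    base_report = rate(campaigns[0].reported, campaigns[0].sent)
    rows = []
    for c in campaigns:
        click = rate(c.clicked, c.sent)
        report = rate(c.reported, c.sent)
        rows.append({
            "name": c.name,
            "click_rate": click,
            "report_rate": report,
            "click_change": relative_change(base_click, click),
            "report_change": relative_change(base_report, report),
        })
    return rows


def is_improving(rows: List[dict]) -> bool:
    """True when the latest campaign clicks less and reports more than the baseline."""
    if len(rows) < 2:
        return False
    last = rows[-1]
    return (last["click_change"] is not None and last["click_change"] < 0
            and last["report_change"] is not None and last["report_change"] > 0)


if __name__ == "__main__":
    for row in program_trend(SAMPLE_CAMPAIGNS):
        print(f"{row['name']:<12} click {row['click_rate']:.1%} "
              f"({row['click_change']:+.0%} vs baseline)  "
              f"report {row['report_rate']:.1%} ({row['report_change']:+.0%} vs baseline)")
    print("improving:", is_improving(program_trend(SAMPLE_CAMPAIGNS)))
```

Tracking the report rate alongside the click rate matters: a falling click rate alone can be noise from a weaker lure, whereas a rising report rate shows people recognising and escalating suspicious mail, which is the behaviour the program is trying to create.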
15. Educational Resources:
• SANS Securing the Human blog / newsletter
• US-CERT National Cyber Awareness System
• Krebs on Security
• Office of the National Counterintelligence Executive
• NIST Computer Security Resource Center
• InfraGard Center for Information Security Awareness
• FTC – OnGuard Online
• StaySafeOnline.org - National Cyber Security Alliance
Good morning, my name is Chris Merkel. I’m the director of information security for Brunswick Corporation. Brunswick is a multi-national recreational goods company, better known by its brands in the marine market, including Mercury Marine, Sea Ray, Bayliner, the fitness industry under the Life Fitness and Hammer Strength brands, as well as our namesake, which is Brunswick bowling and billiards. We’re predominantly a manufacturing company, with operations worldwide, as well as a large retailer, with over 100 Brunswick Zone bowling centers in North America. As the director of security, I’m responsible for a small team that carries out the functions of the information security office, including policy, awareness, secure architecture, secure coding initiatives, security assessments, incident management, as well as forensic support for litigation and investigation processes. During this presentation, I’m going to present my personal views on the topic of security awareness training. I believe that the business of raising awareness, at least with respect to data security, is still in its infancy. My views are also not necessarily representative of the organization I work for. In addition, I have received the list of excellent questions that many of you have submitted. I will make an effort to speak to them as I present, but please don’t take that to mean that the topic shouldn’t be discussed further. We come from a diverse set of organizations – retail, manufacturing, critical infrastructure, education and government – and the Q&A time at the end of this session is where I hope the most knowledge transfer occurs. As a NOREX member, I have found that peer exchange trumps PowerPoint, so I’ll do my best to make sure we have plenty of time to discuss how awareness impacts you and the specific threats and challenges that your organization faces.
The security industry is awash with jargon and acronyms, sold to us by our vendors in 1U form factors at a “reasonable” price point. Each one of these solutions, we’re told, will eliminate the most terrifying security threats that they rip from the headlines of major media and trade publications. These technologies can be and often are very useful for dealing with the operational aspects of security – detecting threats, keeping common malware off computers, standing up resilient web applications, et cetera. At the end of the day, however, these technologies are device-centric, application-centric and network-centric ways of dealing with the attacks that all of our organizations face. Anyone who has deployed and operated many of these technologies can tell you that they are not, either individually or collectively, a panacea for preventing loss, theft, intrusion or disruption of our systems. This is because there’s another weakness on your network that none of these technologies can mitigate:
One of the largest problems we have to tackle isn’t a technology problem, it’s a people problem. In IT, we’re used to finding solutions to our business problems that can be solved with faster networks, bigger processors, more disk, efficient code and well-tuned IT operational and support processes. If you were a CS or MIS major, you learned a lot about foundational topics like inheritance, Boolean logic and modular system design. What you likely didn’t get were several semesters of behavioral psychology or behavioral economics – these are the domains that we need to better understand if we’re going to be effective in changing the behavior of people on a mass scale, which should be the goal of our security awareness programs.
Making sure we have a good definition for awareness is important. Because many of us on this call have specific regulatory obligations to do “security awareness”, I want to make sure that we raise a distinction between “having a program” and actually driving awareness among people to change behavior.
First, people aren’t going to willingly subject themselves to death by PowerPoint. There’s a time and place for good presentations, and it is in person, with a small audience, or possibly on an in-person webinar. In general, however, if you expect that you can get people to comprehend the nature of the problem that they face and the solution, all in one presentation, without respect to the target audience, you’re fooling yourself. Many of the other types of training that we provide within an organization are on topics that most people inherently understand. For example, there’s only a small handful of people in your organization who learned that sexual harassment is wrong, that standing on the top of a wobbly ladder is unsafe or that falsifying financial records for personal gain is a crime. The reason many organizations do this training is to remove any shred of doubt that a person found doing any of these things had a reasonable expectation that they would be disciplined or fired. I would argue that computer security is different, because it primarily involves re-training people to have a healthy suspicion of things, to question the identity and motives of others, and to do so within a technologically complicated set of tools that we make them use.
If your goal is compliance, doing “security awareness” becomes much, much easier. Find out what your auditors’ expectations are and devise the most efficient, cost-effective and non-intrusive way of accomplishing this. There isn’t anything inherently wrong with “studying for the test”, as it were. If your organization has a clear, top-down understanding of its risks, and needing to treat the “human problem” isn’t among them, then it makes sense to do what’s necessary to check the regulatory box and keep the auditors off your back. However, I would suspect that for most of you on this call, you actually want to do things that result in an actual reduction of incidents arising from people failing to make correct decisions about technology and risk. It’s an axiom in security that properly treating the actual risk will almost always also result in fewer and less severe incidents, while doing security only insofar as you need to meet a compliance obligation is only marginally effective.
For PCI assessments, how do companies with 10,000+ associates conduct and validate all-company awareness training?
Is anyone using any of the interactive software (on premises or on-line) for their security awareness? If so, will they share wins/fails?
We have to compete for people’s attention. There’s nothing wrong with putting up posters per se, but we’re competing for their attention in a crowded space. As technology people, we have near unilateral control over the 19-inch glowing box that nearly all of our people stare into 8 hours per day. So… if we understand that our goal is to make people aware, influence decision making and change outcomes, versus “having a program”, what is the right definition for “security awareness”?
How do you monitor the effectiveness of the awareness program?
For those with well-established security awareness programs, by which metrics do you measure the success of your program?
Are you doing any activities for Cyber Security Month? If so, do you have any materials you can share?
Of those that take a home-grown approach, where do you get your ideas?
For those with well-established security awareness programs, do you use phishing campaigns to test your users? Did you face any corporate culture challenges with this approach?