2. Agenda
Why
Who
What
When
Where and How
Tests for Understanding
Documentation
3. Why Security Awareness Training
Regulatory/Corporate Compliance
Users Don’t Get It
It Can’t Happen Here Syndrome
Make Our Lives Easier
Goals of Security Awareness Training
4. Why: Regulatory/Corporate Compliance
Sarbanes-Oxley
• Requires companies to become more fiscally accountable
JCAHO
• “To continuously improve the safety and quality of care provided to the public through the provision of health care accreditation and related services that support performance improvement in health care organizations.”
USA Patriot Act
• Requires seeking, detecting, and reporting computer trespasses
HIPAA
• Requires CIA (confidentiality, integrity, availability) of patients' private information
5. Why: Users Don’t Get It
There’s nothing important on my computer
We have virus software so my computer is protected from everything
All threats are from the outside
It’s not my job/I’m too busy to worry about security
Technology provides full protection
6. Why: It Can’t Happen Here Syndrome
Use Examples from Your Organization
Use Examples from Others:
• Two years of research material lost with no backup
• Test results are changed
• Falsified ID is used to send threatening e-mail
• Employees running side business with our technology
• Hospital machines used as zombies for DDoS attacks
• Virus, worm, trojan infestations and attacks
• Illegal music downloading
• Online gaming
• IT equipment stolen
7. Why: Make Our Lives Easier
Routine Helpdesk Calls are Reduced
Fewer Malicious Code Outbreaks
Lowers Data Restore Requests
Able to Focus on Projects
Users Feel Ownership
Users Think More Highly of IT
Less Time Spent Firefighting
8. Goals of Security Awareness Training
Establish a knowledge baseline for the entire organization
Modifying user behavior helps the security team
Adds a human component to defense-in-depth
Securing people is at least as important as securing systems
9. Who Needs Security Awareness Training
Employees
Non-employees
10. Who: Employees
All Employees
• Determine minimum level for everyone
• Include volunteers, medical staff and administration
Department Champions
• Find your IT wannabes
• Use them to help smooth the path
Management
• Make sure that they are not embarrassed
• Provide justification for expenditures
IT Staff
• Keep them fully informed
11. Who: Non-employees
On-site
• Volunteers
• Medical Staff
• Others
Remote
• Medical Staff
• Public
• Support
Contract/Non-contract
• Escort?
12. What: Security Awareness Training
Most Common Mistakes
Training Topics
Acceptable Use Policy/Agreement
13. What: Most Common Mistakes
Poor Password Management
Workstation Attached and Unattended
Malicious E-mail Attachments
Ineffective Anti-virus Software
Uncontrolled Laptops
Unreported Security Violations
Updates, Hot Fixes, Service Packs not Installed
Poor Perimeter Protection
• Electronic
• Physical
14. What: Training Topics
Data Backup/Restore
Physical Security
Portables
Social Engineering
ID/Passwords
E-mail
Wireless
Malicious Software
15. Data Backup/Restore
Users are responsible for communicating their needs
IT is responsible for making sure it happens
• Included in IT procedures
• Tools supplied to users
16. Physical Security
Every User is an Extension of the Security Force
Lock Offices as Often as Practical
Restrict Open External Entrances
Technology
• Cameras
• Motion sensors
• Alarm systems
• Tags
17. Portables
Favorite Target of Thieves
Less Likely to Draw Attention
Easily Hidden
“Turn” Fast at Pawn Shops and Online
Almost Always Contain “Sensitive” Data
18. Social Engineering
“This is (manager, director, etc.) and I need…”
“This is Sue with the Help Desk and we are:
• verifying your passwords…”
• troubleshooting logon problems…”
• got your (bogus) request to change your…”
E-mail Attachments
Dumpster Diving
Recover Data from Surplus Equipment/Media
19. ID/Passwords
Users are responsible for what happens with their ID/password
If you HAVE to write them down, treat the paper like a credit card
Change passwords if there is a possibility they have been compromised
Use complex passwords
The sanctions for not protecting login credentials are…
20. From the University of Michigan
Passwords Are Like Underwear:
Change yours often!
Don’t leave yours lying around!
The longer the more protection!
Don’t share yours with friends!
Be mysterious!
21. E-Mail
E-mails Exist in Multiple Places
Deleting an E-mail from One Place Does Not Delete it from Anywhere Else
Be Aware of “bcc”
Spam Effects and Avoidance
Verify Attachments Before Opening
Don’t Send Confidential Information via Standard E-mail
E-mail Can be Forged
22. Wireless
Don’t Plug in Your Own Wireless Access Point
Don’t Change the Secure Configuration:
• To make it work with your home network
• So it will connect in the airport
• To access other facilities' networks
Use a Wire When Available
• Faster
• More secure
• Less competition for access point bandwidth
23. Malicious Software
Leave Virus Protection and Firewall Programs
Running
Check for or Allow Updates
Recognize Potential Malicious Activities:
• Hard drive running when no programs are running
• Unusual or unexpected logon screens
• Boot-up speed or sequence changes
• Performance degradation
• Returned e-mails
Others?
24. What: Acceptable Use Policy/Agreement
Include All Security Topics
Templates and Examples are Available Online
Include in Training
Have Users Sign
May Include Confidentiality and Privacy
25. When: Security Awareness Training
Prior to System/Facility Access
• Require security training
• Have Acceptable Use Policy, Confidentiality, Privacy and other agreements signed
Ongoing
• New Hire
• Reminder
• Annual
• Include security every chance
Non-employees
26. Where and How: Security Awareness Training
Posters
Newsletters
Login Dialogue Boxes
E-mails
Display Tables
Contests
“Mystery Guest”
27. Tests for Understanding
Positives
• Proof that learning occurred
• Program improvements
Negatives
• Proof that learning did not occur
• Handling the failures
28. Documentation
Annual Plan
Who/What/When Matrix
Proof of Occurrence
Quality Review
Meeting Minutes
29. From George Mason University
S.E.C.U.R.E. I.T.
Simple (All users can implement these procedures)
Effective (Problems are solved by following procedures)
Concerned (All users should be concerned about security)
Useful (Procedures keep resources safe and available)
Responsibility (All users must follow the AUP)
Economical (Resources are protected and conserved)
Information (Confidentiality, integrity, accessibility)
Technology (Hardware is protected and preserved)