SlideShare ist ein Scribd-Unternehmen logo

Issa Charlotte 2009 Patching Your Users

Mike Murray
Mike Murray

This document discusses how social engineering threats have replaced direct technical vulnerabilities as the main security risk, due to improvements in operating system security. It argues that traditional security awareness training does not effectively change user behavior because it is treated as mandatory training rather than persuasive marketing. The document advocates applying marketing principles to security awareness, including defining goals, measuring baseline user knowledge, developing an integrated marketing campaign using various communication channels, and re-measuring to evaluate impact and guide iterative improvement of the campaign. A case study example shows how these principles could be applied to a goal of improving password strength.

Technologie
1 von 36
Patching Your Users Defending against the Social Engineering Threat © 2009 – Foreground Security. All rights reserved
Pareto had it right: 20% of our efforts will produce 80% of our results. 2
Numerous Studies: Human error and internal threat responsible for more than 80% of Information Security breaches BUT Only 29% of organizations consider security training as a crucial requirement in preventing security breaches within organizations. 3
Agenda • The Changing Threat Environment • Social Engineering • Your Security Awareness Sucks • Making it really work. © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
A History Lesson....
The Vulnerability Cycle Human / Network Organization Service / Client Server Application 6
The History of Security Commercial Vulnerability Assessment Sasser Nimda Commercial Blaster Loveletter Firewalls Slammer Commercial Data Leakage Kevin Vulnerability Management Prevention Mitnick Snort Melissa Spyware Code Red SATAN Commercial Commercial Morris IDS Anti-Spyware Nessus Worm Phishing Kevin IPS & UTM Commercial Poulsen SIM/SEM You Are Here 1985 1995 2005 Human Network Server Web App Client Organization 7
The Early Years • Those were the days – Software Vulnerabilities weren’t significant - most based on configuration weakness – Only a handful of people understood how to exploit technologies – Small Target Surface - Few internet-connected computers – Focus was on phone phreaking and academia • Social Engineering reigned supreme – Most successful attacks involved social engineering – Unsophisticated controls environments – Few understood the jargon – Policies encouraged trust over security © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
The Kevins 9 © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
The Internet Era • Two Vital Dates – October 13, 1994 • Mosaic Netscape 0.9 released • The web becomes easy to navigate – August 24, 1995 • Windows 95 Released • Home computer use proliferates massively • The Internet Experiences exponential growth – Money starts to change hands – Internet connected computers become a viable target • This creates a target rich environment... 10 © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
Attacking Computers Directly • Phrack 49 - November 8, 1996. – Aleph1 - Smashing the Stack for Fun and Profit • Readily available exploit code actually makes breaking in to computers easier – The “golden age” of server hacking begins. • 1996-2003 - More of the same – Memory attacks become more sophisticated – Polymorphic shell-code designed to evade detective controls – More advanced use of memory spaces (format strings, integer exploits) 11 © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
August 4, 2004 • Windows XP Service Pack 2 Appears – Microsoft finally hardens their operating systems – The world changes overnight – Security is now baked in to the computer. • Server based vulnerabilities disappear – As massive server-based vulnerabilities disappear, client interaction becomes key – The number of issues continues to increase but the type of issues starts to change radically © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
Difficulty of Exploitation Human Vulnerabilities Difficulty of Exploit Technical Vulnerabilities 1985 1995 2005
The New Vulnerable Element • Since 2005 – No major direct-exploitation worm outbreaks – Less than a handful of “remote root” direct exploitation vulnerabilities • Major Classes of Attacks – Drive-by Download – Exploitation through Email, Web and Social Networking Sites – Phishing / Pharming / Spear-Phishing • What’s the similarity? – If you said “human interaction”, you get a gold star. 14 © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
The human/organization are the main exploit targets again.
Social Engineering • Defined (by Wikipedia): – “The practice of obtaining confidential information by manipulating users.” • The Art of Exploiting Human Weakness – Humans are social creatures – Human nature makes us vulnerable to each other – Social engineers exploit weaknesses in human nature to obtain information or access to computer systems. – A Confidence Trick - Social Engineering is the age-old art of the “Confidence Man” • The bad guys are exploiting your people © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
Only two things are infinite: the universe and human stupidity. And I'm not sure about the former. - Albert Einstein 1 7
There is no patch for human stupidity. This was the slogan on a T-shirt a couple of years ago.
Security Awareness Training • The solution for social engineering – Train your users on security topics – Use case-study training and scenarios so that users understand. – Ensure that users complete at least one multiple-choice test per quarter – Make sure that users pass, and they are now “aware”. • Two step process – Decide what we want the user to know – Find ways to “train” them on those things. • This is how most corporations are approaching user protection © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
The Security Awareness Process What do we want the users to know? Move to Next Goal Determine ways to teach users and deliver those messages 20
Unfortunately… • We recently surveyed a number of security pros in orgs with security awareness programs: – “If you could wake up tomorrow and the users understood 3 things about security, what would they be?” • We heard answers like: – Separation of duties / Principle of Least privilege – Seeing the big picture of enterprise security – Password Hygiene – Internet Hygiene – How to do business WHILE following policy – That security is their responsibility. – That there really are bad people who are out to get them. – Infosec isn’t there to stop you from doing your job.
So… Why Don’t They Know Those Things Already?
Typical CISO/CIO/General Counsel Response: We Trained Them!!! They should have “Security Awareness”!!!
Explanation #1 “Users are stupid.”* *Amrit Williams said this on his blog at one point.
Training Doesn’t Work • People aren’t puppies – Requires significant funding – Low uptake level – most users ignore or go through the motions. – The only way to “rub their noses in it” is through an incident • Training is the first thing to cut – When cutting costs, training is viewed as a luxury. – More importantly, ROI is generally not measured – “Success” is nebulous at best • “Training” is the wrong model 25
Solving the Problem • We have two main issues in getting users on-board – Users view security as a braking (breaking?) function – Users believe security is solved by the Information Security Department and that it’s not their responsibility. • The biggest problem: –NEITHER OF THESE ARE TRUE! • These are both perception issues • How do other industries solve perception issues? 26
Explanation #2 “Your marketing sucks.” Mark Stevens 2
The Marketing Process What do we want the users to know? Measure: How many people already know that? Yes – move Determine ways to teach to next goal users and deliver those messages Measure: How many people know that now? No Did we achieve our goals? 28
Measurement Is Key • Good Marketers Measure their Impact – This involves understanding how their messages impact their targets • Goals need to be set based on measurability – Define your goals based on how you will measure them • You Need a Baseline – Measure before you start your “Awareness” efforts – This lets you know how many of your users are already aware • Measure at the End – This gives you an idea of the success of your efforts – This is called “ROI”.
Perception and Reality • Positioning is the art of changing reality. – The technique by which marketers try to create an image or identity in the minds of their target market for its product, brand, or organization. (Wikipedia) • The key question is: How are we positioned? – Strong positioning is the key to strong marketing – What is the position of the following brands? • Rolls Royce • Ferrari • Chevy • Information Security within Your Organization? • What position do you want to have? – What would make you think that? 30
Delivering Your Message • Caveat: It’s far easier to say it than to do it. – They have a say in this process too. – Positioning is a dance between what the users think and what you say • This means you have to say it often. – Rule of thumb: a user has to see your message at least 7 times before your message has ANY effect – This is the main reason that “awareness training” doesn’t work!!! • Breaking the “Awareness Shield” – Users are marketed to repeatedly – We need to break through their “awareness shield”.
The Tool-kit • Marketing – The art of creating favorable impressions in your target audience • 3 Tools of Marketing – PR – Advertising – Direct Interaction • Does this work internally??? 32
7 Steps to Extreme Marketing 1. Marketing is an integrated process 2. Identify innovative initiatives that can command the attention of the marketplace 3. Integrate all the elements of your marketing program 4. Do not engage in any initiatives that fail to produce positive ROI 5. Pick the low hanging fruit first 6. Don’t be linear 7. Be persistent, relentless, inventive, counterintuitive, challenging, combative, strategic and tactical. (Source: Mark Stevens, Your Marketing Sucks) 33
Case Study: Strong Passwords • Goal – Client wants to teach their users to select strong passwords where password controls are not enforceable (e.g. cloud services) • Security Awareness Plan – Send emails telling people to choose strong passwords – Ask users to take multiple choice test that confirms that they know to create strong passwords. 34
Case Study: Strong Passwords • Security Marketing Campaign – Step 1: Measure strength of passwords chosen for baseline • Tools: survey random set of users, create application and test strength, etc. – Step 2: Create Marketing Campaign • Send emails to users – both instructional and examples that offer resources • Use multiple choice tests • Newsletters, articles, etc. • Repeat messages over short period of time – Step 3: Measure strength of passwords, look for changes. • Use SAME measurement technique as baseline – Did we get results? If no, repeat step 2 with different tactics. 35
Questions? Feel free to email: mike@foregroundsecurity.com

Empfohlen

Issa Seattle 5 09 Social Engineering
Issa Seattle 5 09 Social EngineeringIssa Seattle 5 09 Social Engineering
Issa Seattle 5 09 Social Engineering
Mike Murray
 
Think like a hacker for better security awareness
Think like a hacker for better security awarenessThink like a hacker for better security awareness
Think like a hacker for better security awareness
COMSATS
 
Nexus2010 keynote -- ImageSource
Nexus2010 keynote -- ImageSourceNexus2010 keynote -- ImageSource
Nexus2010 keynote -- ImageSource
John Mancini
 
Business Driven Security Securing the Smarter Planet pcty_020710_rev
Business Driven Security Securing the Smarter Planet pcty_020710_revBusiness Driven Security Securing the Smarter Planet pcty_020710_rev
Business Driven Security Securing the Smarter Planet pcty_020710_rev
Shanker Sareen
 
Security Feature Cover Story
Security Feature Cover StorySecurity Feature Cover Story
Security Feature Cover Story
Torrid Networks Private Limited
 
When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...
When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...
When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...
GFI Software
 
Security awarenesspreso draft-v-11
Security awarenesspreso draft-v-11Security awarenesspreso draft-v-11
Security awarenesspreso draft-v-11
Joseph Schorr
 
Wall street journal 22 sept 10 - perspectives on risk it
Wall street journal 22 sept 10 - perspectives on risk itWall street journal 22 sept 10 - perspectives on risk it
Wall street journal 22 sept 10 - perspectives on risk it
Messiernl
 

Empfohlen

Issa Seattle 5 09 Social Engineering
Issa Seattle 5 09 Social EngineeringIssa Seattle 5 09 Social Engineering
Issa Seattle 5 09 Social Engineering
Mike Murray
 
Think like a hacker for better security awareness
Think like a hacker for better security awarenessThink like a hacker for better security awareness
Think like a hacker for better security awareness
COMSATS
 
Nexus2010 keynote -- ImageSource
Nexus2010 keynote -- ImageSourceNexus2010 keynote -- ImageSource
Nexus2010 keynote -- ImageSource
John Mancini
 
Business Driven Security Securing the Smarter Planet pcty_020710_rev
Business Driven Security Securing the Smarter Planet pcty_020710_revBusiness Driven Security Securing the Smarter Planet pcty_020710_rev
Business Driven Security Securing the Smarter Planet pcty_020710_rev
Shanker Sareen
 
Security Feature Cover Story
Security Feature Cover StorySecurity Feature Cover Story
Security Feature Cover Story
Torrid Networks Private Limited
 
When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...
When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...
When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...
GFI Software
 
Security awarenesspreso draft-v-11
Security awarenesspreso draft-v-11Security awarenesspreso draft-v-11
Security awarenesspreso draft-v-11
Joseph Schorr
 
Wall street journal 22 sept 10 - perspectives on risk it
Wall street journal 22 sept 10 - perspectives on risk itWall street journal 22 sept 10 - perspectives on risk it
Wall street journal 22 sept 10 - perspectives on risk it
Messiernl
 
Hybrid Technology
Hybrid TechnologyHybrid Technology
Hybrid Technology
GFI Software
 
7 Things Every Ceo Should Know About Information Security
7 Things Every Ceo Should Know About Information Security7 Things Every Ceo Should Know About Information Security
7 Things Every Ceo Should Know About Information Security
Cindy Kim
 
VIPRE Business Takes a Bite out of Bloatware
VIPRE Business Takes a Bite out of BloatwareVIPRE Business Takes a Bite out of Bloatware
VIPRE Business Takes a Bite out of Bloatware
GFI Software
 
Paradigm Shift! - Customer Information Centric IT Risk Assessments
Paradigm Shift! - Customer Information Centric IT Risk AssessmentsParadigm Shift! - Customer Information Centric IT Risk Assessments
Paradigm Shift! - Customer Information Centric IT Risk Assessments
Fernando Reiser
 
Security and SMBs
Security and SMBsSecurity and SMBs
Security and SMBs
GFI Software
 
Maximizing Security Training ROI
Maximizing Security Training ROIMaximizing Security Training ROI
Maximizing Security Training ROI
Symosis Security (Previously C-Level Security)
 
Pci compliance training agents
Pci compliance training agentsPci compliance training agents
Pci compliance training agents
ocinc
 
All clear id_whitepaper__not_all_breaches_are_created_equal
All clear id_whitepaper__not_all_breaches_are_created_equalAll clear id_whitepaper__not_all_breaches_are_created_equal
All clear id_whitepaper__not_all_breaches_are_created_equal
Nicholas Cramer
 
Security Principles for CEOs
Security Principles for CEOsSecurity Principles for CEOs
Security Principles for CEOs
Morten Bjørklund
 
Small Business Technology Challenges
Small Business Technology ChallengesSmall Business Technology Challenges
Small Business Technology Challenges
Infinity Technologies
 
DSS ITSEC Conference 2012 - Lumension Intelligent Application Whitelisting & ...
DSS ITSEC Conference 2012 - Lumension Intelligent Application Whitelisting & ...DSS ITSEC Conference 2012 - Lumension Intelligent Application Whitelisting & ...
DSS ITSEC Conference 2012 - Lumension Intelligent Application Whitelisting & ...
Andris Soroka
 
Cybrary's navigating a security wasteland
Cybrary's navigating a security wasteland Cybrary's navigating a security wasteland
Cybrary's navigating a security wasteland
Devendra kashyap
 
Print - Overlooked piece of the security puzzle whitepaper - DRAFT
Print - Overlooked piece of the security puzzle whitepaper - DRAFTPrint - Overlooked piece of the security puzzle whitepaper - DRAFT
Print - Overlooked piece of the security puzzle whitepaper - DRAFT
Gerry Skipwith
 
16231
1623116231
16231
James Grant
 
CRTC Cloud Security- Jeff Crume
CRTC Cloud Security- Jeff CrumeCRTC Cloud Security- Jeff Crume
CRTC Cloud Security- Jeff Crume
KrisValerio
 
csxnewsletter
csxnewslettercsxnewsletter
csxnewsletter
Dominic Vogel
 
Buyers Guide to Endpoint Protection Platforms
Buyers Guide to Endpoint Protection PlatformsBuyers Guide to Endpoint Protection Platforms
Buyers Guide to Endpoint Protection Platforms
FindWhitePapers
 
The 10 Secret Codes of Security
The 10 Secret Codes of SecurityThe 10 Secret Codes of Security
The 10 Secret Codes of Security
Karina Elise
 
Protecting Utilities through Business Continuity - Scott Roe, Corporate Risk ...
Protecting Utilities through Business Continuity - Scott Roe, Corporate Risk ...Protecting Utilities through Business Continuity - Scott Roe, Corporate Risk ...
Protecting Utilities through Business Continuity - Scott Roe, Corporate Risk ...
Energy Network marcus evans
 
Rogers eBook Security
Rogers eBook SecurityRogers eBook Security
Rogers eBook Security
Rogers Communications
 
Sockets en c
Sockets en cSockets en c
Sockets en c
MaShYy
 
Hacker Halted 2009 - Owning People through Technology
Hacker Halted 2009 - Owning People through TechnologyHacker Halted 2009 - Owning People through Technology
Hacker Halted 2009 - Owning People through Technology
Mike Murray
 

Weitere ähnliche Inhalte

Was ist angesagt?

Pci compliance training agents
Pci compliance training agentsPci compliance training agents
Pci compliance training agents
ocinc
 
All clear id_whitepaper__not_all_breaches_are_created_equal
All clear id_whitepaper__not_all_breaches_are_created_equalAll clear id_whitepaper__not_all_breaches_are_created_equal
All clear id_whitepaper__not_all_breaches_are_created_equal
Nicholas Cramer
 
The 10 Secret Codes of Security
The 10 Secret Codes of SecurityThe 10 Secret Codes of Security
The 10 Secret Codes of Security
Karina Elise
 

Was ist angesagt? (20)

Hybrid Technology
Hybrid TechnologyHybrid Technology
Hybrid Technology
 
7 Things Every Ceo Should Know About Information Security
7 Things Every Ceo Should Know About Information Security7 Things Every Ceo Should Know About Information Security
7 Things Every Ceo Should Know About Information Security
 
VIPRE Business Takes a Bite out of Bloatware
VIPRE Business Takes a Bite out of BloatwareVIPRE Business Takes a Bite out of Bloatware
VIPRE Business Takes a Bite out of Bloatware
 
Paradigm Shift! - Customer Information Centric IT Risk Assessments
Paradigm Shift! - Customer Information Centric IT Risk AssessmentsParadigm Shift! - Customer Information Centric IT Risk Assessments
Paradigm Shift! - Customer Information Centric IT Risk Assessments
 
Security and SMBs
Security and SMBsSecurity and SMBs
Security and SMBs
 
Maximizing Security Training ROI
Maximizing Security Training ROIMaximizing Security Training ROI
Maximizing Security Training ROI
 
Pci compliance training agents
Pci compliance training agentsPci compliance training agents
Pci compliance training agents
 
All clear id_whitepaper__not_all_breaches_are_created_equal
All clear id_whitepaper__not_all_breaches_are_created_equalAll clear id_whitepaper__not_all_breaches_are_created_equal
All clear id_whitepaper__not_all_breaches_are_created_equal
 
Security Principles for CEOs
Security Principles for CEOsSecurity Principles for CEOs
Security Principles for CEOs
 
Small Business Technology Challenges
Small Business Technology ChallengesSmall Business Technology Challenges
Small Business Technology Challenges
 
DSS ITSEC Conference 2012 - Lumension Intelligent Application Whitelisting & ...
DSS ITSEC Conference 2012 - Lumension Intelligent Application Whitelisting & ...DSS ITSEC Conference 2012 - Lumension Intelligent Application Whitelisting & ...
DSS ITSEC Conference 2012 - Lumension Intelligent Application Whitelisting & ...
 
Cybrary's navigating a security wasteland
Cybrary's navigating a security wasteland Cybrary's navigating a security wasteland
Cybrary's navigating a security wasteland
 
Print - Overlooked piece of the security puzzle whitepaper - DRAFT
Print - Overlooked piece of the security puzzle whitepaper - DRAFTPrint - Overlooked piece of the security puzzle whitepaper - DRAFT
Print - Overlooked piece of the security puzzle whitepaper - DRAFT
 
16231
1623116231
16231
 
CRTC Cloud Security- Jeff Crume
CRTC Cloud Security- Jeff CrumeCRTC Cloud Security- Jeff Crume
CRTC Cloud Security- Jeff Crume
 
csxnewsletter
csxnewslettercsxnewsletter
csxnewsletter
 
Buyers Guide to Endpoint Protection Platforms
Buyers Guide to Endpoint Protection PlatformsBuyers Guide to Endpoint Protection Platforms
Buyers Guide to Endpoint Protection Platforms
 
The 10 Secret Codes of Security
The 10 Secret Codes of SecurityThe 10 Secret Codes of Security
The 10 Secret Codes of Security
 
Protecting Utilities through Business Continuity - Scott Roe, Corporate Risk ...
Protecting Utilities through Business Continuity - Scott Roe, Corporate Risk ...Protecting Utilities through Business Continuity - Scott Roe, Corporate Risk ...
Protecting Utilities through Business Continuity - Scott Roe, Corporate Risk ...
 
Rogers eBook Security
Rogers eBook SecurityRogers eBook Security
Rogers eBook Security
 

Andere mochten auch

Sockets en c
Sockets en cSockets en c
Sockets en c
MaShYy
 
Hacker Halted 2009 - Owning People through Technology
Hacker Halted 2009 - Owning People through TechnologyHacker Halted 2009 - Owning People through Technology
Hacker Halted 2009 - Owning People through Technology
Mike Murray
 
BSides Rhode Island 2013 - Bite the Wax Tadpole (with Katrina Rodzon)
BSides Rhode Island 2013 - Bite the Wax Tadpole (with Katrina Rodzon)BSides Rhode Island 2013 - Bite the Wax Tadpole (with Katrina Rodzon)
BSides Rhode Island 2013 - Bite the Wax Tadpole (with Katrina Rodzon)
Mike Murray
 
Security is Hard
Security is HardSecurity is Hard
Security is Hard
Mike Murray
 
Desarrollo aplicaciones distribuidas sockets
Desarrollo aplicaciones distribuidas socketsDesarrollo aplicaciones distribuidas sockets
Desarrollo aplicaciones distribuidas sockets
dandark2000
 

Andere mochten auch (8)

Sockets en c
Sockets en cSockets en c
Sockets en c
 
Hacker Halted 2009 - Owning People through Technology
Hacker Halted 2009 - Owning People through TechnologyHacker Halted 2009 - Owning People through Technology
Hacker Halted 2009 - Owning People through Technology
 
Issa Vancouver 6 09 Pareto's Revenge
Issa Vancouver 6 09 Pareto's RevengeIssa Vancouver 6 09 Pareto's Revenge
Issa Vancouver 6 09 Pareto's Revenge
 
BSides Rhode Island 2013 - Bite the Wax Tadpole (with Katrina Rodzon)
BSides Rhode Island 2013 - Bite the Wax Tadpole (with Katrina Rodzon)BSides Rhode Island 2013 - Bite the Wax Tadpole (with Katrina Rodzon)
BSides Rhode Island 2013 - Bite the Wax Tadpole (with Katrina Rodzon)
 
Sockets en JAVA
Sockets en JAVASockets en JAVA
Sockets en JAVA
 
Security is Hard
Security is HardSecurity is Hard
Security is Hard
 
(2) enrutamiento estático
(2) enrutamiento estático(2) enrutamiento estático
(2) enrutamiento estático
 
Desarrollo aplicaciones distribuidas sockets
Desarrollo aplicaciones distribuidas socketsDesarrollo aplicaciones distribuidas sockets
Desarrollo aplicaciones distribuidas sockets
 

Ähnlich wie Issa Charlotte 2009 Patching Your Users

Getting users to care about security
Getting users to care about securityGetting users to care about security
Getting users to care about security
Alison Gianotto
 
DLP - Network Security Conference_ Ramsés Gallego
DLP - Network Security Conference_ Ramsés GallegoDLP - Network Security Conference_ Ramsés Gallego
DLP - Network Security Conference_ Ramsés Gallego
Ramsés Gallego
 
vip_day_2._1130_cloud
vip_day_2._1130_cloudvip_day_2._1130_cloud
vip_day_2._1130_cloud
Nicholas Chia
 
Cyber Security at CTX15, London
Cyber Security at CTX15, LondonCyber Security at CTX15, London
Cyber Security at CTX15, London
John Palfreyman
 
DSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems Intelligence
DSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems IntelligenceDSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems Intelligence
DSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems Intelligence
Andris Soroka
 
140707_Cyber-Security
140707_Cyber-Security140707_Cyber-Security
140707_Cyber-Security
Tara Gravel
 
Compliance standards interoperability - Zoltan Precsenyi
Compliance standards interoperability - Zoltan PrecsenyiCompliance standards interoperability - Zoltan Precsenyi
Compliance standards interoperability - Zoltan Precsenyi
e-Democracy Conference
 
The Cyber Security Landscape: An OurCrowd Briefing for Investors
The Cyber Security Landscape: An OurCrowd Briefing for InvestorsThe Cyber Security Landscape: An OurCrowd Briefing for Investors
The Cyber Security Landscape: An OurCrowd Briefing for Investors
OurCrowd
 
LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx
LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptxLogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx
LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx
CNSHacking
 

Ähnlich wie Issa Charlotte 2009 Patching Your Users (20)

A Guide To SMB Network Security Compliance Research Group(1)
A Guide To SMB Network Security Compliance Research Group(1)A Guide To SMB Network Security Compliance Research Group(1)
A Guide To SMB Network Security Compliance Research Group(1)
 
DSS ITSEC Conference 2012 - Cyberoam Layer8 UTM
DSS ITSEC Conference 2012 - Cyberoam Layer8 UTMDSS ITSEC Conference 2012 - Cyberoam Layer8 UTM
DSS ITSEC Conference 2012 - Cyberoam Layer8 UTM
 
"Thinking diffrent" about your information security strategy
"Thinking diffrent" about your information security strategy"Thinking diffrent" about your information security strategy
"Thinking diffrent" about your information security strategy
 
Cyber security do your part be the resistance
Cyber security do your part be the resistanceCyber security do your part be the resistance
Cyber security do your part be the resistance
 
Cyberoam: il futuro della network security!
Cyberoam: il futuro della network security!Cyberoam: il futuro della network security!
Cyberoam: il futuro della network security!
 
Getting users to care about security
Getting users to care about securityGetting users to care about security
Getting users to care about security
 
Cybersecurity Employee Training
Cybersecurity Employee TrainingCybersecurity Employee Training
Cybersecurity Employee Training
 
Data Breach from the Inside Out
Data Breach from the Inside Out Data Breach from the Inside Out
Data Breach from the Inside Out
 
DLP - Network Security Conference_ Ramsés Gallego
DLP - Network Security Conference_ Ramsés GallegoDLP - Network Security Conference_ Ramsés Gallego
DLP - Network Security Conference_ Ramsés Gallego
 
vip_day_2._1130_cloud
vip_day_2._1130_cloudvip_day_2._1130_cloud
vip_day_2._1130_cloud
 
Trending it security threats in the public sector
Trending it security threats in the public sectorTrending it security threats in the public sector
Trending it security threats in the public sector
 
Cyber Security at CTX15, London
Cyber Security at CTX15, LondonCyber Security at CTX15, London
Cyber Security at CTX15, London
 
Ijnsa050215
Ijnsa050215Ijnsa050215
Ijnsa050215
 
Information Security - The Missing Elements
Information Security - The Missing ElementsInformation Security - The Missing Elements
Information Security - The Missing Elements
 
Cybersecurity Myths for Small and Medium-Sized Businesses
Cybersecurity Myths for Small and Medium-Sized BusinessesCybersecurity Myths for Small and Medium-Sized Businesses
Cybersecurity Myths for Small and Medium-Sized Businesses
 
DSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems Intelligence
DSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems IntelligenceDSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems Intelligence
DSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems Intelligence
 
140707_Cyber-Security
140707_Cyber-Security140707_Cyber-Security
140707_Cyber-Security
 
Compliance standards interoperability - Zoltan Precsenyi
Compliance standards interoperability - Zoltan PrecsenyiCompliance standards interoperability - Zoltan Precsenyi
Compliance standards interoperability - Zoltan Precsenyi
 
The Cyber Security Landscape: An OurCrowd Briefing for Investors
The Cyber Security Landscape: An OurCrowd Briefing for InvestorsThe Cyber Security Landscape: An OurCrowd Briefing for Investors
The Cyber Security Landscape: An OurCrowd Briefing for Investors
 
LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx
LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptxLogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx
LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx
 

Kürzlich hochgeladen

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 

Kürzlich hochgeladen (20)

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

Issa Charlotte 2009 Patching Your Users

  • 1. Patching Your Users Defending against the Social Engineering Threat © 2009 – Foreground Security. All rights reserved
  • 2. Pareto had it right: 20% of our efforts will produce 80% of our results. 2
  • 3. Numerous Studies: Human error and internal threat responsible for more than 80% of Information Security breaches BUT Only 29% of organizations consider security training as a crucial requirement in preventing security breaches within organizations. 3
  • 4. Agenda • The Changing Threat Environment • Social Engineering • Your Security Awareness Sucks • Making it really work. © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
  • 6. The Vulnerability Cycle Human / Network Organization Service / Client Server Application 6
  • 7. The History of Security Commercial Vulnerability Assessment Sasser Nimda Commercial Blaster Loveletter Firewalls Slammer Commercial Data Leakage Kevin Vulnerability Management Prevention Mitnick Snort Melissa Spyware Code Red SATAN Commercial Commercial Morris IDS Anti-Spyware Nessus Worm Phishing Kevin IPS & UTM Commercial Poulsen SIM/SEM You Are Here 1985 1995 2005 Human Network Server Web App Client Organization 7
  • 8. The Early Years • Those were the days – Software Vulnerabilities weren’t significant - most based on configuration weakness – Only a handful of people understood how to exploit technologies – Small Target Surface - Few internet-connected computers – Focus was on phone phreaking and academia • Social Engineering reigned supreme – Most successful attacks involved social engineering – Unsophisticated controls environments – Few understood the jargon – Policies encouraged trust over security © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
  • 9. The Kevins 9 © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
  • 10. The Internet Era • Two Vital Dates – October 13, 1994 • Mosaic Netscape 0.9 released • The web becomes easy to navigate – August 24, 1995 • Windows 95 Released • Home computer use proliferates massively • The Internet Experiences exponential growth – Money starts to change hands – Internet connected computers become a viable target • This creates a target rich environment... 10 © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
  • 11. Attacking Computers Directly • Phrack 49 - November 8, 1996. – Aleph1 - Smashing the Stack for Fun and Profit • Readily available exploit code actually makes breaking in to computers easier – The “golden age” of server hacking begins. • 1996-2003 - More of the same – Memory attacks become more sophisticated – Polymorphic shell-code designed to evade detective controls – More advanced use of memory spaces (format strings, integer exploits) 11 © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
  • 12. August 4, 2004 • Windows XP Service Pack 2 Appears – Microsoft finally hardens their operating systems – The world changes overnight – Security is now baked in to the computer. • Server based vulnerabilities disappear – As massive server-based vulnerabilities disappear, client interaction becomes key – The number of issues continues to increase but the type of issues starts to change radically © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
  • 13. Difficulty of Exploitation Human Vulnerabilities Difficulty of Exploit Technical Vulnerabilities 1985 1995 2005
  • 14. The New Vulnerable Element • Since 2005 – No major direct-exploitation worm outbreaks – Less than a handful of “remote root” direct exploitation vulnerabilities • Major Classes of Attacks – Drive-by Download – Exploitation through Email, Web and Social Networking Sites – Phishing / Pharming / Spear-Phishing • What’s the similarity? – If you said “human interaction”, you get a gold star. 14 © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
  • 15. The human/organization are the main exploit targets again.
  • 16. Social Engineering • Defined (by Wikipedia): – “The practice of obtaining confidential information by manipulating users.” • The Art of Exploiting Human Weakness – Humans are social creatures – Human nature makes us vulnerable to each other – Social engineers exploit weaknesses in human nature to obtain information or access to computer systems. – A Confidence Trick - Social Engineering is the age-old art of the “Confidence Man” • The bad guys are exploiting your people © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
  • 17. Only two things are infinite: the universe and human stupidity. And I'm not sure about the former. - Albert Einstein 1 7
  • 18. There is no patch for human stupidity. This was the slogan on a T-shirt a couple of years ago.
  • 19. Security Awareness Training • The solution for social engineering – Train your users on security topics – Use case-study training and scenarios so that users understand. – Ensure that users complete at least one multiple-choice test per quarter – Make sure that users pass, and they are now “aware”. • Two step process – Decide what we want the user to know – Find ways to “train” them on those things. • This is how most corporations are approaching user protection © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
  • 20. The Security Awareness Process What do we want the users to know? Move to Next Goal Determine ways to teach users and deliver those messages 20
  • 21. Unfortunately… • We recently surveyed a number of security pros in orgs with security awareness programs: – “If you could wake up tomorrow and the users understood 3 things about security, what would they be?” • We heard answers like: – Separation of duties / Principle of Least privilege – Seeing the big picture of enterprise security – Password Hygiene – Internet Hygiene – How to do business WHILE following policy – That security is their responsibility. – That there really are bad people who are out to get them. – Infosec isn’t there to stop you from doing your job.
  • 22. So… Why Don’t They Know Those Things Already?
  • 23. Typical CISO/CIO/General Counsel Response: We Trained Them!!! They should have “Security Awareness”!!!
  • 24. Explanation #1 “Users are stupid.”* *Amrit Williams said this on his blog at one point.
  • 25. Training Doesn’t Work • People aren’t puppies – Requires significant funding – Low uptake level – most users ignore or go through the motions. – The only way to “rub their noses in it” is through an incident • Training is the first thing to cut – When cutting costs, training is viewed as a luxury. – More importantly, ROI is generally not measured – “Success” is nebulous at best • “Training” is the wrong model 25
  • 26. Solving the Problem • We have two main issues in getting users on-board – Users view security as a braking (breaking?) function – Users believe security is solved by the Information Security Department and that it’s not their responsibility. • The biggest problem: –NEITHER OF THESE ARE TRUE! • These are both perception issues • How do other industries solve perception issues? 26
  • 27. Explanation #2 “Your marketing sucks.” Mark Stevens 2
  • 28. The Marketing Process What do we want the users to know? Measure: How many people already know that? Yes – move Determine ways to teach to next goal users and deliver those messages Measure: How many people know that now? No Did we achieve our goals? 28
  • 29. Measurement Is Key • Good Marketers Measure their Impact – This involves understanding how their messages impact their targets • Goals need to be set based on measurability – Define your goals based on how you will measure them • You Need a Baseline – Measure before you start your “Awareness” efforts – This lets you know how many of your users are already aware • Measure at the End – This gives you an idea of the success of your efforts – This is called “ROI”.
  • 30. Perception and Reality • Positioning is the art of changing reality. – The technique by which marketers try to create an image or identity in the minds of their target market for its product, brand, or organization. (Wikipedia) • The key question is: How are we positioned? – Strong positioning is the key to strong marketing – What is the position of the following brands? • Rolls Royce • Ferrari • Chevy • Information Security within Your Organization? • What position do you want to have? – What would make you think that? 30
  • 31. Delivering Your Message • Caveat: It’s far easier to say it than to do it. – They have a say in this process too. – Positioning is a dance between what the users think and what you say • This means you have to say it often. – Rule of thumb: a user has to see your message at least 7 times before your message has ANY effect – This is the main reason that “awareness training” doesn’t work!!! • Breaking the “Awareness Shield” – Users are marketed to repeatedly – We need to break through their “awareness shield”.
  • 32. The Tool-kit • Marketing – The art of creating favorable impressions in your target audience • 3 Tools of Marketing – PR – Advertising – Direct Interaction • Does this work internally??? 32
  • 33. 7 Steps to Extreme Marketing 1. Marketing is an integrated process 2. Identify innovative initiatives that can command the attention of the marketplace 3. Integrate all the elements of your marketing program 4. Do not engage in any initiatives that fail to produce positive ROI 5. Pick the low hanging fruit first 6. Don’t be linear 7. Be persistent, relentless, inventive, counterintuitive, challenging, combative, strategic and tactical. (Source: Mark Stevens, Your Marketing Sucks) 33
  • 34. Case Study: Strong Passwords • Goal – Client wants to teach their users to select strong passwords where password controls are not enforceable (e.g. cloud services) • Security Awareness Plan – Send emails telling people to choose strong passwords – Ask users to take multiple choice test that confirms that they know to create strong passwords. 34
  • 35. Case Study: Strong Passwords • Security Marketing Campaign – Step 1: Measure strength of passwords chosen for baseline • Tools: survey random set of users, create application and test strength, etc. – Step 2: Create Marketing Campaign • Send emails to users – both instructional and examples that offer resources • Use multiple choice tests • Newsletters, articles, etc. • Repeat messages over short period of time – Step 3: Measure strength of passwords, look for changes. • Use SAME measurement technique as baseline – Did we get results? If no, repeat step 2 with different tactics. 35
  • 36. Questions? Feel free to email: mike@foregroundsecurity.com