How can a company implement an effective security training program with a limited budget and scarce resources? The first step is to assess needs and define training objectives. Then comes the challenging and often perplexing decision of build versus buy, instructor-led versus CBT (computer-based training), and generic versus customized training that references internal security standards, development policies, and secure coding guidelines. Finally, how does the company define success and measure results? How does the company ensure developers retain and apply the skills they learn to develop secure software?
Kartik Trivedi, Symosis
Kartik is a senior information security, technology, and business professional, renowned speaker and cofounder of Symosis. Symosis is a boutique hi-tech information security consulting firm specializing in software security with focus on delivering solutions for organizations coping with the broad spectrum of security threats, risks, infrastructure needs, and regulatory compliance requirements. Kartik has a decade of experience selling and managing the delivery of services to the Fortune 500. He is a solutions-driven, collaborative leader known for consistently driving profitability and client satisfaction in rapidly growing and evolving organizations.
2. Who am I?
• VP / Co-Founder of Symosis, 10+ years in information security consulting & training: USC, Foundstone, McAfee, Accuvant, C-Level security, etc.
• Invited speaker, author and educator
• MBA, MS Comp Sc, CISM, CISA, CISSP
3. Table of Contents
• Business case for security
• Evolving threats
• How to build an effective training program?
• Case Studies
4. The Business Case for Security
Proper security enables a company to meet its business objectives by providing a safe and secure environment.
5. Impact of Security Breaches
• Loss of Revenue
• Damage to Reputation
• Loss or Compromise of Data
• Damage to Investor Confidence
• Legal Consequences
• Interruption of Business Processes
• Damage to Customer Confidence
6. Dollar Amount Of Loss
The cost of implementing security measures is not trivial; however, it is a fraction of the cost of mitigating security compromises.
* CSI 2006
8. Security Breach Example Costs
Cost of Recent Customer Records Breach
• $6.5 Million: DSW Warehouse costs from data theft
• $5.7 Million: BJ's Wholesale Club from data breach
Additional impact/cost due to lost customers
• 20% of customers have ended a relationship with a company after being notified of a breach (Ponemon Institute)
• 58% said the breach decreased their sense of trust and confidence in the organization reporting the incident
9. TOC
• Business case for security
• Evolving threats
• How to build an effective training program?
• Case Studies
13. Emerging Threats Categories
• Malware
• Botnets
• Threats to VOIP and mobile convergence
• Cyber warfare
• Data thefts
14. Threats becoming increasingly difficult to detect and mitigate
[Chart: threat severity plotted against time (1990, 1995, 2000, 2005, What's next?). Stages, in increasing severity: Testing the Waters (basic intrusions and viruses); Fame (viruses and malware); Financial (theft & damage).]
15. TOC
• Business case for security
• Evolving threats
• How to build an effective training program?
• Case Studies
16. Why Security Training
• Reduce accidental security breaches
• Improve employee behaviour
• Enable the organization to hold employees accountable for their actions
• Build in-depth knowledge to design, implement, or operate security programs for organizations & systems
• Develop skills & knowledge so that computer users can perform their jobs while using IT systems more securely
17. Why Security Training?
• Dissemination & enforcement of policy become easier when training & awareness programs are in place
• Demonstrating due care & diligence can help indemnify the institution against lawsuits
• Improves awareness of the need to protect system resources
19. Step 1: Define Training Objectives
• Compliance, Regulations and Governance
• Client / Partner requirements
• Increase the general level of security awareness
• Reduce the incidences of computer fraud, waste and abuse
• Create a more security-savvy workforce
• Design, develop and maintain secure IT infrastructure and applications
20. PCI Compliance
All service providers with which cardholder data is shared must adhere to the PCI DSS requirements and must sign an agreement acknowledging that the service provider is responsible for the security of the cardholder data the provider possesses.
21. PCI Compliance
The Payment Card Industry (PCI) Data Security Standard mandates a security awareness program that:
• 12.6.1: Educates employees upon hire and at least annually
• 12.6.2: Requires employees to annually acknowledge in writing that they have read and understood the company's security policy and procedures
22. HIPAA Compliance
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates that Covered Entities, which include health plans, healthcare clearinghouses, and most healthcare providers, may not use or disclose individuals' health information for purposes unrelated to providing healthcare, managing their organization, or meeting their obligations under state and federal law, unless individuals specifically authorize them to do so.
23. HIPAA Compliance
Ensuring all employees, including management, agents and contractors in an organization, understand and uphold these rules is no easy task and is, to a large degree, a training and management problem. This is why the Department of Health and Human Services (HHS) has mandated annual privacy and security training, as well as regular reminders for all employees.
24. HIPAA Compliance
• Upper Management Training
• Security Awareness Day
• Security Awareness and Ongoing Training for all staff
• Computer Users' Supervisor Training
• Security "Marketing" Efforts
• Annual System-specific training
• Professional Education Training
25. GLBA Compliance
The Gramm-Leach-Bliley Act of 1999 Employee Training Requirements mandate IT Security Awareness Training for all employees of financial service providers (FSPs) covered by the GLB Act, which includes all companies "engaging in financial activities."
26. GLBA Compliance
• Examples of organizations that are affected by these rules include:
– insurance agencies
– tax preparers
– finance companies
– collections agencies
– leasing agencies
– travel agencies
– financial advisors
27. ISO 27002
• ISO 27002 is an internationally recognized standard published by the International Organization for Standardization covering information security best practices. Many global organizations use this comprehensive standard to gauge their information security programs.
• Provide an adequate level of security education and training to your organization's employees, contractors and third-party users
28. FISMA
• The Federal Information Security Management Act (FISMA) is Title III of the E-Government Act, which requires federal agencies to develop, document, and implement a comprehensive agency-wide information security program.
• Part of such a program is a security training program that educates personnel, including contractors and other users, on their responsibilities in maintaining information security, complying with organizational policies and procedures, and reducing the risks associated with their activities
29. Red Flag Theft Prevention
• Under the new Red Flag regulations, financial institutions and creditors must develop a written program that identifies and detects the relevant warning signs (Red Flags) of identity theft, such as unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents
• Includes appropriate staff training and oversight of any service providers
30. SOX (Sarbanes Oxley)
• Sarbanes Oxley requires the CEO and CFO of publicly traded companies to be held accountable for financial statements filed with the Securities and Exchange Commission and includes criminal penalties for false certification
• Top management must ensure that there are adequate 'internal controls' to ensure reliable financial reporting and protect financial data that resides in information systems
31. Step 2: Assess Needs
• Identify training administrator
– Primary responsibility lies with the Chief Information Security Officer, top management and the security team
32. Assess Needs
• Who needs to be trained and on what?
– All stakeholders: Security Awareness Training, Compliance
– Program Managers: Architecture & Design
– Architects & Developers: Threats, coding mistakes, secure software development
– Testers / QA: Security Test Cases
33. Assess Needs
Functional Background: General User / Managerial User / Technical User
Skill Level: Novice / Intermediate / Expert
Using wrong training methods can:
• Hinder transfer of knowledge
• Lead to unnecessary expense & frustrated, poorly trained employees
34. Step 3: Key Factors
• Build vs. Buy
• Classroom / Instructor Led
• CBT / Web Based
• Generic vs. Customized
• Hosting
35. Build vs. Buy
Build when:
• Business needs are unique
• Internal capability is available
• Proprietary information or data needs to be protected
• Complexity of interface with the company's LMS
• No COTS products, or too costly
Buy to:
• Reduce and control operating costs
• Free internal resources
• Gain access to external capabilities
• Address resource constraints
• Improve company focus
• Share risks
Key considerations - cost, quality, and timeline
36. Costs
• "How to Spend a Dollar on Security" recommends that out of every security dollar you spend:
– 15 cents: Policy
– 40 cents: Awareness
– 10 cents: Risk Assessment
– 20 cents: Technology
– 15 cents: Process
• We have seen it done at anywhere between $5K and $5M in annual costs
Patrick McBride – ComputerWorld
37. Classroom / Instructor Led
• Study away from the office at another location, with time set aside dedicated to learning a new course (and in some cases, for certification, sitting an exam)
• Costs are higher as it involves the course fees, travel, accommodation and other expenses
• Access to a trainer for the duration of the course (and sometimes for a limited period after the course)
• Access to other students during the course and as a potential networking group after the course
38. Computer / Web Based
• Individuals can study in their own time and at their own pace, thereby learning at a rate that they are comfortable with
• Lower costs – CBT is much more cost effective than classroom training. Multi-user options allow a company to train more than one person with the same budget, or less than sending one person on a classroom course
• Combines the "best bits of classroom training", such as video clips of instructor sessions, with the "best bits of reference material", such as technical information and practice questions, to provide a great all-round training experience which is beneficial to both student and employer at the best price available.
39. Generic vs. Customized
• Generic training is cost effective and focuses on core security issues, OWASP Top 10 threats, etc.
• Customization provides training that matches specific needs for content, completion requirements, quiz, policies, and even employee responsibility acknowledgment.
40. Hosting
• Web-based training could be hosted internally or provided as software as a service (SaaS)
• Internal hosting provides greater control but could be resource and cost intensive
• A SaaS service is often turnkey but may limit scalability and usage
41. Step 4: Metrics
• Quiz and survey results
• Content
• People
42. Metrics - Quiz and survey results
• Score Results: How did people score?
• Answer Breakdown: How did people answer?
• Attempt Detail: How did a user answer?
43. Metrics - Content
• Activity: What was the activity for a content item?
• Traffic: How often was an item viewed?
• Progress: How many slides did people view?
• Popular Content: Which content was viewed the most?
44. Metrics - People
• Group Activity: What content did a group view?
• User Activity: What content did a user view?
• Active Groups: Who were my most active groups?
• Active Users: Who were my most active users?
• Guestbook Responses: What were the responses to a guestbook?
45. TOC
• Business case for security
• Evolving threats
• How to build an effective training program?
• Case Studies
46. Case Study 1 - Project management and custom software company
• Challenge:
– Ensure secure coding elements have been taught
– Prevent top 10 threats and teach mitigation techniques
– Meet a time-sensitive requirement under a DoD contract
• Solution:
– Implement best-practices software security training for Java
– Provide access to training on demand from a SaaS model
47.
• Challenge:
– Improve software quality by eliminating common mistakes
– Provide a foundation for everyone to 'own' security
• Solution:
– Create a custom course based on previously identified risks and mitigations
– Integrate security cases into the QA lifecycle
– Measure year-over-year declines in security-related CRs
48.
• Challenge:
– Meet PCI compliance for integrating secure coding practices
• Solution:
– Implement JAVA/.NET secure coding practices
– Address PCI Cardholder Data requirements within application development
49. Thanks for listening… Questions?
Try out free Symosis training at http://www.symosis.com