Security 101: Training, Awareness, and Strategies
Stephen Cobb, CISSP, Senior Security Researcher, Eset Na
[Chart: assets worth looting versus level of protection, with Enterprises at one end, Consumers at the other, and SMBs in the attackers' "sweet spot" between them]
The challenge
Organizations of every type rely on computers to handle information
Everyone today is a computer user
Most have no security training
Lack of security training leads to problems
How big is the challenge
We asked U.S. consumers if they had ever received any computer security training
Yes: 32%  No: 68%
Yes: 27%  No: 73% (*Ponemon Institute)
Trojan terminates escrow firm
$1.1 million wired to China and could not be retrieved
Firm was closed by state law, now in receivership, 9 people out of a job
So what's the best weapon for keeping that kind of Trojan code out of your company's system?
A well-trained workforce
Knows not to click on suspicious links in email or social media
Knows to report strange activity (e.g. the two-factor authentication not working)
Knows to scan all incoming files for malware
  Email, USB drives
Does training make a difference?
Yes
A significant percentage of problems can be averted, or their impact minimized, if more employees get better security training and education*
CREDENTIALS
Do you know how the bad guys operate?
Popular attack technique: malware server, command and control
RAT has full access to victim PC
  And its network connections
  Search and exfiltrate files
  Access to webcam and audio
  Scrape passwords
  Execute system functions
  Chat with victim
What happens next?
So how do we move forward?
The road map: A B C D E F
Assess your assets, risks, resources
Build your policy
Choose your controls
Technology
Deploy controls
Educate employees, execs, vendors
Further assess, audit, test
Assess assets, risks, resources
Assets: digital, physical
If you don't know what you've got, you can't protect it!
Risks
  Who or what is the threat?
Resources
  In house, hired, partners, vendors, trade groups, associations
Build your policy
Security begins with policy
Policy begins with C-level buy-in
High-level commitment to protecting the privacy and security of data
Then a set of policies that spell out the protective measures, the controls that will be used
Choose controls to enforce policies
For example:
Policy: Only authorized employees can access sensitive data
Controls:
  Require identification and authentication of all employees via unique user name and password
  Limit access through application(s) by requiring authentication
  Log all access
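The policy-to-controls mapping above can be made concrete in code. The following is an added example, not from the slides or from ESET, of one small application layer that enforces all three listed controls: unique user name plus password, authentication demanded by the application before sensitive data is returned, and an audit record for every access attempt, successful or not. All user names, passwords and records are constructed sample data; the functions authenticate() and read_sensitive() are hypothetical names chosen for the example.

```python
"""Minimal enforcement of the policy "only authorized employees can access
sensitive data" using the three controls from the slide.  Added example;
every user, password and record here is constructed sample data."""
import hashlib
import hmac
import logging
import os
from dataclasses import dataclass
from typing import Optional

log = logging.getLogger("access")
logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")

# In-memory audit trail so the example can show what gets recorded; a real
# deployment would ship these entries to a write-once log store or SIEM.
AUDIT: list = []


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a leaked user table does not reveal passwords directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class User:
    username: str                    # control 1: unique user name
    salt: bytes
    pw_hash: bytes
    authorized_for_sensitive: bool   # the policy: only authorized employees


def make_user(username: str, password: str, authorized: bool) -> User:
    salt = os.urandom(16)
    return User(username, salt, _hash_password(password, salt), authorized)


# Constructed directory: one authorized clerk, one intern who is not authorized.
USERS = {u.username: u for u in [
    make_user("alice", "correct horse battery staple", authorized=True),
    make_user("bob", "hunter2", authorized=False),
]}

# Constructed sensitive data behind the application.
SENSITIVE_RECORDS = {"escrow-001": "wire instructions (constructed sample)"}


def _audit(event: str, username, record=None, outcome: str = "") -> None:
    entry = {"event": event, "user": username, "record": record, "outcome": outcome}
    AUDIT.append(entry)              # control 3: log all access, granted or denied
    log.info("%s", entry)


def authenticate(username: str, password: str) -> Optional[str]:
    """Control 1: verify the unique user name and password.
    Returns a session identifier on success, None on failure."""
    user = USERS.get(username)
    if user is None:
        _audit("login", username, outcome="denied: unknown user")
        return None
    # compare_digest avoids leaking information through comparison timing.
    if not hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash):
        _audit("login", username, outcome="denied: bad password")
        return None
    _audit("login", username, outcome="ok")
    # Simplification for the example: the session id is the user name itself.
    return username


def read_sensitive(session: Optional[str], record_id: str) -> Optional[str]:
    """Control 2: the application itself refuses to hand out sensitive data
    unless the caller holds an authenticated session for an authorized user."""
    if session is None or session not in USERS:
        _audit("read", session, record_id, "denied: not authenticated")
        return None
    if not USERS[session].authorized_for_sensitive:
        _audit("read", session, record_id, "denied: not authorized")
        return None
    _audit("read", session, record_id, "ok")
    return SENSITIVE_RECORDS.get(record_id)


if __name__ == "__main__":
    s = authenticate("alice", "correct horse battery staple")
    print(read_sensitive(s, "escrow-001"))        # authorized: record returned
    print(read_sensitive(authenticate("bob", "hunter2"), "escrow-001"))  # None
    print(read_sensitive(None, "escrow-001"))     # None: never authenticated
```

Note that the example returns the user name as the session identifier purely to keep the code short; a production application would issue an unguessable random session token and expire it. The point the slide makes survives either way: every path to the sensitive record passes through authentication, authorization and an audit entry, so a later review can answer "who read what, and when".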
Deploy controls, ensure they work
Put control in place; for example, antivirus (anti-malware, anti-phishing, anti-spam)
Test control
  Does it work technically?
  Does it work with your work?
  Can employees work it?
Educate everyone
Everyone needs to know
  What the security policies are
  How to comply with them through proper use of controls
Pay attention to any information-sharing relationships
  Vendors, partners, even clients
Clearly state consequences of failure to comply
Who gets trained?
Everyone, but not in the same way; break it down:
All-hands training
IT staff training
Security staff training
How to deliver training
In person
Online
On paper
In house
Outside contractor
Mix and match
Be creative
Incentives?
Yes!
To launch programs, push agendas
Prizes do work
But also make security part of every job description and evaluation
Use your internal organs of communication!
Newsletter
Intranet
Bulletin board
Meetings
Company-wide email
How to do awareness
Make it fun
Make it relevant
Leverage the news
Bear in mind that everyone benefits from greater awareness, at work and at home
Resources to tap
Industry associations
FS-ISAC, NH-ISAC, others
CompTIA, SBA, BBB
ISSA, ISACA, SANS, (ISC)2
Local colleges and universities
Securing Our eCity
Need more motivation?
Security training is the law
HIPAA
Red Flag Identity Theft Prevention
Gramm-Leach-Bliley, Sarbanes-Oxley
FISMA
Or required by industry
PCI Data Security Standard
Or just plain required
  To get that big juicy contract
Many companies now require suppliers to certify that they have security training and awareness programs in place as a condition of doing business
Further assess, audit, test
This is a process, not a project
Lay out a plan to assess security on a periodic basis
Stay up-to-date on emerging threats
Stay vigilant around change such as arrivals, departures, functionality
The Technology Slide
Authenticate users
Firewall and scan: incoming traffic, emails, files
Monitor devices
Filter and monitor media
Encrypt outbound