NTXISSA Cyber Security Conference – November 10-11, 2017 @NTXISSA #NTXISSACSC5
Laurianna Callaghan, CISSP, CCNA Security
Security Awareness Program: From 0 to Maturity
Information Security
11/11/2017
AGENDA
• Why bother with the human?
• Simple program.
• Mature program.
• Next steps.
WHY BOTHER WITH THE HUMAN?
STATISTICS
• Statistics against the human are daunting.
• Humans are the prevalent enabler of attacks from the outside.
• The stronger your security, the more humans will become targets.
[Chart: quarterly bar charts (1st–4th Qtr) for Technology, Compliance and Culture]
“JUST ONE CLICK”
• Fallacy: If one person in a company clicks, we might as well not teach anyone.
• If enough people report spam, Security may be able to take quick action.
• Fewer devices would get infected by malware.
• If using an anti-virus, other companies will benefit.
• Security Awareness saves time, effort and money.
LACK OF CONTROL
• For the most part, you can control technology through proper configuration and prevention.
• Humans are unpredictable and cannot be configured. They require a different method of security.
Some don’t care. Some don’t understand. Some don’t know. Some just want to be left alone.
SLEEP
• A truly mature security awareness program can help you sleep.*
• From security awareness alone, a mature dashboard can help determine which technology is “in danger.”
• Think of what can be done when consolidating metrics with other secure applications and AI programs.
*This statement not evaluated by the FDA.
KEEPS YOU UP AT NIGHT
SIMPLE PROGRAM
SANS MATURITY MODEL
NON-EXISTENT
• Smaller companies.
• Small home-grown companies.
• No perceived need for PCI-DSS or HIPAA, etc.
• Companies that don’t know what to do.
• Companies that don’t follow regulations.
COMPLIANCE FOCUSED
• Most simple programs include just 1 or 2 projects.
• Trinkets and training only.
• Newsletter or other form of sending tips and information.
• Humans choose whether they participate, and many don’t.
• Forgo the Security Awareness Life Cycle.
[Image: “Be Secure” button]
PROMOTING AWARENESS
• Understands behavior change.
• Teaches home and travel security.
• Program consistent annually.
• Targets specific behaviors.
• Continual reinforcement.
• Learn by example.
• Changes behavior.
CULTURE CHANGE
• Focuses beyond training with multiple delivery methods.
• Follows the Security Awareness Life Cycle.
• Consistent review of program with updates.
• Executive buy-in.
• Budget resources.
MATURE PROGRAM
SANS MATURITY MODEL
MATURE PROGRAM
• Metrics track progress and measure impact.
• Each project is planned, analyzed, designed, implemented and continually maintained.
• Given a technology, the dashboard can show which human and insecure activity poses the greatest danger.
• Awareness programs continually improve with time.
• A culture is built inherently that humans want to participate in.
• Program and projects are robust.
CHANGE
• Change our need for control when it comes to the human factor.
• Change will bring more than you’ve ever dreamed of to your whole security program and team.
• Customer service is key.
• Your department’s reputation has everything to do with it.
• Have “honey” at the ready.
• You can catch more flies with honey than you can with vinegar.
• Plan fun activities.
• What do they know about the Security Dept.?
BUY IN
• Humans must have a stake in the game.
• “What’s in it for me?”
• Protect your family.
• Protect your 401k/retirement funds.
• Gain useful items.
• Gain fun prizes.
• Share with others (knowledge).
• Resume builder for some.
DASHBOARD
• Includes metrics:
• Compliance
• Incident
• Culture
• Technology
• Others
COMPLIANCE METRICS
• Regulations not followed.
• Internal Audit
• Outside Audits
• Specialized Audits
• Training course completions.
• Remote employee attestations.
• Non-compliancy reports received to audit/security.
• Policy not followed.
[Chart: quarterly bar charts (1st–4th Qtr) for Training Completions, Attestations and Non-Compliant]
INCIDENT METRICS
• SPAM and phishing reported.
• Social engineering phone calls reported.
• Phishing texts reported.
• Number of brute forced passwords cracked.
• Screen viewable area checks.
• Confidential data printed and left unattended checks.
• Screen lock checks.
[Chart: quarterly bar charts (1st–4th Qtr) for SPAM, Security Check and Passwords Cracked]
CULTURE METRICS
• Number of respondents to SA surveys.
• Number of attendees at road shows.
• Number of newsletter readers.
• Number of complimentary emails to program.
• Number of badge warnings.
• Number of visits to intranet site.
[Chart: quarterly bar charts (1st–4th Qtr) for Road Show Attendance, Newsletter Unique Views and Intranet Unique Views]
TECHNOLOGY METRICS
• Phishing and other SA metrics go much, much further than a simple program.
• Learn which databases, which machines, etc. are at the greatest risk.
[Chart: quarterly bar charts (1st–4th Qtr) for Server Z, Database A and Data Store 3]
AWARENESS LIFE CYCLE
• Follow the Security Awareness Life Cycle (SALC)*:
• Requirement analysis
• Design
• Implement
• Test and integrate
• Maintain and Evolve
• SALC applies to each project.
*Software/Systems Development Life Cycle (SDLC)
NEXT STEPS
• Discuss a Security Awareness program with your CSO.
• Get executive buy-in. Present or invite FBI, Police or other authoritative speaker(s).
• Navigate to SANS Securing the Human.
• Discuss the importance of human security to your CISO and/or CSO. Use real examples.
• Follow the SANS maturity model to find your company’s level and challenge them to move forward.
QUESTIONS
Thank you