Security Awareness Chris Merkel Director, IS Security Brunswick Corporation

Security Awareness - Defined, Managed and Measured



We need to have an understanding of what actually constitutes "awareness". In addition, we also need to be able to measure people's awareness, which isn't always easy.


Page 1: Security Awareness - Defined, Managed and Measured

Security Awareness
Chris Merkel
Director, IS Security
Brunswick Corporation

Page 2: Security Awareness - Defined, Managed and Measured

Why “Awareness”?

…when I have an IDS/IPS, UTM Gateway, Encryption, DLP, Vuln Scanning, Patch Management, AV, HIDS, WAF, SIEM, Secure Code Review, Whitelisting, MDM, cable locks, lo-jack and epoxy in all of my USB ports!!!!

Page 3: Security Awareness - Defined, Managed and Measured

Hint: You don’t have a technology problem.

“A computer lets you make more mistakes faster than any invention in human history – with the possible exception of handguns and tequila.”

- Mitch Ratcliffe

Page 4: Security Awareness - Defined, Managed and Measured

What is awareness?

Page 5: Security Awareness - Defined, Managed and Measured

This is not awareness:

Page 6: Security Awareness - Defined, Managed and Measured

Neither is this:

[Pie chart: Percentage of US Employees Completing Security Awareness Module in the Past 12 mo. Slices: 92%, 5%, 3%; legend: Complete / Incomplete; stamped COMPLIANT]

Page 7: Security Awareness - Defined, Managed and Measured

…or this:

Page 8: Security Awareness - Defined, Managed and Measured

Awareness is knowledge:

• That *you* are being targeted as part of a larger campaign to steal something.
• Within your specific business risk context.
• Which will require you to be able to identify suspicious “things”.
• To understand and avoid a negative outcome.
• By taking appropriate action.
• Or immediate corrective actions, if a thoughtless or incorrect choice is made.

Page 9: Security Awareness - Defined, Managed and Measured

Excellent Awareness

Poster

What’s the problem?

How does it affect me?

What should I do?

Page 10: Security Awareness - Defined, Managed and Measured

Does Awareness “Work”?

Common criticisms:
• One click, by one user, and you’re compromised, so why bother?
• We told them not to do that, and they still did it.
• They didn’t remember our advice.

Page 11: Security Awareness - Defined, Managed and Measured

Our Goal: Harm Reduction, Not Elimination

Page 12: Security Awareness - Defined, Managed and Measured

Awareness Ideas

• Publish informational content in your IT knowledgebase / wiki.
• Periodic informational emails.
• “Point of failure” education on your internet gateways.
• “Coaching” people when they visit sites common to scams.
• Internal phishing campaigns.
• Scam bounty programs.
• Annual, self-paced, awareness training.

Page 13: Security Awareness - Defined, Managed and Measured

Measuring Efficacy – A Must

The best possible outcome is that *nothing* happens. Measure that.

Next best option – reduction in bad things:
- Web content filter hits.
- Phishing assessments.
- Anti-virus hits / infections.

Page 14: Security Awareness - Defined, Managed and Measured

But….

Correlation ≠ Causation

Be rigorous with your data.
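One way to put the two measurement slides into practice (an added example, not from the talk): track the click rate of each internal phishing assessment with a confidence interval, and only call a quarter-over-quarter drop a "reduction" when a two-proportion test says it is not noise. The campaign counts below are constructed sample data.

```python
import math
from typing import Dict, List, Tuple

# Constructed sample data (not from the talk): one row per internal phishing
# assessment, as (campaign, users_emailed, users_who_clicked).
CAMPAIGNS = [
    ("Q1", 1200, 186),
    ("Q2", 1250, 140),
    ("Q3", 1180, 95),
    ("Q4", 1300, 91),
]

def wilson_interval(clicks: int, n: int, z: float = 1.96) -> Tuple[float, float]:
    """95% Wilson score interval for a click rate; behaves well for small counts."""
    if n == 0:
        return (0.0, 0.0)
    p = clicks / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))

def two_proportion_z(c1: int, n1: int, c2: int, n2: int) -> float:
    """z statistic for H0: campaign 1 and campaign 2 have the same click rate.
    Positive when campaign 1's rate is higher (i.e. the rate dropped)."""
    p1, p2 = c1 / n1, c2 / n2
    pooled = (c1 + c2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    return (p1 - p2) / se if se else 0.0

def campaign_report(campaigns=CAMPAIGNS) -> List[Dict]:
    """Per campaign: click rate, its interval, and whether the drop from the
    previous campaign is significant at the 5% level (z > 1.96).
    A significant drop is still only a correlation with the awareness work,
    not proof that the awareness work caused it."""
    rows, prev = [], None
    for name, n, clicks in campaigns:
        lo, hi = wilson_interval(clicks, n)
        row = {"campaign": name, "rate": clicks / n, "ci": (lo, hi),
               "significant_drop": None}
        if prev is not None:
            prev_n, prev_clicks = prev
            row["significant_drop"] = two_proportion_z(prev_clicks, prev_n, clicks, n) > 1.96
        rows.append(row)
        prev = (n, clicks)
    return rows

if __name__ == "__main__":
    for r in campaign_report():
        print(f"{r['campaign']}: {r['rate']:.1%} "
              f"[{r['ci'][0]:.1%}, {r['ci'][1]:.1%}] drop significant: {r['significant_drop']}")
```

On the sample data the Q1 to Q2 and Q2 to Q3 drops are significant, while the Q3 to Q4 drop (8.1% to 7.0%) is not, so it should not be reported as a win.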

Page 15: Security Awareness - Defined, Managed and Measured

Educational Resources:
• SANS Securing the Human blog / newsletter
• US-CERT National Cyber Awareness System
• Krebs on Security
• Office of the National Counterintelligence Executive
• NIST Computer Security Resource Center
• Infragard Center for Information Security Awareness
• FTC – OnGuard Online
• StaySafeOnline.org - National Cyber Security Alliance

Page 16: Security Awareness - Defined, Managed and Measured

Phishing Resources

• Free: SPT
• Commercial:
  ▫ Phish5
  ▫ Phishline
  ▫ Phishme

Page 17: Security Awareness - Defined, Managed and Measured

Thank You! Q&A