Educating the Masses

George J. Dolicker, CISA, CISSP | 06.04.08

New York State Cyber Security Conference 2008 | © 2008 Lenovo

Agenda

In this session you will learn how to develop and deploy a balanced information security training and awareness program that will increase compliance within your regulatory environment, and result in evolved employee behaviors that are more resistant to both insider and outsider attack. There are two main focus areas in achieving these goals:

1) delivering information that meets the needs of the organization and has significant perceived value to the employee; and

2) an in-depth, visceral understanding of what is actually important in information security. You will leave this session with direction on the first, and well on your way on the second.

75 minutes

Agenda

• Agenda
• Two Critical Questions
• Where Training Fits in Your Total Program
• Goals
• A Look at NIST 800-16
• What You Really Need
• Awareness Programs
• Conclusions

Two Critical Questions

How Do You Know?

Whom Do You Trust?

Security Program Essentials

• Policy

• Training and Awareness

• Perimeter

• Host

• Application and Content

• Intrusion Detection

• Incident Response

• Audit and Assessment.

Security Awareness and Training

Goal: To educate the populace so that they...

– Understand what is expected of them
– Are aware of common user errors that can compromise security
– Are aware of common attacks
– Recognize abnormal events
– Understand reporting avenues for suspicious events or activities

… comply with applicable contracts, statutes, and regulations.

Security Awareness and Training

• Consistently the Best Value for Dollars Spent

• Combats 50%-80% of all Attacks

• Raises the Index of Suspicion.

Security Awareness and Training

• New-Hire Training

• Annual Certification of Policy Understanding and Compliance

• Customized Training for those with Elevated Privileges

• On-going Awareness Events and Stunts.

Training vs. Awareness

Training is more formal, having a goal of building knowledge and skills to facilitate job performance. The learner in a training environment has a more active role in the learning process. The desired outcome of training is a change in behavior.

In Awareness activities, the learner is the recipient of information. Awareness relies on reaching broad audiences with attractive packaging techniques. The desired outcome of awareness is a reinforcement of learned behaviors, and an elevated index of suspicion.

The Training Continuum

ISO-27002 on Training

• Specifies that all employees of the organization and, where relevant, third party users, should receive appropriate training and regular updates in organizational policies and procedures… before access to information services is granted.

• Topics include:

– Security requirements
– Legal responsibilities
– Business controls
– Appropriate use
– Log-on procedure
– Use of software packages.

A Look Inside NIST 800-16: Information Security Technology Training Requirements: A Role- and Performance-Based Model

IT Security Training Matrix

Six Functional Specialties

Three Major Training Areas

(One Spare in Each Category)

Functional Specialties

Manage

– Chief Information Officer (CIO)
– System Designer/Developer
– Information Resources Manager
– System Administrator
– Network Administrator
– Database Administrator
– Data Center Manager
– IT Security Officer/Manager
– Program Manager
– System Owner

Functional Specialties

Acquire

– Contracting Officer

– Information Resources Management

– IT Security Officer/Manager

– Source Selection Board Member

– Telecommunications Specialist

– System Owner

Functional Specialties

Design and Develop

– Auditor, Internal
– Chief Information Officer (CIO)
– Information Resources Manager
– System Owner
– IT Security Officer/Manager
– Records Management
– Privacy Officer
– Database Administrator
– Program Manager
– IT Security Officer/Manager
– Network Administrator
– Programmer/Systems Analyst
– System Administrator
– System Designer/Developer
– Systems Operations Personnel

Functional Specialties

Implement and Operate

– Programmer/Systems Analyst
– Internal Auditor
– Chief Information Officer
– Program Manager
– Information Resources Manager
– System Owner
– Data Center Manager
– System Designer/Developer
– Database Administrator
– System Administrator
– IT Security Officer/Manager
– Systems Operations Personnel
– Network Administrator
– Technical Support Personnel

Functional Specialties

Review and Evaluate

– External and Internal Auditors

– Certification Reviewer

– Information Resources Manager

– IT Security Officer/Manager

– CIO

– System Owner

– Program Manager

Functional Specialties

Use

– User

(’magine that!)

Training Areas

Laws and Regulations

The types of knowledge, skills, and abilities relative to the laws and regulations pertaining to information and asset protection that govern the management and use of IT within the organization. These may include HIPAA, GLBA, Sarbanes-Oxley, and 21 CFR Part 11, as well as policies and procedures specific to an organization.

Training Areas

Security Program

Knowledge, skills and abilities relative to the establishment, implementation, and monitoring of an IT Security Program within an organization.

Training Areas

System Life Cycle Security

Knowledge, skills and abilities relative to the nature of IT security needed throughout each phase of a given system’s life cycle. In this instance, a six-phase system life cycle model was used (Initiation, Development, Test and Evaluation, Implementation, Operations, and Termination).

IT Security Training Matrix

Six Functional Specialties × Three Major Training Areas − Non-Applicable Combinations = 46 Discrete Security Program Training Modules!

IT Security Training Matrix

The Good News: That’s All You Need! Mix and match to meet individual needs.

The Bad News: Yours is Different from Everybody Else’s… and it changes with

• Technology
• Corporate Culture
• The Threat Environment
• Your Security Policy
• And TIME.

Mix & Match Modules by Role

But What Do You Really Need?

• Training Programs Based on a Combination of Policies and Good Practices

• A Limited Group of “Roles”:

– All Users
– Management
– Audit and Security
– IT
  • Operations
  • Development.

ISO-27002 on Training

Recommended Topics include:

– Security requirements

– Legal responsibilities

– Business controls

– Appropriate use

– Log-on procedure

– Use of software packages.

Delivery Vectors

• Instructor-led
• Webinar
• Web-based
• Video
• CBT
• Pamphlets as adjuncts

Security Policy-at-a-Glance

It is the individual responsibility of every X-Corp employee to protect the Confidential information assets of the Company. You may also see Confidential information referred to as “sensitive”, “personal”, “privileged”, “proprietary”, or other similar terms. When in doubt, treat all X-Corp information as if it were Confidential. X-Corp systems are for Company use only. X-Corp Reserves the Right to Monitor, Access, Store, Disclose, and Use for Any Purpose All Electronic Data or Communications On Company Systems.

- Secret Squirrel, Chief Information Officer

Definitions:

Information is everything that is written on paper, stored in a computer system or PC, sent over a computer network, or known by employees.

Confidential information is information that would cause damage to the Company if it were released to those outside the Company.

36 Ways to Protect X-Corp’s Information on a Global Basis:

GENERAL

1. Be observant! Report all information security issues or suspicious activity to your supervisor immediately. Supervisor not available? Call Corporate Security and your local IT Security Organization.

2. A PDA or Palm Pilot is a small PC: business information on a PDA must be protected; Confidential information must be encrypted.

3. When in doubt, check the policy or ask your supervisor: don’t guess.

Your PC and User ID

4. Your UserID and Password are your digital identity at X-Corp. Pick a good password, and don’t share it or tell anyone what it is. A good password is at least 8 characters long; is not a word or acronym in any language; and contains letters, numbers, and special characters (e.g. “whim&flex”, “tnx41qso”). Can’t think of a good password? Try the password generator on the security website.

5. Don’t write passwords down anywhere. There is no such thing as a secret hiding place.

6. No one from X-Corp will call you to ask for your password under any circumstances. If someone does call and asks for your password, refuse to give it to them, and immediately report the incident to Corporate Security and your local IT Security Organization.

7. Always lock your workstation before you walk away from it… even for a minute.

8. Use a password-protected screen-saver set for no more than 15 minutes.

9. Report loss of a PC or your authentication device (e.g. SecurID token) to your IT group, site security, and CIT/Corporate Security and your local IT Security Organization.

10. Don’t load any unauthorized software on your Company PC. Contact your local desktop support group with any additional requirements.

11. Always have Company-issued virus software running on your PC.

12. Be alert to who can see your PC screen. This includes positioning your display in your office so it cannot be seen by passers-by.

13. Use only X-Corp email for sending and receiving business-related emails.

14. Store all Company information on X-Corp servers whenever possible, not on your local PC. X-Corp information on your PC must be protected; Confidential information must be encrypted.

15. Back up all business information stored on your local PC to an X-Corp server at least once a month.

16. If your PC is acting abnormally, it may be infected with a virus. Stop using it immediately and call Corporate Security and your local IT Security Organization.

Confidential Information

17. The determination of the classification of information is made by the business unit head.

18. It is your responsibility to classify information and documents that you create. Label all Confidential documents as “X-Corp Confidential”.

19. Confidential information on computer systems or PCs must be encrypted anytime it is NOT IN USE. This includes Confidential information stored on the network server, local PC, or when transmitted or emailed. When in doubt, encrypt it.

20. Confidential information on paper must be locked in a drawer or file cabinet when not in use. Confidential papers should be shredded when discarded, never placed in a trash basket.

21. When in doubt, treat all information as if it were X-Corp Confidential.

The X-Corp Network

22. Encrypt all Confidential information sent over the X-Corp network: the X-Corp network itself does not encrypt information.

23. Use only X-Corp-issued or approved PCs and software to connect to the X-Corp network. Exceptions must be authorized by the X-Corp CIO.

24. Use X-Corp-provided PCs, software, email systems, and Internet gateways for Company business only.

Traveling

25. Use a disk encryption program and a cable lock on all notebook and laptop PCs.

26. Don’t store your PC and SecurID or Smartcard in the same bag or luggage.

27. Never access X-Corp Confidential information, including email, from a public or a competitor’s PC or terminal.

28. Remove the hard disk from your PC and keep it with you in high-risk areas.

29. Be alert to who can see your PC screen. Be particularly cautious when working on your PC while on a train or plane or public place.

Telephones

30. Never give Confidential information over the phone, unless you can identify the caller and verify their legitimate business need to know the information.

31. People tend to talk loudly on a cell phone and are easily overheard. Be extremely observant of your surroundings when discussing Company business on a cell phone. Better yet, wait until you can use a wired telephone.

Printed Information

32. X-Corp has a “Clean Desk” policy. Keep all Confidential and business information stored in locked drawers and cabinets when not in use.

33. Don’t dispose of Confidential papers in the wastebasket: shred them.

34. Collect all papers and erase all boards when finished in a conference room.

Physical Security

35. No one should be in an X-Corp building without a visible X-Corp ID badge. Always wear your X-Corp ID badge in a visible place, and politely but firmly challenge anyone who isn’t wearing an ID badge to present one.

36. Don’t allow anyone entry into an X-Corp building without seeing their X-Corp ID badge.

References and Resources:

X-Security: Do Ask and Do Tell! If you think it is security-related, it IS an emergency.

X-Security Home Page: One-stop shopping for all your security needs and questions, including policies.

888-555-HMMM: Confidential security incident tip reporting line, messages only.

“Evaluation”

<shhh… this means “test”… but we can’t say that>

• Always include evaluations of learning
• Document participation and effectiveness
• Necessary for statutory programs
• Bilateral evaluation: Person and Program

Awareness Programs

Awareness Topics

• Password usage and management

• Protection from viruses, worms, Trojan horses, and other malicious code

• Policy and Compliance

• Unknown e-mail/attachments

• Web usage

• Email

• Spam

• Data backup and storage

• Social engineering

• Incident response

• Shoulder surfing

• Personal use and gain issues

• Handheld device security issues

• Blogging

• Use of encryption.

• Laptop security

• Personally owned systems and software

• Patch Management

• Software license issues

• Supported/allowed software

• Access control issues

• Individual accountability

• Use of acknowledgement statements

• Visitor access

• Desktop security

• Protect information subject to confidentiality concerns

• E-mail list etiquette

• <Your Topic Goes Here!>.

Delivery Vectors

• Messages on awareness tools: posters, “do and don’t” lists, or checklists

• Screensavers and warning banners/messages

• Newsletters

• Desk-to-desk alerts

• Agency-wide e-mail messages

• Videotapes

• Web-based sessions

• Computer-based sessions

• Teleconferencing sessions

• In-person, instructor-led sessions

• IT security days or similar events

• “Brown bag” seminars

• Pop-up calendar with security contact information, monthly security tips, etc.

• Mascots

• Crossword puzzles

• Awards programs

• Audits.

Conclusions

• Effective Security Training and Awareness Programs can gain >90% compliance with policy

• Best “Bang for the Buck”

• Must match YOUR culture and policy

• Requires Executive Charter and Support

• Requires tapping the creative side of the security staff.

Questions?

Don’t Forget the Session Evaluations!
