Maximizing ROI through Security Training (for Developers)
DESCRIPTION
How can a company implement an effective security training program with limited budget and scarce resources? The first step is to assess needs and define training objectives. Then comes the challenging and often perplexing decision of build versus buy, instructor-led versus CBT (computer-based training), and generic versus customized training which references internal security standards, development policies, and secure coding guidelines. Finally, how does the company define success and measure results? How does the company ensure developers retain and apply the skills they learn to develop secure software?
Kartik Trivedi, Symosis
Kartik is a senior information security, technology, and business professional, renowned speaker and co-founder of Symosis. Symosis is a boutique hi-tech information security consulting firm specializing in software security, with a focus on delivering solutions for organizations coping with the broad spectrum of security threats, risks, infrastructure needs, and regulatory compliance requirements. Kartik has a decade of experience selling and managing the delivery of services to the Fortune 500. He is a solutions-driven, collaborative leader known for consistently driving profitability and client satisfaction in rapidly growing and evolving organizations.
TRANSCRIPT
Maximizing ROI through Security Training
Who am I?
• VP / Co-Founder of Symosis, 10+ years in information security consulting & training; USC, Foundstone, McAfee, Accuvant, C-level security, etc.
• Invited speaker, author and educator
• MBA, MS Comp Sc, CISM, CISA, CISSP
Table of Contents
• Business case for security
• Evolving threats
• How to build an effective training program?
• Case Studies
The Business Case for Security
Proper security enables a company to meet its business objective by providing a safe and secure environment
Impact of Security Breaches
Loss of Revenue
Damage to Reputation
Loss or Compromise of Data
Damage to Investor Confidence
Legal Consequences
Interruption of Business Processes
Damage to Customer Confidence
Dollar Amount of Loss
The cost of implementing security measures is not trivial; however, it is a fraction of the cost of mitigating security compromises
* CSI 2006
Cost of Security Breach
* Aberdeen Group August 2010
Security Breach Example Costs
Cost of Recent Customer Records Breach
• $6.5 Million: DSW Warehouse costs from data theft
• $5.7 Million: BJ's Wholesale Club from data breach
Additional impact/cost due to lost customers
• 20% of customers have ended a relationship with a company after being notified of a breach (Ponemon Institute)
• 58% said the breach decreased their sense of trust and confidence in the organization reporting the incident
TOC
• Business case for security
• Evolving threats
• How to build an effective training program?
• Case Studies
Emerging Threats - Attack Methods
* SANS 2010
Emerging Threats - Application Weaknesses
* SANS 2010
Emerging Threats
[Chart: Rapidly Escalating Threat to Businesses. Vertical axis "Target and Scope of Damage", from Individual Computer through Individual Networks, Multiple Networks and Regional Networks up to Global Infrastructure Impact; horizontal axis 1980s, 1990s, Today, Future.]
• First Gen (1980s): boot viruses; time scale: weeks
• Second Gen (1990s): macro viruses, Denial of Service; time scale: days
• Third Gen (Today): Distributed Denial of Service, application threats, malware; time scale: minutes
• Next Gen (Future): flash threats, massive "bot"-driven DDoS, damaging payload worms; time scale: seconds
Emerging Threats Categories
• Malware
• Botnets
• Threats to VOIP and mobile convergence
• Cyber warfare
• Data thefts
Threats becoming increasingly difficult to detect and mitigate
[Chart: Threat Severity over time, 1990, 1995, 2000, 2005, What's Next? Phases: Testing the Waters (basic intrusions and viruses), Fame (viruses and malware), Financial (theft & damage).]
TOC
• Business case for security
• Evolving threats
• How to build an effective training program?
• Case Studies
Why Security Training
• Reduce accidental security breaches
• Improve employee behaviour
• Enable organization to hold employees accountable for their actions
• Build in-depth knowledge to design, implement, or operate security programs for organizations & systems
• Develop skills & knowledge so that computer users can perform their jobs while using IT systems more securely
Why Security Training?
• Dissemination & enforcement of policy become easier when training & awareness programs are in place
• Demonstrating due care & diligence can help indemnify the institution against lawsuits
• By improving awareness of the need to protect system resources
How is Information Security Justified?
PWC security survey 2011
Step 1: Define Training Objectives
• Compliance, Regulations and Governance
• Client / Partner requirements
• Increase the general level of security awareness
• Reduce the incidences of computer fraud, waste and abuse
• Create a more security-savvy workforce
• Design, develop and maintain secure IT infrastructure and applications
PCI Compliance
All service providers with which cardholder data is shared must adhere to the PCI DSS requirements and must sign an agreement acknowledging that the service provider is responsible for the security of cardholder data the provider possesses.
PCI Compliance
The Payment Card Industry (PCI) Data Security Standard mandates a security awareness program that:
12.6.1: Educates employees upon hire and at least annually
12.6.2: Requires employees to annually acknowledge in writing that they have read and understood the company's security policy and procedures
HIPAA Compliance
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates that Covered Entities, which include health plans, healthcare clearinghouses, and most healthcare providers, may not use or disclose individuals' health information for purposes unrelated to providing healthcare, managing their organization, or meeting their obligations under state and federal law, unless individuals specifically authorize them to do so.
HIPAA Compliance
Ensuring all employees, including management, agents and contractors in an organization, understand and uphold these rules is no easy task and is, to a large degree, a training and management problem. This is why the Department of Health and Human Services (HHS) has mandated annual privacy and security training, as well as regular reminders for all employees.
HIPAA Compliance
• Upper Management Training
• Security Awareness Day
• Security Awareness and Ongoing Training for all staff
• Computer Users' Supervisor Training
• Security "Marketing" Efforts
• Annual System-specific Training
• Professional Education Training
GLBA Compliance
The Gramm-Leach-Bliley Act of 1999 Employee Training Requirements mandate IT Security Awareness Training for all employees of financial service providers (FSPs) covered by the GLB Act, which includes all companies "engaging in financial activities."
GLBA Compliance
• Examples of organizations affected by these rules include:
– insurance agencies
– tax preparers
– finance companies
– collections agencies
– leasing agencies
– travel agencies
– financial advisors
ISO 27002
• ISO 27002 is an internationally recognized standard published by the International Organization for Standardization covering information security best practices. Many global organizations use this comprehensive standard to gauge their information security programs.
• Provide an adequate level of security education and training to your organization's employees, contractors and third-party users
FISMA
• The Federal Information Security Management Act (FISMA) is Title III of the E-Government Act, which requires federal agencies to develop, document, and implement a comprehensive agency-wide information security program.
• Part of such a program is a security training program that educates personnel, including contractors and other users, on their responsibilities in maintaining information security, complying with organizational policies and procedures, and reducing the risks associated with their activities
Red Flag Theft Prevention
• Under the new Red Flag regulations, financial institutions and creditors must develop a written program that identifies and detects the relevant warning signs (Red Flags) of identity theft, such as unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents
• Includes appropriate staff training and oversight of any service providers
SOX (Sarbanes Oxley)
• Sarbanes-Oxley requires the CEO and CFO of publicly traded companies to be held accountable for financial statements filed with the Securities and Exchange Commission and includes criminal penalties for false certification
• Top management must ensure that there are adequate 'internal controls' to ensure reliable financial reporting and protect financial data that resides in information systems
Step 2: Assess Needs
• Identify training administrator – primary responsibility lies with the Chief Information Security Officer, top management and the security team
Assess Needs
• Who needs to be trained and on what?
– All stakeholders: Security Awareness Training, Compliance
– Program Managers: Architecture & Design
– Architects & Developers: Threats, coding mistakes, secure software development
– Testers / QA: Security Test Cases
Assess Needs
Functional Background
General User
Managerial User
Technical User
Skill Level
Novice
Intermediate
Expert
Using wrong training methods can:
Hinder transfer of knowledge
Lead to unnecessary expense
& frustrated, poorly trained employees
Step 3: Key Factors
• Build vs. Buy
• Classroom / Instructor Led
• CBT / Web Based
• Generic vs. Customized
• Hosting
Build vs. Buy
Build
• Business needs are unique
• Internal capability available
• Proprietary information or data needs to be protected
• Complexity of interface with company's LMS
• No COTS products or too costly
Buy
• Reduce and control operating costs
• Free internal resources
• Gain access to external capabilities
• Resource constraints
• Improve company focus
• Share risks
Key considerations - cost, quality, and timeline
Costs
• "How to Spend a Dollar on Security" recommends that out of every security dollar you spend:
– 15 cents: Policy
– 40 cents: Awareness
– 10 cents: Risk Assessment
– 20 cents: Technology
– 15 cents: Process
• We have seen it done for anywhere between $5K and $5M in annual costs
Patrick McBride - ComputerWorld
Classroom / Instructor Led
• Study away from the office at another location, with time set aside dedicated to learning a new course (and in some cases, for certification, sitting an exam)
• Costs are higher, as they involve the course fees, travel, accommodation and other expenses
• Access to a trainer for the duration of the course (and sometimes for a limited period after the course)
• Access to other students during the course and as a potential networking group after the course
Computer / Web Based
• Individuals can study in their own time and at their own pace, thereby learning at a rate they are comfortable with
• Lower costs – CBT is much more cost effective than classroom training. A multi-user option allows a company to train more than one person with the same budget, or less than sending one person on a classroom course
• Combines the "best bits of classroom training", such as video clips of instructor sessions, with the "best bits of reference material", such as technical information and practice questions, to provide an all-round training experience which is beneficial to both student and employer at the best price available
Generic vs. Customized
• Generic training is cost effective and focuses on core security issues, OWASP Top 10 threats, etc.
• Customization provides training that matches specific needs for content, completion requirements, quizzes, policies, and even employee responsibility acknowledgment
Hosting
• Web-based training could be hosted internally or provided as software as a service (SaaS)
• Internal hosting provides greater control but could be resource and cost intensive
• A SaaS service is often turnkey but may limit scalability and usage
Step 4: Metrics
• Quiz and survey results
• Content
• People
Metrics - Quiz and survey results
• Score Results: How did people score?
• Answer Breakdown: How did people answer?
• Attempt Detail: How did a user answer?
Metrics - Content
• Activity: What was the activity for a content item?
• Traffic: How often was an item viewed?
• Progress: How many slides did people view?
• Popular Content: Which content was viewed the most?
Metrics - People
• Group Activity: What content did a group view?
• User Activity: What content did a user view?
• Active Groups: Who were my most active groups?
• Active Users: Who were my most active users?
• Guestbook Responses: What were the responses to a guestbook?
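As an added example (not code from the talk or from Symosis), the following Python script computes several of the quiz, content and people metrics listed above from a constructed LMS quiz export; the learner names, groups, course items, answers and answer key are all made up. It also derives one metric the slides do not list, the question with the lowest correct rate, which points at the topic to re-teach.

```python
from collections import Counter, defaultdict

# Constructed LMS quiz export (made-up learners, groups, items and answers):
# one record per attempt, with the option chosen for each question.
ATTEMPTS = [
    {"user": "alice", "group": "dev", "item": "sqli-101", "answers": {"q1": "b", "q2": "a", "q3": "c"}},
    {"user": "bob",   "group": "dev", "item": "sqli-101", "answers": {"q1": "b", "q2": "d", "q3": "c"}},
    {"user": "carol", "group": "qa",  "item": "sqli-101", "answers": {"q1": "a", "q2": "d", "q3": "c"}},
    {"user": "alice", "group": "dev", "item": "xss-101",  "answers": {"q1": "c", "q2": "b", "q3": "a"}},
    {"user": "dave",  "group": "qa",  "item": "xss-101",  "answers": {"q1": "c", "q2": "b", "q3": "b"}},
]
# Constructed answer key per course item.
ANSWER_KEY = {"sqli-101": {"q1": "b", "q2": "a", "q3": "c"},
              "xss-101": {"q1": "c", "q2": "b", "q3": "a"}}

def score(attempt):
    """Score Results: fraction of questions answered correctly on one attempt."""
    key = ANSWER_KEY[attempt["item"]]
    correct = sum(1 for q, a in attempt["answers"].items() if key.get(q) == a)
    return correct / len(key)

def answer_breakdown(item):
    """Answer Breakdown: per question, how many times each option was chosen."""
    breakdown = defaultdict(Counter)
    for a in ATTEMPTS:
        if a["item"] == item:
            for q, opt in a["answers"].items():
                breakdown[q][opt] += 1
    return {q: dict(c) for q, c in breakdown.items()}

def weakest_question(item):
    """Derived metric: the question with the lowest correct rate, i.e. the
    topic most learners got wrong and the first candidate for re-teaching."""
    key = ANSWER_KEY[item]
    rates = {}
    for q, counts in answer_breakdown(item).items():
        rates[q] = counts.get(key[q], 0) / sum(counts.values())
    return min(rates, key=rates.get), rates

def popular_content():
    """Popular Content: course items ordered by number of attempts."""
    return Counter(a["item"] for a in ATTEMPTS).most_common()

def active_groups():
    """Active Groups: number of distinct learners who attempted anything, per group."""
    members = defaultdict(set)
    for a in ATTEMPTS:
        members[a["group"]].add(a["user"])
    return {g: len(users) for g, users in members.items()}
```

Run against a real LMS export, the same functions give the year-over-year baseline the case studies measure against: a question whose correct rate stays low after retraining is a topic the course is not teaching effectively.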
TOC
• Business case for security
• Evolving threats
• How to build an effective training program?
• Case Studies
Case Study 1 - Project management and custom software company
• Challenge:
– Ensure secure coding elements have been taught
– Prevent top 10 threats and mitigation techniques
– Meet a time-sensitive requirement under a DoD contract
• Solution:
– Implement best practices software security training for Java
– Provide access to training on demand from a SaaS model
Case Study 2
• Challenge:
– Improve software quality by eliminating common mistakes
– Provide foundation for everyone to 'own' security
• Solution:
– Create custom course based on previously identified risk and mitigation
– Integrate security cases into QA lifecycle
– Measure year over year declines in security related CRs
Case Study 3
• Challenge:
– Meet PCI compliance for integrating secure coding practices
• Solution:
– Implement JAVA/.NET secure coding practices
– Address PCI Cardholder Data requirements within application development
Thanks for listening…
Questions?
Try out free Symosis training at http://www.symosis.com