
Achieving and Measuring Success with the Security Awareness Maturity Model






Presentation Transcript


  1. Achieving and Measuring Success with the Security Awareness Maturity Model. Lance Spitzner, Director, SANS Securing The Human (@lspitzner). Session LAB2-R04.

  2. Security Controls: WindowsOS vs. HumanOS. [Timeline figure, 2002 to 2014, of security controls added to the Windows OS: Trustworthy Computing, Microsoft Secure Development Lifecycle, Automatic Updating, Firewall Enabled by Default, Software Restriction Policies, Data Execution Prevention (DEP), Windows Service Hardening, Mandatory Integrity Control, User Account Control, Encrypted File System, BitLocker, AppLocker, Windows Defender, Microsoft Security Essentials, Malicious Software Removal Tool, Baseline Security Analyzer, EMET. The HumanOS is plotted alongside for contrast.]

  3. Security Awareness Maturity Model, five stages: Nonexistent; Compliance Focused; Promoting Awareness & Behavior Change; Long-Term Sustainment & Culture Change; Metrics Framework.

  4. BJ Fogg Model

  5. Your Strategic Plan: WHO, WHAT, HOW. WHAT is what we will focus on for today, completing two group labs; it is also what drives your metrics.

  6. WHAT Do You Teach? • Focus on topics that have the greatest ROI: • People can remember only so much—cognitive overload • You have limited time and resources to teach • Fewer topics are easier to reinforce • Avoid “training fatigue” • Identify the greatest human risks to your organization, and then develop training modules to address each of those risks

  7. Start With Key Assets / Data • For most organizations, key assets are your data • Identify who is handling your most sensitive data and how • This will help identify your highest risks areas / highest risk target groups • Then identify what threats / behaviors expose that data to the greatest risk (don’t worry about prioritizing yet)

  8. Past Assessments / Incidents • Any penetration tests in the past 6-12 months? If so, which human risks were identified? • What were the most common or damaging human-related incidents in the past 6-12 months? • Take your Incident Response and Help Desk teams out to lunch. They are great sources of information.

  9. Verizon DBIR

  10. Staying Current on Human Risks • Blogs / Twitter are a great way to stay current • www.schneier.com (@schneierblog) • krebsonsecurity.com (@briankrebs) • taosecurity.blogspot.com (@taosecurity) • isc.sans.org (@sans_isc) • securingthehuman.sans.org/blog (@securethehuman) • nakedsecurity.sophos.com (@nakedsecurity)

  11. Measuring Your Human Risk • Every organization measures risk differently; use what works best for your organization • Quantitative: a precise measurement that produces a numeric value; a complex and time-consuming approach • Qualitative: an estimate or comparative measurement (high, medium, low); a fast and simple approach

  12. Qualitative Analysis: a 5x5 matrix with Probability on one axis and Impact on the other, each rated VL/1, L/2, M/3, H/4, VH/5; the cell value is probability x impact. Two examples plotted on the slide: Phishing at probability H/4 and impact H/4, score 16; Tracking Cookies at probability VH/5 and impact VL/1, score 5.

  13. Lab – Prioritize Your Human Risks • You have identified 18 human risks in your organization, prioritize the top nine for your organization; this is your Core training for all employees • You can find a description of each risk/topic in your Lab workbook • Be sure to take into consideration your existing technical controls and past training

  14. Prioritization Matrix
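The scoring behind the qualitative matrix and the prioritization lab (slides 11 to 14), as an added Python example that is not part of the original deck. The two ratings on the slide, Phishing (H/4 x H/4 = 16) and Tracking Cookies (VH/5 x VL/1 = 5), are kept; every other risk name and rating below is constructed for illustration, and the tie-breaking rule (higher impact first, then name) is an assumption the slides do not state.

```python
"""Qualitative human-risk prioritization: probability x impact on a 5-point scale.

Added example, not from the original slides. Phishing (H, H) and Tracking Cookies
(VH, VL) are rated as on the slide; every other risk and rating is constructed.
"""
from dataclasses import dataclass

# The slide's scale on both axes: VL/1, L/2, M/3, H/4, VH/5.
SCALE = {"VL": 1, "L": 2, "M": 3, "H": 4, "VH": 5}
LABEL = {v: k for k, v in SCALE.items()}


@dataclass(frozen=True)
class HumanRisk:
    name: str
    probability: str  # one of VL, L, M, H, VH
    impact: str       # one of VL, L, M, H, VH


def score(risk: HumanRisk) -> int:
    """Risk score = probability x impact, 1..25, as in the slide's matrix."""
    return SCALE[risk.probability] * SCALE[risk.impact]


def prioritize(risks, top_n: int = 9):
    """Rank by score; ties broken by impact, then name (assumed rule, not the slide's)."""
    ranked = sorted(risks, key=lambda r: (-score(r), -SCALE[r.impact], r.name))
    return ranked[:top_n]


def render_matrix(risks, width: int = 24) -> str:
    """Text version of the 5x5 matrix: rows are probability (VH at top), columns impact."""
    cells = {}
    for r in risks:
        cells.setdefault((SCALE[r.probability], SCALE[r.impact]), []).append(r.name)
    header = "P\\I".ljust(6) + "".join(f"{LABEL[i]}/{i}".ljust(width) for i in range(1, 6))
    rows = [header]
    for p in range(5, 0, -1):
        row = f"{LABEL[p]}/{p}".ljust(6)
        for i in range(1, 6):
            names = ", ".join(cells.get((p, i), [])) or "-"
            row += names[: width - 1].ljust(width)
        rows.append(row)
    return "\n".join(rows)


# Constructed ratings (hypothetical); only the first two come from the slide.
CONSTRUCTED_RISKS = [
    HumanRisk("Phishing", "H", "H"),                       # 4 x 4 = 16
    HumanRisk("Tracking Cookies", "VH", "VL"),             # 5 x 1 = 5
    HumanRisk("Passwords", "H", "VH"),
    HumanRisk("Social engineering by phone", "M", "H"),
    HumanRisk("Lost or stolen mobile devices", "M", "VH"),
    HumanRisk("Unpatched personal devices", "M", "M"),
    HumanRisk("USB / removable media", "L", "H"),
    HumanRisk("Social networking oversharing", "M", "L"),
    HumanRisk("Browsing to malicious sites", "H", "M"),
    HumanRisk("Physical tailgating", "L", "M"),
    HumanRisk("Data destruction / disposal", "L", "VL"),
    HumanRisk("Wi-Fi at public hotspots", "M", "M"),
]

if __name__ == "__main__":
    print(render_matrix(CONSTRUCTED_RISKS))
    print()
    for n, r in enumerate(prioritize(CONSTRUCTED_RISKS), 1):
        print(f"{n:2d}. {r.name:<32} P={r.probability:<2} I={r.impact:<2} score={score(r)}")
```

The scores are ordinal, so a 16 is not "twice as bad" as an 8; the matrix exists to rank, not to measure. The tie-break on impact encodes the usual judgement that a rare, high-impact risk deserves a training module before a common, low-impact one, which is also why Tracking Cookies, the most probable item on the slide, lands near the bottom of the list.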

  15. Top Risks? • Which topics do you feel are the most important and why? • Which topics would you eliminate and why? • What was missing? • Which topic would you start and end with? • Want to learn more about risk analysis? Consider SANS MGT415.

  16. Learning Objectives • Your job is only half done; you now need to identify what behaviors manage those top risks • Create a separate learning objectives document for each risk • This is a living document that covers the target, goal, and learning objective of each risk

  17. Sample Learning Objectives

  18. Example Learning Objectives

  19. Typical Password Learning Objectives • A common security awareness topic is passwords; the typical objectives are: minimum of 12 characters, 1 symbol, 1 number, 1 capital letter, no two repeated letters, change every 90 days • Consider the costs associated with this

  20. What Are We Missing? • Do not get infected • Do not share your passwords • Do not log in using untrusted systems • Personal questions are just another password • Passphrases—Where is my Coffee? • Password Managers • Use two-step verification whenever possible

  21. Lab – Learning Objectives • Pick one of the most important topics from your top nine topic list • Document that topic using the Learning Objective template • What did you pick and why?

  22. Example Metric: Phishing • Phishing is a useful metric for most organizations: • Measures a key human risk organizations care about • Simple, low cost and easy to repeat • Quantifiable measurements that are actionable • 90% of those who fall victim do so within the first hour

  23. Key Points • Biggest difference between technical and human metrics is that humans have feelings • Announce your metrics program ahead of time, and then start slow and simple • Do not embarrass people (no Viagra e-mails) • Do not release names of those who fail. Only notify management of repeat offenders • Focus on real-world risks, do not “trick” people • Always make sure there are at least two ways to detect an assessment

  24. Click Results • If an end user falls victim to a phishing assessment, you have two general options: • No feedback • Immediate feedback that explains this was a test, what they did wrong, and how to protect themselves
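The phishing metrics from slides 22 to 24, worked over constructed campaign data, as an added Python example that is not part of the original deck. The campaign names, user ids and timestamps are made up; the metrics are the ones the slides name (click rate, how quickly victims click, report rate, and repeat offenders), and the rule that only repeat clickers are passed to management by name, with everything else reported in aggregate, follows slide 23.

```python
"""Phishing-assessment metrics over constructed campaign results.

Added example, not from the original slides. Campaigns, user ids and timestamps
below are constructed; the metrics are the ones the deck names.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Campaign:
    name: str
    sent_at: datetime
    targets: frozenset                                 # user ids that received the lure
    clicks: dict = field(default_factory=dict)         # user id -> time of click
    reports: dict = field(default_factory=dict)        # user id -> time reported to IT


def click_rate(c: Campaign) -> float:
    """Share of targets who clicked: the headline phishing metric."""
    return len(c.clicks) / len(c.targets)


def report_rate(c: Campaign) -> float:
    """Share of targets who reported the e-mail: the behavior we want to grow."""
    return len(c.reports) / len(c.targets)


def share_within(c: Campaign, window: timedelta = timedelta(hours=1)) -> float:
    """Fraction of clicks that happened within `window` of sending.
    This is the 'how fast do people fall for it' metric behind the first-hour figure."""
    if not c.clicks:
        return 0.0
    fast = sum(1 for t in c.clicks.values() if t - c.sent_at <= window)
    return fast / len(c.clicks)


def repeat_clickers(campaigns, min_clicks: int = 2):
    """User ids that clicked in at least `min_clicks` campaigns.
    Per the slides this is the only list that goes to management by name."""
    counts = Counter(u for c in campaigns for u in c.clicks)
    return sorted(u for u, n in counts.items() if n >= min_clicks)


def summarize(c: Campaign) -> dict:
    """Aggregate, name-free numbers suitable for an awareness dashboard."""
    return {
        "campaign": c.name,
        "targets": len(c.targets),
        "click_rate": round(click_rate(c), 3),
        "report_rate": round(report_rate(c), 3),
        "clicks_within_1h": round(share_within(c), 3),
    }


def _t(day: str, hhmm: str) -> datetime:
    return datetime.strptime(f"{day} {hhmm}", "%Y-%m-%d %H:%M")


USERS = frozenset(f"u{i:02d}" for i in range(1, 11))  # ten constructed users

# Constructed results (hypothetical): two quarterly assessments against the same ten users.
CONSTRUCTED_CAMPAIGNS = [
    Campaign(
        "Q1 package-delivery lure", _t("2014-03-03", "09:00"), USERS,
        clicks={"u01": _t("2014-03-03", "09:05"), "u02": _t("2014-03-03", "09:20"),
                "u03": _t("2014-03-03", "09:50"), "u04": _t("2014-03-03", "13:00")},
        reports={"u05": _t("2014-03-03", "09:15"), "u06": _t("2014-03-03", "10:00"),
                 "u01": _t("2014-03-03", "09:30")},   # u01 clicked, then reported it
    ),
    Campaign(
        "Q2 password-reset lure", _t("2014-06-02", "09:00"), USERS,
        clicks={"u01": _t("2014-06-02", "09:10"), "u07": _t("2014-06-02", "09:40")},
        reports={"u05": _t("2014-06-02", "09:05"), "u08": _t("2014-06-02", "09:30"),
                 "u09": _t("2014-06-02", "11:00")},
    ),
]

if __name__ == "__main__":
    for c in CONSTRUCTED_CAMPAIGNS:
        print(summarize(c))
    print("repeat clickers for management only:", repeat_clickers(CONSTRUCTED_CAMPAIGNS))
```

Two design points follow directly from the slides. First, the dashboard numbers are rates over the target population, never names, so a single failure embarrasses nobody; only `repeat_clickers` carries identities, and only for people who failed more than once. Second, `share_within` is the metric that justifies the "at least two ways to detect an assessment" rule: if most clicks land in the first hour, the window in which a real phish would need to be caught and blocked is that short.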

  25. Human Risk Survey • Sometimes, the simplest way to measure a behavior is to simply ask • Survey can measure behaviors that you normally do not have access to • Survey can also measure attitudes and perceptions (culture) • Think of a human risk survey as a human vulnerability scanner

  26. Data May Already Be There • There may not be a need to collect data because you already have the data. Check with: • Security Operations Center • Incident Response Team • Help Desk • Human Resources • Example: Number of infected computers per month

  27. Summary • The key to building a mature awareness program is having a strategic plan that answers WHO, WHAT and HOW • WHAT consists of two parts: prioritizing your top human risks, and then identifying the key behaviors that manage each risk • Those key behaviors drive your metrics • Often the hardest part about awareness is NOT deciding what to teach, but deciding what NOT to teach

  28. Webcasts / Courses / Summits securingthehuman.sans.org/events
