Awareness is the Key to Security

1. Awareness is the Key to Security June 20, 2003 Krizi Trivisani Chief Security Officer Amy Hennings Systems Security Engineer Guy Jones Chief Technology Officer

2. Agenda Security Implementation Reliance What is security awareness? Why is awareness important? The Security Landscape � The Violation Situation GW�s Awareness Program Cultural Impacts of Security Programs Questions

3. Security ImplementationRelies On: Policy implementation depends on processes being in place, technology being utilized to enforce policy, and users understanding the policy and how it relates to them (their responsibilities) We must set the policy, ensure compliance, enforce when out of compliance conditions are found, and utilize technology where ever possible to reduce reliance and burden on people Example of model � Policy on passwords, process on how to reset passwords, system developed to ensure passwords are 8 characters, users understand that they can not share their passwordsPolicy implementation depends on processes being in place, technology being utilized to enforce policy, and users understanding the policy and how it relates to them (their responsibilities) We must set the policy, ensure compliance, enforce when out of compliance conditions are found, and utilize technology where ever possible to reduce reliance and burden on people Example of model � Policy on passwords, process on how to reset passwords, system developed to ensure passwords are 8 characters, users understand that they can not share their passwords

4. What is Security Awareness?

5. Why is Awareness Important? Security is only as strong as it�s weakest link. You can build the a strong firewall architecture but someone sharing their password can bypass the technology. You can install virus filters on email systems, but unless users keep their desktop anti-virus software up-to-date, your systems are vulnerable. Technology is an important part of security. Equally important though is the reliance on people and making sure they are security aware. If people are ill-prepared, information is threatened by: Social engineering Abuse of privileges and trust Misuse of systems and network Password guessing Physical access to bypass controls Theft of laptops, storage media, and other technologies Accidental disclosure Financial fraudSecurity is only as strong as it�s weakest link. You can build the a strong firewall architecture but someone sharing their password can bypass the technology. You can install virus filters on email systems, but unless users keep their desktop anti-virus software up-to-date, your systems are vulnerable. Technology is an important part of security. Equally important though is the reliance on people and making sure they are security aware. If people are ill-prepared, information is threatened by: Social engineering Abuse of privileges and trust Misuse of systems and network Password guessing Physical access to bypass controls Theft of laptops, storage media, and other technologies Accidental disclosure Financial fraud

6. Poor Awareness Exposed� Human Firewall campaign sponsored a recent security awareness survey (www.humanfirewall.org) Responses from more than 1,400 workers and nearly 600 organizations Nearly every industry falls in the �D� grade score of 60 � 69, with higher education falling under �other� with the lowest score of 61 GW intends to participate in the survey (Security Awareness Index) next year to find out: How do my organization�s security awareness practices compare with others in the world and in my industry? How do I measure and benchmark my own employee�s security awareness level and track progress in raising security awareness over time? Human Firewall campaign sponsored a recent security awareness survey (www.humanfirewall.org) Responses from more than 1,400 workers and nearly 600 organizations Nearly every industry falls in the �D� grade score of 60 � 69, with higher education falling under �other� with the lowest score of 61 GW intends to participate in the survey (Security Awareness Index) next year to find out: How do my organization�s security awareness practices compare with others in the world and in my industry? How do I measure and benchmark my own employee�s security awareness level and track progress in raising security awareness over time?

7. Top Ten Most Common Security Mistakes� The study also revealed the Top Ten Most Common Security Mistakes made by people. Some of them are self explanatory like passwords on post-it notes. Number 2 is an issue here for us at the University, especially in public labs. Number 9 is also very relevant to us � keeping systems patched and up to date will greatly reduce the risk of infection by new viruses, worms, etc. JUST NOTES IN CASE!!!! Plug and Play without protection In the rush to get things going too many folks plug modems straight into servers, or servers straight into the Internet, bypassing routers with firewalls or other corporate security measures. Like calling the phone and cable company before you start digging holes in your backyard, check with your corporate security officer before you plug and play. Always behind the times (the patch procrastinator) One of the biggest vulnerabilities of any system is the failure to install updates and patches for deployed software. Updates often close any loopholes that may exist. Ignoring them or putting them off for another day could cost you and your company dearly. No knowing internal threats While most managers believe an information security breach will come from an outside intruder, they are wrong. The biggest risk comes from within. Disgruntled employees, laid-off employees, a less than ethical contractor, or a partner working both sides of the fence. Every employee has to be responsible for themselves and the behavior they observe in others. "Only you can prevent security incidents," says Smokey the anti-hacker. The study also revealed the Top Ten Most Common Security Mistakes made by people. Some of them are self explanatory like passwords on post-it notes. Number 2 is an issue here for us at the University, especially in public labs. Number 9 is also very relevant to us � keeping systems patched and up to date will greatly reduce the risk of infection by new viruses, worms, etc. JUST NOTES IN CASE!!!! Plug and Play without protection In the rush to get things going too many folks plug modems straight into servers, or servers straight into the Internet, bypassing routers with firewalls or other corporate security measures. Like calling the phone and cable company before you start digging holes in your backyard, check with your corporate security officer before you plug and play. Always behind the times (the patch procrastinator) One of the biggest vulnerabilities of any system is the failure to install updates and patches for deployed software. Updates often close any loopholes that may exist. Ignoring them or putting them off for another day could cost you and your company dearly. No knowing internal threats While most managers believe an information security breach will come from an outside intruder, they are wrong. The biggest risk comes from within. Disgruntled employees, laid-off employees, a less than ethical contractor, or a partner working both sides of the fence. Every employee has to be responsible for themselves and the behavior they observe in others. "Only you can prevent security incidents," says Smokey the anti-hacker.

8. The Security Landscape � The Violation Situation 2001 Minor Violations Minor scans � consecutive attempts to find out information about 10 or less different IP addresses Minor hack � attempts to exploit specific vulnerabilities � BLOCKED Incidents of suspicious activity � activity that is tracked but not necessarily believed to be persistent or deliberate; for example trying to telnet to the same box three times Severe Violations External Attempted Hacks - planned, strategic, malicious activity originating from outside the University; for example attempting to gain access to a specific box by exploiting known vulnerabilities - BLOCKED Outgoing Hacking Attempts - activity originating from University IP space which resulted in notification from non-University system administrators Compromised Boxes - Specific Infections - Severe infections, such as Code Red, Nimda, or new infections Compromised Boxes - Virus Infections - infections other then the specific that are tracked for trends Email Violations - violations of the University's email policy; for example internal spam, inappropriate usage, etc. SPAM Complaints - complaints sent from GW users Severe SPAM - involves blocking of addresses, IP's, or domains False Alarms - security cases that were investigated and determined the issue was not a security violation Security Cases - security violations that fall outside normal categories/policiesMinor Violations Minor scans � consecutive attempts to find out information about 10 or less different IP addresses Minor hack � attempts to exploit specific vulnerabilities � BLOCKED Incidents of suspicious activity � activity that is tracked but not necessarily believed to be persistent or deliberate; for example trying to telnet to the same box three times Severe Violations External Attempted Hacks - planned, strategic, malicious activity originating from outside the University; for example attempting to gain access to a specific box by exploiting known vulnerabilities - BLOCKED Outgoing Hacking Attempts - activity originating from University IP space which resulted in notification from non-University system administrators Compromised Boxes - Specific Infections - Severe infections, such as Code Red, Nimda, or new infections Compromised Boxes - Virus Infections - infections other then the specific that are tracked for trends Email Violations - violations of the University's email policy; for example internal spam, inappropriate usage, etc. SPAM Complaints - complaints sent from GW users Severe SPAM - involves blocking of addresses, IP's, or domains False Alarms - security cases that were investigated and determined the issue was not a security violation Security Cases - security violations that fall outside normal categories/policies

9. The Security Landscape � The Violation Situation 2002

10. The Security Landscape � The Violation Situation 2003

11. The Violation Situation ContinuedEmail Viruses Filtered

12. GW�s Security Awareness Programwww.gwu.edu/~infosec So what is GW doing to address gaps in security awareness? The Information Security Office is rolling-out a formal Security Awareness Program which includes both online and printed material. The Goals of GW's Security Awareness Program are: To educate members of the University community To identify and address risk and To promote and encourage good security habits Security awareness is not a one-shot effort. An effective program requires security concepts to be reinforced through ongoing education. Our audience for the first roll-out is the general University community. Topics are non-technical and relevant to the average user. The first resource I would like to demo is the security awareness web site. GO TO www.gwu.edu/~infosec I would like to point out - For security, as well as copyright reasons, the Information Security web pages will currently only be available to users on GW IP space. Users off campus can access the web pages via the GW Proxy (LDAP authentication required). Some features of the site are: On the main page, there is a link to alerts from CERT. We receive hourly updates on the latest security alerts. MAIN PAGE CLICK ON A SAMPLE CERT ALERT AND GO BACK TO THE MAIN PAGE Along the left side of the page, you will see a link to the University�s Policy Center where security policies are published CLICK ON SECURITY POLICY LINK AND GO BACK You will also see links to other GW and external Security Sites CLICK ON LINKS AND PAUSE If you have a GW site that you would like linked from the security pages, please contact me GO BACK TO MAIN PAGE Other links off the main page include: What is Information Security The Information Security Office and Staff Reporting Security Incidents and Risk Assessment CLICK ON RISK ASSESSMENT AND SCROLL TO THE BOTTOM OF THE PAGE Under this link you will find a presentation on understanding and managing risk CLICK PRESENTATION AND CLICK THROUGH A SLIDE OR TWO AND GO BACK TO MAIN PAGE Now, let�s go back to the presentation and talk about the additional print and online media available for security awareness. GO BACK TO THE PRESENTATION AND GO TO SLIDE 7 So what is GW doing to address gaps in security awareness? The Information Security Office is rolling-out a formal Security Awareness Program which includes both online and printed material. The Goals of GW's Security Awareness Program are: To educate members of the University community To identify and address risk and To promote and encourage good security habits Security awareness is not a one-shot effort. An effective program requires security concepts to be reinforced through ongoing education. Our audience for the first roll-out is the general University community. Topics are non-technical and relevant to the average user. The first resource I would like to demo is the security awareness web site. GO TO www.gwu.edu/~infosec I would like to point out - For security, as well as copyright reasons, the Information Security web pages will currently only be available to users on GW IP space. Users off campus can access the web pages via the GW Proxy (LDAP authentication required). Some features of the site are: On the main page, there is a link to alerts from CERT. We receive hourly updates on the latest security alerts. MAIN PAGE CLICK ON A SAMPLE CERT ALERT AND GO BACK TO THE MAIN PAGE Along the left side of the page, you will see a link to the University�s Policy Center where security policies are published CLICK ON SECURITY POLICY LINK AND GO BACK You will also see links to other GW and external Security Sites CLICK ON LINKS AND PAUSE If you have a GW site that you would like linked from the security pages, please contact me GO BACK TO MAIN PAGE Other links off the main page include: What is Information Security The Information Security Office and Staff Reporting Security Incidents and Risk Assessment CLICK ON RISK ASSESSMENT AND SCROLL TO THE BOTTOM OF THE PAGE Under this link you will find a presentation on understanding and managing risk CLICK PRESENTATION AND CLICK THROUGH A SLIDE OR TWO AND GO BACK TO MAIN PAGE Now, let�s go back to the presentation and talk about the additional print and online media available for security awareness. GO BACK TO THE PRESENTATION AND GO TO SLIDE 7

13. GW�s Security Awareness Program - Materials Partnered with Security Awareness Incorporated which is endorsed by: CERT� Computer Emergency Response team CERIAS Center for Education and Research in Information Assurance and Security CIAC Computer Incident Advisory Capability CRSC Computer Security Resource Clearinghouse FedCIRC Federal Computer Incident Response Capability FIRST Forum of Incident Response and Security Teams IBM ERS IBM Emergency Response Service ISSA Information Systems Security Association, Inc. SANS System Administration, Networking and Security Information Security Magazine �Project IT� � A presentation and workshop designed for classroom-based awareness training Includes: PowerPoint Presentation Speaker Notes Quiz We also hold our quarterly Security Forum to communicate security information.Partnered with Security Awareness Incorporated which is endorsed by: CERT� Computer Emergency Response team CERIAS Center for Education and Research in Information Assurance and Security CIAC Computer Incident Advisory Capability CRSC Computer Security Resource Clearinghouse FedCIRC Federal Computer Incident Response Capability FIRST Forum of Incident Response and Security Teams IBM ERS IBM Emergency Response Service ISSA Information Systems Security Association, Inc. SANS System Administration, Networking and Security Information Security Magazine �Project IT� � A presentation and workshop designed for classroom-based awareness training Includes: PowerPoint Presentation Speaker Notes Quiz We also hold our quarterly Security Forum to communicate security information.

14. GW�s Security Awareness Program - Materials Let�s move on to the online awareness materials available by going back to the security web site GO TO www.gwu.edu/~infosec Under the security awareness tab CLICK ON SECURIY AWARENESS you will see: Animated security awareness banners located on the top of the screen. Every time you refresh, you will see a different tip. CLICK REFRESH Also on the site you will find: General awareness information SCROLL DOWN SCREEN A link back to the hourly CERT alerts During breakfast you may have noticed the security screen saver we had running. This free screen saver will be available for download around July 19th. We will be running the screen saver again during the break. CLICK ON THE SAMPLE PASSWORD CHECKER What is the most commonly used unsecure password? Password! TYPE PASSWORD AND CHECK That is a pretty weak, easily guessed password. So what can we do to make a better password? Use a combination of 8 or more letters � upper and lower case, special characters, and numbers. Let�s check one of the passwords on our �biker� poster TYPE 2#gluvsHelp AND CHECK Again, this is just a sample password checker � we don�t recommend typing in your actual password unless you are going to immediately change it to one that is more secure. GO BACK TO MAIN AWARENESS PAGE There is also an online security tutorial CLICK ON TUTORIAL START Security Training, Awareness and Reference Tool�Topics covered by this security tutorial include: password construction, password management, internet usage, telephone fraud, e-mail usage, viruses, PC security, software licensing, backups, physical security social engineering, and data confidentiality. Your opinion is important to us! Please take a look at the new web pages and give us your feedback. GO BACK TO THE PRESENTATION Let�s move on to the online awareness materials available by going back to the security web site GO TO www.gwu.edu/~infosec Under the security awareness tab CLICK ON SECURIY AWARENESS you will see: Animated security awareness banners located on the top of the screen. Every time you refresh, you will see a different tip. CLICK REFRESH Also on the site you will find: General awareness information SCROLL DOWN SCREEN A link back to the hourly CERT alerts During breakfast you may have noticed the security screen saver we had running. This free screen saver will be available for download around July 19th. We will be running the screen saver again during the break. CLICK ON THE SAMPLE PASSWORD CHECKER What is the most commonly used unsecure password? Password! TYPE PASSWORD AND CHECK That is a pretty weak, easily guessed password. So what can we do to make a better password? Use a combination of 8 or more letters � upper and lower case, special characters, and numbers. Let�s check one of the passwords on our �biker� poster TYPE 2#gluvsHelp AND CHECK Again, this is just a sample password checker � we don�t recommend typing in your actual password unless you are going to immediately change it to one that is more secure. GO BACK TO MAIN AWARENESS PAGE There is also an online security tutorial CLICK ON TUTORIAL START Security Training, Awareness and Reference Tool�Topics covered by this security tutorial include: password construction, password management, internet usage, telephone fraud, e-mail usage, viruses, PC security, software licensing, backups, physical security social engineering, and data confidentiality. Your opinion is important to us! Please take a look at the new web pages and give us your feedback. GO BACK TO THE PRESENTATION

15. Awareness Requires a Change in CultureAnalogy - Seatbelts Research shows that states with primary enforcement laws, which permit police to stop and ticket for failing to wear a seat belt, yield an average of 15 percentage points higher seat belt use than states with secondary enforcement laws. Legislation, Enforcement, Public Information and Education, and Partnerships: MI � 1998 � 2000Research shows that states with primary enforcement laws, which permit police to stop and ticket for failing to wear a seat belt, yield an average of 15 percentage points higher seat belt use than states with secondary enforcement laws. Legislation, Enforcement, Public Information and Education, and Partnerships: MI � 1998 � 2000

16. Awareness is the Key to Security Every member of the GW University Community has a responsibility in keeping our information and resources secure. Effective security relies on people. Remember � Awareness is the key to security. If you have questions about the awareness program, please do not hesitate to contact me. GO TO LAST SLIDEEvery member of the GW University Community has a responsibility in keeping our information and resources secure. Effective security relies on people. Remember � Awareness is the key to security. If you have questions about the awareness program, please do not hesitate to contact me. GO TO LAST SLIDE

17. Questions and Presentation Wrap-up Recommended information sources http://www.securityawareness.com/ http://www.humanfirewall.org/ http://cs-www.ncsl.nist.gov/ http://www.educause.edu/security/ http://www.nipc.gov/