
To summit (surmount?) the Matterhorn

To summit (surmount?) the Matterhorn. Quinn Shamblin Executive Director & Information Security Officer Boston University qrs@bu.edu @BUInfoSec www.linkedin.com/in/quinnshamblin/. Harry Hoffman Security Operations Lead MIT hhoffman@mit.edu. Agenda – The Expurgated Version.


Presentation Transcript


  1. To summit (surmount?) the Matterhorn

  2. Building an Effective Security Awareness and Training Program Shamblin | Hoffman Quinn Shamblin Executive Director & Information Security Officer Boston University qrs@bu.edu @BUInfoSec www.linkedin.com/in/quinnshamblin/ Harry Hoffman Security Operations Lead MIT hhoffman@mit.edu

  3. Building an Effective Security Awareness and Training Program Shamblin | Hoffman Agenda – The Expurgated Version • Security is a mountain [9 - 10*] Awareness programs: the what, why and overview of how • Topic [10 - 10:30] • Topic [10:45 - 11:15] • Topic [11:15 - 12] • Topic [1 - 2:15] • The route setters [2:30 - 3ish] Considerations in managing an awareness program (We will show the full agenda once we have talked through a few things…) *Times are very general. Today will be filled with discussion.

  4. Building an Effective Security Awareness and Training Program Shamblin | Hoffman What is Security?

  5. Security is a Mountain

  6. Building an Effective Security Awareness and Training Program Shamblin | Hoffman Today’s metaphor • Security is a mountain that we are trying to surmount • Huge, many-faceted, challenging, ever-changing, treacherous • Formed by the tectonic plates of regulation and practicality • Regulatory requirements • Limits of practicality • The classic view of security • Getting in the way of end users getting things done • Department of Business Prevention

  7. Building an Effective Security Awareness and Training Program Shamblin | Hoffman What do we mean by Security Awareness?

  8. Building an Effective Security Awareness and Training Program Shamblin | Hoffman Training v. Awareness • Training = how, practical skills • Awareness = why, emotional and intellectual motivation • “Security training provides users with a finite set of knowledge and usually tests for short-term comprehension…. • Security Awareness programs strive to change behaviors of individuals, which in turn strengthens the security culture. Awareness is a continual process. It is not a program to tell people to be afraid to check their e-mail. The discipline requires a distinct set of knowledge, skills, and abilities.” • “SETA” – Security Education Training and Awareness

  9. Building an Effective Security Awareness and Training Program Shamblin | Hoffman Why should we have an awareness program?

  10. Building an Effective Security Awareness and Training Program Shamblin | Hoffman The Debate • Disagreement by some big names • Against (Bruce Schneier) • “I personally believe that training users in security is generally a waste of time and that the money can be spent better elsewhere. Moreover, I believe that our industry’s focus on training serves to obscure greater failings in security design.” • $ • Difficult to prove value • Breaches happen anyway • For (Ira Winkler)

  11. Building an Effective Security Awareness and Training Program Shamblin | Hoffman Why should we bother doing this when some experts say it has no value?

  12. Building an Effective Security Awareness and Training Program Shamblin | Hoffman Safety of Organizational Information Personal Security HIPAA Reputation PCI Trade or Research Secrets FISMA SOX Safety of Personal Information Network Hygiene

  13. Building an Effective Security Awareness and Training Program Shamblin | Hoffman Perhaps a more satisfying answer • (Aside from being required by several regulations) • Focusing on technology misses the whole point • Understand and avoid fraudulent or malicious behavior • These scams have been around for years, sometimes hundreds of years

  14. Building an Effective Security Awareness and Training Program Shamblin | Hoffman What is the goal of Information Security Awareness?

  15. Building an Effective Security Awareness and Training Program Shamblin | Hoffman The Goal: To Change Behavior • In order for a person to change their behavior, they must want to change their behavior • This is an emotional issue not an intellectual one • We don’t need to make them an expert • (Feeds into recommendations on approach) • A little bit of knowledge goes a long way if they understand and believe • However, to Bruce’s point, we need to make it easier for them

  16. Building an Effective Security Awareness and Training Program Shamblin | Hoffman When you think of security training, what do you think of?

  17. Building an Effective Security Awareness and Training Program Shamblin | Hoffman What are you doing for Awareness?

  18. Building an Effective Security Awareness and Training Program Shamblin | Hoffman Some Awareness Activities • Orientation/on-boarding • Regulatory Training • NCSAM • Email campaigns • Phishing campaigns • Movie nights • Posters • Hacking demos • Flyers/pamphlets • Local celebrity endorsements • Video campaigns • Contests • Teaching courses (zeitgeist) • Off-boarding • Shredding events • Sharing news articles

  19. Building an Effective Security Awareness and Training Program Shamblin | Hoffman The Awareness and Training Framework • There is no all-encompassing true path to the goal • Success requires a multi-tiered approach: • Getting buy-in and support from the highest level • Middle management support, both IT and business line • Building a security culture into your IT practitioners: Developers, Admins, Desktop Support • Giving the end users the tools and knowledge they need • Having a plan to successfully develop and manage an enterprise awareness program

  20. Building an Effective Security Awareness and Training Program Shamblin | Hoffman Agenda • Q] The mountain is security [9 - 10] Awareness programs: the what, why and overview of how • Q] Shouting from (to?) the peaks [10 - 10:30] Tone from the top. Buy-in and support from the highest level • H] Tone from the middle… [10:45 - 11:15] The importance of support by middle management, both IT and line • H] Those that help us climb [11:15 - 12] The real front line. Building a security culture into your IT practitioners: Developers, Admins, Desktop Support • H] The climbers [1 - 2:15] Those we are trying to help, the end users • Q] The route setters [2:30 - 3ish] Considerations in managing an awareness program

  21. Shouting From (To?) the Peaks The voice from the top is heard the farthest

  22. Building an Effective Security Awareness and Training Program Shamblin | Hoffman Do we really need Senior Management support?

  23. Building an Effective Security Awareness and Training Program Shamblin | Hoffman Things we can only get through Mgmt • Visible support • Exposure to the Board • Policies • Setting responsibility • Money

  24. Building an Effective Security Awareness and Training Program Shamblin | Hoffman Things we can only get through Mgmt • Visible support • Exposure to the Board • Policies • Setting responsibility • Money • Beware the arête

  25. Building an Effective Security Awareness and Training Program Shamblin | Hoffman Visible Support • High level organizational Priorities • Exposure to the Board • Reporting of status • Positive as well as negative • Example to next layer of management and down (the start of the support line) • Delegated authority • “The president has asked that we…”

  26. Building an Effective Security Awareness and Training Program Shamblin | Hoffman If you can’t get visible support • Doesn’t mean you have no program • Changes how your program will need to be run: • Middle tier management • Core IT • End users • Aligning security with core business objectives: • The argument: “security as an enabler” • Could Amazon exist without security?

  27. Building an Effective Security Awareness and Training Program Shamblin | Hoffman Wait… Policies? Are policies necessary for a good awareness program?

  28. Building an Effective Security Awareness and Training Program Shamblin | Hoffman What policies might be helpful?

  29. Building an Effective Security Awareness and Training Program Shamblin | Hoffman What if I can’t make or pass policy?

  30. Building an Effective Security Awareness and Training Program Shamblin | Hoffman P. v. p. • [P] Data Classification • Training and sensitivity by context of sensitivity of the data • Signs in hospitals reminding nurses and doctors to be careful where and how they talk about patient information • [p] Onboarding training policy (or at least procedure) • Periodic refresh • [p] Mandatory refresher training • Those that fall for phishing…

  31. Building an Effective Security Awareness and Training Program Shamblin | Hoffman Who is responsible for security?

  32. Building an Effective Security Awareness and Training Program Shamblin | Hoffman Really?

  33. Building an Effective Security Awareness and Training Program Shamblin | Hoffman Setting Responsibility • Changes to the actual organizational chart • Tie upper management incentives to security goals • Senior management bonuses – Goal for training • Creating dotted lines across the organization to InfoSec • Input to performance evaluations • SMART goals • Increase in average performance on a security evaluation • Requirement to measure against peers • Application updates per quarter • Passes OWASP Top 10/Security code audit

  34. Building an Effective Security Awareness and Training Program Shamblin | Hoffman How do I drive buy-in from Senior Management?

  35. Building an Effective Security Awareness and Training Program Shamblin | Hoffman Have a Breach

  36. Building an Effective Security Awareness and Training Program Shamblin | Hoffman Seriously, I can never get money for security. What can I do about that?

  37. Building an Effective Security Awareness and Training Program Shamblin | Hoffman Is FUD bad?

  38. Building an Effective Security Awareness and Training Program Shamblin | Hoffman For management, yes FUD = bad • Talk risk not fear • Risk evaluation, base on REAL risk probabilities or estimates where known. • Quantified risk analysis • Be realistic with your probabilities • Regulation, monetizing the risk using standard risk assessment techniques • COSO • Binary risk analysis

  39. Building an Effective Security Awareness and Training Program Shamblin | Hoffman Talk reputation and then talk numbers • Reputation • Peer institutions, ISACs, IVY+ • Best practices • Remember the bottom line. Control proposed cost. • What can you do on a shoestring? • Choose the biggest impact for lowest dollar • Value proposition – Cost/Benefit

  40. Building an Effective Security Awareness and Training Program Shamblin | Hoffman I have had high level buy-in in the past and my program still failed. Why!?

  41. Building an Effective Security Awareness and Training Program Shamblin | Hoffman This is not a guarantee of success • Sabotage by other senior managers or others • Don’t care • Not fond of change • Thinks it doesn’t apply to them • Stragglers • Impact of a single negative person • Crowd mentality • Don’t let it discourage you • Attempts before first successful attempt

  42. Building an Effective Security Awareness and Training Program Shamblin | Hoffman Summary: Managing Senior Leadership • You are the lead climber • Forges ahead, gets support, establishes the anchor, sets the line so the next group can be hooked in • Speak the language of business risk and value • Total cost, risk avoidance, protection of reputation • Monetize the impact of bad security choices • Compromised machines and accounts • Time and effort costs, time to fix/reimage, time to investigate and recover • Breaches • Regulation, monetizing the risk using standard risk assessment techniques (COSO)

  43. Tone From the Middle… My boss doesn’t care, why should I?

  44. Building an Effective Security Awareness and Training Program Shamblin | Hoffman What do we need from business line management?

  45. Building an Effective Security Awareness and Training Program Shamblin | Hoffman Business Line Management • Security is the responsibility of the business, not IT • IT is a service organization, there to support the business • They are responsible for nothing but delivering what the business requires, but can be very helpful in doing so • They are acutely aware of this, sometimes to the detriment • Recall the responsibility-setting discussion from senior management…

  46. Building an Effective Security Awareness and Training Program Shamblin | Hoffman What do we need from business line mgmt? • Balance Risk - Fully understand the risk • Include security in the conversation • Introducing risk because they don’t understand the security implications of their decisions • Support • Understanding that there are needs that they sometimes don’t understand or care about • …but they are still needs (compliance, etc.)

  47. Building an Effective Security Awareness and Training Program Shamblin | Hoffman How do we get it? • Can we change that relationship premise? • Partner, not just provider • IT not just a service organization, but responsible for making the business better—another line • Having an equal voice in decisions • Establish dotted line ownership to IT • Align process—both business and IT—with overall business objectives and include security considerations along the way

  48. Building an Effective Security Awareness and Training Program Shamblin | Hoffman How do we get it? • IT and Cyber Security must be business analysts • “It is not my job to say no. It is my job to find a safe way to say yes.” • Suggest ways to meet the business goals, not just veto • Build and maintain credibility • Back suggestions with data, not just anecdotes • Be realistic about risk and what is really a “requirement” vs. just a nice-to-have or a “best practice”.

  49. Building an Effective Security Awareness and Training Program Shamblin | Hoffman The problem with autonomy ☺ • Procurement – Consumerization and the cloud • Going and buying their own stuff • Provide guidelines, recommendations and considerations on safely using consumer products and cloud services • End run around procurement, general counsel, security • Relationship building and communication are important • Regularly meet/lunch with folks to find out what’s going on • Solution: relationship building • Give good, easy-to-use, trustworthy advice that people will want • Be the go-to person/group • Requires an openness to do more work
