Design of a cyber security awareness campaign for Internet Cafés users in rural areas

WA Labuschagne, MM Eloff, N Veerasamy, L Leenen, M Mujinga

CSIR / UNISA

IST Africa, 12 May 2011


Internet Usage in Africa

• Africa has the lowest number of Internet users
• 5.6% of total world users
• 2000% growth in last decade
• Possible causes:
    • Lack of infrastructure
        – High cost
        – Low bandwidth
    • Lack of equipment

© CSIR 2011


Lack of Infrastructure

• Development of infrastructure with deployment of:
    • Seacom (2009)
    • EASSY (2010)
    • TEAMS (2009)
• Improvement in bandwidth and lower costs to access Internet


Lack of Equipment

• Users do not have a computer to access the Internet due to cost
• Internet Café provides equipment to access the Internet


Background

• More Internet Cafés in less affluent areas
• Repeat users
• High demand for training
• Used for business activities, searching for employment, communication and establishing business contacts
• Access to resources that employed users are not allowed to access at work


Problem

• Security measures implemented by the establishment (No control)

• Knowledge & Skill set of the Internet users (Address with Security Awareness)


Corporate Environment vs Other Users

• Companies are protected by expensive, complex security systems (IDS, Firewalls, Anti-Virus, etc.)
• Security is delegated to specialized teams
• Users are only provided access to enough functionality to perform responsibilities
• Security awareness programs are usually part of training provided within companies
• Security is automatically applied by systems at no cost to the user

Case Study of Internet Cafés to determine security weaknesses


Feedback on Observation

• Use of outdated Web browsers
• Use of outdated 3rd party applications, for example Acrobat Reader, Flash Player
• Most not using latest Service Packs (most using SP2)
• Users allowed to install applications (administrative privileges)
• Users can access and edit the registry
• No security awareness
• Using Microsoft Windows XP
• Autorun is enabled
• No anti-malware installed


Need Identified


What is Security Awareness?

• Awareness – Focus attention on a set of security issues
• Training – Teach skills to allow person to perform a specific function
• Education – Aims to produce IT security specialists capable of proactive responses


NIST Special Publication (800-50)

• National Institute of Standards and Technology
• 800 Series reports on the Information Technology Laboratory (ITL):
    • Research
    • Guidance
    • Outreach efforts in computer security
    • Collaborative activities with industry, government, and academic organizations
• Building an Information Technology Security Awareness and Training Program


Steps in NIST (800-50) Life Cycle

[Life-cycle diagram. Stages: Design Awareness Program; Develop Awareness Material; Implement Awareness Program; Post-Implementation]

• Design Awareness Program: Conduct needs assessment
    • Determine organisation’s awareness needs.
    • Understanding of security issues helps shape design of IT security awareness program.
• Develop Awareness Material: Develop awareness material (select topic, sources of material)
    • Develop material considering: “What behavior should be reinforced?”
    • Material can address specific issue.
• Implement Awareness Program: Techniques for delivering awareness material
    • Dependent on resources and message(s).
    • Based on ease of use, scalability, accountability, and industry support.
• Post-Implementation: Evaluation and Feedback
    • Ensure relevance and compliance with overall objectives.
    • For continuous improvement need good sense of how existing program is working.


Design Step

• Needs assessment
• Identify most threats at Internet Café
• Identify critical topics that form part of security awareness program addressing threats at Internet Cafés

[Life-cycle diagram. Stages shown: Design Awareness Program (conduct needs assessment); Develop Awareness Material (select topic, sources of material)]


Internet Use Classification

| Type of Use | Classification |
|---|---|
| Seeking information | Information |
| Email | Communications |
| Chatting | Entertainment |
| Reading online news | Information |
| Research | Information |
| Computer games | Entertainment |
| Downloading software for professional use | Business |
| Downloading software for amusement | Entertainment |
| Downloading music | Entertainment |
| Visiting pornographic sites | Entertainment |
| Doing business | Business |
| e-shopping | Financial |
| Gambling | Financial |
| Social networks | Communications |


Internet Uses to Threats (1)

[Matrix. Columns (Use): Info, Entertainment, Financial, Business, Comms. Rows (Threat) listed below with the cell marks that survive.]

• Spam
• DOS
• Phishing: P P
• Malware
• Virus
• Spyware
• Password/Info stealer
• Backdoor
• Downloader
• Dropper
• Rootkit


Internet Uses to Threats (2)

[Matrix. Columns (Use): Info, Entertainment, Financial, Business, Comms. Rows (Threat) listed below with the cell marks that survive.]

• Browser Based
• Firefox
• IE
• PDF
• Hacking (Exploit)
• Social engineering: X
• Inherent software vulnerabilities
• Patch management
• Online scams: P
• Physical harm: X X X
• Cyber bullying: X X X
• Identity Theft: X P P


Selection Process


Development Step

• Critical Topics for Internet Café
    • Social Engineering
    • Scams
    • Cyber Bullying
    • Physical Harm
    • Identity Theft
    • Social Networking
    • Email
    • Phishing

[Life-cycle diagram. Stages shown: Design Awareness Program (conduct needs assessment); Develop Awareness Material (select topic, sources of material); Implement Awareness Program (techniques for delivering awareness material)]


Implementation Step

• Material can be delivered:
    • Interactive video training - Applicable
    • Web-based training (Passive) - Applicable
    • Instructor-led training
    • Placement of awareness messages (posters, screen savers, email) - Applicable
    • Discussion Groups


Post Implementation

• Interviews
• Questionnaires
• Analysis of Internet usage


What about..

• Mobile phone adoption vs Internet Café
• Decline in Internet Café
• Lessons learned could be used with personal computer at home
• Other frameworks
• Other tools to deliver content
• e-Awareness Model


Conclusions

• The NIST (800-50) Framework is a feasible solution to design a cyber security awareness program.

• A need has been identified to address threats at Internet Cafés in rural areas.

• Email, social engineering, phishing, social networking, scams, cyber bullying and identity theft are prominent threats at Internet Cafés.


Q&A
