is your company security aware? presented by: brian picard gsec
TRANSCRIPT
Is Your Company Security Aware?
Presented By:Brian Picard GSEC
Personal Background Progressive Insurance – Security Architect
10 Long Years ( 6 years in Identity/Security ) GIAC – GSEC Certified Wide range of background experience ( ie Server Administration,
Networking, Development, Identity, and Security Architecture ) Private Consulting – Anything Technical
9 Year ( 4 years in Identity/Security ) Network Development Server Implementations Custom Development Security Consultations and Instruction
Overview Security Awareness Program Security Effort Statements Sample Security Awareness Efforts
Social Engineering Public Information Gathering Development Challenges Physical Security Awareness Adjacent Risks Other Samples
Security Awareness Program
WARNING This should not be done as a group activity
WARNING Definition: This describes where your company’s
security awareness is focused and a rough outline of the scope.
Efforts: This describes what efforts will be made to meet your goals.
Timeframe: This will define how long your company will follow this initiative before re-evaluating it’s position.
Security Effort StatementWARNING
These need to be done as a group activity
WARNING Objective: Goals, Scope (In AND Out), Gaps Target Audience: Intended Targets, Depth Of
Technical Knowledge Actions: Mediums of Delivery, Durations,
Required/Optional Additional References: Other Sources Of
Information Measurements: Verification On Success
Sample Security Efforts(Social Engineering)
Objective: To inform employees about Social Engineering and to give them the ability to professionally deal with a suspected Social Engineer. The scope will include social engineering applied to phones, emails, and physical entry to the buildings.
Target Audience: All Company Employees
Actions: Company-wide web cast about Social Engineering. Including a definition, common real-world examples, and ways to deal with suspected social engineers.
Sample Security Efforts(Social Engineering)
<Cont>
Additional Resources:http://en.wikipedia.org/wiki/Pretextinghttp://www.securityfocus.com/infocus/1527http://www.sans.org/reading_room/whitepapers/engineering
Measurements: 1. A company-wide web test administered 6 months after
the training is completed.2. Random Social Engineering attempts done from outside
consultants.
Sample Security Efforts(Public Information Gathering)
Objective: To inform employees about Public Information Gathering. The scope includes web and verbal content with individuals inside and outside the company.
Target Audience: The target for this security effort is Web Content Analysts and Point Of Sale employees.
Actions: A web based find the information internal game. This game
will include potentially critical company information hidden on a typical looking company web site.
An internet scavanger hunt for public information on companies with explanations on how this information could be useful to an outsider.
Sample Security Efforts(Public Information Gathering)
<cont>
Additional Information: http://businessethics.suite101.com/article.cfm/corporate_intellig
ence_gathering
Measurements:1. Post assessment of Information Gathering
game.2. Internet Scavenger Hunt to gather required
pieces of information about companies based off their corporate web site
Sample Security Efforts(Development Challenges)
Objective: To inform developers of the potential problems with unsafe coding practices. The scope of this will include Cross-site scripting (XSS), SQL Injections, and Improper Input Validation.
Target Audience: Web developers that work on an external facing application.
Actions: This effort will be comprised of a progressive set of challenges regarding the above mentioned topics. After each challenge some hints will be given to help solve the next round of problems.
Sample Security Efforts(Development Challenges)
<cont>
Additional Resources: http://en.wikipedia.org/wiki/Cross-site_scripting http://www.cgisecurity.com/articles/xss-faq.shtml http://en.wikipedia.org/wiki/SQL_injection http://www.unixwiz.net/techtips/sql-injection.html
Measurements:1. The completion of the required challenges within a
designated time frame.2. The completion of a follow-up set of challenges,
different then the first, six months after completion of the previous round.
3. Bug tracking for reported SQL Injection, XSS, and Input Validation Issues.
Sample Security Efforts(Physical Security Awareness)
Objective: To inform the employees about potential problems with lacking physical security. The scope for this shall include only entering the building.
Target Audience: All employees with badges.
Actions: An online bulletin explaining the problems and statistics
around un-authorized individuals. Movable Plaques mounted around badging stations
explaining that every person should swipe their own badge and those attempting to tailgate should be questioned.
Sample Security Efforts(Physical Security Awareness)
<cont>
Rotation of entry staff to encourage the requirement of swiping and diminish the likelihood of known employees being allowed to enter.
Colorful Posters or Cutouts moved around the company encouraging employees to swipe for their own entry and question others attempting to enter on their swipe.
Measurements: 1. Trending on the number of un-authorized people in
the buildings.2. Trending on the number of card swipes per day.
Sample Security Efforts(Adjacent Risks)
Objective: To inform all company employees that work on external data transactions with other companies about Extended Security threats.
Target Audience: Any employee that work on external data transactions.
Actions: A Web Based Training (WBT) that explains the potential problems and history of known problems around network extensions.
Measurements: A post assessment of the content covered in the WBT.
Sample Security Efforts(Other Samples)
Security Informational Sessions Security Posters Security Bulletins Data Classification Awareness Phishing Source Code Management
Final Thoughts
Publish Your Security Awareness Statement
Trust but Verify Completion of Efforts
