Michael Holcomb
Jumpstarting Your Security
Awareness Program
Classification: Confidential
Owner: Michael Holcomb
Approver: Phil Cirulli
The Need for Security Awareness
Most organizations focus on controlling the perimeter through firewalls, intrusion detection systems and other technical security controls
Attackers are targeting your employees as a way to gain access to your internal network
Employees can be targeted in their personal life as well as back at the office
More than likely, someone is on your network right now
Initial Questions to Answer
Why are you providing security awareness?
– Compliance requirements? Grassroots initiative? Or?
What do you want to accomplish?
– What type of behaviors are you trying to change?
Who do you have support from?
– Your Executive Management? Your boss? Just you and yourself?
What type of budget support do you have?
– Feast or famine? Or somewhere in between?
Leverage Security Awareness Frameworks
Several security awareness frameworks and sets of best practices exist that can be leveraged when establishing a new program or identifying gaps in an existing one
– Microsoft Security Awareness Toolkit
• www.microsoft.com/en-us/download/details.aspx?id=11428
– SANS Security Awareness Planning Kit
• www.securingthehuman.org/resources
– PCI Best Practices for Implementing a Security Awareness Program
• www.pcisecuritystandards.org/documents/PCI_DSS_V1.0_Best_Practices_for_Implementing_Security_Awareness_Program.pdf
– SANS Top 20 Critical Controls
Microsoft Security Awareness Toolkit
Provides baseline documentation for security
PCI Best Practices for Implementing a
Security Awareness Program
Focuses on assigning responsibilities for members of the security awareness team
Includes various levels of training for specific groups of users
– All Personnel
– Management
Provides a number of simple metrics for measuring effectiveness of security awareness efforts
SANS Top 20 Critical Controls
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
Other Suggestions
Leverage Free Resources
Make It Personal
Pull Back the Curtains
Focus on Target Groups of Employees
Social Engineering Tests
Leverage Free Resources
National Cyber Security Alliance (NCSA)
– staysafeonline.org
SANS Ouch! Newsletter
– securingthehuman.org/resources/
SANS Securing the Human Community
Led by SANS’ Lance Spitzner, the STH Community is the most valuable resource for security awareness today
Access to some of the top minds practicing security awareness today in organizations of all sizes
No vendors are allowed on the mailing list
Sign up today at
Make It Personal
Employees take cyber security practices to heart when taught from a personal perspective
Teach your employees how to keep themselves and their families cyber safe at home
Employees will bring their cyber safety practices back
Do Not Reuse Passphrases/Passwords
(Example)
If an attacker was to compromise the username and password for your Netflix account, would they…
– Be able to read your personal email messages?
– Be able to make purchases with your Amazon or other accounts?
– Be able to transfer money from your bank account?
– Be able to access your company’s systems remotely and steal information?
At a minimum, never share passwords between resources used for company business and personal use
Pull Back the Curtains
Employees need to understand that security threats against the company they work for are real and that they do occur
Reveal information related to actual security events and incidents with your employees to raise awareness
Employees need to understand that they and their
Cyber Attacks Against Fluor Employees
(Example)
An advanced group of attackers targeted Fluor employees in order to gain access to one of our client’s resources
Initial contact was made via Facebook with a fake
Focus on Target Groups of Employees
While all employees should be provided with a basic level of security awareness training, specialized groups of employees requiring additional training should be identified
– Executives
– New Employees
– Accounting/Finance
– System administrators
– Application developers
Social Engineering Tests
Determine the need for an internal phishing campaign platform for raising phishing awareness
– Leverage the most common examples of phishing campaigns targeting your company today
– If you don’t know what these are – you need to find out!
Consider conducting social engineering phone calls of your employees
– Pretend to be a member of your company’s help desk or from the company’s Internet Service Provider
For additional ideas, visit the Capture the Flag (CTF)
Metrics
Use simple metrics to communicate to senior leadership the level of perceived risk with the human factor in your organization
Ideally metrics will be used to demonstrate the
Metrics Suggestions
Some examples of simple metrics for tracking various aspects of your security awareness efforts:
– Phishing Tests
• Percentage of employees clicking on test phishing links
• Percentage of employees opening test phishing attachments
• Percentage of employees providing company credentials online
– Phone Call Tests
• Percentage of employees providing company credentials over the phone to unknown party
• Overall level of cooperation for called employees
– Don’t forget special interest groups such as IT, HR & Finance
– USB Drops
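The phishing-test percentages listed above, computed per department and company-wide so that special interest groups such as IT, HR and Finance can be compared against the whole; this is an added example, not material from the slides, and the record layout and sample outcomes are constructed assumptions.

```python
# Added example (not from the slides): aggregate phishing-test outcomes into
# the percentages the Metrics Suggestions slide lists, overall and per
# department. Record layout and sample data are constructed assumptions.
from collections import defaultdict

OUTCOMES = ("clicked", "opened_attachment", "submitted_creds")

# Constructed sample: one record per employee targeted in the test campaign.
SAMPLE_RESULTS = [
    {"dept": "Finance", "clicked": False, "opened_attachment": False, "submitted_creds": True},
    {"dept": "Finance", "clicked": True,  "opened_attachment": True,  "submitted_creds": False},
    {"dept": "Finance", "clicked": False, "opened_attachment": False, "submitted_creds": False},
    {"dept": "Finance", "clicked": False, "opened_attachment": False, "submitted_creds": False},
    {"dept": "IT",      "clicked": True,  "opened_attachment": False, "submitted_creds": False},
    {"dept": "IT",      "clicked": False, "opened_attachment": False, "submitted_creds": False},
    {"dept": "HR",      "clicked": True,  "opened_attachment": True,  "submitted_creds": True},
    {"dept": "HR",      "clicked": True,  "opened_attachment": False, "submitted_creds": False},
]


def rate(count, total):
    """Percentage rounded to one decimal; 0.0 for an empty group."""
    return round(100.0 * count / total, 1) if total else 0.0


def campaign_metrics(results):
    """Return {group: {"targeted": n, "<outcome>_pct": ...}} for each
    department plus an "ALL" roll-up for the company as a whole."""
    targeted = defaultdict(int)
    hits = defaultdict(lambda: defaultdict(int))
    for rec in results:
        for group in (rec["dept"], "ALL"):
            targeted[group] += 1
            for outcome in OUTCOMES:
                # Submitting credentials implies the link was clicked even if
                # link tracking missed it, so count it under both metrics.
                hit = rec[outcome] or (outcome == "clicked" and rec["submitted_creds"])
                hits[group][outcome] += int(hit)
    report = {}
    for group, n in targeted.items():
        report[group] = {"targeted": n}
        for outcome in OUTCOMES:
            report[group][outcome + "_pct"] = rate(hits[group][outcome], n)
    return report


def highest_risk_groups(report, outcome="submitted_creds", top=3):
    """Departments ranked by the chosen failure rate, ALL excluded."""
    depts = [(g, m[outcome + "_pct"]) for g, m in report.items() if g != "ALL"]
    return sorted(depts, key=lambda gm: (-gm[1], gm[0]))[:top]
```

Feed it one record per targeted employee from your phishing platform's export and the "ALL" row gives the company-wide figures for the leadership report, while the per-department rows show where follow-up training is needed.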