SecureWorks
The Human Firewall – How Security Awareness Impacts Your Control Environment
Dane Boyd, Security Awareness Training Principal Consultant
John Andrew, IT Security Auditor
Dell SecureWorks
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
Agenda
• Introduction
• In The News …
• ‘Red Team’ Stories
• Defining the Problem
• Winning Awareness Strategies
• Winning Awareness Tactics
• Q&A
Introduction
• Dane Boyd, Security Awareness Training Principal Consultant
  - Awareness Com Leader – CISO
  - Led DSWx Awareness practice for 5 years
  - Fun facts: (From, Speak, Hobby)
• John Andrew, CISA, CISSP, GLEG
  - IT Security Auditor – dotted line to CISO
  - Over 20 Years IT, IT Audit, and IT Security experience
  - Fun facts: (From, Speak,
Disclaimer – Rules of the Road
• This presentation is prepared solely for educational purposes.
• Our goal is to engage IT Auditors in Security Awareness efforts.
• Much of what we will share is based on our personal experience. Take what benefits you… forget the rest.
In The News…
‘Wired’ writer Andy Greenberg reports on Jeep Cherokee exploit
All of this is possible only because Chrysler, like practically all carmakers, is doing its best to turn the modern automobile into a smartphone. Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks, controls the vehicle’s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot.
In The News…
‘Wall Street Journal’ – Michael Hayden describing the OPM hack – 21 MM Security Clearance Records compromised.
In The News…
Critical Infrastructure Survey Results – 48% of IT Executives believe that it is likely that there will be an attack on critical infrastructure.
When - in the next three years…
Impact – resulting in loss of life…
Critical Infrastructure
The ERIPP and SHODAN search engines can be easily used to find Internet facing ICS devices, thus identifying potential attack targets. These search engines are being actively used to identify and access control systems over the Internet. Combining these tools with easily obtainable exploitation tools, attackers can identify and access control systems with significantly less effort than ever before.
Red Team Stories
Project Shine - Control Systems Found Include:
• Traffic light controls
• Traffic cameras
• Swimming Pool Acid Pump
• Hydroelectric plant
• Nuclear Power Plant
• Hotel Wine Cooler
• Hospital Heart Rate Monitor
• Home Security System
• Gondola Ride
• Car Wash
Source: http://money.cnn.com/2013/04/08/technology/security/shodan/index.html
Red Team Stories
DHS Public Private Partnership
2014 IC Analyst – Private Sector Program – Critical Manufacturing Findings
• Lack of Awareness and information sharing
• Interpretation of cyber threats and the cyber security posture differed significantly between management, engineering, audit, compliance, and IT security.
• Need for more training, education, and awareness across all Critical Sectors.
“95% of all attacks on enterprise networks are the result of successful spear phishing”
Source: Alan Paller, Director of Research - SANS Institute
Defense in Depth
[Diagram labels: Firewall; IDS/IPS; Web Proxy; Anti-Virus; User; Network Defense Layers; End-point Defenses; Key Terrain; Endpoint Monitoring]
Strategies for a Vigilant Employee
[Diagram labels: Vigilant Employee; Proper Attention; Executive Support; Inspect what you expect]
Strategy:
Defense in Depth: A Closer Look
Only 60% … of organizations have a Security Awareness Program.
Source: PwC The Global State of Information Security Survey 2014
[Diagram labels: User; Testing; Key Terrain]
Testing Improves Learning
“The added effort required to recall the information makes learning stronger.”
Henry L. Roediger III, Washington University in St. Louis and a co-author of “Make It Stick: The Science of
Strategy:
Reason #1: Employee Resentment
Reason #2: Employees Understanding
The Whale Hunt
• Salary
• Previous jobs
• Donations
• Children’s name
• Mother’s death date
• City & State
• Tax Record
• Home Address
• Aerial Photo of
Strategy: Treat Awareness like a vulnerability
Proper Importance
In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.
Source: Wikipedia
CVE-2014-7861
Employee ID 24355
Live Poll: How frequently are you patching the human firewall?
• New Employee Security Awareness Training?
• Annual Security Awareness Training?
• Periodic Security Awareness Newsletter?
• Phishing Assessments?
• Lunch & Learn?
Typical Security Awareness Program Tactics
• Once a year
• “Too Long!”
• Computer Expert
• Policy Acknowledgement Form
• ?
[Slide navigation: Reinforcement, Testing, Focus, Instructor, Duration, Frequency]
Learn from Arnold
Worked out twice a day
Trained each muscle group 3x/week
• 26 – 61 sets per workout
• Tens of thousands of pounds
Pop quiz!
How often are you training your employees?
Who is this???
Edward Everett, 1794 – 1865
Spoke at Dedication of Soldiers' National Cemetery
Two-hour-long speech
Learn from Lincoln
Gettysburg Address
272 words
Two minutes
How long are your training sessions?
SAT Tip: Understanding security is a skill. Communication is a separate skill!
Who here is a strong communicator?
SAT Tip: Training must be specific to threats and adapt as threats change. Intel is key!
Learn from Coast Guard
Continually adapted to smugglers' methods:
• Cargo ships
• Fast Boats
What threats do we see today?
How do we adapt?
Learn from the US ARMY
What is the number one principle in peacetime training?
Replicate battlefield conditions
What are the battlefield conditions?
How do you simulate these conditions?
• Phishing
• Vishing
• USB Drops
• Tailgating
• Bacon
Learn from Advertisers
1.2 billion media impressions
Social Media
Television
Radio
Signage
107% Increase in Sales
SAT Tip: Consistent message & multiple mediums (Combined with frequency) to change behavior
What does reinforcement look like?
• Posters
• Newsletters
• Signage
• Reward Program
• Recognition Programs
• “Secret Shopper”
• Trivia
Output
Phishing Failure Rate