1. Awareness is the Key to Security June 20, 2003
Krizi Trivisani
Chief Security Officer
Amy Hennings
Systems Security Engineer
Guy Jones
Chief Technology Officer
2. Agenda
Security Implementation Reliance
What is security awareness?
Why is awareness important?
The Security Landscape – The Violation Situation
GW’s Awareness Program
Cultural Impacts of Security Programs
Questions
3. Security Implementation Relies On:
Policy implementation depends on processes being in place, technology being used to enforce policy, and users understanding the policy and how it relates to them (their responsibilities).
We must set the policy, ensure compliance, enforce when out-of-compliance conditions are found, and use technology wherever possible to reduce the reliance and burden on people.
Example of the model – a policy on passwords, a process for how to reset passwords, a system developed to ensure passwords are 8 characters, and users understanding that they cannot share their passwords.
4. What is Security Awareness?
5. Why is Awareness Important?
Security is only as strong as its weakest link. You can build a strong firewall architecture, but someone sharing their password can bypass the technology. You can install virus filters on email systems, but unless users keep their desktop anti-virus software up to date, your systems are vulnerable. Technology is an important part of security. Equally important, though, is the reliance on people and making sure they are security aware.
If people are ill-prepared, information is threatened by:
Social engineering
Abuse of privileges and trust
Misuse of systems and network
Password guessing
Physical access to bypass controls
Theft of laptops, storage media, and other technologies
Accidental disclosure
Financial fraud
6. Poor Awareness Exposed…
Human Firewall campaign sponsored a recent security awareness survey (www.humanfirewall.org)
Responses from more than 1,400 workers and nearly 600 organizations
Nearly every industry falls in the “D” grade score of 60 – 69, with higher education falling under “other” with the lowest score of 61
GW intends to participate in the survey (Security Awareness Index) next year to find out:
How do my organization’s security awareness practices compare with others in the world and in my industry?
How do I measure and benchmark my own employees’ security awareness level and track progress in raising security awareness over time?
7. Top Ten Most Common Security Mistakes…
The study also revealed the Top Ten Most Common Security Mistakes made by people. Some of them are self-explanatory, like passwords on post-it notes. Number 2 is an issue here for us at the University, especially in public labs. Number 9 is also very relevant to us – keeping systems patched and up to date will greatly reduce the risk of infection by new viruses, worms, etc.
JUST NOTES IN CASE!!!!
Plug and Play without protection: In the rush to get things going, too many folks plug modems straight into servers, or servers straight into the Internet, bypassing routers with firewalls or other corporate security measures. Like calling the phone and cable company before you start digging holes in your backyard, check with your corporate security officer before you plug and play.
Always behind the times (the patch procrastinator): One of the biggest vulnerabilities of any system is the failure to install updates and patches for deployed software. Updates often close any loopholes that may exist. Ignoring them or putting them off for another day could cost you and your company dearly.
Not knowing internal threats: While most managers believe an information security breach will come from an outside intruder, they are wrong. The biggest risk comes from within: disgruntled employees, laid-off employees, a less than ethical contractor, or a partner working both sides of the fence. Every employee has to be responsible for themselves and the behavior they observe in others. "Only you can prevent security incidents," says Smokey the anti-hacker.
8. The Security Landscape – The Violation Situation 2001
Minor Violations
Minor scans – consecutive attempts to find out information about 10 or fewer different IP addresses
Minor hack – attempts to exploit specific vulnerabilities – BLOCKED
Incidents of suspicious activity – activity that is tracked but not necessarily believed to be persistent or deliberate; for example, trying to telnet to the same box three times
Severe Violations
External Attempted Hacks - planned, strategic, malicious activity originating from outside the University; for example, attempting to gain access to a specific box by exploiting known vulnerabilities - BLOCKED
Outgoing Hacking Attempts - activity originating from University IP space which resulted in notification from non-University system administrators
Compromised Boxes - Specific Infections - severe infections, such as Code Red, Nimda, or new infections
Compromised Boxes - Virus Infections - infections other than the specific ones that are tracked for trends
Email Violations - violations of the University's email policy; for example, internal spam, inappropriate usage, etc.
SPAM Complaints - complaints sent from GW users
Severe SPAM - involves blocking of addresses, IPs, or domains
False Alarms - security cases that were investigated and determined not to be a security violation
Security Cases - security violations that fall outside normal categories/policies
9. The Security Landscape – The Violation Situation 2002
10. The Security Landscape – The Violation Situation 2003
11. The Violation Situation Continued - Email Viruses Filtered
12. GW’s Security Awareness Program
www.gwu.edu/~infosec
So what is GW doing to address gaps in security awareness? The Information Security Office is rolling out a formal Security Awareness Program which includes both online and printed material.
The Goals of GW's Security Awareness Program are:
To educate members of the University community
To identify and address risk and
To promote and encourage good security habits
Security awareness is not a one-shot effort. An effective program requires security concepts to be reinforced through ongoing education. Our audience for the first roll-out is the general University community. Topics are non-technical and relevant to the average user. The first resource I would like to demo is the security awareness web site. GO TO www.gwu.edu/~infosec
I would like to point out - For security, as well as copyright reasons, the Information Security web pages will currently only be available to users on GW IP space. Users off campus can access the web pages via the GW Proxy (LDAP authentication required).
Some features of the site are:
On the main page, there is a link to alerts from CERT. We receive hourly updates on the latest security alerts. MAIN PAGE CLICK ON A SAMPLE CERT ALERT AND GO BACK TO THE MAIN PAGE
Along the left side of the page, you will see a link to the University’s Policy Center where security policies are published CLICK ON SECURITY POLICY LINK AND GO BACK
You will also see links to other GW and external Security Sites CLICK ON LINKS AND PAUSE If you have a GW site that you would like linked from the security pages, please contact me GO BACK TO MAIN PAGE
Other links off the main page include:
What is Information Security
The Information Security Office and Staff
Reporting Security Incidents and
Risk Assessment CLICK ON RISK ASSESSMENT AND SCROLL TO THE BOTTOM OF THE PAGE Under this link you will find a presentation on understanding and managing risk CLICK PRESENTATION AND CLICK THROUGH A SLIDE OR TWO AND GO BACK TO MAIN PAGE
Now, let’s go back to the presentation and talk about the additional print and online media available for security awareness.
GO BACK TO THE PRESENTATION AND GO TO SLIDE 7
13. GW’s Security Awareness Program - Materials
Partnered with Security Awareness Incorporated which is endorsed by:
CERT® Computer Emergency Response team
CERIAS Center for Education and Research in Information Assurance and Security
CIAC Computer Incident Advisory Capability
CRSC Computer Security Resource Clearinghouse
FedCIRC Federal Computer Incident Response Capability
FIRST Forum of Incident Response and Security Teams
IBM ERS IBM Emergency Response Service
ISSA Information Systems Security Association, Inc.
SANS System Administration, Networking and Security
Information Security Magazine
“Project IT” – A presentation and workshop designed for classroom-based awareness training
Includes:
PowerPoint Presentation
Speaker Notes
Quiz
We also hold our quarterly Security Forum to communicate security information.
14. GW’s Security Awareness Program - Materials
Let’s move on to the online awareness materials available by going back to the security web site GO TO www.gwu.edu/~infosec
Under the security awareness tab CLICK ON SECURITY AWARENESS you will see:
Animated security awareness banners located on the top of the screen. Every time you refresh, you will see a different tip. CLICK REFRESH
Also on the site you will find:
General awareness information SCROLL DOWN SCREEN
A link back to the hourly CERT alerts
During breakfast you may have noticed the security screen saver we had running. This free screen saver will be available for download around July 19th. We will be running the screen saver again during the break.
CLICK ON THE SAMPLE PASSWORD CHECKER What is the most commonly used unsecure password? Password! TYPE PASSWORD AND CHECK That is a pretty weak, easily guessed password. So what can we do to make a better password? Use a combination of 8 or more letters – upper and lower case, special characters, and numbers. Let’s check one of the passwords on our “biker” poster TYPE 2#gluvsHelp AND CHECK Again, this is just a sample password checker – we don’t recommend typing in your actual password unless you are going to immediately change it to one that is more secure. GO BACK TO MAIN AWARENESS PAGE
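A rule-based checker that implements the password guidance given on this slide and in the policy model on slide 3 (8 or more characters, mixing upper case, lower case, digits and special characters, and not simply a well-known password). This is an added example, not GW's sample password checker; the short list of common passwords is constructed for illustration.

```python
"""Rule-based password check following the guidance on the slide:
8 or more characters mixing upper case, lower case, digits and special
characters, and nothing that is just a well-known password dressed up."""
import string

# Constructed, illustrative list of commonly chosen passwords (not a real list).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}
MIN_LENGTH = 8


def check_password(candidate: str) -> dict:
    """Return {'ok': bool, 'classes': int, 'problems': [str, ...]}.

    'classes' is how many of the four character classes are present;
    'problems' lists every rule the candidate fails, so users can see
    what to fix rather than just being told the password is weak.
    """
    problems = []

    # Compare only the letters so that 'Password1!' is still recognised as
    # the word 'password' with a digit and a symbol bolted on.
    letters_only = "".join(c for c in candidate.lower() if c.isalpha())
    if candidate.lower() in COMMON_PASSWORDS or letters_only in COMMON_PASSWORDS:
        problems.append("matches a commonly used password")

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = {
        "lower case": any(c.islower() for c in candidate),
        "upper case": any(c.isupper() for c in candidate),
        "digit": any(c.isdigit() for c in candidate),
        "special character": any(c in string.punctuation for c in candidate),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing: " + ", ".join(missing))

    return {"ok": not problems, "classes": sum(classes.values()), "problems": problems}


if __name__ == "__main__":
    # The two inputs used in the demo: the weak one and the poster password.
    for sample in ("Password", "2#gluvsHelp"):
        verdict = check_password(sample)
        status = "acceptable" if verdict["ok"] else "weak"
        print(f"{sample!r}: {status}; " + ("; ".join(verdict["problems"]) or "no problems"))
```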
There is also an online security tutorial CLICK ON TUTORIAL START Security Training, Awareness and Reference Tool. Topics covered by this security tutorial include: password construction, password management, internet usage, telephone fraud, e-mail usage, viruses, PC security, software licensing, backups, physical security, social engineering, and data confidentiality.
Your opinion is important to us! Please take a look at the new web pages and give us your feedback.
GO BACK TO THE PRESENTATION
15. Awareness Requires a Change in Culture
Analogy - Seatbelts. Research shows that states with primary enforcement laws, which permit police to stop and ticket for failing to wear a seat belt, yield an average of 15 percentage points higher seat belt use than states with secondary enforcement laws.
Legislation, Enforcement, Public Information and Education, and Partnerships: MI – 1998 – 2000
16. Awareness is the Key to Security
Every member of the GW University Community has a responsibility in keeping our information and resources secure. Effective security relies on people. Remember – Awareness is the key to security.
If you have questions about the awareness program, please do not hesitate to contact me.
GO TO LAST SLIDE
17. Questions and Presentation Wrap-up
Recommended information sources
http://www.securityawareness.com/
http://www.humanfirewall.org/
http://cs-www.ncsl.nist.gov/
http://www.educause.edu/security/
http://www.nipc.gov/