Learn how to promote awareness and behavioral change, prioritize top human risks, and create effective learning objectives to enhance security awareness. Discover key strategies and metrics for successful security awareness programs.
Achieving and Measuring Success with the Security Awareness Maturity Model
Lance Spitzner, Director, SANS Securing The Human (@lspitzner)
Session LAB2-R04
[Timeline slide, 2002 to 2014: security controls added to the WindowsOS over that period (Trustworthy Computing, Microsoft Secure Development Lifecycle, Software Restriction Policies, Firewall Enabled by Default, Automatic Updating, Data Execution Protection (DEP), Windows Service Hardening, Mandatory Integrity Control, User Account Control, Bitlocker, Encrypted File System, Windows Defender, Microsoft Security Essentials, Malicious Software Removal Tool, Baseline Security Analyzer, AppLocker, ASDL, EMET), contrasted with the HumanOS row of the same timeline.]
Security Awareness Maturity Model (least to most mature):
• Non-existent
• Compliance Focused
• Promoting Awareness & Behavior Change
• Long-Term Sustainment & Culture Change
• Metrics Framework
Your Strategic Plan
• WHO
• WHAT: this is what we will focus on today, completing two group labs. This is also what drives your metrics.
• HOW
WHAT Do You Teach?
• Focus on topics that have the greatest ROI:
  • People can remember only so much (cognitive overload)
  • You have limited time and resources to teach
  • Fewer topics are easier to reinforce
  • Avoid "training fatigue"
• Identify the greatest human risks to your organization, and then develop training modules to address each of those risks
Start With Key Assets / Data
• For most organizations, key assets are your data
• Identify who is handling your most sensitive data and how
• This will help identify your highest risk areas / highest risk target groups
• Then identify what threats / behaviors expose that data to the greatest risk (don't worry about prioritizing yet)
Past Assessments / Incidents
• Any penetration tests in the past 6-12 months? If so, which human risks were identified?
• What were the most common or damaging human-related incidents in the past 6-12 months?
• Take your Incident Response and Help Desk teams out to lunch. They are great sources of information.
Staying Current on Human Risks
• Blogs / Twitter are a great way to stay current
• www.schneier.com (@schneierblog)
• krebsonsecurity.com (@briankrebs)
• taosecurity.blogspot.com (@taosecurity)
• isc.sans.org (@sans_isc)
• securingthehuman.sans.org/blog (@securethehuman)
• nakedsecurity.sophos.com (@nakedsecurity)
Measuring Your Human Risk
• Every organization measures risk differently; use what works best for your organization
• Quantitative: a precise / accurate measurement that produces a numeric value (a complex and time-consuming approach)
• Qualitative: an estimate or comparative measurement (high, medium, low), a fast and simple approach
Qualitative Analysis
Risk score = Probability × Impact, each rated on a five-point scale: VL/1, L/2, M/3, H/4, VH/5.
Example placements on the 5×5 Probability vs. Impact matrix:
• Phishing: Probability H/4 × Impact H/4 = 16
• Tracking Cookies: Probability VL/1 × Impact VH/5 = 5
Lab – Prioritize Your Human Risks
• You have identified 18 human risks in your organization; prioritize the top nine for your organization. This is your Core training for all employees.
• You can find a description of each risk/topic in your Lab workbook
• Be sure to take into consideration your existing technical controls and past training
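The following is an added example, not part of the talk or the lab workbook, showing how the qualitative Probability × Impact scoring described above can be applied to a risk list and used to pick the top nine. The two scored risks from the slide (Phishing at H/4 × H/4 = 16, Tracking Cookies at VL/1 × VH/5 = 5) are included; every other risk name and rating in `SAMPLE_RISKS` is constructed for illustration. The tie-break (higher impact wins, then name) is an assumed design choice, not something the talk specifies.

```python
from dataclasses import dataclass

# The talk's five-point qualitative scale: VL/1, L/2, M/3, H/4, VH/5
SCALE = {"VL": 1, "L": 2, "M": 3, "H": 4, "VH": 5}
LABELS = {v: k for k, v in SCALE.items()}


def level(value):
    """Accept either a label ('H', 'vh') or a number (1..5) and return the numeric level."""
    if isinstance(value, str):
        return SCALE[value.strip().upper()]
    if value in LABELS:
        return int(value)
    raise ValueError(f"level must be VL/L/M/H/VH or 1-5, got {value!r}")


@dataclass(frozen=True)
class HumanRisk:
    name: str
    probability: int
    impact: int

    @property
    def score(self):
        # Qualitative risk score as on the slide: Probability x Impact
        return self.probability * self.impact


def make_risk(name, probability, impact):
    return HumanRisk(name, level(probability), level(impact))


def prioritize(risks, top_n=9):
    """Rank by score, highest first. Assumed tie-break: higher impact, then name."""
    return sorted(risks, key=lambda r: (-r.score, -r.impact, r.name))[:top_n]


def render_matrix(risks):
    """Plain-text 5x5 matrix like the slide: probability rows (VH at top), impact columns."""
    cell = {}
    for r in risks:
        cell.setdefault((r.probability, r.impact), []).append(r.name)
    header = "Prob \\ Impact " + "".join(f"{LABELS[i] + '/' + str(i):>16}" for i in range(1, 6))
    rows = [header]
    for p in range(5, 0, -1):
        line = f"{LABELS[p] + '/' + str(p):>14} "
        for i in range(1, 6):
            text = f"{p * i} {' '.join(cell.get((p, i), []))}"
            line += f"{text[:15]:>16}"
        rows.append(line)
    return "\n".join(rows)


# Constructed risk list for the example. Only the first two ratings come from the slide.
SAMPLE_RISKS = [
    make_risk("Phishing", "H", "H"),                 # 16 (from the slide)
    make_risk("Tracking cookies", "VL", "VH"),       # 5 (from the slide)
    make_risk("Weak passwords", "H", "M"),           # 12 (constructed)
    make_risk("Password sharing", "M", "H"),         # 12 (constructed)
    make_risk("Lost mobile device", "M", "M"),       # 9  (constructed)
    make_risk("Social engineering by phone", "M", "M"),  # 9 (constructed)
    make_risk("Untrusted systems", "L", "H"),        # 8  (constructed)
    make_risk("Removable media", "L", "M"),          # 6  (constructed)
    make_risk("Unpatched personal devices", "M", "L"),   # 6 (constructed)
    make_risk("Oversharing on social media", "M", "L"),  # 6 (constructed)
    make_risk("Tailgating", "L", "L"),               # 4  (constructed)
    make_risk("Shoulder surfing", "VL", "L"),        # 2  (constructed)
]

if __name__ == "__main__":
    print(render_matrix(SAMPLE_RISKS))
    for rank, risk in enumerate(prioritize(SAMPLE_RISKS), start=1):
        print(f"{rank:2d}. {risk.name:<30} {LABELS[risk.probability]}/{risk.probability} x "
              f"{LABELS[risk.impact]}/{risk.impact} = {risk.score}")
```

Note that Tracking Cookies, although rated very high impact, does not make the top nine in this constructed list: the very low probability pulls its score down, which is exactly the kind of judgement the lab asks you to make once existing technical controls are taken into account.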
Top Risks?
• Which topics do you feel are the most important and why?
• Which topics would you eliminate and why?
• What was missing?
• Which topic would you start and end with?
• Want to learn more about risk analysis? Consider SANS MGT415.
Learning Objectives
• Your job is only half done; you now need to identify what behaviors manage those top risks
• Create a separate learning objectives document for each risk
• This is a living document that covers the target, goal, and learning objective of each risk
Typical Password Learning Objectives
• A common security awareness topic is passwords:
  • Minimum of 12 characters
  • 1 symbol
  • 1 number
  • 1 capital letter
  • No two repeated letters
  • Change every 90 days
• Costs associated with this
What Are We Missing?
• Do not get infected
• Do not share your passwords
• Do not log in using untrusted systems
• Personal questions are just another password
• Passphrases ("Where is my Coffee?")
• Password Managers
• Use two-step verification whenever possible
Lab – Learning Objectives
• Pick one of the most important topics from your top nine topic list
• Document that topic using the Learning Objective template
• What did you pick and why?
Example Metric: Phishing
• Phishing is a useful metric for most organizations:
  • Measures a key human risk organizations care about
  • Simple, low cost and easy to repeat
  • Quantifiable measurements that are actionable
• 90% fall victim in the first hour
Key Points
• Biggest difference between technical and human metrics is that humans have feelings
• Announce your metrics program ahead of time, and then start slow and simple
• Do not embarrass people (no Viagra e-mails)
• Do not release names of those who fail. Only notify management of repeat offenders
• Focus on real-world risks, do not "trick" people
• Always make sure there are at least two ways to detect an assessment
Click Results
If an end user falls victim to a phishing assessment, you have two general options:
• No feedback
• Immediate feedback that explains this was a test, what they did wrong, and how to protect themselves
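As an added example (not the speaker's or SANS's own tooling), here is how the phishing metrics from the three slides above can be computed from assessment results while honouring the key points: summaries are reported per department as counts only, no names are published, and the only per-person output is the repeat-offender list intended for management. The `Recipient` records, campaign names (Q1, Q2), departments and user ids are all constructed for this example; the "within the first hour" share is computed from minutes between send and click, which is an assumed way of recording the data.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Recipient:
    campaign: str
    user_id: str
    department: str
    clicked_after_min: Optional[int]  # minutes from send to click; None means no click
    reported: bool                    # used the organization's report-phishing mechanism


def _in_campaign(recipients, campaign):
    rows = [r for r in recipients if r.campaign == campaign]
    if not rows:
        raise ValueError(f"no recipients for campaign {campaign!r}")
    return rows


def click_rate(recipients, campaign):
    """Share of recipients who clicked the assessment link."""
    rows = _in_campaign(recipients, campaign)
    return sum(r.clicked_after_min is not None for r in rows) / len(rows)


def report_rate(recipients, campaign):
    """Share of recipients who reported the message (clickers included)."""
    rows = _in_campaign(recipients, campaign)
    return sum(r.reported for r in rows) / len(rows)


def share_clicked_within(recipients, campaign, minutes=60):
    """Of those who clicked, the share that did so within `minutes` of send (the slide's 'first hour')."""
    clicks = [r.clicked_after_min for r in _in_campaign(recipients, campaign)
              if r.clicked_after_min is not None]
    if not clicks:
        return 0.0
    return sum(c <= minutes for c in clicks) / len(clicks)


def department_summary(recipients, campaign):
    """Counts per department only: no individual names leave this function."""
    out = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for r in _in_campaign(recipients, campaign):
        d = out[r.department]
        d["sent"] += 1
        d["clicked"] += int(r.clicked_after_min is not None)
        d["reported"] += int(r.reported)
    return dict(out)


def repeat_offenders(recipients, min_campaigns=2):
    """User ids that clicked in at least `min_campaigns` distinct campaigns (for management only)."""
    clicked = defaultdict(set)
    for r in recipients:
        if r.clicked_after_min is not None:
            clicked[r.user_id].add(r.campaign)
    return sorted(u for u, cs in clicked.items() if len(cs) >= min_campaigns)


def trend(recipients):
    """Click and report rate per campaign, to show change over time."""
    campaigns = sorted({r.campaign for r in recipients})
    return {c: {"click_rate": click_rate(recipients, c),
                "report_rate": report_rate(recipients, c)} for c in campaigns}


# Constructed assessment results: two campaigns, the same eight (fictional) users each time.
SAMPLE = [
    Recipient("Q1", "u01", "Finance", 5, False),
    Recipient("Q1", "u02", "Finance", None, True),
    Recipient("Q1", "u03", "Finance", 200, False),
    Recipient("Q1", "u04", "IT", None, True),
    Recipient("Q1", "u05", "IT", None, False),
    Recipient("Q1", "u06", "Sales", 30, False),
    Recipient("Q1", "u07", "Sales", 12, True),   # clicked, then reported
    Recipient("Q1", "u08", "Sales", None, False),
    Recipient("Q2", "u01", "Finance", 40, False),
    Recipient("Q2", "u02", "Finance", None, True),
    Recipient("Q2", "u03", "Finance", None, False),
    Recipient("Q2", "u04", "IT", None, True),
    Recipient("Q2", "u05", "IT", None, True),
    Recipient("Q2", "u06", "Sales", 90, False),
    Recipient("Q2", "u07", "Sales", None, True),
    Recipient("Q2", "u08", "Sales", None, False),
]

if __name__ == "__main__":
    for campaign, rates in trend(SAMPLE).items():
        print(campaign, rates, department_summary(SAMPLE, campaign))
    print("share of Q1 clicks within the first hour:", share_clicked_within(SAMPLE, "Q1"))
    print("repeat offenders (management only):", repeat_offenders(SAMPLE))
```

Reporting the report rate next to the click rate matters: a falling click rate with a rising report rate is the behavior change the program is after, whereas a falling click rate alone could just mean the assessment was easier to spot.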
Human Risk Survey
• Sometimes, the simplest way to measure a behavior is to simply ask
• A survey can measure behaviors that you normally do not have access to
• A survey can also measure attitudes and perceptions (culture)
• Think of a human risk survey as a human vulnerability scanner
Data May Already Be There
• There may not be a need to collect data because you already have the data. Check with:
  • Security Operations Center
  • Incident Response Team
  • Help Desk
  • Human Resources
• Example: Number of infected computers per month
Summary
• Key to building a mature awareness program is having a strategic plan that answers WHO, WHAT and HOW
• WHAT consists of two parts: prioritizing your top human risks, and then identifying the key behaviors that manage that risk
• Those key behaviors drive your metrics
• Often the hardest part about awareness is NOT deciding what to teach, but deciding what NOT to teach.
Webcasts / Courses / Summits: securingthehuman.sans.org/events