Worker Involvement in Security at a DOE Laboratory
Roy Nielsen, CTN-1 CSD
Abstract
Ten thousand dollars: the approximate direct cost of an incident. Some estimates for IT-related security incidents run ten times that. VPP is a business architecture with third-party verification for safety that has been shown to reduce incidents by fifty percent. Cyber and human (social engineering) security is just as important for our organization.
Intro to Social Engineering
Cyber threat vector
• Phishing
• Pharming
• Viruses, Trojans and PEDs, oh my!
Human threat vector
• Dumpster diving
• Maintenance impersonation
• Support staff impersonation
• Personal electronic devices (PEDs)
Costs
• Direct
• Indirect
• Moral
• Bailiwick prestige
Example: Human SE – Shipping firm
• The research, or casing the joint
• Impersonation of the CIO: “I lost my key – I need an emergency copy now!”
• Dumpster diving
• Hacking tools
Example: Human SE – the personal phone call
• The call
• The instructions
• The loss
Example: Cyber SE – the Trojan horse
• History
• Chain mail – the malicious attachment
• Passionate subject line – the malicious attachment
Example: Cyber SE – Malicious pop-up
• “Username & password – please re-enter”
• Personal identification information
• Financial account information
• Access control information
Which Are Real to Us?
• Socially engineered PED installation
• Professional heist of information
• Personal rip-off
• Trojan
• The pop-up
• All of the above
Using SE for Our Benefit
• Training, training, training
• Announcements
• Institution-wide emails
• Worker teams
Training, Training, Training
• Initial employee training
• Continuing training on up-to-date threats
• Specific examples
• Lessons learned
Announcements
• Institutional web
• Porcelain news
• Bulletin boards
Institution-wide Emails
• How often?
• How concise, or how long?
• The /dev/null filter
Worker Teams
• Worker involvement is integral to VPP
• Institution-wide structure
• Purpose
• Function from top to bottom
Why use the Voluntary Protection Program (VPP)?
• LANS is contractually committed to VPP recognition by 9/2009
• VPP is a proven program (25 years in OSHA)
• VPP sites operate at 60% below the industry average for incidence rates and 50% below the industry average for worker’s compensation costs
• Aligns LANL with the Secretary of Energy’s request to reinvigorate VPP across DOE sites (2/8/07)
• VPP is an industry standard for measuring safety success, verified by third-party certification, and ensures our infrastructure implements safety from worker to director
• VPP is to safety as Baldrige is to quality and ISO 14001/EMS is to the environment
VPP – 5 Elements
1. Management Leadership
2. Employee Involvement
3. Worksite Hazard Analysis
4. Hazard Prevention & Control
5. Safety & Health Training
• Management leadership is required
  • Motivating force and resources
  • Lead by example, not by directive
  • Safety and security priority is at the same level as mission and production
  • Safety and security direction, expectations and accountability are clear
• Employee-driven safety and security are key
  • Employees understand our safety and security issues
  • Employees know effective solutions for these issues
  • Employee/management interactions are increased
Worker Safety and Security Teams (WSSTs)
Voluntary Protection Program (VPP) elements:
1. Management Commitment
2. Employee Involvement
3. Worksite Hazard Analysis
4. Hazard Prevention & Control
5. Safety & Health Training
Lab-Wide WSST
• One member from each AD, with an alternate
• Meets every 1st and 3rd Thursday with a pre-announced agenda
• Meetings open to all
• Sub-teams meet on the “off” week
Lab-Wide WSST Teams
• Safety
• Security
• Environment
• Communications
• Management & Employee Commitment
• Human Performance Improvement
Some WSST Successes in a Directorate
• Sweep tags
• Cell phone detectors
• RFID
• AED behind the fence
• Policy sanity checking
• Snow removal for 24/7 support staff at a computing facility behind the fence
Which Do We Do Effectively?
• Training, training, training
• Announcements
• Institution-wide emails
• Worker teams
• All of the above
Conclusion: We can use SE to our benefit
• Discourage risky behaviour
• Roll out effective policies
• Continue active training on current threats
• Don’t forget to involve the workers!