© Copyright 2015 Vivit Worldwide
Building a Human Firewall starts with Security Awareness
April 28, 2015
Hosted by
Dominic Listermann, Vivit Security & Privacy SIG Leader
Today’s Speakers
Anita Parrish, ESP Education Portfolio Lead, HP Software
Danny Harris, Senior Security Consultant
Housekeeping
• This “LIVE” session is being recorded
Recordings are available to all Vivit members
• Session Q&A:
Please type questions in the Questions Pane
© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Building a human firewall starts with security awareness
Danny Harris, Anita Parrish
28 April 2015
Agenda
Today’s security landscape
Creating a security aware culture
HP Security Awareness Training
How to start building your human firewall
“This is hard for a product guy to say out loud to an audience, but invest in your people and process,” Gilliland said at HP's Software Government Summit in Washington, D.C. “The first thing that always gets negotiated out of every [security software] contract is the training and the services.”
HP tells cybersecurity customers to focus on people and processes, ComputerWorld Online, 8 April 2015, bit.ly/1DVk1yu
Today’s security landscape
1M: new malware threats released every day (CNN Money online)
82 seconds: the time it takes for someone to get duped and become the first victim after hackers release a wave of malware-laced spam emails (Verizon's 2015 Data Breach Investigations Report)
29%: of breaches where attackers leveraged social tactics, such as spear phishing, in which a tailored e-mail to the victim purports to come from a friend or business contact (Verizon's 2015 Data Breach Investigations Report)
$5.9B: according to a popular fraud report by RSA, in 2013 there were nearly 450,000 phishing attacks and record estimated losses of over $5.9B (Wall Street and Tech, “Phishing Scams at All-Time High, Employee Training Not Keeping Pace”)
Traditional technology defenses
• Traditional technology defenses are very important in preventing attacks
• These include things like:
– Firewalls
– Anti-virus software
– Intrusion detection/prevention systems
– Patching
– System hardening
• There is a strong tendency to “deploy and forget” these technological defenses as they are productized and are relatively easy to deploy
(Diagram: People, Technology, Process)
Creating a security aware culture
People as an important defense element
• People and process are critical elements of proper defense
– People are distributed across the network like sensors
– They can act like firewalls, allowing or blocking attacks
– They can detect attacks and raise alarms
– Just like traditional IT infrastructure, people need configuration and patching – training and periodic security awareness reminders
– Everyone has a role to play in keeping the organization safe and data secure
• Providing people with the right tools and training can help make personnel a human firewall
(Diagram: People, Technology, Process)
What is a security awareness training program?
• A comprehensive security awareness training program provides workers a full range of topics
– Information security as it relates to their job and data, as well as any system responsibilities
• Security awareness training is not just a compliance requirement
– It’s part of your organization’s culture of security
• An integral part of your business and your overall information security program
– Without knowledge and understanding of what to do and how to do it, there is no security
Leadership commitment to training is the key to success
Leadership needs to commit to supporting the training goals by…
– Ensuring staff participates in training
– Modeling good security behavior
– Living by the principles covered in the training
– Integrating security behavior into job descriptions and performance reviews as appropriate
Keys to a successful security awareness program
Building a security aware culture
Maximize protection through effective people, process and technology engagement
Demonstrate management commitment
Making it part of an organization’s “DNA”
• The single security “week” approach is WEAK
Role-based training and education
• General security awareness
– Information Security training
– General regulatory and compliance requirements
• Application security awareness
– For software development teams
– Building secure applications is a broad and complex topic which requires training and periodic refreshers
Security Awareness Training
Who needs to be trained?
All employees and stakeholders
• Management
• General employees
– Finance and accounting
– Customer support
– HR and legal
– And so on
• IT Professionals
– Project Managers, Executives
– Business Analysts, Product Managers
– Security & Software Architects, DevOps
– Programmers, Software Engineers, Developers, DBAs
– Testers, QA, Audit
– System and Network Admins
Delivering the security awareness messages
• Formal vs Informal Security Awareness Training
– Formal security awareness training typically can be tracked and monitored
• Computer-based training (CBT) and instructor-led training (ILT)
– Informal delivery typically “happens” during the day
• Infographics, tip sheets, e-mails and circulars, memos, notices, bulletins, posters
• People have different learning styles and needs
– Having multiple approaches to getting the message out is critical
• A comprehensive security awareness program has both formal and informal security awareness elements
When to deliver the security awareness messages
New hire
Annual refresher
Role change
New threats or major changes in technology
The benefits of security awareness training
Supporting technology with people and process
People must know certain things to do their jobs
Meet compliance requirements such as PCI-DSS, ISO 27002, FISMA, GLBA, COBIT, HIPAA, EU Data Protection, etc.
Reinforce the organization’s security culture
Prevent/Detect/Respond to attacks
Address the rapidly changing data security threat environment
Security awareness training works
Protection relies on a fully engaged and knowledgeable workforce
– “…42% of respondents said security education and awareness for new employees played a role in deterring a potential criminal, among the highest of all policies and technologies used for deterrence.”
– “…Companies without security training for new hires reported average annual financial losses of $683,000, while those that do have training said their average financial losses totaled $162,000.”
PricewaterhouseCoopers 2014 US state of cybercrime survey, http://www.pwc.com/en_US/us/increasing-it-effectiveness/publications/assets/2014-us-state-of-cybercrime.pdf
HP Security Awareness Training
HP Software Security Awareness course design
• Self-paced learning, highly interactive
• Role-based curriculum
• 100+ hours of content focused on creating secure software
• 60+ courses (100–400 level)
• Best practices from PCI-DSS, OWASP, Microsoft SDL and more
• All courses have internal quizzes and formal exams
Security awareness content and audiences
(Diagram: security awareness content mapped to audiences, on a scale from broader, generalized knowledge to more technical content. Content areas: information security basics, literacy & policy; basic regulatory and compliance content; technical compliance content; IT security; application security & design; secure coding; security testing. Audiences: general audiences (non-IT), IT professionals, application development teams, programmers, testers.)
Information Security & Privacy Awareness (ISPA) Training Program
Audiences: General Audiences, IT Professionals, Software Development Teams
Courses (information security & privacy awareness):
• Email security
• Malware awareness
• Mobile device security
• Password security
• Phishing awareness
• Social engineering awareness
• Physical security
• Travel security
Supplemental materials:
• Printable tip sheets
• Infographics
• Interactive challenge exercises
• Customizable articles
Information Security & Privacy Awareness (ISPA): General information
Audience:
– General staff in roles such as human resources, legal, marketing, finance, sales, operations and customer service, as well as IT professionals
Goals:
– Recognize the value of different types of information
– Understand the scope, nature, and origin of the diverse risks to such information
– Behave proactively to protect this information in their everyday work
Modules:
– Engaging e-learning curriculum focusing on 1-3 learning objectives
– An interactive challenge to engage the learner and put their knowledge to the test
– A formal assessment at the end of the module
– Target duration: ~10-15 minutes each
ISPA Training Program supplemental materials
Printable tip sheets are tangible tools that break down a larger concept into short, easy steps
Eye-catching infographics put a graphical and artistic spin on the learning objectives, and help reinforce what was learned
Interactive challenge exercises challenge and engage students with activities to help students internalize the learning from each course
Engaging and fun to reinforce concepts and security behavior
PCI Essentials
Payment Card Industry Security Awareness Training
Audiences: General Audiences, IT Professionals, Software Development Teams
PCI Essentials overview
• 10 interactive modules
• Average time to complete each module: 15 minutes
• Quizzes, interactive real-world scenarios to engage the learner and test understanding
• Interactive training
– Audio narration and animation
– Problem solving exercises
– Real world scenarios
• Certificate of completion
• PCI compliance tracking
HP Software Security courses: By topic
Audiences: General Audiences, IT Professionals, Software Development Teams
Training for software development teams
Learning paths for programmers – topics
• Developer courses provide technical, detailed training to help your development team know how to build secure applications and avoid the pitfalls that result in security bugs
• Select courses to take based on programming language or platform
How to start building your human firewall
First time security awareness program
• Get senior executive commitment for the program
– Resources (staff, budget)
– Commitment for the time required to take the training
• Get outside help
• Build a team or assign a responsible party
• Design a training plan
• Execute
• Review results and adjust strategy
• Execute
Existing formal security awareness program
• Evaluate the effectiveness of the program
• Review existing security awareness training
– Are the messages up to date?
– Ensure the right audiences get the right messages
– Are you meeting compliance needs?
• Update program and training offerings, if needed
• Adjust process if needed
• Execute
Security awareness program success factors
• A culture of security is one that supports and appreciates the value of security awareness training
• Make it relevant to the students
– Training has to matter to the student in a deeply personal way
– Training content should be strongly company-centric, with real examples from your organization, where possible
• Illustrate breaches and that “it can happen here”
– What to do in the event of an incident
• Track awareness activities
• Training is not a one-time activity
• Provide multi-tiered and role-based training
Measuring success
% employees with current awareness training overall
% employees, by role, with current awareness training
% employees, by site, with current awareness training
# support tickets reporting phishing, suspicious activity, or other attacks
# of successful phishing attacks
% completed employee surveys
# of employee surveys with positive results
# of management or other company security communications
Three things to remember
1. People and processes are a critical part of a security culture – security software and IT departments cannot do it alone
2. The cost of security awareness training is small as compared to the cost of deploying vulnerable systems and the risk of a breach
3. Security awareness is an on-going effort – a security aware culture is one where programs and initiatives are re-evaluated and refreshed
Q&A
Thank you
HP ESP overview
HP's enterprise security software and solutions provide a proactive approach to security that integrates information correlation, application analysis and network-level defense.
HP TippingPoint: Network Security
HP Fortify: Application Security
HP ArcSight: Security Intelligence & Event Management
HP Atalla: Payments and Data Security
To register for an ESP Education offering visit the HP Enterprise Security University at http://www.hpenterprisesecurity.com/university
More information
HP Software Education Training Plan Guides
Read articles on thought leadership and contemporary IT education topics at www.hp.com/go/educationblog
Case studies, white papers, videos, testimonials at www.hp.com/go/softwareeducation
Find us on social media
https://twitter.com/HPSoftwareEDU
http://linkd.in/1HJSH5X
www.hp.com/go/educationblog
Insider’s Hub: email [email protected] and ask to join – we will send instructions!
HP Discover Las Vegas 2015
• June 2 – 4, 2015 at The Venetian Resort in Las Vegas.
• All members can Register Now via the unique Vivit link www.hp.com/go/discover/vivit and you will receive $300 off the $1795 for HP Discover 2015
• Deep Dive Sessions will be offered on Monday, June 1st from 1:00 – 5:00 pm. Find more information on the Vivit website under the training section.
Thank you
• Complete the short survey and opt-in for more information from HP Software.
www.hp.com
www.vivit-worldwide.org