Page 1

Practical User Awareness Training

Copyright 2014 - ISecure LLC

Prepared for the 2014 ISSA Rochester Security Summit, October 7 - 8 2014

Page 2

Presenter

• Kevin Wilkins, CISSP – Chief Technology Officer, iSecure LLC

– Kevin Wilkins is the Chief Technology Officer (CTO) at iSecure LLC. Mr. Wilkins oversees implementations of network security product portfolios, specializing in heavily regulated environments such as PCI, SOX, and HIPAA/HITECH. Mr. Wilkins has been in the IT industry since 1998 and has extensive operational experience in Network Engineering, Systems Administration, Telecommunications, and Information Security.

Page 3

Abstract

• In various surveys and interviews conducted in my role as an Information Security consultant, I have repeatedly heard that all of the technical point defenses and detective controls in the book cannot really protect an organization from the actions of the end user. People are easily fooled, or are overwhelmed by their highly interactive and interconnected technology.

• Obvious attacks are willingly accepted, or information security controls are circumvented for convenience and personal entertainment.

• Whether this is due to a lack of knowledge regarding safe use of information assets or to willful misconduct, the human is often the weakest link.

Page 4

Introduction

• We will talk a little bit about user communication and training techniques, but first and foremost are some important points related to common risky and insecure behavior.

• In each example, while pointing out a problem, it is also important to point out a solution.

• If an effective and useful way of doing things can be presented as an alternative to the risky behavior, it becomes a lot easier to change the behavior.

Page 5

Media, Games, and Promotions

• PC: Watch out for browser plugins such as Flash and Java, Facebook apps, and social media.

• Someone asked me today about installing a coupon printer on their work PC!

• Mobile: There are TONS of free apps and games. Some are ad-sponsored, others are pay to play.

• Any of these can carry malware and spyware, and the permissions an app asks for at install time are usually the only visible hint.

Page 6

Media, Games, and Promotions

• It's hard to be the mean boss, and it might be nice to give people their "free time" or access to minor diversions while at work.

• But in addition to wasting time and resources, these activities introduce genuine risk into the business environment with no benefit.

• The same applies to the use of personal email services such as Gmail and Hotmail. Why allow a second avenue for spam, phishing, and other unsavory activity to touch your company's network, one that your corporate mail filtering never sees?

Page 7

Media, Games, and Promotions

• Do not use a company device for any non-productive purpose, and do not connect a personal device to the company network.

• It is generally recommended that the activities we just discussed take place on a PERSONAL device on the GUEST/CELLULAR network.

• Setting up a Guest network is easy and fun! The point of it is isolation: a separate SSID and VLAN that reaches the Internet only, with no route to internal systems and client isolation turned on, so whatever a personal device picks up stays off the corporate network.

Page 8

Mobile and Personal Devices

• Some of these comments on mobile devices relate to the previous section. Enabling a device for corporate access indicates that it is intended for "work", not for "fun".

• Comprehensive MDM (Mobile Device Management) is recommended on a corporate-owned mobile device. Apply as much security and management as you would to an on-net PC, maybe more! Only allow installation of business-related applications and restrict the use of web browsers through content filters.

• Restricted corporate access (email only?) with remote wipe capability on Bring Your Own Device (BYOD) seems to be the standard.

• If you MUST be mobile and you MUST have fun, get a second phone.

Page 9

Mobile and Personal Devices (An Aside…)

• BYOD… Don't get me started on BYOD…

• Sometimes asking to integrate the hottest new device into the corporate environment is a problem in search of a solution.

• Great, you got a new toy! But is there a WORK RELATED APPLICATION that you intend to use with the new technology?

• BYOD is one of the biggest challenges that affect IT and user access.

Page 10

Mobile and Personal Devices

• Physical loss of a device is one of the greatest threats with any mobile hardware, so be sure that the device is locked down and there is little of value for a bad guy to recover. This means using a PIN (with device encryption behind it, so the PIN actually protects the stored data rather than just the screen) and limiting the amount of data that is stored locally.

• VDI (Virtual Desktop Infrastructure), which we will see mentioned again, is also an alternative for on-net access by mobile devices, especially where BYOD is concerned. Data and applications are abstracted via a remote view and are not stored or processed locally.

Page 11

Mobile and Personal Devices

• Finally, don't let your kids or your friends use your work-related device, PC or mobile. Keep a PIN lock.

• You can compare this to letting someone play with your wallet. Does your wallet contain money, ID, credit cards, and any other account information that you might have written down and kept for easy access? What's in your phone?

Page 12

Let's Take a Break…

• We have talked a lot about do and don't.

• We have mentioned a lot of methods requiring technical controls, hardware, and software.

• Ultimately we are looking to establish an understanding of risky behavior and stop it from happening.

• But to accomplish that, we are looking to establish secure and accepted methods for achieving a goal (fun and games, mobile access) and TRAINING personnel in their use.

Page 13

Let's Take a Break…

Page 14

File Sharing

• Utilizing any method of transferring company data outside of the company's oversight and control is very risky.

• This includes using corporate or personal email to send a working document off-site to a non-company asset.

• Editing and storing sensitive data in these additional places broadens the attack surface and increases the risk of the data being corrupted or stolen.

• In a regulated environment, it completely removes the data from your company's governance efforts and can make your company liable for violations.

Page 15

File Sharing

• Do YOU want to be the person found at fault when your personally owned computer is lost or compromised and company data is found in the wild? What if your cloud file share is hacked?

• Losing the data is one thing. What if you are accused of intentionally stealing or disseminating it?

Page 16

File Sharing

• Providing a VDI environment for remote work is becoming a popular solution. (This does not mean full VPN!)

• Data is kept and operated on within the walls of your datacenter through an "abstracted" display and control connection, so only screen output and keyboard/mouse input cross the network, provided that clipboard, local drive, and printer redirection are disabled in the VDI policy.

• Hosted Office 365 with OneDrive is also an option. OneDrive for Business now has DLP, auditing, and reporting capabilities for compliance officers.

Page 17

Passwords

• Do not re-use passwords over time, and do not re-use passwords across multiple systems. Change passwords regularly. (More recent guidance, such as NIST SP 800-63B, favors changing a password when there is evidence of compromise rather than on a fixed schedule; the ban on reuse across systems still stands.)

• Utilize complex passwords, and passphrases are becoming "OK".

• Three or four words strung together with intentional misspellings, symbols, capital letters, and character substitutions can result in a password that is mathematically strong, hard to guess, but not impossible to remember. The strength comes mostly from the number of words and how unpredictably they are chosen; a substitution such as "a" to "@" adds little, because cracking tools try those rules first.

• Providing password vault technology such as KeePass (a local, personal vault) or CyberArk (an enterprise privileged-account vault) can help this process a lot. But providing documentation and training on these packages is essential!

Page 18

Passwords

• In regards to phishing, regular user awareness training to show little tricks for validating a password challenge before entering credentials is the most difficult and most important skill to teach.

- Check the certificate. A valid certificate only proves that you are talking to the site named in the address bar; phishing sites can and do have valid certificates, so this check means nothing unless the URL check below also passes.

- Check the URL, CAREFULLY, and the host name in particular: "login.example.com.evil.test" is evil.test, "login.example.com@evil.test" is evil.test, and "examp1e.com" is not "example.com". This applies to search results, and to auto-completed URLs.

- Do not click on links from email and do not respond to requests via phone. If prompted, refer to your own address and phone books for "call-back verification" if a response is required.
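The URL checks on this slide can be turned into something a help desk, a mail gateway, or a training exercise can run against a link before anyone types a password into it. The following Python is an added example; it is not code from the presentation or from iSecure, and the allow-list of login hosts and the links in the demo are constructed for illustration.

```python
"""Heuristic checks to run on a link before entering credentials into it.

Added example for this slide, not code from the presentation or from
iSecure. TRUSTED_LOGIN_DOMAINS and the URLs in __main__ are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list: the only hosts where users of this (fictional)
# organisation should ever type their corporate password.
TRUSTED_LOGIN_DOMAINS = ("example.com", "login.microsoftonline.com")


def _fold_lookalikes(text: str) -> str:
    """Fold common visual substitutions so 'examp1e' and 'exarnple'
    compare equal to 'example'. Heuristic, not a full confusables table."""
    text = text.lower().replace("rn", "m").replace("vv", "w")
    return text.translate(str.maketrans("01357", "olest"))


def _is_within(host: str, domain: str) -> bool:
    """True if host is domain itself or a genuine subdomain of it."""
    return host == domain or host.endswith("." + domain)


def assess_login_url(url: str, trusted=TRUSTED_LOGIN_DOMAINS) -> list:
    """Return human-readable warnings for a login URL.

    An empty list means: HTTPS, no userinfo trick, and the host is one of
    the trusted login domains (or a genuine subdomain of one).
    """
    warnings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased

    if parts.scheme != "https":
        warnings.append(f"not HTTPS (scheme is {parts.scheme!r})")
    if parts.username is not None:
        # https://login.example.com@evil.test/ -- the browser treats
        # everything before '@' as a username; the real host follows it.
        warnings.append(f"userinfo before '@' hides the real host {host!r}")

    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address, not a company name")
        return warnings
    except ValueError:
        pass  # not an IP literal, carry on with name checks

    if not host.isascii():
        warnings.append("non-ASCII host name: possible homograph attack")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode (xn--) label: possible homograph attack")

    if any(_is_within(host, d) for d in trusted):
        return warnings  # genuine host; only scheme/userinfo findings apply

    warnings.append(f"host {host!r} is not a trusted login domain")
    for domain in trusted:
        name = domain.split(".")[-2]  # 'example' from 'example.com'
        if domain in host:
            # login.example.com.evil.test: the trusted name is a decoy
            # prefix; the registrable domain is evil.test
            warnings.append(f"contains trusted name {domain!r} as a prefix/subdomain trick")
        elif name in _fold_lookalikes(host.replace("-", "")):
            warnings.append(f"looks like {domain!r} (lookalike spelling)")
    return warnings


if __name__ == "__main__":
    # Constructed links, each illustrating one trick from the slide.
    for link in (
        "https://login.example.com/sso",
        "http://example.com.evil.test/login",
        "https://login.example.com@evil.test/",
        "https://examp1e.com/login",
        "https://192.0.2.10/owa",
    ):
        print(link, "->", assess_login_url(link) or ["looks genuine"])
```

The decisive test is the last one: a host that is not the trusted domain or a real subdomain of it fails regardless of how the rest of the URL looks. The lookalike folding is deliberately crude; a production gateway would use a full confusables table and the public suffix list, but the shape of the logic is the same.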

Page 19

User Awareness Tools and Techniques

• A weekly notice from IT or Corporate Security is helpful.

- Reiterate a security policy.

- Report on statistics for in-house security incidents.

- Show an example of an actual phishing site or email. Talk about spearphishing.

- Explain an attack type, risk, etc.

• Send security tips via email or corporate newsletter.

Page 20

User Awareness Tools and Techniques

• A more timely notification can be sent in the event of an ongoing or emergent threat at your organization.

• eScreenz is an example of software developed locally by Entre Computer Services.

– No sponsorship – this is a free plug! Some of iSecure's customers use it.

– Pushes notifications to PCs, which are displayed on screen savers.

– Use it for any corporate communication, not just IT alerts.

Page 21

User Awareness Tools and Techniques

• Provide quarterly or yearly refreshers on Corporate/Information Security Policies and Procedures.

• Get a new AUP (Acceptable Use Policy) and a signed acknowledgement of the Information Security policy.

• Communicate clear disciplinary consequences for risky behavior! It's not nice, but if you have the detective controls and a mandate to enforce discipline, you can get people's attention.

Page 22

User Awareness Tools and Techniques

• As a part of developing technical documentation on the configuration and management of a user-facing solution, also develop user-facing documentation on its effective use!

• Provide updated training on company-sponsored Guest Access, Mobile Solutions, Data Sharing, and Password Management.

Page 23

User Awareness Tools and Techniques

• The previous slides related to internal development of training and documentation.

• We will mention some tool-based approaches in the next few slides, but if you have an InfoSec staff they should spend some of their time teaching and communicating rather than just locking things down.

• Although it can take time, internally developed training and documentation will always be more relevant than 3rd-party material.

Page 24

User Awareness Tools and Techniques

• BlackFin Security ( www.blackfin.com ) offers ongoing interactive User Awareness Training.

- 5-10 minutes a month of generalized training.

- Customizable content is available for specific needs, trouble spots, and solutions.

- Quick games and quizzes follow content.

- Explaining attack type, risk, etc.

• Social engineering tests can be generated. Send a fake email with a fake link. See who clicks on it, and who entered credentials. Use a unique link per recipient so results are attributable, and have the landing page discard whatever is typed into the password field: you want to know that a credential was submitted, not what it was.

- BlackFin Security and Rapid7 both offer this service, among others.
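Whether you buy the service or build it, the mechanics of a phishing test are simple: each recipient gets a link that only they could have received, and the landing site's own access log tells you who clicked and who went on to submit the fake login form. The following Python is an added example of that scoring step; it is not BlackFin's, Rapid7's, or iSecure's code, and the campaign key, recipient list, landing host, and log lines are all constructed.

```python
"""Scoring a phishing simulation from the landing site's access log.

Added example, not BlackFin's, Rapid7's, or iSecure's code. The key,
campaign id, recipients, landing host, and log lines are all constructed.
"""
import hashlib
import hmac
import re
from collections import Counter

CAMPAIGN_KEY = b"constructed-secret-rotate-for-every-campaign"
CAMPAIGN_ID = "2014-10-invoice-lure"
LANDING = "https://training.example.test"  # constructed landing host

RECIPIENTS = [
    "alice@example.com",
    "bob@example.com",
    "carol@example.com",
    "dave@example.com",
]


def tracking_token(email: str, campaign: str = CAMPAIGN_ID,
                   key: bytes = CAMPAIGN_KEY) -> str:
    """Opaque per-recipient token for the link.

    An HMAC (rather than a counter or the address itself) means tokens
    cannot be enumerated or forged, and only the holder of the key can
    map a token back to a person.
    """
    msg = f"{campaign}|{email.strip().lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def tracking_link(email: str) -> str:
    """The link that goes into the lure email for one recipient."""
    return f"{LANDING}/c/{tracking_token(email)}"


# Apache/nginx combined log format; we only need method, path and status.
LOG_LINE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3})'
)
# GET  /c/<token>       = recipient clicked the link
# POST /c/<token>/login = recipient submitted the fake login form
TRACKED_PATH = re.compile(r"^/c/([0-9a-f]{16})(/login)?$")

OUTCOME_RANK = {"no_action": 0, "clicked": 1, "submitted": 2}


def score_campaign(log_lines, recipients=RECIPIENTS) -> dict:
    """Map each recipient to the worst thing they did: no_action,
    clicked, or submitted. Unknown tokens are ignored, not attributed."""
    token_to_email = {tracking_token(e): e for e in recipients}
    result = {e: "no_action" for e in recipients}
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # drop ?src=... style noise
        p = TRACKED_PATH.match(path)
        if not p:
            continue
        email = token_to_email.get(p.group(1))
        if email is None:
            continue  # forged or stale token: never guess who it was
        outcome = ("submitted"
                   if m["method"] == "POST" and p.group(2) else "clicked")
        if OUTCOME_RANK[outcome] > OUTCOME_RANK[result[email]]:
            result[email] = outcome
    return result


def summarise(result: dict) -> dict:
    """Campaign-level rates for the weekly notice (no names needed)."""
    counts = Counter(result.values())
    total = len(result)
    return {
        "recipients": total,
        "click_rate": (counts["clicked"] + counts["submitted"]) / total,
        "submit_rate": counts["submitted"] / total,
    }


# Constructed access-log lines: bob clicked and submitted, carol only
# clicked, someone probed a forged token, alice and dave did nothing.
SAMPLE_LOG = [
    f'198.51.100.7 - - [07/Oct/2014:09:12:01 -0400] "GET /c/{tracking_token("bob@example.com")} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'198.51.100.7 - - [07/Oct/2014:09:12:40 -0400] "POST /c/{tracking_token("bob@example.com")}/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    f'203.0.113.9 - - [07/Oct/2014:09:15:22 -0400] "GET /c/{tracking_token("carol@example.com")}?src=outlook HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [07/Oct/2014:09:16:00 -0400] "GET /c/ffffffffffffffff HTTP/1.1" 404 0 "-" "curl/7.37.0"',
    '203.0.113.9 - - [07/Oct/2014:09:16:10 -0400] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for e in RECIPIENTS:
        print(e, tracking_link(e))
    scored = score_campaign(SAMPLE_LOG)
    print(scored)
    print(summarise(scored))
```

Two design points matter more than the parsing. The token is an HMAC under a per-campaign key, so a curious employee cannot forge a colleague's link or walk the token space, and the results file alone does not identify anyone without the key. And the landing page behind `POST /c/<token>/login` must log only that a submission happened; the password field itself is never written anywhere, which is what makes the exercise defensible to the people being tested. A known limitation is that a forwarded link still counts against the original recipient.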

Page 25

Conclusions

• Provide proper tools and resources for personnel to do what they need to do, securely.

• Some of the most sensitive points are:

- Media/Games/Promotions

- Mobile/Personal Devices

- File Sharing

- Passwords

Page 26

Conclusions

• Through a variety of methods, ensure there is training and advisement as to what these secure methods are, and what defines risky behavior.

• Be sure to communicate the real nature of the threat and how it can affect the company, as well as what consequences may apply to company personnel.

• Take the time to do some of this yourself and "own" the process of user training.

Page 27

Thank You!

Questions and Answers?