My Lessons Learned in Security Awareness. Pedro Serrano, CISSP Security Architect Cimarex Energy

Transcription

1 My Lessons Learned in Security Awareness Pedro Serrano, CISSP Security Architect Cimarex Energy

2 Phishing, how ransomware and malware get delivered! Billion s sent and received per day in 2016! The change is upward we know this, because is how we do business 85% of organizations have suffered phishing attacks I call this the new normal (expected behavior) 90% of all malware starts via This key ingredients 1. Receive - with a link or malicious payload (unsuspicious user clicks) 2. Go get Internet access, download malicious data, start the damage 65% of mail users worldwide access their via a mobile device The phone is personal I carry in my pocket, the PC stays its disconnected When this access gets exploited I predict a change in how we access

3 But I have a new firewall! You can add all the technical controls that you want but if your employees click and enable the wrong link, its game over! I am not against technical controls, but technical controls were my excuse (scape goat). many organizations hide behind this excuse so that they do not have to do security awareness. The human element needs to be considered as a security risk What is your company culture tolerance

4 Why is security awareness the new hot topic? Because what you do at home you will tend to do at work Because Web, , and Social Media is now accepted behavior, after all is how we do business Because of the overwhelming realization that my users will not pay attention to s and click on the links after all this is what we do when we get an you have to read it In many companies receiving an requires action Because cost are less than physical controls this is huge in companies that work in a balanced budget environment

5 We emphasized on changing behavior How? Monthly newsletters (enhanced with images) one page, no attachments

6 Made it easy to report suspicious Implemented a new icon One Click button in the Outlook client where users could report suspicious for the security team to review. The premise make it so easy that my CEO would use it! And it worked once I made the reporting a one click away

7 Bribe with food! Created Lunch and Learns to talks about security awareness with lunch provided - we called this the honey effect. We did not enforced a mandatory meeting where employees attended because they were required, instead I wanted them to want to be there! all about the expectation! Convinced upper management to budget for $10.00 per meal / per employee This was the most difficult step. Actually our first meeting was a pilot (test), and it was so successful that after the meeting we had a commitment to continue. Executive team understood the dynamic and importance of cyber education

8 Create competition phishing campaign After the first round of test phishing send congratulating the winner groups Let me tell you my engineers like to win!!! Got high fives and dirty looks in the elevators Created buzz about Pedro s tricked s Many folks actually were impressed and wanted to know why they had fail the phishing This open the door to discuss how to review s and the 7 different places that I could trick you in an .

9 Made the training fun, animated, easy going This created acceptance This was not the security guys trying to get me! Trust I actually received calls of employees telling me that they had failed and that they would have never look at the from in the because everything else look legit. Elevator talks I got daily questions on web, s, or out of office etiquette

10 Summary what we learned is the delivery method let s learn how to stop it. Technical controls work but people are going to be people Security Awareness single most effective control for the least money Behavior modification Is key, so relate to what matters to users (home) Make it easy to report bad Bribe with Food. The Honey effect Make security awareness fun (acceptance factor) Above all create trust and acceptance, you are not the enemy!

11 Pedro Serrano, CISSP President ISSA Oklahoma Speak Train

12 References 1. US Statistics Report,