Lance Spitzner.

Similar documents
Evolution of a Phish That Got Through the Net[work]

Incident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles

Cybersecurity: Incident Response Short

Building a Resilient Security Posture for Effective Breach Prevention

State of the Phish 2016

Cyber Security. June 2015

Phishing Discussion. Pete Scheidt Lead Information Security Analyst California ISO

Lessons Learned from 4,000 Security Assessments. Sadik Al-Abdulla Security Practice Director, CDW

Insider Threat Detection Including review of 2017 SolarWinds Federal Cybersecurity Survey

Skybox Security Vulnerability Management Survey 2012

Security Governance and Management Scorecard

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

Maximize your move to Microsoft in the cloud

Managed Enterprise Phishing Protection. Comprehensive protection delivered 24/7 by anti-phishing experts

All the Cool Kids Are Red Teaming Should You Be Drinking the Kool-aid Too?

HOW TO PHISH YOUR BUSINESS (AND GET MANAGEMENT S BUY-IN)

How Cisco IT Improved Development Processes with a New Operating Model

The Data Breach: How to Stay Defensible Before, During & After the Incident

falanx Cyber Falanx Phishing: Measure your resilience

MIS5206-Section Protecting Information Assets-Exam 1

10 FOCUS AREAS FOR BREACH PREVENTION

Cybersafety Culture Assessment

SANS Summit. London, GB July 10, Cheryl Conley Sr Mgr, Security Education & Awareness Lockheed Martin Corporation

Kaspersky Security Awareness

Certified Information Security Manager (CISM) Course Overview

CYBERSECURITY RESILIENCE

IT Needs More Control

Twilio cloud communications SECURITY

Promote Your Event App Internally. How to get your internal teams to use mobile apps for all your meetings & events.

SECURITY AUTOMATION BEST PRACTICES. A Guide on Making Your Security Team Successful with Automation SECURITY AUTOMATION BEST PRACTICES - 1

Panda Security 2010 Page 1

Cyber Security Guide. For Politicians and Political Parties

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Security Automation Best Practices

CLEARING THE PATH: PREVENTING THE BLOCKS TO CYBERSECURITY IN BUSINESS

Google Cloud & the General Data Protection Regulation (GDPR)

NOTICE TO ALL PROSPECTIVE RESPONDENTS RFP 18-ITSS/CY. Addendum No. 1 issued September 7, RFI responses are in red bold print

A company built on security

Rate Plan Analysis Reports in Premier

How Breaches Really Happen

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

Cybersecurity 2016 Survey Summary Report of Survey Results

Machine-Powered Learning for People-Centered Security

MEETING ISO STANDARDS

Larry Clinton President & CEO Internet Security Alliance

The Data Protection Act 1998 Clare Hall Data Protection Policy

Introduction, Overview and Capabilities. Revision Date: 01/11/13 Copyright MicroSolved, Inc., 2013 All Rights Reserved.

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

security mindfulness dwayne.

CLOSING IN FEDERAL ENDPOINT SECURITY

ACTIONABLE SECURITY AWARENESS: CONVERT THE WEAKEST LINK INTO THE SAFETY FORCE

Device Discovery for Vulnerability Assessment: Automating the Handoff

Survey Results: Virtual Insecurity

Gain Control Over Your Cloud Use with Cisco Cloud Consumption Professional Services

Phishing: When is the Enemy

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak

Data Privacy Breach Policy and Procedure

GDPR Compliance. Clauses

Altitude Software. Data Protection Heading 2018

Building a Threat Intelligence Program

DATA PROTECTION AND PRIVACY POLICY

University of Pittsburgh Security Assessment Questionnaire (v1.7)

PEOPLE CENTRIC SECURITY THE NEW

Security. Bob Shantz Director of Infrastructure & Cloud Services Computer Guidance Corporation. All Rights Reserved.

with Advanced Protection

How We Delivered Compliance to a London-based Law Firm. A Network Security Project Case Study.

MaaS360 Secure Productivity Suite

2018 CANADIAN ELECTRICAL CODE UPDATE TRAINING PROVIDER PROGRAM Guidelines

Thanks for attending this session on April 6 th, 2016 If you have any question, please contact Jim at

Foundation Level Syllabus Usability Tester Sample Exam

Sheryl Hanchar C EH, GCIH, CISSP,CISA

Employee Security Awareness Training Program

Teradata and Protegrity High-Value Protection for High-Value Data

SECURITY AUTOMATION BEST PRACTICES. A Guide to Making Your Security Team Successful with Automation

Securing Health Data in a BYOD World

Canada s Anti-Spam Legislation (CASL) What it means for Advisors. Distributor Learning & Development

Physical Security Reliability Standard Implementation

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

Defensible and Beyond

GLBA. The Gramm-Leach-Bliley Act

SECURITY & PRIVACY DOCUMENTATION

Identity Theft, Fraud & You. PrePare. Protect. Prevent.

UNLOCKED DOORS RESEARCH SHOWS PRINTERS ARE BEING LEFT VULNERABLE TO CYBER ATTACKS

THE CYBERSECURITY LITERACY CONFIDENCE GAP

INFLUENCING QUALITY OF LIFE BY IMPROVING HEALTH

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Virus Outbreak

Risky Business. How Secure is Your Dealership s Information? By Robert Gibbs

Data Breach Risk Scanning and Reporting

Tripwire State of Cyber Hygiene Report

Contents. About ACTIVITY METRICS Back to Contents

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

Recognition and Remarks

ACM Retreat - Today s Topics:

Compliance & HIPAA Annual Education

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

THE IMPACT OF MOBILE DEVICES ON INFORMATION SECURITY:

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Data Protection Policy

FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

Defending Our Digital Density.

Transcription:

Lance Spitzner www.securingthehuman.org/blog lspitzner@sans.org @securethehuman

Security Awareness Maturity Model Metrics Compliance Focused Promoting Awareness & Change Long Term Sustainment Non-Existent

Useful Metrics Focus on just a few, high value metrics. A metric that measures a human risk or behavior that you care about A metric that is actionable A metric that is low cost / automate A metric that repeatable

2 Types of Awareness Metrics Metrics that measure the deployment of your awareness program. - Are you compliant? Metrics that measure the impact of your awareness program. Are you changing behavior?

Key Points Computers do not have feelings, people do Announce and explain your metrics program ahead of time, then start slow & simple Do not embarrass people nor release names to management of those who fail. Only notify management of repeat offenders Focus on real world risks, do not trick people

Example Metric - Phishing Recreate the very same attacks that the bad guys are launching. Excellent way to measure change in behavior. Measures a top human risk Simple, low cost and easy to automate Repeatable and quantifiable measurements Actionable

Get Approval Before conducting any type of assessment, make sure you have appropriate approvals Can t get approval, try a test run against the blockers (HR, Legal) Make sure security team knows ahead of time, let them know each time when you do it and whom to contact when things go wrong

How Many to Assess? Most metrics use a statistical sampling, you may not the have time or resources to test everyone Take lessons learned from sample and apply to whole organization www.surveysystem.com/sscalc.htm

Basic Phish

Click Results If an end user falls victim to an e-mail assessment you have two general options Error message / no feedback Immediate feedback that explains this was a test, what they did wrong and how to protect themselves

Follow-up Send results of test to all employees 24 hours later. Explain results and how they could have detected phishing email and what to look for in the future. Include image of phishing email. Include your monthly security awareness newsletter.

Violations First violation, employee is notified with additional or follow-on training. Second violation, employee is notified and manager is copied. Third violation, manager is required to have meeting with employee and report results to security. Fourth violation, employee reported to HR.

First phish: The Impact 6-12 months later: Low as 5%. 30-60% fall victim. The more often the assessments, the more effective the impact. Quarterly: 19% Every other month: 12% Monthly: 05% Over time you will most likely have to increase difficulty of tests.

Phishing Tools URL Shortners E-mail Marketing Solutions Cloud Phishing Services Pen Testing Software

Human Sensors Another valuable metric is how many reported the attack. At some point, may need to develop a policy on what to report. On example. Do not report when you know you have a phish, simple delete. Report if you don t know (think APT) Report if you fell victim.

Are People Updating Devices?

Physical Security Behaviors See if unauthorized person can enter or walk around facilities without an ID badge Check desktops to make sure computer screens are locked and there is no sensitive information left on desks Check parked cars for mobile devices left in open

Number of Infected Computers Track number of infected computers on monthly basis As most infections are the result of human behavior, the number should go down over time One Defense Industry organization had such a dramatic drop in infections they could free up half a FTE (Full Time Employee)

Human Risk Survey Sometimes the simplest way to measure a behavior is simply ask Survey can measure behaviors that you normally do not have access to Think of the human risk survey as the human vulnerability scanner

Visualizing Your Measurements

Rewarding Our focus so far has been looking for failure, what do you do for encouraging positive behaviors? Be careful about financial awards as you are setting up a precedent Public recognition / Hershey s kisses

Summary Metrics are powerful way to both measure and reinforce your awareness program. securingthehuman.org/resources sans.org/mgt433

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback