My Lessons Learned in Security Awareness
Pedro Serrano, CISSP, Security Architect, Cimarex Energy

Phishing: how ransomware and malware get delivered!
- 215.3 billion emails sent and received per day in 2016. The trend is upward; we know this because email is how we do business.
- 85% of organizations have suffered phishing attacks. I call this the new normal (expected behavior).
- 90% of all malware starts via email. The key ingredients:
  1. Receive an email with a link or malicious payload (an unsuspecting user clicks).
  2. Get Internet access, download the malicious data, start the damage.
- 65% of mail users worldwide access their email via a mobile device. The phone is personal; I carry it in my pocket, while the PC stays behind, disconnected. When this access gets exploited, I predict a change in how we access email.

But I have a new firewall!
- You can add all the technical controls that you want, but if your employees click and enable the wrong link, it's game over!
- I am not against technical controls, but technical controls were my excuse (scapegoat). Many organizations hide behind this excuse so that they do not have to do security awareness.
- The human element needs to be considered as a security risk. What does your company culture tolerate?

Why is security awareness the new hot topic?
- Because what you do at home you will tend to do at work.
- Because Web, email, and social media are now accepted behavior; after all, it is how we do business.
- Because of the overwhelming realization that my users will not pay attention to emails and will click on the links. After all, this is what we do when we get an email: you have to read it. In many companies, receiving an email requires action.
- Because the costs are less than physical controls. This is huge in companies that work in a balanced-budget environment.

We emphasized changing behavior. How?
- Monthly newsletters (enhanced with images): one page, no attachments.

Made it easy to report suspicious email
- Implemented a new icon: a one-click button in the Outlook email client where users could report suspicious email for the security team to review.
- The premise: make it so easy that my CEO would use it! And it worked once I made reporting one click away.

Bribe with food!
- Created Lunch and Learns to talk about security awareness, with lunch provided. We called this the honey effect.
- We did not enforce a mandatory meeting where employees attended because they were required; instead, I wanted them to want to be there! It's all about the expectation!
- Convinced upper management to budget $10.00 per meal per employee. This was the most difficult step. Actually, our first meeting was a pilot (test), and it was so successful that after the meeting we had a commitment to continue. The executive team understood the dynamic and importance of cyber education.

Create competition: phishing campaign
- After the first round of test phishing emails, send an email congratulating the winning groups. Let me tell you, my engineers like to win!!!
- Got high fives and dirty looks in the elevators.
- Created buzz about Pedro's tricked emails. Many folks actually were impressed and wanted to know why they had failed the phishing email.
- This opened the door to discuss how to review emails and the 7 different places where I could trick you in an email.
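The "winning groups" announcement needs a score per group. The following is an added example (not the speaker's own tooling): it takes one round of simulated-phishing results in an assumed (user, group, clicked, reported) shape, computes each group's click rate and report rate, and ranks the groups with fewest clicks first and most reports as the tie-breaker. The sample rows are constructed.

```python
"""Score one round of a simulated-phishing campaign by group.

Added example, not the speaker's own tooling.  The event shape
(user, group, clicked, reported) and the sample rows are constructed
for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    user: str
    group: str
    clicked: bool   # followed the tracked link in the test email
    reported: bool  # used the one-click "report suspicious email" button


# Constructed sample results: a few users in three groups.
SAMPLE = [
    Event("alice", "engineering", clicked=False, reported=True),
    Event("bob", "engineering", clicked=False, reported=True),
    Event("carol", "engineering", clicked=True, reported=False),
    Event("dan", "finance", clicked=True, reported=False),
    Event("erin", "finance", clicked=True, reported=True),
    Event("frank", "finance", clicked=False, reported=False),
    Event("grace", "field-ops", clicked=False, reported=False),
    Event("heidi", "field-ops", clicked=False, reported=True),
]


def score_groups(events):
    """Return {group: {"users": n, "click_rate": x, "report_rate": y}}.

    click_rate  = fraction of the group that clicked the link (lower is better)
    report_rate = fraction of the group that reported the email (higher is better)
    """
    counts = defaultdict(lambda: {"users": 0, "clicked": 0, "reported": 0})
    for e in events:
        c = counts[e.group]
        c["users"] += 1
        c["clicked"] += int(e.clicked)
        c["reported"] += int(e.reported)
    return {
        g: {
            "users": c["users"],
            "click_rate": c["clicked"] / c["users"],
            "report_rate": c["reported"] / c["users"],
        }
        for g, c in counts.items()
    }


def rank_groups(scores):
    """Order groups for the announcement: fewest clicks first, most
    reports as the tie-breaker, then group name for a stable order."""
    return sorted(
        scores,
        key=lambda g: (scores[g]["click_rate"], -scores[g]["report_rate"], g),
    )


if __name__ == "__main__":
    s = score_groups(SAMPLE)
    for g in rank_groups(s):
        r = s[g]
        print(f"{g:12} users={r['users']} "
              f"click={r['click_rate']:.0%} report={r['report_rate']:.0%}")
```

Ranking on click rate alone rewards groups that simply ignore mail; using the report rate as the tie-breaker gives credit to the behavior the one-click button is meant to build.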

Made the training fun, animated, easy-going
- This created acceptance. This was not the security guys trying to get me!
- Trust: I actually received calls from employees telling me that they had failed and that they would never have looked at the From in the email because everything else looked legit.
- Elevator talks: I got daily questions on web, email, or out-of-office etiquette.

Summary: what we learned
- Email is the delivery method; let's learn how to stop it.
- Technical controls work, but people are going to be people.
- Security awareness: the single most effective control for the least money.
- Behavior modification is key, so relate to what matters to users (home).
- Make it easy to report bad email.
- Bribe with food: the honey effect.
- Make security awareness fun (acceptance factor).
- Above all, create trust and acceptance; you are not the enemy!

Pedro Serrano, CISSP
President, ISSA Oklahoma
Speak Train Motivate
pedro@stmtalk.com
@InfoSecPedro
https://www.linkedin.com/in/infosecpedro

References
1. US Email Statistics Report, 2016-2020. http://www.radicati.com
2. Phishing statistics 2016. https://blog.barkly.com/phishing-statistics-2016
3. New report: State of phishing attacks. https://www.wombatsecurity.com/pressreleases/new-report-state-of-phishing-attacks