9/29/2014
05:00 PM
Sara Peters
Be Aware: 8 Tips for Security Awareness Training

Hint: One giant security training session to rule them all is not the way to go.

It's every security professional's nightmare. All your best security measures: rendered useless by one great social engineering attack, one lost smartphone, or one weak password.

If only your users understood that security is everyone's job. If only they took your friendly reminders, heartfelt pleas, angry threats, and authoritative demands seriously. If only they weren't so stupid.

Maybe the problem isn't just your users -- it's your lousy security awareness program.

Awareness may be even more difficult than the most complex security architecture rip-and-replace. It's hard work.

During the "Securing the Human" panel discussion at the Cyber Security Summit in New York earlier this month, experts shared some tips on how to make security awareness easier and more effective.


Image: "Anna Held's Eyes," Library of Congress via plaisanter~.
Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that, she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
anon7110993809
User Rank: Apprentice
3/30/2015 | 6:52:17 PM
digital security training
All 8 of these tips are great for running a digital security training. As you say, having one giant meeting to cover everything is not the way to go at all. People will start to get bored, and no one remembers anything when they are bored. Break it up into a few smaller meetings stretching over a few weeks. That way people are more likely to remember what was taught in each meeting. 
jn94583
User Rank: Strategist
10/8/2014 | 4:16:25 PM
Informal Power
I would posit that Security Awareness and Training programs are woefully undervalued. Not simply because "education is the only patch for human error", but because informal power is more effective than sanctions. 

Shaping the culture towards being more security conscious is more effective than threatening them with penalties. While people may take the tests and nod when you emphasize how important security is, they ultimately have a job to do. They will tend to discount the tutelage if it interferes with what they need to do.

I agree, emphasis on explaining the "why" is essential; however, this does not guarantee compliance, which is ultimately an internal decision. It's a decision the person makes. If a corporate culture has been shaped to make security "normal" and expected, then compliance emerges from a good feeling rather than a fear.

It's much like the change in wording one might use in a Standard to reduce the natural resistance created by commands. Words like "must" are replaced by "do".

For example:

"All admins must report malware alerts" becomes "All admins report malware alerts" (the "do" is implied). This approach makes the requirement a statement of fact (it's how we do it here) rather than a prescriptive mandate...(of course it's how we do it here) :-)
Sara Peters
User Rank: Author
10/6/2014 | 4:21:17 PM
Re: Be Aware: 8 Tips for Security Awareness Training
@SecOps Specialist   WOW! Good for you. That's the first time I've heard someone say they quit their brand-new job because of bad information security. 

And you're right: it certainly varies from company to company. One of the best security awareness training experts I know is hilarious and comes up with all kinds of ways to get people engaged. One example I remember: He wanted to teach people about keeping clean desks -- making sure that when people walked away from their desks their cubicles weren't wallpapered with login data, their computer screens weren't unlocked, their desks weren't covered in confidential documents and/or portable storage devices full of confidential documents.  

So... he and a few members of his team dressed up like aliens! They wandered around the office, gathering up all the sensitive data they could just by wandering around. The idea being that even an alien with no prior knowledge of a company could be dropped in the office one day and walk away with everything they needed to know to breach the company. Whether or not it worked long-term, it certainly got the message across in an inventive way.
SecOpsSpecialist
User Rank: Moderator
10/6/2014 | 3:48:43 PM
Re: Be Aware: 8 Tips for Security Awareness Training
@Sara

That's a tough one really. It is truly dependent on the business and how vested they are in Security and making sure that their program is more than a checkbox. If a company is only caring about compliance, they will not, in general, have a developed security program. They will have policies, as you said, that every person has to read every year as a way to meet compliance. Very rarely do you see companies that have a large program regarding security.

The hope is that the program, as you said, "should" be about improving security, but as I said earlier, some businesses just do not have the resources to dedicate to something like that. As a prime example, I went to work for a company and quit after a week because of how lax their security was. Their idea of security was allowing anyone access to the network room where the servers and cabling were located; everyone knew the username and password of everyone in the building, including administrators such as the network admin and the server admin. The list goes on. I couldn't handle it, so I quit within my first week and sought out a different job.
Sara Peters
User Rank: Author
10/6/2014 | 3:27:59 PM
Re: Be Aware: 8 Tips for Security Awareness Training
@SecOps Specialist  Well it certainly SHOULD be about improving security, not about checking a box. I expect that most awareness programs simply give out policies, without properly explaining why such policies exist???
SecOpsSpecialist
User Rank: Moderator
10/6/2014 | 12:31:50 PM
Re: Be Aware: 8 Tips for Security Awareness Training
@Sara -

Oftentimes the Security training, much like HR training, is treated like a checkbox because it needs to meet compliance standards. The difference between Security training and Security Awareness training is that Security training is designed to meet compliance standards like FERPA or HIPAA/HITECH. Security Awareness training is about bringing, well, awareness to the forefront of everyone's mind. There's more to Security than just blocking bad websites and keeping the "bad guys" out.

If people don't know that links can be harmful, a checkbox solution won't help them with that. If people don't know that Social Engineering is something that happens almost every day and they don't know what signs to look for, they are vulnerable to it. Same thing with Phishing, Vishing, or Whaling. It's all a matter of how important the company views security. Is it something that needs a checkbox, or is it about getting people to change their views and get better at locking their workstations?
Sara Peters
User Rank: Author
10/6/2014 | 12:18:47 PM
Re: Be Aware: 8 Tips for Security Awareness Training
@SecOps Specialist  I love this extra bit of advice you mention:  "Computer-Based Training is a great way to meet compliance, but don't stop there."  I think that of all the many things security professionals do, awareness training is the one most likely to be treated with a "checkbox-only" approach. What do you think?
SecOpsSpecialist
User Rank: Moderator
9/30/2014 | 4:06:23 PM
Re: Be Aware: 8 Tips for Security Awareness Training
@Marilyn - I'm not sure that is even effective still. In my experience, if a user knows something is coming, they are more likely to try to circumvent it than if they don't know it's coming. Truthfully, vulnerability testing done by outside vendors should not be announced, because then the results are skewed and do not actually provide accurate data, which can hurt the company overall. You can tell users 'til you're blue in the face that Security is important, but until they fall victim to something, they will not change.
Stratustician
User Rank: Moderator
9/30/2014 | 2:14:33 PM
Re: Good, practical advice on security awareness training
Great points! As part of the training for different audiences, it might make sense to look at different types of departments, as they have different risks. For example, marketing folks are known to use portable storage and cloud storage so they can work on files remotely. Sales users' risks come from how and where they access customer data. Tailoring training to talk about these types of users specifically might get a better response than the infamous "thou shalt be secure" corporate snooze sessions we've all sat through.
Marilyn Cohodas
User Rank: Strategist
9/30/2014 | 1:49:35 PM
Re: Be Aware: 8 Tips for Security Awareness Training
@SecOpsSpecialist. My guess is that the warning is more general. Tell users that they will be tested by an attack, but not be specific as to the timing and the nature of the attack. I suspect that, even with such warning, users will fall victim, and a serious lesson will be learned.