Post on 16-Apr-2017
transcript
@NTXISSA #NTXISSACSC4
Red, Amber, Green Status: The Human Dashboard
Laurianna Callaghan, CISSP, CCNA Security
Information Security Analyst III
Health Management Systems, Inc.
October 7–8, 2016
Alarming Security Studies
“…in 2015, 60 percent of all attacks were carried out by insiders, either ones with malicious intent or those who served as inadvertent actors” [1]
“Spear-phishing campaigns targeting employees increased 55% in 2015” [2]
NTX ISSA Cyber Security Conference – October 7-8, 2016
PCI DSS 3.1
• 12.6 Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.
• 12.6.1 Educate personnel upon hire and at least annually. (Note: Methods can vary depending on the role of the personnel and their level of access to the cardholder data.)
• 12.6.2 Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures.
HIPAA
• § 164.308 Administrative safeguards
• (a)(5)(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).
• (ii) Implementation specifications. Implement:
  • (A) Security reminders…
  • (B) Protection from malicious software…
  • (C) Log-in monitoring…
  • (D) Password management…
What is Security Awareness [3]
• Individual Responsibility and Sufficient Understanding to Comply with Policies
• Another Line of Defense
• The Best ROI for Information Security Programs
Typical SA Activities [4]
• Formalized training courses
• Posters
• Security walk-throughs
• Intranet pages
• Business unit SA mentors
• Sponsorship of SA day
• Sponsorship of an external event
• Trinkets
• Special event day
• Reference materials
• Phishing simulations*
Why Security Awareness
• Law and Regulation Compliance
• Reduce Hard-To-Predict Costs
• Layered Security (Defense-in-Depth) [5]
• Teach How to Comply with Security Policy [4]
• Corporate Citizenship
• Employee Relations
Goals
• Obtain and maintain compliance
• Minimize the number and impact of security incidents
• Reduce the incident load on other security teams and the service desk
• Create a security culture
Activities Support Goals
• Compliance
  • Training
• Security Culture
  • Newsletter
  • Survey
  • Intranet site
  • Event
• Less Impact, Lower # Incidents
  • Simulations
    • Phishing
    • Spear phishing
    • Whaling
    • Social engineering
  • Physical security checks
Quantifiable [6]
• What is measured
• How it is measured
• Interval
• Indicators
• Actionable
WHAT / HOW / INTERVAL / INDICATORS / ACTIONABLE

WHAT: Annual Security Training
HOW: Training scores
INTERVAL: Annual
INDICATORS:
  RED: 15% or more first scores <= 74%
  AMBER: 15% or more first scores 75%-79%; override: 35% or more first scores 95%-100%
  GREEN: 15% or more first scores 80%-100%
ACTIONABLE:
  RED: Review test difficulty, review content difficulty, discussion with training vendor, improve training
  AMBER: Review content presentation and difficulty
  GREEN: Watch end-of-test survey results for areas of improvement. Check for test hacks and assure it is not too easy.

WHAT: Phishing Simulations
HOW: # of clickers (response rate)
INTERVAL: Quarterly
INDICATORS:
  RED: >= 15% location return rate
  AMBER: 5%-14% location return rate
  GREEN: <= 4% location return rate
ACTIONABLE:
  RED: CEO reminder email, department SA mentor meetings, mandatory phishing-specific training course
  AMBER: CISO reminder email, reminder at an all-hands meeting
  GREEN: Positive reinforcement / acknowledgement
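The two rows above are the metrics the deck actually quantifies. The following Python is an added worked example, not code from the talk or from Health Management Systems, that turns raw first-attempt training scores and phishing click counts into the deck's RED/AMBER/GREEN indicators and the matching action, and counts RED indicators as dashboard alerts. The threshold values are the deck's; the function names, the sample data, the precedence between the RED, AMBER and GREEN checks, and the handling of rates that fall between the stated bands (4-5%, 14-15%) are assumptions made here.

```python
# Added example (not from the slides): RAG status for the deck's two quantified
# awareness metrics. Thresholds are the deck's; precedence rules, gap handling
# and sample data are assumptions made for this example.

RED, AMBER, GREEN, NO_DATA = "RED", "AMBER", "GREEN", "NO DATA"


def share_in_band(scores, lo, hi):
    """Fraction of scores inside the inclusive band [lo, hi] (0.0 for no data)."""
    if not scores:
        return 0.0
    return sum(1 for s in scores if lo <= s <= hi) / len(scores)


def training_status(first_attempt_scores):
    """Annual security training indicator from first-attempt scores (0-100).

    Deck thresholds: RED if >=15% scored <=74; AMBER if >=15% scored 75-79;
    AMBER override if >=35% scored 95-100 (a sign the test is too easy);
    GREEN if >=15% scored 80-100. Assumption: checks run most severe first,
    so RED beats AMBER and the override only downgrades a would-be GREEN.
    """
    if not first_attempt_scores:
        return NO_DATA
    if share_in_band(first_attempt_scores, 0, 74) >= 0.15:
        return RED
    if share_in_band(first_attempt_scores, 75, 79) >= 0.15:
        return AMBER
    if share_in_band(first_attempt_scores, 95, 100) >= 0.35:
        return AMBER  # override: suspiciously many near-perfect first scores
    if share_in_band(first_attempt_scores, 80, 100) >= 0.15:
        return GREEN
    # Only reachable for fractional scores that fall between the integer bands
    # (e.g. 74.5); treated conservatively as AMBER.
    return AMBER


def phishing_status(clickers, recipients):
    """Quarterly phishing simulation indicator from click counts at one location.

    Deck thresholds on the return (click) rate: RED >=15%, AMBER 5%-14%,
    GREEN <=4%. Assumption: a fractional rate in the gaps (4-5%, 14-15%)
    is classed with the more severe neighbour, so anything above 4% and
    below 15% is AMBER.
    """
    if recipients <= 0:
        return NO_DATA
    rate = 100.0 * clickers / recipients
    if rate >= 15:
        return RED
    if rate <= 4:
        return GREEN
    return AMBER


# Follow-up actions, condensed from the deck's ACTIONABLE column.
ACTIONS = {
    "training": {
        RED: "Review test and content difficulty, discuss with training vendor, improve training",
        AMBER: "Review content presentation and difficulty",
        GREEN: "Watch end-of-test survey results; check for test hacks and that it is not too easy",
    },
    "phishing": {
        RED: "CEO reminder email, department SA mentor meetings, mandatory phishing-specific training",
        AMBER: "CISO reminder email, reminder at an all-hands meeting",
        GREEN: "Positive reinforcement / acknowledgement",
    },
}


def dashboard(first_attempt_scores, clickers, recipients):
    """Status and action per metric plus the alert count (number of RED indicators)."""
    statuses = {
        "training": training_status(first_attempt_scores),
        "phishing": phishing_status(clickers, recipients),
    }
    rows = {m: (s, ACTIONS[m].get(s, "Collect data")) for m, s in statuses.items()}
    alerts = sum(1 for s in statuses.values() if s == RED)
    return rows, alerts


if __name__ == "__main__":
    # Constructed sample data: ten first-attempt scores and one quarter's phishing results.
    scores = [60, 70, 72, 85, 90, 88, 92, 95, 81, 83]  # 30% at or below 74 -> RED
    rows, alerts = dashboard(scores, clickers=12, recipients=100)  # 12% click rate -> AMBER
    for metric, (status, action) in rows.items():
        print(f"{metric:9} {status:6} {action}")
    print("ALERTS:", alerts)
```

Evaluating the most severe band first matters: a population with 20% failing and 40% scoring 95-100 is a RED (content or delivery problem), not an AMBER "test too easy" signal, and the override is only allowed to downgrade a GREEN.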
Goal: Compliance
• Activities that are required for compliance
• Key performance indicators
COMPLIANCE (User KPI / Progress):
  Annual Refresher 35%
  Onboarding 75%
  PCI 68%
  HIPAA 50%
Goal: Incident Reduction
• Top activities used for incident reduction
• Key performance indicators
INCIDENT REDUCTION (User KPI / Performance):
  Refresher Training Scores 70%
  Phishing Sim 95%
  Phishing Informants 10%
  Physical Security 2%
  Social Engineering 25%
Goal: Security Culture
• Activities that contribute to the culture
• Key performance indicators
SECURITY CULTURE (User KPI / Interest):
  Newsletter 75%
  Survey 55%
  Intranet Site 65%
  Event 88%
The Security Awareness Dashboard
• Represents Security Awareness goals
• Gives visibility to the human aspect of security
• Combines logically with the overall Security dashboard
  • Preventative
  • Proactive
2016 Security Awareness Dashboard (Dept: Security Awareness; tabs: Dashboard | Budget | Roadmap; user: Calloway, Jane)
ALERTS: 1
COMPLIANCE (User KPI / Progress): Annual Refresher 35% | Onboarding 75% | PCI 68% | HIPAA 50%
INCIDENT REDUCTION (User KPI / Performance): Refresher Training Scores 70% | Phishing Sim 95% | Phishing Informants 10% | Physical Security 2% | Social Engineering 25%
SECURITY CULTURE (User KPI / Interest): Newsletter 75% | Survey 55% | Intranet Site 65% | Event 88%
Views: Main | Compliance | Incident | Culture
Other Considerations
• Baseline other areas of security that may change
  • % infected computers ↓
  • # password reset requests ↓
  • # secure web delivery messages ↑
  • # malicious sites blocked ↓
  • Bandwidth used for extracurricular ↓
  • # infections detected while remote ↓
  • # lost electronic devices ↓
  • # human reported infections ↑
  • # total infections cleaned ↓
• Impact to other departments
Resources to Share
• Department of Homeland Security
  • National Security Awareness Month
  • Stop. Think. Connect.
  • FEMA Free 1 Hour SA Video for Employees
  • National Initiative for Cybersecurity Careers and Studies
• Federal Trade Commission
  • OnGuard Online
References
1. I. X.-F. Research, “Reviewing a Year of Serious Data Breaches, Major Attacks and New Vulnerabilities,” IBM Security, 2016.
2. Symantec, “Internet Security Threat Report,” Mountain View, 2016.
3. L. Lindholm, “US Dept of State Diplomatic Secretary The Awareness Team,” Bureau of Diplomatic Security.
4. Adam Gordon, Official ISC2 Guide to the CISSP CBK, Boca Raton: Taylor & Francis Group, LLC, 2015.
5. J. Shenk, “Layered Security: Why It Works,” SANS Institute, 2013.
6. L. Spitzner, “Human Metrics: Measuring Behavior,” SANS Institute, 2010-2016.