April 22, 2003 Security Professionals Workshop

Best Practices in User Education: A Critical Component in any Information Security Program

Shirley Payne, Director, Security Coordination & Policy, University of Virginia
Cedric Bennett, Director, Information Security Services, Stanford University
Topics
• Why education?
• Who needs to be educated?
• Communicating
• Effective Practices
• Exercise
• Wrap up
The Need For Education
Statistics show most breaches are caused by insiders:
• Disgruntled employees and contractors
• Inquisitive students
• Unintentional actions or lack of action
Excuses:
• I didn’t know
• I thought someone else would take care of that
• I don’t know how
• I’ve got more important things to do
Threats To Computer Systems*
Threats by people:
• Unintentional employee action: 50-60%
• Intentional employee action: 15-20%
• Outside actions: 1-3%
Physical and environmental threats:
• Fire damage: 10-15%
• Water damage: 5-10%
• Electrical fluctuations: 1-5%
• Natural disaster: 1%
Other: 5-10%
* Source: Dr. Corey D. Schou
“Automakers have added systems to cars that can pinpoint their location and even call emergency services if a crash is detected. However, have these smart cars made the roadways safer? This is an analogous situation for information security. Overall security will only improve if users are educated about the technology they are using.”
Richard Hunter, VP of Gartner’s G2
Lack Of Education Causes Major Problems
• We’ve exposed student, employee, donor and medical data
• Our IT resources have been used for attacks on businesses and the Federal government
• Our research data have been compromised
• Our hardware has been confiscated by FBI investigators
• We’re spending significant time in reaction mode
More Bad News: Education Is Hard!
• Few acknowledge personal responsibility for security
• Many consider the issue too technically complex
• Management fails to comprehend business implications
• Security budgets and staff stretched to the limit
How Do We Approach This?
Finely sharpen education program design:
• Clearly define target audiences and what they need to know
• Determine how best to communicate the message
• Leverage what others are doing
Who Needs To Be Educated?
• Faculty
• Staff
• Students
• Parents
• Researchers
• Healthcare professionals
• Local businesses
• Governmental agencies
• Local citizens
• Institution executives
Communication Is 2-way
• Don’t forget to listen
• Check your understanding
• Empathy
The Platinum Rule: Do unto others as they would prefer
Be The Listener
• Use language familiar to the listener
• Avoid jargon
• Only moderate use of FUD (fear, uncertainty and doubt)
• Reference concerns of the listener
• Use metaphor to make your points
• Don’t assume facts or understanding
• Use humor and informality appropriately
• Repetition is important
Provide What Is Needed
• Get lots of input: check with Help Desk, consultants, system administrators
• Prioritize the messages: focus the program to get the “biggest bang”
Effective Practices
• Web sites & email
• Articles in local publications
• Posters and postcards
• Show & Tell presentations and meetings
• Enlist others to help
• Mount a campaign
• Never stop
Effective Practices Exercise
Interactive group session:
• Form groups
• Each group will be assigned a Target Audience
• Choose what the educational focus will be
• Consider best ways to reach that target
• Work on the problem for 6 minutes
• Make a bulleted list of approaches
• Some groups will report results
• Every group will hand in results
• We will make all results available on the workshop / session web site
Thirteen pages of exercise results follow the wrap-up page
Selected Examples
• University of Florida’s security awareness day: http://www.itsa.ufl.edu
• Texas A&M’s security awareness training: http://infosec.tamu.edu/sat/main.html
• Indiana University’s “how-to” page: http://www.itso.iu.edu/howto
• James Madison University’s R.U.N.S.A.F.E. program: http://www.jmu.edu/computing/runsafe/
• University of Virginia’s security toolkit: http://www.itc.virginia.edu/securitytoolkit
• Stanford’s secure computing site: http://securecomputing.stanford.edu
Selected References
• Center for Education and Research in Information Assurance and Security: http://www.cerias.purdue.edu
• National Institute of Standards and Technology Computer Security Resource Center: http://csrc.nist.gov/ATE
• SANS Institute: http://www.sans.org
• Virginia Alliance for Secure Computing and Networking: http://vascan.org
Wrap Up
• Other Questions and Answers?
• Check the Security Professionals Workshop site for these slides plus session-developed materials
Effective Practices Exercise
The thirteen pages which follow are the results from the session exercise, by group. In some cases, the same target audiences were considered by different session work groups.
Ideas for reaching “target” groups – Executives
• Make them think they make decisions
• Low tone “Fox” news – fear – stress need for information protection
• Cost benefit analysis
• Address their concerns
• Metaphors in terms s/he can understand
• Put a positive spin: “Security can protect productivity”
• Educate them about security problems & resolutions
• Tailor to their areas of expertise – this is actually a very diverse group
• Brief, pithy
• Identify reputation (and other risks) for division
Exercise results page
Ideas for reaching “target” groups – Staff (1st Group)
• Target includes “student staff”
• Educate on security policies by incorporation in orientation
• Identify key staff member(s) to become trainers
• Widely publish security policies and usage
Ideas for reaching “target” groups – Staff (2nd Group)
• Staff associations / forums
• Email
• Print info on payroll check advice, e.g., an announcement of an event
• Voice mail
• Importance of making it clear that each staff member has a responsibility to protect information of which they are a steward
• Use parking permits as a means to contact people (meetings, dates, etc.)
• Simple give-away gifts with messages
• Website, intranet
• Posters
• Log-in banner
• Orientation / training program
• Tents on cafeteria tables
• Interactive contests
• Recognize people for doing something right: “Good Job” or “Pat on the Back” of the week
• Employee newsletters
Ideas for reaching “target” groups – Staff (3rd Group)
Problem: not teaching passwords as secure
Issues:
• Writing passwords on desk or posting them on telephone
• Weak policies – not ensuring strong passwords
Outreach:
• PowerPoint, email
• Use “live” examples (e.g., $25,0000 debt on telephone calls – lecturers inviting study groups of students also see password on telephone)
• Use Crack
• Send notification that passwords have been compromised and need to be changed
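The “Use Crack” idea above (audit the password store with a cracker, then notify the owners of guessed passwords) as an added example that is not part of the workshop materials. It assumes a password store of salted SHA-256 hashes rather than the Unix crypt(3) hashes Crack itself targets; the user records, the wordlist and the mangling rules are constructed for illustration, and the notice deliberately tells the user that the password was guessed, not what it was.

```python
import hashlib


def _h(salt: str, pw: str) -> str:
    # Constructed hash format for the example: hex SHA-256 over salt || password.
    return hashlib.sha256((salt + pw).encode()).hexdigest()


# Constructed sample store: user -> (salt, digest). Not real accounts.
SAMPLE_USERS = {
    "alice": ("s1", _h("s1", "Password1")),
    "bob":   ("s2", _h("s2", "wahoo")),
    "carol": ("s3", _h("s3", "c0rr3ct-horse-battery-staple!")),
}

# Constructed campus-flavoured wordlist; a real audit would use a large dictionary.
BASE_WORDS = ["password", "wahoo", "cardinal", "welcome"]


def mangle(word: str) -> set[str]:
    """Crack-style mangling rules: case variants plus common trailing digits/punctuation."""
    variants = {word, word.capitalize(), word.upper()}
    out = set(variants)
    for v in variants:
        for suffix in ("1", "123", "!", "2003"):
            out.add(v + suffix)
    return out


def candidate_passwords(base_words: list[str]) -> set[str]:
    """Expand every base word through the mangling rules into one candidate set."""
    cands: set[str] = set()
    for w in base_words:
        cands |= mangle(w)
    return cands


def audit(users: dict, base_words: list[str]) -> dict[str, str]:
    """Return {user: guessed_password} for every account whose hash matches a candidate.

    Because each record carries its own salt, every candidate is re-hashed per user;
    that per-user cost is exactly what salting buys the defender.
    """
    cands = candidate_passwords(base_words)
    weak: dict[str, str] = {}
    for user, (salt, digest) in users.items():
        for pw in cands:
            if _h(salt, pw) == digest:
                weak[user] = pw
                break
    return weak


def notifications(weak: dict[str, str]) -> dict[str, str]:
    """Draft the notice the group proposed. The guessed value is never echoed back."""
    return {
        u: f"{u}: your password was recovered in a routine audit; change it now."
        for u in weak
    }


if __name__ == "__main__":
    found = audit(SAMPLE_USERS, BASE_WORDS)
    for line in notifications(found).values():
        print(line)
```

Run as a script it prints one notice each for alice and bob; carol's long passphrase is not in the candidate set, so no notice is drafted for her. Keep the recovered plaintexts out of the notification path and out of logs: the audit result is itself a list of live credentials until the users have changed them.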
Ideas for reaching “target” groups – Students
What to focus on:
• Not sharing passwords
• Peer to peer
• Sharing software (“down-ware”)
• Use of email
• Use of virus protection
• Harassment
• No threats in chat rooms
How to reach them:
• Student information privacy – protect their own info
• Freshman orientation
• Newspapers
• Information literacy course (mandatory coursework)
• Public service pop-ups
• Include a required technology class
• Provide reading material with acceptance package
• Fraternity security parties
• Student orientation pamphlets / posters
Ideas for reaching “target” groups – Students (2nd Group)
Some techniques:
• Door hangers with security information, e.g., on password changing
• Posters (residence halls and classrooms)
• Stickers on restroom doors
• Freshman orientation – ½ hour
• Student media (radio, cable TV)
• Contests with prizes
• Free anti-virus CD in every residence hall room, and other enhanced ways to distribute site-licensed free software
• Web info
Focus:
• Campuswide authentication (strong passwords)
• Anti-virus software – using it and updating it
• Copyright
• Ethics
• File-shares (closing open shares)
• WinXP or W2K – problems with no administrative password, etc.
• Personal firewalls
• Proper use of email
• Proper use of instant messaging
Ideas for reaching “target” groups – Students (3rd Group)
Focus:
• Passwords
• General ethics
• File sharing
• Anti-virus
• Copyright
• WinXP/2K admin passwords
• Personal firewalls
• Netiquette
Approaches:
• Residence hall bulletin boards
• Door hangers
• Campus-wide identifiers
• Posters inside bathroom stalls
• Freshman orientation
• College radio / cable TV
• Contests with prizes
• Free anti-virus and other software
• CD distribution
Ideas for reaching “target” groups – System Administrators
To educate on:
• What are their roles and responsibilities
• What authority do they have
• What are the best practices
• Rules for decision making
• Incident handling processes
• What to do if media or police request info
Ideas for reaching “target” groups – Faculty (1st Group)
• Start at the top: Dean of Faculty or equivalent; get support at that level
• Have the message come from the faculty
• Use Faculty Senate / Department meetings, etc.
• Be proactive – “get in their face”
• Show the Value Proposition to them (convince of value to them), e.g., intellectual property, book in progress, etc.
• Use Research Office or other offices, e.g., Procurement
• Bribe them with food, door prizes
• “Scare the pants off them”: CNN News idea
Ideas for reaching “target” groups – Faculty (2nd Group)
Focus on protecting grades / research
Approaches:
• Be added to faculty meeting / luncheon
• Ask for assistance (e.g., secretary, TA, etc.)
• Hold classes provided by IT staff
Ideas for reaching “target” groups – Parents & Alumni
What to communicate:
• Communicate policies (AUP, Security, etc.)
• Policy violations have disciplinary consequences that could interrupt their academic experience
Approaches:
• Web page for technical specifications
• Link to policies
• Mailing (U.S. Mail) about policies
• Highlight legal and university judicial penalties
• Provide translations in multiple languages, if appropriate
• Alumni newsletter, parents’ magazines
• Use analogies to make the point
Ideas for reaching “target” groups – Researchers
• Where research brushes against AUPs, contact someone and discuss
• Approach it from their angle
• Dangers of losing research data – integrity
• Premature release of results
• Educate research compliance committees (IRBs) about this
• Educate campus office that takes in grant proposals about security implications
• Grant-tracking system
Ideas for reaching “target” groups – Application Systems Staff
• Speaker program
• Web site
• Listserv
• On-site professional training
• Web seminars designed for need
• Presentations at staff meetings
• Application testing / certification
• Peer-to-peer training