Guide to Implementing an Effective Security Education & Awareness Program
Presented by:
Calvin Weeks, Director, OU Cyber Forensics Lab, University of Oklahoma
Shirley Payne, Director, Security Coordination and Policy, University of Virginia
Krizi Trivisani, Chief Security Officer, The George Washington University
Copyright Calvin Weeks, Shirley Payne, Krizi Trivisani 2004. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the authors.
Overview
This presentation will offer help in implementing a security awareness program that teaches physical and system security precautions, establishes realistic expectations, and decreases the overall cost of securing an enterprise network by teaching users to share best practices with peers and by improving security in the workplace and in home work environments.
Introduction
Security programs cannot be successful without good leadership from the very top of your organization down. Even with all the staff, technology, resources, and budget, a Chief Information Officer (CIO) or Chief Security Officer (CSO) will not and cannot secure an environment without the rest of the organization. Every person in your organization plays a very important role in the security of all physical and virtual assets. But, why would anyone be motivated to participate in security? What are the key issues and concerns for your organization, CIO, CSO, directors, staff, faculty, students, parents, system / network administrators, contractors, guests, and many other types of people internally and externally? How do these people know what their role or responsibilities are?
EDUCAUSE Security Awareness & Education Task Force
Mission/Purpose: The Education and Awareness Initiative team will identify and take steps to implement and/or publicize various methods by which awareness of information technology security issues is raised amongst university and college computer and network users, administrators, and executives.
EDUCAUSE Security Awareness & Education Task Force
Team Goals/Expected Outcomes (Deliverables and Metrics):
The team will:
1) Identify current projects and current materials and methods (primarily developed within the higher education and non-profit communities, but also vended products where they have been proven to be (or may be) particularly useful to universities and colleges).
2) Use existing methods available via EDUCAUSE to publicize identified offerings.
3) Where gaps may exist in available offerings, commission development of programs or materials as needed.
EDUCAUSE Security Awareness & Education Task Force
Boundaries for the Team (Scope of Work & Authority): The team will concern itself with education and awareness of:
1) end-users (essentially faculty, staff, and students)
2) technicians and administrators who maintain systems for campuses
3) executives.
The team will not venture into the realm of educating security professionals, or into formal for-credit curriculum development.
EDUCAUSE Security Awareness & Education Task Force
Team Leadership:
Co-Chairs:
Kelley Bogart, University of Arizona
Mark Bruhn, Indiana University
Definition
Webster’s New World Dictionary, Third College Edition
Awareness – Knowing or realizing; conscious; informed.
Training – the process or experience of being trained. [train] – to instruct so as to make proficient or qualified.
Education – knowledge, ability, etc. thus developed. [develop] – to become larger, fuller, better, etc.; grow or evolve, esp. by natural processes.
Awareness
“Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly.”
National Institute of Standards and Technology (NIST), Special Publication 800-50
Awareness
What behavior do we want to influence?
Examples:
“Change your password every 60 days”
“Sec-U-R-IT-y”
“Secure-IT”
“Time for a checkup: Patches, Virus definitions, passwords”
Awareness Links
http://www.itsa.ufl.edu/posters/passwords.pdf
http://www.itsa.ufl.edu/posters/10reasons.pdf
http://www.asu.edu/it/security/s101/
https://www.itso.iu.edu/howto/
http://security.ou.edu/bestpractices/index.html
Training
“Training strives to produce relevant and needed security skills and competencies.”
National Institute of Standards and Technology (NIST), Special Publication 800-50
Training
What skills do we want to have learned?
Examples:
Professional development training
Seminars
Workshops
Conferences
Employment job duty performance
Sample Programs
http://security.ou.edu/sec_catalog.htm
http://www.it.ufl.edu/training/
http://register.perfectorder.com/it/2005/workshop.php
http://sans.org/
Education
“Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge…and strives to produce IT security specialists and professionals capable of vision and proactive response.”
National Institute of Standards and Technology (NIST), Special Publication 800-50
Education
What knowledge do we have to share/collaborate?
Examples:
EDUCAUSE National Conference, college degree, 10 years' experience, and 400 contact hours of training.
Why?
HIPAA
FERPA
GLBA
Sarbanes Oxley Act
Grant requirements
Compliance
Other local, state, and federal regulations
Does it make a difference?
RPC vulnerability and the Welchia/Nachi attacks – users aware
SQL Slammer attacks – technical education
Sobig.F e-mail attacks – users aware and technical training
Centers of Academic Excellence
The Centers of Academic Excellence in Information Assurance Education (CAEIAE) program, established in November 1998, helps NSA partner with colleges and universities across the nation to promote higher education in information assurance (IA). This program is an outreach effort that was designed and is operated in the spirit of Presidential Decision Directive 63 (PDD 63), the Clinton Administration's Policy on Critical Infrastructure Protection, dated May 1998. The program is now jointly sponsored by the NSA and Department of Homeland Security (DHS) in support of the President's National Strategy to Secure Cyberspace, February 2003. The goal of the program is to reduce vulnerability in our national information infrastructure by promoting higher education in information assurance (IA), and producing a growing number of professionals with IA expertise in various disciplines.
59 Centers throughout the US.
Who is our Audience?
Faculty
Staff
Students
Parents
Contractors
Visitors
Community/industry partners - outreach
Target your Audience!
General
Technical/non-technical
Local/remote
Faculty/researchers/professors
Management/staff
System/network administrators/support staff
Students/parents
Home/travel users
HIPAA, FERPA, GLBA, Sarbanes Oxley
Contractors/new employees
Roles
President or Head
CIO/CSO
Information System Security Officer
Security T.E.A. Program Manager
Directors/managers
Faculty/staff/students/Users
T.E.A. Manager
Training, Education, and Awareness (T.E.A.)
Program/Curriculum development
Course and Instructor coordination
Program promotions
Measure expectations/requirements vs. outcomes/results.
When I Go To U.Va….
http://www.itc.virginia.edu/pubs/docs/RespComp/videos/when-I-go-to-UVA-lg.mov
IT Security Staffing Landscape
What percent of surveyed institutions have a chief IT security officer?
What is the average number of full-time security staff at surveyed doctoral institutions? At baccalaureate institutions?
What percent of surveyed institutions have no formal awareness programs for students, faculty and staff?
From 2003 EDUCAUSE Center for Applied Research Survey
Typical Responsibilities of Security Officers
Strategic Planning
Awareness, Education & Technical Training
Technical Communications (Alerts)
Policy Development
Compliance
Risk Assessment & Business Continuity
Incident Detection & Response
These Responsibilities Require Many Roles To Be Filled
Strategic Planner
Champion
Communications Expert
Teacher
Technical Expert
Policy Writer
Lawyer
Enforcer
Watch Dog
Incident Responder
Etc., etc., etc.
Which Roles Suffer First?
Strategic Planner
Champion
Communications Expert
Teacher
Technical Expert
Policy Writer
Lawyer
Enforcer
Watch Dog
Incident Responder
Etc., etc., etc.
Collaborations Make All The Difference!
New ideas
Access to others' competencies
Expanded scope of influence
Shared labor and cost
Executives
Examples:
Boards of Trustees
Presidents
Vice Presidents & Provosts
Deans & Department Heads
Chiefs of Staff
Potential Gains:
Policy approval
Funding and staffing approval
Influence (directives, reviews, role-models)
Appropriate expectations
Testimonial
Tom Hennessey, Chief of Staff, George Mason University
Shown with permission from the producer Cathy Hubbs, IT Security Coordinator, George Mason University
http://security.gmu.edu/HennesseyResponse.mpg
Faculty, Staff, & Student Leaders
Examples:
Chief of Human Resources
Faculty Senate Chair
Dean of Students
Student Council
Dorm Resident Advisors
Student Honor Committee
Potential Gains:
Input on security awareness plans
New champions
Peer-to-peer influence
Central IT Staff
Examples:
Network and System Engineers
User Support Staff, e.g. Help Desk
Potential Gains:
Identification of problem areas, emerging threats, and priorities
Security alerts
Security awareness tool development
Departmental Staff
Examples:
System Administrators
Office Managers
Potential Gains:
Input on security awareness needs and priorities
Input on guidelines and policies
Security champions in their departments
Dissemination of security alerts within their departments
Departments with Security Interests
Examples:
Audit Department
Legal Counsel
Campus Police
Potential Gains:
Participation in awareness events
Input on awareness priorities
Contribution to development of guidelines and policies
Interested Faculty & Students
Examples:
Instructors
Student class projects
Potential Gains:
Participation in awareness events
Input on awareness tool design
Tool development
43
Communications Experts
Examples:
Public Relations Office
Campus and Community Press
Potential Gains:
Design of professional literature
Development of creative marketing tools that deliver the security message in unique and innovative ways
Communication of alerts, events and other information
44
Security Experts & Organizations
Examples:
EDUCAUSE http://www.educause.edu/security
Virginia Alliance for Secure Computing & Networking http://vascan.org
SANS Institute http://www.sans.org
CERT Coordination Center http://www.cert.org
CERIAS http://www.cerias.purdue.edu
NIST Computer Security Resource Center http://csrc.nist.gov
and many more
Potential Gains:
Multiple perspectives
Fresh ideas
Eliminates wheel reinvention
Back to that U.Va. video…
Collaborators:
Concept and story board – IT Publications staff
Video production – School of Continuing & Professional Studies
Actors: children of IT staff
Closed captioning – local commercial firm
Cost was less than $3,000
Choose Long-term Collaborators Carefully
Should have common goals
Should be recognized benefits on both sides
Should be based upon mutual trust
Manage the Collaborations
Set realistic expectations
Communicate well
Resolve issues quickly
Periodically review collaboration health
Recognize their contributions
What Defines Culture?
Strategic Planning and Decision-Making Examples:
• Top-down
• Bottom-up
• Consensus-based
Institutional Values Examples:
• Student honor code
• Strong faculty influence
• Emphasis on accountability at all levels of institution
• High bond rating
What Defines Culture?
Control of Operational Functions Examples:
• Centralized
• Decentralized
Long-term Institutional Priorities Examples:
• Increase research
• Increase community outreach
Other influences on culture?
Ideas For Using Culture
Decentralized Control Over Computing
Formalize and leverage network of departmental system administrators
How? Some Examples:
University of Virginia LSP Program
http://www.itc.virginia.edu/dcs/lsp
George Mason University SALT Group
http://itu.gmu.edu/security/sysadmin/salt-description.html
Ideas For Using Culture
Increasing Emphasis on Compliance
Spotlight Federal Regulations Related to Security & Privacy
How? Some Examples:
IT Security for Higher Education: A Legal Perspective
http://www.educause.edu/ir/library/pdf/csd2746.pdf
Family Educational Rights & Privacy Act
http://www.ed.gov/policy/gen/guid/fpcp/ferpa/index.html
Gramm Leach Bliley Act
http://www.ftc.gov/privacy/glbact/index.html
Health Insurance Portability & Accountability Act
http://www.hhs.gov/ocr.hipaa
Ideas For Using Culture
Strong Leadership at the Top
Make Executive-level Awareness a Top Priority
How?
ACE Letter to Presidents Regarding Cybersecurity
http://www.acenet.edu/washington/letters/2003/03march/cyber.cfm
Information Security: A Difficult Balance
http://www.educause.edu/pub/er/erm04/erm0456.asp
Gaining the President’s Support for IT Initiatives at Small Colleges
http://www.educause.edu/apps/eq/eqm04/eqm0417.asp
Presidential Leadership for Information Technology
http://www.educause.edu/ir/library/pdf/erm0332.pdf
Changing Culture
Awareness, education, and training change attitudes
Changing attitudes can force change in institutional culture.
Also, major security incidents should initiate examination of cultural influences and possible need for change
Exercise
Divide into groups
Assign target audience to each group: Executives, Administrative staff, Students, Faculty, Researchers, IT professionals
Brainstorm ideas for building awareness (8 minutes)
Prepare bulleted list
Select spokesperson
Share results
Let’s Play!
I’ve Got Email is an educational form of bingo that incorporates IT security related words and phrases. This is a good activity for a security or IT department. Play it as a normal bingo game, but when someone gets five in a row (or four corners, etc.) they shout “I’ve Got Email!” To add an additional educational effect, you might ask them to explain each of the terms in the winning row.
I’ve Got EMAIL (sample card: columns E M A I L, center square FREE)
Card terms: Router, Virus, Standards, Risk, Information Warfare, Phishing, Certification, Linux, Reliability, User ID, Privacy, Interface, Authorization, Sniffer, Technology, Solution, Architecture, Detection, Password, Policies, Modules, Firewall, Alert, Monitor
www.securityawareness.com
Copyright 2000-2004 Security Awareness, Inc - All Rights Reserved
Security Implementation Relies On:
Process
People
Technology
Policies must be developed, communicated, maintained and enforced
Processes must be developed that show how policies will be implemented
People must understand their responsibilities regarding policy
Systems must be built to technically adhere to policy
Policies
The cornerstone of an effective information security architecture is a well-written policy statement. This is the source from which all other directives, standards, procedures, guidelines and other supporting documents will spring. As with any foundation, it is important to establish a strong footing.
Why Implement a Security Policy?
In the absence of an established policy, the University’s current and past activities become the de facto policy.
Since there is no formal policy with which to be defended, the University may be in greater danger of a breach of security, loss of competitive advantage, customer confidence and government interference.
By implementing policies, the University takes control of its destiny.
Why Implement a Security Policy?
The goal of an information security policy is to maintain the integrity, confidentiality and availability of the information resources.
The basic threats that may prevent the University from reaching this goal are unauthorized access, modification, disclosure or destruction - whether deliberate or accidental - of the information or the systems and applications that process the information.
Why Implement a Security Policy?
When developing the policy, there is as much danger in saying too much as there is in saying too little.
The policy should provide the direction required by the University while maintaining business unit management discretion in the actual implementation of the policy.
The more intricate and detailed the policy, the more frequent the update requirements and the more complicated the training process for users.
Policy Structure
Laws, Regulations, and Requirements
Policy
Standards
Procedures, Practices
Guidelines
Awareness and Training on the Security Policy
Now you have a policy… but has anyone read it?
Or better yet… do they understand it?
Policy resources:
http://www.educause.edu/CampusPolicyInitiatives/332
Key Issues and Pitfalls
Make sure your Implementation Plan for the Security Policy includes training!
Make sure your training materials and policy are not in conflict.
Know your audience and adjust your training as appropriate by keeping their needs in mind.
Get feedback!
BUDGET for training and awareness.
Utilize free resources and solicit volunteers, interns, and partnerships with departments and other Universities.
Resources
The Education & Awareness Working Group of the EDUCAUSE/Internet2 Security Task Force compiled cyber security awareness resources that will be distributed on a CD.
The resources were collected to showcase the variety of security awareness efforts underway at institutions of higher education and to provide resources for colleges and universities that are looking to jump-start a program for their organization.
What’s on the CD?
Pamphlets
Links to School’s Security Web Page(s)
Videos
Security Awareness Documents
Security Cards
Security Quizzes
Scripts
Surveys
Security Tools
Book Marks
Brochures
Checklists
Flyers
Games
Government Resources
Handouts
Post Cards
Presentations
Measurement of Success
Surveys
Quizzes
Password Cracking
Reduction/Increase in infections
Audits – baseline then monitor progress
Metrics (and yes, color graphics are worth it when presenting to management)
Incentives and recognition to most improved and others actively working to increase security in their departments
Lather, rinse, repeat!
Measurement of Success
Did you meet the goals of your awareness program? Did you set goals?
Sample: To reduce risk by implementing best practice information security programs while balancing academic freedom
What are the Goals of GW's Security Awareness Program?
To educate members of the University community
To identify and address risk
To promote and encourage good security habits
Exercise
Divide into groups
You are planning your first Cyber Security Awareness Day for your campus. What are your goals? What will the event involve? How will you make it interesting for your audience?
Brainstorm ideas (8 minutes)
Prepare bulleted list
Select spokesperson
Share results
Questions?
Contacts
Calvin Weeks [email protected]
Shirley Payne [email protected]
Krizi Trivisani [email protected]