LAB MEASURING THE IMPACT OF YOUR AWARENESS PROGRAM


1 SESSION ID: LAB3-W13
LAB MEASURING THE IMPACT OF YOUR AWARENESS PROGRAM
Lance Spitzner, Director, SANS Security

2 Goals For Today
- The ability to measure the impact of your awareness program
- To ensure you look good
- Everything you will learn today you will be able to apply the day you get back to work

3 Welcome
- Facilities
- Today's plan of attack
- Class logistics (handouts / interactive labs)
- Take ten minutes, table introductions
Lance Spitzner lspitzner@sans.org

4 WindowsOS vs. HumanOS
Security controls built into the WindowsOS: EMET, Microsoft Security Essentials, Edge Browser, Biometrics, Credential Guard, Data Execution Prevention (DEP), Baseline Security Analyzer, Firewall Enabled by Default, Microsoft Secure Development Lifecycle, Automatic Updating, Software Restriction Policies, Trustworthy Computing, Windows Defender, Malicious Software Removal Tool, Encrypted File System, AppLocker, Mandatory Integrity Control, Windows Service Hardening, Bitlocker, User Account Control, ASDL.
HumanOS

5 Security Awareness Maturity Model
1. Non-existent
2. Compliance Focused
3. Promoting Awareness & Behavior Change
4. Long-Term Sustainment & Culture Change
5. Metrics Framework

6 BJ Fogg Behavior Model

7 Your Strategic Plan: WHO, WHAT, HOW
This is what we will focus on for today, completing three group labs. This is what drives your metrics.

8 WHAT Do You Teach?
Focus on topics that have the greatest ROI:
- People can remember only so much (cognitive overload)
- You have limited time and resources to teach
- Fewer topics are easier to reinforce
- Avoid training fatigue
Prioritize the greatest human risks to your organization, and then develop training modules to address each of those risks.

9 Start With The Data
For most organizations, key assets are your data.
- Start by identifying who is handling your sensitive data and how (often role based)
- Then identify what threats / behaviors expose that data to the greatest risk (don't worry about prioritizing yet)
- There are numerous ways to approach risk assessments; one example is NIST SP 800-30 Rev. 1 (Guide for Conducting Risk Assessments)

10 Identify the Human Risks
- What were the most common and/or damaging human-related incidents in the past 6-12 months? This includes accidental incidents.
- Any penetration tests in the past 6-12 months?
- Take your Incident Response and Security Ops teams out to lunch. Ask them: "If we could wave a magic wand, what five things would you want people to do differently?"

11 Verizon DBIR

12 Blogs / Twitter are a great way to stay current

13 Prioritizing Your Human Risks
Once you identify your human risks you need to prioritize them.
- Quantitative: a precise / accurate measurement that produces a numeric value; a complex and time-consuming approach
- Qualitative: an estimate or comparative measurement (high, medium, low); a fast and simple approach

14 Qualitative Risk Matrix
A 5x5 grid: Probability (VL/1, L/2, M/3, H/4, VH/5) on the vertical axis, Impact (VL/1, L/2, M/3, H/4, VH/5) on the horizontal axis; each topic is plotted as an X. Example topics plotted on the slide: Phishing and Tracking Cookies.
Scoring table columns: Topic, Probability (%), Impact, Risk Score.

15 Defining Variables of Risk
In Your Lab Workbook

16 Lab: Prioritizing Your Human Risks
- You have identified numerous human risks to your organization; prioritize the top 7. This is your Core training for all employees.
- You can find a description of each risk/topic in your lab workbook.
- Be sure to take into consideration your existing technical controls and past training.
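As an added illustration of this lab step (example code written for this page, not from the SANS lab or its workbook): a small Python script that scores a constructed list of human risks on the 5x5 qualitative Probability x Impact matrix, discounts each one by how much of it existing technical controls already absorb, and returns the top 7 for core training. The topics, their ratings, and the control_coverage multiplier are assumptions made for the example.

```python
"""Added example (not from the SANS lab materials): rank human risks on the
qualitative 5x5 Probability x Impact matrix and pick the top 7 for core training.
All topics, ratings and the control_coverage adjustment are constructed assumptions."""
from __future__ import annotations

from dataclasses import dataclass

# The five-point scale used on the matrix slide: VL/1, L/2, M/3, H/4, VH/5
SCALE = {"VL": 1, "L": 2, "M": 3, "H": 4, "VH": 5}


@dataclass
class HumanRisk:
    topic: str
    probability: str                # how likely people exhibit the risky behaviour (VL..VH)
    impact: str                     # damage to the organisation when they do (VL..VH)
    control_coverage: float = 0.0   # assumed: share (0..1) of this risk technical controls already absorb


def risk_score(risk: HumanRisk) -> float:
    """Probability x Impact (1..25), scaled down by existing technical controls.

    The lab says to account for controls and past training; this models it as a
    simple multiplier, e.g. 0.5 means half the exposure is already handled.
    """
    try:
        prob = SCALE[risk.probability.upper()]
        impact = SCALE[risk.impact.upper()]
    except KeyError as exc:
        raise ValueError(f"{risk.topic}: rating must be one of {list(SCALE)}") from exc
    if not 0.0 <= risk.control_coverage <= 1.0:
        raise ValueError(f"{risk.topic}: control_coverage must be between 0 and 1")
    return prob * impact * (1.0 - risk.control_coverage)


def prioritize(risks: list[HumanRisk], top_n: int = 7) -> list[tuple[str, float]]:
    """Return (topic, score) for the top_n risks, highest first.

    Ties are broken by impact, then probability, so that when two topics tie on
    score the one that hurts more when it happens is trained first.
    """
    def key(r: HumanRisk):
        return (risk_score(r), SCALE[r.impact.upper()], SCALE[r.probability.upper()])

    ranked = sorted(risks, key=key, reverse=True)
    return [(r.topic, round(risk_score(r), 2)) for r in ranked[:top_n]]


# Constructed sample ratings (assumed, not from any real assessment).
SAMPLE_RISKS = [
    HumanRisk("Phishing", "H", "VH", control_coverage=0.2),   # mail filtering catches some
    HumanRisk("Data Security", "M", "VH"),
    HumanRisk("Passwords", "M", "H"),
    HumanRisk("Mobile Device Security", "H", "M"),
    HumanRisk("Working Remotely", "M", "M"),
    HumanRisk("Malware", "H", "H", control_coverage=0.5),     # endpoint AV/EDR already in place
    HumanRisk("Cloud", "L", "H"),
    HumanRisk("Social Networking", "M", "L"),
    HumanRisk("Physical Security", "L", "M"),
    HumanRisk("Tracking Cookies", "L", "VL"),
]

if __name__ == "__main__":
    for topic, score in prioritize(SAMPLE_RISKS):
        print(f"{score:5.1f}  {topic}")
```

Run it and the ranking drops Social Networking, Physical Security and Tracking Cookies from the core set; lowering Malware's control_coverage back to 0 moves it straight to the top, which is the point of feeding existing controls into the score rather than ranking on gut feel.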

17 In Your Lab Workbook

18 Tally: Topic / Number of Students
- You Are the Shield
- Social Engineering & Messaging
- Browsing
- Social Networking
- Mobile Device Security
- Passwords
- Malware
- Data Security
- Working Remotely
- Cloud
- Targeted Attacks
- Physical Security
- Creating a Cyber Secure Home
- Hacked

19 Learning Objectives
- Your job is only half done; you now need to identify what behaviors manage those top risks.
- Create a separate learning objectives document for each risk.
- This is a living document that covers the target, goal, and learning objective of each risk.

20 Sample Learning Objectives In Your Lab Workbook

21 Example Learning Objective

22 Typical Password Learning Objective
A common security awareness topic is passwords:
- Minimum of 12 characters
- 1 symbol
- 1 number
- 1 capital letter
- No two repeated letters
- Change every 90 days
Costs associated with this

23 What Are We Missing?
- Do not get infected
- Do not share your passwords
- Do not log in using untrusted systems
- Passphrases ("Where is my Coffee?")
- Password Managers
- Use two-step verification whenever possible


25 Lab: Learning Objectives
- Pick one of the most important topics from your top topic list.
- Document three Learning Objectives for that topic. A good Learning Objective uses action verbs, is specific, and is measurable.
In Your Lab Workbook

26 Two Types of Metrics
- Compliance Metrics: measure the deployment of your awareness program. Are you compliant?
- Impact Metrics: measure the impact of your awareness program. Are you changing behavior?
Metrics are not a single measurement in time of "are we good or bad?" Metrics are repeated over time: are we moving the needle in the right direction?

27 Measuring Impact
In Your Lab Workbook

28 How To Measure - Phishing
Phishing is a useful metric for most organizations:
- Measures a key human risk organizations care about
- Simple, low cost and easy to repeat
- Quantifiable measurements that are actionable
- 90% fall victim in the first hour

29 Overall Approach
- Biggest difference between technical and human metrics is that humans have feelings.
- Announce your metrics program ahead of time, and then start slow.
- Do not embarrass people (no "Viagra" lures).
- Do not release names of those who fail. Only notify management of repeat offenders.
- Focus on real-world risks; do not trick people.
- Always make sure there are at least two ways to detect an assessment.

30 Click Results
If an end user falls victim to a phishing assessment, you have two general options:
- No feedback
- Immediate feedback that explains this was a test, what they did wrong, and how to protect themselves
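As an added example (Python written for this page, not from the SANS lab or its workbook) of turning raw phishing-assessment results into the impact metrics the preceding slides describe: per-campaign click rate and report rate, the share of clicks that land in the first hour, the trend across repeated campaigns, and a repeat-offender list that is the only place individual names appear. The two campaigns, user IDs and timestamps are constructed sample data.

```python
"""Added example (not from the SANS lab materials): compute phishing-assessment
impact metrics from per-recipient results. Campaign data below is constructed."""
from collections import Counter
from datetime import datetime, timedelta


def result(user, sent, clicked=None, reported=None):
    """One recipient's outcome for one campaign (ISO-8601 timestamps, None = did not happen)."""
    return {"user": user, "sent": sent, "clicked": clicked, "reported": reported}


# Constructed sample data for two assessments three months apart.
CAMPAIGNS = {
    "2016-01": [
        result("u01", "2016-01-12T09:00", clicked="2016-01-12T09:05"),
        result("u02", "2016-01-12T09:00", clicked="2016-01-12T09:30"),
        result("u03", "2016-01-12T09:00", clicked="2016-01-12T09:50"),
        result("u04", "2016-01-12T09:00", clicked="2016-01-12T14:20"),   # late click
        result("u05", "2016-01-12T09:00", reported="2016-01-12T09:15"),
        result("u06", "2016-01-12T09:00", reported="2016-01-12T10:40"),
        result("u07", "2016-01-12T09:00"),
        result("u08", "2016-01-12T09:00"),
        result("u09", "2016-01-12T09:00"),
        result("u10", "2016-01-12T09:00"),
    ],
    "2016-04": [
        result("u01", "2016-04-19T10:00", clicked="2016-04-19T10:12"),   # repeat clicker
        result("u08", "2016-04-19T10:00", clicked="2016-04-19T10:40"),
        result("u02", "2016-04-19T10:00", reported="2016-04-19T10:03"),
        result("u03", "2016-04-19T10:00", reported="2016-04-19T10:09"),
        result("u05", "2016-04-19T10:00", reported="2016-04-19T10:20"),
        result("u06", "2016-04-19T10:00", reported="2016-04-19T11:30"),
        result("u09", "2016-04-19T10:00", reported="2016-04-19T12:00"),
        result("u04", "2016-04-19T10:00"),
        result("u07", "2016-04-19T10:00"),
        result("u10", "2016-04-19T10:00"),
    ],
}


def _ts(value):
    return datetime.fromisoformat(value) if value else None


def campaign_metrics(rows):
    """Click rate, report rate and share of clicks inside the first hour for one campaign."""
    sent = len(rows)
    if sent == 0:
        raise ValueError("campaign has no recipients")
    clicks = [r for r in rows if r["clicked"]]
    reports = [r for r in rows if r["reported"]]
    within_hour = [r for r in clicks
                   if _ts(r["clicked"]) - _ts(r["sent"]) <= timedelta(hours=1)]
    return {
        "sent": sent,
        "click_rate": len(clicks) / sent,
        "report_rate": len(reports) / sent,
        "first_hour_share": len(within_hour) / len(clicks) if clicks else 0.0,
    }


def trend(campaigns):
    """Metrics per campaign in date order: the needle moves the right way when
    click_rate falls and report_rate rises from one assessment to the next."""
    return [(name, campaign_metrics(rows)) for name, rows in sorted(campaigns.items())]


def repeat_clickers(campaigns, min_campaigns=2):
    """Users who clicked in at least min_campaigns assessments.

    Per the slide, individual names are never published; this list is the only
    thing that goes to management, and only once someone has repeated.
    """
    counts = Counter(r["user"] for rows in campaigns.values()
                     for r in rows if r["clicked"])
    return sorted(u for u, n in counts.items() if n >= min_campaigns)


if __name__ == "__main__":
    for name, m in trend(CAMPAIGNS):
        print(f"{name}: click {m['click_rate']:.0%}, report {m['report_rate']:.0%}, "
              f"clicks in first hour {m['first_hour_share']:.0%}")
    print("repeat clickers:", repeat_clickers(CAMPAIGNS))
```

Report rate is worth tracking alongside click rate: a campaign where clicks drop but nobody reports the lure says people learned to ignore it, not that they would warn the SOC about a real one. The first-hour share is the number to use when sizing how quickly an incident responder must act once a real phish gets through.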


32 Human Risk Survey
Sometimes, the simplest way to measure something is to just ask.
- Think of a survey as a human vulnerability scanner.
- A survey can measure behaviors that you normally do not have access to.
- A survey can also measure attitudes and motivation (culture).
- Value is multiple measurements over time.
Copy in the digital download package

33 Examples from the Security Awareness Survey

34 Data May Already Be There
There may not be a need to collect data because you already have it. Check with:
- Security Operations Center / Incident Response Team
- Help Desk
- Human Resources
- Data Loss Prevention (DLP)

35 Strategic Metrics
Align your security awareness metrics with your security program. How are you helping your CISO and ultimately your organization's mission?
- Number of incidents per month
- Average time to detect an incident
- Number of data loss incidents
- Number of privileged
- Number of policy violations
- Number of compliance / audit violations

36 Lab: Measuring Your Metrics
- Identify and document your top three impact metrics.
- How will you measure them and how often?
- Why did you pick them?
- Oh, and it can't be phishing.
In Your Lab Workbook

37 Security Awareness Maturity Model
1. Non-existent
2. Compliance Focused
3. Promoting Awareness & Behavior Change
4. Long-Term Sustainment & Culture Change
5. Metrics Framework

38 When You Get Back
- Build relations with your SOC / IR team; take them out to lunch and repeat monthly.
- Review and prioritize your topics; base this analysis on data, NOT emotion.
- Once prioritized, what are the key behaviors that manage those risks?
- Prioritize your metrics, both behavior and strategic.
- Dedicate 4 hours a month to collect those metrics and report to leadership.

39 Learning More