SANS ISC InfoSec Forums
User Awareness and Education

User education and awareness is a very generic term that is often used in business today to refer to the process of 'educating' users on the company's internal computer policy.  This effort often addresses company policy, best practices, security, etc.  What I don't see in most of the programs I have reviewed as part of audits is the 'awareness' portion, most likely because that part takes more effort.  Security professionals have known for years that a vulnerability in one of our systems has the potential to become an exposure on a global scale; most users and many system administrators have yet to recognize this dynamic.  The very statement "we are a mid-size company in America, why would anyone in Asia care about our systems, even if they are vulnerable" is a concern.

So my question to all IT Managers out there today is "what are we trying to accomplish with this training effort?"  In the past my goal was to raise the level of awareness of users so that they can begin to understand the scale of threats that exist on the Internet today.  One website that has a great basic summary of things a user can do to improve the overall security of their computer or computers is the IS site at MIT.  That article reflects simple approaches, covering technical and user practices that will aid tremendously in the overall security effort.

The title of my article today is "User Awareness and Education", as opposed to "User Education and Awareness", because I believe that user awareness is one of the most effective cybersecurity tools in our arsenal.  With awareness usually comes the desire for education, to understand the why. 

As an old friend used to say "This is where we have to engage the gray matter in our brain".

What say you?


tony d0t carothers --gmail

Tony

150 Posts
ISC Handler
I work for a large global ecommerce company. My belief is that awareness must pertain to the business but also be strong on users' personal lives. After all, employees don't care about the business and security but do care about their own personal security. Every year, I take National Cyber Security Awareness Month and run a month-long campaign at my company. My campaign includes everything from global posters, daily blog entries, emails, contests, classroom sessions, and events! I solicited some of our biggest vendors for donations such as iPads, iPods, TVs, etc., as well as lots of swag. I hold contests and surveys. We run social engineering campaigns. We release the results of the month from surveys and other tangible metrics to the employees. I hold an end-of-the-month event where I put on display challenges for people to team up on, such as breaking the code using a couple of Enigma-E and software Enigmas, security awareness Jeopardy, etc. By engaging the employee in a fun and exciting way, we have been able to see a huge increase in user awareness in many ways. My campaign is pretty detailed, so if anyone would like to discuss it more or bounce ideas around, let me know. It's been so successful that the business has allocated an annual budget for this month.
Anonymous
The problem with "security awareness training" is it has the same failure rates as any other type of training. Not everyone "gets it" and it wears off.

Roughly 30% of people don't fully understand whatever training is being offered. Sometimes it just takes a lot of repetition to sink in. Sometimes they just don't care. A 30% failure rate means the bad guys now have to send just three or four emails total in order to be assured that one gets through. Big deal.

Even worse, no one ever gets dinged in a performance review because they clicked on a link or went to a search engine result that took them to a bad site. It's simply not a job requirement that affects their performance rating. Their real work is what matters in performance reviews.

Security awareness training is at best a minor control, if it can even be called a control. Any process that has a 30% or so failure rate is actually out of control.
Anonymous
When there is "big cyber security news," I usually take the occasion to send out a scary email reiterating the magic three bullet points: don't click, don't download, don't install.

Last week, I sent out the following email:

"
Hello all,


The purpose of this Email is to continue to raise awareness about computer and information security.

This would be the first Email for a few of you newcomers to Company, and may be the second this year for you old timers.


Making security news today is analysis of a statement released by the European Network and Information Security Agency, about a report [1] released by McAfee and Guardian Analytics about the state of banking web site security.

A prominently meaningful statement in Brian Krebs's analysis [2] is:
"Many simply urge customers to follow security advice that is increasingly quaint and irrelevant: Use firewall and antivirus software; don’t respond to phishing emails; pick complex passwords and change your password often… I'm not saying antivirus software is completely useless, just that users should behave as though it is."


I agree with Krebs, and when dealing with the challenge of data security, it is best to always act exactly this way; to behave as if all the security mechanisms that are in place are useless.

This means that you should consider your hard work an asset worth protecting. Consider where you expose this and other data.


Pragmatically, continue to follow the three magic rules:
• Never click on links you are unfamiliar with.
• Never download files where you are unsure of the contents.
• Never install software that is from an unreliable source.

But also, consider the following:
• Don't send highly sensitive data over Email, IM, or other mechanisms that involve third parties.
• Beware of data transport. If you bring data from the outside into our network, consider that other computers might be compromised.

Feel free to pose questions as to what you can do to solve these security challenges while maintaining a good work flow.


As always, if you have any questions, reach out and grab your closest IT professional."
[1] http://www.mcafee.com/us/resources/reports/rp-operation-high-roller.pdf
[2] http://krebsonsecurity.com/2012/07/eu-to-banks-assume-all-pcs-are-infected/

The hardest thing to do when communicating to raise awareness is to balance being the good cop, the bad cop, and the scary/overly power-hungry IT guy that everyone dislikes.

I frequently try to create a separation between people, their work, and their ability to use "network resources, such as the Internet" to improve their work flow. It reminds me of how I felt when I sat down at my University and was exposed to LexisNexis for the first time. It's a resource, a separate system. It's not for Facebook, Gmail, playing flash games, etc.

I also use the phrase "You are the last firewall to protect our network and systems," to put more ownership and responsibility on the user themselves.

mbrownnyc

19 Posts
The timing of this article is perfect for me. As the only InfoSec guy in my company, I've been tasked with creating security awareness training at my company. I did put something together, but I would like to get more ideas. Nick, if you're reading this post, I'd like to know about your program. You can reach me at aalborz06 --gmail.
AAInfoSec

48 Posts
It will be great if there is a platform where we can bounce ideas around, as suggested by Nick. I would love to learn from your experience in running this kind of program. Nick and Alex, you can reach me at isc.sans at gmail.com
AAInfoSec
1 Posts
Hi Tony. I see it so often that even I get numb to the terms thrown around to define everything. One here I will point out that is the crux of many sleepless nights: User. We tend to define user so loosely as to forget that the mass of corporate end-users are not savvy to IT at all.
I had an example of this last week when the user, asked when they last used this item (an old USB drive from about the 2004-6 timeframe), gave a response that made my eyes water. "I couldn't even tell you what that is for or where to put it in." WTF??? RIGHT?
Truth is he knew exactly what it was because, unless I missed a millennia jump somewhere, quantum bit transfer through the air is still Sci-Fi.

My point is that we are seasoned, obviously, as we are reading this, and therefore what we consider informed. We are not, however, anything like the masses. Just ask your grandmother to change her password to a 16-character complex one, or to explain her backup strategy to you, and she will as likely punch you in the mouth as be able to give you any answer --- EVER.

I think that we take too much credit at times for being educated and not enough credit for educating, correctly. I like the MIT version of the top ten, but remember that MIT is for REALLY smart people, and if you tell end-users to go to an MIT site and do anything there, their eyes will haze over faster than an absinthe-induced drunken stupor.

So, what is your point, you are asking??? We as professional IT engineers, admins, guru spectral phenoms are still a rare breed that, more often than not, haven't the ability to talk to users in a language they understand.

We need to come up with language and education practices that meet their level of competency and then dumb it up a little more. Secondly, we need to learn, fluently, that language. We need to remember that docking clerks, administrative assistants, Tier one help desk, janitorial services, volunteers, and anyone that has graduated recently from college with a degree in computer sciences that never logged into any *nix flavour or managed anything larger than their own dorm-room NETWORK are still only 30% of the 99% of corporate Users we will have to run across and assist.

Each day gives us an opportunity to grow as professionals. If we do not enable our User base with the right education, we secure our future as hair on fire, the whole damn network is down, why the hell did this happen to our mid-level America corporation that no one gives a shite about in Brazil (good point to point out for Sony PS users too). Well, Mr. CEO of midlevel America Corporation, sir, you cannot click on the hyperlink in the email telling you your corporate banking card password is bunk and we need you to tell us all about yourself and your network so we can verify you are who you think you are telling us you are, emails. I thought I made that clear last week. Oh, ok, so maybe I didn't.

End Rant.................
AAInfoSec
5 Posts
Spelling mistakes are intentional :)
AAInfoSec
5 Posts
Since I am at the end of my day and this has become a great topic in my IT office, I thought I would add this last observation.

We just received an email from our Director of Software Development. The screenshot is the MS Run Advertised Programs window, and his question is "Should I run this? The window just popped up on my desktop."

Well there you go. Highly educated yet still the question remains.
At least he asked. Right???

Remember, before giving someone enough rope to hang themselves, be sure they do not have a roll of duct tape.
AAInfoSec
5 Posts
I emailed Alex and Chris earlier pretty much a novel on how I do awareness. It addresses the point Stryker is making about us needing to talk a language "they" understand. My method has proven, tangible results. Alex reached back out to me after my first email wanting more details on what I do, and I just wrote another novel back. I'd love the chance to show others, just reach out to me at nduda78 at gmail.

As I mentioned to them, we need to lose the word "training" at the end of "Security awareness" because it is something that you can't train someone on. They need to adopt it as a lifestyle. It's a tough battle we face with the digital immigrants :)
Anonymous
Nick, I am glad to hear you also see the need for a lifestyle change and not more training. I remember going to work for McDonnell Douglas when I was 18 building wiring harnesses for the Apache helicopter and the C-5 Stratofortress. Before we were even allowed to do anything there was a two-week class to teach us how to strip and crimp a wire (simplified). After that I went into the Army. Before I was allowed to be a soldier, I went through 26 weeks of vigorous training, just to be an infantryman. The "bullet catchers" as we were called. I went on to Airborne and Ranger training. After my first year in the ARMY, I had yet to be at my permanent duty station and ready for combat. We endured weekly emphasis exercises to hone those skills, and then when duty called, we went into action.

My point is that if a mentality shift, paradigm shift, or just a plain "No-Shite" shift in the approach to what the corporate world does to ensure the major portion of their workforce has the knowledge is ever to take place, some sort of pre-employment and then yearly re-certification (this happens in many of the DoD organizations I work with now) can have major and positive advances into how we as people start looking at what we do and how it impacts the overall organization. Create a two-day seminar, unpaid and mandatory, like background and urine tests, that takes the prospects through the designed daily exercises, pitfalls of lax attention to detail, and steps to take in the event of a cock-up.

I created a call-center training program for a company in the cable internet business in 1999-2000. I called it the "Grandma approach" to customer service. I also worked with the network team to create what I still consider the best Tier 1 support package in the industry. Give them ALL of the tools to do their job and empower them to ask, input and then do the job. I also implemented this pre-employment seminar for them. They are still one of my most valued clients and one of the happiest Call Center NOC elements in the world.

My point, and I believe Nick has it as well, is that when you make people engage in their own success, they succeed. When you give them easily understood tools that are not only good for the company but are transparently transferable into their own personal lives, they accept it as a free gift from you. When you let them engage you at their level, and you interact in return at their level, they are grateful and feel valuable. We have an opportunity and I think an obligation to make our world a better place. How we approach that is as vital as the end result we are talking about and in the business to do. I want my children, grandchildren, and their children and grandchildren to live in a safer and more life-giving world. What we see today scares the crap out of them, and that makes me more and more focused on doing whatever it takes.

What can one do to make the world a better place? What can one Engineer do to make the workplace a better place? Take one step closer to someone that needs our assistance and see how fast it starts to change.
Anonymous