www.cyberintelligence.my
Human Risk in Information Security
AITRI Seminar on New Technology Risk and Cyber Security
Raj Kumar ([email protected])
Principal Security Consultant
Threat Landscape
More than 91% of all phishing attacks in 2016 targeted five industries:
• Financial institutions
• Cloud storage/file hosting services
• Webmail/online services
• Payment services
• E-commerce companies
The total number of phishing attacks increased for each of these five industries by an average of 33%. – PhishLabs, 2017
Threat Landscape (chart; source: APWG 2015-16 Quarterly Report)
Security Practice
Is your security awareness program effective in training end-users?
Do your end-users fall for phishing messages?
Are your email and spam filters failing to block phishing messages?
How vulnerable are your end-users against phishing attacks?
Phishing Attacks Are On The Rise Because They Work
[Chart: phishing threat actions per year, 2009 to 2013; y-axis 0 to 250. Values are not recoverable from the transcript.]
What Makes Phishing Work?
• Phishing uses tactics that motivate a response - greed, fear, ambition, curiosity
• Sometimes simple is dangerous - shipping notifications, funny pictures
• Employees don’t really know better
• Deception is key - look-alike URLs, obfuscated file attachment names
• Includes a “call to action” (e.g. “Open this now!”, “Click here now!”)
• Employees are conditioned to both trust email and be responsive
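The deception tactics listed above (look-alike URLs, link text that disagrees with its target, obfuscated attachment names, a call to action) can all be checked mechanically before a message reaches a user. The script below is an added example written for this page; it is not code from the original deck or from Cyber Intelligence. The trusted-domain list, the confusable-character table, the urgency phrases, the extension list and the sample message (modelled on the “Email from Bank” slide later in the deck) are all constructed assumptions, and the registrable-domain helper is deliberately crude.

```python
import difflib
import re
from dataclasses import dataclass

# Assumed configuration for this example: domains the organisation really
# receives mail from. A deployment would load these from config.
TRUSTED_DOMAINS = {"yourtrustedbank.com"}

# Substitutions commonly used to build look-alike domains (assumed table):
# digit zero for o, one for l, "rn" for m, "vv" for w, "cl" for d.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "cl": "d"}

# "Call to action" phrases from the deck plus a few common ones (assumed list).
URGENCY_PHRASES = ("click here now", "open this now", "immediately",
                   "without authorization", "account will be suspended")

DANGEROUS_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta", "lnk", "jar", "ps1"}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://([^/\s"\'<>]+)', re.I)


@dataclass
class Finding:
    kind: str
    detail: str


def normalise(label):
    """Fold confusable substitutions so 'y0urbank' or 'rnicrosoft' compares equal to the brand."""
    out = label.lower()
    for fake, real in CONFUSABLES.items():
        out = out.replace(fake, real)
    return out


def registrable(host):
    """Crude registrable domain: the last two labels. Real code would use the public suffix list."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_domain(host):
    """Flag hosts that imitate a trusted domain."""
    findings = []
    if "@" in host:  # https://trusted.com@evil.example/ actually goes to evil.example
        findings.append(Finding("userinfo_in_url", host))
        host = host.split("@")[-1]
    host = host.split(":")[0].lower()  # drop any port
    if "xn--" in host:  # IDN/punycode label: may render as a homograph of the brand
        findings.append(Finding("punycode", host))
    rd = registrable(host)
    if rd in TRUSTED_DOMAINS:
        return findings
    label = rd.split(".")[0]
    for brand in TRUSTED_DOMAINS:
        brand_label = brand.split(".")[0]
        if normalise(label) == normalise(brand_label):
            findings.append(Finding("confusable_domain", f"{host} resembles {brand}"))
        elif difflib.SequenceMatcher(None, label, brand_label).ratio() >= 0.8:
            findings.append(Finding("lookalike_domain", f"{host} is close to {brand}"))
        elif brand_label in host.split(".")[:-2]:
            findings.append(Finding("brand_subdomain", f"{host} hides '{brand_label}' in a subdomain"))
    return findings


def check_attachment(name):
    """Flag obfuscated or executable attachment names."""
    findings = []
    if "\u202e" in name:  # right-to-left override reverses the displayed tail of the name
        findings.append(Finding("rtlo_filename", repr(name)))
    parts = name.lower().split(".")
    if parts[-1] in DANGEROUS_EXTENSIONS:
        kind = "double_extension" if len(parts) >= 3 else "executable_attachment"
        findings.append(Finding(kind, name))
    return findings


def check_body(html):
    """Flag link text that disagrees with its target, look-alike hosts and urgency language."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        href_host, text_host = URL_RE.match(href), URL_RE.search(text)
        if href_host and text_host and registrable(href_host.group(1)) != registrable(text_host.group(1)):
            findings.append(Finding("link_text_mismatch",
                                    f"shows {text_host.group(1)}, goes to {href_host.group(1)}"))
    for host in sorted(set(URL_RE.findall(html))):
        findings.extend(check_domain(host))
    lowered = html.lower()
    findings.extend(Finding("urgency", p) for p in URGENCY_PHRASES if p in lowered)
    return findings


def triage(html, attachments):
    """All findings for one message; an empty list means nothing suspicious was seen."""
    findings = check_body(html)
    for name in attachments:
        findings.extend(check_attachment(name))
    return findings


# Constructed sample message, modelled on the "Email from Bank" slide.
SAMPLE_HTML = """<p>Dear Valued Customer,</p>
<p>We believe that someone was trying to access your online banking account
without authorization.</p>
<p>Please <a href="https://yourtrustedbank-secure.com/reset">click here now</a> to reset your password.</p>
<p>Or sign in at <a href="https://login.y0urtrustedbank.com/">https://www.yourtrustedbank.com/</a></p>
<p>Thank you, YOUR TRUSTED BANK</p>"""
SAMPLE_ATTACHMENTS = ["Statement_March.pdf.exe", "terms.pdf"]

if __name__ == "__main__":
    for f in triage(SAMPLE_HTML, SAMPLE_ATTACHMENTS):
        print(f"{f.kind:22} {f.detail}")
```

Run against the sample, the checks report the mismatched link text, the hyphenated look-alike domain, the zero-for-o confusable, the two urgency phrases and the double extension; the genuine `www.yourtrustedbank.com` link produces nothing. These are the same cues the deck asks users to notice by eye, which is why they make good material for a simulated-phishing exercise as well as for a mail filter.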
• Lack of real-world-condition, simulated-attack-based training programs
• Lack of cyber security behaviour-changing solutions
• Lack of affordable and simplified infosec risk management solutions
• Lack of highly trained and skilled cyber defenders
People – the weakest link
Awareness vs Behaviour
Problem Statement
Awareness – Something I know
Behaviour (Competence) – Something I do
Culture – We know and we practice
How do I protect information and assets?
Do I click the link in my email? Feeling suspicious…
Should I install this free software?
What is ransomware?
What is Human Behaviour in Information Security?
• Reduce the number of employee incidents: malware, social engineering attacks, phishing emails
• Report attacks / potential anomalies
• Tailgating
• Handling sensitive data
• Safe social networking
• Personal and data privacy
• Safe browsing practices
• Portable devices
• Locking screens
How to measure awareness ?
• Number of people who fall victim to a phishing attack
• Number of people who detect and report a phishing attack
• Number of infected computers
• Number of employees who understand and follow security policies, processes and standards
• Results of quizzes and assessments
Expected Security Practices (ESP)
It’s not stupid users!
• Security professionals are busy with technical issues and policies.
• Users are busy with what they are hired to do.
• Users are not sure if they are a victim of cyber crime.
• Users are not sure who to report to.
• Users don’t see the reward.
• Users usually don’t fall victim.
• “It’s an IT problem.”
• Management is not bothered; it is not seen as a business problem.
Security Awareness is about creating a security culture…
• Heard it many times?…but
• It’s more about getting people to understand (awareness) and carry out secure practices (behaviour)
• Security awareness strengthens security culture
• It must instill common knowledge and base actions
Why Security Awareness?
• Human Factor
• Technology can only do so much
• Completes the maturity of a security program
• Cost effective solution
• Required by standards and regulation
Problems with Security Awareness Programmes
• Check-box compliance requirements
• Varying content and quality
• 3-year cycle
• Poor security culture
• No support from management, department or users
• Not a job requirement
• People come and go
• People don’t take it seriously
• Lack of funds
Analyze this…
“It’s our 10th anniversary & the wife is so happy with the diamond ring #habib #anniversary #ilovemywife”
Analyze this…
Are you aware of your surroundings when accessing company-sensitive information?
Analyze this…
How many passwords can you remember?
Analyze this…
Do you know where your documents are?
Analyze this…
Shred all papers that contain sensitive information before disposing
Analyze this…
Hi,
I run a Windows 2008 Server, Service Pack 1.0, with MS SQL 2008 for my external web apps. I am having a problem with …… and I have installed patch 1.2.3. Can someone help me?
Andy Jones
Sys Admin
ACME Inc.
Behavioral Factors
Poor security behaviour is driven by:
• Lack of awareness
• Inconvenience
• Obedience / fear
• Curiosity
• Self-preservation
• Carelessness / poor attitude
• Poor infrastructure
Listen to the HR Manager
“We use a spreadsheet to process salaries and it is password protected. If this password is not shared, no one will get the salaries, including the CEO.”
An IT Admin Answering the Manager’s Call
Manager: “Excellent job on the system integration. Can I have the admin login to verify certain things myself…”
Subordinate (IT Admin): “Sure, the login credentials are…”
Email from Bank
Dear Valued Customer,
We believe that someone was trying to access your online banking account without authorization.
Please click here to reset your password.
Thank you,
YOUR TRUSTED BANK
Recipient’s reaction: “Oh no! I need to quickly click on the link to prevent my money from being stolen!”
What can your staff give away?
• The secret recipe
• What is my annual revenue forecast?
• Who is my raw materials supplier? Supplier A: at what price? Supplier B: at what price?
• Where am I opening my next shop?
• What are my costs to deliver the best nasi lemak in town?
How to Make End-Users Like & Follow
Information Security
10 Quick Tips
1. Move from “Attendance” to “Participation”
Attendance is just a number. Participation is “Involvement”.
Are you doing an awareness program to satisfy the auditor or to tick a check-box?
2. Aim for “Sensitization” not “Memorization”
“It’s your responsibility to read the policies”
vs.
“It’s OK if you get the SENSE and INTENT of IT Security”
You can’t expect someone to know how an engine works to pass a driving licence test.
3. Understand How People Make Security Decisions
Of these two, which terrifies you the most? Obesity kills more people than sharks.
What appears harmless may be more harmful… think phishing.
4. Engage the Audience, Visualize the Risks
The end-user is not a security expert. Engage them; visualize the risks for them.
“A picture is worth a thousand words”, or: a poster has more impact than a security policy.
5. Go Beyond Awareness
Awareness -> Behaviour -> Culture
Goal: a Responsible Information Security Culture. When the majority of the workforce handles information responsibly, you can say that you have a “Responsible Information Security Culture”.
6. A Little Bit of Fun is OK
Security is so much jargon… lighten it a bit.
What the heart accepts, the mind understands and the hands implement… If you can get the end-user to smile, you have won their heart.
7. Think Drip Irrigation
Small doses, but more frequent… keeps your workforce security-healthy.
Spread your security awareness program around the year: 10 minutes a month is 120 minutes of security awareness a year.
8. Target the Workforce, not just the Employees
Who has access to information assets? Employees, freelancers, contractors, guards…
Are your security guards and janitors part of the security awareness program?
9. Measure… Manage… Improve…
What you cannot measure, you cannot manage; what you cannot manage, you cannot improve.
Assess “Awareness” and “Behaviour” independently, each on its own LOW / MEDIUM / HIGH scale. Example from the slide: awareness score 87%, competence score 65%. A high awareness score does not by itself tell you how people act.
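The measures listed under “How to measure awareness?” (victims, reporters, quiz results) and tip 9’s separate awareness and competence scores can be computed from two data sources the organisation already has: the event log of a phishing simulation and the results of the awareness quiz. The script below is an added example for this page, not code from the deck or from Cyber Intelligence. The event log, the quiz scores, the competence rubric (reported without handing over credentials = 1.0, ignored = 0.5, clicked or submitted without reporting = 0) and the LOW/MEDIUM/HIGH thresholds (50 and 80) are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, median

# Constructed sample data for this example (not real campaign results).
# One phishing simulation: (user, event, ISO timestamp). Only the first
# occurrence of each event per user is used.
SIM_EVENTS = [
    ("alice", "sent", "2017-05-02T09:00:00"),
    ("alice", "reported", "2017-05-02T09:07:00"),   # reported without clicking
    ("bob", "sent", "2017-05-02T09:00:00"),
    ("bob", "clicked", "2017-05-02T09:02:00"),
    ("bob", "submitted", "2017-05-02T09:03:00"),    # entered credentials on the landing page
    ("carol", "sent", "2017-05-02T09:00:00"),
    ("carol", "clicked", "2017-05-02T09:03:00"),
    ("carol", "reported", "2017-05-02T09:10:00"),   # clicked, then reported it
    ("dave", "sent", "2017-05-02T09:00:00"),        # ignored the mail
    ("erin", "sent", "2017-05-02T09:00:00"),
    ("erin", "clicked", "2017-05-02T09:15:00"),     # clicked, never reported
]

# Constructed awareness-quiz results (0-100) for the same users.
QUIZ_SCORES = {"alice": 95, "bob": 90, "carol": 85, "dave": 80, "erin": 85}


def first_events(events):
    """Map user -> {event: datetime of its first occurrence}."""
    per_user = defaultdict(dict)
    for user, event, ts in events:
        per_user[user].setdefault(event, datetime.fromisoformat(ts))
    return per_user


def campaign_metrics(events):
    """Behavioural metrics from the deck: who fell for it, who reported it, and how fast."""
    per_user = first_events(events)
    targeted = [u for u, ev in per_user.items() if "sent" in ev]
    clicked = [u for u in targeted if "clicked" in per_user[u]]
    submitted = [u for u in targeted if "submitted" in per_user[u]]
    reported = [u for u in targeted if "reported" in per_user[u]]
    delays = [(per_user[u]["reported"] - per_user[u]["sent"]).total_seconds() / 60
              for u in reported]
    return {
        "targeted": len(targeted),
        "click_rate": len(clicked) / len(targeted),
        "submit_rate": len(submitted) / len(targeted),
        "report_rate": len(reported) / len(targeted),
        "median_minutes_to_report": median(delays) if delays else None,
    }


def competence_points(ev):
    """Assumed rubric (not from the deck). Reporting after a click still counts:
    the report is what lets the SOC contain the incident."""
    if "reported" in ev and "submitted" not in ev:
        return 1.0
    if "clicked" not in ev and "submitted" not in ev:
        return 0.5  # ignored it: safe, but no detection
    return 0.0


def level(score):
    """Assumed thresholds: below 50 LOW, 50 to 79 MEDIUM, 80 and above HIGH."""
    if score < 50:
        return "LOW"
    if score < 80:
        return "MEDIUM"
    return "HIGH"


def assessment(events, quiz_scores):
    """Score awareness (quiz) and competence (simulation) separately, as tip 9 asks."""
    per_user = first_events(events)
    targeted = [u for u, ev in per_user.items() if "sent" in ev]
    awareness = mean(quiz_scores.get(u, 0) for u in targeted)  # untested user scores 0
    competence = 100 * mean(competence_points(per_user[u]) for u in targeted)
    return {
        "awareness_score": awareness,
        "competence_score": competence,
        "awareness_level": level(awareness),
        "competence_level": level(competence),
    }


if __name__ == "__main__":
    print(campaign_metrics(SIM_EVENTS))
    print(assessment(SIM_EVENTS, QUIZ_SCORES))
```

On the sample data every user scores 80 or more on the quiz (awareness 87%, HIGH) while only two of five handled the simulated mail well (competence 50%, MEDIUM), which is the gap tip 9 is warning about: the quiz measures what people know, the simulation measures what they do. Tracking the median time to first report is worth adding to the deck’s list, because that number is what bounds how long a real campaign runs before the SOC hears about it.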
10. Stop Instructing, Start Dialogues
Instruction is always one-way; dialogues are two-way.
When you have dialogues, it shows that you are listening to the end-user. That shows RESPECT… and you will receive it back.
“An Information Security Awareness Program is not about just educating your workforce & checking a compliance tickbox afterwards, but rather about making your people participate wholeheartedly in Information Security Management”
Sivanathan Subramaniam
Founder & CEO of Cyber Intelligence Sdn Bhd
Cyber Intelligence Sdn. Bhd.
C-1-2A, SME2 Cyberjaya, 2260 Jalan Usahawan 1, 63000 Cyberjaya, Selangor, Malaysia.
[email protected]
+603 8322 4622
cyberintelligence@my_CISB