
Page 1: Human Risk in Information Security - AITRI (aitri.org/2017aitri/docs/Session2.pdf)

www.cyberintelligence.my

Human Risk in Information Security
AITRI Seminar on New Technology Risk and Cyber Security

Raj Kumar ([email protected]), Principal Security Consultant

Page 2:

Threat Landscape

Page 3:

Threat landscape

More than 91% of all phishing attacks in 2016 targeted five industries:

• Financial institutions
• Cloud storage/file hosting services
• Webmail/online services
• Payment services
• Ecommerce companies

The total number of phishing attacks increased for each of these five industries by an average of 33%. – PhishLabs, 2017

Page 4:

Threat Landscape

Source: APWG 2015-16 Quarterly Report

Page 5:

Security Practice

Page 6:

• Is your security awareness program effective in training end-users?
• Do your end-users fall for phishing messages?
• Are your email and spam filters failing to block phishing messages?
• How vulnerable are your end-users against phishing attacks?

Page 7:

Phishing Attacks Are On The Rise Because They Work

[Chart: Phishing Threat Actions per year, 2009 to 2013, with a power trend line; vertical axis 0 to 250]

Page 8:

What Makes Phishing Work?

• Phishing uses tactics that motivate a response: greed, fear, ambition, curiosity
• Sometimes simple is dangerous: shipping notifications, funny pictures
• Employees don't really know better
• Deception is key: look-alike URLs, obfuscated file attachment names
• Includes a "call to action" (e.g. "Open this now!", "Click here now!")
• Employees are conditioned to both trust email and be responsive
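The "deception is key" point above, turned into code as an added example that is not part of the deck: heuristic checks for look-alike URLs (homoglyph labels such as paypa1, brand names buried in a subdomain or path, userinfo before the real host, raw IP hosts, punycode labels, brand label on the wrong TLD) and for obfuscated attachment names (double extensions, whitespace padding, right-to-left override characters). The brand list, the homoglyph table, the banding of edit-distance tolerance, and every sample URL and file name are constructed for illustration; yourtrustedbank.com is a hypothetical domain standing in for the deck's "YOUR TRUSTED BANK".

```python
import re
from urllib.parse import urlsplit

# Constructed list of domains the organisation's users legitimately deal with
# (a real deployment would load this from the mail gateway's allow-list).
KNOWN_DOMAINS = {"paypal.com", "microsoft.com", "dhl.com", "yourtrustedbank.com"}

# Visual substitutions commonly used in look-alike registrations.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

# Extensions that run code when double-clicked, and the document/image
# extensions a double-extension name tries to hide behind.
EXECUTABLE_EXTS = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta", "lnk", "jar", "ps1", "msi", "com", "pif"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt", "zip"}


def fold_homoglyphs(label):
    """Map look-alike characters onto the letters they imitate (paypa1 -> paypal)."""
    out = label.lower()
    for fake, real in HOMOGLYPHS.items():
        out = out.replace(fake, real)
    return out


def edit_distance(a, b):
    """Levenshtein distance; labels are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Last two labels of the host. Adequate for the constructed brand list above;
    production code should consult the Public Suffix List (co.uk, com.my, ...)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def url_findings(url):
    """Return human-readable reasons a URL looks deceptive (empty list = nothing found)."""
    findings = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    netloc = parts.netloc.lower()
    is_ip = re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None
    if parts.username is not None:          # http://yourtrustedbank.com@evil.example/
        findings.append("userinfo before host")
    if is_ip:
        findings.append("raw IP address as host")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (IDN) label in host")
    reg = host if is_ip else registered_domain(host)
    if reg in KNOWN_DOMAINS:
        return findings                     # genuinely on a known domain
    reg_label = reg.split(".")[0]
    for brand in sorted(KNOWN_DOMAINS):
        brand_label = brand.split(".")[0]
        # Assumed tolerance: short brand labels (dhl) allow one edit, longer ones two.
        tolerance = 1 if len(brand_label) < 6 else 2
        if reg_label == brand_label:
            findings.append(f"'{brand_label}' on unexpected domain {reg}")
        elif fold_homoglyphs(reg_label) == brand_label or edit_distance(reg_label, brand_label) <= tolerance:
            findings.append(f"look-alike of {brand}: {reg}")
        elif brand_label in netloc or brand_label in parts.path.lower():
            findings.append(f"mentions '{brand_label}' but registered domain is {reg}")
    return findings


def attachment_findings(name):
    """Return reasons an attachment file name looks obfuscated (empty list = nothing found)."""
    findings = []
    if "\u202e" in name or "\u202d" in name:   # right-to-left override: photo<RLO>gnp.exe renders as photoexe.png
        findings.append("bidirectional override character in name")
    if re.search(r"\s{3,}\.", name):           # "photo.jpg          .scr" pushes the real extension out of view
        findings.append("whitespace padding before extension")
    exts = [p.strip() for p in name.lower().strip().split(".")[1:]]
    if exts and exts[-1] in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{exts[-1]}")
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            findings.append(f"double extension disguises .{exts[-1]} as .{exts[-2]}")
    return findings


if __name__ == "__main__":
    # Constructed samples, including a lure built on the deck's "trusted bank".
    for sample in ["https://www.paypal.com/signin", "http://paypa1.com/login",
                   "http://paypal.com.secure-login.example/update",
                   "http://yourtrustedbank.com@198.51.100.7/reset"]:
        print(sample, "->", url_findings(sample) or "ok")
    for sample in ["report.pdf", "invoice.pdf.exe", "photo\u202egnp.exe"]:
        print(repr(sample), "->", attachment_findings(sample) or "ok")
```

The checks are deliberately cheap string heuristics of the kind a mail gateway or a "report phishing" button's triage script can run on every message; they flag, they do not prove, so a finding should route the message to a human or a sandbox rather than auto-delete it.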

Page 9:

People – the weakest link

• Lack of simulated-attack training programs that reflect real-world conditions
• Lack of solutions that actually change cyber security behaviour
• Lack of affordable and simplified infosec risk management solutions
• Lack of highly trained and skilled cyber defenders

Page 10:

Awareness vs Behaviour

Page 11:

Problem Statement

Awareness – something I know
Behaviour (Competence) – something I do
Culture – we know and we practice

How do I protect information and assets?
Do I click the link in my email? Feeling suspicious…
Should I install this free software?
What is ransomware?

Page 12:

What is Human Behaviour in Information Security?

Reduce the number of employee incidents:
• Malware
• Social engineering attacks
• Phishing emails
• Reporting attacks / potential anomalies
• Tailgating
• Handling sensitive data
• Safe social networking
• Personal and data privacy
• Safe browsing practices
• Portable devices
• Locking screens

Page 13:

How to measure awareness?

• Number of people who fall victim to a phishing attack
• Number of people who detect and report a phishing attack
• Number of infected computers
• Number of employees who understand and follow security policies, processes and standards
• Results of quizzes and assessments

Page 14:

Expected Security Practices (ESP)

Page 15:

It's not stupid users!

• Security professionals are busy with technical issues and policies.
• Users are busy with what they are hired to do.
• Users are not sure if they are a victim of cyber crime.
• Users are not sure who to report to.
• Users don't see the reward.
• Users usually don't fall victim.
• "It's an IT problem."
• Management is not bothered; it is not seen as a business problem.

Page 16:

Security Awareness is about creating a security culture…

• Heard it many times? …but
• It's more about getting people to understand (awareness) and carry out secure practices (behaviour)
• Security awareness is there to strengthen security culture
• It must instill common knowledge and basic actions

Page 17:

Why Security Awareness?

• Human Factor

• Technology can only do so much

• Completes the maturity of a security program

• Cost effective solution

• Required by standards and regulation

Page 18:

Problems with Security Awareness Programmes

• Check-box compliance requirements

• Varying content and quality

• 3-year cycle

• Poor security culture

• No support from management, department or users

• Not a job requirement

• People come and go

• People don’t take it seriously

• Lack of funds

Page 19:

Analyze this…

"It's our 10th anniversary & the wife is so happy with the diamond ring #habib #anniversary #ilovemywife"

Page 20:

Analyze this…

Are you aware of your surroundings when accessing company sensitive information?

Page 21:

Analyze this…

How many passwords can you remember?

Page 22:

Analyze this…

Do you know where your documents are?

Page 23:

Analyze this…

Shred all papers that contain sensitive information before disposing

Page 24:

Analyze this…

Hi,

I run a Windows 2008 Server, Service Pack 1.0, with MS SQL 2008 for my external web apps. I am having a problem with …… and I have installed patch 1.2.3. Can someone help me?

Andy Jones
Sys Admin
ACME Inc.

Page 25:

Behavioral Factors

Poor security behaviour stems from:
• Lack of awareness
• Inconvenience
• Obedience / fear
• Curiosity
• Self-preservation
• Carelessness / poor attitude
• Poor infrastructure

Page 26:

Listen to the HR Manager

"We use a spreadsheet to process salaries and it is password protected. If this password is not shared no one will get the salaries, including the CEO."

Page 27:

An IT Admin Answering the Manager's Call

Manager: "Excellent job on the system integration. Can I have the admin login to verify certain things myself…"

Subordinate: "Sure, the login credentials are…"

Page 28:

Email from Bank

Dear Valued Customer,

We believe that someone was trying to access your online banking account without authorization.

Please click here to reset your password.

Thank you,
YOUR TRUSTED BANK

Oh no! I need to quickly click on the link to prevent my money from being stolen!

Page 29:

What can your staff give away?

• The secret recipe
• What is my annual revenue forecast?
• Who is my raw materials supplier? Supplier A: at what price? Supplier B: at what price?
• Where am I opening my next shop?
• What are my costs to deliver the best nasi lemak in town?

Page 30:

How to Make End-Users Like & Follow Information Security: 10 Quick Tips

Page 31:

1. Move from "Attendance" to "Participation"

Attendance is just a number. Participation is involvement.

Are you doing an awareness program to satisfy the auditor or to tick a check-box?

Page 32:

2. Aim for "Sensitization" not "Memorization"

"It's your responsibility to read the policies" vs. "It's OK if you get the SENSE and INTENT of IT security"

You can't expect someone to know how an engine works in order to pass a driving test.

Page 33:

3. Understand How People Make Security Decisions

Of these two, which terrifies you the most? Obesity kills more people than sharks.

What appears harmless may be more harmful… think phishing.

Page 34:

4. Engage the Audience, Visualize the Risks

The end-user is not a security expert. Engage them, visualize the risks for them.

"A picture is worth a thousand words" (or) a poster has more impact than a security policy.

Page 35:

5. Go Beyond Awareness

Awareness → Behaviour → Culture

Goal: a Responsible Information Security Culture

When the majority of the workforce handles information responsibly, you can say that you have a "Responsible Information Security Culture".

Page 36:

6. A Little Bit of Fun is OK

Security is so much jargon… lighten it a bit.

What the heart accepts, the mind understands and the hands implement… If you can get the end-user to smile, you have won their heart…

Page 37:

7. Think Drip Irrigation: Small Doses, but More Frequent

…keeps your workforce security-healthy.

Spread your security awareness program around the year… 10 minutes a month is 120 minutes of security awareness sessions a year…

Page 38:

8. Target the Workforce, not just the Employees

Who has access to information assets? Employees, freelancers, contractors, guards….

Are your security guard and janitor part of the security awareness program?

Page 39:

9. Measure… Manage… Improve…

What you cannot measure, you cannot manage… What you cannot manage, you cannot improve…

Assess "Awareness" and "Behaviour" independently.

[Gauge: Awareness score is 87% (scale: LOW / MEDIUM / HIGH AWARENESS)]
[Gauge: Competence score is 65% (scale: LOW / MEDIUM / HIGH COMPETENCE)]
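The metrics from "How to measure awareness?" (page 13) and the independent awareness and competence scores of tip 9, worked through on a constructed campaign log as an added example that is not part of the deck. The event log, the quiz results and the LOW/MEDIUM/HIGH band thresholds are all assumptions made for illustration; the scores produced (87% awareness, 60% competence) come from that constructed data, not from the deck's gauges.

```python
from datetime import datetime
from statistics import median

# Constructed event log from one simulated phishing campaign:
# (user, event, ISO timestamp). Every targeted user has a "sent" event; the
# other events record the first time that user clicked the link, submitted
# credentials on the landing page, or reported the message to security.
EVENTS = [
    ("alice", "sent", "2017-03-01T09:00:00"),
    ("bob", "sent", "2017-03-01T09:00:00"),
    ("carol", "sent", "2017-03-01T09:00:00"),
    ("dave", "sent", "2017-03-01T09:00:00"),
    ("erin", "sent", "2017-03-01T09:00:00"),
    ("bob", "clicked", "2017-03-01T09:04:00"),
    ("carol", "reported", "2017-03-01T09:07:00"),
    ("dave", "clicked", "2017-03-01T09:10:00"),
    ("dave", "submitted", "2017-03-01T09:11:00"),
    ("dave", "reported", "2017-03-01T09:30:00"),
    ("erin", "reported", "2017-03-01T10:00:00"),
]

# Constructed quiz results (percent) for the same users: what they *know*.
QUIZ = {"alice": 90, "bob": 95, "carol": 80, "dave": 100, "erin": 70}

# Assumed banding thresholds for the LOW / MEDIUM / HIGH gauges.
BANDS = ((80, "HIGH"), (50, "MEDIUM"), (0, "LOW"))


def events_by_user(events):
    """Group the log into {user: {event: first timestamp}}."""
    by_user = {}
    for user, event, ts in events:
        by_user.setdefault(user, {}).setdefault(event, datetime.fromisoformat(ts))
    return by_user


def campaign_metrics(events):
    """Behavioural numbers from the simulation: what people actually *did*."""
    users = events_by_user(events)
    targeted = [u for u, ev in users.items() if "sent" in ev]
    clicked = [u for u in targeted if "clicked" in users[u]]
    submitted = [u for u in targeted if "submitted" in users[u]]
    reported = [u for u in targeted if "reported" in users[u]]
    safe_reporters = [u for u in reported if u not in clicked]
    minutes_to_report = [
        (users[u]["reported"] - users[u]["sent"]).total_seconds() / 60 for u in reported
    ]
    n = len(targeted)
    return {
        "targeted": n,
        "clicked": len(clicked),
        "click_rate": len(clicked) / n,
        "submit_rate": len(submitted) / n,
        "report_rate": len(reported) / n,
        "reported_without_clicking": len(safe_reporters),
        # Reports per click: above 1.0 means reporters outnumber clickers,
        # so the security team hears about a campaign faster than it spreads.
        "report_to_click_ratio": len(reported) / len(clicked) if clicked else float("inf"),
        "median_minutes_to_report": median(minutes_to_report) if minutes_to_report else None,
    }


def awareness_score(quiz):
    """Mean quiz result in percent: the 'something I know' axis."""
    return round(sum(quiz.values()) / len(quiz), 1)


def competence_score(metrics):
    """Share of targeted users who did not click, in percent: the 'something I do' axis."""
    n = metrics["targeted"]
    return round(100 * (n - metrics["clicked"]) / n, 1)


def band(score):
    """Place a percentage score on the LOW / MEDIUM / HIGH gauge."""
    for floor, label in BANDS:
        if score >= floor:
            return label


def knowing_but_clicking(events, quiz, threshold=80):
    """Users who passed the quiz yet clicked: the awareness/behaviour gap, by name."""
    users = events_by_user(events)
    return sorted(u for u in quiz if quiz[u] >= threshold and "clicked" in users.get(u, {}))


if __name__ == "__main__":
    m = campaign_metrics(EVENTS)
    a, c = awareness_score(QUIZ), competence_score(m)
    print(f"click rate {m['click_rate']:.0%}, report rate {m['report_rate']:.0%}, "
          f"median minutes to first report {m['median_minutes_to_report']}")
    print(f"awareness {a}% ({band(a)}), competence {c}% ({band(c)})")
    print("passed the quiz but clicked:", knowing_but_clicking(EVENTS, QUIZ))
```

Two things this makes visible that a single "awareness score" hides: the users with the best quiz marks are the ones who clicked, and the report-to-click ratio (1.5 here) tells the security team whether the reporting channel of page 13 is actually beating the attacker, which a click rate alone cannot.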

Page 40:

10. Stop Instructing, Start Dialogues

Instruction is always one-way. Dialogues are two-way…

When you have dialogues, it shows that you are listening to the end-user. That shows RESPECT… and you will receive it back.

Page 41:

Page 42:

"An Information Security Awareness Program is not about just educating your workforce & checking a compliance tickbox afterwards, but rather about making your people participate wholeheartedly in Information Security Management"

Sivanathan Subramaniam
Founder & CEO of Cyber Intelligence Sdn Bhd

Page 43:

Cyber Intelligence Sdn. Bhd.
C-1-2A, SME2 Cyberjaya, 2260 Jalan Usahawan 1, 63000 Cyberjaya, Selangor, Malaysia.

[email protected]
+603 8322 4622
cyberintelligence @my_CISB