What are the three major steps to designing an awareness and training program?

What Is a Security Awareness Program?

Bill Gardner, in Building an Information Security Awareness Program, 2014

Introduction

A security awareness program is a formal program with the goal of training users of the potential threats to an organization's information and how to avoid situations that might put the organization's data at risk.

The goals of the security awareness program are to lower the organization's attack surface, to empower users to take personal responsibility for protecting the organization's information, and to enforce the policies and procedures the organization has in place to protect its data. Policies and procedures might include but are not limited to computer use policies, Internet use policies, remote access policies, and other policies that aim to govern and protect the organization's data.

In information security, people are the weakest link. People want to be helpful. People want to do a good job. People want to give good customer service to their coworkers, clients, and vendors. People are curious. Social engineers seek to exploit these characteristics in humans. “Social Engineering is defined as the process of deceiving people into giving away access or confidential information” [1]. The only known defense for social engineering attacks is an effective security awareness program. Unless users understand the tactics and techniques of social engineers, they will fall prey and put the organization's data at risk.

A survey of recent breaches will reveal that a large majority of them took advantage of exploiting humans. One example is the RSA breach [2], where sophisticated attackers used targeted spear phishing to steal RSA SecurID authentication tokens, which led to a further breach at US defense contractor Lockheed Martin [3]. Another example is the “Aurora” attack against Google and other large software companies, which directed users to a website that infected them with a cutting-edge 0-day exploit. The result was that a large amount of intellectual property, including source code, was stolen from companies including Google and Adobe [4].

Nowadays, online bad guys don't try to break in through the firewall. Bad guys go around the firewall. Organizations have spent billions of dollars developing layered defenses against online attackers. There are solutions such as antivirus, intrusion detection systems, intrusion prevention systems, and other technical solutions to protect information. With these sophisticated solutions in place, attackers are now turning to more targeted attacks focused on tricking users into clicking links or opening attachments.

Dave Kennedy's Social-Engineer Toolkit does an excellent job of modeling social engineering attacks such as website, attachment, human interface device (HID), and QR attacks for defenders to use to test their own environments [5]. This might sound simplistic, but what would most users do if they received an attachment that appears to come from the HR department and appears to be a spreadsheet of raises for everyone in the organization (Figure 1.1)? Curiosity might not just kill the cat; it might also put your data at risk.

Figure 1.1. Social-Engineer Toolkit (SET).

While SET is a technical tool, its goal is to use nontechnical means to exploit humans, who in turn exploit computers, which leads to data compromise [6]. SET can easily clone a website to an attacker's machine, where exploits are then inserted into the website. At that point, the attacker will attempt to direct users to the cloned site. This might be accomplished by spear phishing, by sending the user a link disguised by a link-shortening service, or by buying a domain that looks legitimate to host the cloned site. Once the user is on the cloned site, the attacker can use a number of different attack vectors to steal information or install backdoors that allow the attacker to access the system as if they were a legitimate user. SET also has the ability to encode these attacks so they are not detected by antivirus and other software used to detect malware and intrusions. The credential harvester attack is accomplished through SET by cloning a site like Twitter, Facebook, or even a bank or credit card site with a username and password field. When the user attempts to log into the site, SET steals the username and password and logs the user into the legitimate website. We will discuss SET in more detail later in the book.

A security awareness program also is a building block of a mature security program. Policies and procedures are the first building blocks. The next layer is a security awareness program, also called user awareness training. Only when these two elements are in place do we then move to the next steps of patch management, log management, antivirus/HIDS, security appliances, and finally metrics. For years, organizations have thrown money at security, when that money would have been better spent training their users (Figure 1.2). The focus of this book is building a security awareness program step by step with the ultimate goal of building a mature security program.

Figure 1.2. Elements of a mature security program.

URL: https://www.sciencedirect.com/science/article/pii/B9780124199675000016

Countermeasures

Ira Winkler, Araceli Treu Gomes, in Advanced Persistent Security, 2017

Rewards/Gamification

A good security awareness program should provide incentives, a.k.a. rewards, to users exhibiting proper behaviors. We, however, want to specifically highlight rewards as something all organizations should consider. When an employee does something that saves the organization substantial resources, such as detecting and reporting a potential attack, the employee should be rewarded and his/her actions, including the reward, should be made known to all people within the organization. This not only highlights the importance of good security behaviors, but also encourages all people to perform similar actions.

Gamification is thoroughly covered in Chapter 11. Here, we want to stress that gamification is not creating a game for people to play, but a reward structure for performing the desired security behaviors. Although gamification programs are not appropriate for all organizations, it is a concept for security programs to consider.

URL: https://www.sciencedirect.com/science/article/pii/B9780128093160000105

Case Study: Cisco’s Award-Winning Awareness Program

Christopher Burgess, Richard Power, in Secrets Stolen, Fortunes Lost, 2008

Staying on Message

The Cisco security awareness program is still evolving. Its creators don’t claim it is the best. They point out that there are plenty of organizations out there that have been developing their programs for years.

Nevertheless, taking a look at the security awareness program developed by Cisco’s CSPO offers some invaluable insights, whether you have been tasked to launch a new effort or to reenergize an existing one.

On day one, the awareness component within CSPO had a zero budget; within three years it had $150,000 in annual funding.

It started off as a one-person operation. In year two, a project manager tasked to devote 50 percent of his workload to the program was added. In year three, a Web developer and a coordinator were allocated to the virtual team.

To develop the awareness program, Stewart brought in an “outsider” with strong communications skills yet no background in security. The choice reveals an understanding of the serious obstacles that confront any such awareness program in a sprawling, global technology company.

Winter offers some further elucidation:

“Before I began I had no idea what information security might mean. However, I did have 20 years’ experience in external communications, public relations, media relations, and analyst relations. While I had never done internal communications or internal awareness before, I said, ‘OK, it is a different animal, but if we use those same principles from external communications and PR and move them into internal communications, we can make something happen.’”

However, it is important to note that just as having world-class information security expertise and no communications and marketing skills is a weakness for many programs, the opposite imbalance is just as self-defeating: having world-class communications and marketing skills with insufficient attention to the relevance, authenticity, and credibility of the content also results in failure. The substantive input and review of subject matter experts is essential to developing powerful content. In assessing awareness and education programs throughout the world, we have seen both sorts of imbalance.

The Cisco CSPO videos proved successful because they had both vital elements: the sophisticated creative components (e.g., a strong script, professional actors, crisp editing) reflect the contribution of communications and marketing professionals, and the credible and compelling content reflects the input of information security subject matter experts.

Reputation and credibility are key ingredients––without them, people won’t listen.

The first six months of the effort to build a CSPO security awareness program focused on researching and understanding Cisco from the inside. There are many challenging complexities in a large-scale corporate environment. As in all corporations its size, there are different cultures within Cisco. There are different functional organizations with different agendas and different styles (e.g., Sales is completely different than Engineering). In most corporations, Sales and Engineering don’t necessarily communicate in the same manner. They have different mind-sets and, thus, have different touch points. And, of course, there are the corporate executives. They operate at a very different level. For them, everything is fast-paced. They need the facts distilled to the nitty-gritty. They need the facts immediately. They need the facts before you even talk to them.

Another challenge is that within a large corporation like Cisco, your audience is both static and dynamic: static in the sense that the bulk of the audience, engineers, and such have been around for some time; and dynamic in the sense that a large corporation like Cisco acquires new companies and people are going into divergent markets. Both the landscape and the headcount are constantly changing.

Researching Cisco from the inside meant a lot of engagement, and a lot of one-on-ones at all levels.

During this research, various functional groups and the key people inside those groups were identified. Those individuals who are influencers inside the group, the ones who could leverage CSPO’s communications message beyond or internally within their functional organization, also were identified.

During the first year, 50 different contacts throughout Cisco were established, including several on the Cisco Employee Connection team, an internal news portal for all Cisco employees formerly run by HR. These portals are theater specific: US/Canada, Asia-Pacific, Japan, Europe, Emerging Markets.

If you get a story or a video or some kind of communication piece placed there, it cascades to the other geographies, so your reach is greater.

By year three, the CSPO security awareness team had 160 contacts that could be called on within Cisco.

Taking advantage of internal corporate events is vital. What better way to reach all the executives? What better way to reach the global population? What better common denominator can you tap into? There were nine different, internal Cisco events CSPO could tap into. One of them was the Strategic Leadership Off-Site, which is a gathering of all the directors and higher positions within the company—about 2,000 executives of Cisco globally—and they attend the annual meeting. That’s where the CEO actually talks about the strategy, the vision, and the initiatives for the next full year, and unveils them.

Of course, CSPO is not the only group trying to impart vital training to the workforce. Unless these efforts are coordinated and complementary, inefficiencies abound and cross-purposes arise.

There are other groups within Cisco that have compliance training that is required, so Winters sits on the compliance training working group, along with representatives from Legal, Safety and Security, and so on. This effort is managed by the Ethics group. Its goal is to get a compliance training suite that actually is required for all employees to take, and to be a part of that offering. Otherwise, it is very hard to get your training program socialized. You are all targeting the same audience, the same people, and you are hitting them at various times of the year, and it is not fair to the employee. The hope is that one functional group (e.g., HR or Legal) could take the training suite and deliver it to the employees, and then the awareness group could focus on creating rich content.

URL: https://www.sciencedirect.com/science/article/pii/B9781597492553000071

Developing an Effective Security Awareness Program

Jack Wiles, in Techno Security's Guide to Securing SCADA, 2008

Summary

The subject of implementing an effective information security awareness program is something more than what can be included in a single chapter. The Internet affords us access to a lot of good information, and companies that can help you design and implement your program. Nothing, though, will do this better than your own spirit and desire to make such a program “world class.”

Specifically in reference to SCADAs, because that is what this book is primarily about, this chapter on awareness would not have been included if the lead author and publisher did not feel it was an appropriate and important topic to discuss. Awareness is communications. Awareness is understanding risks. Awareness is being proactive to those risks with sensible solutions. Each individual can significantly reduce the exposure of sensitive information by following simple behaviors and raising their hand with conviction when they see a potential or real risk. No one has all the answers, but collectively the risk can be addressed and reduced. Each company in America can significantly reduce the loss of sensitive information through an effective employee awareness program. There is no question about that. One lost laptop can be a devastating incident that very well may not have occurred if the employee clearly understood both the risk and their responsibility. The cost to implement an information security awareness program is incalculably far less than what it could cost you later without one.

Today's information risk pandemic should be treated like any other event that requires a disaster recovery plan. Prevention is an important key, and through it we just might bring the level of this risk down from pandemic status to that of a cold.

URL: https://www.sciencedirect.com/science/article/pii/B978159749282900004X

Information security awareness training

Jack Wiles, ... Sean Lowther, in Low Tech Hacking, 2012

Summary

The design and implementation of an effective information security awareness program is far more complicated than what can be included in a single chapter. An additional source of information is the Internet. But be cautious. Not everything you read is good, solid information. There are individuals, associations, and companies available to help you design and implement your program. Fortunately, I had the opportunity to design and implement an Information Security Awareness Program at one of the largest companies in America and, for that matter, the world. So, I bring you real world experience and not theory. Nothing, however, is better than your own spirit, enthusiasm, and desire to create a viable awareness program for your company. Again, do not underestimate yourself!

Keep in mind that AWARENESS IS UNDERSTANDING RISK. Awareness is being proactive about those risks with sensible solutions and right behaviors. Each employee can significantly reduce the exposure of sensitive information by following simple behaviors and raising their hand with conviction when they see a potential or real risk. It is the same concept adopted by Homeland Security's “If You See Something, Say Something™” campaign. It's your responsibility to create a program that effectively captures employee attention with guidance on how to safeguard sensitive information properly. Over time, your program will change the culture to one that not only understands the importance of safeguarding sensitive information but also exhibits the right behaviors for doing so at your company. Let every employee at your company become a security officer, because your employees are your most valuable countermeasure.

If employees are not made aware of their responsibilities, they cannot be held accountable. Each company in America can significantly reduce the loss of sensitive information, and thereby the exposure to the financial risks, through an effective employee awareness program. Make it happen at yours!

And finally, thank you for reading this chapter, as it is one more touch point in my mission to help others become more today than they were yesterday through presentation and awareness.

We fully acknowledge use of Chapter 4, “Developing an Effective Security Awareness Program,” from Techno Security's™ Guide to Securing SCADA: A Comprehensive Handbook on Protecting the Critical Infrastructure (ISBN: 978-1-59749-282-9, Syngress).

URL: https://www.sciencedirect.com/science/article/pii/B9781597496650000083

Security Education, Training, and Awareness

Albert Caballero, in Computer and Information Security Handbook (Third Edition), 2017

Multiple Choice

1. One of the techniques used to deliver an engaging security awareness program includes?
   A. Username
   B. Password
   C. Validations
   D. Security systems
   E. Computer-based training

2. Regardless of the techniques chosen to deliver the material, which feature is maintained throughout each of the methods or techniques implemented?
   A. Attack
   B. Choking
   C. Ease of use
   D. Security
   E. Questionnaire

3. What platform allows administrators to measure and monitor the delivery of emails to users and can be used to craft fake phishing emails that can be customized by department or region?
   A. Devices
   B. ThreatSIM
   C. Data
   D. Backups
   E. All of the above

4. What concept is required by information security personnel that requires higher education to be competent for their positions and to achieve a common body of knowledge that prepares them to enter the workforce?
   A. Security education
   B. Private plan
   C. Secure plan
   D. Virtual plan
   E. All of the above

5. What gets the word out to all personnel and helps everyone focus on building a security culture and a mature information security practice?
   A. Monitoring
   B. Securing
   C. Governing
   D. Security awareness
   E. All of the above

URL: https://www.sciencedirect.com/science/article/pii/B9780128038437000338

Conduct Security Awareness and Training

Jason Andress CISSP, ISSAP, CISM, GPEN, Mark Leary CISSP, CISM, CGIET, PMP, in Building a Practical Information Security Program, 2017

Counting Incidents

Counting incidents is one way to measure the effectiveness of our security awareness program. Logically, when we increase the level of training in how to respond to security incidents in our user population, and increase awareness that such incidents exist in the first place, we would expect to see the number of reported security incidents go down, perhaps rather sharply. After all, our well-trained cadre of users should now be out making a more secure workplace as they carry out their appointed tasks, should they not? Unfortunately, or perhaps fortunately, no.

What we can actually expect to see, when we have rolled out our awareness program in full force, is a sharp uptick in reported security incidents. Why would this be? For several reasons.

First, we have drawn awareness to security incidents existing. Although some subset of our users would have previously been both technically savvy enough and security aware enough to spot such incidents before our training, the general user population would not. We have given them a new set of tools and exhorted them to make use of them in the course of their daily activities. This means that we have now increased the likelihood that security issues will be detected and reported through the proper channels.

Second, we have greatly sensitized our users to the potential for security incidents to exist, whether they actually exist or not. For some period of time, we will likely see an uptick in jumping at shadows as it relates to information security. We will get reports about every odd-looking email, strange soliciting phone call, USB drive found in the hallway, and a wide variety of other such “incidents.” This will calm down over time, as the idea of security awareness becomes less of a brand new thing.

Ultimately, we are likely to see a sharp uptick in incidents, subsiding to a somewhat lesser level over time, but settling at a higher level than before we started the program. This is both a normal and a healthy expected result.

URL: https://www.sciencedirect.com/science/article/pii/B9780128020425000093

Assessing Security Awareness and Knowledge of Policy

Craig Wright, in The IT Regulatory and Standards Compliance Handbook, 2008

Publisher Summary

This chapter describes assessing security awareness and knowledge of policy. It explains what is needed to ensure the success of a security awareness program. It is crucial to understand that awareness is not training or education. Rather, awareness is the first stage in developing a culture of security within the organization. A security awareness program should be an ongoing program, as training tends to be forgotten over time. Security awareness allows people to understand their role within the organization from an information security perspective. Awareness helps people realize the need for further training and education. In planning the development of awareness, training, and education programs, it is essential to first understand that each of these is a separate stage, and that each stage builds upon the one before it. Initially, security awareness sessions help users improve their behavior from an information security perspective. Awareness sessions allow users to become knowledgeable in their responsibilities as they are taught correct practice within the organization. Development of awareness across all users helps improve accountability, one of the key tenets of creating a secure environment.

URL: https://www.sciencedirect.com/science/article/pii/B9781597492669000084

Hacking as a Career

Thomas Wilhelm, in Professional Penetration Testing, 2010

GSLC

Part of the management track, the GSLC is intended for “Security Professionals with managerial or supervisory responsibility for information security staff” (Global Information Assurance Certification [GIAC]). The knowledge for this certification does not extend very deep into technical aspects and covers many of the same areas of knowledge as ISACA and (ISC)² management certifications. The list of topics related to the GSLC can be found in Table 3.1 (GIAC).

Table 3.1. GSLC Topics

Exam Certification Objectives:
802.11
Access Control and Password Management
Advanced Reconnaissance and Vulnerability Scanning
Building a Security Awareness Program
Business Situational Awareness
Change Management and Security
Computer and Network Addressing
Cryptography Algorithms and Concepts
Cryptography Applications, VPNs and IPSec
Cryptography Fundamentals
Defense-in-Depth
Defensive OPSEC
Disaster Recovery/Contingency Planning
DNS
Facilities, Safety, and Physical Security
Fraud Management
General Types of Cryptosystems
Honeypots and Honeynets
Incident Handling and the Legal System
Incident Handling Foundations
Information Warfare
IP Terminology and Concepts
Malicious Software
Managerial Wisdom
Managing Ethics
Managing Globally
Managing Intellectual Property
Managing IT Business and Program Growth
Managing Legal Liability
Managing Negotiations
Managing Privacy
Managing Security Policy
Managing Software Security
Managing Technical People
Managing the Mission
Managing the Procurement Process
Managing the Total Cost of Ownership
Methods of Attack
Mitnick-Shimomura
Offensive OPSEC
Offensive Vulnerability Scanning
PGP and PKI
Project Management for Security Leaders
Risk Management and Auditing
Security and Organizational Structure
Steganography
The Intelligent Network
The Network Infrastructure
Web and Communications Security
Wireless Advantages and Bluetooth

URL: https://www.sciencedirect.com/science/article/pii/B9781597494250000075

Forewords

Kevin Mitnick, Dave Kennedy, in Building an Information Security Awareness Program, 2014

I've read a lot of books in my time, but this one is different. It's a way to build a successful security-awareness program, a way to pave your INFOSEC program forward, and a way to train users in a way that makes it possible to detect attacks. I'm such a big advocate of bringing awareness to corporations and employees; it's one of the best returns you will ever get on an investment. The blend that Bill and Valerie bring in showing successful attacks that have occurred in the wild and following it up with how to proactively defend is brilliant.

URL: https://www.sciencedirect.com/science/article/pii/B9780124199675099907

How do you design an awareness program?

How to Start an Awareness Campaign: 9 Steps
1. Do your research and set goals.
2. Select the right date for your awareness campaign.
3. Identify and define your audience.
4. Craft your awareness campaign message.
5. Engage ambassadors to reach and raise more.
6. Secure your awareness campaign's sponsors.

What three basic items should be used for security awareness training?

3 Essential Elements of an Effective Security Awareness Training
1. Prioritize phishing attack prevention.
2. Make sure employees stay safe online: 10 best practices.
3. Improve data privacy and protection measures.

What is awareness training program?

In cybersecurity, awareness training is a program designed to help users and employees understand the role they play in helping to combat information security breaches. Awareness training helps employees to understand risks and identify potential attacks they may encounter as they receive email and use the web.

What should be included in a security awareness training program?

Top 10 security awareness training topics for your employees
1. Email scams
2. Malware
3. Password security
4. Removable media
5. Safe internet habits
6. Social networking dangers
7. Physical security and environmental controls
8. Clean desk policy