Human Metrics: Measuring Behavior
Lance Spitzner
www.securingthehuman.org/
lspitzner@sans.org
@securethehuman
Security Awareness Maturity Model
• Non-Existent
• Compliance Focused
• Promoting Awareness & Change
• Long Term Sustainment
• Metrics
Useful Metrics
Focus on just a few, high-value metrics:
– A metric that measures a human risk or behavior that you care about
– A metric that is actionable
– A metric that is low-cost/automated
– A metric that is repeatable
2 Types of Awareness Metrics
• Metrics that measure the deployment of your awareness program. Are you compliant?
• Metrics that measure the impact of your awareness program. Are you changing behavior?
Key Points
• Computers do not have feelings, but people do.
• Announce and explain your metrics program ahead of time, then start slow and simple.
• Do not embarrass people, and do not release the names of those who fail to management. Only notify management of repeat offenders.
• Focus on real-world risks; do not "trick" people.
Example Metric - Phishing
Recreate the very same attacks that the bad guys are launching. This is an excellent way to measure change in behavior.
– Measures a top human risk
– Simple, low-cost and easy to automate
– Repeatable and quantifiable measurements
– Actionable
Get Approval
• Before conducting any type of assessment, make sure you have appropriate approvals.
• If you can't get approval, try a test run against the blockers (HR, Legal).
• Make sure the security team knows ahead of time. Let them know each time you do it and whom to contact when things go wrong.
Example
Click Results
If an end user falls victim to an email assessment, you have two general options:
– Error message / no feedback
– Immediate feedback that explains this was a test, what they did wrong and how to protect themselves
Follow-up
• Send the results of the test to all employees 24 hours later.
• Explain the results, how they could have detected the phishing email and what to look for in the future. Include an image of the phishing email.
• Include your monthly security awareness newsletter.
Violations
• First violation: Employee is notified and given additional or follow-up training.
• Second violation: Employee is notified and manager is copied.
• Third violation: Manager is required to have a meeting with the employee and report results to security.
• Fourth violation: Employee reported to HR.
The Impact
• First phish: 30-60% fall victim.
• 6-12 months later: as low as 5%.
• The more frequent the assessments, the greater the impact:
– Quarterly: 19%
– Every other month: 12%
– Monthly: 5%
• Over time, you will most likely have to increase the difficulty of the tests.
Human Sensors
• Another valuable metric is how many people reported the attack.
• At some point, you may need to develop a policy on what to report. For example:
– Do not report when you know you have a phish. Simply delete it.
– Report if you don't know (think APT).
– Report if you fell victim.
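The following is an added example, not from the slides, that pulls the phishing metric, the Violations ladder, the Impact trend and the Human Sensors count together into one set of functions over per-recipient assessment results. The Result record, its field names and every sample row are assumptions constructed for illustration; the only things taken from the slides are what gets counted and the four escalation steps.

```python
"""Metrics over phishing-assessment results (constructed data, not from the slides).

Per campaign: who clicked and who reported (the two human-sensor numbers), plus the
per-employee escalation step from the Violations slide and the list of repeat
offenders that is the only thing management should see.  The Result record, field
names and sample rows are assumptions made for this example.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Result:
    campaign: str                        # assessment identifier, e.g. "2014-01"
    user: str                            # employee identifier (not an email)
    sent: datetime                       # when the simulated phish was sent
    clicked: Optional[datetime] = None   # None: did not click
    reported: Optional[datetime] = None  # None: did not report it


# Escalation ladder from the Violations slide, keyed by cumulative click count.
ESCALATION = {
    1: "employee notified; follow-up training assigned",
    2: "employee notified; manager copied",
    3: "manager meets employee; results reported to security",
    4: "employee reported to HR",
}


def campaign_summary(results, campaign):
    """Click rate, report rate and time-to-first-report for one campaign."""
    rows = [r for r in results if r.campaign == campaign]
    sent = len(rows)
    clicked = sum(1 for r in rows if r.clicked)
    reported = sum(1 for r in rows if r.reported)
    # "Report if you fell victim": clickers who also reported still helped.
    clicked_and_reported = sum(1 for r in rows if r.clicked and r.reported)
    report_times = [r.reported for r in rows if r.reported]
    first_report = None
    if report_times:
        first_report = (min(report_times) - min(r.sent for r in rows)).total_seconds() / 60
    return {
        "sent": sent,
        "click_rate": round(clicked / sent, 3) if sent else 0.0,
        "report_rate": round(reported / sent, 3) if sent else 0.0,
        "clicked_and_reported": clicked_and_reported,
        "minutes_to_first_report": first_report,
    }


def click_history(results):
    """Cumulative clicks per user across every campaign."""
    return Counter(r.user for r in results if r.clicked)


def escalation_step(click_count):
    """Map a cumulative click count onto the ladder; stay on the last rung past four."""
    if click_count < 1:
        return None
    return ESCALATION[min(click_count, max(ESCALATION))]


def repeat_offenders(results, threshold=2):
    """Only these go to management (Key Points slide); first-time clickers stay private."""
    return sorted(u for u, n in click_history(results).items() if n >= threshold)


def trend(results):
    """Click rate per campaign in chronological order: the drop the Impact slide describes."""
    return [(c, campaign_summary(results, c)["click_rate"])
            for c in sorted({r.campaign for r in results})]


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample: five employees, two assessments three months apart.
SAMPLE = [
    Result("2014-01", "alice", _t("2014-01-14T09:00"), clicked=_t("2014-01-14T09:07"), reported=_t("2014-01-14T09:10")),
    Result("2014-01", "bob",   _t("2014-01-14T09:00"), clicked=_t("2014-01-14T09:20")),
    Result("2014-01", "carol", _t("2014-01-14T09:00"), clicked=_t("2014-01-14T11:02")),
    Result("2014-01", "dave",  _t("2014-01-14T09:00")),
    Result("2014-01", "erin",  _t("2014-01-14T09:00")),
    Result("2014-04", "alice", _t("2014-04-15T09:00"), reported=_t("2014-04-15T09:03")),
    Result("2014-04", "bob",   _t("2014-04-15T09:00"), clicked=_t("2014-04-15T09:31")),
    Result("2014-04", "carol", _t("2014-04-15T09:00"), reported=_t("2014-04-15T09:45")),
    Result("2014-04", "dave",  _t("2014-04-15T09:00"), reported=_t("2014-04-15T09:12")),
    Result("2014-04", "erin",  _t("2014-04-15T09:00")),
]

if __name__ == "__main__":
    for campaign, rate in trend(SAMPLE):
        print(campaign, campaign_summary(SAMPLE, campaign))
    for user, n in click_history(SAMPLE).items():
        print(user, n, escalation_step(n))
    print("repeat offenders for management:", repeat_offenders(SAMPLE))
```

Two design points worth noting: the click rate and the report rate are computed over the same denominator (everyone who was sent the email), so the two trends can be read side by side, and the only per-name output is the repeat-offender list, which matches the Key Points rule that first-time clickers are never named to management.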
How To Phish
• URL Shorteners
• Email Marketing Solutions
• Cloud Phishing Services
• Pen Testing Software
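Whichever of the tools above sends the emails, each click has to be attributed to a recipient without putting anyone's email address in the URL and without letting a guessed, edited or forwarded link manufacture a false victim. Added example, not from the slides or from any of the listed products: per-recipient tracking links whose token is authenticated with an HMAC under a per-campaign key, and a landing handler that records the click once and then answers in one of the two modes from the Click Results slide. The landing host, key handling, recipient identifiers and response texts are assumptions made for this example.

```python
"""Per-recipient tracking links for a phishing assessment (added example).

Each link carries an opaque token: campaign id plus an internal recipient id,
authenticated with HMAC-SHA256 under a per-campaign key.  The landing handler
verifies the tag before attributing a click, so an edited URL cannot create a
false victim and a forwarded link still attributes to the original recipient.
The landing host, key handling and response texts are assumptions.
"""
import base64
import binascii
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

LANDING = "https://training.example.com/hr-benefits"   # assumed landing page
KEY = secrets.token_bytes(32)                           # one key per campaign


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(key: bytes, campaign: str, recipient_id: str) -> str:
    """Token layout: <base64url(campaign|recipient)>.<base64url(HMAC tag)>."""
    msg = f"{campaign}|{recipient_id}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{b64url_encode(msg)}.{b64url_encode(tag)}"


def parse_token(key: bytes, token: str):
    """Return (campaign, recipient_id) if the tag verifies, otherwise None."""
    try:
        msg_b64, tag_b64 = token.split(".", 1)
        msg, tag = b64url_decode(msg_b64), b64url_decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    campaign, recipient_id = msg.decode().split("|", 1)
    return campaign, recipient_id


def tracking_url(key: bytes, campaign: str, recipient_id: str) -> str:
    """The link that goes into this recipient's copy of the simulated phish."""
    return f"{LANDING}?{urlencode({'t': make_token(key, campaign, recipient_id)})}"


def handle_click(key: bytes, url: str, clicks: dict, feedback: bool = True):
    """Landing handler: verify the token, record the click once per recipient,
    then respond in one of the two modes from the Click Results slide."""
    token = parse_qs(urlparse(url).query).get("t", [""])[0]
    parsed = parse_token(key, token)
    if parsed is None:
        return 404, "Not found"   # unverifiable token: nothing attributed, nothing leaked
    campaign, recipient_id = parsed
    clicks.setdefault(campaign, set()).add(recipient_id)   # a recipient counts once
    if feedback:
        return 200, ("This was an authorized phishing assessment. Here is what "
                     "gave it away and how to protect yourself.")
    return 500, "An error occurred."   # the 'error message / no feedback' option


if __name__ == "__main__":
    clicks = {}
    url = tracking_url(KEY, "2014-04", "emp-0042")
    print(url)
    print(handle_click(KEY, url, clicks), clicks)
```

Because the recipient id inside the token is an internal identifier rather than an email address, web-server logs and anyone shoulder-surfing the address bar learn nothing about who was targeted, which keeps the "do not embarrass people" rule intact even before the results are aggregated.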
The Attack
Are People Updating Devices?
Physical Security Behaviors
• See if an unauthorized person can enter or walk around facilities without an ID badge.
• Check desktops to make sure computer screens are locked and there is no sensitive information left on desks.
• Check parked cars for mobile devices left in the open.
Number of Infected Computers
• Track the number of infected computers on a monthly basis.
• As most infections are the result of human behavior, the number should go down over time.
• One defense industry organization had such a dramatic drop in infections that they could free up half an FTE (full-time employee).
Visualizing Your Measurements
Next Generation Awareness
• 3rd Generation STH will be about understanding and measuring User Risk: security and compliance TOGETHER. Measurable metrics to understand whether you're winning or losing.
• The SANS Security Awareness Summit will have a focus around this initiative: 10 September 2014 in Dallas.
• Interested in being involved in the development of this new approach? Contact John Fitzgerald ([email protected]).
Summary
Metrics are a powerful way to both measure and reinforce your awareness program.
securingthehuman.org/resources/metrics
sans.org/mgt433