Playing the long game changing security culture in usg

321 views
232 views

Published on

Keynote presentation to USG Security Conference in 2011.

Published in: Business, Sports
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
321
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
8
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Playing the long game changing security culture in usg

  1. 1. Playing the Long Game: Changing Security Culture in USG Dr. Curtis A. Carver Jr. Vice Chancellor and Chief Information Officer University System of GeorgiaGALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123
  2. 2. What to Take from this Presentation • What is organizational culture? • Why should I build a security culture? • How do I build an organizational security culture?GALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123
  3. 3. What is Organizational Culture? Organizational culture is the personality of the organization. Culture is comprised of the assumptions, values, norms, and tangible signs (artifacts) of organizational members and their behaviors. “How do things get done around here?”GALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL http://managementhelp.org/org_thry/culture/culture.htm PeachNet USG123
  4. 4. Types of Organizational Cultures Academy Culture: Employees are highly skilled and tend to stay in the organization, while working their way up the ranks. The organization provides a stable environment in which employees can development and exercise their skills. Examples are universities, hospitals, large corporations, etc.GALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123
  5. 5. Types of Organizational Cultures Baseball Team Culture: Employees are "free agents" who have highly prized skills. They are in high demand and can rather easily get jobs elsewhere. This type of culture exists in fast- paced, high-risk organizations, such as investment banking, advertising, etc.GALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123
  6. 6. Types of Organizational Cultures Club Culture: The most important requirement for employees in this culture is to fit into the group. Usually employees start at the bottom and stay with the organization. The organization promotes from within and highly values seniority. Examples are the military, some law firms, etc.GALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123
  7. 7. Types of Organizational Cultures Fortress Culture: Employees dont know if theyll be laid off or not. These organizations often undergo massive reorganization. There are many opportunities for those with timely, specialized skills. Examples are savings and loans, large car companies, etc.GALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123
  8. 8. Types of Organizational Cultures The Tough-Guy Macho Culture. Feedback is quick and the rewards are high. This often applies to fast moving financial activities such as brokerage, but could also apply to policemen or women, or athletes competing in team sports. This can be a very stressful culture in which to operate.GALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123
  9. 9. Types of Organizational Cultures The Work Hard/Play Hard Culture is characterized by few risks being taken, all with rapid feedback. This is typical in large organizations, which strive for high quality customer service. It is often characterized by team meetings, jargon and buzzwords.GALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123
  10. 10. Types of Organizational Cultures The Bet your Company Culture, where big stakes decisions are taken, but it may be years before the results are known. Typically, these might involve development or exploration projects, which take years to come to fruition, such as oil prospecting or military aviation.GALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123
  11. 11. Types of Organizational Cultures The Process Culture occurs in organizations where there is little or no feedback. People become bogged down with how things are done not with what is to be achieved. This is often associated with bureaucracies. Whilst it is easy to criticize these cultures for being over cautious or bogged down in red tape, they do produce consistent results, which is ideal in, for example, public services. .GALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123
  12. 12. What is the Culture at Your Organization? • Academy • Baseball Team • Club • Fortress • Tough Guy/Macho • Work Hard, Play Hard • Bet Your Company • ProcessGALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123
  13. 13. Why Should I Build a Security Culture? • The situation is getting worst. • Perimeter defenses and centralized management are not working. • Passive approaches to awareness and training are not working.GALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123
  14. 14. GALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123
  15. 15. The Situation is Getting Worst • Increasing number of attacks • Increasing complexity of attacks • Decreasing interval between patch release and attack exploitationGALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123
  16. 16. Increasing Attacks 140000 800000 120000 700000 100000 Number Incidents This is about600000 point that the CERT Email 80000 500000 60000 Bloodhound.Exploit.45 400000 40000 attacked my computer. 300000 20000 200000 0 1988 1990 1992 1994 1996 1998 2000 2002 100000 0 1988 1994 2000GALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123
  17. 17. How could I be Attacked! • Antivirus on perimeter. • Antivirus updates 14 times a day. • Anti-spam updated automatically. • Windows patches update automatically. • Firewalls on computer and on perimeter. • Was working over an encrypted VPN channel. Attacked occurred at 8:37PM. Patches released 6:00 PM.GALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123
  18. 18. Remedial Action • Check for updates to anti-virus and anti-spam (didn’t work). • Ran anti-virus (didn’t work), ran anti-spam (didn’t work), ran windows update (worked!) • Set anti-virus to run at reboot. Reboot (worked!).GALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123
  19. 19. Changing Environment (Speed of Attack) • Morris Internet Worm (1988 - Over 72 hours affected 6,000 computers taking 90 minutes to bring a system down). • Melissa Virus (May 1999 – Over 72 hours affected 100,000 computers. One site received 32,000 Melissa email messages in 45 minutes.) • Code Red (July 2001 approx. 250,000 computers in 20 hours)GALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123
  20. 20. Slammer The World January 25, 2003 Slammer penetration 30 minutes after release. 4/7/2013 12:29 PM http://www.cs.berkeley.edu/~nweaver/sapphire/ 20GALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123
  21. 21. Increasing Complexity Slammer – Sapphire contains a simple, fast scanner in a small worm with a total size of only 376 bytes. – In the first minute, the infected population doubled every 8.5 seconds. – Achieved full scanning rate in less than 3 minutes. Full scanning rate was 55 million scans per second. – The scanning rate was limited because significant portions of the internet ran out of bandwidth. – Sapphire spread nearly two orders of magnitude faster than Code Red. http://www.cs.berkeley.edu/~nweaver/sapphire/GALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123
  22. 22. Perimeter Defenses are not Working (Necessary but not Sufficient) • Anti-virus, anti-spam, firewall, intrusion detection, and intrusion prevention systems are all necessary but not sufficient. • Why? My Projector is attacking my network! – Mobile worker population is out there working hard to pick up new and exotic attacks. – Insider threat much greater than outside threat. – New computing devices are coming in all shapes and sizes.GALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123
  23. 23. Centralized Management is not Working (Necessary but not Sufficient) • Anti-virus and software update servers are necessary but not sufficient. Active directory helps with authentication and authorization but is not enough. • Why? – Mobile work force – Time between release of patch and release of an attack tool, “flash to bang”, is rapidly shrinking. – As you hardened the perimeter and central management, attackers attempt to bypass these defenses through social engineering attacks.GALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123
  24. 24. How can someone at Yale post email Who is Joo- messages in hwan Lee is your and why is department he sending Does not really go and you you email? to this website. cannot? In this case, the attacker is trying to trick you into clicking on the embedded link. The link does not go to an webserver in the department but instead opens an invisible frame and launches a program embedded in another part of the email message.GALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123
  25. 25. Institution can The institution does not automatically update use non-personal software – no need to accounts such as ask permission. staff@usma.edu to send security announcements. An email from the The institution will not “usma.edu team” sounds refer to you as “Dear suspicious member of usma.edu” – it will refer to you by name. Does not really go there. As you might imagine, the virus creators were not thrilled about their viruses being deleted by the corporate virus checkers so they tried another approach. They encrypted the virus to disguise it, gave the user the password to decrypt it and install it, and hide it behind a familiar looking web address that did not go to the website but launched the virus.GALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123
  26. 26. Legitimate email to all users. Illegitimate email to all users 28 days later. The attack contained in the zipped file is new and host anti-virus software cannot protect the computer. The computer must be reimaged.GALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123
  27. 27. Passive Approaches to Awareness and Training are not working • Attacks are bypassing perimeter defenses. • Sophistication of attacks is increasing. • Every user is an attack point. • Every user is a vulnerability. • Even one user fails, insider attack occurs and it will spread very rapidly.GALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123
  28. 28. Passive to Active • Users remember: – 30% of what they hear – 40% of what they see and hear – 70% of what they do. • We have to get the users actively involved in learning. We have to change culture.GALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123
  29. 29. Study or Be Killed 80 Hard Questions Provided in Advance Teams of Four StudentsLast level is an exact copy ofthe Department of Electrical Answer IncorrectlyEngineering and ComputerScience at West Point exceptthe faculty are now monsters Answer Correctly – more aid kits, armor, and weaponsGALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123
  30. 30. 3 Waves of Information Security • Technical Wave – Authentication and access control • Management Wave – Policies, procedures – CISO and separate security staff • Institutionalization Wave – Information Security Awareness – Information Security Culture • Norms • Community • LeadershipGALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123 Von Solms (2000)
  31. 31. Comparative Framework Awareness Training Education Attribute What How Why Level Information Knowledge Insight Learning Recognition & Skill Understanding Objective Retention Example Media Practical Instruction Theoretical Instruction Teaching Method -Videos -Lecture and/or demo -Seminar and discussion -Newsletters -Case study -Reading and study -Posters -Hands-on practice -Research Test Measure True/False Problem Solving Essay Multiple Choice Recognition & Resolution (apply learning) (identify learning) (interpret learning) Impact Short-Term Intermediate Long-Term Timeframe “The Human Factor in Training Strategies” by Dorothea de Zafra, Nov. 1991 as quoted in NIST SP 800- 16GALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123
  32. 32. Changing Security Culture 1. Understand the current security culture. 2. Get leadership involved. 3. Plan for success. 4. Offer active awareness, training, and education opportunities. 5. Build norms and community. 6. Ensure everyone can answer two questions. i. What is normal in my organization? ii. What should I do if I detect abnormal activity? 7. Annually review and revise your plan.GALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123
  33. 33. Understand the Current Security Culture • Type: academy, baseball team, club, fortress, tough guy/macho, work hard/play hard, bet your company, process? • Assumptions, values, norms, and behaviors? – Security is someone else’s job. – I am too busy to bother with security. – It is too complicated to understand. • Sense of Community?GALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123
  34. 34. Get Leadership Involved • Changing organizational security culture is HARD and requires lots of resources. • If your leadership is not going to set the example and be actively involved, stop now and save everyone a lot of time and effort.GALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123
  35. 35. Two Questions • What is normal for my organization? • What should I do if I detect abnormal activity?GALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123
  36. 36. QUESTIONS, COMMENTS, A CONVERSATIONGALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123

×