Maximizing ROI through Security Training (for Developers)

How can a company implement an effective security training program with a limited budget and scarce resources? The first step is to assess needs and define training objectives. Then comes the challenging and often perplexing decision of build versus buy, instructor-led versus CBT (computer-based training), and generic versus customized training that references internal security standards, development policies, and secure coding guidelines. Finally, how does the company define success and measure results? How does the company ensure developers retain and apply the skills they learn to develop secure software?

Kartik Trivedi, Symosis

Kartik is a senior information security, technology, and business professional, renowned speaker and cofounder of Symosis. Symosis is a boutique hi-tech information security consulting firm specializing in software security with focus on delivering solutions for organizations coping with the broad spectrum of security threats, risks, infrastructure needs, and regulatory compliance requirements. Kartik has a decade of experience selling and managing the delivery of services to the Fortune 500. He is a solutions-driven, collaborative leader known for consistently driving profitability and client satisfaction in rapidly growing and evolving organizations.

  1. Maximizing ROI through Security Training

  2. Who am I?
     • VP / Co-Founder of Symosis; 10+ years in information security consulting & training (USC, Foundstone, McAfee, Accuvant, C-Level Security, etc.)
     • Invited speaker, author and educator
     • MBA, MS Comp Sc, CISM, CISA, CISSP

  3. Table of Contents
     • Business case for security
     • Evolving threats
     • How to build an effective training program?
     • Case Studies

  4. The Business Case for Security
     Proper security enables a company to meet its business objectives by providing a safe and secure environment.

  5. Impact of Security Breaches
     • Loss of Revenue
     • Damage to Reputation
     • Loss or Compromise of Data
     • Damage to Investor Confidence
     • Legal Consequences
     • Interruption of Business Processes
     • Damage to Customer Confidence

  6. Dollar Amount of Loss
     The cost of implementing security measures is not trivial; however, it is a fraction of the cost of mitigating security compromises. (* CSI 2006)

  7. Cost of Security Breach
     (* Aberdeen Group, August 2010)

  8. Security Breach Example Costs
     Cost of recent customer records breaches:
     • $6.5 Million: DSW Warehouse costs from data theft
     • $5.7 Million: BJ's Wholesale Club from data breach
     Additional impact/cost due to lost customers:
     • 20% of customers have ended a relationship with a company after being notified of a breach (Ponemon Institute)
     • 58% said the breach decreased their sense of trust and confidence in the organization reporting the incident
  9. TOC
     • Business case for security
     • Evolving threats
     • How to build an effective training program?
     • Case Studies

  10. Emerging Threats - Attack Methods
     (* SANS 2010)

  11. Emerging Threats - Application Weaknesses
     (* SANS 2010)

  12. Emerging Threats
     Chart: "Rapidly Escalating Threat to Businesses" (vertical axis: Target and Scope of Damage, from Individual Computer through Individual Networks, Multiple Networks and Regional Networks up to Global Infrastructure Impact; horizontal axis: 1980s, 1990s, Today, Future)
     • First Gen (1980s): Boot viruses (Weeks)
     • Second Gen (1990s): Macro viruses, Denial of Service (Days)
     • Third Gen (Today): Distributed Denial of Service, Application threats, Malware (Minutes)
     • Next Gen (Future): Flash threats, Massive "bot"-driven DDoS, Damaging payload worms (Seconds)

  13. Emerging Threat Categories
     • Malware
     • Botnets
     • Threats to VoIP and mobile convergence
     • Cyber warfare
     • Data thefts

  14. Threats becoming increasingly difficult to detect and mitigate
     Chart: Threat Severity over time (1990, 1995, 2000, 2005, What's next?)
     • Testing the Waters: Basic Intrusions and Viruses
     • Fame: Viruses and Malware
     • Financial: Theft & Damage

  15. TOC
     • Business case for security
     • Evolving threats
     • How to build an effective training program?
     • Case Studies

  16. Why Security Training
     • Reduce accidental security breaches
     • Improve employee behaviour
     • Enable the organization to hold employees accountable for their actions
     • Build in-depth knowledge to design, implement, or operate security programs for organizations & systems
     • Develop skills & knowledge so that computer users can perform their jobs while using IT systems more securely

  17. Why Security Training?
     • Dissemination & enforcement of policy become easier when training & awareness programs are in place
     • Demonstrating due care & diligence can help indemnify the institution against lawsuits
     • By improving awareness of the need to protect system resources
  18. How is Information Security Justified?
     (PWC security survey 2011)

  19. Step 1: Define Training Objectives
     • Compliance, Regulations and Governance
     • Client / Partner requirements
     • Increase the general level of security awareness
     • Reduce the incidence of computer fraud, waste and abuse
     • Create a more security-savvy workforce
     • Design, develop and maintain secure IT infrastructure and applications

  20. PCI Compliance
     All service providers with which cardholder data is shared must adhere to the PCI DSS requirements and must sign an agreement acknowledging that the service provider is responsible for the security of cardholder data the provider possesses.

  21. PCI Compliance
     The Payment Card Industry (PCI) Data Security Standard mandates a security awareness program that:
     • 12.6.1: Educates employees upon hire and at least annually
     • 12.6.2: Requires employees to annually acknowledge in writing that they have read and understood the company's security policy and procedures

  22. HIPAA Compliance
     The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates that Covered Entities, which include health plans, healthcare clearinghouses, and most healthcare providers, may not use or disclose individuals' health information for purposes unrelated to providing healthcare, managing their organization, or meeting their obligations under state and federal law, unless individuals specifically authorize them to do so.

  23. HIPAA Compliance
     Ensuring all employees, including management, agents and contractors in an organization, understand and uphold these rules is no easy task and is, to a large degree, a training and management problem. This is why the Department of Health and Human Services (HHS) has mandated annual privacy and security training, as well as regular reminders for all employees.

  24. HIPAA Compliance
     • Upper Management Training
     • Security Awareness Day
     • Security Awareness and Ongoing Training for all staff
     • Computer Users' Supervisor Training
     • Security "Marketing" Efforts
     • Annual System-specific Training
     • Professional Education Training

  25. GLBA Compliance
     The Gramm-Leach-Bliley Act of 1999 Employee Training Requirements mandate IT Security Awareness Training for all employees of financial service providers (FSPs) covered by the GLB Act, which includes all companies "engaging in financial activities."

  26. GLBA Compliance
     • Examples of organizations that are affected by these rules include:
        – insurance agencies
        – tax preparers
        – finance companies
        – collections agencies
        – leasing agencies
        – travel agencies
        – financial advisors

  27. ISO 27002
     • ISO 27002 is an internationally recognized standard published by the International Organization for Standardization covering information security best practices. Many global organizations use this comprehensive standard to gauge their information security programs.
     • Provide an adequate level of security education and training to your organization's employees, contractors and third-party users

  28. FISMA
     • The Federal Information Security Management Act (FISMA) is Title III of the E-Government Act, which requires federal agencies to develop, document, and implement a comprehensive agency-wide information security program.
     • Part of such a program is a security training program that educates personnel, including contractors and other users, on their responsibilities in maintaining information security, complying with organizational policies and procedures, and reducing the risks associated with their activities

  29. Red Flag Theft Prevention
     • Under the new Red Flag regulations, financial institutions and creditors must develop a written program that identifies and detects the relevant warning signs (Red Flags) of identity theft, such as unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents
     • Includes appropriate staff training and oversight of any service providers

  30. SOX (Sarbanes-Oxley)
     • Sarbanes-Oxley requires the CEO and CFO of publicly traded companies to be held accountable for financial statements filed with the Securities and Exchange Commission and includes criminal penalties for false certification
     • Top management must ensure that there are adequate 'internal controls' to ensure reliable financial reporting and protect financial data that resides in information systems
  31. Step 2: Assess Needs
     • Identify training administrator
        – Primary responsibility lies with the Chief Information Security Officer, top management and the security team

  32. Assess Needs
     • Who needs to be trained, and on what?
        – All stakeholders: Security Awareness Training, Compliance
        – Program Managers: Architecture & Design
        – Architects & Developers: Threats, coding mistakes, secure software development
        – Testers / QA: Security Test Cases

  33. Assess Needs
     Matrix of Functional Background (General User, Managerial User, Technical User) against Skill Level (Novice, Intermediate, Expert).
     Using the wrong training methods can:
     • Hinder transfer of knowledge
     • Lead to unnecessary expense & frustrated, poorly trained employees

  34. Step 3: Key Factors
     • Build vs. Buy
     • Classroom / Instructor Led
     • CBT / Web Based
     • Generic vs. Customized
     • Hosting

  35. Build vs. Buy
     Build:
     • Business needs are unique
     • Internal capability available
     • Proprietary information or data needs to be protected
     • Complexity of interface with company's LMS
     • No COTS products, or too costly
     Buy:
     • Reduce and control operating costs
     • Free internal resources
     • Gain access to external capabilities
     • Resource constraints
     • Improve company focus
     • Share risks
     Key considerations: cost, quality, and timeline

  36. Costs
     • "How to Spend a Dollar on Security" recommends that out of every security dollar you spend:
        – 15 cents: Policy
        – 40 cents: Awareness
        – 10 cents: Risk Assessment
        – 20 cents: Technology
        – 15 cents: Process
     • We have seen it done at anywhere from $5K to $5M in annual costs
     (Patrick McBride, ComputerWorld)

  37. Classroom / Instructor Led
     • Study away from the office at another location, with time set aside and dedicated to learning a new course (and in some cases, for certification, sitting an exam)
     • Costs are higher, as they include course fees, travel, accommodation and other expenses
     • Access to a trainer for the duration of the course (and sometimes for a limited period after the course)
     • Access to other students during the course and as a potential networking group after the course

  38. Computer / Web Based
     • Individuals can study in their own time and at their own pace, thereby learning at a rate they are comfortable with
     • Lower costs: CBT is much more cost effective than classroom training. Multi-user options allow a company to train more than one person with the same budget as, or less than, sending one person on a classroom course
     • Combines the "best bits of classroom training", such as video clips of instructor sessions, with the "best bits of reference material", such as technical information and practice questions, to provide a great all-round training experience which is beneficial to both student and employer at the best price available

  39. Generic vs. Customized
     • Generic training is cost effective and focuses on core security issues, OWASP Top 10 threats, etc.
     • Customization provides training that matches specific needs for content, completion requirements, quizzes, policies, and even employee responsibility acknowledgment

  40. Hosting
     • Web-based training can be hosted internally or provided as software as a service (SaaS)
     • Internal hosting provides greater control but can be resource and cost intensive
     • A SaaS service is often turnkey but may limit scalability and usage
  41. Step 4: Metrics
     • Quiz and survey results
     • Content
     • People

  42. Metrics - Quiz and survey results
     • Score Results: How did people score?
     • Answer Breakdown: How did people answer?
     • Attempt Detail: How did a user answer?

  43. Metrics - Content
     • Activity: What was the activity for a content item?
     • Traffic: How often was an item viewed?
     • Progress: How many slides did people view?
     • Popular Content: Which content was viewed the most?

  44. Metrics - People
     • Group Activity: What content did a group view?
     • User Activity: What content did a user view?
     • Active Groups: Who were my most active groups?
     • Active Users: Who were my most active users?
     • Guestbook Responses: What were the responses to a guestbook?

  45. TOC
     • Business case for security
     • Evolving threats
     • How to build an effective training program?
     • Case Studies

  46. Case Study 1 - Project management and custom software company
     • Challenge:
        – Ensure secure coding elements have been taught
        – Address the top 10 threats and their mitigation techniques
        – Meet a time-sensitive requirement under a DoD contract
     • Solution:
        – Implement best-practices software security training for Java
        – Provide access to training on demand from a SaaS model

  47. Challenge:
        – Improve software quality by eliminating common mistakes
        – Provide a foundation for everyone to 'own' security
     Solution:
        – Create a custom course based on previously identified risks and mitigations
        – Integrate security cases into the QA lifecycle
        – Measure year-over-year declines in security-related CRs

  48. Challenge:
        – Meet PCI compliance for integrating secure coding practices
     Solution:
        – Implement Java/.NET secure coding practices
        – Address PCI Cardholder Data requirements within application development

  49. Thanks for listening… Questions?
     Try out free Symosis training at http://