The Human Factor 
kmar@baleo.be
(c) Copyright 2005. Koen Maris
Table of contents
Table of contents (p. 2)
Abstract (p. 3)
Introduction (p. 4)
  Today (p. 4)
  The public domain (p. 4)
Target audience (p. 5)
  Management (p. 5)
  Mid management (p. 5)
  Staff (p. 5)
  Technical staff (p. 5)
Definitions (p. 6)
The human factor (layer 8) (p. 6)
  The design issues (p. 6)
  The technology problem (p. 6)
  Cultural behavior (p. 7)
  Social engineering (p. 7)
    The exploits (p. 7)
    Human based social engineering (p. 8)
    Technology based social engineering (p. 8)
Countermeasures (p. 9)
  Seven steps to build your human firewall (p. 9)
    1. Convince your top management (p. 9)
    2. Assign and clarify roles and responsibilities (p. 9)
    3. Define an action plan linked to a budget (p. 10)
    4. Develop and update the policy framework (p. 10)
    5. Develop a security awareness/education program (p. 10)
    6. Measure the progress of your security awareness efforts (p. 10)
    7. Develop security incident response team and plan (p. 11)
Information (p. 12)
Resources (p. 12)
Abstract
Business today carries a significant number of security risks. In most cases, employees deal with security issues according to their own knowledge. The importance of a transparent security strategy is often neglected, with the result that only the techies know the security measures and the strategy behind them. Transparency is necessary so that security does not become an obstacle in the business processes.
If top management is not aware of the strategy, they might take a different direction; if the employees are not aware, they might impede your efforts. Hence the need for security awareness.
Businesses often rely blindly on technology to eliminate as many of the risks in their work environment as possible. Technology has a gap: it is first of all made by humans, administered by humans, and its output is interpreted by humans. It is therefore bound to end with the biggest security issue, "the human factor".
This said, it should be clear that security cannot lie solely within IT, where the size of the organization allows it. Security awareness can be obtained by training your employees on security issues that they can relate to their work environment and their private lives.
A security awareness program gives a company the ability to highlight risks, improvements made to security, how to make use of the security department, etc.
Your employees often think that your security department is a bunch of techies and/or freaks who like to be in control. Profiling your department as a point of contact where security issues can be discussed enhances overall security.
The key factor: educate your staff through an awareness program, a quiz, posters, e-mail messages or reminders, intranet information, etc.
Repetition is the determinant of success; humans only retain information by repeating it over and over, and using a more relaxed approach instead of an academic one will loosen people up, resulting in more interaction with the security management and its staff.
Introduction
Our technology-oriented civilization tends to solve problems with technology-based solutions. This paper lays out the importance of the human aspects in information security in relation to the technology used to mitigate the risk.
Statistics show that as many as 75 percent of security incidents are caused by human error or ignorance. Whilst technology solutions can never be the panacea in information security, one can increase their effectiveness by implementing a well-designed security awareness strategy.
Convince your management and launch your ideas in a language your target audience understands!
Today
Today employees have little idea about the security improvement efforts made by their employers. Nevertheless, all these efforts can easily be bypassed by mistake, configuration error, misinterpretation or intentional actions.
All people act according to what they know, what they have seen in the past or the information given at the very moment the action is required. This behavior is harmful for security no matter how much is invested in technology. Because the techniques used to gain financial benefit change so rapidly, technology alone cannot cope. The key factor is informing all your employees at all hierarchical levels. Repeating the message, with constant reminders through little notes, posters, mails and/or the intranet, is an effective way to keep up with the new breed of attacks.
The public domain
In our day-to-day lives, we are overwhelmed by security awareness campaigns. Government, law enforcement, state security and many others inform us about many issues that need public awareness. The information spreads over any medium available and able to reach the masses. An important factor is catching the attention: one-liners and funny or shocking pictures are still the number one strategy.
In fact, the public domain has plenty of examples to guide you through an effective campaign that improves your security strategy.
Ex.: During the Christmas period, a lot of countries put in a lot of effort to make drivers conscious of the risks of drinking and driving. It is clear that the opportunity (Christmas) is exploited to get better attention from the audience. In most countries it is a big annual event, but focus is kept throughout the year by different campaigns with a mutual interest.
Imagine marketing only working on one big event a year; you would not get a good sales cycle outside your marketing periods.
Target audience
In security awareness, you do not have one specific audience to focus on. If possible, split the audience according to the function they hold in the company. Splitting your audience into target groups allows you to talk in the specific language of each group.
Management: To attract Senior Management members, your presentation has to be focused on key elements only. For them it is more interesting to know what risk level they are at, what loss expectancy they have in case of an event and, more important, what they can gain by spending cash on security improvement. A numerical or statistical approach will improve the level of understanding of the complex issues; also, examples from real life will raise their attention. If the company were to lose assets, what would be the financial loss, or what is the loss in case the reputation is damaged? Important to know is that if you want them to support your strategy, they have to find themselves in the proposals. If they are not in line with your thoughts, you will have a hard job convincing them.
Remember the goal of security awareness: changing behavior. Hard but necessary is to pinpoint the day-to-day risks in their work environment. After all, Senior Management is less comfortable with the fact that somebody will tell them how to work and handle things.
If everyone is compliant with the password policy and Senior Management is not, the company could lose its valuable reputation very quickly and easily.
Mid management: Mostly responsible for transmitting the message to department heads. A more granular explanation of the policies, standards, procedures and guidelines is mandatory, as they are responsible for mapping it to the different department heads. If the message transmission fails, the pyramid structure will not work. The crucial factor is full understanding and acceptance by mid management. Their support determines the overall acceptance downwards in the pyramid.
Staff: Convincing your staff is the biggest obstacle, and it is only a start, as your goal is to change behavior. You can convince them, but that will not guarantee success. To change behavior you need repetition, and to get repetition you need time, money and support from your management. Splitting staff into job-related groups increases the effectiveness of your security awareness. Pointing out the importance of the person behind the job and his/her security-related issues will more likely improve the response to your efforts. Making your staff feel involved is the key message to a successful security-aware staff.
Technical staff: Special care is required, because convincing technical staff of how they should approach some parts of their job will not be easy going. Technical staff tends to get things up and running and apply security afterwards. Security integration should start at the beginning of each project, or somewhere in the initialization phase. Appending security at the end of a project will be expensive and difficult, and results in a less restrictive security integration than originally planned.
Definitions 
Often the words training and awareness are used in the wrong context. To avoid this misunderstanding, here is a short explanation based on the NIST 800-50 document.
Awareness: 
Awareness is not training. The purpose of awareness presentations is simply to focus 
attention on security. Awareness presentations are intended to allow individuals to 
recognize IT security concerns and respond accordingly. 
Training: 
Training strives to produce relevant and needed security skills and competencies. 
The human factor (layer 8)
Layer 8 is a complex layer with fuzzy logic, making random decisions and showing unpredictable behavior. The topic has been around for quite some time, and business needs to address it as never before. Often layer 8 is the cause of scandal where social engineering attacks are successful. This type of attack will rise in the future and we are standing on the edge; technology is keeping us from falling, but will it in the future?
The design issues
Designing a secure harbor for the business is a difficult task, as every business unit has its own view on what should be offered. Techies often design to their own needs and are less focused on the business requirements. If the design does not incorporate the requirements of the business, it will be subject to a lot of resistance. A solution cannot be successful in security if the people are opposed to it from the very beginning. User-friendly design will improve security due to the reduced error rate.
The technology problem
Often companies see the technology solution as the way to go. Heavily armored with firewalls, IDS/IPS, VPN, PKI, anti-virus, etc., the security officer considers himself secured to the bone, with a good understanding of the benefits and limitations of the products. All this technology remains a valuable tool to protect against malicious attacks, but one has to consider the drawbacks in this tech-savvy world:
- Technology is not perfect. Vulnerabilities, unchecked buffers and backdoors are still found in commercial and non-commercial software despite the efforts of your software engineering teams. The best approach to mitigate such risks is a multilayered solution, even though history proves that the best security can be compromised one way or another.
- Often big institutions do not understand the complex security issues in sufficient detail to ensure an appropriate solution. Such an approach results in choices that are often only an answer to one of the problems occurring. A firewall can be very good at filtering traffic but could be a nightmare in handling reporting and alerting.
- A technical solution is an expensive purchase and costly to keep running. Off-the-shelf products are often an answer to only a few of the requirements and add little competitive advantage.
- External consultants/engineers integrate the products in your infrastructure; this is a huge opportunity for intrusion or data leakage.
Cultural behavior
Discipline! Discipline varies around the world. In some countries everything is regulated and executed as written in the books. The cultural behavior is important when designing a campaign. It does not make sense to develop strict rules if they cannot be enforced.
E.g.:
Japan: Due to construction works near the server room, it became inevitable to make a huge hole in the wall leading to the server room. Although the hole was big enough to walk through, the staff still used the mantrap to enter the server room and advised consultants to do so. A good example of how culture can have an impact on your security strategy.
Social engineering
Probably the biggest concern today is social engineering, because it is spread throughout all layers of your company and any department could be subject to it. In most companies a robust policy structure guards against it, but control of compliance is mandatory, as policies are useless if not applied.
What is social engineering?
It is the art of deception or persuasion to gain information that would otherwise be hidden from the attacker. Despite all efforts and policy integration, any human is subject to emotion, and that is one of the key elements an attacker misuses: acquiring information or access privileges based on a false trust relationship built between the attacker and the victim.
The exploits
Diffusion of responsibility – If the victim is convinced the responsibility does not lie solely in his/her hands, they are more likely to grant the attacker's request.
Trust relationships – The attacker is prepared to spend more time on the attack to develop a relationship, with the goal of gaining trust. The trust is exploited by provoking a series of positive interactions. Once the attacker is confident, he/she will try his luck on a bigger move.
Moral duty – The attacker encourages the target to act out of a sense of moral duty. Convincing the target that the policy is not in line with common moral values will increase the chance to gather information. The target assumes detection will be unlikely.
Guilt – Psychodrama, manipulating empathy, creating sympathy and touching the heartstrings: all these factors are mastered by social engineers. Belief in the innocence of the requester and faith in the story often lead to granting access or giving information to avoid being left with guilt.
Desire to be helpful – Relying on people's helpfulness is one of the key aspects used by social engineers. Social engineers notice rather quickly if people are not assertive and not confident in refusing.
Cooperation – Avoiding situations of conflict, speaking with a voice of reason rather than shouting or barking. The social engineer would be just that guy who understands your difficult situation.
Human based social engineering
Impersonation: The most common attack; the attacker claims to be someone from the company having trouble gaining access. The attacker will have some names that he will abuse to retrieve the necessary information.
The VIP approach: An attacker claims to be a senior member or any other important employee who could have a higher level of access, which creates a certain ambiance of fear on the victim's side.
Shoulder surfing: The attacker tries to capture information you type: keystrokes when a password is asked for, usernames appearing on your screen, etc.
Dumpster diving: Valuable information can be found in the waste bins. This has been reduced by using a shredder, but shredding in one direction only could be insufficient to prevent a determined attacker from finding information.
Piggy backing: Slipping into a building by hiding in a group of authorized people. The mass of people is the disguise.
Third-party approach: The attacker claims to know someone in the company who would have given the authorization. To the victim, the third party will most of the time be a senior staff member.
Technology based social engineering
Popup windows: A small window pops up prompting the user to re-enter information, often a username/password, but it could also be an email address for spam purposes. Once this is done, the information is sent by email or over the web (http) to the attacker.
Mail attachments: An email is the ideal disguise to hide malicious programs using fake file types, distributing spam, viruses, Trojan horses or any other program that can automatically spread itself and gather information for the attacker. History has proven that users tend to click on attachments whether the sender is known or not.
Spam, chain emails and hoaxes: These are not a direct threat to the company or the person, but they rely on social engineering and gather information, such as email addresses, to be sold afterwards.
Websites: A common ploy is to offer something for free or a chance to win. Often you have to enter personal information, which could be used for identity theft. Or one has to pay a fee to be able to receive the prize; after the fee is paid, you never hear from them again.
Countermeasures
A typical question from management would be: "How can we get full protection against it and what will be the cost?"
The answer is fairly simple: no full security against it exists and the costs are recurrent. No matter how much technology is integrated, at some point the human factor is involved. The human factor can be influenced by a political, cultural or social event. As with any threat, there are always possibilities to mitigate the risk, thus reducing the success rate of the malicious event.
Seven steps to build your human firewall
1. Convince your top management
Every project in your organization requires support from management. The top-down approach proves to be the best in convincing the employees of the seriousness of the project and the need for change.
Getting your management over the line is definitely the hardest part, and an external expert in "human firewall" could be a major help. A key factor to get management on your side is to prove that security is a business enabler and not a continuous expense. Psychology would be your instrument to achieve this step.
According to Gartner Group there are three major questions that executives and boards of directors need to answer when confronting information security issues:
- Is our security policy enforced fairly, consistently and legally across the organization?
- Would our employees, contractors and partners know if a security violation was being committed?
- Would they know what to do about it if they did recognize a security violation?
2. Assign and clarify roles and responsibilities
The biggest obstacle in improving your security is a lack of clear-cut roles and responsibilities. Defining which business units are critical and including the key people in the task force may be one of your goals to set.
Security functions are not necessarily limited to one person; separation of duties is often applied. However, rarely do all people have the time and the authority to carry out business-wide security awareness initiatives. Nevertheless, some functions may have overlapping duties or be combined in one person.
In his new book Information Security Roles & Responsibilities Made Easy, 
information security consultant and Human Firewall Council member, Charles 
Cresson Wood, writes that unfortunately "management at many organizations has 
never clearly stated its intentions about the work it wanted an information security 
function to perform. It's hard to do a 'good job,' if you don't know what your job is 
supposed to be. As perverse as this situation may sound, many information security 
specialists have been asked to do just that. When things go wrong, they often get 
blamed even though they didn't know these same things were important."
3. Define an action plan linked to a budget
An action plan starts with an assessment of the relative value of information assets. A risk management approach is key to defining values and risks. Prioritized asset values are the cornerstones of your plan and simplify the budgeting to address the most important information assets your organization has.
The budget planning demands care and a strategic view; convincing management that security can enable business, instead of writing it off as a simple cost, might be the key differentiator to get management over the finish line. Often the human side of security is neglected; to increase your success rate you have to involve the technical people in your program. Both need to grow together instead of being handled as two separate issues.
4. Develop and update the policy framework
The policy framework defines the internal rules of your company. Just as in real life the law is subject to change as civilisation progresses, the same holds in your organisation. Policies have to be read and understood by everyone in the organisation. The alignment of policies with business goals is key to success. Policies that constrain or contradict the business are pushed onto the forgotten list. Your ultimate goal is to weave information security practices in as an essential part of conducting business safely and securely.
5. Develop a security awareness/education program
Security awareness builds human firewalls. It is probably the best tool to inform your staff of day-to-day business risks. It is key that your awareness campaign adapts to the business but also to changes in risk. Events throughout the world partly define the campaign agenda. These campaigns should be conducted on a regular basis; repetition is the determinant of success and of the resulting increase in security.
As a first step, conducting a survey gives you the opportunity to retrieve information about the weaker and the stronger domains. This gives you the ability to focus your campaign on the weaker points. The campaign should not be limited to a one-shot presentation; posters, quizzes, the intranet or emails can keep your staff up to date.
6. Measure the progress of your security awareness efforts
Quizzes are an excellent tool to measure the status of your efforts when it comes to security awareness. A website with a "test your security awareness" section, or a quiz after the lunch break where people have to find 10 security errors in an insecure working environment, gives you a good view of where your staff is today.
It allows you to detect the weak spots, work on those factors, and integrate new items to stay on track with the evolution.
The outcome of your test phase should be integrated into a report for top management. Help reassure management that you have made progress in answering the key questions posed at the beginning of this blueprint:
- Is our security policy enforced fairly, consistently and legally across the organization?
- Would our employees, contractors and partners know if a security violation was being committed?
- Would they know what to do about it if they did recognize a security violation?
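The survey-then-quiz loop of steps 5 and 6, as an added worked example that is not part of the original paper: the script scores a constructed set of quiz answers per target group and topic, picks each group's weakest topic to focus the next campaign on, measures progress between two campaign rounds, and produces the one-line-per-group summary for the management report. Groups and topics are the paper's own categories; the 70% target threshold and all answer data are assumptions.

```python
"""Score security-awareness quiz results per target group and topic.

Added example, not from the original paper. Target groups and quiz topics
follow the paper's categories (management, staff, technical staff; the
human- and technology-based social engineering attacks). All answer data
below is constructed for illustration only.
"""
from collections import defaultdict

# Constructed quiz answers: (campaign round, target group, topic, answered correctly?)
# Each row is one answered question from one employee.
RESULTS = [
    (1, "staff", "piggy backing", False),
    (1, "staff", "piggy backing", False),
    (1, "staff", "mail attachments", True),
    (1, "staff", "mail attachments", False),
    (1, "staff", "popup windows", True),
    (1, "management", "impersonation", False),
    (1, "management", "shoulder surfing", True),
    (1, "management", "impersonation", True),
    (1, "technical staff", "dumpster diving", True),
    (1, "technical staff", "mail attachments", True),
    (1, "technical staff", "piggy backing", False),
    (2, "staff", "piggy backing", True),
    (2, "staff", "piggy backing", False),
    (2, "staff", "mail attachments", True),
    (2, "staff", "mail attachments", True),
    (2, "staff", "popup windows", True),
    (2, "management", "impersonation", True),
    (2, "management", "shoulder surfing", True),
    (2, "management", "impersonation", False),
    (2, "technical staff", "dumpster diving", True),
    (2, "technical staff", "mail attachments", True),
    (2, "technical staff", "piggy backing", True),
]


def score_by_topic(results, campaign):
    """Return {group: {topic: fraction of correct answers}} for one campaign round."""
    hits = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # [correct, total]
    for rnd, group, topic, ok in results:
        if rnd != campaign:
            continue
        counter = hits[group][topic]
        counter[0] += int(ok)
        counter[1] += 1
    return {g: {t: c / n for t, (c, n) in topics.items()} for g, topics in hits.items()}


def weakest_topic(scores):
    """Per group, the lowest-scoring topic: where the next campaign should focus."""
    return {g: min(topics, key=topics.get) for g, topics in scores.items()}


def progress(results, before, after):
    """Per group and topic, the change in score between two campaign rounds.
    A topic that disappeared from the later round counts as a score of 0."""
    a, b = score_by_topic(results, before), score_by_topic(results, after)
    return {
        g: {t: round(b.get(g, {}).get(t, 0.0) - a[g][t], 2) for t in a[g]}
        for g in a
    }


def management_summary(results, before, after, threshold=0.7):
    """One line per group for the top-management report: the overall score after
    the later round and whether it clears the target threshold (assumed value)."""
    later = score_by_topic(results, after)
    lines = []
    for g, topics in sorted(later.items()):
        overall = sum(topics.values()) / len(topics)
        status = "on track" if overall >= threshold else "needs work"
        lines.append(f"{g}: {overall:.0%} ({status})")
    return lines


if __name__ == "__main__":
    first = score_by_topic(RESULTS, 1)
    print("focus next campaign on:", weakest_topic(first))
    print("progress round 1 -> 2:", progress(RESULTS, 1, 2))
    print("\n".join(management_summary(RESULTS, 1, 2)))
```

In the constructed data the management group's impersonation score does not move between rounds, which is the kind of weak spot the report to top management should surface rather than hide behind an overall percentage.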
7. Develop a security incident response team and plan
Disaster recovery is mandatory to survive in the business jungle. It is important that the business can recover in a quick and efficient way, but more important is that damage can be reduced from the very beginning of an event. The most important asset to protect is your staff: people first.
Information
Author: Koen Maris @ Belgium – Luxemburg
Employer: Secaron Sà r.l. - Grevenmacher
Biography: Started with software development for small business to end with managing large corporate networks and their systems. In the early internet era in Europe my attention was caught by the insecurity of most connected business. This launched me into the complex matter of IT security, which switched to a more general term, Information Security. Today I am an active member in www.issa.org and www.isc2.org.
Presentations: In the late 90's I have done several presentations about the impact of the internet and the security risks. This was in a larger perspective initiated by Cisco. My first of many perhaps!
Why: Experience showed that the human factor is often neglected. Implementing a techie solution for the problem and handing the real issues over to the administrator often leads to frustration of the staff. The hopes of making a difference through a more human approach should be considered and are keen in developing a concrete security strategy.
Resources
http://www.nist.gov
http://www.iwar.org.uk/comsec/resources/sa-tools/index.htm
www.issa.org
CISSP Certification All-in-One Exam Guide, 2nd Edition ISBN: 0072229667
www.sans.org
www.itsecurity.com
Thanks to
Melissa Guenther mguenther@cox.net
Clement Dupuis cdupuis@cccure.org

Risk assessment is the process which - identify hazards, analyzes an.pdfharihelectronicspune
 
Risksense: 7 Experts on Threat and Vulnerability Management
Risksense: 7 Experts on Threat and Vulnerability ManagementRisksense: 7 Experts on Threat and Vulnerability Management
Risksense: 7 Experts on Threat and Vulnerability ManagementMighty Guides, Inc.
 
Tech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event RecapTech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event RecapDominic Vogel
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityRahul Tyagi
 
Brunswick Intelligence - Building reputational resilience to cyber attack
Brunswick Intelligence - Building reputational resilience to cyber attackBrunswick Intelligence - Building reputational resilience to cyber attack
Brunswick Intelligence - Building reputational resilience to cyber attackBrunswick Group
 
Safety Productivity Multiplier_ How to Turn Workplace Safety into a Competiti...
Safety Productivity Multiplier_ How to Turn Workplace Safety into a Competiti...Safety Productivity Multiplier_ How to Turn Workplace Safety into a Competiti...
Safety Productivity Multiplier_ How to Turn Workplace Safety into a Competiti...Sue Antonoplos
 
Transforming Information Security: Designing a State-of-the-Art Extended Team
Transforming Information Security: Designing a State-of-the-Art Extended TeamTransforming Information Security: Designing a State-of-the-Art Extended Team
Transforming Information Security: Designing a State-of-the-Art Extended TeamEMC
 
Technology Implementation Paper
Technology Implementation PaperTechnology Implementation Paper
Technology Implementation PaperDeb Birch
 
Stephane Nappo. January 2023. Top Cyber News MAGAZINE.pdf
Stephane Nappo. January 2023. Top Cyber News MAGAZINE.pdfStephane Nappo. January 2023. Top Cyber News MAGAZINE.pdf
Stephane Nappo. January 2023. Top Cyber News MAGAZINE.pdfStéphane Nappo
 
Cultivate a stronger corporate culture to enhance cybersecurity
Cultivate a stronger corporate culture to enhance cybersecurityCultivate a stronger corporate culture to enhance cybersecurity
Cultivate a stronger corporate culture to enhance cybersecurityDavid X Martin
 
Why Worker Safety Trainings are unique?
Why Worker Safety Trainings are unique?Why Worker Safety Trainings are unique?
Why Worker Safety Trainings are unique?Consultivo
 
Cybrary's navigating a security wasteland
Cybrary's navigating a security wasteland Cybrary's navigating a security wasteland
Cybrary's navigating a security wasteland Devendra kashyap
 

Similar to The human factor (20)

1.5 Pages are requiredYou have been hired .docx
1.5 Pages are requiredYou have been hired .docx1.5 Pages are requiredYou have been hired .docx
1.5 Pages are requiredYou have been hired .docx
 
Cybersecurity Training For Humans!
Cybersecurity Training For Humans!Cybersecurity Training For Humans!
Cybersecurity Training For Humans!
 
For Corporate Boards, a Cyber Security Top 10
For Corporate Boards, a Cyber Security Top 10For Corporate Boards, a Cyber Security Top 10
For Corporate Boards, a Cyber Security Top 10
 
Information Security Governance at Board and Executive Level
Information Security Governance at Board and Executive LevelInformation Security Governance at Board and Executive Level
Information Security Governance at Board and Executive Level
 
Executive Breach Response Playbook
Executive Breach Response PlaybookExecutive Breach Response Playbook
Executive Breach Response Playbook
 
Wisegate_GeekSpeak_LG
Wisegate_GeekSpeak_LGWisegate_GeekSpeak_LG
Wisegate_GeekSpeak_LG
 
Risk assessment is the process which - identify hazards, analyzes an.pdf
Risk assessment is the process which - identify hazards, analyzes an.pdfRisk assessment is the process which - identify hazards, analyzes an.pdf
Risk assessment is the process which - identify hazards, analyzes an.pdf
 
Risksense: 7 Experts on Threat and Vulnerability Management
Risksense: 7 Experts on Threat and Vulnerability ManagementRisksense: 7 Experts on Threat and Vulnerability Management
Risksense: 7 Experts on Threat and Vulnerability Management
 
Tech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event RecapTech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event Recap
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe Security
 
Brunswick Intelligence - Building reputational resilience to cyber attack
Brunswick Intelligence - Building reputational resilience to cyber attackBrunswick Intelligence - Building reputational resilience to cyber attack
Brunswick Intelligence - Building reputational resilience to cyber attack
 
Safety Productivity Multiplier_ How to Turn Workplace Safety into a Competiti...
Safety Productivity Multiplier_ How to Turn Workplace Safety into a Competiti...Safety Productivity Multiplier_ How to Turn Workplace Safety into a Competiti...
Safety Productivity Multiplier_ How to Turn Workplace Safety into a Competiti...
 
Transforming Information Security: Designing a State-of-the-Art Extended Team
Transforming Information Security: Designing a State-of-the-Art Extended TeamTransforming Information Security: Designing a State-of-the-Art Extended Team
Transforming Information Security: Designing a State-of-the-Art Extended Team
 
Technology Implementation Paper
Technology Implementation PaperTechnology Implementation Paper
Technology Implementation Paper
 
Stephane Nappo. January 2023. Top Cyber News MAGAZINE.pdf
Stephane Nappo. January 2023. Top Cyber News MAGAZINE.pdfStephane Nappo. January 2023. Top Cyber News MAGAZINE.pdf
Stephane Nappo. January 2023. Top Cyber News MAGAZINE.pdf
 
Awareness is only the first step
Awareness is only the first stepAwareness is only the first step
Awareness is only the first step
 
Cultivate a stronger corporate culture to enhance cybersecurity
Cultivate a stronger corporate culture to enhance cybersecurityCultivate a stronger corporate culture to enhance cybersecurity
Cultivate a stronger corporate culture to enhance cybersecurity
 
knowledge management document
knowledge management documentknowledge management document
knowledge management document
 
Why Worker Safety Trainings are unique?
Why Worker Safety Trainings are unique?Why Worker Safety Trainings are unique?
Why Worker Safety Trainings are unique?
 
Cybrary's navigating a security wasteland
Cybrary's navigating a security wasteland Cybrary's navigating a security wasteland
Cybrary's navigating a security wasteland
 

Recently uploaded

So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dashnarutouzumaki53779
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your QueriesExploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your QueriesSanjay Willie
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 

Recently uploaded (20)

So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dash
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your QueriesExploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 

The human factor

Social engineering    7
The exploits    7
Human based social engineering    8
Technology based social engineering    8
Countermeasures    9
Seven steps to build your human firewall    9
1. Convince your top management    9
2. Assign and clarify roles and responsibilities    9
3. Define an action plan linked to a budget    10
4. Develop and update the policy framework    10
5. Develop a security awareness/education program    10
6. Measure the progress of your security awareness efforts    10
7. Develop security incident response team and plan    11
Information    12
Resources    12
Abstract

Business today faces a significant number of security risks, and in most cases employees deal with them according to their own knowledge. The importance of a transparent security strategy is often neglected; the result is that only the techies know the security measures and the strategy behind them. Transparency is necessary so that security does not become an obstacle in the business processes. If top management is not aware of the strategy, they may take a different direction; if the employees are not aware, they may impede your efforts. Hence security awareness.

Business often relies blindly on technology to eliminate as many of the risks in the work environment as possible. Technology has a gap: it is made by humans, administered by humans, and its output is interpreted by humans. It is therefore bound to end up at the biggest security issue, "the human factor". This said, it should be clear that security cannot lie solely within IT, if the size of the organization allows otherwise.

Security awareness can be obtained by training your employees on security issues that they can relate to their work environment and their private lives. A security awareness program gives a company the ability to highlight risks, improvements made to security, how to use the security department, and so on. Your employees often think that your security department is a bunch of techies and/or freaks who like to be in control. Profiling your department as a point of contact where security issues can be discussed enhances overall security.

The key factor: educate your staff through an awareness program, a quiz, posters, e-mail messages or reminders, intranet information, and so on. Repetition is the determinant of success; humans only retain information by repeating it over and over, and a more relaxed approach instead of an academic one will loosen people up, resulting in more interaction with security management and its staff.
Introduction

Our technology-oriented civilization tends to solve problems with technology-based solutions. This paper lays out the importance of the human aspects of information security in relation to the technology used to mitigate risk. Statistics show that as many as 75 percent of security incidents are caused by human error or ignorance. While technology solutions can never be the panacea in information security, one can increase their effectiveness by implementing a well-designed security awareness strategy. Convince your management and launch your ideas in a language your target audience understands!

Today

Today, employees have little idea of the security improvement efforts made by their employers. Nevertheless, all these efforts can be easily bypassed by mistake, configuration error, misinterpretation or intentional action. People act according to what they know, what they have seen in the past, or the information available at the very moment the action is required. This behavior is harmful to security no matter how much is invested in technology. Because the techniques used to gain financial benefit change rapidly, technology alone cannot cope. The key factor is informing all your employees, at all hierarchical levels. Repeating the message, with constant reminders through short notes, posters, mails and/or the intranet, is an effective way to keep up with the new breed of attacks.

The public domain

In our day-to-day lives, we are surrounded by security awareness campaigns. Government, law enforcement, state security and many others inform us about issues that need public awareness. The information spreads over any medium able to reach the masses. The important factor is catching attention: one-liners and funny or shocking pictures are still the number one strategy. In fact, the public domain has plenty of examples to guide you towards an effective campaign that improves your security strategy.
Example: During the Christmas period, many countries put a lot of effort into making drivers conscious of the risks of drinking and driving. The opportunity (Christmas) is clearly exploited to get better attention from the audience. In most countries it is a big annual event, but focus is kept throughout the year by different campaigns with a common interest. Imagine marketing that only works on one big event a year; you will not get a good sales cycle outside your marketing periods.
Target audience

In security awareness, you do not have one specific audience to focus on. If possible, split the audience according to the function they hold in the company. Splitting your audience into target groups allows you to talk in the specific language of each group.

Management:

To attract senior management, your presentation has to focus on key elements only. For them it is more interesting to know at what risk level they are, what loss expectancy they have in case of an event and, more importantly, what they can gain by spending money on security improvement. A numerical or statistical approach will improve their understanding of complex issues; examples from real life will also raise their attention. If the company were to lose assets, what would be the financial loss, or what is the loss if its reputation is damaged? Important to know: if you want them to support your strategy, they have to recognize themselves in the proposals. If they are not in line with your thoughts, you will have a hard job convincing them. Remember the goal of security awareness: changing behavior. Hard but necessary is to pinpoint the day-to-day risks in their work environment. After all, senior management is less comfortable with somebody telling them how to work and handle things. If everyone complies with the password policy and senior management does not, the company could lose its valuable reputation very quickly and easily.

Mid management:

Mostly responsible for transmitting the message to department heads. A more granular explanation of the policies, standards, procedures and guidelines is mandatory, as they are responsible for mapping it onto the different department heads. If the transmission of the message fails, the pyramid structure will not work. The crucial factor is full understanding and acceptance by mid management. Their support determines the overall acceptance downwards in the pyramid.
Staff:

Convincing your staff is the biggest obstacle, and it is only a start, as your goal is to change behavior. You can convince them, but that will not guarantee success. To change behavior you need repetition, and to get repetition you need time, money and support from your management. Splitting staff into job-related groups increases the effectiveness of your security awareness. Pointing out the importance of the person behind the job and his/her security-related issues will more likely improve the response to your efforts. Make your staff feel involved: that is the key message for a successful security-aware staff.

Technical staff:

Special care is required, because convincing technical staff about how they should approach some parts of their job will not be easy. Technical staff tend to get things up and running and apply security afterwards. Security integration should start at the beginning of each project, or somewhere in the initialization phase. Appending security at the end of a project is expensive, difficult, and results in a less restrictive security integration than originally planned.
Definitions

The words training and awareness are often used in the wrong context. To avoid this misunderstanding, a short explanation based on NIST SP 800-50:

Awareness: Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly.

Training: Training strives to produce relevant and needed security skills and competencies.

The human factor (layer 8)

Layer 8 is a complex layer with fuzzy logic, making random decisions and showing unpredictable behavior. The topic has been around for quite some time, and business needs to address it as never before. Layer 8 is often the cause of scandal where social engineering attacks succeed. This type of attack will rise in the future; we are standing on the edge, and technology is keeping us from falling, but will it in the future?

The design issues

Designing a secure harbor for the business is a difficult task, as every business unit has its own view on what should be offered. Techies often design to their own needs and are less focused on the business requirements. If the design does not incorporate the requirements of the business, it will meet a lot of resistance. A solution cannot be successful in security if people are opposed to it from the very beginning. User-friendly design improves security through a reduced error rate.

The technology problem

Companies often see the technology solution as the way to go. Heavily armored with firewalls, IDS/IPS, VPN, PKI, anti-virus and so on, the security officer considers himself secured to the bone, with a good understanding of the benefits and limitations of the products. All this technology remains a valuable tool to protect against malicious attacks, but one has to consider the drawbacks in this tech-savvy world. Technology is not perfect.
Vulnerabilities, unchecked buffers and backdoors are still found in commercial and non-commercial software despite the efforts of software engineering teams. The best approach to mitigate such risks is a multilayered solution, even though history proves that the best security can be compromised one way or another. Often, big institutions do not understand the complex security issues in sufficient detail to ensure an appropriate solution. Such an approach results in choices that often only answer one of the problems at hand. A firewall can be very good at filtering traffic but a nightmare for reporting and alerting. A technical solution is an expensive purchase and costly to keep running. Off-the-shelf products often answer only a few of the requirements and add little competitive advantage.
External consultants/engineers integrate the products in your infrastructure; this is a huge opportunity for intrusion or data leakage.

Cultural behavior

Discipline! Discipline varies around the world. In some countries everything is regulated and executed as written in the books. Cultural behavior is important when designing a campaign. It does not make sense to develop strict rules if they cannot be enforced.

E.g., Japan: Due to construction works near the server room it became inevitable to make a huge hole in the wall leading to the server room. Although the hole was big enough to walk through, the staff still used the mantrap to enter the server room and advised consultants to do so. A good example of how culture can have an impact on your security strategy.

Social engineering

Probably the biggest concern today is social engineering, because it is spread throughout all layers of your company and any department could be subject to it. In most companies a robust policy structure guards against it, but control of compliance is mandatory, as policies are useless if not applied.

What is social engineering? It is the art of deception or persuasion to gain information that would otherwise be hidden from the attacker. Despite all efforts and policy integration, any human is subject to emotion, and that is one of the key elements an attacker misuses: acquiring information or access privileges based on a false trust relationship built between the attacker and the victim.

The exploits

Diffusion of responsibility – If the victim is convinced the responsibility does not lie solely in his/her hands, they are more likely to grant the attacker's request.

Trust relationships – The attacker spends more time on the attack to develop a relationship with the goal of gaining trust. Exploiting the trust is done by provoking a series of interactions that were positive. Once the attacker is confident, he/she will try his luck on a bigger move.
Moral duty – The attacker encourages the target to act out of a sense of moral duty. Convincing the target that the policy is not in line with common moral values increases the chance of gathering information. The target assumes detection is unlikely.

Guilt – Psychodrama, manipulating empathy, creating sympathy and touching the heartstrings: all these factors are mastered by social engineers. Belief in the innocence of the requestor and faith in the story often lead to granting access or giving information to avoid being left with guilt.
Desire to be helpful – Relying on people's helpfulness is one of the key aspects used by social engineers. Social engineers notice rather quickly if people are not assertive and not confident in refusing.

Cooperation – Avoiding situations of conflict, speaking with a voice of reason rather than shouting or barking. Social engineers would be just that guy who understands your difficult situation.

Human based social engineering

Impersonation: The most common attack; the attacker says he is someone from the company having trouble gaining access. The attacker will have some names that he will abuse to retrieve the necessary information.

The VIP approach: An attacker claims to be a senior member or any other important employee that could have a higher level of access, which creates a certain ambiance of fear at the victim's side.

Shoulder surfing: The attacker tries to capture information you type: keystrokes when a password is asked for, usernames appearing on your screen, etc.

Dumpster diving: Valuable information can be found in the waste bins. This has been reduced by using a shredder, but shredding in one direction only could be insufficient to prevent a determined attacker from finding information.

Piggybacking: Slipping into a building by hiding in a group of allowed people. The mass of people is the disguise.

Third-party approach: The attacker may refer to someone in the company who would supposedly have given the authorization. To the victim the third party will most of the time be a senior staff member.

Technology based social engineering

Popup windows: A small window pops up prompting the user to re-enter information, often a username/password but possibly also an email address for spam purposes. Once this is done the information is sent by email or over the web (HTTP) to the attacker.

Mail attachments: An email is the ideal disguise to hide malicious programs using fake file types.
Distributing spam, viruses, Trojan horses or any other program that can automatically spread itself and gather information for the attacker. History has proven that users tend to click on attachments whether the sender is known or not.

Spam, chain emails and hoaxes: These are not a direct threat to the company or the person, but they rely on social engineering and gather information such as email addresses to be sold afterwards.

Websites: A common ploy is to offer something for free or a chance to win. Often you have to enter personal information, which could be used for identity theft. Or one has to pay a fee to be able to receive the prize; after the fee is paid you never hear from them again.
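The "fake file types" ploy described above can be caught at the mail gateway by comparing an attachment's file name with its declared MIME type. The following is an added example, not code from the paper: it runs Python's standard email parser over a constructed message, and the extension lists and type-to-extension map are assumptions made for this illustration.

```python
import email
from email import policy

# Added example, not code from the paper: flags mail attachments that use the
# "fake file types" ploy described above. Extension lists are assumptions.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
EXPECTED_EXT_FOR_TYPE = {"application/pdf": {"pdf"}, "image/jpeg": {"jpg", "jpeg"}}


def check_filename(name):
    """Return reasons a filename looks deceptive; an empty list means clean."""
    reasons, parts = [], name.lower().split(".")
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{parts[-1]}")
        # "invoice.pdf.exe": a decoy document extension in front of the real one
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            reasons.append(f"double extension .{parts[-2]}.{parts[-1]}")
    return reasons


def flag_deceptive_attachments(raw):
    """Parse a raw message; return (filename, reasons) for suspicious attachments."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reasons = check_filename(name)
        ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
        expected = EXPECTED_EXT_FOR_TYPE.get(part.get_content_type())
        if expected and ext not in expected:  # declared type does not match the name
            reasons.append(f"declared {part.get_content_type()} but extension .{ext}")
        if reasons:
            findings.append((name, reasons))
    return findings


# Constructed sample: one genuine PDF and one executable disguised as a PDF.
SAMPLE_MAIL = """\
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: application/pdf
Content-Disposition: attachment; filename="report.pdf"

JVBERi0=
--XYZ
Content-Type: application/pdf
Content-Disposition: attachment; filename="invoice.pdf.exe"

TVqQ
--XYZ--
"""
```

Running `flag_deceptive_attachments(SAMPLE_MAIL)` reports only the disguised attachment, with all three reasons; the genuine PDF produces no finding.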
Countermeasures

A typical question from management would be: "How can we get full protection against it and what will be the cost?" The answer is fairly simple: no full security against it exists and the costs are recurrent. No matter how much technology is integrated, at some point the human factor is involved. The human factor can be influenced by political, cultural or social events. As with any threat, there are always possibilities to mitigate the risk, thus reducing the success rate of the malicious event.

Seven steps to build your human firewall

1. Convince your top management

Every project in your organization requires support from management. The top-down approach proves to be the best in convincing the employees of the seriousness of the project and the need for the change. Getting your management over the line is definitely the hardest part, and an external expert in the "human firewall" could be a major help. A key factor to get management on your side is to prove that security is a business enabler and not a continuous expense. Psychology would be your instrument to achieve this step.

According to Gartner Group there are three major questions that executives and boards of directors need to answer when confronting information security issues:
Is our security policy enforced fairly, consistently and legally across the organization?
Would our employees, contractors and partners know if a security violation was being committed?
Would they know what to do about it if they did recognize a security violation?

2. Assign and clarify roles and responsibilities

The biggest obstacle in improving your security is a lack of clear-cut roles and responsibilities. Defining which business units are critical and including the key people in the task force may be one of your goals. Security functions are not necessarily limited to one person; separation of duties is often applied.
However, rarely do all people have the time and the authority to carry out business-wide security awareness initiatives. Nevertheless, some functions may have overlapping duties or be combined in one person.

In his new book Information Security Roles & Responsibilities Made Easy, information security consultant and Human Firewall Council member Charles Cresson Wood writes that unfortunately "management at many organizations has never clearly stated its intentions about the work it wanted an information security function to perform. It's hard to do a 'good job,' if you don't know what your job is supposed to be. As perverse as this situation may sound, many information security specialists have been asked to do just that. When things go wrong, they often get blamed even though they didn't know these same things were important."
3. Define an action plan linked to a budget

An action plan starts with an assessment of the relative value of information assets. A risk management approach is key to defining values and risks. Prioritized asset values are the corner stones of your plan and simplify the budgeting to address the most important information assets your organization has. The budget planning demands care and a strategic view; convincing management that security can enable business, instead of writing it off as a simple cost, might be the key differentiator to get management over the finish line. Often the human side of security is neglected; to increase your success rate you have to involve the technical people in your program. Both need to grow together instead of being handled as two separate issues.

4. Develop and update the policy framework

The policy framework defines the internal rules of your company. As in real life the law is subject to change as civilisation progresses, the same holds in your organisation. Policies have to be read and understood by everyone in the organisation. The alignment of policies with business goals is key to success. Policies that constrain or contradict the business are pushed onto the forgotten list. Your ultimate goal is to weave information security practices in as an essential part of conducting business safely and securely.

5. Develop a security awareness/education program

Security awareness builds human firewalls. It is probably the best tool to inform your staff of day-to-day business risks. It is key that your awareness campaign adapts to the business but also to changes in risk. Events throughout the world partly define the campaign agenda. These campaigns should be conducted on a regular basis; repetition is decisive for the success and the resulting increase in security. As a first step, conducting a survey gives you the opportunity to retrieve information about the weaker and the stronger domains.
This gives you the ability to focus your campaign on the weaker points. The campaign should not be limited to a one-shot presentation; posters, quizzes, intranet or emails can keep your staff up to date.

6. Measure the progress of your security awareness efforts

Quizzes are an excellent tool to measure the status of your efforts when it comes to security awareness. A website with a "test your security awareness" quiz, or a quiz after the lunch break where people have to find 10 security errors in an insecure working environment, gives you a good view of where your staff is today. It allows you to detect the weak spots, work on those factors, and integrate new items to stay on track with the evolution. The outcome of your test phase should be integrated into a report for top management. Help reassure management that you have made progress in answering the key questions posed at the beginning of this blueprint:
Is our security policy enforced fairly, consistently and legally across the organization?
Would our employees, contractors and partners know if a security violation was being committed?
Would they know what to do about it if they did recognize a security violation?
7. Develop a security incident response team and plan

Disaster recovery is mandatory to survive in the business jungle. It is important that the business can recover in a quick and efficient way, but more important is that damage can be reduced from the very beginning of an event. The most important asset to protect is your staff: people first.
Information

Author: Koen Maris @ Belgium – Luxemburg
Employer: Secaron S.à r.l. - Grevenmacher
Biography: Started with software development for small businesses to end with managing large corporate networks and their systems. In the early internet era in Europe my attention was caught by the insecurity of most connected businesses. This launched me into the complex matter of IT security, which switched to the more general term Information Security. Today I am an active member in www.issa.org and www.isc2.org.
Presentations: In the late 90s I did several presentations about the impact of the internet and the security risks. This was, in a larger perspective, initiated by Cisco. My first of many perhaps!
Why: Experience showed that the human factor is often neglected. Implementing a techie solution for the problem and handing the real issues over to the administrator often leads to frustration of the staff. The hopes of making a difference through a more human approach should be considered and are key in developing a concrete security strategy.

Resources
http://www.nist.gov
http://www.iwar.org.uk/comsec/resources/sa-tools/index.htm
www.issa.org
CISSP Certification All-in-One Exam Guide, 2nd Edition, ISBN: 0072229667
www.sans.org
www.itsecurity.com

Thanks to
Melissa Guenther, mguenther@cox.net
Clement Dupuis, cdupuis@cccure.org