Issa Charlotte 2009 Patching Your Users
  1. Patching Your Users: Defending against the Social Engineering Threat. © 2009 – Foreground Security. All rights reserved.
  2. Pareto had it right: 20% of our efforts will produce 80% of our results.
  3. Numerous studies: human error and internal threats are responsible for more than 80% of information security breaches, BUT only 29% of organizations consider security training a crucial requirement for preventing security breaches within organizations.
  4. Agenda
     • The Changing Threat Environment
     • Social Engineering
     • Your Security Awareness Sucks
     • Making it really work.
     © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
  5. A History Lesson....
  6. The Vulnerability Cycle (diagram; cycle labels: Human / Organization, Network Service / Server, Client Application)
  7. The History of Security (timeline diagram, 1985 – 1995 – 2005, with a “You Are Here” marker; rows: Human, Network, Server, Web App, Client, Organization; events and products placed on the timeline: Kevin Mitnick, Kevin Poulsen, Morris Worm, SATAN, Nessus, Snort, Commercial Firewalls, Commercial IDS, Commercial Vulnerability Assessment, Commercial Vulnerability Management, Commercial Anti-Spyware, Commercial Data Leakage Prevention, IPS & UTM, SIM/SEM, Melissa, Loveletter, Code Red, Nimda, Slammer, Blaster, Sasser, Spyware, Phishing)
  8. The Early Years
     • Those were the days
       – Software vulnerabilities weren’t significant; most were based on configuration weakness
       – Only a handful of people understood how to exploit technologies
       – Small target surface: few internet-connected computers
       – Focus was on phone phreaking and academia
     • Social engineering reigned supreme
       – Most successful attacks involved social engineering
       – Unsophisticated controls environments
       – Few understood the jargon
       – Policies encouraged trust over security
  9. The Kevins
  10. The Internet Era
     • Two vital dates
       – October 13, 1994
         • Mosaic Netscape 0.9 released
         • The web becomes easy to navigate
       – August 24, 1995
         • Windows 95 released
         • Home computer use proliferates massively
     • The Internet experiences exponential growth
       – Money starts to change hands
       – Internet-connected computers become a viable target
     • This creates a target-rich environment...
  11. Attacking Computers Directly
     • Phrack 49 – November 8, 1996
       – Aleph1: Smashing the Stack for Fun and Profit
     • Readily available exploit code actually makes breaking in to computers easier
       – The “golden age” of server hacking begins.
     • 1996–2003: more of the same
       – Memory attacks become more sophisticated
       – Polymorphic shellcode designed to evade detective controls
       – More advanced use of memory spaces (format strings, integer exploits)
  12. August 4, 2004
     • Windows XP Service Pack 2 appears
       – Microsoft finally hardens their operating systems
       – The world changes overnight
       – Security is now baked in to the computer.
     • Server-based vulnerabilities disappear
       – As massive server-based vulnerabilities disappear, client interaction becomes key
       – The number of issues continues to increase, but the type of issues starts to change radically
  13. Difficulty of Exploitation (chart; y-axis: Difficulty of Exploit; x-axis: 1985, 1995, 2005; two series: Human Vulnerabilities and Technical Vulnerabilities)
  14. The New Vulnerable Element
     • Since 2005
       – No major direct-exploitation worm outbreaks
       – Less than a handful of “remote root” direct-exploitation vulnerabilities
     • Major classes of attacks
       – Drive-by download
       – Exploitation through email, web and social networking sites
       – Phishing / pharming / spear-phishing
     • What’s the similarity?
       – If you said “human interaction”, you get a gold star.
  15. The human and the organization are the main exploit targets again.
  16. Social Engineering
     • Defined (by Wikipedia):
       – “The practice of obtaining confidential information by manipulating users.”
     • The art of exploiting human weakness
       – Humans are social creatures
       – Human nature makes us vulnerable to each other
       – Social engineers exploit weaknesses in human nature to obtain information or access to computer systems.
       – A confidence trick: social engineering is the age-old art of the “confidence man”
     • The bad guys are exploiting your people
  17. Only two things are infinite: the universe and human stupidity. And I'm not sure about the former. – Albert Einstein
  18. There is no patch for human stupidity. This was the slogan on a T-shirt a couple of years ago.
  19. Security Awareness Training
     • The solution for social engineering
       – Train your users on security topics
       – Use case-study training and scenarios so that users understand.
       – Ensure that users complete at least one multiple-choice test per quarter
       – Make sure that users pass, and they are now “aware”.
     • Two-step process
       – Decide what we want the user to know
       – Find ways to “train” them on those things.
     • This is how most corporations are approaching user protection
  20. The Security Awareness Process (flowchart: What do we want the users to know? → Determine ways to teach users and deliver those messages → Move to next goal)
  21. Unfortunately…
     • We recently surveyed a number of security pros in orgs with security awareness programs:
       – “If you could wake up tomorrow and the users understood 3 things about security, what would they be?”
     • We heard answers like:
       – Separation of duties / principle of least privilege
       – Seeing the big picture of enterprise security
       – Password hygiene
       – Internet hygiene
       – How to do business WHILE following policy
       – That security is their responsibility.
       – That there really are bad people who are out to get them.
       – Infosec isn’t there to stop you from doing your job.
  22. So… Why Don’t They Know Those Things Already?
  23. Typical CISO/CIO/General Counsel response: We trained them!!! They should have “security awareness”!!!
  24. Explanation #1: “Users are stupid.”* (*Amrit Williams said this on his blog at one point.)
  25. Training Doesn’t Work
     • People aren’t puppies
       – Requires significant funding
       – Low uptake level: most users ignore it or go through the motions.
       – The only way to “rub their noses in it” is through an incident
     • Training is the first thing to cut
       – When cutting costs, training is viewed as a luxury.
       – More importantly, ROI is generally not measured
       – “Success” is nebulous at best
     • “Training” is the wrong model
  26. Solving the Problem
     • We have two main issues in getting users on board
       – Users view security as a braking (breaking?) function
       – Users believe security is solved by the Information Security Department and that it’s not their responsibility.
     • The biggest problem: NEITHER OF THESE IS TRUE!
     • These are both perception issues
     • How do other industries solve perception issues?
  27. Explanation #2: “Your marketing sucks.” – Mark Stevens
  28. The Marketing Process (flowchart: What do we want the users to know? → Measure: how many people already know that? → Determine ways to teach users and deliver those messages → Measure: how many people know that now? → Did we achieve our goals? Yes: move to next goal; No: loop back)
  29. Measurement Is Key
     • Good marketers measure their impact
       – This involves understanding how their messages impact their targets
     • Goals need to be set based on measurability
       – Define your goals based on how you will measure them
     • You need a baseline
       – Measure before you start your “awareness” efforts
       – This lets you know how many of your users are already aware
     • Measure at the end
       – This gives you an idea of the success of your efforts
       – This is called “ROI”.
  30. Perception and Reality
     • Positioning is the art of changing reality.
       – The technique by which marketers try to create an image or identity in the minds of their target market for its product, brand, or organization. (Wikipedia)
     • The key question is: how are we positioned?
       – Strong positioning is the key to strong marketing
       – What is the position of the following brands?
         • Rolls Royce
         • Ferrari
         • Chevy
         • Information Security within your organization?
     • What position do you want to have?
       – What would make you think that?
  31. Delivering Your Message
     • Caveat: it’s far easier to say it than to do it.
       – They have a say in this process too.
       – Positioning is a dance between what the users think and what you say
     • This means you have to say it often.
       – Rule of thumb: a user has to see your message at least 7 times before your message has ANY effect
       – This is the main reason that “awareness training” doesn’t work!!!
     • Breaking the “awareness shield”
       – Users are marketed to repeatedly
       – We need to break through their “awareness shield”.
  32. The Tool-kit
     • Marketing: the art of creating favorable impressions in your target audience
     • 3 tools of marketing
       – PR
       – Advertising
       – Direct interaction
     • Does this work internally???
  33. 7 Steps to Extreme Marketing
     1. Marketing is an integrated process
     2. Identify innovative initiatives that can command the attention of the marketplace
     3. Integrate all the elements of your marketing program
     4. Do not engage in any initiatives that fail to produce positive ROI
     5. Pick the low-hanging fruit first
     6. Don’t be linear
     7. Be persistent, relentless, inventive, counterintuitive, challenging, combative, strategic and tactical.
     (Source: Mark Stevens, Your Marketing Sucks)
  34. Case Study: Strong Passwords
     • Goal
       – Client wants to teach their users to select strong passwords where password controls are not enforceable (e.g. cloud services)
     • Security awareness plan
       – Send emails telling people to choose strong passwords
       – Ask users to take a multiple-choice test that confirms that they know to create strong passwords.
  35. Case Study: Strong Passwords
     • Security marketing campaign
       – Step 1: Measure strength of passwords chosen, for a baseline
         • Tools: survey a random set of users, create an application and test strength, etc.
       – Step 2: Create marketing campaign
         • Send emails to users, both instructional and examples that offer resources
         • Use multiple-choice tests
         • Newsletters, articles, etc.
         • Repeat messages over a short period of time
       – Step 3: Measure strength of passwords, look for changes.
         • Use the SAME measurement technique as the baseline
         • Did we get results? If no, repeat step 2 with different tactics.
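The measure-campaign-measure loop of the password case study, as an added example that is not code from the deck or from Foreground Security: a small Python scorer that applies one fixed strength rule to a baseline sample and to a follow-up sample (step 3's "same measurement technique") and reports whether the campaign goal was met. The scoring rule, the common-password list, the 20-percentage-point goal and both sample sets are constructed assumptions; the tool keeps only scores, never the passwords themselves, so survey results can be stored and compared across runs.

```python
"""Baseline vs. follow-up password-strength measurement for an awareness campaign.

Added example, not from the deck or from Foreground Security. The scoring
rule, the common-password list, the 20-point campaign goal and both samples
are constructed assumptions. Only scores are retained, never passwords, so
the results of a survey can be stored and compared with a later run.
"""
import math
import re
import string
from statistics import mean

# Constructed stand-in for a real breached/common-password list.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "charlotte2009",
}
STRONG_THRESHOLD = 3      # score at which we count a password as "strong"
YEAR_PATTERN = re.compile(r"(19|20)\d\d")


def estimate_entropy_bits(pw: str) -> float:
    """Naive bits: length * log2(pool), pool being the union of the character
    classes actually used. Only meaningful for comparing two samples scored the
    same way; it says nothing reliable about one individual password."""
    pool = 0
    if any(c in string.ascii_lowercase for c in pw):
        pool += 26
    if any(c in string.ascii_uppercase for c in pw):
        pool += 26
    if any(c in string.digits for c in pw):
        pool += 10
    if any(c in string.punctuation or c.isspace() for c in pw):
        pool += 33  # 32 ASCII punctuation characters plus space
    if any(c not in string.printable for c in pw):
        pool += 100  # rough allowance for non-ASCII characters
    return len(pw) * math.log2(pool) if pool else 0.0


def score_password(pw: str) -> int:
    """Map a password to a 0..4 strength score from the entropy estimate,
    then apply cheap weakness checks that the raw estimate misses."""
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        return 0
    bits = estimate_entropy_bits(pw)
    score = sum(bits >= cutoff for cutoff in (28, 36, 60, 80))
    # Runs of one character ("aaa") or a repeated token ("abcabc") inflate bits.
    if re.search(r"(.)\1{2,}", pw) or re.fullmatch(r"(.+?)\1+", pw):
        score = max(0, score - 1)
    # A common password with at most three extra characters is still weak.
    for weak in COMMON_PASSWORDS:
        if weak in lowered and len(lowered) - len(weak) <= 3:
            score = min(score, 1)
    # Years are a very common "make it unique" suffix; discount them.
    if YEAR_PATTERN.search(pw):
        score = max(0, score - 1)
    return score


def summarize(scores):
    """Share of strong passwords and mean score for one measured sample."""
    n = len(scores)
    strong = sum(1 for s in scores if s >= STRONG_THRESHOLD)
    return {"n": n, "strong_share": strong / n, "mean_score": mean(scores)}


def campaign_report(baseline_pw, followup_pw, goal_points=0.20):
    """Step 3 of the case study: score both samples with the same scorer and
    decide whether the share of strong passwords rose by the goal amount."""
    base = summarize([score_password(p) for p in baseline_pw])
    after = summarize([score_password(p) for p in followup_pw])
    change = after["strong_share"] - base["strong_share"]
    return {"baseline": base, "followup": after,
            "strong_share_change": change, "goal_met": change >= goal_points}


# Constructed samples standing in for a survey before and after the campaign.
BASELINE_SAMPLE = ["password", "Password1", "qwerty123", "aaaaaa",
                   "Summer2009!", "Tr0ub4dor&3", "abcabcabc", "letmein"]
FOLLOWUP_SAMPLE = ["correct horse battery staple", "Tr0ub4dor&3", "Password1",
                   "Summer2009!", "M7$pLq2!vR9z", "charlotte2009",
                   "blue-Kettle-42-Hikes", "aaaaaa"]

if __name__ == "__main__":
    report = campaign_report(BASELINE_SAMPLE, FOLLOWUP_SAMPLE)
    for label in ("baseline", "followup"):
        s = report[label]
        print(f"{label:9s} n={s['n']} strong={s['strong_share']:.0%} "
              f"mean score={s['mean_score']:.2f}")
    print(f"change in strong share: {report['strong_share_change']:+.0%} "
          f"goal met: {report['goal_met']}")
```

The point of the design is the one the deck makes: the absolute scores matter less than using one unchanged scorer for both measurements, so that any difference reflects the campaign rather than a change in the yardstick. Swapping in a better meter (a breached-password list, a dictionary check) is fine, as long as the baseline is re-scored with the same meter before comparing.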
  36. Questions? Feel free to email: