Most organization’s Security Awareness Programs suck. They involved ‘canned’ video presentations or someone is HR explaining computer use policies. Others are extremely expensive and beyond the reach of the budgets of smaller organizations. This talk will show you how to build a Security Awareness Program from scratch for little or no money, and how to engage your users so that they get the most out of the program.

1. Building an Information Security Awareness Program
Bill Gardner
Assistant Professor
Department of Integrated Science & Technology
Digital Forensics and Information Assurance Program
Marshall University

3. Hack3rcon.org

4. appyide.org

5. hackersforcharity.org

6. Image Source: http://blog.rucker.ca/2009/02/youre-doing-it-wrong.html

7. Image Source: http://www.agilemodeling.com/artifacts/networkDiagram.htm

8. Metrics
Security
Appliances
Anti-Virus/HIDs
Log Management
Patch Management
User Awareness Training
Policies and Procedures
Copyright 2014 Bill Gardner and Frank Hackett

9. What is Security Awareness
and Training

10. Why Security Awareness and
Training?
Image Source: http://www.thewindowsclub.com/social-engineering-techniques

11. Getting Management Buy-in
Image Source: https://supportforums.cisco.com/blog/150946/building-strong-security-policies

12. Getting Management Buy-in
Image Source: https://www.chromeriver.com/postcards/

13. Getting Management Buy-in
Image Source: https://www.facebook.com/thesfglobe/photos/a.581802245240710.1073741828.578850155535919/601831693237765/?type=1&theater

14. Getting Management Buy-in
Image Source: http://www.european-coatings.com/Markets-Companies/CPS-Color-increases-colorant-production

15. Targeted
Image Source: http://theasggroup.com/2012/05/tools-for-salespeople/

16. Targeted
Image Source: http://www.processmakerblog.com/bpm-2/secrets-automating-department/

17. Targeted
Image Source: http://www.innovationmanagement.se/2011/05/19/how-to-foster-greater-collaboration-between-innovators-and-the-it-department/

18. How Often
Image Source: http://integrityhr.com/top-10-violations-investigated-by-the-dol-and-how-to-avoid-them/

19. How Often
Image Source: http://cheezburger.com/1904315136

20. How Often
Image Source: http://www.theproducersperspective.com/my_weblog/2012/11/broadways-2012-quarter-2-report.html/i_love_quarterly_reports_mug-p168055427806712929enw9p_400

21. How Often
Image Source: http://micronarratives.blogspot.com/2010/08/continual-improvement-cycle-quality.html

22. User Awareness Training Must
Be Engaging
Image Source: http://jansimson.com/2011/10/29/omg-that-class-is-so-boring/

23. User Awareness Training Must
Be Engaging
Image Source: https://www.pjrc.com/teensy/projects.html

24. User Awareness Training Must
Be Engaging
Image Source: http://www.cedia.org/in-person-training

25. User Awareness Training Must
Be Engaging
Image Source: https://www.facebook.com/efm.lk/photos/a.132867908531.105751.75172638531/10153169793713532/?type=1&theater

26. User Awareness Training Must
Be Engaging
Image Source: http://pictures.4ever.eu/tag/23829/lot-of-money?pg=2

27. The First Step of User Awareness
Training is Explaining Risk
Image Source: https://www.facebook.com/photo.php?fbid=1415938958687951&set=a.1384739928474521.1073741828.100008155802751&type=1&theater

28. Cost of A Data Breach
Image Source: https://www.facebook.com/photo.php?fbid=10152535939267845&set=a.130149082844.132252.90859152844&type=1&theater

29. Why Hack?
• Money – Identity Theft, Credit Card Theft
• Industrial Espionage - Trade Secrets
• Hacktivism
• Cyber War
• Bragging Rights
Image Source: https://nuestropensar.wordpress.com/2010/12/

30. Threats
• Russian Business Network
• Chinese Hackers
• Hacktivism
• Cyberwar
Image Source: http://feministmormonhousewivespodcast.org/category/threats/

31. Russian Business Network
• Commonly
abbreviated as RBN
• Multi-faceted
cybercrime
organization
• Specializes in
personal identity theft
for resale. Image Source: http://jeffreycarr.blogspot.com/2013/01/rbn-connection-to-kasperskys-red.html

32. Chinese Hackers
• Hack for nationalistic
reasons.
• Some appear to be state
sponsored or a unofficial
part of the Chinese Army.
• GhostNet
• Google Hack
• APT – Advanced
Persistent Threat

33. Hacktivism
"the nonviolent use of illegal
or legally ambiguous digital
tools in pursuit of political
ends. These tools include
web site defacements,
redirects, denial-of-service
attacks, information theft..."Image Source: http://www.anonymousartofrevolution.com/2013/08/hacktivism-self-defense-for.html

34. Cyberwar
• Cyberwarfare is used to
refer to politically motivated
hacking to conduct
sabotage and espionage.
• Is state sponsored.
• In the 2007 Russia waged
cyberwar against Estonia.
Image Source: http://www.wired.com/2011/07/make-love-not-cyber-war/

35. Most Attacks Are Targeted
• Targeted threats are a
class of malware destined
for one specific
organization or industry
• Targeted attacks may
include threats delivered
via e-mail, port attacks,
zero day exploits or
phishing messages.

43. Who is responsible for security?
Image Source: http://www.caltrate.co.za/everybody-needs-calcium

44. Image Source: https://blog.lookout.com/blog/2013/11/12/security-alert-adobe-password-breach/

45. Passwords

46. Locking Computers

47. Attachments
 Be cautious of e-mail claiming to contain pictures in attached files, as
the files may contain viruses. Only open attachments from known
senders.

48. Phishing

49. Social Engineering
• Not all security breaches are the result of technical
attacks.
• In computer and network security people are the
weakest link.
• As he outlines in this book “The Art of Deception”,
convicted computer hacker Kevin Mitnick
penetrated computer networks by tricking people
into giving him passwords and other confidential
information.

50. No Tech Hacking
• Dumpster Diving – Sometimes confidential document
can be found in the trash.
• Tailgating – Following someone through a locked door.
• Shoulder Surfing – Getting passwords or other
confidential information by looking over someone’s
shoulder.
• Google Hacking – Finding passwords or other
confidential information by using Google searches.
• P2P Hacking – Finding passwords or other confidential
information on peer-to-peer networks.

51. No Tech Hacking

52. Insecure third-party software
• P2P file sharing – Some people share entire hard drive
• Instant Messaging- IM is insecure because it was not designed with
security in mind

53. Adware
 Adware or advertising-supported software is any software package
which automatically plays, displays, or downloads advertisements to a
computer after the software is installed or while the application is
being used.

55. Spyware
 Some types of adware are also spyware and can be classified as
software that steals personal information when you enter it into
legitimate programs or websites, or logs your keystrokes to steal your
passwords or other personal information.

56. Web Attacks
• IFrame attacks
• Cross site scripting
• Doesn’t require the user to click on anything
• Simply visiting the site will cause an infection

57. Two Examples of Web Attacks
• WV State Bar website: http://www.wvbar.org/
• The WV record: http://www.wvrecord.com/

60. Metadata Awareness

68. Redlining/Track Changes

79. Estimated Publish Date August 18th, 2014

80. Questions?

81. Contact Information
• Facebook : https://www.facebook.com/oncee
• Twitter: @oncee
• Linkedin: http://www.linkedin.com/in/304blogs