Maximizing ROI through Security Training (for Developers)

Maximizing
ROI
through
Security

Training

Who
am
I?

• VP
/
Co-‐Founder
of
Symosis,
10+
years
in

informaFon
security
consulFng
&
Training,

USC,
Foundstone,
McAfee,
Accuvant,
C-‐Level

security,
etc

• Invited
speaker,
author
and
educator

• MBA,
MS
Comp
Sc,
CISM,
CISA,
CISSP

Table
of
Contents

• Business
case
for
security

• Evolving
threats

• How
to
build
an
eﬀecFve
training
program?

• Case
Studies

The
Business
Case
for
Security

Proper
security
enables
a

company
to
meet
its
business

objec-ve
by
providing
a
safe
and

secure
environment

Impact
of
Security
Breaches

Loss
of
Revenue
Damage
to
ReputaFon

Loss
or
Compromise
of

Data

Damage
to
Investor

Conﬁdence

Legal
Consequences

InterrupFon
of
Business

Processes

Damage
to
Customer

Conﬁdence

Dollar
Amount
Of
Loss

The
cost
of
implemenFng
security
measures
is
not
trivial;

however,
it
is
a
fracFon
of
the
cost
of
miFgaFng
security

compromises

*
CSI
2006

Cost
of
Security
Breach

*
Aberdeen
Group
August
2010

Security
Breach
Example
Costs

Cost
of
Recent
Customer
Records
Breach

• $6.5
Million:
DSW
Warehouse
Costs
from
Data
Thea

• $5.7
Million:
BJ’s
Wholesale
Club
from
Data
Breach

AddiFonal
impact/cost
due
to
lost
customers

• 20%
of
customers
have
ended
a
relaFonship
with
a

company
aaer
being
noFﬁed
of
a
breach
(Ponemon

InsFtute)

• 58%
said
the
breach
decreased
their
sense
of
trust
and

conﬁdence
in
the
organizaFon
reporFng
the
incident

TOC

• Business
case
for
security

• Evolving
threats

• How
to
build
an
eﬀecFve
training
program?

• Case
Studies

Emerging
Threats
-‐
Aiack
Methods

*
SANS
2010

Emerging
Threats
-‐
ApplicaFon

Weaknesses

*
SANS
2010

Emerging
Threats

GLOBAL
Infrastructure
Impact
REGIONAL
Networks
MULTIPLE
Networks
INDIVIDUAL
Networks
INDIVIDUAL
Computer
Target and Scope
of Damage
Rapidly Escalating Threat to Businesses
First Gen
 Boot
viruses
Weeks
Second Gen
 Macro
viruses
 Denial of
Service
Days
Third Gen
 Distributed
Denial of
Service
 Application
threats
 Malware
Minutes
Next Gen
 Flash
threats
 Massive
“bot”-driven
DDoS
 Damaging
payload
worms
Seconds
1980s 1990s Today Future

13

Emerging
Threats
Categories

Malware
Botnets
Threats to VOIP and
mobile convergence
Cyber warfare
Data thefts

Threats becoming increasingly difficult to detect and mitigate
THREATSEVERITY
1990 1995 2000 2005 WHAT’S NEXT?
FINANCIAL
Theft & Damage
FAME
Viruses and Malware
TESTING THE WATERS
Basic Intrusions and Viruses

TOC

• Business
case
for
security

• Evolving
threats

• How
to
build
an
eﬀec-ve
training
program?

• Case
Studies

Why
Security
Training

• Reduce accidental security breaches
• Improve employee behaviour
• Enable organization to hold employees
accountable for their actions
• Build in-depth knowledge to design,
implement, or operate security programs for
organizations & systems
• Develop skills & knowledge so that computer
users can perform their jobs while using IT
systems more securely

Why
Security
Training?

• Dissemination & enforcement of policy
become easier when training & awareness
programs are in place
• Demonstrating due care & diligence can
help indemnify the institution against
lawsuits
• By improving awareness of the need to
protect system resources

How
is
InformaFon
Security

JusFﬁed?

PWC
security
survey
2011

Step
1:
Deﬁne
Training
ObjecFves

• Compliance,
RegulaFons
and
Governance

• Client
/
Partner
requirements

• Increase
the
general
level
of
security
awareness

• Reduce
the
incidences
of
computer
fraud,
waste

and
abuse

• Create
a
more
security
savvy
workforce

• Design,
develop
and
maintain
secure
IT

infrastructure
and
applicaFons

PCI
Compliance

All
service
providers
with
which
cardholder

data
is
shared
must
adhere
to
the
PCI
DSS

requirements
and
must
sign
an
agreement

acknowledging
that
the
service
provider
is

responsible
for
the
security
of
cardholder
data

the
provider
possesses.

PCI
Compliance

Payment
Card
Industry
(PCI)
Data
Security

Standard
mandates
security
awareness

program
that

12.6.1:
Educate
employees
upon
hire
and
at

least
annually

12.6.2:
Require
employees
to
annually

acknowledge
in
wriFng
that
they
have
read

and
understood
the
company's
security
policy

and
procedure

HIPAA
Compliance

The
Health
Insurance
Portability
and

Accountability
Act
of
1996
(HIPAA)
mandates
that

Covered
EnFFes,
which
includes
health
plans,

healthcare
clearinghouses,
and
most
healthcare

providers,
may
not
use
or
disclose
individuals’

health
informaFon
for
purposes
unrelated
to

providing
health-‐
care,
managing
their

organizaFon,
or
meeFng
their
obligaFons
under

state
and
federal
law,
unless
individuals

speciﬁcally
authorize
them
to
do
so.

HIPAA
Compliance

Ensuring
all
employees

including

management,
agents
and
contractors
in
an

organizaFon
understand
and
uphold
these

rules
is
no
easy
task
and
is,
to
a
large
degree,
a

training
and
management
problem.
This
is

why
the
Department
of
Health
and
Human

Services
(HHS)
has
mandated
annual
privacy

and
security
training,
as
well
as
regular

reminders
for
all
employees.

HIPAA
Compliance

• Upper
Management
Training

• Security
Awareness
Day

• Security
Awareness
and
Ongoing
Training
for

all
staff

• Computer
Users’
Supervisor
Training

• Security
“MarkeFng”
Efforts

• Annual
System-‐specific
training

• Professional
EducaFon
Training

GLBA
Compliance

Gramm-‐Leach-‐Bliley
Act
of
1999
Employee

Training
Requirements
mandates
IT
Security

Awareness
Training
for
all
employees
of
ﬁnancial

service
providers
(FSPs)
covered
by
the
GLB
act,

which
includes
all
companies
"engaging
in

ﬁnancial
acFviFes.”

GLBA
Compliance

• Examples
of
organizaFons
who
are
affected
by

these
rules
include

– insurance
agencies

– tax
preparers

– finance
companies

– collecFons
agencies

– leasing
agencies

– travel
agencies

– financial
advisors

ISO
27002

• ISO
27002
is
an
internaFonally
recognized

standard
published
by
the
InternaFonal

OrganizaFon
for
StandardizaFon
covering

informaFon
security
best
pracFces.
Many
global

organizaFons
use
this
comprehensive
standard
to

gauge
their
informaFon
security
programs.

• Provide
an
adequate
level
of
security
educaFon

and
training
to
your
organizaFon’s
employees,

contractors
and
third
party
users

FISMA

• Federal
InformaFon
Security
Management
Act

(FISMA)
is
Title
III
of
the
E-‐Government
ACT,

which
requires
federal
agencies
to
develop,

document,
and
implement
a
comprehensive

agency-‐wide
informaFon
security
program.

• Part
of
such
a
program
is
security
training

program
that
educates
personnel,
including

contractors
and
other
users,
of
their

responsibiliFes
in
maintaining
informaFon

security,
complying
with
organizaFonal
policies

and
procedures,
and
reducing
the
risks
associated

with
their
acFviFes

Red
Flag
Thea
PrevenFon

• Under
the
new
Red
Flag
regulaFons,
financial

insFtuFons
and
creditors
must
develop
a
wriien

program
that
idenFfies
and
detects
the
relevant

warning
signs
(Red
Flags)
of
idenFty
thea,
such
as

unusual
account
acFvity,
fraud
alerts
on
a

consumer
report,
or
aiempted
use
of
suspicious

account
applicaFon
documents,

• Includes
appropriate
staff
training
and
oversight

of
any
service
providers

SOX
(Sarbanes
Oxley)

• Sarbanes
Oxley
requires
the
CEO
and
CFO
of

publicly
traded
companies
to
be
held
accountable

for
financial
statements
filed
with
the
SecuriFes

and
Exchange
Commission
and
includes
criminal

penalFes
for
false
cerFficaFon

• Top
management
must
ensure
that
there
are

adequate
'internal
controls'
to
ensure
reliable

financial
reporFng
and
protect
financial
data
that

resides
in
informaFon
systems

Step
2:
Assess
Needs

• IdenFfy
training
administrator

– Primary
responsibility
lies
with
Chief
InformaFon

Security
Oﬃcer,
top
management
and
security

team

Assess
Needs

• Who
needs
to
be
trained
and
on
what?

– All
stakeholders:
Security
Awareness
Training,

Compliance

– Program
Managers
–
Architecture
&
Design

– Architects
&
Developers
–
Threats,
coding

mistakes,
secure
soaware
development

– Testers
/
QA
–
Security
Test
Cases

Assess
Needs
FuncFonal

Background

General
User

Managerial

User

Technical

User

Skill
Level

Novice

Intermediate

Expert

Using wrong training
methods can:
 Hinder transfer of
knowledge
 Lead to unnecessary
expense
& frustrated, poorly
trained employees

Step
3:
Key
Factors

• Build
vs.
Buy

• Classroom
/
Instructor
Led

• CBT
/
Web
Based

• Generic
vs.
Customized

• HosFng

Build
vs.
Buy

• Business
needs
are
unique

• Internal
capability
available

• Proprietary
informaFon
or

data
needs
to
be
protected;

• Complexity
of
interface
with

company's
LMS

• No
COTS
products
or
too

costly

Build

• Reduce
and
control
operaFng

costs

• Free
internal
resources

• Gain
access
to
external

capabiliFes

• Resources
constraints

• Improve
company
focus

• Share
risks

Buy

Key
consideraFons
-‐
cost,
quality,
and
timeline

Costs

• “How
to
Spend
a
Dollar
on
Security”
recommends
that

out
of
every
security
dollar
you
spend:

– 15
cents:
Policy

– 40
cents:
Awareness

– 10
cents:
Risk
Assessment

– 20
cents:
Technology

– 15
cents:
Process

• We
have
seen
it
done
from
anywhere
between
$5K
to

$5M
annual
costs

Patrick
McBride
–
ComputerWorld

Classroom
/
Instructor
Led

• Study
away
from
the
oﬃce
at
another
locaFon

with
Fme
set
aside
dedicated
to
learning
a
new

course
(and
in
some
cases,
for
cerFﬁcaFon,
siyng

of
an
exam)

• Costs
are
more
expensive
as
it
involves
the
course

fees,
travel,
accommodaFon
and
other
expenses

• Access
to
a
trainer
for
the
duraFon
of
the
course

(and
someFmes
for
a
limited
period
aaer
the

course)

• Access
to
other
students
during
the
course
and
as

a
potenFal
networking
group
aaer
the
course

Computer
/
Web
Based

• Individuals
can
study
at
their
own
Fme
and
pace
thereby

learning
at
a
rate
that
they
are
comfortable
with

• Lower
costs
–
CBT
is
much
more
cost
eﬀecFve
than

classroom
training.
MulF-‐user
opFon
allow
a
company
to

train
more
than
one
person
with
the
same
budget
or
less

than
sending
on
a
classroom
course

• Combines
the
“best
bits
of
classroom
training”
such
as
the

video
clips
of
instructor
sessions
with
the
“best
bits
of

reference
material”
such
as
technical
informaFon
and

pracFce
quesFons
to
provide
a
great
all
round
training

experience
which
is
beneﬁcial
to
both
student
and

employer
at
the
best
price
available.

Generic
vs.
Customized

• Generic
training
is
cost
eﬀecFve
and
focuses

on
core
security
issues,
OWASP
Top
10
threats,

etc

• CustomizaFon
provides
training
that
matches

speciﬁc
needs
for
content,
compleFon

requirements,
quiz,
policies,
and
even

employee
responsibility
acknowledgment.

HosFng

• Web
based
training
could
be
hosted
internally

or
provided
as
soaware
as
a
service
(SAAS)

• Internal
hosFng
provides
greater
control
but

could
be
resource
and
cost
intensive

• SAAS
service
is
oaen
turn
key
but
may
limit

scalability
and
usage

Step
4:
Metrics

• Quiz
and
survey
results

• Content

• People

Metrics
-‐
Quiz
and
survey
results

• Score
Results:
How
did
people
score?

• Answer
Breakdown:
How
did
people
answer?

• Aiempt
Detail:
How
did
a
user
answer?

Metrics
-‐
Content

• AcFvity:
What
was
the
acFvity
for
a
content

item?

• Traﬃc:
How
oaen
was
an
item
viewed?

• Progress:
How
many
slides
did
people
view?

• Popular
Content:
Which
content
was
viewed

the
most?

Metrics
-‐
People

• Group
AcFvity:
What
content
did
a
group

view?

• User
AcFvity:
What
content
did
a
user
view?

• AcFve
Groups:
Who
were
my
most
acFve

groups?

• AcFve
Users:
Who
were
my
most
acFve
users?

• Guestbook
Responses:
What
were
the

responses
to
a
guestbook?

Case
Study
1
-‐
Project
management

and
custom
soaware
company

• Challenge:

– Ensure
secure
coding
elements
have
been
taught

– Prevent
top
10
threats
and
miFgaFon
techniques

– Meet
a
Fme
sensiFve
requirement
under
a
DoD

contract

• SoluFon:

– Implement
best
pracFces
soaware
security
training

for
Java

– Provide
access
to
training
on
demand
from
a
SaaS

model

• Challenge

– Improve
soaware
quality
by
eliminaFng
common

mistakes

– Provide
foundaFon
for
everyone
to
‘own’
security

• SoluFon

– Create
custom
course
based
on
previously
idenFﬁed

risk
and
miFgaFon

– Integrate
security
cases
into
QA
lifecycle

– Measure
year
over
year
declines
in
security
related

CRs

• Challenge:

– Meet
PCI
compliance
for
integraFng
secure
coding

pracFces

• SoluFon

– Implement
JAVA/.NET
secure
coding
pracFces

– Address
PCI
Cardholder
Data
requirements
within

applicaFon
development

Thanks
for
listening…

QuesFons?

Try
out
free
Symosis
training
at
hip://
www.symosis.com

Maximizing ROI through Security Training (for Developers)

More Related Content

What's hot

Viewers also liked

Similar to Maximizing ROI through Security Training (for Developers)

More from Rochester Security Summit

Recently uploaded

Maximizing ROI through Security Training (for Developers)