SlideShare a Scribd company logo

Think like a hacker for better security awareness

C
COMSATS
1 of 2
Download to read offline
Think Like a Hacker for Better Security Awareness They say “it takes one to know one.” After 15 years in the And the cycle continues. You are exposed to new threats every day. Foreign hackers are perched at information security industry, I have to agree. Even though I have their screens around the clock probing spent my career focused on helping organizations design, develop your defenses. They are organized, and implement security awareness programs, I still mishandle highly skilled and well-funded. Staying my passwords, click on links I shouldn’t and am far too trusting ahead of these threats takes effort in general. What can I say, I am an early adopter, I believe in but, just like vulnerabilities, all too the Internet as the great provider and I want instant access to often we don’t focus enough on the information. So, for all of you out there who have made the same human aspects. A recent survey at mistakes I have, we are in this together. BlackHat 2012 revealed that “unwitting employees” are the highest security Security awareness is mostly about concern of information security professionals. common sense, but like other security precautions. It’s easy to let down Helping your organization stay ahead does take effort. But our guard. I browse the Web, check remember, it “takes one to know one.” You need to think like email, use mobile devices and share the bad guys. What are the assets that are valuable? How would information countless times a day. you go after them? Learning about common attack methods With all that connectivity, it’s hard to and commonly attacked assets makes you realize that hackers stay vigilant and very easy to cop an know that the way to valuable data is through the people that “I’m just going around the corner” handle the data. Read the technology section of your daily paper, attitude. But where the car reminds me subscribe to security blog sites, rely on your partners and peers, to put my seatbelt on, I don’t have a warning tone on my laptop and use common sense. reminding me not to click a link. How Do I Convince Others to Pay Attention? Reminding others to do the right thing never makes you popular You have to commit to being “that guy.” Planning and either. No one wants to be “that guy.” Even worse, there are those implementing security awareness programs will not make you people who remind you that wearing a seatbelt will not guarantee popular. But the key question to ask everyone is: can we afford your safety. This is the information security equivalent to telling the risk? Data breaches are more than just embarrassing. Service you that companies get breached even though they have security interruption, fines and incremental costs associated with the awareness programs. So what does all this mean? Should you breach, loss of customers, and permanent brand damage can give up on seatbelts and security awareness? be very hard to overcome. Do everything you can to prevent a breach, starting with your people. Make Well, would you disable the seatbelt buzzer on your car? Safety your security posture about more than precautions never come with guarantees, but individuals and process and technology. businesses 52% of enterprises have seen an increase of still practice A Ponemon Survey conducted in malware infections due to employees’ use of safety every 2012 found that “negligent insiders day. Creating social media. a culture are the highest ranking threat to an organization’s payment data.” This of security survey data is backed by Trustwave’s awareness is just one of the many things you must do to protect forensics experience and extensive your assets. Employees, entry-level and experienced, are spending analysis of more than two million more and more time interacting and exchanging information business passwords. The Trustwave 2012 Global Security Report electronically at work and at home. Arming your staff with the states that the skills to practice safe Internet usage is good for them, and good most common The most common corporate password is for your organization. It is common sense. password global businesses use Password1 because it just barely meets How Do I Stay On Top of It? the minimum complexity requirements of is “Password1.” Vulnerabilities appear in your environment every day. For example, The bad guys active directory for length, capitalization everyone wants to use their tablet or smart phone to conduct make a point of and numerical figures. business. And it makes sense: phones are portable, powerful and preying on weak connected. Then there are the “put it in the cloud” chants, which credentials: 80% also make sense, as the cloud is everywhere making information of breaches are the result of compromised administrator accounts always accessible. New technology equals new threats. Which because we make it easy for them to log in. leads to the purchase of more technology to protect that technology. TOTKO
What Should I Teach Them? compliance enforcement is not about individual rights but a Don’t overwhelm staff with security matter of public safety. Fines and penalties increase adherence, awareness training that is irrelevant so consider using them. to them. Not everyone has the same exposure to sensitive and private Online learning delivery methods provide the advantage information. Focus on the people of automatic completion tracking. And since all learning that are exposed to this information management systems (LMS) provide the reports you need to and arm them with best practice monitor your program in real-time, you can stay on top of the behaviors to minimize the risk that they groups that are lagging. become a source of a leak. Help them understand the behavior that makes them more vulnerable to But don’t rely on just your learning management system. Use attacks. Teach staff what they need to know in their everyday work as many delivery methods as you can to support the program. and use language they understand. This means potentially providing online training, classroom training, email reminders, posters, mentoring and access to daily Content and courses often include examples of the latest viruses, information security news. If staff cannot access online learning, phishing ploys and social engineering scams. Examples are only then use print. The adage the something is better than nothing good as long as applies here. Print-based programs don’t have the advantage of automated tracking and reporting, but there are simple ways to Users trained in avoiding phishing and they are examples and not intended provide auditable evidence of completion. Make print brochures scam emails fell for these malicious readily available and ask managers to ensure they are read and to present an emails 42% less than those without exhaustive list of applied to the workplace. training. what to watch for. Provide staff Make security awareness learning inevitable by ingraining it in with the skills to recognize all threats by teaching them the the workplace. Add security awareness to your new hire training, characteristics of a threat, and how their behaviors can open them reinforce it through online learning and leverage existing events to up to risks and vulnerabilities. reinforce the security awareness program. Teach them skills that will help them recognize tomorrow’s threat. Remember, if you want them to pay attention, make sure you and Teach them that the stakes are high. Teach them that their actions your management do as well. Lead by example and complete the can play an active role in reducing risks and even preventing an training. It takes one to know one! Make your boss complete the incident. Teach you staff “how to fish” not just how to avoid a training and make your boss’s boss complete the training. Then specific phish. share progress results with everyone. This level of transparency will help build In many respects the difference in approach is the difference trust with your staff as well 27% of IT organizations have top between training and education. Training is an event that teaches specific skills and behaviors. Education is about laying a founda- as show that executives or privileged users who have tion of knowledge that will lead to future insight, and will get your the program is fallen for malicious email attacks. staff involved with mitigating future risks. Institute security aware- important. ness education not just security awareness training. Making your program universal reinforces the notion that security Having a partner can really help here, especially a partner that is everyone’s responsibility. Whether you are a cashier at a grocery is involved on a daily basis with tracking security threats and chain, a store manager, a corporate accountant, a customer vulnerabilities. support specialist or the CEO, you play a role in securing sensitive information. We should all take that responsibility seriously and do If I Build It, Will They Come? their part to learn how to protect this information and the people we serve. Breaches happen every day around the world. Breaches cost money. Breaches have the potential to expose private information About Roy Lamond, M.Ed. to misuse. Don’t let your staff become complacent about these Roy has spent the last 15 years in the security industry being “that guy.” concerns. Insist that they stay vigilant. About Trustwave Security awareness education is not an option. It should be Trustwave is a leading provider of compliance, Web, application, network mandatory and ubiquitous, and include both short and long term and data security solutions delivered through the cloud, managed security learning outcomes. Measure completion and administer testing services, software and appliances. For organizations faced with today’s challenging data security and compliance environment, Trustwave provides if you are serious about transferring skills to everyday tasks. Let a unique approach with comprehensive solutions that include its Trust- people know they are being measured. Have consequences or Keeper® portal and other proprietary security solutions. Trustwave has incentives that motivate people to comply. We may not agree helped hundreds of thousands of organizations--ranging from Fortune 500 that observation of speed limits should be mandated or that businesses and large financial institutions to small and medium-sized re- you should be fined for not buckling up, but recognize that tailers--manage compliance and secure their network infrastructures, data communications and critical information assets. Trustwave is headquartered in Chicago with offices worldwide. For more information, visit https://www.trustwave.com. TOTKO

Recommended

Dont Let Data And Business Assets Slip Out The Back Door Cm101243
Dont Let Data And Business Assets Slip Out The Back Door Cm101243Dont Let Data And Business Assets Slip Out The Back Door Cm101243
Dont Let Data And Business Assets Slip Out The Back Door Cm101243Erik Ginalick
 
Rogers eBook Security
Rogers eBook SecurityRogers eBook Security
Rogers eBook SecurityRogers Communications
 
Issa Charlotte 2009 Patching Your Users
Issa Charlotte 2009 Patching Your UsersIssa Charlotte 2009 Patching Your Users
Issa Charlotte 2009 Patching Your UsersMike Murray
 
Security Feature Cover Story
Security Feature Cover StorySecurity Feature Cover Story
Security Feature Cover StoryTorrid Networks Private Limited
 
7 Things Every Ceo Should Know About Information Security
7 Things Every Ceo Should Know About Information Security7 Things Every Ceo Should Know About Information Security
7 Things Every Ceo Should Know About Information SecurityCindy Kim
 
csxnewsletter
csxnewslettercsxnewsletter
csxnewsletterDominic Vogel
 
Ten Security Essentials for CIOs
Ten Security Essentials for CIOsTen Security Essentials for CIOs
Ten Security Essentials for CIOsIBM Security
 
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating WarriorBanning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating WarriorSandra (Sandy) Dunn
 

Recommended

Dont Let Data And Business Assets Slip Out The Back Door Cm101243
Dont Let Data And Business Assets Slip Out The Back Door Cm101243Dont Let Data And Business Assets Slip Out The Back Door Cm101243
Dont Let Data And Business Assets Slip Out The Back Door Cm101243Erik Ginalick
 
Rogers eBook Security
Rogers eBook SecurityRogers eBook Security
Rogers eBook SecurityRogers Communications
 
Issa Charlotte 2009 Patching Your Users
Issa Charlotte 2009 Patching Your UsersIssa Charlotte 2009 Patching Your Users
Issa Charlotte 2009 Patching Your UsersMike Murray
 
Security Feature Cover Story
Security Feature Cover StorySecurity Feature Cover Story
Security Feature Cover StoryTorrid Networks Private Limited
 
7 Things Every Ceo Should Know About Information Security
7 Things Every Ceo Should Know About Information Security7 Things Every Ceo Should Know About Information Security
7 Things Every Ceo Should Know About Information SecurityCindy Kim
 
csxnewsletter
csxnewslettercsxnewsletter
csxnewsletterDominic Vogel
 
Ten Security Essentials for CIOs
Ten Security Essentials for CIOsTen Security Essentials for CIOs
Ten Security Essentials for CIOsIBM Security
 
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating WarriorBanning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating WarriorSandra (Sandy) Dunn
 
Cybrary's navigating a security wasteland
Cybrary's navigating a security wasteland Cybrary's navigating a security wasteland
Cybrary's navigating a security wasteland Devendra kashyap
 
A model for reducing information security risks due to human error
A model for reducing information security risks due to human errorA model for reducing information security risks due to human error
A model for reducing information security risks due to human errorAnup Narayanan
 
Information Security Governance at Board and Executive Level
Information Security Governance at Board and Executive LevelInformation Security Governance at Board and Executive Level
Information Security Governance at Board and Executive LevelKoen Maris
 
Issa Seattle 5 09 Social Engineering
Issa Seattle 5 09 Social EngineeringIssa Seattle 5 09 Social Engineering
Issa Seattle 5 09 Social EngineeringMike Murray
 
2009 Security Mega Trends & Emerging Threats
2009 Security Mega Trends & Emerging Threats2009 Security Mega Trends & Emerging Threats
2009 Security Mega Trends & Emerging ThreatsLumension
 
Security Awareness Program
Security Awareness ProgramSecurity Awareness Program
Security Awareness ProgramDavid Wigton
 
Sivasubramanian Risk Management In The Web 2.0 Environment
Sivasubramanian Risk Management In The Web 2.0 EnvironmentSivasubramanian Risk Management In The Web 2.0 Environment
Sivasubramanian Risk Management In The Web 2.0 EnvironmentVinoth Sivasubramanan
 
Women in security_ Is the tide turning_ - Print Article - SC Magazine UK
Women in security_ Is the tide turning_ - Print Article - SC Magazine UKWomen in security_ Is the tide turning_ - Print Article - SC Magazine UK
Women in security_ Is the tide turning_ - Print Article - SC Magazine UKCaroline Rivett
 
7350_RiskWatch-Summer2015-Maligec
7350_RiskWatch-Summer2015-Maligec7350_RiskWatch-Summer2015-Maligec
7350_RiskWatch-Summer2015-MaligecChristine Maligec, CRM-E, CRIS
 
Security Threats for SMBs
Security Threats for SMBsSecurity Threats for SMBs
Security Threats for SMBsGFI Software
 
When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...
When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...
When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...GFI Software
 
White Paper: Securing Nomadic Workforce
White Paper: Securing Nomadic WorkforceWhite Paper: Securing Nomadic Workforce
White Paper: Securing Nomadic WorkforceCourtland Smith
 
Carbon Black: 32 Security Experts on Changing Endpoint Security
Carbon Black: 32 Security Experts on Changing Endpoint SecurityCarbon Black: 32 Security Experts on Changing Endpoint Security
Carbon Black: 32 Security Experts on Changing Endpoint SecurityMighty Guides, Inc.
 
Business Driven Security Securing the Smarter Planet pcty_020710_rev
Business Driven Security Securing the Smarter Planet pcty_020710_revBusiness Driven Security Securing the Smarter Planet pcty_020710_rev
Business Driven Security Securing the Smarter Planet pcty_020710_revShanker Sareen
 
Darktrace_WhitePaper_EnterpriseImmuneSystem
Darktrace_WhitePaper_EnterpriseImmuneSystemDarktrace_WhitePaper_EnterpriseImmuneSystem
Darktrace_WhitePaper_EnterpriseImmuneSystemAustin Eppstein
 
EnterpriseImmuneSystem
EnterpriseImmuneSystemEnterpriseImmuneSystem
EnterpriseImmuneSystemAdam Toth-Fejel
 
Raise The Cybersecurity Curtain! Be The Voice!
Raise The Cybersecurity Curtain! Be The Voice!Raise The Cybersecurity Curtain! Be The Voice!
Raise The Cybersecurity Curtain! Be The Voice!Ludmila Morozova-Buss
 
Hybrid Technology
Hybrid TechnologyHybrid Technology
Hybrid TechnologyGFI Software
 
VIPRE Business Takes a Bite out of Bloatware
VIPRE Business Takes a Bite out of BloatwareVIPRE Business Takes a Bite out of Bloatware
VIPRE Business Takes a Bite out of BloatwareGFI Software
 
Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015Mark Lanterman
 
Robust Software Solutions.pptx
Robust Software Solutions.pptxRobust Software Solutions.pptx
Robust Software Solutions.pptxBusiness Thrust Pte. Ltd. (BThrust)
 
Tech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event RecapTech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event RecapDominic Vogel
 

More Related Content

What's hot

Cybrary's navigating a security wasteland
Cybrary's navigating a security wasteland Cybrary's navigating a security wasteland
Cybrary's navigating a security wasteland Devendra kashyap
 
A model for reducing information security risks due to human error
A model for reducing information security risks due to human errorA model for reducing information security risks due to human error
A model for reducing information security risks due to human errorAnup Narayanan
 
Information Security Governance at Board and Executive Level
Information Security Governance at Board and Executive LevelInformation Security Governance at Board and Executive Level
Information Security Governance at Board and Executive LevelKoen Maris
 
Issa Seattle 5 09 Social Engineering
Issa Seattle 5 09 Social EngineeringIssa Seattle 5 09 Social Engineering
Issa Seattle 5 09 Social EngineeringMike Murray
 
2009 Security Mega Trends & Emerging Threats
2009 Security Mega Trends & Emerging Threats2009 Security Mega Trends & Emerging Threats
2009 Security Mega Trends & Emerging ThreatsLumension
 
Security Awareness Program
Security Awareness ProgramSecurity Awareness Program
Security Awareness ProgramDavid Wigton
 
Sivasubramanian Risk Management In The Web 2.0 Environment
Sivasubramanian Risk Management In The Web 2.0 EnvironmentSivasubramanian Risk Management In The Web 2.0 Environment
Sivasubramanian Risk Management In The Web 2.0 EnvironmentVinoth Sivasubramanan
 
Women in security_ Is the tide turning_ - Print Article - SC Magazine UK
Women in security_ Is the tide turning_ - Print Article - SC Magazine UKWomen in security_ Is the tide turning_ - Print Article - SC Magazine UK
Women in security_ Is the tide turning_ - Print Article - SC Magazine UKCaroline Rivett
 
Security Threats for SMBs
Security Threats for SMBsSecurity Threats for SMBs
Security Threats for SMBsGFI Software
 
When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...
When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...
When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...GFI Software
 
White Paper: Securing Nomadic Workforce
White Paper: Securing Nomadic WorkforceWhite Paper: Securing Nomadic Workforce
White Paper: Securing Nomadic WorkforceCourtland Smith
 
Carbon Black: 32 Security Experts on Changing Endpoint Security
Carbon Black: 32 Security Experts on Changing Endpoint SecurityCarbon Black: 32 Security Experts on Changing Endpoint Security
Carbon Black: 32 Security Experts on Changing Endpoint SecurityMighty Guides, Inc.
 
Business Driven Security Securing the Smarter Planet pcty_020710_rev
Business Driven Security Securing the Smarter Planet pcty_020710_revBusiness Driven Security Securing the Smarter Planet pcty_020710_rev
Business Driven Security Securing the Smarter Planet pcty_020710_revShanker Sareen
 
Darktrace_WhitePaper_EnterpriseImmuneSystem
Darktrace_WhitePaper_EnterpriseImmuneSystemDarktrace_WhitePaper_EnterpriseImmuneSystem
Darktrace_WhitePaper_EnterpriseImmuneSystemAustin Eppstein
 
Raise The Cybersecurity Curtain! Be The Voice!
Raise The Cybersecurity Curtain! Be The Voice!Raise The Cybersecurity Curtain! Be The Voice!
Raise The Cybersecurity Curtain! Be The Voice!Ludmila Morozova-Buss
 
VIPRE Business Takes a Bite out of Bloatware
VIPRE Business Takes a Bite out of BloatwareVIPRE Business Takes a Bite out of Bloatware
VIPRE Business Takes a Bite out of BloatwareGFI Software
 

What's hot (19)

Cybrary's navigating a security wasteland
Cybrary's navigating a security wasteland Cybrary's navigating a security wasteland
Cybrary's navigating a security wasteland
 
A model for reducing information security risks due to human error
A model for reducing information security risks due to human errorA model for reducing information security risks due to human error
A model for reducing information security risks due to human error
 
Information Security Governance at Board and Executive Level
Information Security Governance at Board and Executive LevelInformation Security Governance at Board and Executive Level
Information Security Governance at Board and Executive Level
 
Issa Seattle 5 09 Social Engineering
Issa Seattle 5 09 Social EngineeringIssa Seattle 5 09 Social Engineering
Issa Seattle 5 09 Social Engineering
 
2009 Security Mega Trends & Emerging Threats
2009 Security Mega Trends & Emerging Threats2009 Security Mega Trends & Emerging Threats
2009 Security Mega Trends & Emerging Threats
 
Security Awareness Program
Security Awareness ProgramSecurity Awareness Program
Security Awareness Program
 
Sivasubramanian Risk Management In The Web 2.0 Environment
Sivasubramanian Risk Management In The Web 2.0 EnvironmentSivasubramanian Risk Management In The Web 2.0 Environment
Sivasubramanian Risk Management In The Web 2.0 Environment
 
Women in security_ Is the tide turning_ - Print Article - SC Magazine UK
Women in security_ Is the tide turning_ - Print Article - SC Magazine UKWomen in security_ Is the tide turning_ - Print Article - SC Magazine UK
Women in security_ Is the tide turning_ - Print Article - SC Magazine UK
 
7350_RiskWatch-Summer2015-Maligec
7350_RiskWatch-Summer2015-Maligec7350_RiskWatch-Summer2015-Maligec
7350_RiskWatch-Summer2015-Maligec
 
Security Threats for SMBs
Security Threats for SMBsSecurity Threats for SMBs
Security Threats for SMBs
 
When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...
When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...
When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...
 
White Paper: Securing Nomadic Workforce
White Paper: Securing Nomadic WorkforceWhite Paper: Securing Nomadic Workforce
White Paper: Securing Nomadic Workforce
 
Carbon Black: 32 Security Experts on Changing Endpoint Security
Carbon Black: 32 Security Experts on Changing Endpoint SecurityCarbon Black: 32 Security Experts on Changing Endpoint Security
Carbon Black: 32 Security Experts on Changing Endpoint Security
 
Business Driven Security Securing the Smarter Planet pcty_020710_rev
Business Driven Security Securing the Smarter Planet pcty_020710_revBusiness Driven Security Securing the Smarter Planet pcty_020710_rev
Business Driven Security Securing the Smarter Planet pcty_020710_rev
 
Darktrace_WhitePaper_EnterpriseImmuneSystem
Darktrace_WhitePaper_EnterpriseImmuneSystemDarktrace_WhitePaper_EnterpriseImmuneSystem
Darktrace_WhitePaper_EnterpriseImmuneSystem
 
EnterpriseImmuneSystem
EnterpriseImmuneSystemEnterpriseImmuneSystem
EnterpriseImmuneSystem
 
Raise The Cybersecurity Curtain! Be The Voice!
Raise The Cybersecurity Curtain! Be The Voice!Raise The Cybersecurity Curtain! Be The Voice!
Raise The Cybersecurity Curtain! Be The Voice!
 
Hybrid Technology
Hybrid TechnologyHybrid Technology
Hybrid Technology
 
VIPRE Business Takes a Bite out of Bloatware
VIPRE Business Takes a Bite out of BloatwareVIPRE Business Takes a Bite out of Bloatware
VIPRE Business Takes a Bite out of Bloatware
 

Similar to Think like a hacker for better security awareness

Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015Mark Lanterman
 
Tech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event RecapTech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event RecapDominic Vogel
 
Cyber threat Intelligence Dubai - Ahad.pptx
Cyber threat Intelligence Dubai - Ahad.pptxCyber threat Intelligence Dubai - Ahad.pptx
Cyber threat Intelligence Dubai - Ahad.pptxAhad
 
The Unconventional Guide to Cyber Threat Intelligence - Ahad.pdf
The Unconventional Guide to Cyber Threat Intelligence - Ahad.pdfThe Unconventional Guide to Cyber Threat Intelligence - Ahad.pdf
The Unconventional Guide to Cyber Threat Intelligence - Ahad.pdfAhad
 
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...Dana Gardner
 
Security Transformation
Security TransformationSecurity Transformation
Security TransformationFaisal Yahya
 
Why managed detection and response is more important now than ever
Why managed detection and response is more important now than everWhy managed detection and response is more important now than ever
Why managed detection and response is more important now than everG’SECURE LABS
 
The Unconventional Guide to Cyber Threat Intelligence
The Unconventional Guide to Cyber Threat IntelligenceThe Unconventional Guide to Cyber Threat Intelligence
The Unconventional Guide to Cyber Threat IntelligenceAhad
 
Security White Paper
Security White PaperSecurity White Paper
Security White PaperMobiWee
 
The 10 Secret Codes of Security
The 10 Secret Codes of SecurityThe 10 Secret Codes of Security
The 10 Secret Codes of SecurityKarina Elise
 
10 Components of Business Cyber Security
10 Components of Business Cyber Security10 Components of Business Cyber Security
10 Components of Business Cyber SecurityComodo SSL Store
 
How to Catch a Wolf in Sheep's Clothing
How to Catch a Wolf in Sheep's ClothingHow to Catch a Wolf in Sheep's Clothing
How to Catch a Wolf in Sheep's ClothingThinAir
 
Top 6 things_small_businesses_q12015
Top 6 things_small_businesses_q12015Top 6 things_small_businesses_q12015
Top 6 things_small_businesses_q12015anpapathanasiou
 
Why Cybersecurity is a Data Problem
Why Cybersecurity is a Data ProblemWhy Cybersecurity is a Data Problem
Why Cybersecurity is a Data ProblemBernard Marr
 
Pci compliance training agents
Pci compliance training agentsPci compliance training agents
Pci compliance training agentsocinc
 
Influential Business Leaders in Security services | CIO Look
Influential Business Leaders in Security services | CIO LookInfluential Business Leaders in Security services | CIO Look
Influential Business Leaders in Security services | CIO LookCIO Look Magazine
 
The significance of the 7 Colors of Information Security
The significance of the 7 Colors of Information SecurityThe significance of the 7 Colors of Information Security
The significance of the 7 Colors of Information Securitylearntransformation0
 
Whitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-badWhitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-badbanerjeea
 
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party Cyb...
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party Cyb...Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party Cyb...
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party Cyb...Rishi Singh
 

Similar to Think like a hacker for better security awareness (20)

Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015
 
Robust Software Solutions.pptx
Robust Software Solutions.pptxRobust Software Solutions.pptx
Robust Software Solutions.pptx
 
Tech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event RecapTech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event Recap
 
Cyber threat Intelligence Dubai - Ahad.pptx
Cyber threat Intelligence Dubai - Ahad.pptxCyber threat Intelligence Dubai - Ahad.pptx
Cyber threat Intelligence Dubai - Ahad.pptx
 
The Unconventional Guide to Cyber Threat Intelligence - Ahad.pdf
The Unconventional Guide to Cyber Threat Intelligence - Ahad.pdfThe Unconventional Guide to Cyber Threat Intelligence - Ahad.pdf
The Unconventional Guide to Cyber Threat Intelligence - Ahad.pdf
 
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
 
Security Transformation
Security TransformationSecurity Transformation
Security Transformation
 
Why managed detection and response is more important now than ever
Why managed detection and response is more important now than everWhy managed detection and response is more important now than ever
Why managed detection and response is more important now than ever
 
The Unconventional Guide to Cyber Threat Intelligence
The Unconventional Guide to Cyber Threat IntelligenceThe Unconventional Guide to Cyber Threat Intelligence
The Unconventional Guide to Cyber Threat Intelligence
 
Security White Paper
Security White PaperSecurity White Paper
Security White Paper
 
The 10 Secret Codes of Security
The 10 Secret Codes of SecurityThe 10 Secret Codes of Security
The 10 Secret Codes of Security
 
10 Components of Business Cyber Security
10 Components of Business Cyber Security10 Components of Business Cyber Security
10 Components of Business Cyber Security
 
How to Catch a Wolf in Sheep's Clothing
How to Catch a Wolf in Sheep's ClothingHow to Catch a Wolf in Sheep's Clothing
How to Catch a Wolf in Sheep's Clothing
 
Top 6 things_small_businesses_q12015
Top 6 things_small_businesses_q12015Top 6 things_small_businesses_q12015
Top 6 things_small_businesses_q12015
 
Why Cybersecurity is a Data Problem
Why Cybersecurity is a Data ProblemWhy Cybersecurity is a Data Problem
Why Cybersecurity is a Data Problem
 
Pci compliance training agents
Pci compliance training agentsPci compliance training agents
Pci compliance training agents
 
Influential Business Leaders in Security services | CIO Look
Influential Business Leaders in Security services | CIO LookInfluential Business Leaders in Security services | CIO Look
Influential Business Leaders in Security services | CIO Look
 
The significance of the 7 Colors of Information Security
The significance of the 7 Colors of Information SecurityThe significance of the 7 Colors of Information Security
The significance of the 7 Colors of Information Security
 
Whitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-badWhitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-bad
 
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party Cyb...
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party Cyb...Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party Cyb...
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party Cyb...
 

More from COMSATS

Windows keyboard shortcuts
Windows keyboard shortcutsWindows keyboard shortcuts
Windows keyboard shortcutsCOMSATS
 
Unix linux command reference
Unix linux command referenceUnix linux command reference
Unix linux command referenceCOMSATS
 
Ubuntu an absolute beginners guide
Ubuntu an absolute beginners guideUbuntu an absolute beginners guide
Ubuntu an absolute beginners guideCOMSATS
 
Talash by mumtaz mufti urdunovelist.blogspot.com
Talash by mumtaz mufti urdunovelist.blogspot.comTalash by mumtaz mufti urdunovelist.blogspot.com
Talash by mumtaz mufti urdunovelist.blogspot.comCOMSATS
 
Ram deen part 2 by mumtaz mufti
Ram deen part 2 by mumtaz muftiRam deen part 2 by mumtaz mufti
Ram deen part 2 by mumtaz muftiCOMSATS
 
Ram deen part 1 by mumtaz mufti
Ram deen part 1 by mumtaz muftiRam deen part 1 by mumtaz mufti
Ram deen part 1 by mumtaz muftiCOMSATS
 
Open network architecture e book
Open network architecture e bookOpen network architecture e book
Open network architecture e bookCOMSATS
 
How to print out a list of all files in a folder
How to print out a list of all files in a folderHow to print out a list of all files in a folder
How to print out a list of all files in a folderCOMSATS
 
How to mount and unmount filesystem
How to mount and unmount filesystemHow to mount and unmount filesystem
How to mount and unmount filesystemCOMSATS
 
How to change the uuid on a vdi file
How to change the uuid on a vdi fileHow to change the uuid on a vdi file
How to change the uuid on a vdi fileCOMSATS
 
Configuring the boot menu in ubuntu
Configuring the boot menu in ubuntuConfiguring the boot menu in ubuntu
Configuring the boot menu in ubuntuCOMSATS
 
Chup by mumtaz mufti
Chup by mumtaz muftiChup by mumtaz mufti
Chup by mumtaz muftiCOMSATS
 
Alipur ka ailee (part 3) by mumtaz mufti
Alipur ka ailee (part 3) by mumtaz muftiAlipur ka ailee (part 3) by mumtaz mufti
Alipur ka ailee (part 3) by mumtaz muftiCOMSATS
 
Windows 7 guide
Windows 7 guideWindows 7 guide
Windows 7 guideCOMSATS
 
Alipur ka ailee (part 2) by mumtaz mufti
Alipur ka ailee (part 2) by mumtaz muftiAlipur ka ailee (part 2) by mumtaz mufti
Alipur ka ailee (part 2) by mumtaz muftiCOMSATS
 
Alipur ka ailee (part 1) by mumtaz mufti
Alipur ka ailee (part 1) by mumtaz muftiAlipur ka ailee (part 1) by mumtaz mufti
Alipur ka ailee (part 1) by mumtaz muftiCOMSATS
 
Ali pur ka aili by mumtaz mufti
Ali pur ka aili by mumtaz muftiAli pur ka aili by mumtaz mufti
Ali pur ka aili by mumtaz muftiCOMSATS
 
Alakh nagri by mumtaz mufti
Alakh nagri by mumtaz muftiAlakh nagri by mumtaz mufti
Alakh nagri by mumtaz muftiCOMSATS
 
Windows speed up
Windows speed upWindows speed up
Windows speed upCOMSATS
 

More from COMSATS (19)

Windows keyboard shortcuts
Windows keyboard shortcutsWindows keyboard shortcuts
Windows keyboard shortcuts
 
Unix linux command reference
Unix linux command referenceUnix linux command reference
Unix linux command reference
 
Ubuntu an absolute beginners guide
Ubuntu an absolute beginners guideUbuntu an absolute beginners guide
Ubuntu an absolute beginners guide
 
Talash by mumtaz mufti urdunovelist.blogspot.com
Talash by mumtaz mufti urdunovelist.blogspot.comTalash by mumtaz mufti urdunovelist.blogspot.com
Talash by mumtaz mufti urdunovelist.blogspot.com
 
Ram deen part 2 by mumtaz mufti
Ram deen part 2 by mumtaz muftiRam deen part 2 by mumtaz mufti
Ram deen part 2 by mumtaz mufti
 
Ram deen part 1 by mumtaz mufti
Ram deen part 1 by mumtaz muftiRam deen part 1 by mumtaz mufti
Ram deen part 1 by mumtaz mufti
 
Open network architecture e book
Open network architecture e bookOpen network architecture e book
Open network architecture e book
 
How to print out a list of all files in a folder
How to print out a list of all files in a folderHow to print out a list of all files in a folder
How to print out a list of all files in a folder
 
How to mount and unmount filesystem
How to mount and unmount filesystemHow to mount and unmount filesystem
How to mount and unmount filesystem
 
How to change the uuid on a vdi file
How to change the uuid on a vdi fileHow to change the uuid on a vdi file
How to change the uuid on a vdi file
 
Configuring the boot menu in ubuntu
Configuring the boot menu in ubuntuConfiguring the boot menu in ubuntu
Configuring the boot menu in ubuntu
 
Chup by mumtaz mufti
Chup by mumtaz muftiChup by mumtaz mufti
Chup by mumtaz mufti
 
Alipur ka ailee (part 3) by mumtaz mufti
Alipur ka ailee (part 3) by mumtaz muftiAlipur ka ailee (part 3) by mumtaz mufti
Alipur ka ailee (part 3) by mumtaz mufti
 
Windows 7 guide
Windows 7 guideWindows 7 guide
Windows 7 guide
 
Alipur ka ailee (part 2) by mumtaz mufti
Alipur ka ailee (part 2) by mumtaz muftiAlipur ka ailee (part 2) by mumtaz mufti
Alipur ka ailee (part 2) by mumtaz mufti
 
Alipur ka ailee (part 1) by mumtaz mufti
Alipur ka ailee (part 1) by mumtaz muftiAlipur ka ailee (part 1) by mumtaz mufti
Alipur ka ailee (part 1) by mumtaz mufti
 
Ali pur ka aili by mumtaz mufti
Ali pur ka aili by mumtaz muftiAli pur ka aili by mumtaz mufti
Ali pur ka aili by mumtaz mufti
 
Alakh nagri by mumtaz mufti
Alakh nagri by mumtaz muftiAlakh nagri by mumtaz mufti
Alakh nagri by mumtaz mufti
 
Windows speed up
Windows speed upWindows speed up
Windows speed up
 

Think like a hacker for better security awareness

  • 1. Think Like a Hacker for Better Security Awareness They say “it takes one to know one.” After 15 years in the And the cycle continues. You are exposed to new threats every day. Foreign hackers are perched at information security industry, I have to agree. Even though I have their screens around the clock probing spent my career focused on helping organizations design, develop your defenses. They are organized, and implement security awareness programs, I still mishandle highly skilled and well-funded. Staying my passwords, click on links I shouldn’t and am far too trusting ahead of these threats takes effort in general. What can I say, I am an early adopter, I believe in but, just like vulnerabilities, all too the Internet as the great provider and I want instant access to often we don’t focus enough on the information. So, for all of you out there who have made the same human aspects. A recent survey at mistakes I have, we are in this together. BlackHat 2012 revealed that “unwitting employees” are the highest security Security awareness is mostly about concern of information security professionals. common sense, but like other security precautions. It’s easy to let down Helping your organization stay ahead does take effort. But our guard. I browse the Web, check remember, it “takes one to know one.” You need to think like email, use mobile devices and share the bad guys. What are the assets that are valuable? How would information countless times a day. you go after them? Learning about common attack methods With all that connectivity, it’s hard to and commonly attacked assets makes you realize that hackers stay vigilant and very easy to cop an know that the way to valuable data is through the people that “I’m just going around the corner” handle the data. Read the technology section of your daily paper, attitude. But where the car reminds me subscribe to security blog sites, rely on your partners and peers, to put my seatbelt on, I don’t have a warning tone on my laptop and use common sense. reminding me not to click a link. How Do I Convince Others to Pay Attention? Reminding others to do the right thing never makes you popular You have to commit to being “that guy.” Planning and either. No one wants to be “that guy.” Even worse, there are those implementing security awareness programs will not make you people who remind you that wearing a seatbelt will not guarantee popular. But the key question to ask everyone is: can we afford your safety. This is the information security equivalent to telling the risk? Data breaches are more than just embarrassing. Service you that companies get breached even though they have security interruption, fines and incremental costs associated with the awareness programs. So what does all this mean? Should you breach, loss of customers, and permanent brand damage can give up on seatbelts and security awareness? be very hard to overcome. Do everything you can to prevent a breach, starting with your people. Make Well, would you disable the seatbelt buzzer on your car? Safety your security posture about more than precautions never come with guarantees, but individuals and process and technology. businesses 52% of enterprises have seen an increase of still practice A Ponemon Survey conducted in malware infections due to employees’ use of safety every 2012 found that “negligent insiders day. Creating social media. a culture are the highest ranking threat to an organization’s payment data.” This of security survey data is backed by Trustwave’s awareness is just one of the many things you must do to protect forensics experience and extensive your assets. Employees, entry-level and experienced, are spending analysis of more than two million more and more time interacting and exchanging information business passwords. The Trustwave 2012 Global Security Report electronically at work and at home. Arming your staff with the states that the skills to practice safe Internet usage is good for them, and good most common The most common corporate password is for your organization. It is common sense. password global businesses use Password1 because it just barely meets How Do I Stay On Top of It? the minimum complexity requirements of is “Password1.” Vulnerabilities appear in your environment every day. For example, The bad guys active directory for length, capitalization everyone wants to use their tablet or smart phone to conduct make a point of and numerical figures. business. And it makes sense: phones are portable, powerful and preying on weak connected. Then there are the “put it in the cloud” chants, which credentials: 80% also make sense, as the cloud is everywhere making information of breaches are the result of compromised administrator accounts always accessible. New technology equals new threats. Which because we make it easy for them to log in. leads to the purchase of more technology to protect that technology. TOTKO
  • 2. What Should I Teach Them? compliance enforcement is not about individual rights but a Don’t overwhelm staff with security matter of public safety. Fines and penalties increase adherence, awareness training that is irrelevant so consider using them. to them. Not everyone has the same exposure to sensitive and private Online learning delivery methods provide the advantage information. Focus on the people of automatic completion tracking. And since all learning that are exposed to this information management systems (LMS) provide the reports you need to and arm them with best practice monitor your program in real-time, you can stay on top of the behaviors to minimize the risk that they groups that are lagging. become a source of a leak. Help them understand the behavior that makes them more vulnerable to But don’t rely on just your learning management system. Use attacks. Teach staff what they need to know in their everyday work as many delivery methods as you can to support the program. and use language they understand. This means potentially providing online training, classroom training, email reminders, posters, mentoring and access to daily Content and courses often include examples of the latest viruses, information security news. If staff cannot access online learning, phishing ploys and social engineering scams. Examples are only then use print. The adage the something is better than nothing good as long as applies here. Print-based programs don’t have the advantage of automated tracking and reporting, but there are simple ways to Users trained in avoiding phishing and they are examples and not intended provide auditable evidence of completion. Make print brochures scam emails fell for these malicious readily available and ask managers to ensure they are read and to present an emails 42% less than those without exhaustive list of applied to the workplace. training. what to watch for. Provide staff Make security awareness learning inevitable by ingraining it in with the skills to recognize all threats by teaching them the the workplace. Add security awareness to your new hire training, characteristics of a threat, and how their behaviors can open them reinforce it through online learning and leverage existing events to up to risks and vulnerabilities. reinforce the security awareness program. Teach them skills that will help them recognize tomorrow’s threat. Remember, if you want them to pay attention, make sure you and Teach them that the stakes are high. Teach them that their actions your management do as well. Lead by example and complete the can play an active role in reducing risks and even preventing an training. It takes one to know one! Make your boss complete the incident. Teach you staff “how to fish” not just how to avoid a training and make your boss’s boss complete the training. Then specific phish. share progress results with everyone. This level of transparency will help build In many respects the difference in approach is the difference trust with your staff as well 27% of IT organizations have top between training and education. Training is an event that teaches specific skills and behaviors. Education is about laying a founda- as show that executives or privileged users who have tion of knowledge that will lead to future insight, and will get your the program is fallen for malicious email attacks. staff involved with mitigating future risks. Institute security aware- important. ness education not just security awareness training. Making your program universal reinforces the notion that security Having a partner can really help here, especially a partner that is everyone’s responsibility. Whether you are a cashier at a grocery is involved on a daily basis with tracking security threats and chain, a store manager, a corporate accountant, a customer vulnerabilities. support specialist or the CEO, you play a role in securing sensitive information. We should all take that responsibility seriously and do If I Build It, Will They Come? their part to learn how to protect this information and the people we serve. Breaches happen every day around the world. Breaches cost money. Breaches have the potential to expose private information About Roy Lamond, M.Ed. to misuse. Don’t let your staff become complacent about these Roy has spent the last 15 years in the security industry being “that guy.” concerns. Insist that they stay vigilant. About Trustwave Security awareness education is not an option. It should be Trustwave is a leading provider of compliance, Web, application, network mandatory and ubiquitous, and include both short and long term and data security solutions delivered through the cloud, managed security learning outcomes. Measure completion and administer testing services, software and appliances. For organizations faced with today’s challenging data security and compliance environment, Trustwave provides if you are serious about transferring skills to everyday tasks. Let a unique approach with comprehensive solutions that include its Trust- people know they are being measured. Have consequences or Keeper® portal and other proprietary security solutions. Trustwave has incentives that motivate people to comply. We may not agree helped hundreds of thousands of organizations--ranging from Fortune 500 that observation of speed limits should be mandated or that businesses and large financial institutions to small and medium-sized re- you should be fined for not buckling up, but recognize that tailers--manage compliance and secure their network infrastructures, data communications and critical information assets. Trustwave is headquartered in Chicago with offices worldwide. For more information, visit https://www.trustwave.com. TOTKO