1: Security & Risk Management

CIA triad
- confidentiality
  - only authorized users have access to resources
  - keeping secrets from prying eyes
  - disclosure attacks undermine confidentiality
- integrity
  - protect information from unauthorized changes
  - alteration attacks undermine integrity
- availability
  - ensure authorized users have access
  - inability to access may impact business
  - denial attacks undermine availability
- controls are aligned with the CIA triad
  - confidentiality
    - access controls: restrict access to sensitive info w/o permission
    - encryption
      - protects info at rest or in transit
      - plaintext → ciphertext
  - integrity
    - ensures that info doesn’t change w/o authorization
    - sources of integrity failures
      - intentional
      - user error
      - hardware/software errors
      - acts of God
    - controls:
      - hashing:
        - creates a message digest from a large file
        - like a fingerprint
        - indicates changes in a file
      - digital signatures:
        - authenticity: recipient can be confident that the message came from the sender
        - non-repudiation: recipient can prove to a third party that the message came from the sender
        - to use:
          - sender:
            - hashes message
            - encrypts the hash w/ private key
          - recipient:
            - decrypts signature w/ public key
            - computes hash
            - compares
  - availability
    - failure causes
      - attackers
      - component failures
      - application failures
      - utility failures
    - redundant controls
      - protect against failures of a single part of a system
    - high availability
      - protect services against a failure of a single server
    - fault tolerance
      - protect services against disruption from small failures
    - OS and application patching act as a control against availability issues
- remember that security provides support services to the org
- security leaders
  - act as SME on CIA for the org
  - also act as business leader that understands the mission, goals, objectives of the org
  - must balance security needs w/ business needs
    - can be difficult
    - watch for exam questions
  - need to justify time and money
  - need to balance security and business
  - need to achieve CIA
  - need to explain to management
- admin tasks are also important to the business
  - budgets
  - meetings
  - employee performance evals
  - etc.
- infosec must align w/ business functions and processes
- governing bodies
  - information governance committee
  - risk management committee
  - board of directors
Integrating security governance
- ensure that governing bodies understand risk and controls
  - inform them of security incidents
  - review audits w/ them
- find a security governance model that fits the org
  - may require integration of security controls
    - security teams must come together to merge
  - may require a separation of controls
    - ties should be cut between orgs
- roles differ between orgs
  - usually the COO or similar position
  - provides oversight
  - funds
  - ensures testing
  - prioritizes business functions → criticality
  - establishes strategy / vision / framework
  - signs off on policy, BIA, documents
  - oversight of the infosec program
  - liaison between
    - management
    - business
    - IT
    - infosec
  - senior-most infosec leader
    - may report to IT org or to the risk management leader
    - leads a team of generalists and specialists
  - functional management
    - determines the “how”
  - the customer
    - determines data classification
  - in the trenches
    - evaluate controls and policies
  - the audit determines compliance
exam tip
auditors should audit and report only! they should not go in and fix issues that they find.
- raise awareness
  - create a security-positive environment
  - teach the “why” of what we are doing
- fulfilling legal requirements and professional best practices
  - taking reasonable measures to investigate security risks
- security controls must cover many different risks
  - this is hard to do, can use security frameworks as a guide
- control frameworks guide security program design
- business-focused control framework (COBIT)
  - six principles
    - Provide Stakeholder Value
    - Holistic Approach
    - Dynamic Governance System
    - Governance Distinct from Management
    - Tailored to Enterprise Needs
    - End-to-End Governance System
- ISO standards contain important guidance
  - ISO 27001: info systems controls objectives
  - ISO 27002: info systems controls implementation
  - ISO 27701: privacy controls
  - ISO 31000: risk management programs
- NIST SP 800-53
  - security and privacy controls
  - mandatory for government agencies
- NIST CSF (Cybersecurity Framework)
  - provides common language for cybersecurity risk
  - helps identify and prioritize actions
  - aligns security actions across control types
  - five functions divided into categories
    - Identify
    - Protect
    - Detect
    - Respond
    - Recover
  - different value for different orgs
    - some use as a reference
    - some follow more rigidly
- types of law
  - criminal law
    - proof beyond a reasonable doubt – makes it hard to prove in a court
    - can involve jail time
  - civil / administrative law
    - preponderance of evidence – a bit easier to prove
    - related to standards, governmental requirements
    - usually monetary penalties
- intellectual property law
  - protects “property of the mind” – ideas, designs, logos, etc.
  - WIPO – run by the UN
  - licensing is a big failure related to intellectual property law
- trade secrets
  - a resource that provides competitive value to an org, ex. McDonald’s “secret sauce”
  - must be obvious and unique
- failure to execute due care / diligence by management can be negligence
  - culpable negligence is often used to prove liability
- prudent man rule
  - perform duties that prudent people would do in a similar situation
- due diligence
  - doing the necessary research
- due care
  - taking the necessary actions
- downstream liabilities
- national, territorial and state laws and regulations protect sensitive info
  - can be tricky: depends on org location, customer location, cloud provider location, etc.
- PCI DSS (Payment Card Industry Data Security Standard)
  - self-regulatory, and applies worldwide to credit card transactions
- work with legal department to resolve jurisdiction issues
- orgs must protect info throughout the data lifecycle
- PII (personally identifiable info)
  - any info that can be traced back to an individual
- PHI (protected health info)
  - individually identifiable health records governed by HIPAA
- GAPP (Generally Accepted Privacy Principles):
  - developed by
    - AICPA
    - CICA
    - ISACA
    - IAA
  - governed by ten principles:
    - Management
    - Notice
    - Choice and Consent
    - Collection
    - Use, Retention and Disposal
    - Access
    - Disclosure to Third Parties
    - Security
    - Quality
    - Monitoring and Enforcement
  - all ten ensure development of a comprehensive info privacy program
- ISO 27018: PII in the cloud
- privacy impact assessments should be done regularly by orgs
- some infosec laws involve criminal penalties
- CFAA (Computer Fraud and Abuse Act)
  - makes hacking illegal
  - prohibits:
    - unauthorized access to computer systems
    - malicious code creation
- ECPA (Electronic Communications Privacy Act)
  - restricts government interception of electronic communications
- ITDA (Identity Theft and Assumption Deterrence Act)
  - makes ID theft a federal crime
- software is important intellectual property
  - it’s protected by software agreements
  - different types based on use
    - individual use
    - amount of data use
    - location of use
    - number of servers in use
  - agreement types
    - negotiated contracts
      - usually many rounds of back-and-forth between org and vendor
    - click-through agreements
      - typically not read
    - shrinkwrap agreements
      - rarely used today
- intellectual property must be protected from unauthorized use
  - copyright
    - protects creative works
    - automatically applied when work is created
      - don’t necessarily have to apply
    - 70 years beyond the creator’s death
      - after 70 years, moves into the public domain
  - trademark
    - protects words and symbols
    - must register
    - renewable every 10 years
    - must be in active use; expires after 5 years of inactivity
    - ™, ® after registered with the government
  - patent
    - protects inventions
    - requirements
      - novel: is it a new idea?
      - useful: is it of value?
      - non-obvious: you can’t patent the wheel!
    - usually protects for 20 years after filing
    - requires public disclosure (through filing documentation)
    - enters into free use after patent expires
  - trade secret
    - alternative to a patent
    - no public disclosure
- countries have restrictions on what can come into and out of the country
- export controls: restrict the flow of goods and data
  - ITAR (International Traffic in Arms Regulations)
    - defense articles
    - plans for defense articles
  - EAR (Export Administration Regulations)
    - covers “dual use” items
    - lasers, GPS, naval equipment, etc.
  - OFAC (Office of Foreign Assets Control)
    - covers restrictions of exports to sanctioned countries
- data breaches
  - consequences
    - reputation damage
    - identity theft
    - fines
  - laws and regulations govern response to breaches
    - industry specs.
      - HIPAA
      - SOX
      - PCI DSS
    - jurisdiction specs.
      - states
      - federal government
      - GDPR
  - common PII elements that can be breached
    - SSN
    - driver’s license
    - bank account #
  - orgs must notify victims and the government
  - encryption can protect the org
    - many notification laws/requirements have an exemption for breached encrypted data
- infosec professionals are bound by codes of ethics
  - org code
  - (ISC)²
    - Preamble
      - The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
      - Therefore, strict adherence to this Code is a condition of certification.
    - Code of Ethics Canons:
      - Protect society, the common good, necessary public trust and confidence, and the infrastructure.
      - Act honorably, honestly, justly, responsibly, and legally.
      - Provide diligent and competent service to principals.
      - Advance and protect the profession.
important
(ISC)² members must report violations of the code of ethics.
- written guidance is crucial to security
- policies
  - foundation of security program
  - compliance is mandatory for all employees
  - approved by highest level of the org
  - not specific — must be able to stand test of time
    - example: “must encrypt all sensitive data,” not “all sensitive data must be encrypted by 3DES”
  - three types:
    - corporate/organization
      - management’s intent
    - system-specific
      - usually for a specific system (i.e. a domain controller)
    - issue-specific
      - change management
        - how to make and track changes. only approved changes are made
      - acceptable use
        - how employees can use company resources
      - privacy
        - expected by employees. if infringed, must be notified.
        - notification is vital and best practice.
      - data/system ownership
        - making clear who owns the system and who owns the data
      - separation of duties
        - no one individual has too much power.
        - forces collusion. if more parties are involved, they are less likely to succeed
      - mandatory vacations
        - detective control. can detect a bad employee - perform an audit while they are out
      - job rotation
        - detective control. similar concept to mandatory vacations. also provides redundancy.
      - least privilege
        - action
      - need-to-know
        - data
      - dual control
        - two people are needed to perform an action
      - M of N control
        - similar concept to dual control but more people. m and n are variables. ex. 4 of 15 admins needed to make a change.
- standards
  - specific details of security controls
  - derive authority from policy
  - less rigorous approval process
  - compliance is mandatory for all employees
  - often draw on benchmarks
    - CIS benchmarks
    - vendor guidelines
- guidelines
  - security advice to the org
  - follow industry best practices
  - not mandatory for all employees
  - “should” not “shall”
- procedures
  - step-by-step processes for activities
  - mandatory or optional
exam tip
policies and standards are mandatory.
guidelines are optional.
procedures can be either mandatory or optional.
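The M of N control from the issue-specific policies above ("4 of 15 admins needed to make a change"), as an added Python example that is not from the notes. It assumes the control is enforced cryptographically with Shamir secret sharing: each admin holds one share of an authorization secret, and the change is approved only when any four shares reconstruct it. The prime, the secret and the admin count are constructed for the example.

```python
import random

# All arithmetic is done modulo a large prime so that fewer than m shares reveal nothing.
PRIME = 2**127 - 1          # a Mersenne prime; secrets must be smaller than this
_rng = random.Random(7)     # seeded so the example is reproducible; real code uses os.urandom


def split_secret(secret, m, n):
    """Split `secret` into n shares such that any m of them reconstruct it (Shamir's scheme)."""
    if not 1 <= m <= n or not 0 <= secret < PRIME:
        raise ValueError("need 1 <= m <= n and 0 <= secret < PRIME")
    # A random polynomial of degree m-1 whose constant term is the secret.
    coeffs = [secret] + [_rng.randrange(PRIME) for _ in range(m - 1)]

    def poly(x):
        return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME

    return [(x, poly(x)) for x in range(1, n + 1)]   # share for admin 1..n


def recover_secret(shares):
    """Lagrange interpolation at x=0. Correct only when at least m genuine shares are supplied."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def authorize_change(presented_shares, m, expected_secret):
    """M-of-N control: approve only if m distinct admins presented shares that rebuild the secret.
    Duplicate shares are collapsed; a missing or forged share makes the interpolation miss,
    so the check fails closed."""
    distinct = dict(presented_shares)          # x -> y, one share per admin
    if len(distinct) < m:
        return False
    return recover_secret(list(distinct.items())) == expected_secret


AUTH_SECRET = 0x5EC12E7                      # constructed authorization secret
SHARES = split_secret(AUTH_SECRET, 4, 15)    # 4 of 15 admins, as in the notes' example


def demo():
    quorum = [SHARES[0], SHARES[4], SHARES[9], SHARES[14]]   # four admins present
    return (authorize_change(quorum, 4, AUTH_SECRET),        # approved
            authorize_change(quorum[:3], 4, AUTH_SECRET))    # three admins: refused


if __name__ == "__main__":
    print(demo())
```

Three shares do not merely fail the quorum count: interpolating them yields an unrelated value, so the secret is not partially exposed. The same code with m = 2 and n = 2 is dual control.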
- Data Security Policy
  - crucial component of cybersec.
  - foundational authority for data security efforts
  - sets clear expectations for data security responsibility
  - guidance for requesting access to data
  - process for granting exceptions to policy
- Data Storage Policy
  - appropriate storage locations
  - access control requirements
  - encryption requirements
- Data Transfer Policy
  - what data can be transferred
  - transport encryption requirements
  - acceptable transfer mechanisms
- Data Retention Policy
  - minimum/maximum periods that org will retain different data
  - keep data as long as needed, but no longer
- Data Disposal Policy
  - proper techniques for disposing of data
- Cloud Use Policy
  - what data can be moved / stored in the cloud
  - how the org approves cloud use
- business continuity planning (BCP)
  - core responsibility of cybersec professionals
  - controls are designed to keep business running in the face of adversity
  - sometimes called COOP (continuity of operations plan)
  - primary control for maintaining availability
  - scope
    - what business activities should be covered?
    - what systems should be covered?
    - what controls should be considered?
  - business impact analysis (BIA)
    - goal
      - identify and prioritize risk
    - results
      - list of risks and ALE
  - BCP in the cloud is a partnership between the org and cloud provider
- redundancy protects against a failure of a single component
- single point of failure (SPOF) analysis
  - identifies and removes SPOFs
  - examples:
    - web server → replace w/ cluster
    - firewall → add another for high availability pair
  - continues until cost of addressing risk outweighs benefits of implementing fix
  - analysis should consider multiple risks
  - remember to perform succession planning for staff as well
    - who would replace someone if they left?
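The SPOF analysis described above, as an added Python example (not from the notes). It models the infrastructure as a list of links between components and asks, for each component, whether taking it down alone cuts users off from the application data; the topology, component names and the "after" design that applies the notes' two fixes (web server to cluster, firewall to HA pair) are all constructed.

```python
from collections import deque


def reachable(edges, source, sink, removed=frozenset()):
    """Breadth-first search: is `sink` still reachable from `source` with `removed` components down?"""
    adjacent = {}
    for a, b in edges:
        if a in removed or b in removed:
            continue
        adjacent.setdefault(a, set()).add(b)
        adjacent.setdefault(b, set()).add(a)
    seen, queue = {source}, deque([source])
    while queue:
        node = queue.popleft()
        if node == sink:
            return True
        for nxt in adjacent.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def single_points_of_failure(edges, source, sink):
    """Every component (other than the endpoints) whose loss alone cuts source off from sink."""
    components = {n for edge in edges for n in edge} - {source, sink}
    return sorted(c for c in components if not reachable(edges, source, sink, {c}))


# Constructed topology: two ISP links, one firewall, one web server, a two-node database.
BEFORE = [
    ("users", "isp1"), ("users", "isp2"), ("isp1", "fw1"), ("isp2", "fw1"),
    ("fw1", "web1"), ("web1", "db1"), ("web1", "db2"),
    ("db1", "app-data"), ("db2", "app-data"),
]

# After the notes' fixes: firewall -> HA pair, web server -> cluster, fully cross-connected.
AFTER = [
    ("users", "isp1"), ("users", "isp2"),
    ("isp1", "fw1"), ("isp1", "fw2"), ("isp2", "fw1"), ("isp2", "fw2"),
    ("fw1", "web1"), ("fw1", "web2"), ("fw2", "web1"), ("fw2", "web2"),
    ("web1", "db1"), ("web1", "db2"), ("web2", "db1"), ("web2", "db2"),
    ("db1", "app-data"), ("db2", "app-data"),
]


def demo():
    return (single_points_of_failure(BEFORE, "users", "app-data"),
            single_points_of_failure(AFTER, "users", "app-data"))


if __name__ == "__main__":
    print(demo())
```

The function only considers one failure at a time; rerunning it with a two-element `removed` set answers the notes' point that the analysis should consider multiple risks, and feeding it a list of who depends on whom instead of servers gives the staff succession check.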
- fault tolerance
  - multiple systems protect against a service failure
  - protect services against disruption from small failures
  - spreads demand across systems
  - power supplies
    - moving parts (fans, etc.)
    - high failure rates
    - can be redundant
      - two PSUs on one server
      - data centers can use multiple power suppliers
  - storage
    - RAID
      - RAID-1: stores same data on two disks
      - RAID-5: data striping with parity, 3+ disks
      - RAID provides fault tolerance; it is not a backup plan
  - networking
    - multiple ISPs
    - NIC teaming
    - redundant networking
    - multi-path networking (especially storage)
  - use diverse…
    - technologies
    - vendors
    - cryptography
    - security controls
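The RAID-5 point above (striping with parity, survives one disk, but is not a backup), as an added Python example that is not from the notes. It stripes a byte string across three simulated disks with rotating XOR parity, rebuilds a lost disk, and then shows that a mistaken overwrite is striped just as faithfully; disk count, block size and payload are constructed.

```python
def xor_blocks(*blocks):
    """Bitwise XOR of equal-length byte strings: the parity operation."""
    out = bytearray(blocks[0])
    for blk in blocks[1:]:
        for i, b in enumerate(blk):
            out[i] ^= b
    return bytes(out)


def raid5_write(data, disks=3, block=4):
    """Stripe `data` over `disks` drives, one parity block per stripe, parity position rotating."""
    if disks < 3:
        raise ValueError("RAID-5 needs at least three disks")
    per_stripe = block * (disks - 1)
    data = data + b"\0" * ((-len(data)) % per_stripe)      # pad to whole stripes
    drives = [[] for _ in range(disks)]
    for s in range(len(data) // per_stripe):
        chunk = data[s * per_stripe:(s + 1) * per_stripe]
        blocks = [chunk[i * block:(i + 1) * block] for i in range(disks - 1)]
        blocks.insert(s % disks, xor_blocks(*blocks))      # parity = XOR of the data blocks
        for d in range(disks):
            drives[d].append(blocks[d])
    return drives


def raid5_read(drives, length, failed=None):
    """Reassemble the data. If drive index `failed` is down, rebuild each of its blocks
    as the XOR of the surviving blocks in the same stripe."""
    disks = len(drives)
    out = bytearray()
    for s in range(len(drives[0])):
        blocks = [None if d == failed else drives[d][s] for d in range(disks)]
        if failed is not None:
            blocks[failed] = xor_blocks(*(b for b in blocks if b is not None))
        out += b"".join(b for d, b in enumerate(blocks) if d != s % disks)
    return bytes(out[:length])


DATA = b"RAID tolerates one disk failure"   # constructed payload


def demo():
    drives = raid5_write(DATA)
    survives_failure = raid5_read(drives, len(DATA), failed=1) == DATA
    # A mistaken overwrite lands on every disk: RAID keeps no earlier copy to restore from.
    overwritten = raid5_write(b"\0" * len(DATA))
    still_recoverable = raid5_read(overwritten, len(DATA)) == DATA
    return survives_failure, still_recoverable


if __name__ == "__main__":
    print(demo())
```

Reading with any single `failed` index returns the original data; a second failed disk, or a logical error such as deletion or ransomware encryption, is outside what parity can undo, which is why backups remain a separate control.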
- personnel security
  - important part of the foundation of security
  - security program should be built around it
  - handle security policy violations carefully
    - never handle alone w/o HR, legal, management
  - question to ask: what personal use of org resources is acceptable on the org network w/ org data?
  - education is the best defense against social engineering attacks
  - insider threats are significant
    - 25% of data breaches are from an insider
    - defense
      - background investigation
      - monitoring
      - manager training
      - data loss prevention
  - hiring is an important decision
    - poses a significant threat to the org re: insider threats
    - pre-employment screening of new employees prior to hiring
      - criminal record check
      - sex offender registry
      - reference checks
      - education and employment history verification
      - credit check
        - will need candidate consent
    - should include an NDA
    - should include provisions for asset return
    - include security policy in new hire training and orientation
  - ensure that vendors / contractors / consultants are subject to a similarly rigorous personnel security program
  - role changes
    - should be trained on new security requirements of new position
    - old privileges should be revoked
  - termination
    - all employees will leave
      - voluntarily
      - retirement
      - firings
    - exit interviews are a good tool for gathering info and to debrief employees
      - remind them of their NDA
    - access should be revoked promptly… but not prematurely
      - voluntary/retirement: end of their last day
      - involuntary
        - too soon: show your hand and they will know that they are getting canned
        - too late: disgruntled employee will still have access
    - retrieving property — do so as quickly as possible, likely not to get items back after they are gone
      - keys
      - access badge
      - laptop
      - papers / electronic documents
- employee privacy
  - orgs collect sensitive info about employees
    - sensitive personal info:
      - background check results
      - SSN
      - salary and pay details
      - health / benefits info
  - orgs have a legal and ethical responsibility to protect that info
  - protection is achieved by:
    - minimization
      - collect the minimal amount of info about an employee
      - keep that info for the shortest amount of time needed
    - limited access
      - as few employees as possible should have access to sensitive employee info
    - encryption
    - masking
      - removing portions of sensitive data
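Minimization, limited access and masking from the employee-privacy list above, as an added Python example that is not from the notes. The field schema, the role policy (which roles see which fields, and which may see a sensitive field unmasked) and the onboarding form are constructed; encryption at rest is left to the storage layer and not shown.

```python
SENSITIVE_FIELDS = {"ssn", "bank_account"}
# Minimization: the only fields the org actually needs to keep (constructed schema).
SCHEMA = {"employee_id", "name", "ssn", "bank_account", "salary"}

# Limited access: role -> (fields the role may see, sensitive fields it may see unmasked).
# Constructed policy: payroll needs the full account number to pay people but never the full SSN.
ROLE_VIEW = {
    "payroll":   (SCHEMA, {"bank_account"}),
    "manager":   ({"employee_id", "name", "salary"}, set()),
    "directory": ({"employee_id", "name"}, set()),
}


def minimize(submitted):
    """Drop every field outside the schema before the record is stored."""
    return {k: v for k, v in submitted.items() if k in SCHEMA}


def mask(value, keep_last=4, char="*"):
    """Masking: hide all but the last `keep_last` alphanumeric characters; separators stay in place."""
    out, kept = [], 0
    for ch in reversed(value):
        if not ch.isalnum():
            out.append(ch)
        elif kept < keep_last:
            out.append(ch)
            kept += 1
        else:
            out.append(char)
    return "".join(reversed(out))


def view_for_role(record, role):
    """Return only the fields this role may see, masking sensitive ones unless the
    role is explicitly allowed the full value. Unknown roles get nothing."""
    if role not in ROLE_VIEW:
        raise PermissionError(f"unknown role {role!r}")
    allowed, unmasked = ROLE_VIEW[role]
    view = {}
    for field in allowed:
        if field not in record:
            continue
        value = record[field]
        if field in SENSITIVE_FIELDS and field not in unmasked:
            value = mask(value)
        view[field] = value
    return view


# Constructed onboarding form: marital status and recruiter notes are not needed and are dropped.
FORM = {
    "employee_id": "E1042", "name": "Ada Example", "ssn": "123-45-6789",
    "bank_account": "GB29NWBK60161331926819", "salary": 92000,
    "marital_status": "married", "recruiter_notes": "strong candidate",
}
RECORD = minimize(FORM)


if __name__ == "__main__":
    for role in ROLE_VIEW:
        print(role, view_for_role(RECORD, role))
```

Masking keeps enough of the value for a human to confirm identity ("does this end in 6789?") without exposing the whole identifier, so the masked view is what most screens and reports should receive.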
- social media
  - social media can be a valuable business tool
    - outreach
    - advertising
    - recruiting
  - many attacks target legitimate accounts
    - accounts should be protected
    - use MFA
  - offer post approval flow
  - can schedule posts
  - offer comment management and moderation
  - stats on engagement
  - orgs should evaluate social media carefully
    - treat like a cloud service
  - orgs should adopt a social media policy
    - cover personal use
    - official stances
- security professionals often conduct investigations
  - operational investigations
    - seek to resolve technical issues
    - seek to restore normal operations
    - have a low standard of evidence
    - should end with a root cause analysis
  - criminal investigations
    - look into possible crimes
    - involve fines / jail time
    - use the “beyond a reasonable doubt” standard
  - civil investigations
    - resolve issues between two parties
    - no fines / jail time
    - use the “preponderance of evidence” standard
  - regulatory investigations
    - conducted by government or industry regulators
    - may be civil or criminal in nature
  - interviews are a valuable tool for investigations
    - should always be voluntary
    - involuntary interviews are an interrogation — this should be left to law enforcement
- risk identification
  - identify…
    - assets
    - threats
    - existing controls
    - vulnerabilities
    - consequences
  - feeds ↓ into the risk assessment process
  - look at:
    - risk documentation
    - incident reports
    - SMEs
    - media
  - need to understand the business
    - risk is measured by the business, not the IT system
    - risk context – every org is different
    - risk management framework/strategy is universal throughout the org!
  - there are three lines of defense:
    - senior management
    - users
    - audit
- risk assessment
  - orgs face a wide variety of cybersecurity risks
  - addressing these risks takes time and money
  - risk assessment identifies and prioritizes risks to make best use of time and money
- risk terminology
  - asset
    - anything of value to the organization
  - threat
    - external force that jeopardizes security
    - out of the org’s control
  - threat agent
    - an actor who carries out an attack
  - exploit
    - an instance of compromise
  - threat vector
    - way that an external force gains access to a system
  - vulnerability
    - weakness in a security control
    - a lack of a safeguard
    - org can control
  - risk
    - a combination of a vulnerability and a corresponding threat
    - the probability/likelihood of a threat occurring
  - total risk
    - risk before any controls
  - residual risk
    - leftover risk after controls are implemented
  - secondary risk
    - when one risk response triggers another
  - controls
    - physical, administrative or technical protections against a threat
    - safeguard
      - proactive
    - countermeasure
      - reactive
  - incident
    - a risk event that has happened
- risk should be prioritized by likelihood and impact:
  - likelihood
    - probability that a risk will occur
  - impact
    - amount of damage expected
  - qualitative
    - subjective judgement to evaluate risk likelihood and impact
  - quantitative
    - objective numeric value
- qualitative risk assessment
  - subjective analysis to help prioritize probability and impact of risk
  - can use the Delphi technique to measure
    - using anonymous surveys
  - uses terms like: high, medium, low
  - inexpensive / quick way to begin prioritization of risks
- quantitative risk assessment
  - aids in data-driven decision making
  - perform quantitative risk assessment for a single risk and asset
  - asset value (AV)
    - dollar value of an asset
    - techniques for determining
      - original cost
      - depreciated cost (an accounting favorite)
      - replacement cost (a risk manager’s favorite)
  - exposure factor (EF)
    - expected percentage damage to an asset
  - single loss expectancy (SLE)
    - expected dollar loss if a risk materializes one time
    - SLE = AV × EF
  - annualized rate of occurrence (ARO)
    - number of times a risk is expected to occur each year
    - can be a decimal if not expected annually
    - ex.: once every 20 years = 0.05 ARO
  - annualized loss expectancy (ALE)
    - expected dollar loss in any given year
    - ALE = SLE × ARO
- time to restore a service depends on whether a component is repairable
  - mean time to failure (MTTF)
    - average time a non-repairable component will last
  - mean time between failures (MTBF)
    - average time gap between failures of a repairable component
  - mean time to repair (MTTR)
    - average time to return a repairable component to service
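The quantitative formulas above (SLE = AV × EF, ALE = SLE × ARO) carried through to the decision they exist to support, as an added Python example that is not from the notes. It also adds the cost/benefit figure for a control (ALE before minus ALE after minus the control's annual cost) and the steady-state availability formula from MTBF and MTTR; the flood scenario, asset value and candidate controls are constructed.

```python
def sle(asset_value, exposure_factor):
    """Single loss expectancy: SLE = AV x EF, dollars lost in one occurrence."""
    return round(asset_value * exposure_factor, 2)


def aro(years_between_occurrences):
    """Annualized rate of occurrence from an expected interval: once every 20 years -> 0.05."""
    return 1 / years_between_occurrences


def ale(sle_value, aro_value):
    """Annualized loss expectancy: ALE = SLE x ARO."""
    return round(sle_value * aro_value, 2)


def safeguard_value(ale_before, ale_after, annual_control_cost):
    """Cost/benefit of a control: ALE reduction minus what the control costs per year.
    Negative means the control costs more than the loss it prevents, the case the notes
    describe under 'accept'."""
    return round(ale_before - ale_after - annual_control_cost, 2)


def availability(mtbf, mttr):
    """Steady-state availability of a repairable component (added formula, not in the notes)."""
    return mtbf / (mtbf + mttr)


# Constructed scenario: a flood at a $2M data center, expected once in 20 years, destroying 25%.
RISK = {"asset_value": 2_000_000, "exposure_factor": 0.25, "years_between": 20}
CONTROLS = [
    {"name": "flood barriers", "annual_cost": 8_000, "exposure_factor": 0.05, "years_between": 20},
    {"name": "relocate data center", "annual_cost": 40_000, "exposure_factor": 0.25, "years_between": 200},
]


def evaluate(risk, controls):
    """Return (ALE with no control, [(control name, annual safeguard value), ...])."""
    base = ale(sle(risk["asset_value"], risk["exposure_factor"]), aro(risk["years_between"]))
    results = []
    for c in controls:
        after = ale(sle(risk["asset_value"], c["exposure_factor"]), aro(c["years_between"]))
        results.append((c["name"], safeguard_value(base, after, c["annual_cost"])))
    return base, results


def recommend(risk, controls):
    """Pick the control with the highest positive safeguard value, or 'accept' if none pays for itself."""
    _, results = evaluate(risk, controls)
    name, value = max(results, key=lambda r: r[1])
    return name if value > 0 else "accept"


if __name__ == "__main__":
    print(evaluate(RISK, CONTROLS), recommend(RISK, CONTROLS))
    print(f"availability at MTBF 2000h / MTTR 4h: {availability(2000, 4):.4%}")
```

Here the base ALE is $25,000; barriers cut it to $5,000 for $8,000 a year (worth $12,000), while relocation cuts it to $2,500 but costs $40,000, so on these numbers relocation would be rejected and, if it were the only option, the risk accepted.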
- risk management and treatment
  - systematic analysis of potential responses to each risk
  - implementing strategies to control those risks
  - risk profile
    - the full set of risks facing an org
  - inherent, residual and control risk
    - inherent → control applied → residual + control
  - risk appetite
    - how much risk an org is willing to accept
    - control + residual risk ≤ risk appetite
- risk treatment options
  - mitigate
    - lessen the probability or the impact of risk
    - may require several controls
    - reducing risk to zero is avoiding the risk
    - reduce the likelihood or impact of a risk
  - transfer
    - shift the impact of risk to another org
    - insurance policy
    - SLAs and contracts determine how much risk is transferred
    - can’t transfer risk completely
remember:
you can’t transfer liability!
  - accept
    - accept risk w/o taking further action
    - no mitigation
    - after cost/benefit analysis, cost of the control is determined to be more than the cost of the potential loss
    - sometimes this is the only choice
    - due diligence is still used; we can show that good business decisions were made
    - risk levels and impacts are changing – regular reviews are needed on accepted risk
    - only after thoughtful analysis
  - ignoring the risk
    - not acceptable
    - ignoring the problem… putting your head in the sand
- risk monitoring
  - risk response is based on a risk assessment at a set point in time
  - risk is ever-changing
    - controls can become less effective
    - there are new threats, technology, vulnerabilities
  - monitoring is needed
- key risk indicators (KRIs)
  - early warning
  - backwards-looking view on risk events
  - documentation and analysis of trends
  - indicates risk appetite / tolerance
  - increase likelihood of achieving strategic objectives
  - assist in risk governance
  - KRIs support:
    - risk appetite
    - risk identification
    - risk mitigation
    - risk culture of the org
    - risk measurement / reporting
    - regulatory compliance
Risk must be managed because it can’t be eliminated!
- security controls
  - procedures and mechanisms that an org uses to manage security risks
- defense-in-depth
  - multiple controls for one objective
- controls can be categorized by purpose or mechanism of action
  - purpose
    - preventative controls
      - stop a security issue from happening in the first place
      - ex. fences, gates, firewalls
    - detective controls
      - identify a potential security issue that has already happened
      - ex. log reviews, CCTV reviews
    - corrective controls
      - remediate a security issue that has occurred
      - ex. AV software
  - mechanism of action
    - technical controls
      - use technology to achieve security control objectives
    - operational controls
      - human-driven procedures to manage technology in a secure manner
    - management controls
      - improve the security of the risk management program itself
exam tip
technical controls are implemented by technology.
operational controls are implemented by people.
- false positives and negatives
  - false positive
    - control inadvertently triggers when it shouldn’t
    - reduces confidence in the control
  - false negative
    - control fails to trigger when it should
    - gives admins a false sense of confidence
- risk control assessments only look at a single point in time
- control assessments test controls’ effectiveness
- ways to measure control effectiveness
  - compromised end-user accounts
  - vulnerabilities in public-facing systems
  - critical findings in web application scans
  - number of data breaches requiring notification
- risk management maturity model
  - assesses the state of a risk management program
  - five levels of maturity
    - Ad hoc
    - Initial
    - Repeatable
    - Managed
    - Leadership
- security programs should embrace continuous improvement
- security frameworks provide proven, time-tested techniques
  - risk management framework (RMF)
    - inputs:
      - architectural description
      - organizational inputs
    - steps:
      - categorize the info system
      - select security controls
      - implement security controls
      - assess security controls
      - authorize info system
      - monitor security controls
- orgs need to document and track risk over time
- risk register
  - tracks risk information
  - can be organization-wide or system-specific
  - contains the nature and status of risk
  - contents
    - description
    - category
    - probability / impact
    - risk rating
    - risk management actions taken
  - sources
    - audit findings
    - team members
    - threat intelligence
  - threat intel
    - sharing of risk info
    - may be used strategically or operationally
- risk matrices / heatmaps
  - used to provide easily digestible information to sr. management
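A risk register with the contents listed above (description, category, probability/impact, rating, actions taken, source) and the heatmap built from it, as an added Python example that is not from the notes. The three-level scale, the rating formula (probability × impact on a 1-3 scale) and the four register entries are constructed.

```python
from dataclasses import dataclass, field

LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass
class RiskEntry:
    description: str
    category: str
    probability: str            # low / medium / high
    impact: str                 # low / medium / high
    source: str                 # audit findings, team members, threat intelligence, ...
    actions: list = field(default_factory=list)   # risk management actions taken

    @property
    def rating(self):
        """Risk rating used to order the register: probability x impact on a 1-3 scale (constructed)."""
        return LEVEL[self.probability] * LEVEL[self.impact]


# Constructed register entries.
REGISTER = [
    RiskEntry("ransomware reaches file servers", "malware", "high", "high",
              "threat intelligence", ["offline backups", "EDR rollout"]),
    RiskEntry("expired TLS certificate on customer portal", "availability", "medium", "medium",
              "audit findings", ["certificate expiry monitoring"]),
    RiskEntry("departing admin retains VPN access", "insider", "low", "high",
              "team members", ["offboarding checklist"]),
    RiskEntry("phishing of finance staff", "social engineering", "high", "medium",
              "incident reports", ["phishing simulations"]),
]


def prioritized(register):
    """Highest-rated risks first: the order in which treatment decisions get made."""
    return sorted(register, key=lambda r: r.rating, reverse=True)


def heatmap_counts(register):
    """Number of risks in each (probability, impact) cell."""
    counts = {}
    for r in register:
        key = (r.probability, r.impact)
        counts[key] = counts.get(key, 0) + 1
    return counts


def render_heatmap(register):
    """Text heatmap for senior management: rows = impact (high at top), columns = probability."""
    counts = heatmap_counts(register)
    levels = ["low", "medium", "high"]
    header = "impact \\ probability" + "".join(f"{p:>9}" for p in levels)
    lines = [header]
    for imp in reversed(levels):
        cells = "".join(f"{counts.get((p, imp), 0):>9}" for p in levels)
        lines.append(f"{imp:<20}{cells}")
    return "\n".join(lines)


if __name__ == "__main__":
    for r in prioritized(REGISTER):
        print(r.rating, r.description, "<-", r.source)
    print(render_heatmap(REGISTER))
```

The top-right cell of the heatmap (high probability, high impact) is where management attention goes first; the register row behind each cell carries the actions taken, so the same structure serves both the detailed and the summary view the notes describe.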
- threat intelligence
  - set of activities that an org takes to…
    - educate itself about the threat landscape
    - adapt security controls to threats
  - allows the security team to stay current on cybersec threats
  - uses publicly available info from various open sources
    - security websites
    - vulnerability databases
    - news media
    - social media
    - dark web
    - info sharing centers
    - file repos
    - code repos
    - security researchers
  - many security companies offer proprietary threat intel solutions
    - these solutions may feed into firewalls, proxy servers, IDSs, etc.
    - criteria for evaluating these solutions
      - timeliness
      - accuracy
      - reliability
    - use TAXII, STIX, CybOX
  - functions supported by intelligence:
    - incident response
    - vulnerability management
    - risk management
    - security engineering
    - detection and monitoring
  - Information Sharing and Analysis Centers (ISACs)
    - bring together teams from competing businesses to share intelligence
    - usually non-profit organizations
- threat modeling identifies and prioritizes threats
  - use a structured approach for identification
    - asset-focused
      - use asset inventory for basis
    - threat-focused
      - identify specific threats that may affect each info system
    - service-focused
      - identify impact of threats on a specific service
- threat hunting
  - cybersec used to see its role as building an impenetrable defense
    - that’s a naïve approach
    - need to make the “assumption of compromise”
  - organized, systematic approach to seeking out indicators of compromise using expertise and analytic techniques
  - threat hunters must think like an attacker
  - develop a hypothesis, then go hunting
  - indicators of compromise
    - unusual binary files
    - unexpected processes running or system consumption (CPU, RAM)
    - deviation in network traffic
    - unexplained log entries
    - unapproved configuration changes
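The five indicators of compromise listed above turned into one hunt over a host snapshot, as an added Python example that is not from the notes. The hypothesis is "this host has drifted from its verified baseline"; the baseline, the snapshot, the hashes (computed from constructed strings), the log lines and the thresholds are all constructed.

```python
import hashlib
import statistics


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed known-good baseline, captured when the host was last verified.
BASELINE = {
    "binaries": {"/usr/sbin/sshd": sha256(b"sshd build 9.3"), "/usr/bin/curl": sha256(b"curl build 8.1")},
    "processes": {"sshd", "nginx", "postgres", "cron"},
    "cpu_alert_percent": 80.0,
    "config": {"/etc/ssh/sshd_config": {"PermitRootLogin": "no", "PasswordAuthentication": "no"}},
    "egress_mb_per_hour": [210, 190, 230, 205, 220, 195, 215],   # last week's hourly averages
    "allowed_auth": {"methods": {"publickey"}, "users": {"deploy", "ops"}},
}

# Constructed snapshot collected during the hunt.
SNAPSHOT = {
    "binaries": {"/usr/sbin/sshd": sha256(b"sshd build 9.3"), "/usr/bin/curl": sha256(b"curl build 8.1 patched")},
    "processes": {"sshd", "nginx", "postgres", "cron", "upd8r"},
    "cpu_percent": {"upd8r": 96.0, "postgres": 12.0},
    "config": {"/etc/ssh/sshd_config": {"PermitRootLogin": "yes", "PasswordAuthentication": "no"}},
    "egress_mb_per_hour": 1450,
    "log_lines": [
        "sshd[1042]: Accepted publickey for deploy from 10.0.0.5 port 52110 ssh2",
        "sshd[1101]: Accepted password for root from 198.51.100.7 port 40022 ssh2",
    ],
}


def hunt(baseline, snapshot):
    """Compare a host snapshot against its baseline; return (indicator, detail) findings,
    one check per indicator type in the notes."""
    findings = []
    # unusual binary files: hash drift on a known executable
    for path, digest in snapshot["binaries"].items():
        if baseline["binaries"].get(path) != digest:
            findings.append(("unusual binary", path))
    # unexpected processes, and system consumption above the alert line
    for proc in sorted(snapshot["processes"] - baseline["processes"]):
        findings.append(("unexpected process", proc))
    for proc, cpu in snapshot["cpu_percent"].items():
        if cpu > baseline["cpu_alert_percent"]:
            findings.append(("high CPU", f"{proc} at {cpu:.0f}%"))
    # deviation in network traffic: z-score against the weekly baseline
    mean = statistics.mean(baseline["egress_mb_per_hour"])
    stdev = statistics.stdev(baseline["egress_mb_per_hour"])
    z = (snapshot["egress_mb_per_hour"] - mean) / stdev
    if abs(z) > 3:
        findings.append(("network deviation", f"egress {snapshot['egress_mb_per_hour']} MB/h, z={z:.1f}"))
    # unexplained log entries: logins the baseline policy should not permit
    for line in snapshot["log_lines"]:
        words = line.split()
        if "Accepted" in words:
            method = words[words.index("Accepted") + 1]
            user = words[words.index("for") + 1]
            if method not in baseline["allowed_auth"]["methods"] or user not in baseline["allowed_auth"]["users"]:
                findings.append(("unexplained log entry", line))
    # unapproved configuration changes
    for path, settings in snapshot["config"].items():
        for key, value in settings.items():
            if baseline["config"].get(path, {}).get(key) != value:
                findings.append(("unapproved config change", f"{path}: {key} -> {value}"))
    return findings


if __name__ == "__main__":
    for indicator, detail in hunt(BASELINE, SNAPSHOT):
        print(f"{indicator:<26} {detail}")
```

Each finding on its own could have an innocent explanation (a patched binary, a busy job); the hunt's value is that the config change and the password login for root corroborate each other, which is what turns a hypothesis into an incident to hand to response.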
- vendor management
  - vendors play a crucial role in the IT supply chain
  - business partner due diligence
    - security professionals should pay attention to business partnerships to protect CIA
    - ensure that vendors’ security policies are at least on par with the org’s
  - vendor lifecycle
    - Vendor selection
      - may be formal (using an RFP)
      - may be informal
      - should include…
        - security requirements
        - assessment of vendor’s risk management policies
    - Vendor onboarding
      - verify contract details
      - arrange for secure data transfer
      - establish incident procedures
    - Vendor monitoring
      - conduct site visits
      - review independent audits
      - handle security incidents
    - Vendor offboarding
      - destroy confidential info
      - unwind business relationship
    - may start process again w/ same or different vendor
  - ISO 27036: infosec for supplier relationships
  - agreements help facilitate vendor relationships
    - NDAs protect confidential info
    - service level requirements (SLRs)
      - describe requirements of vendor’s services
      - examples:
        - response time
        - availability
        - data preservation
      - SLRs should be documented in an SLA
    - other agreement types
      - MOU: memorandum of understanding
      - BPA: business partnership agreement
      - ISA: interconnection service agreement
      - MSA: master service agreement
      - SOW: statement of work
    - agreements should
      - document security and compliance requirements
      - facilitate customer monitoring of compliance
      - ensure the right of audit and assessment
      - contain clear data ownership language
        - customer should retain uninhibited ownership of their data
        - vendor’s right to data use should be limited to…
          - activities performed on behalf of the customer
          - activities performed with the customer’s consent
      - limit data sharing with third parties
      - include data protection provisions
- security assessments and audits
  - verify that security controls function properly
  - evaluate security controls
  - provide a report
  - should always begin with a planning process
    - outlines scope of engagement
    - timeline for completion
    - expected deliverables
    - reduces the likelihood of misunderstandings later
  - assessments vs. audits
    - assessment
      - usually requested internally
        - IT staff, management, etc.
    - audit
      - often imposed by external requirements
        - board of directors, regulators, etc.
  - internal vs. external auditors
    - internal auditors
      - work for the org
      - report independently from area being audited
      - work at the request of org leadership
    - external auditors
      - independent firms
      - work at the request of external groups (board, regulators)
  - audits should always have clearly defined scopes
  - user access reviews
    - validate rights and permissions of users’ accounts
  - gap analysis
    - provides a roadmap of future work
    - provides a list of controls that are missing or not functioning
- auditing cloud services
  - cloud service use adds complexity to audits and assessments
  - use of cloud services expands audit scope
  - not possible to physically do
    - can’t visit every location that a cloud provider maintains
    - cloud providers couldn’t keep up with audit requests from all of their customers
  - must rely on SOC reports
    - system and org controls (SOC)
    - covered by SSAE 18 in the US
    - covered by ISAE 3402 internationally

| SOC 1 | SOC 2 | SOC 3 |
|---|---|---|
| assurance required for customer financial audits | detailed assurance of CIA controls | high-level public reporting of CIA controls |

| Type I | Type II |
|---|---|
| describes controls that are in place and the suitability of those controls | describes controls that are in place and the suitability of those controls, and results of control testing by the auditor |
- managed service providers (MSPs)
  - offer managed IT services to customers
- managed security service providers (MSSPs)
  - offer managed IT security services to customers
  - if used, must be carefully monitored and documented
  - examples of services offered
    - management of entire security infrastructure
    - monitoring of system logs
    - management of firewalls and network security
    - performance of IAM
exam tip
MSSPs may also be referred to as security as a service (SECaaS)
- cloud access security brokers (CASBs)
  - add a third-party security layer between an org and their cloud service provider
  - network-based CASBs
    - intercept network traffic between the org and cloud
    - monitor traffic for security issues
    - can block access if an issue is discovered
  - API-based CASBs
    - query the cloud service by API and monitor
    - may be limited by API access and what information is available from the API
- train your people
  - … through awareness, training and education
  - the goal is to modify employee behavior
  - security training programs help educate users about risks
  - users can’t follow procedures and rules if they don’t know about them
  - can increase reporting after training… because users now have knowledge of procedures and how to report issues
  - provides users with detailed info about how to protect the org’s info
  - security training methods
    - in-person classes
    - integration into orientation and onboarding
    - online learning
    - vendor-provided classroom training
  - should use a diversity of training techniques
    - phishing simulations
    - gamification
    - capture-the-flag events
    - security champions that share cybersec messages w/ peers
  - training should be customized based on user roles
  - training frequency
    - initial training during onboarding
    - updated training when users change roles
    - annual refreshers
    - awareness campaigns during the year
  - remember to review training materials periodically to ensure relevancy
    - reminders of lessons learned to keep training in mind
- compliance
  - orgs often face external requirements to implement security controls
  - compliance programs
    - ensure that org’s infosec controls are consistent w/ laws/regs/standards that govern the org
  - compliance obligations should be a part of security training
  - begin compliance efforts with gap analysis
- security training should educate users on good security practices
  - secure password practices
  - clean desk policies
  - data handling practices
  - reminders of NDA terms
  - physical security
    - reminders about tailgating
  - BYOD policy
  - acceptable use
    - security policy
    - acceptable use policy
    - violations
    - social media policies
    - peer-to-peer network policies
- should measure the effectiveness of security training/awareness efforts
  - simulated phishing
    - directly measures user awareness
  - security awareness surveys
    - measures awareness over time
  - can use results to change training and tactics as needed