Security Awareness - Many Audiences, Many Messages (Part 2)
Last month, I posted a diary titled "The Many Paths to Security Awareness", which discussed various job positions, what motivates people in those jobs, and what messages you might use to take advantage of those motivators. The end goal is that, when faced with a security-related decision, you see a move in the positive direction. As a security professional, you want people in your organization or your customers' organizations to "make the right choice" when they're put on the spot.
First of all, I'd like to thank everyone very much for participating in the survey that was part of the original story. I used the survey results, along with interviews and my own experience, to write a paper on this topic (one of my last requirements for my sans.edu master's degree!). You can find the paper here ==> http://www.sans.edu/resources/student_projects/ , along with a presentation that summarizes the information. The presentation got posted as a PDF, so the nifty PowerPoint animations don't work, but the message is all there.
There were lots of things in the results that you'd expect - for instance, CEOs are motivated by regulatory compliance, avoiding lawsuits and shareholder value - but some of the results were a bit of a surprise:
When I started this, I had thought that protection of Intellectual Property (IP) would be of primary concern to Engineers and others who actually create said IP. However, what I found was that, more and more, the value of IP is being given a real dollar value, and any compromise of IP is being worked into corporate risk assessments. So protection of IP is now on the radar of lots of CEOs, and protection of IP can be used to influence security decisions at that level.
Folks in a Helpdesk role are motivated by uptime of Corporate Systems, compliance with Corporate Policies and personal financial incentives, but more overtime does NOT count as a financial incentive! Also, personal workstation downtime almost didn't register as a motivator (this one kind of surprised me).
Something that we all live with is that IT groups are still taking the lead in developing, monitoring and enforcing security policies. However, what is FINALLY happening is that HR is now starting to take the lead in some of this. In many organizations, things like reports from the content filter that monitors and enforces web usage policies are now the responsibility of HR, with IT there to provide the service and act as an expert consultant. This is a good thing to see, because HR is actually placed to do real enforcement of policies like AUPs (Acceptable Use Policies) and Web Surfing Policies, where in many companies IT could only watch and shake their heads.
What didn't work across the board was any security task that people couldn't immediately see value in on their own (without a lesson from security school). So, for instance, if you want to implement password complexity where it hasn't existed before, it's probably worth a bit of an awareness message ahead of time, or no one is going to buy into it.
Again, the full results are in the paper; the PowerPoint covers the high points.
Anything you'd like to add to the list is welcome; by all means use the comment form to add to this story!
================== update 05/11/2010 ==================
I've had a few requests for the original Powerpoint presentation for the paper (the posting on the sans.edu page is a PDF). You can find it here ==> diaryimages/RVANDENBRINK - MGT438 Presentation - 0425.zip
=============== Rob VandenBrink, Metafore ===============
Stock market "wipe out" may be due to computer error
A number of stocks lost almost all of their market value yesterday in the span of 5 minutes, leading to the fastest ever drop in the Dow Jones index. Luckily, most of the value was recovered, but the index overall was still substantially lower. It is not clear yet what exactly happened, but computer issues are cited as a possible reason. One report suggested a data entry error (entering "B" for "Billion" instead of "M" for "Million"). But several stocks were affected. These companies' stocks went from as high as $59 to a couple of cents in a few minutes.
Again, the investigation is just starting. But this overall reminded me of a scenario we put forward a few years back. John Bambenek published a nice diary [1] in September of 2005 estimating that $24 Billion worth of assets were under the control of bot herders at that time, in the form of brokerage accounts owned by infected users. This number is of course just a guess, but it does support the scenario of a bot-controlled "Market DoS". The scenario we put forward back then was that a botnet could cause economic mayhem if such a sell-off were timed to coincide with real-world events that cause "market jitters". Right now, the economic crisis in Greece and the oil spill in the Gulf of Mexico can be seen as such events.
How do we protect ourselves? Sadly, as is typical in our approach to software security, incident handling and forensics will have to come first. Maybe then we will learn what should have been considered in the first place: how to write more secure software, and how to put the controls in place to prevent these errors.
[1] http://isc.sans.org/diary.html?storyid=712
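As an added illustration of the "controls in place to prevent these errors" point (my own example, not code from the diary, from SANS, or from any exchange's or broker's actual trading system), the following pre-trade sanity check rejects an order whose size, dollar value or limit price is wildly out of line with the market it is going into. The thresholds, the symbol, the market figures and the sample orders are all constructed assumptions; a real desk would tune them per instrument and log every rejection for review.

```python
# Added example: a pre-trade "fat finger" check of the kind the diary alludes to.
# Everything here (thresholds, symbol, prices, volumes) is a constructed assumption.
from dataclasses import dataclass


@dataclass
class Order:
    symbol: str
    side: str            # "BUY" or "SELL"
    quantity: int        # number of shares
    limit_price: float   # per-share limit price in dollars


@dataclass
class MarketContext:
    last_price: float        # last traded price for the symbol
    avg_daily_volume: int    # average shares traded per day (ADV)


# Constructed thresholds; a real system tunes these per instrument.
MAX_ADV_FRACTION = 0.10       # refuse a single order above 10% of ADV
MAX_PRICE_DEVIATION = 0.05    # refuse limits more than 5% away from last price
MAX_NOTIONAL = 50_000_000.0   # hard cap on order value in dollars


def check_order(order: Order, ctx: MarketContext) -> list[str]:
    """Return the reasons an order must be rejected; an empty list means accepted.

    Every failed check is reported, not just the first, so a reviewer sees the
    whole picture when a rejection is investigated later.
    """
    problems = []

    # Size check: catches a "million" typed where "thousand" was meant.
    if order.quantity <= 0:
        problems.append("quantity must be positive")
    elif order.quantity > ctx.avg_daily_volume * MAX_ADV_FRACTION:
        problems.append(
            f"quantity {order.quantity} exceeds {MAX_ADV_FRACTION:.0%} "
            f"of average daily volume ({ctx.avg_daily_volume})"
        )

    # Notional check: catches a "B" for "Billion" where "M" for "Million" was meant.
    notional = order.quantity * order.limit_price
    if notional > MAX_NOTIONAL:
        problems.append(f"notional ${notional:,.2f} exceeds cap ${MAX_NOTIONAL:,.2f}")

    # Price check: catches a limit that would trade far through the current market.
    if ctx.last_price > 0:
        deviation = abs(order.limit_price - ctx.last_price) / ctx.last_price
        if deviation > MAX_PRICE_DEVIATION:
            problems.append(
                f"limit price {order.limit_price} is {deviation:.1%} away "
                f"from last price {ctx.last_price}"
            )
    else:
        problems.append("no valid reference price available")

    return problems


# Constructed sample market: a $59 stock trading 5 million shares a day.
SAMPLE_CONTEXT = MarketContext(last_price=59.0, avg_daily_volume=5_000_000)

# Constructed sample orders: the intended trade, the same trade with three extra
# zeros, and a sell with a limit price of a couple of cents.
SAMPLE_ORDERS = [
    Order("XYZ", "SELL", 16_000, 59.0),
    Order("XYZ", "SELL", 16_000_000, 59.0),
    Order("XYZ", "SELL", 16_000, 0.02),
]


if __name__ == "__main__":
    for o in SAMPLE_ORDERS:
        verdict = check_order(o, SAMPLE_CONTEXT)
        print(o, "->", "ACCEPTED" if not verdict else "REJECTED: " + "; ".join(verdict))
```

The first sample order passes, the second fails both the size and the notional checks, and the third fails the price check. The point of reporting every failed check rather than stopping at the first is that the rejection log then becomes useful evidence when the incident handlers and forensics people arrive, which, as the diary notes, is where we usually end up learning these lessons.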
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
=====================================================
More thoughts on this: if you want to have a large financial influence (for instance in a cyber-war scenario), you don't need to control 24B in household assets through malware; you need to control one trader's workstation at a major firm. Yesterday's event shows us just how vulnerable we are - one bad trade, and all the lemmings follow the leader over the cliff! Fund managers would be good targets as well. Through a lever like this, your control is multiplied potentially hundreds of times.
Looking for targets like that? I just searched LinkedIn for "hedge fund" (36,000 results) or "fund manager" for targets (12,000 results) - all nicely searchable by city, company, etc.
A targeted phish campaign against a narrowly defined audience like that ... hmmmm ....
============== Rob VandenBrink, Metafore ================