Guide to Implementing an Effective Security Education & Awareness Program
Presented by:
• Calvin Weeks, Director, OU Cyber Forensics Lab, University of Oklahoma
• Shirley Payne, Director, Security Coordination and Policy, University of Virginia
• Krizi Trivisani, Chief Security Officer, The George Washington University

Copyright Calvin Weeks, Shirley Payne, Krizi Trivisani 2004. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the authors.

Overview
This presentation will offer help in implementing a security awareness program that teaches physical and system security precautions, establishes realistic expectations, and decreases the overall cost of securing an enterprise network by teaching users to share best practices with peers and by improving security in the workplace and in home work environments.

Calvin Weeks
• Introduction and Definitions
• Audience
• Roles and Responsibilities

Shirley Payne
• Collaboration
• Institutional Culture

Krizi Trivisani
• Policies
• Key Issues and Pitfalls
• Resources and Samples
• Measurement of Success

Introduction
Security programs cannot be successful without good leadership from the very top of your organization down. Even with all the staff, technology, resources, and budget, a Chief Information Officer (CIO) or Chief Security Officer (CSO) will not and cannot secure an environment without the rest of the organization. Every person in your organization plays a very important role in the security of all physical and virtual assets. But why would anyone be motivated to participate in security?
What are the key issues and concerns for your organization, CIO, CSO, directors, staff, faculty, students, parents, system/network administrators, contractors, guests, and the many other types of people internally and externally? How do these people know what their role or responsibilities are?

EDUCAUSE Security Awareness & Education Task Force
Mission/Purpose: The Education and Awareness Initiative team will identify and take steps to implement and/or publicize various methods by which awareness of information technology security issues is raised amongst university and college computer and network users, administrators, and executives.

Team Goals/Expected Outcomes (Deliverables and Metrics): The team will:
1) Identify current projects and current materials and methods (primarily developed within the higher education and non-profit communities, but also vended products where they have been proven to be, or may be, particularly useful to universities and colleges).
2) Use existing methods available via EDUCAUSE to publicize identified offerings.
3) Where gaps may exist in available offerings, commission development of programs or materials as needed.

Boundaries for the Team (Scope of Work & Authority): The team will concern itself with education and awareness of
1) end-users (essentially faculty, staff, and students)
2) technicians and administrators who maintain systems for campuses
3) executives.
The team will not venture into the realm of educating security professionals, or into formal for-credit curriculum development.

Team Leadership, Co-Chairs:
• Kelley Bogart, University of Arizona
• Mark Bruhn, Indiana University

Definition (Webster’s New World Dictionary, Third College Edition)
• Awareness – Knowing or realizing; conscious; informed.
• Training – the process or experience of being trained. [train] – to instruct so as to make proficient or qualified.
• Education – knowledge, ability, etc. thus developed. [develop] – to become larger, fuller, better, etc.; grow or evolve, esp. by natural processes.

Awareness
“Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly.” – National Institute of Standards and Technology (NIST), Special Publication 800-50

Awareness
What behavior are we wanting to influence? Examples:
• “Change your password every 60 days”
• “Sec-U-R-IT-y”
• “Secure-IT”
• “Time for a checkup: Patches, Virus definitions, passwords”

Awareness Links
http://www.itsa.ufl.edu/posters/passwords.pdf
http://www.itsa.ufl.edu/posters/10reasons.pdf
http://www.asu.edu/it/security/s101/
https://www.itso.iu.edu/howto/
http://security.ou.edu/bestpractices/index.html

Bookmarks

Training
“Training strives to produce relevant and needed security skills and competencies.” – National Institute of Standards and Technology (NIST), Special Publication 800-50

Training
What skills do we want to have learned? Examples:
• Professional development training
• Seminars
• Workshops
• Conferences
• Employment job duty performance

Sample Programs
http://security.ou.edu/sec_catalog.htm
http://www.it.ufl.edu/training/
http://register.perfectorder.com/it/2005/workshop.php
http://sans.org/

Education
“Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge…and strives to produce IT security specialists and professionals capable of vision and proactive response.” – National Institute of Standards and Technology (NIST), Special Publication 800-50

Education
What knowledge do we have to share/collaborate? Examples: EDUCAUSE National Conference, college degree, 10 years of experience, and 400 contact hours of training.

Why?
• HIPAA
• FERPA
• GLBA
• Sarbanes-Oxley Act
• Grant requirements
• Compliance with other local, state, and federal regulations

Does it make a difference?
• RPC vulnerability and the Welchia/Nachi attacks – users aware
• SQL Slammer attacks – technical education
• SoBig.F e-mail attacks – users aware and technical training

Centers of Academic Excellence
The Centers of Academic Excellence in Information Assurance Education (CAEIAE) program, established in November 1998, helps NSA partner with colleges and universities across the nation to promote higher education in information assurance (IA). This program is an outreach effort that was designed and is operated in the spirit of Presidential Decision Directive 63 (PDD 63), the Clinton Administration's Policy on Critical Infrastructure Protection, dated May 1998. The program is now jointly sponsored by the NSA and the Department of Homeland Security (DHS) in support of the President's National Strategy to Secure Cyberspace, February 2003. The goal of the program is to reduce vulnerability in our national information infrastructure by promoting higher education in information assurance (IA), and producing a growing number of professionals with IA expertise in various disciplines. 59 Centers throughout the US.

Who is our Audience?
• Faculty
• Staff
• Students
• Parents
• Contractors
• Visitors
• Community/industry partners – outreach

Target your Audience!
• General
• Technical/non-technical
• Local/remote
• Faculty/researchers/professors
• Management/staff
• System/network administrators/support staff
• Students/parents
• Home/travel users
• HIPAA, FERPA, GLBA, Sarbanes-Oxley
• Contractors/new employees

Roles
• President or Head
• CIO/CSO
• Information System Security Officer
• Security T.E.A. Program Manager
• Directors/managers
• Faculty/staff/students/users

T.E.A. Manager
Training, Education, and Awareness (T.E.A.)
• Program/curriculum development
• Course and instructor coordination
• Program promotions
• Measure expectations/requirements vs. outcomes/results

Questions?

When I Go To U.Va….
http://www.itc.virginia.edu/pubs/docs/RespComp/videos/when-I-go-to-UVA-lg.mov

Collaboration
Or, Great Security Education and Awareness With A Little Help From Your Friends!

IT Security Staffing Landscape
• What percent of surveyed institutions have a chief IT security officer?
• What is the average number of full-time security staff at surveyed doctoral institutions? At baccalaureate institutions?
• What percent of surveyed institutions have no formal awareness programs for students, faculty and staff?
From the 2003 EDUCAUSE Center for Applied Research Survey

Typical Responsibilities of Security Officers
• Strategic Planning
• Awareness, Education & Technical Training
• Technical Communications (Alerts)
• Policy Development
• Compliance
• Risk Assessment & Business Continuity
• Incident Detection & Response

These Responsibilities Require Many Roles To Be Filled
• Strategic Planner
• Champion
• Communications Expert
• Teacher
• Technical Expert
• Policy Writer
• Lawyer
• Enforcer
• Watch Dog
• Incident Responder
• Etc., etc., etc.

Which Roles Suffer First?
• Strategic Planner
• Champion
• Communications Expert
• Teacher
• Technical Expert
• Policy Writer
• Lawyer
• Enforcer
• Watch Dog
• Incident Responder
• Etc., etc., etc.

Collaborations Make All The Difference!
• New ideas
• Access to others' competencies
• Expanded scope of influence
• Shared labor and cost

Executives
Examples: Boards of Trustees, Presidents, Vice Presidents & Provosts, Deans & Department Heads, Chiefs of Staff
Potential Gains:
• Policy approval
• Funding and staffing approval
• Influence (directives, reviews, role models)
• Appropriate expectations

Testimonial
http://security.gmu.edu/HennesseyResponse.mpg
Tom Hennessey, Chief of Staff, George Mason University
Shown with permission from the producer, Cathy Hubbs, IT Security Coordinator, George Mason University

Faculty, Staff, & Student Leaders
Examples: Chief of Human Resources, Faculty Senate Chair, Dean of Students, Student Council, Dorm Resident Advisors, Student Honor Committee
Potential Gains:
• Input on security awareness plans
• New champions
• Peer-to-peer influence

Central IT Staff
Examples: Network and System Engineers; User Support Staff, e.g. Help Desk
Potential Gains:
• Identification of problem areas, emerging threats, and priorities
• Security alerts
• Security awareness tool development

Departmental Staff
Examples: System Administrators, Office Managers
Potential Gains:
• Input on security awareness needs and priorities
• Input on guidelines and policies
• Security champions in their departments
• Dissemination of security alerts within their departments

Departments with Security Interests
Examples: Audit Department, Legal Counsel, Campus Police
Potential Gains:
• Participation in awareness events
• Input on awareness priorities
• Contribution to development of guidelines and policies

Interested Faculty & Students
Examples: Instructors, Student class projects
Potential Gains:
• Participation in awareness events
• Input on awareness tool design
• Tool development

Communications Experts
Examples: Public Relations Office, Campus and Community Press
Potential Gains:
• Design of professional literature
• Development of creative marketing tools that deliver the security message in unique and innovative ways
• Communication of alerts, events and other information

Security Experts & Organizations
Examples:
• EDUCAUSE http://www.educause.edu/security
• Virginia Alliance for Secure Computing & Networking http://vascan.org
• Others: SANS Institute http://www.sans.org; CERT Coordination Center http://www.cert.org; CERIAS http://www.cerias.purdue.edu; NIST Computer Security Resource Center http://csrc.nist.gov; and many more
Potential Gains:
• Multiple perspectives
• Fresh ideas
• Eliminates wheel reinvention

Back to that U.Va. video…
Collaborators:
• Concept and story board – IT Publications staff
• Video production – School of Continuing & Professional Studies
• Actors – children of IT staff
• Closed captioning – local commercial firm
Cost was less than $3,000

Making Collaborations Work
Choose Long-term Collaborators Carefully
• Should have common goals
• Should be recognized benefits on both sides
• Should be based upon mutual trust

Manage the Collaborations
• Set realistic expectations
• Communicate well
• Resolve issues quickly
• Periodically review collaboration health
• Recognize their contributions

Institutional Culture
Or, When in Rome….

What Defines Culture?
Strategic Planning and Decision-Making. Examples:
• Top-down
• Bottom-up
• Consensus-based
Institutional Values. Examples:
• Student honor code
• Strong faculty influence
• Emphasis on accountability at all levels of the institution
• High bond rating

What Defines Culture?
Control of Operational Functions. Examples:
• Centralized
• Decentralized
Long-term Institutional Priorities. Examples:
• Increase research
• Increase community outreach
Other influences on culture?

Ideas For Using Culture
Decentralized Control Over Computing: Formalize and leverage the network of departmental system administrators. How? Some examples:
• University of Virginia LSP Program http://www.itc.virginia.edu/dcs/lsp
• George Mason University SALT Group http://itu.gmu.edu/security/sysadmin/salt-description.html

Ideas For Using Culture
Increasing Emphasis on Compliance: Spotlight federal regulations related to security & privacy. How? Some examples:
• IT Security for Higher Education: A Legal Perspective http://www.educause.edu/ir/library/pdf/csd2746.pdf
• Family Educational Rights & Privacy Act http://www.ed.gov/policy/gen/guid/fpcp/ferpa/index.html
• Gramm-Leach-Bliley Act http://www.ftc.gov/privacy/glbact/index.html
• Health Insurance Portability & Accountability Act http://www.hhs.gov/ocr.hipaa

Ideas For Using Culture
Strong Leadership at the Top: Make executive-level awareness a top priority. How?
• ACE Letter to Presidents Regarding Cybersecurity http://www.acenet.edu/washington/letters/2003/03march/cyber.cfm
• Information Security: A Difficult Balance http://www.educause.edu/pub/er/erm04/erm0456.asp
• Gaining the President’s Support for IT Initiatives at Small Colleges http://www.educause.edu/apps/eq/eqm04/eqm0417.asp
• Presidential Leadership for Information Technology http://www.educause.edu/ir/library/pdf/erm0332.pdf

Changing Culture
Awareness, education, and training change attitudes. Changing attitudes can force change in institutional culture. Also, major security incidents should initiate examination of cultural influences and the possible need for change.

Changing Culture
Real Life Example (real name changed to protect the guilty)

Changing Culture
I hear and I forget. I see and I remember. I do and I understand. – Chinese Proverb

Exercise
• Divide into groups
• Assign a target audience to each group: Executives, Administrative staff, Students, Faculty, Researchers, IT professionals
• Brainstorm ideas for building awareness (8 minutes; prepare a bulleted list; select a spokesperson)
• Share results

Cool Examples!

Policies, Key Issues and Pitfalls, Resources and Samples, Measurement of Success

Let’s Play!
I’ve Got Email is an educational form of bingo that incorporates IT security related words and phrases. This is a good activity for a security or IT department. Play it as a normal bingo game, but when someone gets five in a row (or four corners, etc.) they shout “I’ve Got Email!” To add an additional educational effect, you might ask them to explain each of the terms in the winning row.

I’ve Got EMAIL (www.securityawareness.com)
E | M | A | I | L
Virus | Phishing | Privacy | Password | Alert
Router | Certification | Interface | Solution | Monitor
Standards | User ID | FREE | Detection | Modules
Risk | Reliability | Authorization | Architecture | Firewall
Information Warfare | Linux | Sniffer | Technology | Policies
Copyright 2000-2004 Security Awareness, Inc – All Rights Reserved

Security Implementation Relies On People, Process, and Technology:
• Policies must be developed, communicated, maintained and enforced
• Processes must be developed that show how policies will be implemented
• Systems must be built to technically adhere to policy
• People must understand their responsibilities regarding policy

Policies
The cornerstone of an effective information security architecture is a well-written policy statement. This is the source from which all other directives, standards, procedures, guidelines and other supporting documents will spring. As with any foundation, it is important to establish a strong footing.

Why Implement a Security Policy?
In the absence of an established policy, the University’s current and past activities become the de facto policy. Since there is no formal policy with which to be defended, the University may be in greater danger of a breach of security, loss of competitive advantage, loss of customer confidence, and government interference. By implementing policies, the University takes control of its destiny.

Why Implement a Security Policy?
The goal of an information security policy is to maintain the integrity, confidentiality and availability of the information resources. The basic threats that may prevent the University from reaching this goal are unauthorized access, modification, disclosure or destruction, whether deliberate or accidental, of the information or of the systems and applications that process the information.

Why Implement a Security Policy?
When developing the policy, there is as much danger in saying too much as there is in saying too little. The policy should provide the direction required by the University while maintaining business unit management discretion in the actual implementation of the policy. The more intricate and detailed the policy, the more frequent the update requirements and the more complicated the training process for users.

Policy Structure
• Laws, Regulations, and Requirements
• Policy
• Standards
• Procedures, Practices
• Guidelines

Awareness and Training on the Security Policy
Now you have a policy… but has anyone read it? Or better yet… do they understand it?
Policy resources: http://www.educause.edu/CampusPolicyInitiatives/332

Key Issues and Pitfalls
• Make sure your Implementation Plan for the Security Policy includes training!
• Make sure your training materials and policy are not in conflict.
• Know your audience and adjust your training as appropriate by keeping their needs in mind.
• Get feedback!
• BUDGET for training and awareness.
• Utilize free resources and solicit volunteers, interns, and partnerships with departments and other universities.

Resources
The Education & Awareness Working Group of the EDUCAUSE/Internet2 Security Task Force compiled cyber security awareness resources that will be distributed on a CD. The resources were collected to showcase the variety of security awareness efforts underway at institutions of higher education and to provide resources for colleges and universities that are looking to jump-start a program for their organization.

What’s on the CD?
• Bookmarks
• Brochures
• Checklists
• Flyers
• Games
• Government Resources
• Handouts
• Post Cards
• Presentations
• Pamphlets
• Links to Schools’ Security Web Page(s)
• Videos
• Security Awareness Documents
• Security Cards
• Security Quizzes
• Scripts
• Surveys
• Security Tools

Measurement of Success
• Surveys
• Quizzes
• Password Cracking
• Reduction/Increase in infections
• Audits – baseline, then monitor progress
• Metrics (and yes, color graphics are worth it when presenting to management)
• Incentives and recognition for the most improved and others actively working to increase security in their departments
• Lather, rinse, repeat!

Measurement of Success
Did you meet the goals of your awareness program? Did you set goals?
Samples: What are the Goals of GW's Security Awareness Program?
• To reduce risk by implementing best practice information security programs while balancing academic freedom
• To educate members of the University community
• To identify and address risk
• To promote and encourage good security habits

Exercise
• Divide into groups
• You are planning your first Cyber Security Awareness Day for your campus. What are your goals? What will the event involve? How will you make it interesting for your audience?
• Brainstorm ideas (8 minutes; prepare a bulleted list; select a spokesperson)
• Share results

Questions?
Contacts:
• Calvin Weeks cweeks@ou.edu
• Shirley Payne payne@virginia.edu
• Krizi Trivisani krizi@gwu.edu