Episode 4 – Creating an Effective Awareness Program

Happy Monday Everybody!
I am really happy with the way this one turned out. I learned quite a bit about creating and improving security awareness programs, and I think you will as well. 
Don’t forget to subscribe on your favorite podcast app to make sure you get them as soon as they are released (Sundays at 10PM Eastern)

In this episode we’re gonna cover security awareness programs, culture, insider threat training requirements for federal contractors, and more! Don’t touch that dial!
Welcome back! This is episode 4 of The Insider Threat podcast, for the week of June 5th, 2017. As a quick update, I am working on a segment or two about unlikely insiders, which was inspired by a story that one of you gave me. Please keep those up. It lets me know of actual issues out there in your organizations and lets me use this as a medium to share the information to a large audience. As I said before, I’ll be sure to anonymize the stories to keep everyone out of deep water.
It’s time for your Infosec Question of the Week, where Google is king and the prize is nonexistent!
The question last week was “In the early 1970s, John Draper discovered that he could make free long distance calls by sending a certain tone through the phone. What did he use and where did he get it?”
The answer was that he used a whistle that he found in a box of cereal. This later earned him the nickname “Captain Crunch”.

Congratulations to: 
Brady from Milwaukee
Harlan from the UK
Annetta from Jersey City
Isaac from Washington State
And Bob from Jacksonville for getting the correct answer.

Here’s your question for this week: In 1997, a hacker group was angry about hackers being falsely accused of electronically stalking a Canadian family. They broke into the Canadian Broadcasting Corporation’s web site and left a message saying: “The media are liars.” The family’s own 15-year-old son was eventually identified as the stalking culprit. What was the name of this group?
Send your response to InfosecAnswer@gmail.com. Be sure to include your first name, location, and the hashtag “notreallybacon”.
Our first article this week is related to an insider threat training requirement for federal contractors
This isn’t anything new, since the requirement took effect at the end of last November, but it essentially means that all cleared federal contractors had to go through insider threat training before the first of this month.
Seeing as how it is probably too late now, I hope you were able to get it done if this applies to you. I’ve heard those clearances aren’t easy to get

Our next article comes from Kai Roer at Infosecurity-magazine.com A Culture of Security, Not of Blame
I really liked the general idea of this one and there were some good nuggets to take from it
“Technology continuously introduces huge amounts of security challenges and risk factors, which we keep blaming employees for not handling correctly. Blaming people for not handling poor technology correctly is – in my opinion – simply wrong. In fact, by blaming the employee for clicking on a phishing link, or opening an attachment, is similar to building a car with poor brakes, and then blaming the driver when the car crashes. Guess what, with cars the manufacturer does not get away with blaming the weakest link or the stupid driver.”
There are quite a few things I can agree with in here, to include the note about not blaming users for doing the wrong thing. I think he could have taken it further by saying that it is our fault – as security professionals – for not training them in a way that makes an impact. Instead of taking the time to do that, we write off our users as lost causes and invest in more technology to compensate.
The author appears to be anti-awareness and pro-culture. I guess my argument would be that awareness programs can be an instrumental part of building that culture.
What do you think? I’d love to get your opinion on this one in particular, so please let me know.
Instructional Segment
Speaking of awareness programs, today I want to try a segment that provides some actionable steps for improving your organization right away. I asked some folks on LinkedIn and Twitter some questions related to information security awareness programs, and this is a compilation of sorts of the responses that I received.
What goes into effective information security awareness training?

Why does the organization have the program?
You can mention compliance requirements here, but I would make it subtle
What business functions and their associated systems need to be protected?
Do’s and don’ts when using information systems, and why?
Acceptable Use Policy
Account Management Policy
Data Retention or Encryption Policies
Cater to the applicable policies for the audience
Description of the threat
Start with a question about the most important parts of their job and what IT assets are critical for their success in accomplishing them
Now talk about the critical systems for the organization as a whole, such as payroll, benefits, timekeeping, shipping, estimating, email and other communications, or whatever else the organization relies on for business
“If we didn’t have , the organization would come crumbling down”
The loss of those systems defines the threat, from stopping a single employee from being able to do their work to the entire organization being unable to accomplish its mission
Examples of the threat
Here you can talk about any stories you have, as well as anything that the audience members can share
Something like “that time that Tom got a virus and had to try to work without a computer for 3 days. He thought he would get fired”
Examples of real incidents
Popular breaches, like Target, Home Depot, and Chipotle
The suspicion that other countries are trying to impact election outcomes
Bring it home (both the family and the firm)
What if a hacker was able to get your bank account information?
What if they could see your children through your computer’s webcam?
What if they were able to hack into your alarm system to break into your home without setting off any bells?
Responses to incidents
This is where you tie in your own organization’s policies and procedures to actionable responses to suspected security events
The members of the audience are the ones that have to use these systems every day.
I had a user in the past that reported a suspected virus on their system…
Sent an email to them afterword expressly thanking them for their contribution to the security program

What makes an effective information security awareness program?

Give them information that will actually apply to their work and home lives
One idea I had recently was to start at the very basics for securing their home networks. Even if employees don’t care about the information security program for the company, they should be concerned about protecting their personal lives.
Maybe start with teaching them how to secure their social media accounts, and home wifi or computers and go from there
The basics are the same and it greases the wheels in a way that will let you segue to organizational security later
Get them involved
This applies to any type of training. If you just stand at the front of the room and lecture them, they will fall asleep
Get them to ask and answer questions
Who knows, they might think of something that you didn’t when you were putting your speaking points together
Break them up into groups for further discussion and exercises
You could give them some symptoms of a potential security issue and have them come up with the proper reporting procedures, based on how your organization does it
Most are annual
Might be different for your organization, depending on any compliance requirements
One organization I heard of had a security question pop up whenever an employee logged in for the day
Even if they cheat, it still gets them talking
Their participation could even be used for annual performance evaluations or keep them from having to do the formal annual awareness exam
The key is to get them thinking about security all the time, not just the 20 minutes a year they are taking a test or sitting in a classroom
Most important
Management support for the information security program
If the CEO or general manager walks into the class and just says something like “Pay attention to this. It’s very important.”

Bottom line: the most effective awareness program is one that works best for YOUR organization.

Thought of the Week Segment
Our thought of the week comes from Bruce Schneier, who said “if you think you can solve the security problems with technology, you don’t know technology”

Thank you for listening to episode 4 of The Insider Threat podcast. Please remember to subscribe and review in your favorite podcast app, and also share with everyone you know! Those reviews are key to building this out and improving for later episodes, so please feel free to leave suggestions.
You can contact me on twitter @stevehigdon or email me at theinsiderthreatpodcast@gmail.com.
Thanks again and I’ll see you folks next time!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s