Bringing It All Together - Building an Information Security Awareness Program: Defending Against Social Engineering and Technical Threats, First Edition (2014)


CHAPTER 12. Bringing It All Together

Valerie Thomas, Securicon, Lorton, VA, USA

Abstract

This chapter combines the topics, techniques, delivery options, and schedule discussed in previous chapters into three sample plans. Based on low, moderate, and high budget amounts, these plans serve as a foundation for organizations to build from. Additional awareness activities are reviewed that are applicable to any budget. Lastly, guidelines are provided for promoting the awareness program to the general employee population.

Keywords: Planning; Budget; Cost; Promotion; National Cyber Security Awareness Month (NCSAM)

We've covered the building blocks of an awareness program in the previous chapters. Now, we'll explore some examples of using those building blocks to construct a complete program. The sample plans discussed are meant to provide you with a program baseline and can be tailored to fit the needs of your organization.

Create a Security Awareness Website

This website should be the face of your awareness program. It should provide employees with a trusted resource for up-to-date information. Nobody wants to search through their e-mail for policies or procedures, especially when the website provides them with all of the resources they need [1]. At a minimum, content should include

■ e-mail address and phone number for reporting suspicious activity

■ training and reference material

■ alerts for recently received phishing e-mails or phone calls

■ corporate policies on computer use and physical security

■ antivirus information for their home computer

■ security tip of the day

■ links to external articles on popular topics, such as identity theft

In addition to containing useful information, the awareness website also needs to be engaging to encourage employees to visit. Attention-grabbing headlines, topics, and graphics hold the reader's attention on the topic at hand [2]. Including short security videos [3] or cartoons [4] creates an attractive and educational website. Work with your marketing and web development teams to streamline the visitor's experience. Most importantly, website content must be current to entice employees to visit frequently. Although you will want the website to be full of useful content, do not overload it with extraneous material, as some employees will not be able to distinguish useful information from general information.

Sample Plans

Low Budget

This plan is best suited for an organization with a limited budget. If divisions are geographically dispersed, the in-person training portions can either be presented by a local security contact or be recorded from a presentation at the main corporate office.

New Hire Training

■ In-person lecture style to cover corporate policies on the following:

  ■ Data classification

  ■ Authorized computer use

  ■ Physical entry and exit procedures

  ■ Handling sensitive information

  ■ Reporting suspicious e-mails or activities

  ■ Regulatory-specific requirements (if applicable)

■ Computer-based training (CBT), web-based training (WBT), or video training for the following:

  ■ Computer/laptop safety

  ■ Phishing awareness and prevention basics

  ■ Good security habits

  ■ Safe web browsing

  ■ Choosing effective passwords

  ■ Social engineering

Many free sources exist for CBT, WBT, and video training. See Chapter 8 for examples of free and commercial training products. One form of CBT can also be a slideshow produced by your security team. If you select a solution without progress tracking, make sure you establish a method for recording when each employee has completed the training.

Biannual Training

The majority of biannual training reiterates the fundamentals covered in new hire training, but with a few additional topics.

Use the CBT, WBT, or video training modules from new hire training. Content should also be added to include

■ security-related policy or procedure changes

■ review of physical security basics, such as tailgating

■ visitor policy

■ reporting procedures of suspicious e-mails and/or activities

■ handling of sensitive information

■ removable media safety

■ new security-related software, such as a password safe

Continual Training

Posters are one of the least expensive awareness resources available. The two largest factors in successfully utilizing posters are location and content. Place posters in high-traffic areas where they have the most visibility. Also, rotate the posters, both in content and in location, to ensure that staff are continually reviewing the material. In doing this, you have a greater chance of staff members retaining the information on the posters. Additional information on posters is available in Chapter 8. Other methods of keeping information fresh for staff members are to continually update the security awareness website and publish a monthly or quarterly newsletter on various security-related topics. These are effective ways of keeping security on the minds of employees.

A homemade video campaign is another low-cost training option. Videos should be informal—think more YouTube and less Hollywood—and only a minute or two long. Featuring employees in the video encourages everyone to participate. Introducing some humor in your videos can also encourage staff to look forward to watching them, as it inspires camaraderie and helps staff relate to a topic. Also include a “suggestion box” e-mail account for employees to submit ideas for future content.

Many no-cost options exist for lunch and learn sessions. Security team members or other staff (under guidance and approval from the security team) can author session content for presentations. Speaking at these events is also a good opportunity for those who wish to improve their public speaking skills. Another option is to watch a short video and hold a group discussion afterward. Begin with quarterly sessions, and add sessions based on popularity and volunteer presenters. Some examples of lunch and learn topics can be found in Chapter 8.

Phishing Assessment

Organizations should aim to complete a minimum of two phishing assessments per year. Open-source software is the cheapest option for implementing your own phishing assessment. The Social Engineering Toolkit (SET), as discussed in Chapter 10, is a free tool for performing your own phishing assessment. SET requires basic Linux and Apache knowledge, so this task is best assigned to a technically skilled member of the security team. Ensure that results are stored in a spreadsheet or similar format for long-term tracking and comparison.

Moderate Budget

This plan is best suited for an organization with a moderate budget and assumes that locations are geographically dispersed. The focus of this plan is to utilize funding in areas with the greatest benefit of process automation and content. The in-person training portions can either be presented by a local security contact or be recorded from a presentation at the main corporate office. The in-person training portions of the program are designed to put a face to the security group or local contact in the organization.

New Hire Training

■ In-person lecture style to cover corporate policies on the following:

  ■ Data classification

  ■ Authorized computer use

  ■ Physical entry and exit procedures

  ■ Handling sensitive information

  ■ Reporting suspicious e-mails or activities

  ■ Regulatory-specific requirements (if applicable)

■ CBT, WBT, or video training for the following:

  ■ Computer/laptop safety

  ■ Phishing awareness and prevention basics

  ■ Good security habits

  ■ Safe web browsing

  ■ Choosing effective passwords

  ■ Social engineering

For moderate budgets, the best option is a commercial WBT solution that has stand-alone training modules, phishing assessment capabilities, training modules that can be combined with a failed phishing assessment, and progress tracking. Progress tracking should include when employees have taken the required training and results from phishing assessments.

Biannual Training

The majority of biannual training reiterates the fundamentals covered in new hire training, but with a few additional topics. Utilize the WBT modules from new hire training. Content should also be added to include

■ security-related policy or procedure changes

■ review of physical security basics, such as tailgating

■ visitor policy

■ reporting procedures of suspicious e-mails and/or activities

■ handling sensitive information

■ removable media safety

■ new security-related software, such as a password safe

Keep in mind that biannual training sessions are not required to use the same delivery method. For instance, the first training session of the year could be WBT, and the second training session could be an in-person presentation. Changing delivery methods is often a good way to aid staff in data retention and overall awareness.

Continual Training

The first priority of funds should be for a robust commercial solution that integrates training, phishing, and tracking abilities. If additional funding is available, consider adding a commercial video campaign to your awareness program. Restricted Intelligence offers a comedy-based approach with a video series that teaches security basics with an entertaining twist. The campaign takes an approach similar to a television series where videos are released one at a time. Packages include posters, teaser video clips, and other resources to advertise the video series. More information can be found at http://www.restrictedintelligence.co.uk/.

Posters are one of the most popular and least expensive awareness resources available. The two largest factors in successfully utilizing posters are location and content. Place posters in high-traffic areas where they have the most visibility. Also, rotate the posters, both in content and in location, to ensure that staff are continually reviewing the material. In doing this, you have a greater chance of staff members retaining the information on the posters. Additional information on posters is available in Chapter 8. Other methods of keeping information fresh for staff members are to continually update the security awareness website and publish a monthly or quarterly newsletter on various security-related topics. These are effective ways of keeping security on the minds of employees.

Lunch and learn sessions can also be incorporated into your awareness program, but should not use much of the annual program budget. Many no-cost and low-cost options exist for lunch and learn sessions. Security team members or other staff (under guidance and approval from the security team) can author session content for presentations. Speaking at these events is also a good opportunity for those who wish to improve their public speaking skills. Some examples of lunch and learn topics can be found in Chapter 8.

Phishing Assessment

If you've invested in a robust commercial solution that includes phishing assessment capability along with training, phishing assessments should be completed quarterly. Develop an assessment schedule for each quarter to review with the contact list as discussed in Chapter 10. If your organization is small to medium, it may be possible to perform phishing assessments on a monthly basis. By including training for those who fail the phishing assessment, you're delivering a year-round training program that reinforces material delivered in the biannual training sessions.

Large Budget

If your organization is fortunate enough to have a large budget, the following plan should serve as a baseline for minimal activities. The plan assumes the organization has a large number of employees that are geographically dispersed and must meet regulatory training requirements. The focus of this plan is to utilize funding in areas with the greatest benefit of process automation and content. While in-person training portions work well for some organizations, more technology-based delivery solutions may fit best for a large number of employees.

New Hire Training

■ CBT, WBT, or video training for the following:

■ Data classification

■ Authorized computer use

■ Physical entry and exit procedures

■ Handling of sensitive information

■ Reporting procedures of suspicious e-mails and/or activities

■ Regulatory-specific requirements (if applicable)

■ Computer/laptop safety

■ Phishing awareness and prevention basics

■ Good security habits

■ Safe web browsing

■ Choosing effective passwords

■ Social engineering

For organization-specific topics, a custom WBT solution is optimal. Custom WBT solutions with long-term support enable you to specify required content with the ability to update the material over time. Due to the potentially sensitive material, it is best to host the WBT inside your environment. When selecting a commercial product, ensure that the content can be hosted in your environment.

For the general security topics, invest in a WBT that has stand-alone training modules, phishing assessment capabilities, training modules that can be combined with a failed phishing assessment, and progress tracking. Progress tracking should include when employees have taken the required training and results from phishing assessments.

Biannual Training

The majority of biannual training reiterates the fundamentals covered in new hire training, but with a few additional topics. Utilize the WBT modules from new hire training. Content should also be added to include

■ security-related policy or procedure changes

■ review of physical security basics, such as tailgating

■ visitor policy

■ reporting procedures of suspicious e-mails and/or activities

■ handling of sensitive information

■ removable media safety

■ new security-related software, such as a password safe

Keep in mind that biannual training sessions are not required to use the same delivery method. For instance, the first training session of the year could be WBT, and the second training session could be an in-person presentation. While recording an in-person presentation for remote locations is an option, for maximum effect, the local on-site security manager should present the material. This provides employees the opportunity to ask questions in person and become familiar with the local security team.

Continual Training

The first priority of funds should be for a robust commercial solution that integrates training, phishing, and tracking abilities. If additional funding is available, consider adding a commercial video campaign to your awareness program. Commercial video campaigns are ideal for large organizations because they provide continual security awareness. Restricted Intelligence offers a comedy-based approach with a video series that teaches security basics with an entertaining twist. The campaign takes an approach similar to a television series where videos are released one at a time. Packages include posters, teaser video clips, and other resources to advertise the video series. More information can be found at http://www.restrictedintelligence.co.uk/.

Even though posters are considered a low-cost awareness resource, they should still be incorporated into your awareness program. In large organizations, it's unlikely that employees will have day-to-day interaction with the security team. Posters are used to provide employees with subtle reminders of best security practices. If you invest in a commercial video campaign, posters are often included in the purchase price. Additional information on posters is available in Chapter 8. In addition to updating the security awareness website, publishing a monthly or quarterly newsletter on various security-related topics is an effective way of keeping security on the minds of employees.

For large organizations, lunch and learn sessions can be logistically challenging, but not impossible. Sessions that are hosted at the headquarters facility can be recorded or broadcast live with video teleconference software. Additionally, remote locations can host local sessions. Security team members or other staff (under guidance and approval from the security team) can author session content for presentations. Speaking at these events is also a good opportunity for those who wish to improve their public speaking skills. If the budget allows, consider hiring a popular speaker to encourage attendance. Examples of lunch and learn topics can be found in Chapter 8.

Phishing Assessment

Phishing assessments should be completed quarterly with a robust commercial solution that includes phishing assessment capability along with training. Develop an assessment schedule for each quarter to review with the contact list as discussed in Chapter 10. By including training for those who fail the phishing assessment, you're delivering a year-round training program that reinforces material delivered in the biannual training sessions.

Promoting Your Awareness Program

All awareness programs need to be promoted in order to be successful. However, getting employees involved isn't always an easy task. It may often require marketing your program internally, also known as social engineering your own staff. Not only are you promoting an awareness program, but you're also influencing a security-aware culture. Here are some activities to get you started.

Contests and Prizes

People are competitive by nature, and even more so when some type of prize is involved. Contests are a great way to get everyone's attention and participation. Here are some examples to get you started:

■ Prizes for correct answers to security questions based on procedure, compliance, or any other presented material

■ Security poster contest

■ Prize or recognition for those with perfect phishing assessment scores

■ Homemade awareness video contest

■ Monthly drawing for those who report potential phishing

Prizes can vary in accordance with your budget. However, prizes don't always need to be expensive to be effective. Some popular options are

■ gift cards

■ movie passes

■ event tickets

■ reserved parking space

■ cash

■ small electronic devices, such as MP3 players

Announcements

Implementing a monthly security e-mail campaign can keep your employees up-to-date and increase traffic to your security awareness website. Short, monthly e-mails should contain one key message. Also include links to new material on the security awareness website. Positive public recognition can be a powerful tool for employee motivation. Consider featuring an employee who reported suspicious activity or other security-conscious behavior.

National Cyber Security Awareness Month

Created by the US Department of Homeland Security and the National Cyber Security Alliance, National Cyber Security Awareness Month (NCSAM) is observed in October. NCSAM is designed to create a safe cyber environment across government and civilian organizations [5]. NCSAM can be used to reinforce previously taught material, as well as to introduce new content. It is common, but not required, to declare a theme for each week. Some sample themes include the following:

■ Security: A shared responsibility

■ Mobile security

■ Identity theft

■ Dangers of social media

■ Keeping children safe online

■ Cyber crime

NCSAM events can vary from special edition desktop backgrounds to a cyber security fair with presentations and activities. Many universities and organizations provide free material for NCSAM planning and coordination. Information is also available at http://www.staysafeonline.org/ncsam/.

Notes

[1] Security Awareness Quick Start Guide https://wiki.internet2.edu/confluence/display/itsg2/Security+Awareness+Quick+Start+Guide [accessed on 3.16.2014].

[2] Developing Your Campus Information Security Website https://wiki.internet2.edu/confluence/display/itsg2/Developing+Your+Campus+Information+Security+Website [accessed on 3.16.2014].

[3] Federal Trade Commission Consumer Information http://www.consumer.ftc.gov/media [accessed on 3.16.2014].

[4] Security Cartoons http://www.securitycartoon.com/ [accessed on 3.16.2014].

[5] National Cyber Security Awareness Month http://www.dhs.gov/national-cyber-security-awareness-month [accessed on 3.22.2014].