Design of a cyber security awareness campaign for Internet Cafés users in rural areas
WA Labuschagne, MM Eloff, N Veerasamy, L Leenen, M Mujinga
CSIR / UNISA
IST Africa, 12 May 2011
Internet Usage in Africa
• Africa has the lowest number of Internet users
• 5.6% of total world users
• 2000% growth in last decade
• Possible causes:
  – Lack of infrastructure
    · High cost
    · Low bandwidth
  – Lack of equipment
© CSIR 2011
Lack of Infrastructure
• Development of infrastructure with deployment of:
  – Seacom (2009)
  – EASSY (2010)
  – TEAMS (2009)
• Improvement in bandwidth and lower costs to access the Internet
Lack of Equipment
• Users have no computer to access the Internet due to cost
• Internet Cafés provide the equipment to access the Internet
Background
• More Internet Cafés in less affluent areas
• Repeat users
• High demand for training
• Used for business activities, searching for employment, communication and establishing business contacts
• Used to access resources that employed users are not allowed to access at work
Problem
• Security measures implemented by the establishment (No control)
• Knowledge & Skill set of the Internet users (Address with Security Awareness)
Corporate Environment vs Other Users
• Companies are protected by expensive, complex security systems (IDS, firewalls, anti-virus, etc.)
• Security is delegated to specialized teams
• Users are only provided access to enough functionality to perform their responsibilities
• Security awareness programs are usually part of the training provided within companies
• Security is automatically applied by systems at no cost to the user
Case Study of Internet Cafés to determine security weaknesses
Feedback on Observation
• Use of outdated Web browsers
• Use of outdated 3rd party applications, for example Acrobat Reader and Flash Player
• Most not using the latest Service Packs (most using SP2)
• Users allowed to install applications (administrative privileges)
• Users can access and edit the registry
• No security awareness
• Using Microsoft Windows XP
• Autorun is enabled
• No anti-malware installed
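An added example, not from the slides or the authors' study: a PowerShell audit that checks a café workstation for several of the weaknesses observed above (Autorun, administrative rights, registry access, anti-malware, service pack level). The registry values and WMI classes are standard Windows ones; the pass/fail rules (for example that XP should be on SP3) are my assumptions.

```powershell
# Added audit (not from the slides): checks a workstation for the weaknesses listed above.
# Registry values and WMI classes are standard Windows; pass/fail rules (XP needs SP3) are assumptions.

function Test-AutorunDisabled {
    # NoDriveTypeAutoRun = 0xFF (255) turns Autorun off for every drive type.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $p = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($p -and $p.NoDriveTypeAutoRun -eq 255) { return $true }
    }
    return $false
}

function Test-CurrentUserIsAdmin {
    # Café users should browse from a limited account, not an administrator one.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-RegistryToolsDisabled {
    # DisableRegistryTools = 1 stops the user from opening regedit.
    $key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key -Name DisableRegistryTools -ErrorAction SilentlyContinue
    return [bool]($p -and $p.DisableRegistryTools -eq 1)
}

function Get-AntiMalwareProducts {
    # Security Center lists registered anti-virus products (namespace differs by OS version).
    foreach ($ns in 'root\SecurityCenter2', 'root\SecurityCenter') {
        $av = Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue
        if ($av) { return @($av | ForEach-Object { $_.displayName }) }
    }
    return @()
}

function Test-ServicePackCurrent {
    # Assumption: Windows XP is acceptable only on SP3; other versions pass this check.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    return -not ($os.Caption -match 'XP' -and $os.ServicePackMajorVersion -lt 3)
}
function Write-Finding($check, $ok, $detail) {
    '{0,-28} {1} {2}' -f $check, $(if ($ok) { 'OK  ' } else { 'WEAK' }), $detail
}
$av = @(Get-AntiMalwareProducts)
Write-Finding 'Autorun disabled'          (Test-AutorunDisabled)
Write-Finding 'User is not administrator' (-not (Test-CurrentUserIsAdmin))
Write-Finding 'Registry editing blocked'  (Test-RegistryToolsDisabled)
Write-Finding 'Anti-malware present'      ($av.Count -gt 0) ($av -join ', ')
Write-Finding 'Service pack current'      (Test-ServicePackCurrent)
```

Run it from the account a café customer would actually use, so the administrator and registry checks reflect that account rather than the owner's.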
Need Identified
What is Security Awareness?
• Awareness – Focus attention on a set of security issues
• Training – Teach skills to allow a person to perform a specific function
• Education – Aims to produce IT security specialists capable of proactive responses
NIST Special Publication (800-50)
• The National Institute of Standards and Technology 800 Series reports on the Information Technology Laboratory (ITL):
  – Research
  – Guidance
  – Outreach efforts in computer security
  – Collaborative activities with industry, government, and academic organizations
• SP 800-50: Building an Information Technology Security Awareness and Training Program
Steps in NIST (800-50) Life Cycle
• Design Awareness Program – Conduct needs assessment
  · Determine the organisation's awareness needs.
  · Understanding of security issues helps shape the design of the IT security awareness program.
• Develop Awareness Material – Develop awareness material (select topic, sources of material)
  · Develop material considering: "What behavior should be reinforced?"
  · Material can address a specific issue.
• Implement Awareness Program – Techniques for delivering awareness material
  · Dependent on resources and message(s).
  · Based on ease of use, scalability, accountability, and industry support.
• Post-Implementation – Evaluation and feedback
  · Ensure relevance and compliance with overall objectives.
  · For continuous improvement, a good sense of how the existing program is working is needed.
Design Step
• Needs assessment
• Identify the main threats at Internet Cafés
• Identify the critical topics that form part of a security awareness program addressing threats at Internet Cafés
Internet Use Classification
Type of Use                                  Classification
-------------------------------------------  --------------
Seeking information                          Information
Email                                        Communications
Chatting                                     Entertainment
Reading online news                          Information
Research                                     Information
Computer games                               Entertainment
Downloading software for professional use    Business
Downloading software for amusement           Entertainment
Downloading music                            Entertainment
Visiting pornographic sites                  Entertainment
Doing business                               Business
e-shopping                                   Financial
Gambling                                     Financial
Social networks                              Communications
Internet Uses to Threats (1)
Matrix of threats against the use classifications (Information, Entertainment, Financial, Business, Communications); a marked cell (P or X) indicates that the threat applies to that type of use.
Threats: Spam; DOS; Phishing; Malware (Virus, Spyware, Password/Info stealer, Backdoor, Downloader, Dropper, Rootkit)
Internet Uses to Threats (2)
Same matrix, continued.
Threats: Browser based (Firefox, IE); Hacking (Exploit); Social engineering; Inherent software vulnerabilities; Patch management; Online scams; Physical harm; Cyber bullying; Identity Theft
Selection Process
Development Step
• Critical Topics for Internet Cafés:
  – Social Engineering
  – Scams
  – Cyber Bullying
  – Physical Harm
  – Identity Theft
  – Social Networking
  – Email
  – Phishing
Implementation Step
• Material can be delivered by:
  – Interactive video training – Applicable
  – Web-based training (passive) – Applicable
  – Instructor-led training
  – Placement of awareness messages (posters, screen savers, email) – Applicable
  – Discussion groups
Post Implementation
• Interviews
• Questionnaires
• Analysis of Internet usage
What about...
• Mobile phone adoption vs Internet Cafés
• Decline in Internet Cafés
• Lessons learned could be used with personal computers at home
• Other frameworks
• Other tools to deliver content
• e-Awareness Model
Conclusions
• The NIST (800-50) Framework is a feasible solution for designing a cyber security awareness program.
• A need has been identified to address threats at Internet Cafés in rural areas.
• Email, social engineering, phishing, social networking, scams, cyber bullying and identity theft are prominent threats at Internet Cafés.
Q&A