Measuring Human Risk
TRANSCRIPT
SANS Security Awareness Summit Dallas, TX | Mon Sep 8 - Wed Sep 17, 2014
Michigan Tech Facts
• Public University
• Total Enrollment: 6,957
• Graduate Enrollment: 1,484
• 50 Majors
• Carnegie Foundation Doctoral II status
• 400 Faculty, 1000 staff
• Ranked programs in Environmental, Mechanical, and Metallurgical Engineering
Overall IT, InfoSec and Compliance Structure
“Normal” IT Stuff
Infrastructure
Telecommunications
IT Services
Operations
User Services
Media Technology
Enterprise Computing
Also
IT Project Management
IT Budget Management
CISO – “Technical” Security
CICO – “Information” Security
Constant InfoSec Context
• Compliance needs (FERPA, GLBA, HIPAA, PCI…)
• Risk assessments
• News (especially of peers)
• Case studies
Remember: Don’t bring problems, bring solutions
Easy on the FUD!
The Challenge
Technical security (firewalls, VPNs, AV, etc.) is justified, specified and PURCHASED.
Operational security (patching, CM, coding) is proceduralized, centralized and MANDATED.
User security (behavior) is encouraged, coaxed, and “hoped for”.
The BIG Deal…
User security depends on user behavior, not on compliance, training, or awareness.
If behavior does not change, the awareness has no real value.
If the change is real, it must be measurable.
The Plan
Develop a comprehensive training and assessment system which will:
#1 - Improve Behavior
#2 - Apply training appropriately
#3 - Develop metrics and analytics
#4 - Find and fill gaps (process, not event)
TARR System (Train, Audit, Review, Remediate)
Combine HR, people, and security survey data
Score risk: per person, department, division
Target training where appropriate
Rinse / repeat (2010, 2012, 2014,…)
Survey Construction
• What do you handle?
• Where do you get it?
• Where do you keep it?
• What do you do with it?
Security Score
Each “usage” type has a score and a risk value.
Scoring:
• add 1 for a low-risk answer
• add 100 for a medium-risk answer
• add 10000 for a high-risk answer
Sum by Group (CC/PIFI/HCI), risk level, or score.
Yikes! Not another Survey
Average survey time: 4 Minutes
2014 Participation Rates by Group
Group               Surveyed  Responded  Pct
Custodial                176        102  58%
Faculty                  480        338  70%
Staff                   1140        779  68%
Student Employees       2069       1072  52%
Grand Total             3865       2291  59%
Survey Part 1: What do you handle?
Survey Part 2: Where do you get it?
Survey Part 3: Where do you keep it?
Survey Part 4: What do you do with it?
Example Score Calculation: PIFI
Sally’s PIFI Score:
• Gets PIFI from 1 low-risk place
• Stores PIFI in 1 low-risk place
• Transmits via 3 ways (1 high risk, 2 low risk)
• Score is thus 10004 (1x10000 + 4)
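As an added illustration (my code, not from the talk), the scoring scheme above in Python: it scores Sally's PIFI answers exactly as on the slide, decodes a score back into high/medium/low answer counts (possible because each weight is 100 times the next; the cap of fewer than 100 answers per level is my assumption), and rolls per-person scores up into a risk-level population count like the year-by-year tables later in the deck.

```python
from collections import Counter

# Weights from the talk: low-risk answer adds 1, medium adds 100, high adds 10000.
WEIGHTS = {"low": 1, "medium": 100, "high": 10000}

# Constructed sample modelled on the slide's Sally: one person's answers for
# one tracked data type (PIFI), grouped by survey part (get / keep / do),
# each answer already rated low / medium / high risk.
SALLY_PIFI = {
    "get":  ["low"],                  # gets PIFI from 1 low-risk place
    "keep": ["low"],                  # stores PIFI in 1 low-risk place
    "do":   ["high", "low", "low"],   # transmits 3 ways: 1 high, 2 low
}


def security_score(answers):
    """Sum the weighted answers across all survey parts for one data type."""
    return sum(WEIGHTS[risk] for part in answers.values() for risk in part)


def decode_score(score):
    """Recover (high, medium, low) answer counts from a score.

    Assumes fewer than 100 answers at any one level (my assumption, not the
    talk's); with more, a level would carry into the next weight digit."""
    high, rest = divmod(score, 10000)
    medium, low = divmod(rest, 100)
    return high, medium, low


def risk_level(score):
    """Classify a per-type score by the riskiest answer it contains."""
    if score >= 10000:
        return "High"
    if score >= 100:
        return "Medium"
    if score >= 1:
        return "Low"
    return "No Risk"


def population_by_level(scores):
    """Count people per risk level, as in the Year-by-Year Risk Path table."""
    return Counter(risk_level(s) for s in scores)


if __name__ == "__main__":
    s = security_score(SALLY_PIFI)
    print("Sally PIFI score:", s, decode_score(s), risk_level(s))   # 10004 (1, 0, 4) High
    print(population_by_level([s, 3, 0, 10102, 205]))
```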
Code    Tracked Information
PIFI    PI Financial Information
HCI     PI Healthcare Information
SSN     Social Security Numbers
DIR     Directory Information
Crim    Criminal History
GovID   Government Issued ID
Photo   Photographic or Biometrics
CC      Credit Card Information
VclID   Vehicle ID
Mnum    University ID Number
Scores Calculated for “In Scope” Data
Training Directed by REAL Access
Estimated campus-wide training: $2,000/Minute
Finally!
• Training is directed by access (by department/unit)
• Audits are directed by risk (not reputation)
• Reviews and remediation can be swift
• Risk can be assessed at person, department, and division levels
Measured Multi-Year Effect
[Chart: Change in Overall PCI Risk Distribution, 2010 / 2012 / 2014, stacked by risk level]
Change in Overall PCI Risk Distribution (share of the PCI risk population)
Risk level   2010   2012   2014
Low           15%    20%    18%
Medium        15%    17%    24%
High          70%    63%    58%
Year-by-Year Risk Path (people per level)
Level        2010   2012   2014
High          101     58     43
Medium         22     16     18
Low            21     18     18
No Risk*      117     65     57
Average Score by Area
[Chart: Average Security Score for Human Resources Staff, 2010 / 2012 / 2014; series SSN, PIFI, HCI; y-axis 5,000 to 25,000]
Individualized Trend/Training Data
Name: Sally Happyworker
Job Title: IT Analyst/Programmer
Department: IT Business Systems
Division: OIT
Supervisor: Steve Smith
Code     Sensitive Data Type                        2010 Score  Training Completed  2012 Score  Training Completed  2014 Score
SSN      Social Security Data                           10,003  No                      10,003  Yes                          3
PCI-DSS  Credit Card Data                               10,102  Yes                          0  Yes                          0
PIFI     Personally Identifiable Financial Data         10,003  No                      10,003  Yes                          3
HCI      Health Care Information                        10,003  No                      10,003  Yes                          3
Total                                                   40,111                          30,009                               9
Risk (High/Medium/Low)                                  4/1/11                           3/0/9                           0/0/9
InfoSec Score/Training Data Sheet
Overall Effect of Training
[Chart: End User Risk Pool, before and after training]
Questions? Dan deBeaubien – [email protected]
Ashley Sudderth – [email protected]