Awareness is the Key to Security


1 Awareness is the Key to Security
June 20, 2003
Krizi Trivisani, Chief Security Officer
Amy Hennings, Systems Security Engineer
Guy Jones, Chief Technology Officer

Copyright Krizi Trivisani, Amy Hennings. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 Agenda
Security Implementation Reliance
What is security awareness?
Why is awareness important?
The Security Landscape – The Violation Situation
GW’s Awareness Program
Cultural Impacts of Security Programs
Questions

3 Security Implementation Relies On:
Systems must be built to technically adhere to policy
Policies must be developed, communicated, maintained and enforced
(Diagram labels: Process, Technology, People)
Processes must be developed that show how policies will be implemented
People must understand their responsibilities regarding policy

Notes: Policy implementation depends on processes being in place, technology being utilized to enforce policy, and users understanding the policy and how it relates to them (their responsibilities). We must set the policy, ensure compliance, enforce when out-of-compliance conditions are found, and utilize technology wherever possible to reduce reliance and burden on people. Example of the model: a policy on passwords, a process on how to reset passwords, a system developed to ensure passwords are 8 characters, and users who understand that they cannot share their passwords.

4 What is Security Awareness?
Security awareness is knowledge of potential threats. It is the advantage of knowing what types of security issues and incidents members of our organization may face in the day-to-day routine of their University functions. Technology alone cannot provide adequate information security. People, awareness and personal responsibility are critical to the success of any information security program.

5 Why is Awareness Important?
Security is only as strong as its weakest link. You can build a strong firewall architecture, but someone sharing their password can bypass the technology. You can install virus filters on systems, but unless users keep their desktop anti-virus software up to date, your systems are vulnerable. Technology is an important part of security. Equally important, though, is the reliance on people and making sure they are security aware.

If people are ill-prepared, information is threatened by:
Social engineering
Abuse of privileges and trust
Misuse of systems and network
Password guessing
Physical access to bypass controls
Theft of laptops, storage media, and other technologies
Accidental disclosure
Financial fraud

6 Poor Awareness Exposed…
“It’s a frightening fact, but nine out of ten employees would unwittingly open or execute a dangerous virus-carrying attachment”
“Two-thirds of security managers felt that the overall level of security awareness is either inadequate or dangerously inadequate”
“Nine out of ten employees revealed their password on request in exchange for a free pen”

Notes: These things don’t happen as a result of malicious intent, but rather a lack of awareness of security risks. The Human Firewall campaign sponsored a recent security awareness survey. Responses came from more than 1,400 workers and nearly 600 organizations. Nearly every industry falls in the “D” grade score of 60 – 69, with higher education falling under “other” with the lowest score of 61. GW intends to participate in the survey (Security Awareness Index) next year to find out:
How do my organization’s security awareness practices compare with others in the world and in my industry?
How do I measure and benchmark my own employees’ security awareness level and track progress in raising security awareness over time?

7 Top Ten Most Common Security Mistakes…
1. Passwords on Post-it Notes
2. Leaving your computer on, unattended
3. Opening attachments from strangers
4. Poor password etiquette
5. Laptops on the loose
6. Blabber mouths
7. Plug and play without protection
8. Not reporting security violations
9. Always behind the times (the patch procrastinator)
10. Not knowing internal threats

Notes: The study also revealed the Top Ten Most Common Security Mistakes made by people. Some of them are self-explanatory, like passwords on Post-it notes. Number 2 is an issue here for us at the University, especially in public labs. Number 9 is also very relevant to us – keeping systems patched and up to date will greatly reduce the risk of infection by new viruses, worms, etc.

JUST NOTES IN CASE!!!!
Plug and play without protection: In the rush to get things going, too many folks plug modems straight into servers, or servers straight into the Internet, bypassing routers with firewalls or other corporate security measures. Like calling the phone and cable company before you start digging holes in your backyard, check with your corporate security officer before you plug and play.
Always behind the times (the patch procrastinator): One of the biggest vulnerabilities of any system is the failure to install updates and patches for deployed software. Updates often close any loopholes that may exist. Ignoring them or putting them off for another day could cost you and your company dearly.
Not knowing internal threats: While most managers believe an information security breach will come from an outside intruder, they are wrong. The biggest risk comes from within: disgruntled employees, laid-off employees, a less than ethical contractor, or a partner working both sides of the fence. Every employee has to be responsible for themselves and the behavior they observe in others. "Only you can prevent security incidents," says Smokey the anti-hacker.

8 The Security Landscape – The Violation Situation 2001
Total Violations went from 354 to 5526 – an increase of 1,560%

Minor Violations:
Minor scans – consecutive attempts to find out information about 10 or fewer different IP addresses
Minor hack – attempts to exploit specific vulnerabilities – BLOCKED
Incidents of suspicious activity – activity that is tracked but not necessarily believed to be persistent or deliberate; for example, trying to telnet to the same box three times

Severe Violations:
External Attempted Hacks – planned, strategic, malicious activity originating from outside the University; for example, attempting to gain access to a specific box by exploiting known vulnerabilities – BLOCKED
Outgoing Hacking Attempts – activity originating from University IP space which resulted in notification from non-University system administrators
Compromised Boxes – Specific Infections – severe infections, such as Code Red, Nimda, or new infections
Compromised Boxes – Virus Infections – infections other than the specific ones that are tracked for trends
Violations – violations of the University's policy; for example, internal spam, inappropriate usage, etc.
SPAM Complaints – complaints sent from GW users
Severe SPAM – involves blocking of addresses, IPs, or domains
False Alarms – security cases that were investigated and determined not to be a security violation
Security Cases – security violations that fall outside normal categories/policies
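The minor-violation definitions above carry two concrete thresholds (10 or fewer distinct target addresses for a minor scan, three telnet attempts at the same box for suspicious activity). The following Python is an added example, not GW's tooling or code from the presentation, showing how those definitions become counting rules over connection-attempt records. The sample events, the function names and the label for a scan wider than the minor threshold (which the slide does not define) are this example's own assumptions.

```python
from collections import Counter, defaultdict

# Thresholds taken from the slide's definitions.
MINOR_SCAN_MAX_TARGETS = 10   # "10 or fewer different IP addresses"
SUSPICIOUS_REPEAT = 3         # "trying to telnet to the same box three times"

# Constructed sample of observed connection attempts as (source, destination, service).
# Addresses come from RFC 5737 documentation ranges; none of this is GW data.
SAMPLE_EVENTS = (
    [("198.51.100.5", "192.0.2.1", "telnet")] * 3                          # same box, three times
    + [("198.51.100.7", f"192.0.2.{n}", "http") for n in range(1, 6)]      # 5 distinct targets
    + [("198.51.100.9", f"192.0.2.{n}", "smtp") for n in range(10, 22)]    # 12 distinct targets
    + [("198.51.100.2", "192.0.2.1", "ssh")]                               # one ordinary attempt
)


def classify_sources(events):
    """Label each source address using the slide's minor-violation definitions.

    Returns {source: label}. Treating a single-target source as "not a scan" and
    the label for scans wider than the minor threshold are assumptions of this
    example; the slide only defines the minor case.
    """
    by_src = defaultdict(list)
    for src, dst, svc in events:
        by_src[src].append((dst, svc))

    labels = {}
    for src, attempts in by_src.items():
        targets = {dst for dst, _ in attempts}
        telnet_per_box = Counter(dst for dst, svc in attempts if svc == "telnet")
        if len(targets) > MINOR_SCAN_MAX_TARGETS:
            labels[src] = "scan beyond minor threshold (assumed: analyst review)"
        elif len(targets) > 1:
            labels[src] = "minor scan"
        elif any(n >= SUSPICIOUS_REPEAT for n in telnet_per_box.values()):
            labels[src] = "suspicious activity"
        else:
            labels[src] = "no violation recorded"
    return labels


if __name__ == "__main__":
    for src, label in sorted(classify_sources(SAMPLE_EVENTS).items()):
        print(f"{src:15} {label}")
```

Counting distinct destinations per source (rather than raw attempt counts) is what separates a scan from a repeated attempt against one box, which is the distinction the two minor categories draw.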

9 The Security Landscape – The Violation Situation 2002
Average number of violations per month in 2002 is 7197

10 The Security Landscape – The Violation Situation 2003
Average number of violations (so far!) per month in 2003 is 9438

11 The Violation Situation Continued Email Viruses Filtered
22,271 in December of 2001 increased to 97,660 in May of 2003

12 GW’s Security Awareness Program www.gwu.edu/~infosec
Features:
Hourly feed from CERT with the most up-to-date security alerts
Links to policies, GW sites, and external security sites
A security glossary
Information on:
  What is Information Security?
  The Information Security Office
  Reporting Security Incidents
  Risk Assessment
  Security Awareness
**Please note that our security web pages are only available to our on-campus users

Notes: So what is GW doing to address gaps in security awareness? The Information Security Office is rolling out a formal Security Awareness Program which includes both online and printed material. The goals of GW's Security Awareness Program are: to educate members of the University community, to identify and address risk, and to promote and encourage good security habits. Security awareness is not a one-shot effort. An effective program requires security concepts to be reinforced through ongoing education. Our audience for the first roll-out is the general University community. Topics are non-technical and relevant to the average user.

The first resource I would like to demo is the security awareness web site. GO TO I would like to point out that, for security as well as copyright reasons, the Information Security web pages will currently only be available to users on GW IP space. Users off campus can access the web pages via the GW Proxy (LDAP authentication required). Some features of the site are: On the main page, there is a link to alerts from CERT. We receive hourly updates on the latest security alerts.
MAIN PAGE CLICK ON A SAMPLE CERT ALERT AND GO BACK TO THE MAIN PAGE
Along the left side of the page, you will see a link to the University’s Policy Center where security policies are published. CLICK ON SECURITY POLICY LINK AND GO BACK
You will also see links to other GW and external Security Sites. CLICK ON LINKS AND PAUSE
If you have a GW site that you would like linked from the security pages, please contact me. GO BACK TO MAIN PAGE
Other links off the main page include: What is Information Security; The Information Security Office and Staff; Reporting Security Incidents; and Risk Assessment. CLICK ON RISK ASSESSMENT AND SCROLL TO THE BOTTOM OF THE PAGE
Under this link you will find a presentation on understanding and managing risk. CLICK PRESENTATION AND CLICK THROUGH A SLIDE OR TWO AND GO BACK TO MAIN PAGE
Now, let’s go back to the presentation and talk about the additional print and online media available for security awareness. GO BACK TO THE PRESENTATION AND GO TO SLIDE 7

13 GW’s Security Awareness Program - Materials
Monthly posters focusing on a specific awareness topic
Monthly article in GW Technology Today
Brochures available for:
  New students (Colonial Inauguration)
  New employees (Orientation)
  Training programs
Free security screen saver
Online security tutorial – S.T.A.R.T.
Sample password tester
Animated security awareness banners
In Pilot – “Protect IT” Security Awareness Workshop
Next phase – Online quizzes

Partnered with Security Awareness Incorporated, which is endorsed by:
CERT® Computer Emergency Response Team
CERIAS Center for Education and Research in Information Assurance and Security
CIAC Computer Incident Advisory Capability
CRSC Computer Security Resource Clearinghouse
FedCIRC Federal Computer Incident Response Capability
FIRST Forum of Incident Response and Security Teams
IBM ERS IBM Emergency Response Service
ISSA Information Systems Security Association, Inc.
SANS System Administration, Networking and Security
Information Security Magazine

Notes: “Project IT” – A presentation and workshop designed for classroom-based awareness training. Includes: PowerPoint presentation, speaker notes, quiz. We also hold our quarterly Security Forum to communicate security information.

14 GW’s Security Awareness Program - Materials
Online materials:
Free security screen saver
Online security tutorial – S.T.A.R.T.
Sample password tester
Animated security awareness banners
Electronic version of monthly awareness posters
AWARENESS IS THE KEY TO SECURITY.

Notes: Let’s move on to the online awareness materials available by going back to the security web site. GO TO Under the security awareness tab (CLICK ON SECURITY AWARENESS) you will see animated security awareness banners located at the top of the screen. Every time you refresh, you will see a different tip. CLICK REFRESH
Also on the site you will find general awareness information (SCROLL DOWN SCREEN) and a link back to the hourly CERT alerts.
During breakfast you may have noticed the security screen saver we had running. This free screen saver will be available for download around July 19th. We will be running the screen saver again during the break.
CLICK ON THE SAMPLE PASSWORD CHECKER
What is the most commonly used insecure password? Password! TYPE PASSWORD AND CHECK
That is a pretty weak, easily guessed password. So what can we do to make a better password? Use a combination of 8 or more letters – upper and lower case, special characters, and numbers. Let’s check one of the passwords on our “biker” poster. TYPE 2#gluvsHelp AND CHECK
Again, this is just a sample password checker – we don’t recommend typing in your actual password unless you are going to immediately change it to one that is more secure. GO BACK TO MAIN AWARENESS PAGE
There is also an online security tutorial. CLICK ON TUTORIAL
START: Security Training, Awareness and Reference Tool. Topics covered by this security tutorial include: password construction, password management, internet usage, telephone fraud, usage, viruses, PC security, software licensing, backups, physical security, social engineering, and data confidentiality.
Your opinion is important to us! Please take a look at the new web pages and give us your feedback. GO BACK TO THE PRESENTATION
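The composition rule stated in the notes above (8 or more characters mixing upper and lower case, numbers and special characters), and the 8-character system check from the policy/process/technology/people example on slide 3, can be expressed as a local checker. The Python below is an added example, not GW's sample password tester or any code from the presentation; the function names, the small list of commonly chosen passwords, and the decision to run the check only against the two passwords the notes mention are this example's own assumptions. It runs entirely on the local machine and stores nothing, which is the property the notes want from a checker you type a real password into.

```python
import string

# Composition rule from the slide: 8 or more characters mixing upper- and lower-case
# letters, numbers and special characters. All names here are this example's own.
MIN_LENGTH = 8

# Constructed list of commonly chosen passwords; the slide names only "Password".
COMMON_PASSWORDS = {"password", "password1", "letmein", "welcome", "12345678"}


def evaluate_password(pw: str) -> dict:
    """Return each criterion with True/False plus an overall 'acceptable' verdict.

    Nothing is stored or sent anywhere: the check is a pure function of its input.
    """
    result = {
        "length": len(pw) >= MIN_LENGTH,
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in string.punctuation for c in pw),
        "not_common": pw.lower() not in COMMON_PASSWORDS,
    }
    result["acceptable"] = all(result.values())
    return result


def failed_criteria(pw: str) -> list:
    """Names of the criteria the password misses (empty list if acceptable)."""
    checks = evaluate_password(pw)
    return [name for name, ok in checks.items() if name != "acceptable" and not ok]


if __name__ == "__main__":
    # The two passwords the speaker notes walk through.
    for candidate in ("Password", "2#gluvsHelp"):
        missing = failed_criteria(candidate)
        verdict = "acceptable" if not missing else "weak: missing " + ", ".join(missing)
        print(f"{candidate!r}: {verdict}")
```

"Password" satisfies the length and case criteria yet still fails, because a composition rule alone does not catch a word that is common enough to be guessed outright; that is why the checker also compares against a list of commonly chosen passwords.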

15 Awareness Requires a Change in Culture Analogy - Seatbelts
"Culture does not change because we desire to change it. Culture changes when the organization is transformed; the culture reflects the realities of people working together every day." — Frances Hesselbein

Key to Cultural Transformation
“It should be noted that it took many years to get the seatbelt usage up to its present level, and it takes a heavy hand from the police to persuade the stupid to do the obvious.” — Peter N. Wadham

Research shows that states with primary enforcement laws, which permit police to stop and ticket for failing to wear a seat belt, yield an average of 15 percentage points higher seat belt use than states with secondary enforcement laws.
Legislation, Enforcement, Public Information and Education, and Partnerships: MI – 1998 – 2000

"Out at sea it takes 30 miles for an oil tanker to reverse its direction. It takes time and commitment to change, based on foundational values, principles and quality relationships to positively affect your company's culture -- its way of doing things." — The Freeman Institute, Changing the Culture of Your Organization

16 Awareness is the Key to Security
As a student, faculty, staff or contractor of The George Washington University, it is your responsibility to help in the protection and proper use of our information and technology resources. WE ARE COUNTING ON YOU! Every member of the GW University Community has a responsibility in keeping our information and resources secure. Effective security relies on people. Remember – Awareness is the key to security. If you have questions about the awareness program, please do not hesitate to contact me. GO TO LAST SLIDE

17 Questions and Presentation Wrap-up
Recommended information sources Special Thanks to Security Awareness Incorporated!!!

