The Future of Information Security Awareness Kelley Archer: Facilitator - Director Information Security, AIMIA Inc. Aaron Cohen: Managing Partner, MAD Security Ira Winkler: President, Information Systems Security Association

Who wants YOUR information? 2

Agenda In the last year the effectiveness of information security awareness has been the subject of vigorous debate. In this panel, leading experts will discuss the causes for dissatisfaction with historical awareness techniques and how awareness has evolved in the last decade. Topics such as metrics, surrogate outcomes and the latest research will all be discussed. Each Panel member will respond to questions presented by the facilitator as well as from the audience. In the last year the effectiveness of information security awareness has been the subject of vigorous debate. In this panel, leading experts will discuss the causes for dissatisfaction with historical awareness techniques and how awareness has evolved in the last decade. Topics such as metrics, surrogate outcomes and the latest research will all be discussed. Each Panel member will respond to questions presented by the facilitator as well as from the audience. 3

Type of questions to be addressed How do you see Information Security Awareness being implemented in the next 5-6 years? What methods will become predominate and which ones currently in use will fall by the wayside? What new issues/struggles with obtaining executive buy in are expected? What will be the best way to reason with users of the future to ensure they are retaining the necessary messages and including them into their everyday behavior? Is it really all about changing behavior or is their some secret that we're all missing? The focus here being on the "I'm entitled" generation. How will we better equip our users to habitually be aware of threats, both virtual and physical? What and where will the metrics be found? There has to be something better than a pass or fail rating on a quiz which is what's traditionally seen in awareness programs. How will we mitigate targeted attacks, like spear phishing? People want freedom, but we obviously know this comes at a cost. How will a company best draw the line between enforcing security in a mobile environment? How will organizations measure how their security awareness programs are working? Can this even be done? Is this really something that can be done with a once a year program? What is more successful, a one time hit with training, or more spread out training? Lets talk about the C-Level executive. How do we educate the executive? Do we need to treat them differently? How do you see Information Security Awareness being implemented in the next 5-6 years? What methods will become predominate and which ones currently in use will fall by the wayside? What new issues/struggles with obtaining executive buy in are expected? What will be the best way to reason with users of the future to ensure they are retaining the necessary messages and including them into their everyday behavior? Is it really all about changing behavior or is their some secret that we're all missing? The focus here being on the "I'm entitled" generation. How will we better equip our users to habitually be aware of threats, both virtual and physical? What and where will the metrics be found? There has to be something better than a pass or fail rating on a quiz which is what's traditionally seen in awareness programs. How will we mitigate targeted attacks, like spear phishing? People want freedom, but we obviously know this comes at a cost. How will a company best draw the line between enforcing security in a mobile environment? How will organizations measure how their security awareness programs are working? Can this even be done? Is this really something that can be done with a once a year program? What is more successful, a one time hit with training, or more spread out training? Lets talk about the C-Level executive. How do we educate the executive? Do we need to treat them differently? 4

5

6

7

How they get your information 8 High Tech methods –Credit/Debit Card theft –Skimming – device under apron or at gas pumps –Pretexting – a form of social engineering –Man-in-the-Middle – intercept of communication –Phishing – Most common methods Pharming – tamper w/web site, redirect user Vishing – voice phishing/robo calls Search Engine Phishing – Too good to be true offer on web site SMiShing – Spam text message posing as legitimate org. Malware Based Phishing – attach a harmful program Phishing through Spam – also known as spammer, sends offers Spear Phishing – phishing focused at businesses, e.g. IT Tech support High Tech methods –Credit/Debit Card theft –Skimming – device under apron or at gas pumps –Pretexting – a form of social engineering –Man-in-the-Middle – intercept of communication –Phishing – Most common methods Pharming – tamper w/web site, redirect user Vishing – voice phishing/robo calls Search Engine Phishing – Too good to be true offer on web site SMiShing – Spam text message posing as legitimate org. Malware Based Phishing – attach a harmful program Phishing through Spam – also known as spammer, sends offers Spear Phishing – phishing focused at businesses, e.g. IT Tech support

Example Phishing s 9 Dear Customer:: For your security, access to Online Banking has been locked because the number of attempts to sign in exceeded the number allowed. To regain access to your internet banking, Please update and select the Reset Account link. below. We will review the activity on your account with you and upon verification, we will remove any restrictions placed on your account. To access and activate your account, simply click the link below. The entire activation should take only 5 minutes of your time. Please complete the activation by now. Thank you for using Online Banking. Bank Of Ameria Alerts If you no longer wish to receive these s, please click on this link:

QUESTIONS????? 10