CircleCityCon 2017 - Security Training: Making your weakest link the strongest

Transcript

1. Security Training Making your weakest link the strongest

2. Senior security researcher, Security Compass Aaron Hnatiw Twitter: @insp3ctre •

   Software developer • College professor • Security consultant • System administrator • Web developer

3. What is this talk about?

4. None
5. None

6. Question: “What’s the biggest security vulnerability in any organization?”

7. Answer: The employees

8. Vulnerable to... •Phishing •Social engineering •Clicking any links on the

   internet •Sharing trade secrets •Insider threats

9. How are these vulnerabilities addressed?

10. Client-side security controls •Antivirus •Imaging software •DLP (data loss prevention)

    •Host-based IPS (intrusion prevention systems) •Host-based firewalls

11. Employee security training

12. How are employees usually trained on security in their organization?

13. 1. Not at all •Formal training often ends after the

    first week •Security is not a component of the training •Security is not present anywhere in the employee handbook

14. This makes the security team’s job impossible.

15. 2. Computer-based Advantages: •Self-paced •Less expensive •Easy metrics •Easy distribution

    across large organizations Disadvantages: •Poor retention* •Often no support without extra costs •Usually not tied back to relevant projects

16. 3. Instructor-led Advantages: •Interactive environment •Better retention •More customized •Can

    be more fun Disadvantages: •More expensive •Easy to do poorly

17. Training your employees- how to do it right

18. Know your audience •General staff •Management •Technical operations

19. General staff •Security Basics •Forward suspicious emails to IT •Don’t

    enable Office macros •You should never be solicited for your password •When in doubt, report to IT •Lock your computer (pro tip: WIN + L) •Password management •Security policies & culture (e.g. if person does not have a badge out, request to see it)

20. Management •Security Basics •Phishing & spear phishing awareness •Beware of

    attachments •You will never be solicited for your password •Policies around financial transfer sign-off & processes •Again- when in doubt, report to IT/Security

21. Technical Operations •Security Basics •Platform-specific vulnerabilities •OWASP Top 10 •Secrets

    management (locally and in code) •Encryption & hashing •When to use one over the other •Don't roll your own •Salting •Trust, but validate •Recommended algorithms (referencing an organizational standard/policy) •Input validation •Output encoding •Where to learn more

22. How to make it fun

23. Hands-on hacking demos and labs •WebGoat •Metasploitable •Mutillidae •Old, unpatched

    operating systems (a use for XP!) •Hack This Site •RaceTheWeb.io •CTF events •https://ctftime.org/event/list/upcoming

24. Theoretical scenarios •Tabletop scenarios •Provide minimal detail, force audience to

    ask clarifying & probing questions •Phishing email vs. real email •Developers: what happens when x happens in y application? •Reference real situations, where possible •Not full threat modelling. Goal is to get employees thinking about security.

25. Other tips •Change environments •Tie material back to specific roles

    and projects

26. Timelines: How often should your employees be trained?

27. General staff •Onboarding •Tested annually •Written exam •Scenarios •Random audits

    •Phishing •Red team

28. Management •Onboarding •Random audits •Phishing •Red team

29. Technical operations •Onboarding •Training annually (more, if possible) •Random audits

    •Phishing •Red team •Incident response

30. Final exam: How to know if your employees have retained

    the material

31. Testing retention •Test understanding throughout •Situation-based scenarios •Written tests (more

    quantifiable) •Exam at the end of the course •BONUS if there is a certification •Regular security audits of employees •Phishing & social engineering •Red team exercises •Questionnaires in performance reviews

32. How do you know it’s worth it?

33. Trick question!

34. Story time

35. With the right training, you can make your employees your

    greatest security asset.

36. Final message

37. Thank you Aaron Hnatiw Twitter: @insp3ctre SecurityCompass.com