CyberheistNews Vol 1, #16
Editor's Corner


Why Do Security Training Programs Get Poor Marks?

This month is Cybersecurity Awareness Month, but few security pros are happy with the state of security awareness training. The Dark Reading e-zine quotes Alan Paller, director of research at the SANS Institute: "Security awareness has a bad reputation, and to be honest it deserves it; most programs have been poorly planned or executed."







It's a known fact that many current awareness programs are not very effective. And it's not that users are too dumb to understand all this; it's that up to now it simply has been done wrong. IT security people assume that if you make users aware of the problems, they will be motivated enough to change their behavior. Nothing could be further from the truth.







The Dark Reading article puts the finger on the sore spot: the security world needs to take a page from the marketers' playbook. "They focus on small pieces of information that can infiltrate the human mind easily," Mike Murray, managing partner at MAD Security, says. "Whereas with awareness training, we give someone 55 different topics in 15 minutes of training and expect them to remember it and change something."







Alan Paller observed: "Most users don't need to know how security systems work and are administered; they only need to know the rules they should follow to keep data safe. Concepts should be continually reinforced by constantly retraining and updating employees."







And obviously, getting them trained once a year for a short time is not going to sink in, especially if the repercussions for violations don't have teeth. Training needs to start with a baseline metric, and continue to measure user performance after training. Combine that with tracking and potential written warnings from HR, and now you have a program that WORKS.







The article ended with 5 steps to effective training:

1. Communicate small bits of information that users can easily grasp.

2. Focus on what users need to know.

3. Constantly reinforce concepts.

4. Have consequences for repeat offenders.

5. Use metrics to assess effectiveness.







And guess what? That is EXACTLY the program we created for you at KnowBe4. Our customers see a 75% drop in Phish-prone percentage right after the training, and after two months it is close to zero. Security Awareness Training -can- be done right. Done that way, it cuts risk significantly, giving excellent ROI.

Here is the Dark Reading article:

http://www.darkreading.com/insider-threat/167801100/security/news/231900073/are-users-too-dumb-for-security-awareness-training.html










Quotes of the Week

"Right is right, even if everyone is against it; and wrong is wrong, even if everyone is for it." - William Penn, born 1644

"A bore is a person who opens his mouth and puts his feet in it." - Henry Ford







Please tell your friends about CyberheistNews! They can subscribe here:

http://www.knowbe4.com/about-us/cyberheist-news/









How To Get Management Support For Security Awareness Training?

At KnowBe4 we have found that a successful approach to getting budget is in itself an awareness issue. You need to communicate with management by showing them actual phishing attack emails that made it through your organization's filters into an end-user inbox. At that point they will understand that the chance of one of your employees falling for it is pretty high if you don't continually train and test them.











Top Three Reasons Security Awareness Programs Are Effective

Lance Spitzner is a great resource over at SANS, and writes a blog called Securing The Human. A recent posting was excellent and I'm quoting it here in my newsletter, with the strong recommendation that you follow him on Twitter, Facebook or his RSS feed. Lance is truly worth your time!







"When trying to communicate the value of security awareness programs to management or other security professionals, I find these three points a good starting point.

"First, keep in mind that ultimately security awareness is nothing more than another control. It reduces risk, it does not eliminate it. Anti-virus does not detect all malware, firewalls do not prevent all attacks, IDS does not report all exploits. The reason I bring this up is sometimes people hold security awareness to a different standard. A common example I see brought up is phishing: if you send enough phishing emails in an organization someone will fall victim, thus security awareness programs do not work. Yes, it is true, awareness cannot nor will it ever be able to change the behavior of all people. In addition, sooner or later we can all be fooled (including me). However, this does not mean security awareness is a failure; this simply means it is no different than any other control.

"Second, by reducing the common day-to-day human mistakes, you reduce costs and allow your security team to focus on more key issues. Let's take a look at the phishing example again. By reducing the number of people that fall victim to phishing attacks, you reduce costs (just ask your Incident Response team how often they are responding to infected computers). This saves your organization not only response costs, but in addition means more uptime for your employees. Even more important, reducing the number of basic or simple infections allows your IR team to shift their focus from rogue anti-virus and infected screensavers to more advanced and dangerous attacks. Stuff your organization really needs to be worried about.

"Finally, and I feel most importantly, people forget that awareness is not just about prevention. Awareness is part of the whole spectrum of security. Once again, let's take phishing as an example. Yes, there is a failure when ten employees click on links in phishing emails. But what happens when one of those ten realizes that something was wrong and then reports the incident to security? Within minutes of a successful attack, your security team is able to respond, allowing them to not only mitigate the attack, but review and respond across the entire organization. This can be especially effective in countering more advanced threats, such as APT, which use the human as one of their primary attack vectors.

"The reason I'm so excited about security awareness is so little has been done to secure the HumanOS. I feel like we are back in the days of NT or Windows XP SP1; just some basic steps can have tremendous impact."







Here is the original article, with grateful acknowledgment to SANS and Lance Spitzner. This man knows what he is talking about!

http://www.securingthehuman.org/blog/2011/10/12/top-three-reasons-security-awareness-programs-are-effective












Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

WOW: What 9/1000 of a second looks like in Formula 1 racing. A side-by-side comparison of Sebastian Vettel and Jenson Button at the Japanese Grand Prix:
http://www.flixxy.com/what-9-thousandths-of-a-second-look-like-at-f1-speed.htm

Zack Matere from Kenya uses Internet search to increase his knowledge and to use it for a better life for himself and his neighbors:
http://www.flixxy.com/knowledge-through-search.htm

How a GPS works and why the satellite clocks have to be slowed down daily by 38 microseconds due to the effects of Einstein's theory of relativity:
http://www.flixxy.com/how-a-gps-works-and-relativity.htm

Some penguins turn to a life of crime to build the perfect nest:
http://www.flixxy.com/penguin-heist.htm

"Hi, this is Michael - and this is Sven. And today we show the ultimate trick."
http://www.flixxy.com/tablecloth-trick.htm



