Security Awareness For Dummies. Ira Winkler

Чтение книги онлайн.

Читать онлайн книгу Security Awareness For Dummies - Ira Winkler страница 14

Security Awareness For Dummies - Ira  Winkler

Скачать книгу

be good at what they do, social engineers essentially know how to be good liars. They know how to perform transactional influence. They manipulate a user to do a one-time act that they should not otherwise do.

      Social engineering requires a skillset that’s completely different from the one for awareness. A social engineer has to find one trick of influence at one given point in time to succeed. An awareness professional, however, has to create consistent behaviors on the part of users with whom they may never have a personal interaction. A social engineer might find holes that need to be fixed, but using an analogy, fixing a hole in a dam doesn’t strengthen the dam as a whole.

      Providing information showing that the threat is possible makes the information a bit more memorable, so users can remember it for a few more weeks. This can be valuable to increasing the Forgetting Curve, which is discussed in Chapter 3.

      

Though social engineers don’t necessarily have transferrable skills for designing an awareness program, social engineering tests can be a useful way to gather metrics. Social engineering, when performed properly, can determine how people will actually perform when faced with a potential attack. However, don’t fall into the trap of believing that social engineers are competent awareness professionals by default. Awareness is much more than telling people what tricks not to fall for. It’s telling people how to behave properly on a consistent basis.

      “Hackers are unstoppable geniuses.”

      “There may be computer crimes, but it won’t happen to me.”

      “I am too unimportant to be a target.”

      These statements represent common mental models that I deal with in security awareness programs, and these mental models are both harmful and wrong.

      People’s mental models regarding cybersecurity are both inconsistent and frequently wrong. This causes them to make bad decisions. Most computer criminals are opportunists who take advantage of bad cyberhygiene (basic computer practices), such as not installing antimalware software or not performing backups.

      Your goal is first to understand the current mental models that serve as a barrier to positive security behaviors within your user base. Then you must create correct mental models to replace them with. You need to instill strong security practices as a habit.

      If your users believe that hackers are unstoppable geniuses, you need to talk about how they are frequently caught and how someone in your organization thwarted attacks by practicing what you preach. If they believe it will never happen to them, talk about how the organization suffered attacks. Show people how theoretically unimportant targets were used to gain access to other parties. You need to understand and dispel the harmful mental models, not try to adopt them to your needs.

      Chapter 5 discusses getting to know the users, which includes how they perceive security concerns. When you can understand how mental models are failing security awareness efforts, you can start to address them head-on and begin to change perceptions.

      Perhaps the greatest form of self-sabotage you can commit as a security awareness professional is to overpromise what your program can deliver. For example, telling management to expect a human firewall to work — that your users will be both your first and last line of defense — sets you up for failure.

      In the first place, nobody will believe you. Because no experienced security professional would expect perfection, you lose at least some of the credibility you may have had from the start. Then, the first time you have an inevitable security incident, the occurrence chips away at your remaining credibility.

      As I discuss in Chapter 3, the goal of a security program is risk management. A competent CISO doesn’t promise perfect security. They say that they’re working to manage the organization’s risk by implementing a security program. They don’t promise to defeat bad people. They don’t promise that incidents will never happen. They essentially say that they will reduce loss.

Focus any and all claims you might make to be reasonable and based on the potential for risk reduction. To perform risk reduction, you must gather data and make reasonable and defensible claims of potential loss reduction.

      You should always collect metrics before you start rolling out an awareness program. These metrics are commonly referred to as Day 0 metrics, and serve to show the value you create.

      Even if you want to strive for perfection, you need to figure out where you are beginning. Too many awareness practitioners start their programs without figuring out how to judge their success. With awareness, it’s easy to see failure — but almost impossible to see success without proactively looking for it.

      With all business processes, there has to be definition of success — and that is in the form of some metrics. I talk about various types of metrics in Chapter 8, but for now you need to understand that without knowing where you’re starting from, you may never know the level of success you have.

      

Even in the absence of perfection, by collecting metrics throughout the lifecycle of your program, you can demonstrate the real value you return.

      When people think of security awareness programs, often the first things that come to mind are computer-based training (CBT) and phishing simulations. When implementing a program, the person responsible for a security awareness program typically chooses a vendor and then determines which of the vendor’s products to use. Awareness programs should be a strategy for effectively addressing the risk associated with user actions. Products are potential tactics, which may or may not address a piece of a strategy. Though some tactics are common, they are not a strategy to address user risk. If you want a program instead of a product, there has to be more than just a choice of which products to roll out.

      Consider what you would say, when asked about a technical security program, if a security engineer said they were buying a firewall and antimalware. Clearly, both of those products are required, but they don’t make for a complete security program, because attackers can bypass these products or find flaws in the implementation of the products. They leave too many

Скачать книгу