Maximizing ROI through Security Training

Upload: rochester-security-summit

Post on 18-Nov-2014


DESCRIPTION

How can a company implement an effective security training program with a limited budget and scarce resources? The first step is to assess needs and define training objectives. Then comes the challenging and often perplexing decision of build versus buy, instructor-led versus CBT (computer-based training), and generic versus customized training that references internal security standards, development policies, and secure coding guidelines. Finally, how does the company define success and measure results, and how does it ensure developers retain and apply the skills they learn to develop secure software?

Speaker: Kartik Trivedi, Symosis. Kartik is a senior information security, technology, and business professional, renowned speaker and co-founder of Symosis. Symosis is a boutique hi-tech information security consulting firm specializing in software security, with a focus on delivering solutions for organizations coping with the broad spectrum of security threats, risks, infrastructure needs, and regulatory compliance requirements. Kartik has a decade of experience selling and managing the delivery of services to the Fortune 500. He is a solutions-driven, collaborative leader known for consistently driving profitability and client satisfaction in rapidly growing and evolving organizations.

TRANSCRIPT

Page 1: Maximizing ROI through Security Training (for Developers)

Maximizing ROI through Security Training

Page 2: Maximizing ROI through Security Training (for Developers)

Who am I?

• VP / Co-Founder of Symosis, 10+ years in information security consulting & training (USC, Foundstone, McAfee, Accuvant, C-Level Security, etc.)

• Invited speaker, author and educator

• MBA, MS Comp Sc, CISM, CISA, CISSP

Page 3: Maximizing ROI through Security Training (for Developers)

Table of Contents

• Business case for security
• Evolving threats
• How to build an effective training program?
• Case Studies

Page 4: Maximizing ROI through Security Training (for Developers)

The Business Case for Security

Proper security enables a company to meet its business objectives by providing a safe and secure environment.

Page 5: Maximizing ROI through Security Training (for Developers)

Impact of Security Breaches

• Loss of Revenue
• Damage to Reputation
• Loss or Compromise of Data
• Damage to Investor Confidence
• Legal Consequences
• Interruption of Business Processes
• Damage to Customer Confidence

Page 6: Maximizing ROI through Security Training (for Developers)

Dollar Amount of Loss

[Chart: dollar amount of loss by incident type; source CSI 2006]

The cost of implementing security measures is not trivial; however, it is a fraction of the cost of mitigating security compromises.

* CSI 2006

Page 7: Maximizing ROI through Security Training (for Developers)

Cost of Security Breach

[Chart: cost of security breach; source Aberdeen Group, August 2010]

* Aberdeen Group August 2010

Page 8: Maximizing ROI through Security Training (for Developers)

Security Breach Example Costs

Cost of recent customer records breaches:
• $6.5 Million: DSW Warehouse costs from data theft
• $5.7 Million: BJ's Wholesale Club from data breach

Additional impact/cost due to lost customers:
• 20% of customers have ended a relationship with a company after being notified of a breach (Ponemon Institute)
• 58% said the breach decreased their sense of trust and confidence in the organization reporting the incident

Page 9: Maximizing ROI through Security Training (for Developers)

TOC

• Business case for security
• Evolving threats
• How to build an effective training program?
• Case Studies

Page 10: Maximizing ROI through Security Training (for Developers)

Emerging Threats - Attack Methods

[Chart: attack methods; source SANS 2010]

* SANS 2010

Page 11: Maximizing ROI through Security Training (for Developers)

Emerging Threats - Application Weaknesses

[Chart: application weaknesses; source SANS 2010]

* SANS 2010

Page 12: Maximizing ROI through Security Training (for Developers)

Emerging Threats

[Chart: "Rapidly Escalating Threat to Businesses". Vertical axis: impact, i.e. target and scope of damage, rising from an individual computer through individual, multiple and regional networks to global infrastructure. Horizontal axis: 1980s, 1990s, today, future. The time from release to impact shrinks with each generation.]

• First Gen (1980s): boot viruses; impact in weeks
• Second Gen (1990s): macro viruses, denial of service; impact in days
• Third Gen (today): distributed denial of service, application threats, malware; impact in minutes
• Next Gen (future): flash threats, massive "bot"-driven DDoS, damaging payload worms; impact in seconds

Page 13: Maximizing ROI through Security Training (for Developers)


Emerging Threats Categories

• Malware
• Botnets
• Threats to VoIP and mobile convergence
• Cyber warfare
• Data thefts

Page 14: Maximizing ROI through Security Training (for Developers)

Threats becoming increasingly difficult to detect and mitigate

[Chart: threat severity (vertical axis) over time, 1990, 1995, 2000, 2005, "What's next?"; attacker motivation moves through three stages.]

• Testing the waters: basic intrusions and viruses
• Fame: viruses and malware
• Financial: theft & damage

Page 15: Maximizing ROI through Security Training (for Developers)

TOC

• Business case for security
• Evolving threats
• How to build an effective training program?
• Case Studies

Page 16: Maximizing ROI through Security Training (for Developers)

Why Security Training

• Reduce accidental security breaches
• Improve employee behaviour
• Enable the organization to hold employees accountable for their actions
• Build in-depth knowledge to design, implement, or operate security programs for organizations & systems
• Develop skills & knowledge so that computer users can perform their jobs while using IT systems more securely

Page 17: Maximizing ROI through Security Training (for Developers)

Why Security Training?

• Dissemination & enforcement of policy become easier when training & awareness programs are in place
• Demonstrating due care & diligence can help indemnify the institution against lawsuits
• By improving awareness of the need to protect system resources

Page 18: Maximizing ROI through Security Training (for Developers)

How is Information Security Justified?

[Chart: drivers cited for information security spending; source PwC security survey 2011]

PwC security survey 2011

Page 19: Maximizing ROI through Security Training (for Developers)

Step 1: Define Training Objectives

• Compliance, regulations and governance
• Client / partner requirements
• Increase the general level of security awareness
• Reduce the incidences of computer fraud, waste and abuse
• Create a more security-savvy workforce
• Design, develop and maintain secure IT infrastructure and applications

Page 20: Maximizing ROI through Security Training (for Developers)

PCI Compliance

All service providers with which cardholder data is shared must adhere to the PCI DSS requirements and must sign an agreement acknowledging that the service provider is responsible for the security of the cardholder data the provider possesses.

Page 21: Maximizing ROI through Security Training (for Developers)

PCI Compliance

The Payment Card Industry (PCI) Data Security Standard mandates a security awareness program that:

• 12.6.1: Educates employees upon hire and at least annually
• 12.6.2: Requires employees to annually acknowledge in writing that they have read and understood the company's security policy and procedures

Page 22: Maximizing ROI through Security Training (for Developers)

HIPAA Compliance

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates that Covered Entities, which include health plans, healthcare clearinghouses, and most healthcare providers, may not use or disclose individuals' health information for purposes unrelated to providing healthcare, managing their organization, or meeting their obligations under state and federal law, unless individuals specifically authorize them to do so.

Page 23: Maximizing ROI through Security Training (for Developers)

HIPAA Compliance

Ensuring all employees, including management, agents and contractors in an organization, understand and uphold these rules is no easy task and is, to a large degree, a training and management problem. This is why the Department of Health and Human Services (HHS) has mandated annual privacy and security training, as well as regular reminders for all employees.

Page 24: Maximizing ROI through Security Training (for Developers)

HIPAA Compliance

• Upper management training
• Security awareness day
• Security awareness and ongoing training for all staff
• Computer users' supervisor training
• Security "marketing" efforts
• Annual system-specific training
• Professional education training

Page 25: Maximizing ROI through Security Training (for Developers)

GLBA Compliance

The Gramm-Leach-Bliley Act of 1999 employee training requirements mandate IT security awareness training for all employees of financial service providers (FSPs) covered by the GLB Act, which includes all companies "engaging in financial activities."

Page 26: Maximizing ROI through Security Training (for Developers)

GLBA Compliance

• Examples of organizations affected by these rules include:
  – insurance agencies
  – tax preparers
  – finance companies
  – collections agencies
  – leasing agencies
  – travel agencies
  – financial advisors

Page 27: Maximizing ROI through Security Training (for Developers)

ISO 27002

• ISO 27002 is an internationally recognized standard published by the International Organization for Standardization covering information security best practices. Many global organizations use this comprehensive standard to gauge their information security programs.

• Provide an adequate level of security education and training to your organization's employees, contractors and third-party users.

Page 28: Maximizing ROI through Security Training (for Developers)

FISMA

• The Federal Information Security Management Act (FISMA) is Title III of the E-Government Act of 2002, which requires federal agencies to develop, document, and implement a comprehensive agency-wide information security program.

• Part of such a program is a security training program that educates personnel, including contractors and other users, on their responsibilities in maintaining information security, complying with organizational policies and procedures, and reducing the risks associated with their activities.

Page 29: Maximizing ROI through Security Training (for Developers)

Red Flag Theft Prevention

• Under the Red Flag regulations, financial institutions and creditors must develop a written program that identifies and detects the relevant warning signs (Red Flags) of identity theft, such as unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents.

• Includes appropriate staff training and oversight of any service providers.

Page 30: Maximizing ROI through Security Training (for Developers)

SOX (Sarbanes-Oxley)

• Sarbanes-Oxley requires the CEO and CFO of publicly traded companies to be held accountable for financial statements filed with the Securities and Exchange Commission, and includes criminal penalties for false certification.

• Top management must ensure that there are adequate 'internal controls' to ensure reliable financial reporting and protect financial data that resides in information systems.

Page 31: Maximizing ROI through Security Training (for Developers)

Step 2: Assess Needs

• Identify the training administrator
  – Primary responsibility lies with the Chief Information Security Officer, top management and the security team

Page 32: Maximizing ROI through Security Training (for Developers)

Assess Needs

• Who needs to be trained, and on what?
  – All stakeholders: security awareness training, compliance
  – Program managers: architecture & design
  – Architects & developers: threats, coding mistakes, secure software development
  – Testers / QA: security test cases

Page 33: Maximizing ROI through Security Training (for Developers)

Assess Needs

Functional background: General User / Managerial User / Technical User
Skill level: Novice / Intermediate / Expert

Using the wrong training methods can:
• Hinder transfer of knowledge
• Lead to unnecessary expense & frustrated, poorly trained employees

Page 34: Maximizing ROI through Security Training (for Developers)

Step 3: Key Factors

• Build vs. Buy
• Classroom / Instructor Led
• CBT / Web Based
• Generic vs. Customized
• Hosting

Page 35: Maximizing ROI through Security Training (for Developers)

Build vs. Buy

Build
• Business needs are unique
• Internal capability available
• Proprietary information or data needs to be protected
• Complexity of interface with the company's LMS
• No COTS products, or too costly

Buy
• Reduce and control operating costs
• Free internal resources
• Gain access to external capabilities
• Resource constraints
• Improve company focus
• Share risks

Key considerations - cost, quality, and timeline

Page 36: Maximizing ROI through Security Training (for Developers)

Costs

• "How to Spend a Dollar on Security" recommends that out of every security dollar you spend:
  – 15 cents: Policy
  – 40 cents: Awareness
  – 10 cents: Risk Assessment
  – 20 cents: Technology
  – 15 cents: Process

• We have seen it done for anywhere between $5K and $5M in annual costs

Patrick McBride - ComputerWorld

Page 37: Maximizing ROI through Security Training (for Developers)

Classroom / Instructor Led

• Study away from the office at another location, with time set aside and dedicated to learning a new course (and in some cases, for certification, sitting an exam)

• Costs are higher, as they include course fees, travel, accommodation and other expenses

• Access to a trainer for the duration of the course (and sometimes for a limited period after the course)

• Access to other students during the course, and as a potential networking group after the course

Page 38: Maximizing ROI through Security Training (for Developers)

Computer / Web Based

• Individuals can study in their own time and at their own pace, learning at a rate they are comfortable with

• Lower costs: CBT is much more cost effective than classroom training. A multi-user option allows a company to train several people for the same budget as, or less than, sending one person on a classroom course

• Combines the "best bits of classroom training", such as video clips of instructor sessions, with the "best bits of reference material", such as technical information and practice questions, to provide an all-round training experience that benefits both student and employer at the best available price

Page 39: Maximizing ROI through Security Training (for Developers)

Generic vs. Customized

• Generic training is cost effective and focuses on core security issues, the OWASP Top 10 threats, etc.

• Customization provides training that matches specific needs for content, completion requirements, quizzes, policies, and even employee responsibility acknowledgment.

Page 40: Maximizing ROI through Security Training (for Developers)

Hosting

• Web-based training can be hosted internally or provided as software as a service (SaaS)

• Internal hosting provides greater control but can be resource and cost intensive

• A SaaS service is often turnkey but may limit scalability and usage

Page 41: Maximizing ROI through Security Training (for Developers)

Step 4: Metrics

• Quiz and survey results
• Content
• People

Page 42: Maximizing ROI through Security Training (for Developers)

Metrics - Quiz and survey results

• Score Results: How did people score?
• Answer Breakdown: How did people answer?
• Attempt Detail: How did a user answer?

Page 43: Maximizing ROI through Security Training (for Developers)

Metrics - Content

• Activity: What was the activity for a content item?
• Traffic: How often was an item viewed?
• Progress: How many slides did people view?
• Popular Content: Which content was viewed the most?

Page 44: Maximizing ROI through Security Training (for Developers)

Metrics - People

• Group Activity: What content did a group view?
• User Activity: What content did a user view?
• Active Groups: Who were my most active groups?
• Active Users: Who were my most active users?
• Guestbook Responses: What were the responses to a guestbook?

Page 45: Maximizing ROI through Security Training (for Developers)

TOC

• Business case for security
• Evolving threats
• How to build an effective training program?
• Case Studies

Page 46: Maximizing ROI through Security Training (for Developers)

Case Study 1 - Project management and custom software company

• Challenge:
  – Ensure secure coding elements have been taught
  – Prevent top 10 threats and teach mitigation techniques
  – Meet a time-sensitive requirement under a DoD contract

• Solution:
  – Implement best-practices software security training for Java
  – Provide access to training on demand from a SaaS model

Page 47: Maximizing ROI through Security Training (for Developers)

Case Study 2

• Challenge:
  – Improve software quality by eliminating common mistakes
  – Provide a foundation for everyone to 'own' security

• Solution:
  – Create a custom course based on previously identified risks and mitigations
  – Integrate security test cases into the QA lifecycle
  – Measure year-over-year declines in security-related CRs
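The three quiz views from Step 4 (Score Results, Answer Breakdown, Attempt Detail) and the year-over-year security CR measure from this case study, worked through in Python as an added example that is not part of the presentation. The quiz records, topic names and change-request counts are constructed sample data, and reporting security CRs as a share of all CRs (so that a raw drop caused by simply shipping less code is not mistaken for a training effect) is an addition of mine, not something the slides describe.

```python
"""Training-effectiveness metrics over constructed sample data.

Added example, not from the presentation. The quiz attempts and
change-request (CR) counts below are constructed for illustration.
"""
from collections import Counter, defaultdict

# Constructed quiz attempts: (user, question_id, topic, answer_given, correct_answer)
QUIZ_ATTEMPTS = [
    ("alice", "q1", "injection", "B", "B"),
    ("alice", "q2", "authentication", "A", "A"),
    ("alice", "q3", "crypto", "C", "D"),
    ("bob", "q1", "injection", "B", "B"),
    ("bob", "q2", "authentication", "A", "A"),
    ("bob", "q3", "crypto", "D", "D"),
    ("carol", "q1", "injection", "B", "B"),
    ("carol", "q2", "authentication", "A", "A"),
    ("carol", "q3", "crypto", "A", "D"),
]

# Constructed CR counts per year: {year: (security-related CRs, all CRs)}
CRS_BY_YEAR = {2012: (40, 400), 2013: (30, 250), 2014: (18, 300)}


def score_results(attempts):
    """Score Results: percent correct per user."""
    per_user = defaultdict(list)
    for user, _q, _topic, given, correct in attempts:
        per_user[user].append(given == correct)
    return {u: round(100 * sum(r) / len(r), 1) for u, r in per_user.items()}


def answer_breakdown(attempts, question_id):
    """Answer Breakdown: how many people picked each answer to one question."""
    return dict(Counter(given for _u, q, _t, given, _c in attempts if q == question_id))


def attempt_detail(attempts, user):
    """Attempt Detail: (question, given, correct, passed) for one user."""
    return [(q, given, correct, given == correct)
            for u, q, _t, given, correct in attempts if u == user]


def topic_correct_rate(attempts):
    """Fraction of correct answers per topic across all users."""
    hits, total = Counter(), Counter()
    for _u, _q, topic, given, correct in attempts:
        total[topic] += 1
        hits[topic] += given == correct
    return {t: hits[t] / total[t] for t in total}


def weakest_topics(attempts, threshold=0.6):
    """Topics whose correct rate is below the threshold: candidates for
    retraining, or for revising the course content itself."""
    return sorted(t for t, r in topic_correct_rate(attempts).items() if r < threshold)


def security_cr_trend(crs_by_year):
    """Year-over-year change in security-related CRs.

    Reports the raw count change and the change in security CRs as a share of
    all CRs (in percentage points). A raw decline can mean nothing more than
    less code shipped; the share is the fairer measure of changed behaviour.
    """
    trend, prev = {}, None
    for year in sorted(crs_by_year):
        sec, total = crs_by_year[year]
        share = sec / total
        row = {"security_crs": sec, "share_pct": round(100 * share, 1)}
        if prev is not None:
            prev_sec, prev_share = prev
            row["raw_change_pct"] = round(100 * (sec - prev_sec) / prev_sec, 1)
            row["share_change_pts"] = round(100 * (share - prev_share), 1)
        trend[year] = row
        prev = (sec, share)
    return trend


if __name__ == "__main__":
    print("Scores:", score_results(QUIZ_ATTEMPTS))
    print("q3 answers:", answer_breakdown(QUIZ_ATTEMPTS, "q3"))
    print("carol:", attempt_detail(QUIZ_ATTEMPTS, "carol"))
    print("Retrain:", weakest_topics(QUIZ_ATTEMPTS))
    for year, row in security_cr_trend(CRS_BY_YEAR).items():
        print(year, row)
```

With the constructed data, every learner passes the injection and authentication questions but two of three miss the crypto question, so `weakest_topics` singles out "crypto" as the content to revisit. The CR trend shows why normalisation matters: from 2012 to 2013 raw security CRs fall 25%, yet their share of all CRs rises two points because far fewer CRs were filed overall; only the 2014 figures show a genuine decline on both measures.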

Page 48: Maximizing ROI through Security Training (for Developers)

Case Study 3

• Challenge:
  – Meet PCI compliance for integrating secure coding practices

• Solution:
  – Implement Java/.NET secure coding practices
  – Address PCI cardholder data requirements within application development

Page 49: Maximizing ROI through Security Training (for Developers)

Thanks for listening...

Questions?

Try out free Symosis training at http://www.symosis.com