Security Awareness An effective computer security-awareness and training program
Question
Security Awareness
An effective computer security-awareness and training program requires proper planning, implementation, maintenance, and periodic evaluation. In general, a computer security-awareness and training program should encompass the following seven steps:
Step 1. Identify program scope, goals, and objectives.
The scope of the program should provide training to all types of people who interact with IT systems. Because users need training that relates directly to their use of particular systems, you need to supplement a large, organization-wide program with more system-specific programs.
Step 2. Identify training staff.
It is important that trainers have sufficient knowledge of computer security issues, principles, and techniques. It is also vital that they know how to communicate information and ideas effectively.
Step 3. Identify target audiences.
Not everyone needs the same degree or type of computer security information to do his or her job. A computer security-awareness and training program that distinguishes between groups of people, presents only the information that is needed by the particular audience, and omits irrelevant information will have the best results.
Step 4. Motivate management and employees.
To successfully implement an awareness and training program, it is important to gain the support of management and employees. Consider using motivational techniques to show management and employees how their participation in a computer security and awareness program will benefit the organization.
Step 5. Administer the program.
Several important considerations for administering the program include visibility, selection of appropriate training methods, topics, and materials, and presentation techniques.
Step 6. Maintain the program.
You should make an effort to keep abreast of changes in computer technology and security requirements. A training program that meets the needs of an organization today may become ineffective when the organization starts to use a new application or changes its environment, such as by connecting to the Internet.
Step 7. Evaluate the program.
An evaluation should attempt to ascertain how much information is retained, to what extent computer security procedures are being followed, and the general attitudes toward computer security.
A successful IT security program consists of the following:
Developing IT security policy that reflects business needs tempered by known risks.
Informing users of their IT security responsibilities, as documented in agency security policy and procedures.
Establishing processes for monitoring and reviewing the program.
You should focus security awareness and training on the entire user population of the organization. Management should set the example for proper IT security behavior within an organization. An awareness program should begin with an effort that you can deploy and implement in various ways and be aimed at all levels of the organization, including senior and executive managers. The effectiveness of this effort usually determines the effectiveness of the awareness and training program and how successful the IT security program will be.
Secure Network Life Cycle
By framing security within the context of IT governance, compliance, and risk management, and by building it with a sound security architecture at its core, the result is usually a less expensive and more effective process. Including security early in the information process within the system design life cycle (SDLC) usually results in less-expensive and more-effective security when compared to adding it to an operational system.
A general SDLC includes five phases:
Initiation
Acquisition and development
Implementation
Operations and maintenance
Disposition
Initiation Phase
The initiation phase of the SDLC includes the following:
Security categorization: This step defines three levels (low, moderate, and high) of potential impact on organizations or individuals should a breach of security occur (a loss of confidentiality, integrity, or availability). Security categorization standards help organizations make the appropriate selection of security controls for their information systems.
Preliminary risk assessment: This step results in an initial description of the basic security needs of the system. A preliminary risk assessment should define the threat environment in which the system will operate.
Acquisition and Development Phase
The acquisition and development phase of the SDLC includes the following:
Risk assessment: This step is an analysis that identifies the protection requirements for the system through a formal risk-assessment process. This analysis builds on the initial risk assessment that was performed during the initiation phase, but is more in depth and specific.
Security functional requirements analysis: This step is an analysis of requirements and can include the following components: system security environment, such as the enterprise information security policy and enterprise security architecture, and security functional requirements.
Security assurance requirements analysis: This step is an analysis of the requirements that address the developmental activities required and the assurance evidence needed to produce the desired level of confidence that the information security will work correctly and effectively. The analysis, based on legal and functional security requirements, is used as the basis for determining how much and what kinds of assurance are required.
Cost considerations and reporting: This step determines how much of the development cost you can attribute to information security over the life cycle of the system. These costs include hardware, software, personnel, and training.
Security planning: This step ensures that you fully document any agreed upon security controls, whether they are just planned or in place. The security plan also provides a complete characterization or description of the information system and attachments of or references to key documents that support the information security program of the agency. Examples of documents that support the information security program include a configuration management plan, a contingency plan, an incident response plan, a security awareness and training plan, rules of behavior, a risk assessment, a security test and evaluation results, system interconnection agreements, security authorizations and accreditations, and a plan of action and milestones.
Security control development: This step ensures that the security controls that the respective security plans describe are designed, developed, and implemented. The security plans for information systems that are currently in operation may call for the development of additional security controls to supplement the controls that are already in place or the modification of selected controls that are deemed less than effective.
Developmental security test and evaluation: This step ensures that security controls that you develop for a new information system are working properly and are effective. Some types of security controls, primarily those controls of a nontechnical nature, cannot be tested and evaluated until the information system is deployed. These controls are typically management and operational controls.
Other planning components: This step ensures that you consider all the necessary components of the development process when you incorporate security into the network life cycle. These components include the selection of the appropriate contract type, the participation by all the necessary functional groups within an organization, the participation by the certifier and accreditor, and the development and execution of the necessary contracting plans and processes.
Implementation Phase
The implementation phase of the SDLC includes the following:
Inspection and acceptance: This step ensures that the organization validates and verifies that the functionality that the specification describes is included in the deliverables.
System integration: This step ensures that the system is integrated at the operational site where you will deploy the information system for operation. You enable the security control settings and switches in accordance with the vendor instructions and the available security implementation guidance.
Security certification: This step ensures that you effectively implement the controls through established verification techniques and procedures. This step gives organization officials confidence that the appropriate safeguards and countermeasures are in place to protect the information system of the organization. Security certification also uncovers and describes the known vulnerabilities in the information system.
Security accreditation: This step provides the necessary security authorization of an information system to process, store, or transmit information that is required. This authorization is granted by a senior organization official and is based on the verified effectiveness of security controls to some agreed upon level of assurance and an identified residual risk to agency assets or operations.
Operations and Maintenance Phase
The operations and maintenance phase of the SDLC includes the following:
Configuration management and control: This step ensures that there is adequate consideration of the potential security impacts due to specific changes to an information system or its surrounding environment. Configuration management and configuration control procedures are critical to establishing an initial baseline of hardware, software, and firmware components for the information system and subsequently controlling and maintaining an accurate inventory of any changes to the system.
Continuous monitoring: This step ensures that controls continue to be effective in their application through periodic testing and evaluation. Security control monitoring, such as verifying the continued effectiveness of those controls over time, and reporting the security status of the information system to appropriate agency officials are essential activities of a comprehensive information security program.
Disposition Phase
The disposition phase of the SDLC includes the following:
Information preservation: This step ensures that you retain information, as necessary, to conform to current legal requirements and to accommodate future technology changes that can render the retrieval method of the information obsolete.
Media sanitization: This step ensures that you delete, erase, and write over data as necessary.
Hardware and software disposal: This step ensures that you dispose of hardware and software as directed by the information system security officer.
Models and Frameworks
The five-phase approach of the SDLC gives context to the process of designing, creating, and maintaining security architectures. It is based on NIST Publication 800-64 revision 2. Other frameworks and models exist, providing similar guidance to your security architecture:
The ISO 27000 series is a comprehensive set of controls comprising best practices in information security. It is about information security, not IT security. It is also an internationally recognized information security standard, broad in scope and generic in applicability. It focuses on risk identification, assessment, and management. It is aligned with common business goals:
Ensure business continuity
Minimize business damage
Maximize return on investments
Control Objectives for Information and Related Technology (COBIT) provides good practices across a domain and process framework and presents activities in a manageable and logical structure. The good practices provided by COBIT represent the consensus of experts. These good practices are strongly focused more on control and less on execution.
These practices will help optimize IT-enabled investments, ensure service delivery, and provide a measure against which to judge when things do go wrong. COBIT is generally considered complementary to ISO/IEC 27001 and 27002.
The Information Technology Infrastructure Library (ITIL) was developed under the supervision of the Central Computer and Telecommunications Agency in the UK. ITIL is a set of eight practice guidebooks covering most aspects of IT service management. The fourth service management set is Security Management. ITIL Security Management is based on the code of practice in ISO 27002.
Network Security Posture
By assessing all aspects of the networked business environment, it is possible to determine the ability of the organization to detect, defend against, and respond to network attacks. The following are the key activities:
Security posture assessment (also known as vulnerability assessment): The first step in planning network security requires an evaluation of the network security posture of the organization. The security posture assessment provides a snapshot of the security state of the network by conducting a thorough assessment of the network devices, servers, desktops, and databases. The effectiveness of the network security is analyzed against recognized industry best practices to identify the relative strengths and weaknesses of the environment and document specific vulnerabilities that could threaten the business.
Internal assessment: With so much attention devoted to threats and incidents by hackers, administrators may overlook the security of the internal, trusted network. The internal assessment is a controlled network attack simulation that is used to gauge the exposure present on internal systems, applications, and network devices. The assessment identifies the steps that are needed to thwart intentional attacks or unintentional mistakes from trusted insiders to effectively secure valuable information assets. To go beyond automated detection of vulnerabilities, you could simulate a real intruder in a controlled, safe manner to confirm vulnerabilities manually. The assessment provides a more structured approach to identifying vulnerabilities that may go undetected.
External assessment: The goal of an external assessment is to quantify the security risk that is associated with Internet-connected systems. After researching and confirming the registration of Internet devices, assessors scan the device for external visibility. Because most services have inherent and well-known vulnerabilities, it must be determined whether the services offered are potentially vulnerable.
Wireless assessment: The wireless assessment provides an evaluation of the security posture of the wireless network within the organization and identifies risks and exposures that are associated with a wireless deployment. Assessors analyze the wireless technology architecture and configurations to identify authorized and unauthorized access points and to recommend solutions to strengthen the security of the wireless infrastructure. Assessors also check outside customer buildings to find wireless network traffic leaking from the buildings.
Security posture assessment analysis and documentation: This assessment quantifies the security posture of the organization network by using metrics and graphs. The report should also provide technical details, including analysis of each IP address, an explanation of methods that are used to compromise network devices and systems, and a description of the likelihood that an attacker will use that same approach. The report then prioritizes the vulnerabilities, recommends actions to correct the security risks, and details remediation steps that will prevent future exploitation.
Network Security Testing
Security testing provides insight into the other SDLC activities, such as risk analysis and contingency planning. You should document security testing and make the documentation available for staff involved in other IT and security-related areas. Typically, you conduct network security testing during the implementation and operational stages, after the system has been developed, installed, and integrated.
During the implementation stage, you should conduct security testing and evaluation on specific parts of the system and on the entire system as a whole. Security test and evaluation (ST&E) is an examination or analysis of the protective measures that are placed on an information system after it is fully integrated and operational. The following are the objectives of the ST&E:
Uncover design, implementation, and operational flaws that could allow the violation of the security policy
Determine the adequacy of security mechanisms, assurances, and other properties to enforce the security policy
Assess the degree of consistency between the system documentation and its implementation
Security Testing Techniques
You can use security testing results in the following ways:
As a reference point for corrective action
To define mitigation activities to address identified vulnerabilities
As a benchmark to trace the progress of an organization in meeting security requirements
To assess the implementation status of system security requirements
To conduct cost and benefit analysis for improvements to system security
To enhance other lifecycle activities, such as risk assessments, certification and authorization (C&A), and performance-improvement efforts
There are several different types of security testing. Some testing techniques are predominantly manual, and other tests are highly automated. Regardless of the type of testing, the staff that sets up and conducts the security testing should have significant security and networking knowledge, including significant expertise in the following areas: network security, firewalls, IPSs, operating systems, programming, and networking protocols, such as TCP/IP.
Many testing techniques are available, including the following:
Network scanning
Vulnerability scanning
Password cracking
Log review
Integrity checkers
Virus detection
War dialing
War driving (802.11 or wireless LAN testing)
Penetration testing
Common Testing Tools
Many testing tools are available in the modern marketplace that you can use to test the security of your systems and networks. The following list is a collection of tools that are quite popular; some of the tools are freeware, some are not:
Nmap
GFI LanGuard
Tripwire
Nessus
Metasploit
SuperScan by Foundstone, a division of McAfee
Incident Response
Risk cannot be completely eliminated in some business environments.
Earlier I mentioned that a way to deal with risk is to reduce it by investing in security measures. The concept of diminishing returns applies to those security investments. However, also notice that each additional security investment yields a lower additional risk reduction than the previous investment. In economics, this is what is called diminishing returns. Also, notice that regardless of how many resources you dedicate toward mitigating a risk, you can never reduce it to zero. There will always be residual risk. If that residual risk is unacceptable for your organization, you could consider buying insurance against it. Buying insurance against a risk would be considered transferring the risk.
One way to eliminate risk is to simply withdraw from doing business at all, an unlikely scenario. For this reason, incident response has become an important component of the secure network life cycle. The breadth and sophistication of threat vectors in information security has increased exponentially. It is, then, almost required to implement an incident response capability to streamline the incident detection capabilities, contain the impact of those incidents to minimize loss and destruction, reduce the scope of weaknesses, and restore services within the parameters of the organization.
Implementing an incident response plan effectively can be challenging because of the amount and scope of the resources needed. The first critical step is to deploy an effective intrusion detection and prevention capability. Even if the incident response plan is not in place, incident detection and prevention can provide a first line of response. However, incident response is not completely effective without framing it within an incident response plan. Assessing the current and potential business impact of incidents is critical. Other crucial factors include the implementation of effective methods of collecting, analyzing, and reporting data. Also, it is important to define the framework of communication between the teams involved (for example, technical teams, human resources, legal) and between the organization and external entities (such as other incident response teams and law enforcement).
Disaster Recovery and Business Continuity Planning
Business continuity planning and disaster recovery procedures address the continuing operations of an organization in the event of a disaster or prolonged service interruption that affects the mission of the organization. Such plans should address an emergency response phase, a recovery phase, and a return to normal operation phase. You should identify the responsibilities of personnel during an incident and the resources that are available to them.
In reality, contingency and disaster recovery plans do not address every possible scenario or assumption. Rather, they focus on the events most likely to occur and they identify an acceptable method of recovery. Periodically, you should exercise the plans and procedures to ensure that they are effective and well understood.
Business continuity planning provides a short- to medium-term framework to continue the organizational operations. The following are objectives of business continuity planning:
Moving or relocating critical business components and people to a remote location while the original location is being repaired
Using different channels of communication to deal with customers, shareholders, and partners until operations return to normal
Disaster recovery is the process of regaining access to the data, hardware, and software necessary to resume critical business operations after a natural or human-induced disaster. A disaster recovery plan should also include plans for coping with the unexpected or sudden loss of key personnel. A disaster recovery plan is part of a larger process known as business continuity planning.
Based on this article, please answer in your own words:
- What do you think should be done to improve not only the secure quality of coding that an employee might be involved in but also the deployment of that code into the "live" production environment, so as to avoid risk? A summary of 3 pages.
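The article above lists integrity checkers among the security testing techniques (Tripwire is the tool it names) and, in the operations and maintenance phase, relies on a configuration baseline against which changes are detected. The Python script below is an added example, not part of the article and not code from Tripwire or any other listed tool. It shows the mechanism such a checker uses: hash every file under a directory into a JSON baseline, then on a later run report which files were added, removed, or modified. The file names and contents created inside demo() are constructed sample data, and all function names are this example's own.

```python
"""Minimal file-integrity checker: build a hash baseline, then report drift.

Added example (not from the article or from Tripwire). Sample files and
contents in demo() are constructed for illustration.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (as a relative POSIX path) to its SHA-256."""
    baseline = {}
    for entry in sorted(root.rglob("*")):
        if entry.is_file():
            baseline[entry.relative_to(root).as_posix()] = sha256_of(entry)
    return baseline


def save_baseline(baseline: dict, path: Path) -> None:
    """Persist the baseline; in practice this copy belongs on read-only or offline media."""
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift between two snapshots as added, removed, or modified paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in baseline.keys() & current.keys()
        if baseline[name] != current[name]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Create a constructed /etc-like tree, baseline it, simulate drift, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "ssh").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "motd").write_text("welcome\n")

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulated drift after the baseline was taken (constructed changes):
        # a hardening setting weakened, a file deleted, and a new cron job dropped in.
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "motd").unlink()
        (root / "cron.d").mkdir()
        (root / "cron.d" / "backup").write_text("0 2 * * * root /usr/local/bin/backup\n")

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))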
Explanation / Answer
Security awareness is the knowledge and attitude members of an organization possess regarding the protection of the physical, and especially informational, assets of that organization. Many organizations require formal security awareness training for all workers when they join the organization and periodically thereafter, usually annually.
Topics covered in security awareness training include:
Being security aware means you understand that there is the potential for some people to deliberately or accidentally steal, damage, or misuse the data that is stored within a company's computer systems and throughout its organization. Therefore, it would be prudent to support the assets of the institution (information, physical, and personal) by trying to stop that from happening.
According to the European Network and Information Security Agency, 'Awareness of the risks and available safeguards is the first line of defence for the security of information systems and networks.'
'The focus of Security Awareness consultancy should be to achieve a long term shift in the attitude of employees towards security, whilst promoting a cultural and behavioural change within an organisation. Security policies should be viewed as key enablers for the organisation, not as a series of rules restricting the efficient working of your business.'
Security awareness training is a formal process for educating employees about computer security.
A good security awareness program should educate employees about corporate policies and procedures for working with information technology (IT). Employees should receive information about who to contact if they discover a security threat and be taught that data is a valuable corporate asset. Regular training is particularly necessary in organizations with high turnover rates and those that rely heavily on contract or temporary staff. Confirming how well the awareness program is working can be difficult. The most common metric looks for a downward trend in the number of incidents over time.
or in another way
Security awareness is a formal process for training and educating employees about IT protection. It involves:
Obviously, the first bullet point is the main component of a security awareness program, but it’s just as important that employees are held accountable and steps are taken to gauge the effectiveness of an organization’s security measures.
Before we begin describing the various types of security awareness, let’s take a look at the history that has brought us to this current point.
A Brief History of Security Awareness
The history of cyber security goes back almost as far as the Internet itself. Indeed, from the very beginning of the World Wide Web becoming a mainstream resource, criminals have been using it to their advantage.
One of the very first examples of this particular type of crime occurred in the early 1980s. A group known as the 414s (named after their Milwaukee area code) was arrested for breaking into roughly 60 different computers. These included devices in the Memorial Sloan-Kettering Cancer Center all the way up to ones located in the Los Alamos National Laboratory.
The government was quick to respond to this new threat. Laws like the Computer Fraud and Abuse Act were passed in order to prevent and punish attempts by these malicious parties. The Computer Emergency Response Team was also formed in an effort to investigate the growing number of hacks and potential methods of protection.
The decade would end with the first recognized version of a worm. Robert Morris was the hacker behind the attack and, even in the beginning, these self-propagating viruses were capable of massive amounts of destruction. In fact, it shut down almost the entire World Wide Web at the time. Morris’ virus was also the first version of a widespread DoS (Denial of Service) attack.
This and subsequent attacks are of interest because they were the impetus for much of what we think of as cyber security today. CERTs (computer emergency response teams) were created as a result. With this attack, companies began realizing how vulnerable they truly were. An adage we now hear all the time in the cyber security community, “Prevention is better than a cure,” was coined around this time.
Through much of the 1990s, hackers continued their assaults, though most of the victims were government agencies and huge multinational corporations. After all, the Internet wasn’t a widespread tool at this point.
One of the first examples of hacking that affected the mainstream public took place in 1997. The search engine, Yahoo!, was the target. Hackers claimed that a “logic bomb” would be detonated on any PC using Yahoo! on Christmas Day if famous hacker Kevin Mitnick wasn’t released from prison.
The claim was a bluff.
Another example occurred in 1998; the Bureau of Labor Statistics became the victim of one of the first versions of spamming when it received hundreds of thousands of information requests.
As a result of these and other cyber attacks, the U.S. Justice Department introduced the National Infrastructure Protection Center. Its mission was to safeguard the country’s telecommunications, transportation and technology systems from hackers.
The Rise of Modern Hacking
It was really in the early to late 2000s that hacking evolved into the widespread problem that we know today. Again, much of this goes back to the proportional increase in targets (e.g., more and more people using the Internet).
At the same time, hacking was becoming much simpler. Gone were the days when the only people who were able to execute these attacks had technical skills equal to or better than the foremost programmers in the world.
There was also a proliferation of information about how to hack. Someone who had never even attempted a cyber attack could become a real threat in under a month.
In 2005, a hacker named Albert Gonzalez used his abilities to create a criminal ring of hackers – digital organized crime, if you will – to steal the information from more than 45 million payment cards issued by TJX, a U.S. retailer that owns TJ Maxx and the UK version, TK Maxx.
Before being caught and sentenced to 20 years in prison, Gonzalez’s squad would be responsible for $265 million in damage.
Aside from the obvious scope of the crime, this incident is remarkable because of the effect it had on businesses. The nature of the stolen data was regulated, so each incident required that the authorities be notified. Furthermore, these companies needed to set aside money to compensate the victims.
This was a landmark example because it immediately became clear to the business world that hacking was far, far more than just some nuisance.
Modern-Day Security Awareness
As you’re probably well aware, cyber attacks have not slowed down. In 2013, the breach of Target’s security measures was another shocking reminder to the world of just how vulnerable even the largest corporations were. Some 40 million customers spent the days following Thanksgiving checking their accounts to see if they had money stolen.
The other reason the Target attack is being brought up here is because the level of sophistication used is another milestone in the history of cyber security. As opposed to the direct attack on TJX, the criminals who succeeded with Target knew the importance of a direct approach.
They chose a third-party company that supplied Target with heating and ventilation solutions.
The hackers also realized there was a precise moment when they’d have to strike. Credit card numbers were present and unencrypted in the memory of the system for just a short time.
Again, this also showed the business world that the fallout from such an attack would send ripples in every direction. Cyber security is now a board-level concern as, in the wake of the theft, the CEO of Target actually stepped down.
Types of Security Awareness
With the above in mind, it should be very clear that companies must take security awareness seriously. There is, of course, a place for digital security and the professionals who are able to install and run it.
However, more and more, hackers are succeeding because of phishing attacks and similar versions that rely on companies’ employees to open the door for them.
The Top-down Approach
One very important feature of security awareness is that it can’t simply be the duty of the employees to learn the measures they need to take and apply them. That’s important and we’ll cover that in more detail in a moment, but it should be obvious that a top-down approach is required.
Again, the Target attack made this abundantly clear when the company’s CEO actually fell on his sword as a result of the breach.
For one thing, anyone from a manager up to an executive is going to be an easy target if they are not aware of the potential for attacks and how they can be successful.
This knowledge, though, must also carry over to ensuring that each and every employee is also aware and also capable of keeping the company safe.
Budgeting for Security Awareness
One good indication of whether or not a company is taking security awareness seriously can be found in their budget. How are they treating security awareness as a priority? How does it measure up to other ways funds are allocated?
If your company’s idea of security awareness consists of an email every now and then to remind people of the possibility of an attack, you have to expect that you’ll soon be a victim.
To be clear, security awareness is just one piece of a viable protection plan. Other pieces would include:
Creating a security policy
Assessing your company’s vulnerabilities
Investing in security technology
However, nothing is more important than security awareness. Companies should be spending as much on this investment as they do on the software and other forms of security tech. None of that will be remotely helpful if your people are easy targets for phishing attacks.
An Organizational Structure Dedicated to Security Awareness
This type of security awareness is vital because it affects everyone in the company. Much like the top-down approach, having an organizational structure built around security will make everyone’s job simpler.
If at all possible, you should have a team of people who are responsible for implementing your security awareness program. At the very least, an individual at your organization must take this job.
Otherwise, security awareness becomes a chore that gets passed around, but no one takes it seriously. The team or person responsible for ensuring that the opposite happens must have the full support of the executive team.
Create a Plan and Related Documentation
The plan for every company is going to be a little different, but this is an important type of security awareness that deserves some attention here. Features of your plan should include some version of the following:
Again, these will differ slightly by company, but some version should be present. You can’t afford to make the mistake of thinking that your organization somehow won’t be affected by cyber criminals.
Using Different Forms of Media to Reinforce the Message
We’ve touched on reminder emails about security awareness a couple of times. That’s not to say that emails are a bad thing. They’re perfectly fine and everyone needs a reminder from time to time.
That being said, you should use multiple forms of media to make sure your company’s messages about security awareness never go ignored.
For example, your calendar of events should involve a security expert at your company getting up in front of people and explaining important topics. Videos can be sent out over email, as well. Tests can be used. Physical reminders around the office may work. The list goes on and on, but the point is not to become complacent about how you deliver the messages about security awareness.
Highlight Recent Attacks in the News
This is an extremely important form of security awareness. However, make sure you’re highlighting all kinds of attacks, not just the ones that make national news. The goal with this approach is to show your employees how prevalent these attacks are, how easily one could succeed with your company, and what the fallout entails.
For this reason, don’t simply highlight the stories that make national news. It’s all too easy for an employee to think, “Yeah, but we’re not Target. No one would bother with us.”
Find the stories about companies your size and/or in your industry. Sadly, it doesn’t look like there is going to be any lack of these incidents going forward.
Seek the Services of a Professional
If you have absolutely no security awareness measures in place at the moment, it’s worth thinking about taking on the services of a professional. They’ll help you get up and running and make sure you quickly make up for lost time.
Even if you have invested in a security awareness policy and other measures, it’s still not a bad idea to bring on an independent consultant from time to time to see if there are areas where you can improve.