Awareness is the Key to Security
June 20, 2003

Krizi Trivisani, Chief Security Officer
Amy Hennings, Systems Security Engineer
Guy Jones, Chief Technology Officer

Copyright Krizi Trivisani, Amy Hennings 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Agenda
• Security Implementation Reliance
• What is security awareness?
• Why is awareness important?
• The Security Landscape – The Violation Situation
• GW’s Awareness Program
• Cultural Impacts of Security Programs
• Questions

Security Implementation Relies On:
• Policies must be developed, communicated, maintained and enforced
• Processes must be developed that show how policies will be implemented
• Systems must be built to technically adhere to policy
• People must understand their responsibilities regarding policy
[Diagram: the three pillars Process, Technology and People]

What is Security Awareness?
Security awareness is knowledge of potential threats. It is the advantage of knowing what types of security issues and incidents members of our organization may face in the day-to-day routine of their University functions. Technology alone cannot provide adequate information security. People, awareness and personal responsibility are critical to the success of any information security program.

Why is Awareness Important?
Poor Awareness Exposed…
“It’s a frightening fact, but nine out of ten employees would unwittingly open or execute a dangerous virus-carrying email attachment”
“Two-thirds of security managers felt that the overall level of security awareness is either inadequate or dangerously inadequate”
“Nine out of ten employees revealed their password on request in exchange for a free pen”
These things don’t happen as a result of malicious intent, but rather a lack of awareness of security risks.

Top Ten Most Common Security Mistakes…
1. Passwords on Post-it Notes
2. Leaving your computer on, unattended
3. Opening e-mail attachments from strangers
4. Poor password etiquette
5. Laptops on the loose
6. Blabber mouths
7. Plug and play without protection
8. Not reporting security violations
9. Always behind the times (the patch procrastinator)
10. Not knowing internal threats

The Security Landscape – The Violation Situation 2001
Total Violations went from 354 to 5526 – an increase of 1,560%
[Chart: Security Metrics Comparison 2001, Total Violations by Month; x-axis: Month (January through December); y-axis: Number of Violations (0 to 10000); series: Total Minor Violations, Total Severe Violations]

The Security Landscape – The Violation Situation 2002
Average number of violations per month in 2002 is 7197
[Chart: Security Metrics Comparison 2002, Total Violations by Month; x-axis: Month (November, December, January '02 through November '02); y-axis: Number of Violations (0 to 8000); series: Total Minor Violations, Total Severe Violations]

The Security Landscape – The Violation Situation 2003
Average number of violations (so far!) per month in 2003 is 9438
[Chart: Security Metrics Comparison, Total Violations by Month; x-axis: Month (May '02 through May '03); y-axis: Number of Violations (0 to 14000); series: Total Minor Violations, Total Severe Violations]

The Violation Situation Continued
Email Viruses Filtered: 22,271 in December of 2001 increased to 97,660 in May of 2003
[Chart: Virus Filter Monthly Comparison, trend of Month and Total Viruses; x-axis: Month (June '02 through May '03); y-axis: Number of Violations (0 to 200,000)]

GW’s Security Awareness Program
www.gwu.edu/~infosec
Features:
• Hourly feed from CERT with the most up to date security alerts
• Links to policies, GW sites, and external security sites
• A security glossary
• Information on:
  – What is Information Security?
  – The Information Security Office
  – Reporting Security Incidents
  – Risk Assessment
  – Security Awareness
**Please note that our security web pages are only available to our on campus users

GW’s Security Awareness Program - Materials
Program materials
• Monthly posters focusing on a specific awareness topic
• Monthly article in GW Technology Today
• Brochures available for:
  – New students (Colonial Inauguration)
  – New employees (Orientation)
  – Training programs
• Free security screen saver
• Online security tutorial – S.T.A.R.T.
• Sample password tester
• Animated security awareness banners
• In Pilot – “Protect IT” Security Awareness Workshop
• Next phase – Online quizzes

GW’s Security Awareness Program - Materials
Online materials - www.gwu.edu/~infosec
• Free security screen saver
• Online security tutorial – S.T.A.R.T.
• Sample password tester
• Animated security awareness banners
• Electronic version of monthly awareness posters

AWARENESS IS THE KEY TO SECURITY.
Awareness Requires a Change in Culture
Analogy - Seatbelts
"Culture does not change because we desire to change it. Culture changes when the organization is transformed; the culture reflects the realities of people working together every day."
— Frances Hesselbein
“It should be noted that it took many years to get the seatbelt usage up to its present level, and it takes a heavy hand from the police to persuade the stupid to do the obvious.”
— Peter N. Wadham

Key to Cultural Transformation
"Out at sea it takes 30 miles for an oil tanker to reverse its direction. It takes time and commitment to change, based on foundational values, principles and quality relationships to positively affect your company's culture -- its way of doing things."
— The Freeman Institute, Changing the Culture of Your Organization

Awareness is the Key to Security
As a student, faculty, staff or contractor of The George Washington University, it is your responsibility to help in the protection and proper use of our information and technology resources. WE ARE COUNTING ON YOU!

Questions and Presentation Wrap-up
• Recommended information sources
  • http://www.securityawareness.com/
  • http://www.humanfirewall.org/
  • http://cs-www.ncsl.nist.gov/
  • http://www.educause.edu/security/
  • http://www.nipc.gov/

Special Thanks to Security Awareness Incorporated!!!