(Cartoon: “She looks trustworthy” / “I’m gonna steal your toys”)

The difference between the “Reality” and “Feeling” of Security
Human Perception and its influence on Information Security
The 3 pieces that make up information security

  • Technology (Firewall)
  • People
  • Process
  with Information at the centre of all three

Technology and processes are only as good as the people that use them
Focus of the talk

  • The Human Factor in Information Security
  • The difference between “Awareness and Competence”
  • The power of perception
  • Solution Model + Examples
Awareness

I know the traffic rules….

Competence?

Does it guarantee that I am a good driver?

….even in Information Security!!!!

  Security Policy: “Never share passwords”
  Overheard: “Don’t tell anyone, my password is…..”
Awareness >> Behaviour >> Culture

  • Awareness: “I know”
  • Behaviour (Competence): “I do”
  • Culture: “We know and do”

Aim for a responsible security culture
What do organizations need?

A system that periodically shows the current Security Awareness and Competence Levels:

  Awareness score is 87%   (scale: LOW AWARENESS | MEDIUM AWARENESS | HIGH AWARENESS)
  Competence score is 65%  (scale: LOW COMPETENCE | MEDIUM COMPETENCE | HIGH COMPETENCE)

A smart attacker will always try to influence the perception of the employee
The power of perception

Why do people make security mistakes?

Imagine…

APJ Abdul Kalam walks into this room right now and offers you this glass of water….

Now, imagine this…

This man walks into this room right now and offers you this glass of water….

Question

Which water did you accept? Why?

Analysis

Were you checking the water or the person serving the water?

People decide what is good and what is bad based on “trust”.
Perception is influenced by Trust.
How do people make security decisions?

Influence of perception

Analysis

Of these two, which terrifies you the most?

More people die of heart attacks than by getting eaten by sharks.
You may feel safe when you are actually not.

Analysis

Of these two, which terrifies you the most?

Adrenoleukodystrophy

More kids die choking on french fries than due to Adrenoleukodystrophy.
People exaggerate risks that are uncommon.

I hope now it is clear that we must address the human factor….

Let us summarize…
Reason 1: Security is both a “Reality” and a “Feeling”

For security practitioners, security is a “Reality” based on the mathematical probability of risks.

For the end user, security is a “feeling”.

Success lies in influencing the “feeling” of security.
RSA Attack

The Incident

In March 2011, RSA, one of the foremost security companies in the world, disclosed that cyber-attacks had penetrated its internal networks and extracted information from its systems.

The consequences were
  • Financial Loss
  • Reputational Loss

Attack

An employee clicked on the attachment of the mail.

The embedded component exploited the vulnerability.

Analysis: Why did the attack happen?

You may wonder…

RSA must have had best-in-class firewalls, anti-viruses and other security systems. So, how did this attack happen?

Failed to address the Human Factor
Reason 2: Technology…yes, but humans…of course!

Aircraft have become more advanced, but does it mean that pilot training requirements have reduced?

Medical technology has become more advanced, but will you choose a hospital for its machines or for the doctors?
The Solution Model

Security Awareness and Competence Management

The solution is based on HIMIS

  • HIMIS – Human Impact Management for Information Security
  • Released under Creative Commons License
  • Free for Non-Commercial Use

http://www.isqworld.com/himis

HIMIS Implementation Model

  Define >> Strategize >> Deliver >> Verify

  Goal: Responsible Information Security Behavior
Define

  • Choose the ESPs (Expected Security Practices)
  • Review and approval of ESPs
Strategize

  For awareness management
     • Coverage
     • Format & visibility: Verbal, Paper and Electronic
     • Frequency
     • Quality of content
     • Retention measurement (surveys, quizzes)

  For behavior management
     • Motivational strategies
     • Enforcement / disciplinary strategies
Deliver

  • Define tolerable deviation
  • Efficiency
  • Collection of feedback
  • Confirmation of receipt

Verify

  • Audit strategy
  • Selection of ESPs
  • Define sample size
  • Audit methods
      For awareness: Interviews, Surveys, Quizzes
      For behavior: Observation, Review of incident reports, Social engineering?
Examples

  • Deploy false emails seeking information
  • Tailgating into the facility
  • Placing media labeled with ‘confidential information’ in cafeteria or other places
Reporting model

  Organization’s awareness score was 87%   (scale: LOW AWARENESS | MEDIUM AWARENESS | HIGH AWARENESS)
  Organization’s competence score was 65%  (scale: LOW COMPETENCE | MEDIUM COMPETENCE | HIGH COMPETENCE)
HIMIS Focus

1. Differentiate between Awareness Vs. Competence

Consider both “Awareness” and “Competence” independently: for each ESP, assess, improve and re-assess Awareness and Behaviour (Competence) as two separate measures.

ESP – Expected Security Practice
2. Visualize ….and influence perception

3. Scenario based training (Make people solve challenges)

Example

Video (PLAY)

4. Remember drip irrigation

Which is more effective – Drip irrigation or spraying a lot of water once a day?

Small doses, more frequent
5. Re-measure frequently

  Organization’s awareness score was 87%   (scale: LOW AWARENESS | MEDIUM AWARENESS | HIGH AWARENESS)   re-measured score: ?
  Organization’s competence score was 65%  (scale: LOW COMPETENCE | MEDIUM COMPETENCE | HIGH COMPETENCE)  re-measured score: ?
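As an added example (not part of the deck and not HIMIS's own tooling), here is a small Python scorer for the reporting model above and for step 5's re-measurement: per-ESP quiz results feed the awareness score, observations and incident reviews feed the competence score, the two are banded independently and the gap between them is checked against a tolerable deviation across measurement rounds. The band cut-offs, the deviation figure, the ESP names and all counts are assumptions constructed for the example; round Q1 is built to reproduce the deck's 87% / 65% figures.

```python
"""Added example, not from the deck or from HIMIS: a scorer for the deck's
awareness/competence reporting model, re-measured across rounds.
Awareness is scored from per-ESP quiz answers, competence (behaviour) from
per-ESP observations and incident reviews; the two are kept independent,
banded LOW/MEDIUM/HIGH, and compared against a tolerable deviation.
Band cut-offs, the deviation figure and the sample data are assumptions."""
from dataclasses import dataclass

# Assumed band cut-offs: the deck shows the three bands but gives no thresholds.
BANDS = ((70.0, "HIGH"), (40.0, "MEDIUM"), (0.0, "LOW"))
# Assumed "tolerable deviation" (Deliver step): how far awareness may run ahead
# of competence before the "know but don't do" gap is flagged.
TOLERABLE_DEVIATION = 10.0


def pct(num: int, den: int) -> float:
    return 0.0 if den == 0 else 100.0 * num / den


@dataclass
class EspResult:
    """Measurements for one Expected Security Practice (ESP) in one round."""
    esp: str
    quiz_correct: int        # awareness: correct quiz/survey answers
    quiz_total: int
    observed_compliant: int  # competence: compliant observations / no incidents
    observed_total: int

    def awareness(self) -> float:
        return pct(self.quiz_correct, self.quiz_total)

    def competence(self) -> float:
        return pct(self.observed_compliant, self.observed_total)


def band(score: float) -> str:
    """Map a 0-100 score onto the deck's LOW / MEDIUM / HIGH scale."""
    for threshold, name in BANDS:
        if score >= threshold:
            return name
    return "LOW"


def score_round(results: list[EspResult]) -> tuple[float, float]:
    """Organization-wide (awareness %, competence %) for one measurement round.
    Each ESP is weighted by its sample size rather than averaged per ESP."""
    aw = pct(sum(r.quiz_correct for r in results), sum(r.quiz_total for r in results))
    co = pct(sum(r.observed_compliant for r in results), sum(r.observed_total for r in results))
    return round(aw, 1), round(co, 1)


def report(rounds: list[tuple[str, list[EspResult]]]) -> list[dict]:
    """Build the periodic report: scores, bands, gap flag and deltas per round."""
    out, prev = [], None
    for label, results in rounds:
        aw, co = score_round(results)
        out.append({
            "round": label,
            "awareness": aw, "awareness_band": band(aw),
            "competence": co, "competence_band": band(co),
            # awareness ahead of behaviour by more than the tolerable deviation
            "beyond_tolerable_deviation": (aw - co) > TOLERABLE_DEVIATION,
            "delta_awareness": None if prev is None else round(aw - prev[0], 1),
            "delta_competence": None if prev is None else round(co - prev[1], 1),
        })
        prev = (aw, co)
    return out


def weakest_esps(results: list[EspResult], n: int = 1) -> list[str]:
    """ESPs with the largest awareness-minus-competence gap: where people
    'know' but do not 'do', and where the next training dose should go."""
    gaps = sorted(((r.awareness() - r.competence(), r.esp) for r in results), reverse=True)
    return [esp for _, esp in gaps[:n]]


# Constructed sample data. Round Q1 reproduces the deck's 87% / 65% figures.
ROUND_Q1 = [
    EspResult("Never share passwords", 26, 30, 28, 40),
    EspResult("Lock screen when away", 36, 40, 17, 30),
    EspResult("Report suspicious mail", 25, 30, 20, 30),
]
# Round Q2, after a quarter of small, frequent training doses (constructed).
ROUND_Q2 = [
    EspResult("Never share passwords", 27, 30, 33, 40),
    EspResult("Lock screen when away", 37, 40, 25, 30),
    EspResult("Report suspicious mail", 27, 30, 24, 30),
]

if __name__ == "__main__":
    for row in report([("Q1", ROUND_Q1), ("Q2", ROUND_Q2)]):
        print(row)
    print("focus next on:", weakest_esps(ROUND_Q1))
```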
Summary

“A smart user in front of the computer is a good security control and is not that expensive.”

Let’s switch ON the Human Layer of Information Security Defence

Thank You

http://www.isqworld.com/himis

The Difference Between the Reality and Feeling of Security by Thomas Kurian