How To Train Required Security Awareness Training - Utah

Transcription

How to Train Required Security Awareness Training, 2018 TAC Conference

Outline
- Why is training required
- Notes from the State Information Security Officer
- Facts about Security Awareness
- Levels: who fits in each, what needs to be covered
- Tracking training
- Different approaches to training
- How to make training more effective

Why is Security Awareness Training (SAT) required?

Why SAT? To prevent and limit potential exposure to unintentional and intentional threats against the system.
- Natural threats: disasters that could endanger the facility or equipment (fire, flood, lightning)
- Unintentional threats: actions that occur due to lack of knowledge or through carelessness; can be prevented through awareness and training
- Intentional threats: designed to deliberately harm or manipulate information systems, software or data

What about other Security Awareness Trainings? HIPAA; agency-required SAT

Other Security Awareness Trainings
- Other trainings may be used to cover some topics
- But the training should focus on Security Awareness as it relates to CJIS data. Examples: proper handling and marking of CJIS data; encryption of CJIS data; incident response when CJIS data could have been compromised

What is CJIS Data? Any information provided by BCI via UCJIS to criminal justice agencies necessary for the administration of criminal justice. This data includes, but is not limited to: biometric, biographic, property, case/incident, motor vehicle, driver license, warrant, protective order, and criminal history record information.

Security Awareness Fact #1 What is the most expensive computer virus in history?

Levels of Security Awareness Training

Level One

Who: All personnel with unescorted access to a secured location (janitors, repairmen). In BCI language: non-users.

What Needs to be Trained
- Responsibilities and expected behavior in regards to UCJIS information
- Implications of noncompliance
- Visitor control
- Physical access to spaces
- Incident response

How? The Non-User Security Agreement covers:
- Responsibilities and expected behavior
- Implications of noncompliance
- Visitor control and access to the secure location
- What to do if there is an incident

What Types of Security Incidents Need to be Reported to the State Information Security Officer?

Reportable Incidents
- Server containing CJIS data was hacked
- Denial of service
- Root/administrator compromise
- Virus infections where it is shown that CJIS data could have been compromised
- Unauthorized changes to hardware or software
- CJIS data leaked outside of a controlled area when proper handling procedures were not followed (e.g. sending CJIS data unencrypted via email)
- Unauthorized access of CJIS data
- Anything that could have or has compromised CJIS data in any fashion

Reporting Incidents: Criminal Justice Agency -> State ISO (Garry Gregson, ggregson@Utah.gov, 801 201-0922) -> CJIS

Level Two

Who: All personnel with access to CJIS data (without a login). In BCI language: non-access users.

What Needs to be Trained
- All of level 1
- Protect information subject to confidentiality concerns
- Proper handling of CJIS data: dissemination, destruction, media protection
- Threats, vulnerabilities, and risks associated with handling of CJIS data
- Social engineering

Level Three

Who: All authorized personnel with both physical and logical access to CJIS data.
- Physical: any kind of unescorted access within the secure perimeter of the agency, to wiring or equipment that accesses, processes, transmits or prints unencrypted CJIS data
- Logical: credentialed access (i.e. UserID and password) to a computer, network, application or any other device or system that accesses, transmits or prints unencrypted CJIS data from outside the perimeter of the physically secure area of the entity

Who: In BCI language, users.

What Needs to be Trained?
- All of level 1 and 2
- General rules that outline the responsibilities and behavior related to usage of information systems
- Creation, usage and management of passwords
- Web usage: monitoring of user activity and prohibited sites
- Spam
- Specifics related to unknown attachments/emails
- Physical security: risks related to systems and data
- Protection that needs to be made with respect to Trojans, viruses, malicious code and malware
- Use of encryption techniques for transferring sensitive information over the Internet
- Issues related to access control
- Both information-related and physical security with respect to laptops and their usage
- Issues associated with handheld devices and desktops as well
- Individual accountability, including an explanation of what it means to the agency
- Specifics about whether personally owned equipment is allowed by the agency or the state
- Specifics related to information security and confidential items: their usage, backup, archiving or destruction after the need is over

Level Four

Who: Personnel with an IT role.

What Needs to be Trained
- All of level 1, 2, and 3
- Measures taken for the protection of network infrastructure
- Access control measures
- Backup and storage of data, and whether the approach is centralized or decentralized
- Protection of the system and information from Trojans, worms, and viruses, including scanning and updating of virus definitions
- As part of configuration management, application and system patches need to be applied

What level of Security Awareness should be given? (decision chart)
- Does this person require unescorted access to your CJIS Secure Facility? Background cleared?
- Login access to any database containing CJIS data?
  - No: Authorized access to CJIS data? No -> CJIS Security Awareness Level 1. Yes -> CJIS Security Awareness Level 2.
  - Yes: the person must be ADD-ed in UCJIS, have fingerprints submitted to BCI, and sign the Security Agreement with appropriate training.
- Access to servers accessing, storing or transmitting CJIS data? No -> CJIS Security Awareness Level 3. Yes -> CJIS Security Awareness Level 4.

Security Awareness Fact #2: How long would it take to crack your password?

Password criteria (8 characters)              Possible combinations    Average computer   Supercomputer
Lowercase alphabet                                  208,827,064,576    2 days             1.8 seconds
Upper and lowercase alphabet                     53,459,728,531,456    1.44 years         7.6 minutes
Upper and lowercase alphanumeric                218,340,105,584,896    5.88 years         31 minutes
Full set of allowed printable characters        645,753,531,245,761    45.2 years         4 hours
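The table above is arithmetic: a keyspace of alphabet_size^length candidates, divided by how many guesses per second an attacker can try. The following is an added worked example (not code from the 2018 TAC Conference deck) that rebuilds the table from those two inputs. The two guess rates are assumptions back-solved from the deck's own first row (26^8 guesses in about 2 days on an average computer and 1.8 seconds on a supercomputer), not measured figures. The last row of the deck prints 645,753,531,245,761 combinations, which is exactly 71^8, yet its 45.2-year and 4-hour timings correspond to roughly 80^8 candidates at those rates; the code computes from the symbol count, so its last row comes out shorter (about 17 years and 1.5 hours). It also goes one step beyond the table to compare a longer lowercase-only password against a shorter one from the full symbol set.

```python
"""Keyspace and exhaustive-search time for fixed-length passwords.

Added worked example for the Security Awareness Fact #2 table; it is not
code from the 2018 TAC Conference deck. The two guess rates are assumptions
back-solved from the deck's own rows (26^8 guesses in about 2 days on an
average computer and 1.8 seconds on a supercomputer), not measurements.
"""

# Alphabet sizes behind the deck's rows. The last row, 645,753,531,245,761,
# is exactly 71**8, so the deck's "full set of allowed printable characters"
# counts 71 symbols (an assumption: 62 alphanumerics plus 9 specials).
CHARSETS = {
    "lowercase alphabet": 26,
    "upper and lowercase alphabet": 52,
    "upper and lowercase alphanumeric": 62,
    "full set of allowed printable characters": 71,
}

# Assumed sustained guess rates, in guesses per second.
AVERAGE_COMPUTER = 1.17e6
SUPERCOMPUTER = 1.16e11

SECONDS_PER_YEAR = 365.25 * 86400


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Worst case for brute force: every candidate tried once at `rate`/s.
    On average the right password turns up after half the keyspace."""
    return keyspace(alphabet_size, length) / rate


def humanize(seconds: float) -> str:
    """Round a duration to the unit the deck used (seconds .. years)."""
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.2f} years"


def crack_table(length: int = 8):
    """Rebuild the deck's table: (charset, combinations, avg time, super time)."""
    rows = []
    for name, size in CHARSETS.items():
        rows.append((
            name,
            keyspace(size, length),
            humanize(seconds_to_exhaust(size, length, AVERAGE_COMPUTER)),
            humanize(seconds_to_exhaust(size, length, SUPERCOMPUTER)),
        ))
    return rows


def length_beats_charset(short_len: int, wide_alphabet: int,
                         long_len: int, narrow_alphabet: int) -> float:
    """How many times larger the long/narrow keyspace is than the short/wide
    one. Adding characters outgrows adding symbol classes."""
    return keyspace(narrow_alphabet, long_len) / keyspace(wide_alphabet, short_len)


if __name__ == "__main__":
    for name, combos, avg, fast in crack_table():
        print(f"{name:<42} {combos:>24,}  {avg:>12}  {fast:>12}")
    # 12 lowercase letters versus 8 characters drawn from a 71-symbol set
    print(f"26^12 / 71^8 = {length_beats_charset(8, 71, 12, 26):,.0f}x")
```

The numbers are for exhaustive search with no salting, throttling or lockout in the way; a real attacker starts with dictionaries and leaked password lists, so a short password made of dictionary words falls far sooner than its keyspace suggests, while a long passphrase of lowercase words outgrows an eight-character "complex" password by more than a hundredfold.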

Tracking of SAT

Tracking: "Records of individual basic security awareness training and specific information system security training shall be documented, kept current, and maintained" (CJIS Security Policy 5.2.2)

Tracking: How?
- Use CERT
- Spreadsheet
- Read receipt
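Whichever of the three you use, the record must answer two questions for every person: which awareness level applies, and when the biennial retraining falls due. The following is an added example (not BCI's or the presenter's tool) that encodes the level decision chart from the previous section as a function and applies the 24-month interval from the deck to a constructed roster; the 60-day reminder window is an assumption, as are the names and dates.

```python
"""Assign a CJIS Security Awareness level and track biennial training.

Added example serving the level decision chart and the "Tracking of SAT"
slides; it is not BCI's or the presenter's tool and the roster below is
constructed. The 24-month interval follows the deck's "biennial" / "24
months" wording; the 60-day reminder window is an assumption.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TRAINING_INTERVAL = timedelta(days=730)   # biennial (CJIS Security Policy 5.2)
WARN_WINDOW = timedelta(days=60)          # assumed reminder lead time


@dataclass
class Person:
    name: str
    unescorted_access: bool        # unescorted access inside the secure location
    authorized_data_access: bool   # handles CJIS data (printouts, screens, files)
    login_access: bool             # credentialed access to UCJIS / CJIS databases
    server_access: bool            # IT role: servers storing/transmitting CJIS data
    last_trained: Optional[date]   # None = no record on file


def awareness_level(p: Person) -> int:
    """Map the deck's four populations to levels 1-4 (0 = no level applies).
    Levels are cumulative: level N must also cover levels 1..N-1."""
    if p.server_access:
        return 4   # personnel with an IT role
    if p.login_access:
        return 3   # users: physical and logical access
    if p.authorized_data_access:
        return 2   # non-access users: CJIS data without a login
    if p.unescorted_access:
        return 1   # non-users: janitors, repairmen
    return 0


def training_status(p: Person, today: date):
    """Return (status, due_date) for the biennial requirement."""
    if p.last_trained is None:
        return ("NEVER TRAINED", None)
    due = p.last_trained + TRAINING_INTERVAL
    if today > due:
        return ("OVERDUE", due)
    if today + WARN_WINDOW >= due:
        return ("DUE SOON", due)
    return ("CURRENT", due)


def report(roster, today: date):
    """One row per person, most urgent first; this is the record that
    CJIS Security Policy 5.2.2 expects you to keep current."""
    order = {"NEVER TRAINED": 0, "OVERDUE": 1, "DUE SOON": 2, "CURRENT": 3}
    rows = []
    for p in roster:
        status, due = training_status(p, today)
        rows.append({"name": p.name, "level": awareness_level(p),
                     "status": status, "due": due})
    rows.sort(key=lambda r: (order[r["status"]], r["name"]))
    return rows


# Constructed sample roster (not real personnel).
ROSTER = [
    Person("Pat (janitor)", True, False, False, False, date(2016, 3, 1)),
    Person("Lee (records clerk)", True, True, False, False, date(2017, 8, 1)),
    Person("Sam (dispatcher)", True, True, True, False, date(2016, 10, 1)),
    Person("Jo (sysadmin)", True, True, True, True, None),
]

if __name__ == "__main__":
    for r in report(ROSTER, date(2018, 9, 15)):
        print(f"{r['name']:<22} level {r['level']}  {r['status']:<14} {r['due']}")
```

Run it as a script to print the roster sorted with the untrained and overdue people first; the same functions can be pointed at a spreadsheet export if that is where the agency keeps its records.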

Security Awareness Fact #3: In 2016, 95% of breached records came from what three industries? Government, retail, technology.

How to Train SAT

How to Train?
- Biennial training with user: User Training and Testing Agreement
- TAC could require review of BCI's Security Awareness PowerPoint

How to Train? Self review
- Provide BCI presentation
- Create a one-sheet

How to Train? Group review, all at once
- Special time frame to focus on Security Awareness: Security Awareness Month, Security Awareness Week, 12 days of Security Awareness

On the twelfth day of security awareness training, my TAC reminded me:
- Not to trust unknown emails and attachments
- The consequences of misuse
- To change my password regularly
- Keep my training current
- Protect the information
- My fingers are in Rap Back
- Only access data for the administration of criminal justice
- Destroy or sanitize media
- Keep things secure
- Report security incidents
- Don't ignore computer updates

How to Train? Group review, all at once
- Biennial in-service with agency: already mandatory and in place; get yourself on the roster

How to Train? Group review, continual training
- Staff meetings: regularly occurring; small, single-factor thought
- For users, 27 points must be covered in 24 months

Encryption: What needs to be encrypted? Anything containing any CJIS data. How do you encrypt?

How to Train? Group review, continual training
- Newsletters/training email. Don't have one? Start one.

Making SAT More Effective

Tip for Making SAT More Effective: Enlist support from the top. If the boss says it has to be done, it will likely be done.

Tip for Making SAT More Effective: Choose the right method.
- How much time do you have?
- Will you be doing this alone?
- What has/hasn't worked in the past?

Tip for Making SAT More Effective: Use real-life social engineering examples.
- Partner with your IT: are there any scam, phishing or hacking examples from our agency?
- Find local examples: Google news stories in your area about ongoing or recent incidents
- Find agency-related examples (other PDs, courts, government bodies)

Tip for Making SAT More Effective: Engage your audience.
- Ask the audience questions: How many of you use the same password for multiple accounts? How many of you have received a scam email?
- Ask for examples

Security Awareness Fact #4

Tip for Making SAT More Effective: Engage your audience. Have them think like a hacker.
- Google your agency: see what information is accessible and viewable about your agency
- Are your contracts public?
- Are your building floor plans available online?

Tip for Making SAT More Effective: Engage your audience. Review your agency's social media presence.
- What do the pictures posted tell about your agency? Entry credentials? Technology used? Work schedules?

[Photo annotations: camera placement, operating system version, phone system information, desktop/laptop hardware]

Security Awareness Fact #5: What is the primary risk factor for successful cyberattacks? Human error. 95% of successful cyberattacks are the result of a phishing scam. Successful awareness training can reduce risk by up to 70%.

How does your agency approach Security Awareness Training?

Security awareness training tries to limit exposure of our system and our data to threats. These threats can be natural threats, unintentional or intentional. Natural threats are things that we don't have a lot of control over but could damage a facility or equipment housing CJIS data.