Some Thoughts on User Awareness Training

Users getting trained.

Brian Krebs published an article about a tech firm losing $46 million in a technology-based heist.  The heist used forged communications from senior executives to complete financial transactions.  This got me thinking about user awareness training and how we’re doing it and how we might do it better.

If I had to guess, I’d wager that many organizations focus their user awareness training on services like PhishMe.  These services allow you to conduct a phishing campaign against your own organization and deliver an awareness training message as a payload instead of a keylogger.  These services are great and build increased awareness among the general population.  Regulators love them because you have a control with a vetted design and an easy way to illustrate effectiveness.  There is a lot to like about these services, but I think they still leave a lot of awareness opportunities on the table.

Despite how you might feel occasionally, we are not all uniform cogs in the same machine.  We are grouped according to function and objective.  A single security vulnerability could affect each group differently based on their behavior and environment.  That sounds a lot like market segments to me.  I propose that we segment our user populations and develop security awareness marketing material based on the needs of those segments.  Let’s look at a specific example: the Certifi-Gate vulnerability in Android OS.

We might have the following segments in our organization:

Customer Service Representative

Work Profile: Works a standard 8-hour shift.  Access to PII and potentially cardholder data.  Call center rules prohibit personal computing devices in the call center.  They are not authorized for remote access to the network, so supervisors can manage overtime effectively.

Threat Scenario: Assuming other controls are functioning properly, their Android devices should not have access to company data or credentials.  Threat actors targeting this segment have a low capability, and our controls enable us to resist these attacks effectively.

Communication Needed: No formal communication is necessary.  A courtesy communication might garner associate engagement.

IT Server Support Staff

Work Profile: Uses privileged credentials to manage Windows and Linux server environments.  No routine access to PII or cardholder data.  Might have access to file shares with proprietary information.  Authorized remote access to the network via VPN and MDM services.

Threat Scenario: Routinely uses privileged credentials, which might, or might not, be his or her everyday logon credentials.  Could reuse privileged credentials to access the MDM and VPN client.  An exploited Android phone could capture privileged credentials.

Communication Needed: Awareness communication including technical description of the vulnerability and how it might be exploited.  Include refresher on operational security techniques with emphasis on credential management and the importance of using separate administrative credentials.  Include brief refresher on security incident reporting procedure.  Also include links to reputable articles covering the vulnerability.

C-Level Executives

Work Profile: Manages organizational operations and formulates enterprise strategy.  Has access to proprietary information, trade secrets, non-public financial information, and long-range strategic plans.  Works primarily in a mobile environment and consumes information constantly when on the move via smartphone and tablet. These devices are almost always in close physical proximity.

Threat Scenario: These executives receive a spear phish exploiting the Certifi-Gate vulnerability.  Industrial spies use the compromised device to read strategy and proprietary information.  They leverage the vulnerability to convert the smartphone or tablet into a passive listening device to gain insight and leverage into merger or acquisition negotiations.

Communication Needed: Customized spear phishing awareness communication.  Also include an operational security refresher communication.  Combine these points into a presentation slide along with highlights from associated mitigation efforts across the enterprise.  Ask the administrative assistant to place it near the top of their daily review material.

These are just examples and scenarios I’ve come up with over the course of about 30 minutes.  I spent another 30 minutes organizing my thoughts and drafting this blog post.  I say that so you understand this is a quick and dirty example.

You’ll need to sit down with the right stakeholders at your organization to enumerate your largest market segments and develop a communications plan for each of them.  I’d recommend scheduling a half-day tabletop exercise to get your initial thoughts down and then having a couple of 30-minute follow-up meetings to dial in your final plan.  I think you’d get a lot of extra efficiency by engaging your marketing department in this process too.  They’ve done this before and can help you avoid rookie mistakes.

Drop me a note in the comments if you see things differently.

UPDATE: The SANS Securing the Human Blog has an article discussing components of a best of breed awareness program.  As always, SANS is full of good ideas and worth your time to read.
