SECURITY AWARENESS TRAINING AS A SERVICE

How Small, Mid-Sized and Large OrganizationsEqually Benefit from Security AwarenessTraining as a Service

Q. Why there will be another security breach

The root cause of every successful cyber breach or incident is human error. Systems and software only function in the way they are configured and deployed. The glaring fault in every breach scenario is with the end-users decision making behind those systems, whether supporting them or using them.

Advances in technology and convenience are not doing enterprise environments any favors either. Every day IoT becomes more ubiquitous, making the obstacles that much larger to hurdle. By the end of 2019, there will be almost 27 billion IoT devices with a network connection of some sort. By the end of 2025 that number will nearly triple to more than 75 billion connected IoT devices.

Combating ordinary threats is a herculean task without the behemoth of IoT in the fight. Securing Enterprise environments, regardless of the size, is evolving into an all-out war. Large organizations, while sometimes well-staffed, suffer from the same primary weakness, lack of agility in the face of an apparent threat. Small organizations, while nimble and quick, are often spread too thin to respond to every possible threat head-on.

No matter the size of the organization, the common threat from inside is user decision making. As technology advances, so do security breaches; to diminish threats cultivated training, awareness, information sharing, and communication are integral in building a successful defense. Many organizations rely on off-the-shelf software or tools to handle security; sometimes in place of good AppDevSec and secure systems administration policies. While these off the shelf tools afford a measure of protection, it is limited, and it is fleeting. Tools and software are only as good as the staff who provide their care and feeding, i.e., maintenance and ongoing support. Even the largest organizations can be hard-pressed to dedicate staff to a single tool, or even a suite of tools, when the threat is so broad and most often of unknown origin.

Organizations whose primary focus is not cybersecurity, and who can afford to hire InfoSec staff, are in direct competition with even larger firms and Cybersecurity-focused developers who have deep pockets and great job offers. Tools entered the marketplace in the last several years touting the use of cognitive computing or artificial intelligence to combat cyber-attacks on a proactive footing. Though promising, the cost of entry into that space can be prohibitive for small to medium organizations.

Staffing to support these tools can also be difficult and costly. Firms now face a hard choice. Buy expensive high-power tools, but not have the staff to properly support them or duke it out in a salary battle for high-power staff and leave the design of cybersecurity strategy to commercial developers, not to mention small organizations who may not be able to afford either choice.

There is no such thing as a quick-fix or a silver bullet for any organization in the race to achieve security and peace of mind for corporate assets. If that is the case, other than drastically increasing annual budgets for dedicated IT security staff, what viable options do IT leaders have? There are two options that any organization can do which have an immediate and measurable improvement on the security posture of any organization.

1. Provide security awareness training for the entire workforce.
2. Provide ongoing and enhanced security training and exposure to the larger InfoSec community for any dedicated InfoSec staff.

If the goal of information security, at its most basic, is to make an organization a less appealing target than its neighbor, option 1 is the largest return on investment for these sort efforts. Raising the level of security awareness for employees greatly decreases the physical attack surface of an organization. End users will always be the most common and vulnerable entry point for any attacker. Continual improvement of security awareness makes the human element attack surface smaller, and as a result, less appealing as a target for Advanced Persistent Threat adversaries. If the question is “How?”, then the answer is calculated investment of time and money on targeted user education.

Some threats stay persistent

The largest commercial breaches and those that occurred against governmental entities, namely The Office of Personnel Management between 2012 and 2016, originated through compromised credentials of authentic users. In some cases, the credentials compromised were from outside contracted vendors like HVAC maintenance workers in the Target breach of 2013, which netted hackers the credit card numbers of 40 million customers.

Why do these kinds of issues continue to plague organizations today? Impatience, diversion, anxiety, and curiosity are all exploited elements of human behavior to coerce someone into opening a malicious attachment disguised as something innocuous or divulge proprietary information.

Gatepoint Research surveyed 1,400 various size businesses and found nearly 1/3 of respondents receive more than 520 suspicious emails weekly. This threat has been a plague in the IT world starting in 2005. Many years later, organizations are still trying to mitigate this threat and others like it. The common thread in nearly every sort of cyber-attack is the end-user.

To better combat cyber-attacks organizations must secure their people first. This goal is easily accomplished by giving employees the tools, information, and training they need to recognize and respond appropriately to an attack. Employees should be encouraged to share this knowledge within their teams, their organizations, and community to build trusted relationships. Certainly, these things alone will not provide a total solution, but they are a fast and effective foundation in conjunction with more technical security solutions implemented and managed by more technical professionals. While the principle of defense in depth can be applied to any organization to provide a multi- layered approach to securing digital assets, awareness, and training are necessary for every indepthdefense strategy for a reason.

Educating employees on threats their organization might face and the ways to combat them makes every employee a sentinel and a member of the InfoSec team. This practice is the base that will support all other efforts and is a force-multiplier for even the smallest of teams and businesses.

Formulate an educational experience

The mainstream approach to Security Awareness improvement is failing. The math is simple. Organizations are focusing more than ever on Security Awareness, but the reports of new breaches and compromised systems seem to come daily. When asked, most employees would say the most widely used security awareness training programs are more of an interruption in their day rather than a genuine chance to improve their skillset and knowledge.

The challenge is creating content that is engaging for technical and non-technical audiences alike, easily deployed and supported, and scalable for audiences of any size. Doing those things in concert is difficult enough, however keeping that content current and reflective of ever-evolving threats sounds downright daunting for most organizations when done in-house.

Equally as important as the question of who delivers training to an organization should be the content itself. Elements to be considered for a successful Security Awareness Training program are as follows:

1. Content must be engaging

In a world of a 15-minute news cycle, 144-character tweets, and microblogs having employees sit through Security Awareness Training sessions that last an hour (sometimes longer) is not a viable option for positive results. Catering to short attention spans and competing with the already ingrained drive to “get work done” should limit the length of any training material to improve effectiveness and retention. Not only should training material be tailored to the end-user or their role, but it should also focus on the organization/industry and the goals of the same. Being able to customize content, including voice narrations, easily should be a major factor in deciding what training platform an organization should be using.

2. Training should be user/role-specific

Training tailored to specific groups of users, by role or by risk level, is the most effective. While everyone in an organization should be exposed to a baseline of InfoSec 101, tailoring more intermediate and advanced materials specific to roles and risk levels of users in the organization elicits more buy-in than a generic catch-all approach. Security concerns for software developers and systems administrators differ wildly from that of the average user. Subjecting everyone to all the same training is not only a waste of money but also a waste of time and potential buy-in from end-users. Tailoring training in this way also allows for targeting specific problems when they arise without having to revamp an entire training program for all users.

3. Results must be trackable and measurable to be beneficial

To better target specific areas addressed by implementing Security Awareness Training, decision-makers must understand individual risk levels users pose. Having insight into user risk requires accurate and timely data. Does your monitoring program correlate incidents back to specific end-user behaviors? Does your Security Awareness Training program show you where users fail and how frequently? How do you know what changes to make to your existing training to make it more effective?

4. The timeliness of training can add valuable meaning

The most valuable time to capitalize on training for a mistake is at the time of the mistake. Providing targeted training specific to an incident, when users are hyper-aware of the actions that led to it and the negative outcomes, is the best possible way to train and address a root cause. The further away from an incident one gets, focus on the root cause and negative effect wanes, while the likelihood of a repeat incident increases.

5. Create a Culture of Security and Awareness

Just as simple compliance should not be the goal for any security policy, compliance with a directive to participate in security training should not be a goal for employees. Engage personnel in the process and create a sense of ownership for the overall security of the company. Breaching security doesn’t require compromising an entire organization. It only takes compromising a single user to gain a foothold into most systems. Make users understand why their contribution is important and how securing each person makes the organization stronger and more secure. Incentivize security in whatever ways you can!

6. Test the effectiveness of training regularly and randomly

Drilling learned behaviors is an easy and inexpensive way to test the effectiveness of training and reinforce positive behaviors. Is your Security Awareness Training program able to test phishing emails internally to see who falls prey to these types of attacks? What about other types of social engineering attacks? Physical access restrictions? Test employees on these and other elements of your Security Awareness Training to determine the areas where your training is weak and then tweak it. Don’t forget to re-test using new materials as well. Remember to follow failures with immediate and targeted training for the element that needs correction and reinforcement. Strike while the iron is hot!

Any of these elements implemented individually might help improve an organization’s security footing. However, much like the principle of defense in depth, implementing them fully in a layered approach creates a scalable and sustainable method to improve Security Awareness Training and testing for any size organization. Similar to the topics in this piece, the difference between organizations are the amounts of time, money, and resources needed for implementation.

Users are safe, but what about the products they use?

Beyond the basics of Security Awareness Training for all users, many organizations bear the additional burden of securing the products they create. The process of creating software tools and products in an environment that truly embraces security is a tectonic shift for many organizations. Even with breaches announced regularly, Secure Development and DevSecOps are still regarded, at worst, as a burden by many, and at best a bonus but not necessity.

To those with roots in the industry, the benefits of such practices are obvious. Hackers take the path of least resistance. How can an organization with development concerns create more resistance? DevOps teams must have training on security best practices and how to write secure code. Blending AppSec into testing and acceptance criteria for end users becomes an easy step once you have implemented awareness and training. This process also requires that regular ITSec staff must also be involved in the development process to identify critical risks and create plans to mitigate any vulnerabilities encountered. C-level executives should be able to make decisions on secure development needs based on measurable risks versus an organization’s quantifiable security posture. All these things lead to security goals that are simple to understand and easily socialized within an AppDev team and the rest of the organization.

What this requires is additional, specialized Security Training for developers. Integrating security practices into the development lifecycle and verifying the integrity of developed applications during development helps to prevent incidents from occurring due to poor coding decisions. The same as basic security practice breaches due to insecure code all trace back to human error at their heart. Poor coding decisions during the development lifecycle create vulnerabilities, which if not tested for and remediated, are exploited once deployed into live environments.

Once the decision has been made to stop this revolving door of bad processes, AppDev leaders must decide on what the baseline Application Security Awareness lessons will be. These AppSec lessons lay down the foundations of application security and can be as basic as security vocabulary, the business impacts of bad design/coding, and an introduction to who might want to compromise their work. Once they have a solid grasp of AppSec basics, organizations can move onto more role-specific training for different development roles.

Training will, and should, vary by role and development language as each has its own set of challenges. The most effective lessons demonstrate both sides of the security equation: attack vs. defend. Teaching AppSec to developers means showing them the anatomy of an attack so they can better understand how to triage and defend against it. As bad actors are always looking for the path of least resistance, old tried and true toolkits, and scripts get rolled out often when attempted to compromise software or systems. Teaching how these tools work gives developers the knowledge of how to code against them, and how to code more cleanly to avoid these vulnerabilities in the first place.

Once the foundation of AppSec exists, and developers have a grasp of what attacks might look like from both sides, they should put this knowledge to work. Practical labs on how to improve your organization’s products are a great place to start for AppSec hungry developers. Testing their work, or the work of others in the organization for vulnerabilities is a great application of their newfound skills. Developing and working through a security test plan for their code is an effective tool for showing them what it was like before they knew the difference and strengthens the sense of ownership for the health and welfare of their code once it is out in the wild. A Security Awareness Training program targeting Secure Development should have the capability to test all the above. It must be hands-on, allowing developers to flex their muscles as both attacker and defender in real-world scenarios. This direct practice is what will set any AppSec training tool apart from its standard video and multiple-choice quiz competitors.

The Gatekeepers of it all

If they are doing their job correctly, most of the time, system administrators will get little attention unless something goes sideways. To the average end-user networks and servers run themselves. If these major parts of their work go unnoticed, then certainly all day-to-day security functions they fill are a mystery to most users. A few, but certainly not all, of the daily System Administrator tasks that involve security are:

• Monitoring network infrastructure, server, and application logs
• Patching operating systems and third-party software
• Monitoring antivirus software
• Monitoring network bandwidth and usage
• Ensuring that systems backups run correctly and are usable

These do not include the actual security event-related tasks delegated to System Administrators. “System Administrators are a key component of a sound infrastructure in any IT environment, especially when it comes to security,” said Cody Rucks, a DevOps engineer in corporate operations at CareerBuilder. “Whether actively working to prevent threats, doing an analysis of trends, implementing policies or engaging with SaaS vendors to ensure they are not allowing a lapse in security policy, it is the system administrator that helps to protect the integrity of the environment by leveraging close collaboration with security teams.”

For a role that is integral to the security of the largest segments of any Enterprise, there must also be additional Security Awareness Training. As with Developers, System Administrators require additional training specific to their role to enhance understanding and application of security principles in their work.

ITsec leaders wanting to enhance the overall security of their core systems should ensure that System Administrators receive additional training and information on the importance of:

• basic security – using/managing firewalls, antivirus, antispam, encryption software to secure the network and sensitive data
• user education – providing documentation and support to users on the appropriate use of enterprise technologies, data, and access
• trend awareness – as threats to systems are evolving daily System Administrators must stay aware of new methods and tools to mitigate the risks that those threats pose
• security patching – keeping operating systems and applications up to date to avoid vulnerabilities
• audit logging – capturing and reviewing server logs for gaps or anomalous behavior
• implementing security policy – defining user responsibilities for the systems they use
• password management – maintaining hypercomplex passwords and encryption for key business systems
• access controls – managing user access at a level appropriate to their actual needs on any given system

Like Secure Developer training, the Security Awareness training for System Administrators must be role-specific and can be technology-specific at times. Training should provide for active testing of this knowledge in the attack & defend manner as discussed for Developers. Only by understanding the nature of the vulnerabilities in the network can resources plan for defending them and then remediating them altogether.

Training should preferably include the ability for customization specific to the systems in each enterprise environment. This customization would allow for targeted training and enhance awareness for systems resources that are in contact with every day. Real-world examples always provide more interest and information retention as opposed to theoretical examples and generalizations seen in some training offerings.

Talk about all these things once in awhile

Once an organization has decided to invest in Security Awareness Training, it is on the road to enhancing its security posture for the better. After training is successful, there are additional steps that will help make it more successful. Create an atmosphere where security is a socialized topic. While two employees in the same role may receive the same training, they will likely see some things differently from one another. Sharing their different points of view and exchanging information is an easy way for misconceptions to be aired and resolved. Creating securityfocused discussion groups or technical meetups within the organization is an easy way to foster the desire to learn more from the peer group and to be more actively involved in securing the organization and its assets.

No matter the size of your organization, today is the day that you will face the most advanced and persistent threats you have ever encountered. That is, until tomorrow when bad actors have had one more day to collaborate, share attack vectors, compare notes, prepare more social engineering attacks to make an organization’s life miserable for their entertainment and personal gain. Whether a part of a large or small business, you should use the tools of training, awareness, information sharing, and communication to your advantage to secure your organization, level the playing field, and meet attackers head-on.

Like Secure Developer training, the Security Awareness training for System Administrators must be role-specific and can be technology-specific at times. Training should provide for active testing of this knowledge in the attack & defend manner as discussed for Developers. Only by understanding the nature of the vulnerabilities in the network can resources plan for defending them and then remediating them altogether.

Training should preferably include the ability for customization specific to the systems in each enterprise environment. This customization would allow for targeted training and enhance awareness for systems resources that are in contact with every day. Real-world examples always provide more interest and information retention as opposed to theoretical examples and generalizations seen in some training offerings.

ABOUT THE AUTHOR:

Chris Schumacher is a Senior Consultant with New Light Technologies and a former C-Suite executive in both the private and public sectors and previously focused on Law Enforcement and Critical Infrastructure protections. He is on a mission to eradicate ignorance as a leading cause of cyber insecurity for individuals, businesses, and government agencies alike.

CONTRIBUTORS:

Carl Alleyne II is a Senior DevSecOps Engineer with New Light Technologies and Edwina Vincent is a Deskside Support Technician with New Light Technologies. Both are deeply experienced in implementing and supporting security controls and best practices for Government and private sector clients. Their insights as technical reviewers of Reflare’s product offerings for Systems Administrator and Secure Developer modules were invaluable to the process of creating the foundation for this work.

Solution Profile

Equally as important as the need for Security Awareness Training is the team you engage to provide it. As a trusted advisor to commercial businesses and Federal, State, and Local government entities, New Light Technologies is hyper- aware of the mission-critical security needs faced by the private and public sectors. It is for that reason that we chose to review Security Awareness Training as Service, as provided by Reflare.

While reviewing their offerings, we discovered that not only does Reflare’s training provide Security Awareness at all levels and disciplines in any enterprise, but it is also highly customizable and scales easily to organizations of every size. We understand the need for tools that provide high impact results without straining team resources when it comes to configuration, deployment, and management. Reflare has created a Security Awareness Training As A Service toolkit that provides solid results right out of the box for those organizations looking for a solution with little to no configuration. Enterprises with more complex training needs will find that the level of customization available, and the ease of managing it, in the Reflare toolkit is a gamechanger.

Adding business-specific content can be done by the organization itself and the changes are immediately made available to trainees. With an AI voice engine that integrates custom content into the out of the box offering, even the most customized deployment of these products appears seamless to end-users. Naturally, the contents can be consumed using nothing, but a web browser and care has been taken to provide high levels of accessibility for trainees with special needs.

Going beyond training end-users on the fundamentals of security awareness, which these tools do incredibly well, Reflare also provides robust training options for in-house development teams and resources in systems administration roles. The training was highly interactive in all modules, and especially so for the more technical disciplines. DevOps and SysAdmin personnel going through Reflare training modules advance through multiple scenarios with practical exercises where they must operate in attack and defend roles to demonstrate skills learned.

These challenges are performed on real computers running real operating systems with real vulnerabilities which are launched for each user individually in the cloud. By using cutting edge technology, Reflare makes this level of interactivity available straight from a trainee’s web browser - meaning that no special software needs to be acquired, installed or maintained. In comparison to other training systems experienced over the years, technical reviewers were delighted at how different, and inclusive the Reflare toolkit was and how much new material they retained.

Looking at all of this from the C-Level perspective, deploying Reflare into any environment, no matter the size creates a force multiplier. In organizations with dedicated ITSec staff, Reflare’s tools keep all users up to date on security concerns and trends; allowing ITSec staff to focus on active defense and remediation of security risks. Organizations with little or no dedicated staff for ITSec needs benefit greatly because educating end-users on security basics, and current trends provide a base layer of defense against the most common attacks in use today.

As a reselling partner of Reflare Security Awareness tools, New Light Technologies is ideally positioned to help any organization reap the benefits of this amazing technology and content. Our team has been improving the security posture of our customers for more than 15 years. We are excited to partner with Reflare to take training to the next step of its evolution when it comes to Security Awareness.

Speak with New Light Technologies today to learn how Reflare is changing the future of ITSec training and how this amazing toolkit can help secure your employees, your data, and your business.

newlighttechnologies.com 1-800-206-5994

reflare.com 1-800-229-3586