
Lance Spitzner

www.securingthehuman.org/blog
info@securingthehuman.org
@securethehuman

Security Controls Implemented

WindowsOS vs. HumanOS (timeline 2002, 2004, 2006, 2008, 2010, 2012, 2014)

WindowsOS, controls implemented over the period (in the order shown on the slide):
EMET
Microsoft Security Essentials
Encrypted File System
AppLocker
Mandatory Integrity Control
Windows Service Hardening
Bitlocker
User Account Control
ASDL
Windows Defender
Malicious Software Removal Tool
Data Execution Protection (DEP)
Baseline Security Analyzer
Firewall Enabled by Default
Microsoft Secure Development Lifecycle
Automatic Updating
Software Restriction Policies
Trustworthy Computing

HumanOS, controls implemented over the same period: none shown.

1 in 251,800,000
Source: http://www.bookofodds.com/content/view/full/252163

1 in 112,000,000

Source: http://www.bookofodds.com/content/view/full/248157

Common Misconceptions
Awareness has never worked
Someone always falls victim
Awareness is only about prevention

Fogg Behavior Model

2015 Sec Awareness Report

The Impact
First phish: 30-60% fall victim.
6-12 months later: as low as 5%.
The more often the training, the more effective the impact.
Quarterly: 19%
Every other month: 12%
Monthly: 5%

Who
Determine who is the target audience of your program. Different targets require different training.
Employees / Contractors
IT Staff / Developers
Help Desk
Senior Management

What
People can only remember so much, and you have limited time and resources.
Focus on the fewest behaviors that will have the largest impact.
Phishing
Poor password security
Failing to patch/update device
Sharing too much on social media
Not realizing you are a target
Accidental data loss / exposure

How
Engage: create content where people come to you; 70-80% of your awareness program also applies to people's personal lives.
Content people can consume on their own schedule (Self-Education / Ambassadors).
Communicate and reinforce regularly throughout the year.

@securitypenguin

Update Content
Your technology, business requirements, and threats are constantly changing.
Update content at least once a year with your Advisory Board.
Ensure you have budget allocated for updates.
By sustaining your program long term, you go beyond behaviors and begin to change culture.

Metrics Framework
Metrics that measure the deployment of your awareness program: Are you compliant?
Metrics that measure the impact of your awareness program: Are you changing behavior?

Key Lessons Learned
Give yourself time for planning (2-3 months).
Don't try everything at once; you have years to develop your program.
Engage people; if they do not like the training, it will fail.
Share success (and failure) stories.

Summary
Humans are nothing more than another operating system.
Secure the HumanOS by changing behaviors with an active and engaging awareness program.

Resources
www.securingthehuman.org/resources

Events
www.securingthehuman.org/events