
Hey everyone, my name is Lauren Clausen. I work for Rapid7 as a security governance analyst, and I just want to give a round of applause to the AV team and our volunteers here at BSides. Thank you. I'm especially excited to be here at BSides and to be sharing this talk; to me it fits in very well with the kind of mission statement and ethos of this conference: continuous conversation and learning, collaboration. So we are gonna have you guys interacting with each other throughout this, so I know if you need to run now, you're like... it's cool, it's cool. So yeah, we're gonna have a little bit of a conversation, but I want to just say thank you to BSides for having me here so we can get into this and all work together to generate and share this knowledge.

A little bit about me: my background is as a software security engineer. I worked at two different government organizations; I was a maker and a breaker, doing Android development and a couple of other things that I can't really talk about. But following security policies at these kinds of places isn't optional, it's necessary, right? If you break policy you get a written warning from the security team, you could potentially lose your job or your clearance, or you could spend up to ten years in federal prison. So that's pretty high stakes for following the rules. When I got to Rapid7, and after I left that kind of industry, I found that that structure was kind of taken for granted. A lot of people in this industry and in the corporate world don't have these constraints on them to really follow those security policies, or even think with security in mind. So when I got to Rapid7 my role became to re-engage and retrain our users: how do we get people to think about security without these massive personal consequences?

So how many people in the room have taken some kind of security awareness training? Yeah, that's expected, right? How many people had a really great experience with their security awareness training? Cool, what are you guys doing here? That's kind of expected, right? How many people remember what was in the security awareness training that they took? Okay, cool. You are the security people and half the room raised their hand; think about all of the people that don't care about security taking that training, and how many of them remember maybe anything at all. So that's the problem we're here to talk about today. We have really smart people working at our companies, or at least I hope so, and getting these people to think about security might be a little bit out of their comfort zone. So how do we take people back to that beginner mindset of: I'm an expert in my field, but I don't
really know about security. How do we get them into that frame of mind so we can train them and teach them the ways to do that? A lot of these people have that "it won't happen to me," "I'm not going to do that," "I wouldn't fall for that" kind of mindset, but we all know that they do. Security awareness training doesn't just have to be a compliance checkbox. We have this opportunity to really train our users about things that we think are important and that our company feels are important. And we all know the stories: someone gets the flash drive in the mail and it says "very important data for your company," and they just plug it in. Or we have this guy who's so generously holding open the door for the person that forgot their badge, or had it in their other purse, or whatever it is. Or, you know, clickbait: win a free cruise, just click this little button, and who knows what happens. And passwords, everyone's favorite: post-it notes, simple passwords that get taken or stolen, and it affects all of us.

So I'm not here to tell you what should be in your security awareness training, because we're all different, right? Our organizations, our users, our company, our industry, everything is different, and what we want to think about with security awareness training is really catering the content to your audience and your environment. I bet that everyone in this room has security policies that are different from the person sitting next to them, and that's a good thing, because all of us, as I said, are different. When we talk to our employees about training and security, we really need to keep in mind that what we're training them on is relevant to them, that it's something they're interested in, and that they're going to remember it after they watch the video or whatever it is and keep it with them as they go through their day to day.

So my goals for today are to offer you some new tools in thinking about security awareness training, and a different way to think about it so that you can really reach your employees and your users and share this information with them; some immediate impact, where we're gonna have discussions with some of your neighbors and then bring it all back together. So hopefully you'll walk away with some new tools and something that you can take home with you to customize to your audience and how you're going to train them.

When I got to Rapid7, the way we started this process of redoing and revamping our security awareness training program was identifying what the gaps were. Where do you need to work on training your users? Is there a specific thing that comes to mind, like "oh yeah, everybody's breaking this policy or this rule or doing this behavior," and why is that? So we want to talk about the what: what the problem is, and I'm going to go into some Rapid7 examples of what we looked at. And then the why, right? Without explaining to your users or your consumers why this is important, it's never going to stick with them; they're never going to implement it. So it's really about changing that behavior and letting them learn from these trainings. I'll talk about what we came up with at Rapid7, why it was relevant and why we cared about it, and then how we actually
trained people and offered these opportunities for learning. And then we're going to have you guys talk to each other; you'll have this opportunity to pick out the points where maybe your security program is lacking or the training program has a gap, and how we can step forward with it.

So here are three examples from Rapid7. This first one is our acceptable use policy. Most people have this in place. For us, we had users who didn't fully understand this policy, so they were making mistakes without even knowing that there was potentially a security risk. One example: at Rapid7, in our acceptable use policy, every time you walk away from your computer you're supposed to lock your computer, right? We have technical controls in place, automatic screen savers, so that after a certain amount of time the computer locks itself. But we have an unwritten rule that if you find a computer unlocked and you happen to access it, you can send out an email to the whole office with the subject line "donuts," and the next day the owner of that computer has to bring in donuts for the whole office. You would think that this is a pretty good deterrent for leaving your computer unlocked, but you'd be surprised how much people like donuts.

Another example: as a company that creates security products, we have a lot of people around who are really smart and very interested in security, and often that leads to them, you know, hacking around and scanning networks or building exploits or whatever it is. We have Metasploit, if you are out here taking a look at our products. So we have people doing these things that are a part of their job, and that's really great, but it's not so great when it's on our corporate network, or it's open where it could cause real harm.

So, why, right? That's our what; those were our two gaps. The why: scanning networks is obviously a precursor to a cyber attack. It alerts our security team; we were getting flagged by this a lot. So how do we get users to not do that behavior internally and set it up on one of our lab networks? For the donuts thing, you know, physical access: if your computer is open long enough for someone to send an email, it's not open long enough for them to take data? So, segregating that data.

Our solution: what we did with acceptable use, for us, was one of our low-hanging fruit. It was an opportunity to address a lot of issues in one setting, so we created a video in-house that had our security team speaking to each of these issues. This gave us an opportunity to get people to see our team and then also to learn about the reasons that we have these policies in place, so that they can actually implement them and understand, and not just look at it as a rule, right? Like, "oh, this says it so I have to do it"; but it says it because this is the risk. So for all of the software that we don't allow, we talked about the why and how it really affects our company that you're doing these behaviors. We got our head of InfoSec to get on camera and say, "I'm the person that's receiving these alerts at 11:38 or 2:00 a.m., whatever it is. Stop doing this, because I'm getting this notification; you're wasting our time and our resources, when really we want to be focusing that in other ways."

Some of the
results of this training: after we released it we got a lot of good feedback from it, but we were also now able to track exceptions. As I said, there are people for whom this is their job, so we want to know who is doing this and when they're doing it, so that we can approve certain use cases where this is okay, right? We had a couple of people reporting violations, which can get into a little bit of a hairy area, but it was cool, again, to then go to those people that were potentially in violation of this policy and say, how can we work with you to fix this? How can we find a solution that all of us are feeling comfortable with? We also had a lot more people talking about security. If you put your goofy security team in front of the camera and send it out to the whole company, a lot of people are going to be talking about it, and it was cool to have that conversation and see those conversations going on. It gave us an opportunity to discuss with people why we have this and what we're talking about. Um, less donuts? That's questionable.

Okay, another gap that we identified was password management. We have a single sign-on solution and two-factor authentication, so we have technical controls, but we found that there were still some users that were insecurely storing their passwords, and that were reusing passwords or sharing passwords in ways that we didn't approve of. Why is this an issue? Obviously passwords are the keys to the kingdom, so we want to make sure they're secure, and sharing that with our users, explaining each of those little bits, was really important.

One of our solutions is right here: we have a bot in our chat application that pops up if you type the word "password." You get this little alert that says, "are you trying to send a password over Slack? Please use secure file transfer instead," and it gives you the link to how you can send that information securely. We did discover that people were abusing the bot quite a lot. The word "password" comes up in conversation quite a bit, so this bot was getting a lot of use. We ended up adapting as we went forward, so that "can you send me the password" will now alert this, and it has a couple more heuristics included.

Our solution, in addition to things like the bot, was in-person training for groups that were specifically at risk. We sat down with some of the departments that were sharing this kind of information. For us, our marketing department has all the social media information for our company, right? So they had to share the Twitter password or whatever link so they could get that information out to people, and we wanted to give them a solution that could make that easier without being insecure. So we have a password management tool that we implemented. There are many of them: LastPass, KeePass, or 1Password, and these are all great solutions to give your users an alternative to the insecure ways they're doing it, and in a lot of ways it makes their life a lot easier, which is a good thing. As a result, again, we were having violations being reported to us, which gave us more opportunity for enablement: we could then reach out to the group that had their passwords listed somewhere public in the company
and say, "hey guys, this maybe isn't the best way to do this; can we put it here instead?" And then user behavior has changed: we've been able to see how we're getting more traffic through our secure file transfer and that fewer passwords are being sent over these insecure channels.

Phishing and social engineering. This is an obvious one, right? This is perpetually the issue. The why on this: 95% of all attacks on enterprise networks originated from spear phishing; 74% of organizations think that this is the biggest risk to their company, someone clicking an email. So being able to address this and let our users know that this is a real issue, these are the things that can happen, and this is what we want you to do about it. Our solutions: we have an annual phishing campaign that we do for all employees, and if you happen to fail the phish and click on it, you get redirected to a full set of training information: why was this email fake, what could have happened, these are the risks. We also have an avenue for people to report phishing campaigns or email they suspect is a phish. We test continuously and we're sending follow-ups on this, so that people are constantly thinking about what they're getting in their email and what they are clicking on or being phone-called about.

So what we saw: our last training, as I said, was the acceptable use training, and just getting people thinking and talking about security, we actually saw a 10% increase in phishing emails reported over the last quarter. More people were sending us emails that they thought were suspicious, and we actually had nine of them that were legitimate phishing attempts, so that's nine opportunities that we just shut down for someone getting into our network. A lot of our response to phishing is an automated process where we're analyzing the email and all the URLs that are in it, so that we can determine whether this is a true or false positive.

So, we're not perfect. When we sent out our last email for our acceptable use training, this is what the email looked like. Yeah, does this look like it might be phishing? Because our users thought so. Basically we say: this is a required activity, this is the deadline, it's going to be an exception on our SOC 2 report if not everyone fills this out, we say that we train all our employees. This was the email immediately following this: one of our pen testers came up with this message and posted it to our public security channel: "that email for completing acceptable use training is the perfect phishing email template. I'm stealing the verbiage and using it for my next engagement." So we also are learning; we have to be better about this, and you know, that's what it's all about, that we were able to get this feedback and think, like, oh yeah, we're telling you not to click phishing emails and we just sent you an email that looks like one, telling you you have to do this. So, you know, continuous learning is a core value at Rapid7, so we're living it on this one.

Okay, so we just went through some of the big gaps: the what and the why, and then how we came out to solve this problem. What we're gonna dive into next is some of the takeaways and things we learned at Rapid7 that you can use going forward in your trainings. These might not work for everyone, but they were things that we
found really valuable at the end of ours.

Show off your information security team. This is us; this is the end of our video. You get a nice, hilarious shot of us jumping after we just told you for 15 minutes about security. So making the security team available, especially for us, and letting people know who they are: it was awesome to have people come up to us in the hallway and say, "oh, I just saw your video," or "you were in that training." Even as I was presenting this to one of our marketing people as a dry run before I came here, she was like, "yeah, I felt like I had to take it because Katie was in it and I know her and she's gonna come hunt me down." So having that relatability, and people that they know in a video or in a talk or whatever; and it doesn't have to be a video, right? It could be just an email announcement or a newsletter. But keeping the security team at the forefront makes it that much more important for people to pay attention, assuming that your security team is on good terms with the rest of your organization.

Accept feedback. So that phishing email that we just got, that was unsolicited feedback, but we also gave people an opportunity to contact us after we did the training. Our original video is about acceptable use, and a couple of things in there were things that people aren't gonna like, right? So what are people doing if something's annoying them? They're gonna ignore it, or try and disable it, or just complain about it. So we wanted people to reach out to us, and we provided a way to file an exception: if you have a legitimate use case for any of the things we tell you you can't do, you can file an exception through our ticketing system that goes to security, and one of us will reach out and answer your question. It might be approved, or we might say that's not really a legitimate thing, we don't want you doing that. This also forces people to consider why they're doing the behavior, right? If they have to reach out with a question and they're thinking, like, "oh, but I really want to use this," and they have to type up their explanation, they might realize, oh yeah, that is a gap. So this was really useful for us. We also have public channels where people can reach out to us and ask questions, and we got a lot of that after this training, so that was valuable for us.

Share the why. If people don't understand why these things need to happen, they're not going to be able to implement a new behavior. So we're trying to get that ingrained in our users: this is stuff that really matters, and this is why. One of the things we talk about is why you can't have games on your computer, and it's not that you're not going to be productive; we trust that you're getting your work done. It's that a lot of these games that you're downloading have malware embedded, and we can't update them, and that's introducing risk into our network and our environment that we can't fix or don't even know about. So being able to tell people the reasons, and then speak to it and have them come back to you, was really valuable.

Role-based training. Nothing is worse than watching or sitting through a training
that you don't care about and that doesn't apply to you. So take this opportunity to speak to the things that are relevant to each of your users. The training video that we were using before we had this new one talks about thumb drives and removable media and CDs and disk drives and whatever else, and that is specifically not approved in our policy. So why are we telling people about this when we're then later asking them not to use it at all? So, thinking about who your users are and what they need: the fact that we did password management solutions and training for our marketing group, who specifically needed to share accounts, and then for the future we're trying to do secure development lifecycle training specifically targeted at our engineers and our product teams. So just thinking about how you can reach out to the individual groups that you need to, and what you need them to know.

And we're all humans, right? So, putting yourself in someone else's shoes: it's easy to say this data is at risk, and this data getting out would put our company at risk, financial and whatever else. But for you to say, what if you were the person? If your company has a list of attendees to an event, or travel plans, what if that was your information that just became public, and now everybody knows where you're gonna be at what time? Would you feel okay with that? In the time of social media maybe you're doing that on your own, and then, yeah, cool, whatever. But whatever the example is, thinking about, well, what if that was me? Would I feel cool with someone sending my social security number over Slack, or whatever it is? So flip that question on your employees, and try to bring that human aspect back to security: that we're all in this together, and if that was you, how would you feel about it?

And then keep it going: refreshers, reminders, notifications. I said newsletters before, having a public channel; we send out announcements with IT tips or IS tips on a regular basis, and just keeping that security message available for people to go see and refresh. When that Slack bot came out, we were releasing that to our users and we also were sending out information about the training: if this is something you need a refresher on, go have a look at it, this is the opportunity for you to do that. So it's not a one-and-done. We want to provide people this opportunity to see the information and try and pick it up a second time and a third time. You don't have to require it, but having it there, so that if someone has a question they can go back and say, like, "oh yeah, I think that was in there, what did it talk about?"

Okay, so we talked about, at Rapid7, what our gaps were, what the things were that we were looking into and that we needed to fix, and then how we could get that out to our users, what methods we used and what time we took to do that. So what we're going to do now is, you guys are going to have a chance to discuss some of this. I'll have two questions for you, and we'll get into that, but basically: what is the hardest aspect to train people on in your environment, or where do you think the biggest risk is? And you don't have to get, like, super specific; you know, we've got a
lot of hackers in the room, but you can talk about where you need to improve, or what you think you would like to improve, and then how you convey that. So what are some methods or ideas, and it can be really specific or really vague, of how you convey those things to the people that need to know about them? So we've got the what, right? What are your gaps, what do you need people to know, and what do you want your users to be doing? Why: why does this matter, why should I care, and why is this a problem? How: how do you train your users, how do you get this information out, how do you get them to understand why it's important?

Okay, here's a list from NIST of all of the potential things that could be in a security awareness training program, right? So these are some ideas for you guys to think about, and the ones highlighted in orange were the ones that I just talked about through here. So feel free, you can dig into those a little bit more or you can pick something else. But I want you guys right now to, I'll throw that other slide back up, I want you to introduce yourself to the person next to you. If you're sitting alone, scoot in a little bit; we're gonna talk, okay, no one bites. And take a couple of minutes, I'll give you like five minutes each and we'll see how that goes, to discuss the what, the why and the how. So here's your chance. I'm going to be walking around, so feel free to grab me if you have a question or want to talk. Okay, go ahead.

The other one, there we go. Yeah, okay, wrapping up your last final discussion. Okay, so I love that you guys were really getting into it, and in a couple of groups that I talked to there were some real questions, like, "well, what do I do?" So I want to take this time for you to ask your peers, right? We're all here to learn. So does anybody have something that came up in your small group, or you and your friend talking here, that you were like, "I don't know what to do about this," or anything you want to share that came up?
Okay, so my English is not so good because I'm Brazilian, you know, so I will try here. Okay, we have some challenges in Brazil because some of our users, some of the people that work for our company, they have the key knowledge about some processes of the company, but they don't have a computer, they don't have a smartphone. It's like people mining rocks and working in the mine and something like this, you know. So these people have specific knowledge about some formulas that we use to mine rocks and do things like these. So how can I target these people in my security awareness program, you know? It's hard for me if I have about, I don't know, thirteen thousand people in my company, and half of these people don't have a computer or a smartphone. Yeah, you know, it's a global company. So how can I target these people in my security awareness program? Phishing is not a problem...

We're going back, right? This is general; we're not talking about computers. Yeah. Okay, guys, he's like, "oh man, I have phishing, probably."

Okay, I understand about phishing simulation, about training on phish and stuff like this, but, man, it's like users, you know, they take a selfie with a storage position computer and put it on Instagram, you know. We have this type of problem. We created a solution using machine learning, image recognition, to solve this problem, you know, but how can I educate my users? They don't have a computer or a smartphone. I was thinking, like, maybe something, I don't know, because I don't know what to do in those cases. I'm just sharing my problem.

Thank you. That's a cool example, right? Security extends way beyond computers; there's a lot of security we have to talk about. Um, anybody have an idea for... what's your name, my friend? Igor. Anybody have an idea for Igor of what he can do?

Well, it sounds like you kinda have to go old school yourself and have, like, posters and flyers and analog stuff, signs and whatnot like that.

To me, I would think that you could invite groups; you could target the groups that you have the most problems with, invite them to lunch, have a contest about security. It'll excite them a little bit; maybe they'll win an iPad or something, rather than "you'll have to watch this later." So if there are no official structures that you can use to communicate with them directly and to get them there, there will be, you know, unofficial structures that you can then use. So do something cool and get the people to talk about it amongst themselves. Well, it might be hard to get water-cooler talk for all the people who are mining, who work at the same site, but at least over a few degrees you will be reaching the people, if you can do something cool that the people will then talk about.

Awesome, yeah. And to add on, I was talking to someone yesterday about this talk and they were like, "oh, what are you talking about?" Security awareness training. And they're like, "oh cool, like, what is it?" So they were telling me that they had heard at this company that every meeting that they start, no matter what it's about, it could be the security team, it could be a public whatever, every
meeting, they start with a security tip. So whatever it is, like, "make sure you lock your computer," and continue on with the meeting, or "don't take photos when you're on your office site," or "don't share this publicly because this could harm our..." whatever it is. But being able to put those things out at intervals and keep security on people's minds as they go. Okay, any other, like, "I have a problem, I don't know what it is"? Anybody else have anything? Yeah, over here up front.

Yeah, so we deal with doctors a lot, and they push back a lot whenever we want to implement some new security policy, one main one being, when they go into an exam room they want patient data up and ready for them to log on. We've done things like smart cards and, you know, PIN codes to try and alleviate the impact on them, but I was curious what other people do to either get through to doctors so they understand why it's important and stop complaining, or, you know, maybe not on topic, but if someone has suggestions on this type of scenario you can tell me outside or something.

Yeah, okay. Who's got users who don't want to follow the security policy? Because I'm sure that's everyone here. So any ideas? What's your name? Jeremy. Anybody got anything for Jeremy?

Yeah, you could use the badges and near-field communication to alert the PC that this doctor is within proximity. You could also train the office staff; by the way, the doctor needs to know, do it for him, what are they supposed to do anyway, you know.

Cool. You have an idea? Okay.

One of the things I recently was working with: the password management tool that we're thinking about implementing has, if you have your phone... I don't know if doctors carry their phones with them in operating rooms, but if you walk up to your computer and you have your phone nearby it actually auto-unlocks it. So they're doing stuff over Bluetooth and some Wi-Fi tools. So there are things like that out there to make it easier to set that up and have easy access when it's needed.

Okay, you had another issue? Lift the mic up a little bit.

I was thinking about how hard it is... is that better? Yeah, okay. Every security awareness training I've had at all my jobs has been annual, and that just seems like a really, really long time between training, and I'm always surprised that it's not monthly, that there's, like, you know, a talk about it or a refresher. But you can do it cheaply; you know, the communication doesn't have to be expensive, right? There's a lot of cheap ways to communicate, but do it regularly and more often. I was always surprised at security awareness training being an annual thing.

Yeah. So I work on our compliance and governance team, and I think the driver for a lot of that is that compliance checkbox of "did you train your employees, is it complete, and is it done annually?" Some people are doing that bare minimum, and it works, maybe it solves your compliance issue, but yeah, it's not enough. So, as I talked about, availability and having that "keep it going": there are many ways to send out and keep the conversation going outside of that one-a-year video. Stagger your trainings, and send messages
in that newsletter from the security team that has some tip or a new issue or new thing, whatever it is. Yeah, so that's a real challenge, and I would love to see people doing these trainings more often. And even if it's... I mean, there's plenty of material that already exists, right? You said it's expensive; it doesn't have to be. There are a lot of things that exist on the internet out there, whether it's an article or something on YouTube, and you send it out to people and it's quick. There's a company right now that's doing security awareness training like advertisements that are very fast; they're like under a minute and they're hilarious. The whole point is to get you laughing and just thinking about it. So those things are there, and it's really our responsibility as the security team to get that in front of people's eyes, at least from my perspective. We had one more back here, one more thing to add?

Yeah, I really like the idea of the video, for example, and I was already thinking how can I implement it in my own company, like inviting other people from other teams, like engineers or, I don't know, people from products, to talk about some security topics that involve them in the process, and they can be the security champions in that area.

Love that.

But the idea also is, if through my policy it's mandatory for everyone to do security training annually, whatever, how can I track who did the training? One of my ideas was also to do a Google Form where you need to go through a questionnaire, but that doesn't mean that the person went through the video anyway. So how can I solve that problem?

Yeah, that's a good question. So we have a content management tool, and if you assign something to a user you see how far they get through the process, so you have that checkbox and you have the list of people that saw it, the list of people that completed it, and whatever it was. But if that's not something that's available, and you're offering this training to your users, employees, whatever it is, and you're able to, say, send out that video, maybe your Google Form or your thing that's attached to it is a quiz. We have a quiz that follows up our video, where you have to fill out the answers and you have to get whatever score, and we're not trying to trick people; we want them to learn. So one of the questions is like: if you have a question about what to do, like something in this policy goes against your job, here are four options, what do you do? And, like, one of them was "egg the security team's house," "complain about it in our Slack application," I forget, "cry," and "file an exception." It's like, yeah, it's obvious, but just getting people to think about it and have that follow-up. So maybe, I don't know if this would satisfy an auditor, but if really what you're trying to do in the training is get people to understand the topics, if you follow up with that quiz that could be enough to say, if you're answering all these questions then you get it, you know what we're talking about, and this is why we're taking it forward. So that's one idea.

Okay, I think we're coming up on time. I just want to do a quick recap:
the what, the why, and the how. So you guys have had really great feedback and questions for each other; I encourage you to continue this conversation outside of this room. We still have a whole half a day here at BSides, and then I know a lot of people are here for the rest of the week. So really thinking about that what: what is the gap, what are we trying to work towards; the why: why does this matter; and then the how: ways to train your users. Okay, you are all now security superheroes, go out and train your users. I'm gonna open it up just for questions for the last few minutes; if you have any, feel free to ask, and then
I'm gonna also be at the Rapid7 booth just around the corner if you want to come ask me questions about phishing campaigns, tools, whatever it is that we use, feel free to do so. So thank you everyone, I hope you have a good BSides.

One quick one. Yeah? How professional are your videos?

So we had a question up here that said, and this is totally a culture thing, at Rapid7 we are totally laid-back and relaxed, we can swear, do things where our security team is jumping up and down and like whatever, and we had someone say like, well, that wouldn't fly in my company, like nobody would get it, they would turn it off and just be not cool with it. So
that's a balance that you have to work on. For us, we do have a camera and a room in-house; we had our marketing team and our communications team work with us to create this video, and it is hosted on our content management system. But it doesn't have to be that professional. As you were saying, you could get people in front of a cell phone and record them talking about security and why it matters and put it on YouTube, and that's what you send out. So it doesn't have to cost a lot of money or be really expensive to get the message out that security matters and you need to do this not just at your
office but in your day-to-day life, that every moment that you're thinking about security you're going to be safer and we collectively will be safer, hopefully. Thanks.

Well, maybe one more? Yeah, thank you. Do you have any tips for working with people who actively reject, essentially, spending time with security training and so on, simply because they state, "I've been working in a security company as a security engineer or a secure software developer, whatever, for so many years, I don't have time, I have a deadline coming up, so if you give me this questionnaire I'm gonna have one of the people in my team do that, write up all the answers, and then distribute it to my team,
because I need to hit my deadlines." And that person in that case actually had his domain password as "password 2014" in 2018.

Those are fun, right? Those are those experts that are experts but don't get the basics. So yeah, and you know what, that's something we're forever going to be running into, but it can be nice to invite people, like as I said earlier, to put on that beginner's mindset, and if you frame it as like, I know we all know this stuff, but we're going to talk about it anyway, and having those reminders and those password whatever, having the posters up, like all of that gets people to think about it
more often. And yeah, maybe there are those outliers; maybe you throw the book at them and say you have to do this for our audit or we're gonna be in big trouble. So there's many, many ways that you can address it. Yeah, that's a tough one, I don't know, maybe someone in here has it and we can keep this conversation going out in the hallway, because I think we're wrapping up. But thank you all for being here, I really appreciate it, I hope if you have questions you come talk to me afterwards. Thank you, thank you very much.