Baseline in Depth

The entire Layer 8 Security Baseline process provides an excellent base for a gap analysis of what human issues are being encountered now and what level of best practice we are aiming for. It also provides an excellent tool to plan the best methods of education, as well as what else needs to be done to address the human factor.

Behaviour, unlike awareness, is the ultimate objective of any campaign of this type. Creating awareness or delivering knowledge training alone won’t identify staff understanding of security principles, their attitudinal and cultural issues, their knowledge and understanding of the topics, or their motivation, moods, and emotive and ego-based concerns, all of which ultimately lead towards changes in their behavioural components.

The Baseline also provides us with an excellent tool to focus the training components where they are best needed. It’s like using a scalpel rather than a shotgun approach. We can identify the topics that should be addressed by department or, if needed, down to individual users. These areas of concern are broken down into three specific areas:

  • Knowledge – do your staff actually understand the information?
  • Attitude – what attitudinal contributors are being impacted by internal and external factors?
  • Behaviour – how are they behaving, and how would they behave in certain circumstances?

All these areas provide an invaluable tool and a subsequent report to ensure the maximum success of the program in reducing the human risk associated with security.

Baseline primary components

Social Engineering

  • Phishing
    1. Email
    2. SMS
  • Social Media
  • Wi-Fi
  • USB Drop
  • Phone Engineering

Physical

  • Confidential Document
  • Workspace
  • Secure storage
  • Parking lot security
  • Tailgating
  • Contractors
  • Password retention

Auditing and Testing

  • Human Pen test
  • Human Vulnerability Assessment
  • Vendor Assurance
  • Risk, Governance
  • Policy Analysis
  • Human Incident Response analysis
  • Dark web analysis
  • Help Desk analysis
  • Industry Threat Profile
  • Unauthorised Apps, devices, Wi-Fi
  • Lost / stolen devices
  • Infected / updated devices
  • Privileged user audit

Human Assessment

  • Users B.A.C.K.S Questionnaire
  • Corporate Threat Profile
  • Cultural Assessment


Social Engineering

Email Phishing Awareness using 401 campaign

  • Number of people who fall victim to an email phishing attack.
  • These attacks replicate the very same ones cyber attackers are using.
  • The goal is to measure who falls victim to such attacks.
  • Record how many opened the email, on which devices, who clicked, who entered PII, and who deleted it after clicking.
  • Number of people who detect and report an attack of any type.
  • The number of victims should decrease over time as behaviours change.
  • A metric of 20% improvement is desired after each educate-and-reinforce cycle.

Social Engineering

SMS Phishing Awareness

  • Number of people who follow the link within a faked SMS.
  • These attacks replicate the very same ones cyber attackers are using with SMS / text.
  • The goal is to measure who falls victim to such attacks.
  • Record how many opened the message, on which devices, who clicked, who entered PII, and who deleted it after clicking.
  • Number of people who detect and report an attack of any type.
  • The number of victims should decrease over time as behaviours change.
  • A metric of 20% improvement is desired after each educate-and-reinforce cycle.
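One way to turn the email and SMS campaign counts above (opens, clicks, PII entered, reports) into per-department rates and check the 20% improvement target between two educate-and-reinforce cycles. This is an added example, not part of the original baseline material; the department names and recipient results are constructed.

```python
from collections import defaultdict

TARGET_IMPROVEMENT = 0.20  # page's target: 20% better after each educate-and-reinforce cycle
FIELDS = ("open", "click", "pii", "report")

# Constructed sample data, not output of a real campaign. Each row is
# (user, department, opened, clicked, entered_pii, reported); CYCLE_1 is the
# first baseline run, CYCLE_2 the run after one educate-and-reinforce cycle.
CYCLE_1 = [
    ("u1", "Finance", 1, 1, 1, 0),
    ("u2", "Finance", 1, 1, 0, 0),
    ("u3", "Finance", 1, 0, 0, 1),
    ("u4", "HR", 1, 1, 0, 0),
    ("u5", "HR", 1, 0, 0, 1),
    ("u6", "HR", 0, 0, 0, 0),
]
CYCLE_2 = [
    ("u1", "Finance", 1, 1, 0, 0),
    ("u2", "Finance", 1, 0, 0, 1),
    ("u3", "Finance", 1, 0, 0, 1),
    ("u4", "HR", 1, 1, 1, 0),
    ("u5", "HR", 1, 0, 0, 1),
    ("u6", "HR", 1, 0, 0, 0),
]

def rates(results):
    """Per-department open, click (victim), PII-entry and report rates."""
    by_dept = defaultdict(list)
    for row in results:
        by_dept[row[1]].append(row[2:])
    out = {}
    for dept, rows in by_dept.items():
        n = len(rows)
        out[dept] = {"recipients": n}
        for i, name in enumerate(FIELDS):
            out[dept][name + "_rate"] = sum(r[i] for r in rows) / n
    return out

def improvement(before, after):
    """Relative drop in victim rate between two cycles; None if there was nothing to reduce."""
    return None if before == 0 else (before - after) / before

def gap_report(cycle1, cycle2, target=TARGET_IMPROVEMENT):
    """Flag departments whose victim (click) rate did not fall by the target share."""
    r1, r2 = rates(cycle1), rates(cycle2)
    report = {}
    for dept in r1:
        imp = improvement(r1[dept]["click_rate"], r2[dept]["click_rate"])
        report[dept] = {"click_before": r1[dept]["click_rate"],
                        "click_after": r2[dept]["click_rate"],
                        "report_after": r2[dept]["report_rate"],
                        "improvement": imp,
                        "meets_target": imp is not None and imp >= target}
    return report
```

Departments flagged with `meets_target` False are where the next round of training should be focused.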

Social Engineering

Social Media

  • Users Review
    1. Number of people who fall victim to a social media fraud
    2. Number of links clicked when a connection is made
  • Corporate Review
    1. Number of employees posting sensitive organizational information on social networking sites.
    2. Do extensive searches on sites such as Facebook, Twitter, Instagram and LinkedIn to ensure employees are not posting sensitive organizational information.
  • This is to identify who is aware of the mechanisms used by social engineers and criminals who falsify social media accounts.

Social Engineering

Wi-Fi

  • Simulated “free Wi-Fi”
  • Number of people who connect
  • How long they stay connected
  • Can their passwords be cracked?
  • Identify their activities

Social Engineering

USB

  • Number of people who inserted and clicked files on unidentified USB drives lying around
  • Who clicked on any file, and who sent the device back to the Help Desk
  • Many people won’t insert a blank USB drive, but once it is labelled as their organisation’s, people seem to trust it and look for what is on the drive. The USB drives are blank and labelled with the company logo.
  • Measurement is done by link identification and analysis of devices handed in for analysis

Social Engineering

Phone Social Engineering

  • Number of employees who can identify, stop and report a social engineering attack.
  • Phone call assessments.
  • Security team calls random employees, attacking them as a real cyber attacker would by attempting to social engineer the victim.
  • An example could be pretending to be a courier looking for someone within the organization.

 

Physical

Confidential Documents

  • Is there a confidential document management procedure?
  • Number of employees who properly follow data destruction procedures
  • Any digital devices that are disposed of (donated, thrown out, resold) may contain sensitive data. Check to ensure proper wiping procedures.
  • Check any rubbish bins or dumpsters for any sensitive documents that were not shredded.

 

Physical

Workplace

  • Number of employees who are securing their desk environment before leaving, as per organizational policy.
  • Number of employees who lock their screens when they leave their desks
  • Nightly walkthrough.
  • Security team does a walkthrough of organizational facilities, checking each desktop or separate work environment and looking to ensure that individuals are following organizational desktop policy.

 

Physical

Secure Storage

  • Number of unlocked secure storage containers
  • The number of files left on the desk at the end of the day, unsecured

 

Physical

Parking lot security

  • Number of employees who left their devices unsecured in their cars in the organization’s parking lot.
  • Do a physical walkthrough of the parking lot and identify any cars that have devices that are visible on a car seat.
  • While your organization’s parking lot may be a secured environment, this measures employee behaviours. If they are leaving unsecured or visible devices in their car at work, they are most likely doing it when they are off facilities, as well.

 

Physical

Tailgating

  • Attempting to follow others into the building
  • Ascertaining how far within the building the tailgating can achieve
  • Identifying if any network connections can be made whilst inside the building
  • Utilising building resources to engineer into other departments / companies

 

Physical

Contractors

  • Security team calls random employees, attacking them as a real cyber attacker would by attempting to social engineer the victim.
  • An example could be pretending to be a courier looking for someone within the organization
  • Or maybe a contractor saying that they must check the air-conditioning in the computer room

 

Physical

Password Security

  • Number of staff locations with passwords or confidential information written on Post-it Notes or pieces of paper left on the desk
  • Walk through to validate information
  • Security team does a walkthrough of organizational facilities, checking each work environment and looking to ensure that individuals are following organizational policy
  • Identify the staff who have trouble with their passwords and must write them down.

 

Auditing and Testing

Human Penetration Testing

  • To identify technical vulnerabilities visible externally or internally
  • Perform Human Penetration test, within guidelines to identify areas of risk with identifiable issues
  • Identify the threats and recommend remediation procedures, patching, etc. to remove the risk
  • Report with recommendations

 

Auditing and Testing

Human Vulnerability Assessment

  • Assess the vulnerability of particular staff who are of concern
  • Assessment of the human vulnerabilities as a process which defines, identifies and classifies the security holes (vulnerabilities)
  • Vulnerability analysis can forecast the effectiveness of proposed countermeasures and evaluate their actual effectiveness after they are put into use
  • Getting maximum benefit from a vulnerability assessment requires an understanding of your organization’s mission-critical processes and underlying infrastructure and applying that understanding to the results.
  • Report identifying the vulnerabilities, patches and remediation suggested

 

Auditing and Testing

Vendor Audit

  • Perform a vendor assurance review or audit to make sure the vendor is not placing the organisation at risk when it outsources services to third-party service providers.
  • Organizations which outsource parts of their business operations expect and rely on the vendor to manage risks associated with the outsourced activities. Such risks may be related to the privacy of sensitive customer data, security, unauthorized internal or external access, system functionality, availability of data for recovery purposes, and business continuity and disaster recovery plans.

 

Auditing and Testing

Wi-Fi Audit

  • Identify rogue access points and users utilising these
  • Staff circumventing corporate systems and policies
  • Audit security of organisation Access points
  • Secure passwords
  • Configuration audit and timeout analysis
  • Site survey
  • Security settings applied
  • Authentication and encryption validation
  • Management interfaces secured
  • SSID configured securely
  • Logging and Monitoring activities

 

Auditing and Testing

Policy Review

  • Ensure that a suitable Security Policy is in place
  • That the security policy lays out objectives, assigns various responsibilities, and provides direction to protect the organization’s critical information.
  • That the regulations and compliance mandates are addressed in the security policy, are in place, and contain a variety of critical security elements.
  • That the policy is easy to read and easy to access, and that policy changes are communicated accordingly
  • That the Security Policy works with users, not against them, and the policies are written in “plain English” and focus on brevity
  • Keep track of the policies in a centralized location
  • Change management of policies
  • That proper spelling and grammar are used
  • Ensure that every policy contains a revision and version information table
  • Ensure the policy accurately reflects the way the company currently conducts business
  • Ensure that the policy adequately deals with the issues it is intended to address
  • Ensure that the policies to be created address new business, human, technology and legislative requirements

 

Auditing and Testing

Incident Response

  • Pertaining to cyber incidents, suspicious activities and malware
  • Ensure that the Incident Response procedures are documented
  • That they are well communicated and that they are easy to understand
  • Ensure that they identify responsibilities
  • Validate that staff are reporting incidents and not ignoring them
  • Measurement would be to initially see an increase in reported incidents as staff start to follow the process, then a further increase as staff better identify the attacks.

 

Auditing and Testing

Help Desk Analysis

  • This follows on from the Incident Response audit
  • Identification of issues relating to:
    1. Incidents caused by staff in the previous 6 months
    2. Severity of incidents
    3. Breaches
    4. Remediation times of incidents
    5. Whether staff are reporting incidents before or after the incident has occurred

 

Auditing and Testing

Industry Threat Analysis

  • This audit identifies the organisation’s industry, its risk profile relative to that industry, and the organisation’s own risk profile
  • Industry profile
  • Relativity of customers to particular industry
  • Likert threat index

 

Auditing and Testing

Unauthorised devices / Data

  • Undertake an audit of:
  • Unauthorised applications – corporate and BYOD
  • Unauthorised devices – Wi-Fi, USB, camera, BYOD
  • Unauthorised data:
    1. Stored extensive amounts of personal information
    2. Stored confidential data on personal devices, without adequate MDM
    3. Actively involved with information about vulnerable persons
    4. Actively involved with sensitive information, such as racial and ethnic origin, political opinions, sexual orientation or criminal records
    5. The devices carry a risk of identity theft or financial harm
    6. The device carries a risk of harm to a person’s life, safety, liberty, reputation or livelihood.

 

Auditing and Testing

Lost Stolen Devices

  • Number of devices (laptops, smartphones, tablets) that were lost or stolen. What percentage of those devices were encrypted.
  • Reports to Help Desk or by physical asset audits.
  • Employees should be trained in maintaining physical security of their devices. In addition, if your organization has policies on the use of encryption for devices, this measures if employees are following them.

 

Auditing and Testing

Infected / non-updated devices

  • Percentage of devices that are updated and current. Looking at AV, OS updates etc.
  • Measure whether people are keeping their devices updated and current, especially when concerning BYOD (Bring Your Own Device).
  • Number of infected computers.
  • Help desk and centralized AV management software.
  • Most infected computers are a result of human behaviour (infected attachments, malicious links, etc.).
  • This number should go down over time as employees are trained.

 

Auditing and Testing

Privileged User Audit

  • Analysis of the privileged users: who has access rights, and to what?
    1. Executive
    2. Executive assistants
    3. IT
    4. Help Desk
    5. HR
  • What do they have access to?
  • Is access creep controlled?
  • Password sharing
  • EA / PA review

 

Human Assessment

User B.A.C.K.S Questionnaire

The B.A.C.K.S user questionnaire is a specially developed analytical tool designed to ascertain the critical components of your staff’s behaviour.

Behaviour, unlike awareness, is the ultimate objective of any campaign of this type. Performing awareness or knowledge training alone won’t identify staff understanding of security principles, their attitudinal and cultural issues, their knowledge and understanding of the topics, or their motivation, moods, and emotive and ego-based concerns, all of which ultimately lead towards changes in their behavioural components.

When the 4-minute B.A.C.K.S user questionnaire is undertaken by all staff, the results allow us to ascertain an accurate baseline measurement (where are we now), especially if this is combined with the results from other tests such as the corporate threat profile and the simulated social engineering attacks. This baseline provides an excellent base for a gap analysis of what human issues are being encountered and what level of best practice we are aiming for.

The BACKS user questionnaire also provides us with an excellent tool to focus the training components where they are best needed. It’s like using a scalpel rather than a shotgun approach. We can identify the topics that should be addressed by department or, if needed, down to individual users. These areas of concern are broken down into three specific areas:

  • Knowledge – do your staff actually understand the information?
  • Attitude – what attitudinal contributors are being impacted by internal and external factors?
  • Behaviour – how are they behaving, and how would they behave in certain circumstances?

All these areas provide an invaluable tool and a subsequent report to ensure the maximum success of the program in reducing the human risk associated with security.

 

Human Assessment

Corporate Threat Profile

  • The corporate-based Risk Assessment Questionnaire is to ascertain the corporate perspective towards humans and the possible impact this may have on staff behaviour
  • This is a checklist designed to identify and document the existence and status for a recommended basic set of cyber security controls (human, policies, standards, and procedures) for an organisation.
  • The questions asked here are used to identify any potential issue from a corporate perspective that may have an impact on the staff attitude, behaviour or culture.
  • Ascertain the corporate perspective towards staff and the possible impact this may have on their behaviour
  • The measurement of this questionnaire is to align with the user’s responses undertaken within the BACKS questionnaire and to identify any areas / gaps in the policies, controls and standards.
  • Ultimately, does Policy = Behaviour?

 

Human Assessment

Cultural Assessment

  • Cultural assessment of security culture, corporate culture, fear or reward culture, peer-group-encouraged culture, and top-down-driven culture.
  • To validate the impact the security and corporate culture is having on the attitudes and motivation of the staff
  • Broken down into the specific areas to identify any areas of concern.

 

Analysis

  • Analysis of the raw data of the relevant sections to build a profile of:
    1. Corporate issues
    2. Knowledge issues and focus areas
    3. Bad actors
    4. Educational requirements
    5. Cultural issues
    6. Motivational issues
    7. Changes required

 

Report

  • Encompass issues with:
    1. Departments
    2. Users
    3. Topics
    4. Risky behaviour
    5. Attitudes
    6. Motivations
    7. Culture

 

Planning

  • Planning encompasses the entire organisation, broken into departments, learning methods, measurement processes, outcome expectations, roadmap and journey for the upcoming period.