Is your company security aware
Presentation Transcript

Is Your Company Security Aware?

Presented By:

Brian Picard GSEC

Personal Background

  • Progressive Insurance – Security Architect

    • 10 Long Years ( 6 years in Identity/Security )

    • GIAC – GSEC Certified

    • Wide range of background experience ( ie Server Administration, Networking, Development, Identity, and Security Architecture )

  • Private Consulting – Anything Technical

    • 9 Year ( 4 years in Identity/Security )

    • Network Development

    • Server Implementations

    • Custom Development

    • Security Consultations and Instruction


  • Security Awareness Program

  • Security Effort Statements

  • Sample Security Awareness Efforts

    • Social Engineering

    • Public Information Gathering

    • Development Challenges

    • Physical Security Awareness

    • Adjacent Risks

    • Other Samples

Security Awareness Program

This should not be done as a group activity.

  • Definition: This describes where your company’s security awareness is focused and gives a rough outline of the scope.

  • Efforts: This describes what efforts will be made to meet your goals.

  • Timeframe: This defines how long your company will follow this initiative before re-evaluating its position.

Security Effort Statement

These need to be done as a group activity.

  • Objective: Goals, Scope (In AND Out), Gaps

  • Target Audience: Intended Targets, Depth Of Technical Knowledge

  • Actions: Mediums of Delivery, Durations, Required/Optional

  • Additional References: Other Sources Of Information

  • Measurements: Verification On Success

Sample Security Efforts (Social Engineering)

  • Objective: To inform employees about social engineering and to give them the ability to professionally deal with a suspected social engineer. The scope will include social engineering applied to phones, emails, and physical entry to the buildings.

  • Target Audience: All company employees.

  • Actions: Company-wide webcast about social engineering, including a definition, common real-world examples, and ways to deal with suspected social engineers.

Sample Security Efforts (Social Engineering) (cont.)

  • Additional Resources:

  • Measurements:

    • A company-wide web test administered 6 months after the training is completed.

    • Random social engineering attempts carried out by outside consultants.

Sample Security Efforts (Public Information Gathering)

  • Objective: To inform employees about public information gathering. The scope includes web and verbal content shared with individuals inside and outside the company.

  • Target Audience: The target for this security effort is Web Content Analysts and Point Of Sale employees.

  • Actions:

    • An internal, web-based "find the information" game. This game will include potentially critical company information hidden on a typical-looking company web site.

    • An internet scavenger hunt for public information on companies, with explanations of how this information could be useful to an outsider.

Sample Security Efforts (Public Information Gathering) (cont.)

  • Additional Information:

  • Measurements:

    • Post assessment of the Information Gathering game.

    • Internet scavenger hunt to gather required pieces of information about companies based on their corporate web site.

Sample Security Efforts (Development Challenges)

  • Objective: To inform developers of the potential problems with unsafe coding practices. The scope of this will include cross-site scripting (XSS), SQL injection, and improper input validation.

  • Target Audience: Web developers who work on an external-facing application.

  • Actions: This effort will be comprised of a progressive set of challenges covering the above-mentioned topics. After each challenge, some hints will be given to help solve the next round of problems.

Sample Security Efforts (Development Challenges) (cont.)

  • Additional Resources:

  • Measurements:

    • The completion of the required challenges within a designated time frame.

    • The completion of a follow-up set of challenges, different from the first, six months after completion of the previous round.

    • Bug tracking for reported SQL injection, XSS, and input validation issues.
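To make the three challenge topics concrete, the following is an added example (not material from the presentation or its author) showing, for each topic, a vulnerable function next to its hardened form, in the shape a first-round developer challenge might take. The user table, the hostile inputs and every function name are constructed for illustration; the hardening techniques themselves (parameterized queries, output encoding, allow-list validation) are the standard ones.

```python
"""Vulnerable/hardened pairs for the three Development Challenges topics
(SQL injection, XSS, improper input validation). Added example, not from
the presentation; all names and sample data are constructed."""
import html
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "analyst"), ("bob", "admin")],
    )
    return conn


# --- Challenge 1: SQL injection -------------------------------------------
def lookup_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the untrusted value is spliced into the SQL text, so the
    caller controls the query structure, not just the compared value."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: a bound parameter keeps the value as data only."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# --- Challenge 2: cross-site scripting -------------------------------------
def greeting_unsafe(display_name: str) -> str:
    """Vulnerable: untrusted text is placed in HTML without encoding."""
    return f"<p>Welcome, {display_name}!</p>"


def greeting_safe(display_name: str) -> str:
    """Hardened: HTML-encode at output time so markup characters stay
    literal text in the browser."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}!</p>"


# --- Challenge 3: input validation -----------------------------------------
# Allow-list: lowercase identifier, 3 to 32 characters (constructed policy).
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(value: str) -> bool:
    """Reject anything outside the allow-list instead of trying to strip
    'bad' characters, which is the usual improper-validation mistake."""
    return USERNAME_RE.fullmatch(value) is not None


def demo() -> dict:
    """Run each pair on one benign and one hostile input (constructed) and
    return the observable differences for review."""
    conn = make_db()
    hostile_sql = "x' OR '1'='1"
    hostile_html = "<script>alert(1)</script>"
    return {
        "sql_unsafe_rows": len(lookup_user_unsafe(conn, hostile_sql)),
        "sql_safe_rows": len(lookup_user_safe(conn, hostile_sql)),
        "html_unsafe": greeting_unsafe(hostile_html),
        "html_safe": greeting_safe(hostile_html),
        "valid_alice": validate_username("alice"),
        "valid_hostile": validate_username(hostile_sql),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the point each challenge round is meant to teach: the spliced query returns every row while the parameterized one returns none, the encoded greeting keeps the tag as literal text, and the allow-list rejects the hostile string outright. The same three pairs map directly onto the bug-tracking measurement above, since each reported issue of that class is a case where the "unsafe" form shipped.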

Sample Security Efforts (Physical Security Awareness)

  • Objective: To inform employees about the potential problems caused by lax physical security. The scope for this shall include only entering the building.

  • Target Audience: All employees with badges.

  • Actions:

    • An online bulletin explaining the problems and statistics around unauthorized individuals.

    • Movable plaques mounted around badging stations explaining that every person should swipe their own badge and that those attempting to tailgate should be questioned.

Sample Security Efforts (Physical Security Awareness) (cont.)

  • Actions (cont.):

    • Rotation of entry staff to encourage the requirement of swiping and diminish the likelihood of known employees being allowed to enter without a swipe.

    • Colorful posters or cutouts moved around the company encouraging employees to swipe for their own entry and to question others attempting to enter on their swipe.

  • Measurements:

    • Trending on the number of unauthorized people in the buildings.

    • Trending on the number of card swipes per day.

Sample Security Efforts (Adjacent Risks)

  • Objective: To inform all company employees who work on external data transactions with other companies about extended security threats.

  • Target Audience: Any employee who works on external data transactions.

  • Actions: A Web Based Training (WBT) that explains the potential problems and the history of known problems around network extensions.

  • Measurements: A post assessment of the content covered in the WBT.

Sample Security Efforts (Other Samples)

  • Security Informational Sessions

  • Security Posters

  • Security Bulletins

  • Data Classification Awareness

  • Phishing

  • Source Code Management

Final Thoughts

  • Publish Your Security Awareness Statement

  • Trust but Verify Completion of Efforts

Recap And Personal Contact Information

  • Recap

  • Contact Info:

