Pwning the hapless or How to Make Your Security Program Not Suck

Presented at BSidesLV 2014, Aug. 6, 2014, 3:45 p.m. (30 minutes).

Customer data is our business. Whether in the financial or healthcare industry, the root of our business is to safely house and transmit information to and from trusted parties. With the growing demand for increased access (in healthcare, from providers, employees, visitors and patients, from a variety of devices) and increased federal enforcement of privacy and security requirements under the new HIPAA Omnibus Rule, there is an ongoing challenge of ensuring that patient and customer information is adequately protected. Numerous breaches within both the healthcare and financial fields have involved lost or stolen unencrypted devices, but mistakes by employees continue to be the biggest security threat to all businesses. Even tech-based companies have been shown to be at risk from various social engineering attempts. Why do these breaches keep happening? How can you, as an IT professional, or merely as an employee concerned with the safety of your customers' data, help your business create useful prevention strategies that employees will pay attention to? How do you train your non-tech employees not to be susceptible to social engineering attacks? Emily, an insurance professional with ten years' experience working for 3 of the 5 biggest US disability insurance companies, and Casey, a Security Engineer with a history of working for commercial financial firms, will explore how unaware non-tech employees are of their own actions, and discuss useful training along with resource organization and allocation. We will walk through a few scenarios (the successful and the unsuccessful) and discuss what we have learned from human behavior and how it can apply to enforcing security policies or creating a culture of care. Technical solutions will not be discussed specifically, as the focus will be on employee awareness, education and how we can do better.
By working through a few scenarios that we have personally encountered, we will address the following topics:

  • "Why To Care"
  • Problems with people caring about security
  • Testing your people
  • Getting the peons out of the loop
  • Rewarding Security Efforts

Presenters:

  • Casey Dunham
    Casey Dunham is currently a Security Engineer with Bigelow Laboratories in Booth Harbor, ME. He also runs his own security consultancy, Gnosis Security, Inc. His InfoSec history includes working for commercial financial firms and volunteering at numerous regional and national InfoSec Cons. He is the point of contact for DC207 and a member of PWM TOOOL.
  • Emily Pience
    Emily Pience is currently a Clinical Innovation Specialist with [redacted name of major American health and medical insurance company]. She has never worked in InfoSec but was raised by an Electrical Engineer in the cable industry, and believes herself to be a bastard of the engineering / InfoSec / modern Technology fields. She has worked for 3 of the 5 top disability insurance companies in the US and is working on her MS in Social Work. She is a member of PWM TOOOL and a founding supporter of I Am The Cavalry movement.
