Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps

Skills of Five Groups of People Constantly Being Tested by Attackers

  1. End users are fooled via social engineering scams in which they are tricked into providing passwords, opening attachments, loading software from untrusted sites, or visiting malicious web sites.
  2. System administrators are fooled in the same manner as normal users, but are also tested when attackers attempt to trick them into setting up unauthorized accounts.
  3. Security operators and analysts are tested with new and innovative attacks introduced on a continual basis.
  4. Application programmers are tested by criminals who find and exploit the vulnerabilities in the code that they write.
  5. To a lesser degree, system owners are tested when they are asked to invest in cyber security but are unaware of the devastating impact a compromise and data exfiltration or alteration would have on their mission.

Any organization that hopes to be ready to find and respond to attacks effectively owes it to its employees and contractors to find the gaps in its knowledge and provide exercises and training to fill those gaps. A solid security skills assessment program can provide actionable information to decision makers about where security awareness needs to be improved, and can also help determine proper allocation of limited resources to improve security practices.
Training is also closely tied to policy and awareness. Policies tell people what to do, training provides them the skills to do it, and awareness changes behaviors so that people follow the policy. Training should be mapped against the skills required to perform a given job. If after training, users are still not following the policy, that policy should be augmented with awareness.

How to Implement, Automate, and Measure the Effectiveness of this Control

  1. Quick wins: Organizations should develop security awareness training for various personnel job descriptions. The training should include specific, incident-based scenarios showing the threats an organization faces, and should present proven defenses against the latest attack techniques.
  2. Quick wins: Awareness should be carefully validated with policies and training. Policies tell users what to do, training provides them the skills to do it, and awareness changes their behavior so that they understand the importance of following the policy.
  3. Visibility/Attribution: Metrics should be created for all policies and measured on a regular basis. Awareness should focus on the areas that are receiving the lowest compliance score.
  4. Configuration/Hygiene: Organizations should devise periodic security awareness assessment quizzes to be given to employees and contractors on at least an annual basis in order to determine whether they understand the information security policies and procedures, as well as their role in those procedures.
  5. Configuration/Hygiene: Organizations should conduct periodic exercises to verify that employees and contractors are fulfilling their information security duties by conducting tests to see whether employees will click on a link from suspicious e-mail or provide sensitive information on the telephone without following appropriate procedures for authenticating a caller.
  6. Advanced: Organizations should provide awareness sessions for users who are not following policies after they have received appropriate training.

Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls

AT-1, AT-2 (1), AT-3 (1)

Associated NSA Manageable Network Plan Milestones and Network Security Tasks

Training

Procedures and Tools to Implement and Automate this Control

The key to upgrading skills is measurement, not through certification examinations but through assessments that show both the employee and the employer where knowledge is sufficient and where the gaps are. Once the gaps have been identified, those employees who have the requisite skills and knowledge can be called upon to mentor the employees who need to improve their skills. In addition, the organization can develop training programs that directly fill the gaps and maintain employee readiness.

Control 9 Sensors, Measurement, and Scoring

Sensor: Policy
Measurement: For each policy statement, measure the overall compliance every month.
Score: Pass if the compliance for each policy statement is increasing, fail if it is decreasing for any statement for more than three months in a row.
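The scoring rule above, together with the Visibility/Attribution step of focusing awareness on the lowest-scoring policy statements, implemented as an added example (not part of the original control text). It assumes compliance is tracked as a list of monthly percentages per policy statement, oldest first; the statement names and figures are constructed, and a month with no change is treated as not decreasing.

```python
# Monthly scoring for Control 9's policy-compliance sensor (added example, not
# part of the original control text). Assumed input: each policy statement's
# monthly compliance percentages, oldest first; the sample data is constructed.
from typing import Dict, List, Tuple

FAIL_AFTER_MONTHS = 3  # more than this many consecutive monthly declines fails

# Constructed sample: four policy statements, five months of compliance (%)
SAMPLE_COMPLIANCE: Dict[str, List[float]] = {
    "Complete annual security awareness quiz": [71.0, 74.5, 78.0, 80.2, 83.9],
    "Report suspicious e-mail within one hour": [62.0, 60.5, 58.0, 55.1, 52.4],
    "Verify caller identity before disclosing data": [88.0, 90.0, 89.5, 87.0, 86.2],
    "Install software only from approved sources": [95.0, 95.0, 95.0, 95.0, 95.0],
}

def trailing_decline_months(series: List[float]) -> int:
    """Count consecutive month-over-month drops ending at the latest month."""
    streak = 0
    for i in range(len(series) - 1, 0, -1):
        if series[i] >= series[i - 1]:
            break
        streak += 1
    return streak

def score_policy(series: List[float]) -> str:
    """Apply the control's rule to one statement. Assumption: a flat month is
    not a decline; a decline still under the threshold is flagged 'watch'."""
    if len(series) < 2:
        return "insufficient data"
    if trailing_decline_months(series) > FAIL_AFTER_MONTHS:
        return "fail"
    if series[-1] < series[-2]:
        return "watch"
    return "pass"

def score_policies(compliance: Dict[str, List[float]]) -> Tuple[str, Dict[str, str]]:
    """Score every statement; the control fails if any single statement fails."""
    results = {name: score_policy(series) for name, series in compliance.items()}
    overall = "fail" if "fail" in results.values() else "pass"
    return overall, results

def awareness_priorities(compliance: Dict[str, List[float]]) -> List[str]:
    """Statements ordered by latest compliance, lowest first (where awareness goes)."""
    return sorted(compliance, key=lambda name: compliance[name][-1])

if __name__ == "__main__":
    overall, results = score_policies(SAMPLE_COMPLIANCE)
    print(f"Control 9 score: {overall}")
    for name in awareness_priorities(SAMPLE_COMPLIANCE):
        print(f"  {results[name]:>17}  {SAMPLE_COMPLIANCE[name][-1]:5.1f}%  {name}")
```

Running it against the constructed data reports an overall fail because one statement has declined for four straight months, while the statement with three declines is flagged for watching before it crosses the threshold.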