Five groups of people are frequently being tested by attackers:
1. End-users are fooled via social engineering scams in which they are tricked into providing passwords, opening infected attachments, loading software from untrusted sites, or visiting malicious web sites.
2. System and network administrators may be fooled in the same manner as normal users (and are often targeted because of their elevated privileges), but they are also tested when malicious software is operating on their systems and they may or may not see evidence of the infection and when they are unaware of vulnerabilities in software they have implemented allowing systems under their control to be compromised.
3. Security operators and analysts are tested with new and innovative attacks introduced on a continual basis. This requires that they upgrade their defenses, but they are often unaware of the new risks and of new defensive capabilities and techniques available to them.
4. Programmers are tested by criminals who find and exploit the vulnerabilities in the code that they write and engineers are tested by people searching for security flaws in their designs.
5. To a lesser degree, system owners are tested when they are asked to invest in cyber security but are unaware of the devastating impact a compromise and data exfiltration or alteration would have on their mission.
A constantly updated security awareness and education program for all users is important, but it will not stop determined attackers. Most determined adversaries will be stopped by effective implementation of the other Critical Controls, but some will slip through fissures in the security program. Skilled employees are essential for implementing and monitoring those Controls, for finding those attackers that get through the defenses, and for developing systems that are much harder to exploit. The most important mission-critical security jobs for most organizations, as identified by the 2012 Task Force on Cyber Skills established by the Secretary of Homeland Security, are as follows: (1) system and network penetration testers, (2) application penetration testers, (3) security monitoring and event analysts, (4) incident responders in-depth, (5) threat analysts/counter intelligence analysts, (6) risk assessment engineers, (7) advanced forensics analysts, (8) secure coders and code reviewers, (9) security engineers - operations, and (10) security engineers/architects who build security in.7
These task are so mission critical that organizations that do not execute them effectively often suffer dire consequences, including theft of critical data, corruption of sensitive information, major system outages, and, increasingly, actual destruction of systems, For any organization with high-value systems and information, effective skills development in these 10 job areas are an essential step to ensure that the right people with the right skills are in place.
Training is also closely tied to policy and awareness. Policies tell people what to do, training provides them the skills to do it, and awareness changes behaviors so that people follow the policy. Training should be mapped against the skills required to perform a given job. If, after training, users are still not following the policy, that policy should be augmented with heightened efforts to ensure that users are aware of and understand it.
1. Quick wins: Perform gap analysis to see which skills employees need and which behaviors employees are not adhering to, using this information to build a training and awareness roadmap.
2. Quick wins: Deliver training to fill the skills gap. If possible, use more senior staff to deliver the training. A second option is to have outside teachers provide training onsite so the examples used will be directly relevant. If you have small numbers of people to train, use training conferences or online training to fill the gaps.
3. Quick wins: Implement an online security awareness program that (1) focuses only on the methods commonly used in intrusions that can be blocked through individual action, (2) is delivered in short online modules convenient for employees (3) is updated frequently (at least annually) to represent the latest attack techniques, (4) is mandated for completion by all employees at least annually, and (5) is reliably monitored for employee completion.
4. Visibility/Hygiene: Validate and improve awareness levels through periodic tests to see whether employees will click on a link from suspicious e-mail or provide sensitive information on the telephone without following appropriate procedures for authenticating a caller; targeted training should be provided to those who fall victim to the exercise.
5. Configuration/Hygiene: Use security skills assessments for each of the mission-critical skills to identify skills gaps. Use hands-on, real-world examples to measure mastery. If you do not have such assessments, use one of the available online competitions that simulate real-world scenarios for each of the identified jobs in order to measure skills mastery.
AT-1, AT-2 (1), AT-3 (1)
The key to upgrading skills is measurement through assessments that show both the employee and the employer where knowledge is sufficient and where there are gaps. Once the gaps have been identified, those employees who have the requisite skills and knowledge can be called upon to mentor employees who need to improve their skills. In addition, the organization can develop training plans to fill the gaps and maintain employee readiness.
7 The Task Force on Cyber Skills report is available at http://www.dhs.gov/homeland-security-advisory-council-hsac#3.