Security Culture

The ideas, customs, and social behavior of a particular people or society
that allows them to be free from danger or threats.

Metrics, a technical drill down


Daniel Andersson

Information Security Advisor and Consultant at CAPSAB
Daniel is a senior security manager in the banking and card industry; he has worked with PCI DSS since 2005 and has broad experience in implementing PCI DSS.

Daniel also has an IT engineering background, having worked with a broad selection of platforms and communication equipment.

Daniel is an ISACA Certified Information Security Manager (CISM), a PCI Professional (PCIP) and a certified Security Culture Practitioner.

We all see that the goal is one of the most important parts of a journey, but without a clear understanding of where we are at the moment it is hard to know how long the journey will take, or even in what direction it should start. In the Security Culture Framework we ensure that we have a clear understanding of where we are by defining metrics, which are used both to understand where we are and to measure whether we have reached our goal.

This blog post will be quite technical, to showcase what is possible when using technology to collect metrics on user behavior. Rest assured that not all metrics are this technical to collect, and this level of metrics may not be where you start your journey with the framework, so bear that in mind while reading on.

We need to identify where we stand in order to make plans to reach our goal.

Let's look at the scenario: Acme company has a policy in place that prohibits users from sending social security numbers (SSNs) via e-mail. It has been identified that not all users follow this policy, and it has been decided to use the Security Culture Framework to improve the security culture around SSNs. The first step is to identify how many e-mails containing SSNs are sent each month, and by how many different users.

Using Data Loss Prevention (DLP), software that identifies patterns in data transmissions, an automatic measurement is to be set up. In this blog post we will look at setting this up with MyDLP, which is available both as open source and as an enterprise edition; this lets you start with a free product and move to the enterprise solution if you see the value of the product. We will not use the product to block any traffic, as we intend to use other methods to ensure that users understand the importance of handling SSNs in a secure manner.

In this blog post we will not be able to cover all the steps to install and run the DLP solution; instructions for the basic setup are covered on the getting started page at https://www.mydlp.com/getting-started/. Make sure to configure the e-mail server(s) that forward mail from the internal mail server to external mail servers to route their e-mails via the DLP server. If needed, ensure that you have redundancy in the solution.

We will now specify one rule in the DLP software, with the following settings:

  • Rule channel: Mail Rules
  • Rule Actions: Log or Archive
  • Source: Any
  • Destination: Any
  • Information Type: Social Security Number

The above will create a rule that logs a match whenever the SSN pattern is found. As the software uses pattern matching, a hit may be a false positive, i.e. a combination of numbers and/or text formatted so that the software identifies it as an SSN when it is not actually one. If you choose the archive action, the administrator of the DLP solution can review all hits and determine manually whether each is a false positive or not.
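To make the pattern-matching and false-positive point concrete, here is an added example (not MyDLP's code, and not part of the original post) of the kind of check a DLP "log" rule performs on outgoing mail. It matches the 3-2-4 SSN shape, then applies the structural rules the US Social Security Administration publishes (area 001-899 excluding 666, group 01-99, serial 0001-9999) to discard tokens that cannot be SSNs, and masks whatever it logs so the log itself does not become a store of full SSNs. The sample messages, sender addresses and the plausibility helper are all constructed for this example.

```python
import re

# Constructed sample messages (not real e-mails). 123-45-6789 is a commonly
# used dummy SSN; the others are deliberately invalid or merely look-alike.
SAMPLE_EMAILS = [
    ("alice@acme.example", "Customer SSN for the onboarding form: 123-45-6789"),
    ("bob@acme.example", "Parts 000-12-3456 and 666-00-1234 are back-ordered"),
    ("carol@acme.example", "Invoice number 987-65-4321 is attached"),
    ("dave@acme.example", "Meeting moved to 10-30-2024, room 12-34"),
]

# Three groups of digits separated by hyphens, standing as a word on its own
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules published by the US Social Security Administration:
    area 001-899 excluding 666, group 01-99, serial 0001-9999.
    Anything else is a false positive by construction."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def mask_ssn(raw: str) -> str:
    """Keep only the last four digits, so that the DLP log (or archive)
    does not itself turn into a new collection of full SSNs."""
    return "***-**-" + raw[-4:]


def find_ssns(text: str):
    """Return (masked_match, plausible) for every SSN-shaped token in text."""
    return [(mask_ssn(m.group(0)), is_plausible_ssn(*m.groups()))
            for m in SSN_RE.finditer(text)]


def scan_emails(emails):
    """Mimic the 'log' rule action: one record per message with any match,
    flagging whether at least one match passes the plausibility check."""
    records = []
    for sender, body in emails:
        hits = find_ssns(body)
        if hits:
            records.append({
                "sender": sender,
                "matches": hits,
                "plausible": any(plausible for _, plausible in hits),
            })
    return records


if __name__ == "__main__":
    for rec in scan_emails(SAMPLE_EMAILS):
        status = "likely SSN" if rec["plausible"] else "false positive"
        print(f'{rec["sender"]}: {rec["matches"]} -> {status}')
```

Run as-is and the first message is flagged as a likely SSN while the invoice number and the two impossible area numbers are reported as false positives; the date and room number never match the shape at all. A real DLP product applies more context than this, but the two-stage approach (cheap shape match, then a validity check) is what keeps the administrator's review queue short when you choose the archive action.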

Using technology to block a behavior will not build a sound security culture.

As you see when you define the rule, you are able to block the outgoing e-mail to prevent SSNs from being sent, and it may be tempting to use this method instead of building a security culture. The only problem is that users are often smarter than technology and will find a way around the block function, which makes such a block a quick fix that only works for a short time. Your rule will now look like this:

(Screenshot: MyDLP rule for security culture blog entry)

You should always test your rule after implementation to ensure that it does identify SSNs; do this by sending a test e-mail with a fake SSN. If all is working, it is now time to sit back for a week or two while data is collected, giving you time to perform other security-related tasks.

After your selected measurement period you need to compile your data. This is done by collecting the data from the MyDLP web interface and exporting it to Excel: in the “Logs” section, enter the dates that you would like to collect logs for, press search and then export to Excel. In our demo environment this looks like this:

(Screenshot: MyDLP export picture for security culture blog)

Excel gives you endless possibilities to examine the data; for the basic metric you only need to count the number of log entries. For more analysis you could create pivot tables listing the top users who have been violating the security rules, which can be useful to identify departments that need more focus in security awareness.
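If you would rather script the metrics than build them by hand in Excel, the following added example (not part of the original post and not MyDLP's code) does the same work over an exported log: the monthly count of matched e-mails and distinct senders that the scenario asks for, the "top users" pivot, a roll-up to departments, and the month-over-month change you use to track whether the culture change is taking effect. The CSV content, its column names and the user-to-department mapping are constructed for this example; MyDLP's real export layout may differ, so read the header row of your own export and adjust the field names.

```python
import csv
import io
from collections import Counter

# Constructed sample export. The column names are an assumption for this
# example, not MyDLP's actual export layout.
SAMPLE_EXPORT = """\
date,rule,source,destination,information_type,action
2024-03-02 09:14,SSN mail rule,alice@acme.example,partner@example.net,Social Security Number,log
2024-03-03 11:02,SSN mail rule,bob@acme.example,vendor@example.org,Social Security Number,log
2024-03-03 15:40,SSN mail rule,alice@acme.example,partner@example.net,Social Security Number,log
2024-03-10 08:05,SSN mail rule,carol@acme.example,client@example.com,Social Security Number,log
2024-03-21 17:33,SSN mail rule,alice@acme.example,other@example.net,Social Security Number,log
2024-04-01 10:00,SSN mail rule,dave@acme.example,partner@example.net,Social Security Number,log
"""

# Constructed user-to-department mapping; in practice this comes from the
# directory or HR system.
DEPARTMENTS = {
    "alice@acme.example": "Customer Service",
    "bob@acme.example": "Finance",
    "carol@acme.example": "Customer Service",
    "dave@acme.example": "IT",
}


def load_export(csv_text: str):
    """Parse the exported log into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def monthly_metrics(rows, month: str):
    """The two baseline figures the scenario asks for: e-mails with an SSN
    match in the month (YYYY-MM) and how many distinct senders sent them."""
    month_rows = [r for r in rows if r["date"].startswith(month)]
    return {"emails": len(month_rows),
            "users": len({r["source"] for r in month_rows})}


def top_senders(rows, n: int = 3):
    """Equivalent of a pivot table on the source column, largest first."""
    return Counter(r["source"] for r in rows).most_common(n)


def by_department(rows, departments):
    """Roll matches up to departments to see where awareness work is needed."""
    return Counter(departments.get(r["source"], "unknown") for r in rows)


def change_percent(rows, before: str, after: str):
    """Relative change in matched e-mails between two months, the figure
    used to track whether the culture change is taking effect.
    Returns None when the baseline month has no matches."""
    base = monthly_metrics(rows, before)["emails"]
    later = monthly_metrics(rows, after)["emails"]
    if base == 0:
        return None
    return 100.0 * (later - base) / base


if __name__ == "__main__":
    rows = load_export(SAMPLE_EXPORT)
    print("March baseline:", monthly_metrics(rows, "2024-03"))
    print("Top senders:", top_senders(rows))
    print("By department:", dict(by_department(rows, DEPARTMENTS)))
    print("Change March -> April: %s%%" % change_percent(rows, "2024-03", "2024-04"))
```

On the constructed data this reports five matched e-mails from three users in March, one sender responsible for three of them, and Customer Service as the department with most hits; April's single match is an 80% drop against the March baseline. Note that the export itself contains the senders' addresses (and, with the archive action, the matched content), so keep the exported file under the same access controls as the DLP console.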

At this step you have your metrics and are able to enter the next module in the Security Culture Framework; most importantly, you have a good tool to easily measure your advancement in cultural change within this area.

The above solution can be applied to many other kinds of sensitive data than SSNs, such as credit card data, to ensure compliance with PCI DSS policies regarding e-mail and sensitive cardholder data.
