Network Security Security-Management

Re: Seeking user training techniques

Subject: Re: Seeking user training techniques
Date: Tue, 27 Sep 2005 20:36:44 +0400


Hello Folks,


Volker, live training... excellent idea, but it may not work in all
cultures; certainly not here in the Middle East.

The problem with security education/awareness is that it is a very dry
subject. In order to increase staff's span of attention you need to
spice it up with a bit of humour. I remember John Cleese (he of Monty
Python fame) used to produce a series of business management videos with
titles like "How to conduct a meeting", "Customer care" etc. Again very
dry subjects, but because of the humour he injected into them, the concept
and message remained well after the awareness session was over.

As an example, take a video of your organisation's CEO walking about the
company premises without an ID badge and get a janitor to stop him and
tell him off for not wearing the badge. Make it funny and see how that
goes down with the staff.

Cheers

-- 
-------------------------------------------------------
Abdul Aleem Sayed, CISSP
Information Security Team
Emirates Telecommunication
PO Box 3838
Abu Dhabi
United Arab Emirates
Tel:     + 971 2  6184957
Mobile:  + 971 50 6625844
Fax:     + 971 2  6316774

pgp key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB7E30D4F

-------------------------------------------------------- 



On Mon, 2005-09-26 at 21:56 +0200, Volker Tanger wrote:
Greetings!

On Sat, 24 Sep 2005 21:39:51 +0530
Pranav Lal <pranav.lal@gmail.com> wrote:

 I have been thinking about including some games or simulation
 exercises in the training to reinforce the material that has been
 taught. Does anyone have any ideas on what I could include?

It seems the only idea working is to keep them in "live" training. 

I hear a story said to have happened at Anderson in New York: in the
"hoteling" office they usually had ~500 of the ~4000 consultants working
at a time, with people always changing office seats. And 50 laptops
stolen each year and more PDAs and cellphones. Issuing a security policy
to lock away equipment when leaving the place did not help at all,
neither did security training.

What they did is to hire 2 people that had to "steal" equipment not
properly watched/guarded. The employees only got "their" stuff back
against a (longer) security briefing and a "voluntary" donation to one of
some selected charities. As a result the number of laptops lost dropped to
single digit numbers.

Unforeseen side-effect: the consultants got to know each other much
better, and the work climate soared compared to pre-thief times. To make life
simpler, now even the "only-here-for-1-2-days" ones introduced themselves
(and their projects) to colleagues in the same office. And colleagues
knowing each other (and knowing the permanent danger of someone
"securing" left equipment) have an eye on each other's stuff when
someone leaves, e.g. for the gents' room...   ;-)

Similar things can be done in other areas, too: sending probes out in the
form of greeting cards or other "cool" stuff (executables, of course).
When run, these report back who ran them - and the culprit's email
account is suspended until an extra security briefing. Walking around in
the lunch break can detect workstations left but not locked (resulting in a
locked user account until briefing). If storage of files on local PCs is
forbidden, IT can "update" (exchange) hardware randomly without warning
to the user - there is by definition no data on the workstation, is
there? Of course the "old" PC is kept in the old state for a few days, just
in case...

Common to all these is that you need the backing from top management. As
soon as you have to start making exceptions, you won't be able to do
anything any more. And the exceptions usually are the most vulnerable
DAU ones (e.g. top management itself). 

The advantage is that you usually can combine these continuous tests
with tasks that have to be done anyway or that can be easily automated:
sending random probes can be done automatically; exchanging workstations
is simultaneously perpetual inventory and hard-/software upgrade. Plus
you can cut down security training, as users are kept on guard and only
those proven to be in need of training (culprits caught as above) have
to be re-trained.

Do not forget to add in the positive side-effects (any broken PC can be
replaced from the "update" pool in 5 minutes, the possibility to work from any
workstation, energy saving through (locking) screen savers) that
increase efficiency and the we-are-well-cared-for feeling among the
employees, and that's even easier to sell to management...   ;-)

Bye

Volker


