Re: Free Security Awareness Resources

[Jimi Thompson <jimit () myrealbox com>]

As someone who does pen-testing, I can personally vouch that it's a 
_LOT_  easier to dial up to the receptionist and say something like "Hi, 
I'm Jane from IT and we're having a problem with your account.  Can you 
give me your user name and password?" than it is to brute force an 
account on a box somewhere.  Your odds of having it work the first time 
undetected go up astronomically. For those of you unfamilar with the 
process, just to have a valid account, even an unprivledged one, shaves 
hours off the process.  Once I'm in, even as the lowly "Guest", I can 
always raise my level of privledge to something useful.   Go Google on 
"getadmin.exe". 


On the flip side of this, we've also been able to mitigate two attacks 
because our phone staff have been trained and are aware of this type of 
technique.  They know when to alert us and we can either assume control 
of the call or offer real-time guidance on how to respond to the caller.
That allows us to offer up mis-information.


2 cents

Jimi


Gideon Rasmussen, CISSP, CFSO, CFSA, SCSA wrote:

> About a year ago I came to the conclusion that the threat of social 
> engineering has increased due to a recent focus on systems security 
> (e.g. firewalls, OS hardening, IDS, etc.). In other words, hackers may 
> consider it easier to gather information through a few phone calls and 
> complain to the help desk that they can't get in through VPN. The best 
> way to defend against social engineering is a solid security awareness 
> program 
> (http://www.cyberguard.com/news_room/news_newsletter_030926threatwithin.cfm). 
>
>
> As you probably know, security tips are a key component to an 
> awareness program. I have authored 19 security awareness tips written 
> with the average person as the intended audience 
> (http://www.gideonrasmussen.com/sectips). The current topics are 
> listed below. The site is free to download. I periodically update the 
> content with new tips.
>
> I have also established the security-awareness group 
> (http://groups.yahoo.com/group/security-awareness). You may find it of 
> interest. Membership has grown to over 500 members and posts are 
> regularly flowing in.
>
> If you have any questions or comments, please let me know. Thank you.
>
> Kind Regards,
>
> Gideon
>
> Gideon T. Rasmussen
> CISSP, CFSO, CFSA, SCSA
> Boca Raton, FL
> gideon () infostruct net
>
> Viruses
> Passwords
> Workstation security
> Clean desk policy
> Continuity
> Destruction of sensitive materials
> Photography
> Systematic removal of accesses
> Laptops
> Home computers
> Don't be afraid to say no
> Electronic devices
> Piggybacking and tailgating
> Operations security
> Backup your data
> Security incidents
> Business continuity
> Rogue wireless networks
> Visitor Escort
>
>
>
> --------------------------------------------------------------------------- 
>
> ---------------------------------------------------------------------------- 



---------------------------------------------------------------------------
----------------------------------------------------------------------------