Security Basics mailing list archives
Fwd: Security Awareness inhouse - Tips and Tricks?
From: "kevin fielder" <kevin.fielder () gmail com>
Date: Wed, 11 Apr 2007 14:14:44 +0100
Hi,

We are currently going through a similar process and are looking at the best ways to improve security awareness. One of the ideas we have is to try and make the training relate to the users' lives, so:

- highlight how phishing could lead to their personal eBay account becoming compromised,
- disclosing passwords could allow a fraudster to use their bank account,
- leaving sensitive documents lying around could mean someone reading their performance review,

etc.

I would not think most non-technical users will be that interested in hacking demonstrations, and these, while interesting to us, won't really help improve their awareness of general security.

I'd suggest covering your company's policy briefly, then break it down into specific areas such as:

- Email security - as well as spam and phishing etc., this can cover off what is acceptable use.
- Web security - again acceptable, sensible use; highlight only visiting sites you trust, and ensuring the URL looks as you expect it to, etc.
- Physical security - watch for shoulder surfing, check people's ID cards, accompany guests at all times, lock laptops to desks, etc.
- AV - cover not opening unknown files, being suspicious of unexpected email even if it appears to come from a known source, not installing any unknown or unapproved software, etc. It's likely that AV will be touched on in the email and web sections, but it's such a hot topic that I think it's worth a section of its own.
- Out of office - this covers both how to look after themselves and the business's equipment when travelling, but also things like not disclosing unnecessary information in the email out-of-office reply.

I'm sure you'll think of loads more once you get going!

As well as talking to all current employees, you should try to get some security awareness added to any induction programs your company has, to catch new employees immediately.

Another method is to have some form of periodic training, such as a brief online course with a quiz at the end.

Cheers
Kevin

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Petter Bruland
Sent: 10 April 2007 18:35
To: WALI; security-basics () securityfocus com
Subject: RE: Security Awareness inhouse - Tips and Tricks?

Good luck! :-)

Make sure you have a good IT policy in the Employee Handbook, so that the employees sort of know what they can and cannot do at work. Make sure you speak their language, and don't use any technical terms; that's when they start drifting off. If you can find a "fun" way to tell them about certain vulns, hacks etc., that will help keep them focused. Showing them how an intruder is able to break in might be cool, but I don't believe that it will help you get the point through to them.

Anyway, good luck!

-Petter

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of WALI
Sent: Saturday, April 07, 2007 9:30 AM
To: security-basics () securityfocus com
Subject: Security Awareness inhouse - Tips and Tricks?

So, part of my new job profile is to undertake security awareness training within our (over a dozen) departments, ranging from mechanical engineers to civil and telecommunications, HR, finance, etc. The maximum slot that I can squeeze from their heads of department (attendance to be made mandatory) would be about 60 minutes.

I have set up a website (intranet) with the latest threats and FAQs (like, is my online browsing monitored, etc.), but for this 60-minute session I was wondering what the best ways are to make it engaging and interesting for these non-IT guys, so that they return next time. Would Bluetooth hacking, password sniffing etc. hold them to their seats? A phishing demo, credit card fraud, etc.?

Can anyone help me with stuff to go about it? All and any inputs are appreciated, for I know there would be lots of guys around here who have been there and done that, but this would be my first time.

Regards
Current thread:
- Security Awareness inhouse - Tips and Tricks? WALI (Apr 10)
- RE: Security Awareness inhouse - Tips and Tricks? Petter Bruland (Apr 10)
- RE: Security Awareness inhouse - Tips and Tricks? lalit.gupta (Apr 11)
- Message not available
- Fwd: Security Awareness inhouse - Tips and Tricks? kevin fielder (Apr 11)
- RE: Security Awareness inhouse - Tips and Tricks? Murda Mcloud (Apr 12)
- RE: Security Awareness inhouse - Tips and Tricks? Petter Bruland (Apr 10)
- <Possible follow-ups>
- Re: Security Awareness inhouse - Tips and Tricks? security (Apr 11)
- Re: RE: Security Awareness inhouse - Tips and Tricks? icsdm05028 (Apr 13)