Educause Security Discussion mailing list archives

Re: KnowBe4 Security & Awareness Training Feedback


From: Austin Bollinger <austinbollinger () GRCC EDU>
Date: Fri, 29 Mar 2019 10:25:53 -0400

I hear great things about KnowBe4 which may be a great hands-off option.
If you want a more affordable and flexible option as in free puppy that
takes a little extra work, read on.

It all comes down to what resources/tools do you have and is there
enough allocated time to make this work - the DIY phishing simulator and
training. We can thank open source contributions for making this more
realistic otherwise we would have to program a phishing simulator from
scratch - one already exists courtesy of Jordan Wright
( https://jordan-wright.com/)  from Duo Labs!

If you/coworkers are not afraid of or willing to learn certbot and
maybe basic Postfix then consider https://getgophish.com/ followed by
https://github.com/ILiedAboutCake/DirectoryPhish or use PowerShell
yourself to pull your own AD users out. Import into Gophish via csv
which is documented well over here
https://docs.getgophish.com/user-guide/building-your-first-campaign/importing-groups

Now you have the phishing simulator part done after ideally firewalling
off the admin panel (default port for admin is 3333).

Next step, get your phishing training in working order. Working with a
postsecondary facility, there is bound to be an LMS (Learning Management
System)! Good news is there is FREE SCORM compliant training for
phishing so you can even track grades on-prem. Head over to
https://cofense.com/cbfree-download-all/ and at the top left "CBT -
English (All Modules)" within you will find:
CBT_Advanced_Spear_Phishing_V4_HTML5.zip
CBT_General_Phishing_English_V4_HTML5.zip
CBT_Spear_Phishing_English_V4_HTML5.zip

Good luck and have fun whatever your choice is! If anyone has a
question, feel free.


Regards,
Austin Bollinger
IT Security Analyst
IT at Grand Rapids Community College
austinbollinger () grcc edu |
https://grcc.edu/informationtechnology/informationsecurity
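
The "use PowerShell yourself to pull your own AD users out" and CSV import step from the message above, as an added example that is not part of the original post or of the Gophish project. The function name `ConvertTo-GophishRow`, the `example.edu` domain and the sample accounts are hypothetical; the column headers are the ones Gophish's bulk-import CSV template uses.

```powershell
# Added example: shape directory accounts into a Gophish group-import CSV.
# Skips disabled accounts, accounts without a mailbox, addresses outside the
# institution's own domains, and duplicate addresses.
function ConvertTo-GophishRow {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User,
        # Assumption: only these mail domains belong in the campaign.
        [string[]]$AllowedDomain = @('example.edu')
    )
    begin {
        $seen = [System.Collections.Generic.HashSet[string]]::new(
            [System.StringComparer]::OrdinalIgnoreCase)
    }
    process {
        if (-not $User.Enabled) { return }                      # disabled account
        $mail = "$($User.mail)".Trim()
        if (-not ($mail -match '^[^@\s]+@([^@\s]+)$')) { return } # empty or malformed
        if ($AllowedDomain -notcontains $Matches[1]) { return }  # external address
        if (-not $seen.Add($mail)) { return }                    # duplicate
        [pscustomobject]@{
            'First Name' = $User.GivenName
            'Last Name'  = $User.Surname
            'Email'      = $mail
            'Position'   = $User.Title
        }
    }
}

# Constructed sample accounts so the function can be tried without a domain.
$sample = @(
    [pscustomobject]@{ GivenName='Ada';  Surname='Byron';  mail='ada@example.edu';   Title='Faculty'; Enabled=$true }
    [pscustomobject]@{ GivenName='Ada';  Surname='Byron';  mail='ADA@example.edu';   Title='Faculty'; Enabled=$true }
    [pscustomobject]@{ GivenName='Old';  Surname='Staff';  mail='old@example.edu';   Title='Staff';   Enabled=$false }
    [pscustomobject]@{ GivenName='Svc';  Surname='Backup'; mail=$null;               Title=$null;     Enabled=$true }
    [pscustomobject]@{ GivenName='Pat';  Surname='Vendor'; mail='pat@vendor.example'; Title='Contractor'; Enabled=$true }
)
$sample | ConvertTo-GophishRow |
    Export-Csv -Path .\gophish-group.csv -NoTypeInformation -Encoding UTF8

# Against a real directory (requires the RSAT ActiveDirectory module):
# Get-ADUser -Filter 'Enabled -eq $true' -Properties mail, Title |
#     ConvertTo-GophishRow -AllowedDomain 'yourdomain.edu' |
#     Export-Csv -Path .\gophish-group.csv -NoTypeInformation -Encoding UTF8
```

With the sample input only the first account is written; the resulting file is what gets uploaded through the group import page linked in the message.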


Neal O'Farrell <neal () SCHOOLEDINSECURITY ORG> 3/29/2019 9:30 AM >>>
I'm not in higher education but have known KnowBe4 for years and while their
products are highly regarded, they are also highly generic. Which
usually ends up diluting their effectiveness.

I think there's a good opportunity for an immersive awareness program
specifically tailored for the needs, challenges, and audiences of higher
ed.

A good start might be for people to chime in with what they feel they
need or are missing, and that current solutions don't provide. You can't
fill the gaps until you identify them.

Neal.

Neal O'Farrell
Schooled In Security
www.schooledinsecurity.org
neal () schooledinsecurity org
(925) 914 0248 (EST)

When we say "next generation security," we really mean it!


On Fri, Mar 29, 2019 at 9:15 AM Frank Barton <bartonf () husson edu>
wrote:


Jason, I would say that KnowBe4 suffers from the same industry problem -
they do try to make the content industry-agnostic (and to be honest,
while I'm not on the content side, I would like to see the ability for
some customization to make things more "us")

As to the "bending the truth", I'm not sure I would go that far. There
are some nuances that I think are missed, or things that might be a bit
'over-generalized' (which leads to the industry-agnostification).
Getting the balance right between "good - engaging content" and
"technical precision" in a field that is very rapidly changing can be
very difficult. On the whole, I think KnowBe4 gets the balance just
about right, and tries to make their content accessible to everyone, no
matter the technical skill level

We just pushed out our annual Security Awareness Training, and I would
say that the content was just about "high average" with a focus on
social engineering. 

Education is somewhat of an 'odd duck' when it comes to some of the
ITSEC problems that the industry sees. I wonder if maybe EDUCause should
work on creating either training content, or (as in a Logical OR) a
training platform to provide and track training that can be focused to
the challenges that we face in Higher Ed (Let's face it... how many other
businesses need to worry about SmartTVs, XBoxen, and the whole alphabet
soup of compliance every day in addition to having their customers
living on site?)



On Fri, Mar 29, 2019 at 8:57 AM Jason Fried <friedj () sunysuffolk edu>
wrote:


Good morning,
 
Common feedback – especially from faculty – for our current product is
that this is obviously not built for higher ed, but is more
industry-agnostic. Would those who have responded or will respond about KnowBe4
provide their thoughts on that, along with that ‘bending of the truth’?
Many thanks…
 
Regards,
 
Jay
-- 
Jason Fried
Information Security Officer
Information Technology Services
Suffolk County Community College
O: 631.451.4291 / M: 631.897.6064
@SuffolkITS
 
From: The EDUCAUSE Security Community Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Frank Barton
Sent: Friday, March 29, 2019 8:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] KnowBe4 Security & Awareness Training Feedback
 
Joshua,
Another "Hello from up in Maine" We are using KnowBe4 for both their
Phishing and user education. We have been happy with it, both from an
overall content perspective as well as from a management perspective.
 
I will echo what Chad said. Sometimes there are some "degrees" of truth
that might be lost, but overall I have been happy with the content.
 
Frank
 
On Fri, Mar 29, 2019 at 6:30 AM Chad Tracy <ctracy () bates edu> wrote:


Joshua,
 
Hello from up in Maine. Nice to see the weather finally getting better
up here. I PoC'd KnowBe4 a couple years back... in short, it came down
to price. I had used Knowbe4 for our Phishing platform, which I loved...
very easy to use and their support was very easy to work with and they
were always immediately available. The ISAT was very well presented but
I had issues with the content - meaning that I took a few of the
training modules and completed the quizzes for each module and I
actually got many of them wrong... What I know to be true with regard to
security and what they know to be true... well, we have varying
truths...lol. I felt that if I had heartburn over the content then I was
sure to have a ton of feedback from the community.
 
For what it's worth, I know of one other institution that is moving
away from Knowbe4 and back to SANS STH. 
 
**You heading to the Educause Security Conference this year? 
 
Best,
 
Chad
 
On Thu, Mar 28, 2019 at 4:19 PM Gomez, Joshua <J.Gomez () snhu edu>
wrote:


Hey There,
Are any other Universities currently a customer of KnowBe4? We are
currently considering them for our ISAT content provider but wanted to
get feedback from an actual customer in Higher Ed. If you feel more
comfortable messaging me directly, I can be reached at j.gomez () snhu edu.
Thanks in advance!
 
Joshua Gomez |Consultant, Information Security
Information Technology Solutions
 

 
-- 
Chad Tracy
Director of Information Security, Policy and Compliance
Bates College
207 786-6491

 
-- 
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University

 