Penetration Testing mailing list archives
RE: Enterprise Trainaing Programs
From: "Michael Scheidell" <scheidell () secnap net>
Date: Sun, 11 Jun 2006 13:37:41 -0400
-----Original Message-----
From: mail () cybersekure com [mailto:mail () cybersekure com]
Sent: Monday, June 05, 2006 8:23 PM
To: pen-test () securityfocus com
Subject: Enterprise Trainaing Programs

Hello List,

I'm the Security Director for a large bank. After having several pen-tests and audits performed for me, I see that I need to do more training for my users. This is really apparent for phishing security knowledge...

My questions: What are other large companies doing for training of the user base?
Good question; this is the first step: acknowledging you have a problem. FBI stats show 65% of security breaches start internally. As a company that does those pen-tests and audits, some of the stories (without naming names) would curl your hair.

Doing the second audit, after remediation (PwC insisted on complex 8-character passwords changed every 45 days), I interviewed one of the clerks in charge of customer service for the bank's credit cards:

Q) How hard has it been for you to remember a complex password, now that you need to change it every 45 days?
A) Not hard at all, I have it written right here: (under keyboard) Microsoft1

Three points off :-(

This is the person who asks you on the phone "what is the last 4 of your social, what is your mother's maiden name" when you call. There is a pamphlet she mails out that warns credit card users not to write down their PIN code on the credit card. This isn't the worst!

/* Warning: self-serving marketing
If the GLBA safeguard rule of May 2002 says identify ALL internal vulnerabilities, doesn't this include users? http://www.glba.us
Microsoft developed a training program with 'media pro', with Richard Purcell, past Chief Privacy Officer with Microsoft. It's a web-based training program and, for VERY large banks, can be customized. It has several targets; you might want to check it out. We are a reseller, and I am sure one of our sales types would love to tell you all about it and arrange a demo. http://www.secnap.com/events.php?pg=15
*/
How often should this training take place? ( Refresher courses??? New hire training??)
New hires: immediately. Refresher for everyone that FAILS or causes a security breach ("I didn't know that the screen saver on s & M radio .com was a program! But it said my CLOCK was wrong and I should download it!").
How effective is CBT training of the user population using a LMS package?
Does EVERY company have some type of LMS training architecture?
No, but a lot more should.
Can you take an open-source LMS like Sakai, developed by MIT, and use it internally? What does this do for the GPL? What if you wanted to sell the product to other companies you own?

Basically, I'm trying to figure out the best method for training my user population and enforcing the security policies I have created... I think an LMS system might be the way to do it, but it looks like LMS may be used mostly by colleges and NOT corporations???

-MailMan

------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------
Current thread:
- Enterprise Trainaing Programs mail (Jun 05)
- Re: Enterprise Trainaing Programs Dietrich Heusel (Jun 07)
- Re: Enterprise Trainaing Programs Martin W. Freiss (Jun 07)
- Re: Enterprise Trainaing Programs killy (Jun 07)
- <Possible follow-ups>
- Re: Enterprise Trainaing Programs mikejones (Jun 07)
- RE: Enterprise Trainaing Programs Michael Scheidell (Jun 07)
- RE: Enterprise Trainaing Programs Christine Kronberg (Jun 08)
- RE: Enterprise Trainaing Programs Michael Scheidell (Jun 12)