Security Basics mailing list archives

Re: Security demonstrations


From: fddi_sent () yahoo com
Date: 13 Mar 2008 07:57:21 -0000

I agree with the notion of providing security demonstrations in the work place, but would it be more wise to perform 
more security awareness trainings versus potentially enlightening your users on how to tap into each others emails via 
session hijacking?  If you are the info sec guy responsible, you may be creating more work for yourself.

I too have thought about showing my users the power of open source tools to show how vulnerable networks could be, but 
I decided against it because of potential abuse.  Sure, users can find this information all day long on the Internet; I 
just would rather not find myself in a room during an investigation only to hear "He was the guy that showed us how to 
do it".  

One suggestion that may be a decent compromise, but not as jaw-dropping, is demonstrating basic Google hacking 
techniques.  Again, not jaw-dropping, but what you can do is make it into somewhat of a game. Google hacking techniques 
are basic but can yield good information about a particular site.  When you couple the basic techniques along with 
creativity, you can find a wealth of information about your own site that you did not know was available.  

Make the training interactive and give prizes to your users that end up finding information on your site that you did 
not know was publicly available.   This creates additional sets of eyes looking at your organization's information 
assets at a very low cost.  It also makes your users aware of simple techniques available to all users and at the same 
time reinforces the notion that security is everyone's responsibility, not just the IT staff. 

Good Luck!
fddi_sent

