Penetration Testing mailing list archives
RE: Enterprise Training Programs
From: "Michael Scheidell" <scheidell () secnap net>
Date: Wed, 7 Jun 2006 07:21:11 -0400
Mike: glad you asked again. I replied once; maybe it was the bounce to the forged email address for the original poster, but I never saw my answer appear. (Posters: if you really want an answer, please use a REAL email address.) Yes, we all hate spam, but it is really rude to ask for an answer, then have one sent to you and have it bounce. I used to use a FORGED FROM address but a valid Reply-To address on UseNet (I would put a spamtrap in the From address). Would you believe spammers dumb enough to send spam to the MESSAGE ID because it looked like a valid email address? But I digress....
-----Original Message-----
From: mikejones () rapper com [mailto:mikejones () rapper com]
Sent: Tuesday, June 06, 2006 9:18 PM
To: pen-test () securityfocus com
Subject: Re: Enterprise Training Programs

I think this is a very valid post. The most common root cause for phishing is user awareness. Can anyone respond to this post?
My questions: What are other large companies doing for training of the user base?
Good questions, this is the first step: acknowledging you have a problem. FBI stats show 65% of security breaches start internally. As a company that does those pen-tests and audits, some of the stories (without naming names) would curl your hair.

Doing the second audit, after remediation (and PwC insisted on 8 char / 45 days, complex passwords), interviewing one of the clerks in charge of customer service for the bank's credit cards:

Q) How hard has it been for you to remember a complex password, now that you need to change it every 45 days?
A) Not hard at all, I have it written right here: (under keyboard) Microsoft1

Three points off :-(

This is the person who asks you on the phone "what is the last 4 of your social, what is your mother's maiden name" when you call. There is a pamphlet she mails out that warns credit card users not to write down their PIN code on the credit card. This isn't the worst!

/* Warning: self-serving marketing
If the GLBA Safeguards Rule of May 2002 says identify ALL internal vulnerabilities, doesn't this include users? http://www.glba.us
Microsoft developed a training program with 'Media Pro', with Richard Purcell, past Chief Privacy Officer with Microsoft. It's a web-based training program, and for VERY large banks, it can be customized. It has several targets; you might want to check it out. We are a reseller, and I am sure one of our sales types would love to tell you all about it and arrange a demo. http://www.secnap.com/events.php?pg=15 */
How often should this training take place? (Refresher courses??? New hire training??)
New hires, immediately. Refresher for everyone that FAILS, or causes a security breach ("I didn't know that the screen saver on s & M radio .com was a program", "But it says my CLOCK was wrong and I should download it!").