July 22nd, 2004, 10:56 PM
User Security Training
Brought on by this thread
OK.... Let's give this a bash..... I have been thinking about this for a while....
Security seminars for my (L)users.
It's actually kind of mandated by HIPAA, (sort of), and it would be fun to do. The issues that have always been the "show-stoppers" have been the lack of interest/care/don't give a rat$ a$$ attitude that I am going to face from the user base. With that in mind I figured that there are certain things that I can/may be able to leverage to my benefit.
1. I can't do seminars for all the users at the same time, (I have too many).
2. If I make them mandatory from the start I will foster the "yawn" factor.
3. I have some people that will turn up and be enthusiastic.
4. If it's made fun/exciting enough then they can recommend it to the less interested users.
5. If I can show them the benefits for their home computers it will be more "listenable to".
6. Once I have exhausted the "interested" and "encouraged by the 'interested'" people mandating the rest would be easier.
7. Once I have a level of interest/participation it will be easier to gain "acceptance" of updates.
So, with those in mind, what suggestions for subjects/approaches/exercises would you try?
I have the following in mind while making the point that what I am demonstrating works exactly the same as a computer on the internet, protected by a firewall or not.
1. Off to the side run a projector that shows the real-time security-related syslog that I log 24/7, with a short explanation, so they can see what happens as it happens (they won't be able to read it - it will go past too fast - but that will add to the impact).
2. Show the different social engineering tactics used to get people to open viruses then open one on a private network and have a sniffer showing them the activity.
3. Have a machine loaded with spyware etc. and have someone try to work on it. Then run the tools to clean it and have the user run the same tasks a second time. (probably should do this first and run the tools while doing other things).
4. Connect to a custom web site and have it list the contents of the HD or something similarly "scary". Show how easy it is to accomplish.
5. Have some fun "hacking" a machine on the network, (yeah, I'll be logged in as a domain admin so it won't be real hard). I'd use PSTools for example.
6. Scan a firewalled box and an unfirewalled box with Nmap. Show how much information can be gleaned. Show them that the default open ports, (NetBIOS), can be connected to remotely with ease and what can be gleaned. Make the point that the firewalled box takes so much longer which "drives hackers away"....
7. Run a dictionary attack against a password file and discuss how to mess with the password crackers.
8. Discuss phishing and social engineering..... Maybe make a "play" out of it..... (with a staff member?).
I dunno.... I dunno what's good in there and what's bad ....
Suggestions are welcome and it might help others that would like to be able to do the same thing. In the end we may be able to come up with a "script" for a session. It needs to be kept _simple_, it needs to be able to "have impact" both personally and professionally, it needs to be relatively short to present and it needs to be fun to attend for everyone.
Any suggestions.... Sensible ones please.....
Have at it girls and boys......
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
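For the password demo in the list above (item 7), a policy check that undoes the same tricks a cracker's rule set undoes (leet substitutions, appended years and symbols, reversed words) gives the session a concrete "what passes" rule to end on. This is an added example, not code from the thread; the wordlist is constructed for illustration and a real check would load a full dictionary.

```python
import re

# Constructed wordlist standing in for a cracker's dictionary.
# A real audit would load something like /usr/share/dict/words.
WORDLIST = ["password", "welcome", "letmein", "summer", "raiders", "hospital"]

# Single-character substitutions that cracker rule sets try automatically,
# so they add no real strength to a dictionary word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Reduce a candidate to the dictionary word a cracker would find.

    Lowercase, drop leading/trailing digits and symbols (the '2004!' people
    append), then undo leet substitutions: 'p@ssw0rd2004!' -> 'password'.
    """
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return stripped.translate(LEET)


def check_password(password: str, wordlist=WORDLIST):
    """Return (ok, reason) for a candidate password under a demo policy.

    Policy (an assumption for this example): at least 12 characters, no
    dictionary word with trivial mutations, and at least three character
    classes unless it is a 20+ character passphrase.
    """
    if len(password) < 12:
        return False, "shorter than 12 characters"
    core = normalize(password)
    for word in wordlist:
        # Exact word, reversed word, or word after leet/affix removal
        if core == word or core == word[::-1]:
            return False, f"dictionary word '{word}' with trivial mutation"
        # Longer dictionary words embedded in the password are still weak
        if len(word) >= 5 and word in core:
            return False, f"contains dictionary word '{word}'"
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3 and len(password) < 20:
        return False, "fewer than three character classes"
    return True, "ok"
```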
July 22nd, 2004, 11:15 PM
Prove to them that you know what sites they visit!!!!!!
Visit a site; on the projector you show Ethereal pick up the GET request, and tell the audience that you run similar programs all day long, and you see WHAT the users look at, and WHO is looking at it. That'll stop the porno toolbars for good.
July 22nd, 2004, 11:18 PM
Give something that they can relate to in both the office and real life, like shoulder surfing and spyware. Maybe you can somehow show them how much information spyware can actually send out. The best scenario being having a custom script that sends out info from a "mock" workstation to another workstation.
As you can tell I am against spyware, since where I work they let them download a lot of "cute" things (Webshots, Comet Cursor, etc.). I like to make it a point that some of the most "invisible" and damaging code comes from games and things that look harmless.
Also maybe set up some user accounts with some easily crackable passwords that may be in the network (all of these made up but maybe one or two of them may have them) to stress the importance of strong passwords.
Basically, show them the power of the darkside and show them ways not to be a target.
July 23rd, 2004, 02:40 AM
Tiger, (I'm a certified card carrying RAIDERHATER, just thought you should know that)
To drive home a point on password policy, demo PWDUMP and John or L0phtCrack. Like your hacking demo they won't have to know about your dictionary, but don't make it too obvious. I saw this at SANS and it had SAs and IT folks talking for hours.
Also it might wake a few up to why you have all those other nasty policies???
"If you take a starving dog in off the street and make him prosperous he will not bite you, this is the principal difference between a dog and a man" - Mark Twain
July 23rd, 2004, 03:45 AM
Well, actually everyone has valid points, and in a work environment most business networks have grown out of need, not function. I have taken this approach: first, company policy; that old employee manual needs revision and it needs to be up front.
1. Every employee manual covers theft of company property. Then it must clearly state that any company data belongs to the company.
2. Usage of company equipment, and now that includes computers: they are not personal property but belong to the company, and as such the following things are in force.
3. No expectation of privacy in email, web surfing or the workstation's local drive, because all these records can be asked for in any legal matter and as a business must be provided.
To make a long story short, the employee manual where I work, as revised, reads:
All network activity is monitored 24/7 (twenty-four hours, seven days a week). If personnel are not present, logs keep a record that is reviewed daily. Logs or personnel may, if called for, monitor and do the following:
1. Remotely access your desktop to view activity.
2. Audit your system unannounced at any time.
3. By remote shut down or re-boot your system.
4. View any email content in your in-box and record all outbound or inbound email.
In short, the best bet is for the company to fully explain their position on computer usage up front and the extent of what they can look at.
Then begin to train the weakest link in the security chain, the users, and make them well aware that anonymous does not mean unknown.
I just placed a monitor that has a graphical interface showing all network connections, internal and external, in a window area that any employee can see as they walk by the server room. It also shows the names of the workstations, each of which has an employee name. I got to design mine: it's not in the basement but in the center of the main floor, and it has full windows so even what I do can be seen. I do not hide the IS department; we simply enable the business to operate. Don't let IT enforce things; let anyone see what you do and fellow employees will give them a hard time: "Say, such and such, we have a deadline and I'm working my butt off, and I walked past the server room and what were you bidding for on eBay... I thought you were part of the team."
I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure. - Glenn Seaborg
July 23rd, 2004, 04:48 AM
* Show them what could happen if they don't lock their console... using the unlocked PC, maybe a simple email sent to the president or supervisor telling them not so nice things about their breath. Ha ha. It will get people to notice, I guarantee it!
* Empower them to take action when they see a fellow employee doing something wrong. This isn't a witch-hunt or turning everyone into narcs or snitches... but tell them to ask the person not to do that. Or if serious, go straight to HR.
* Remind them there is no expectation of privacy, as others said here. Show how you can track their web surfing.
* Explain how they aren't anonymous on the Internet nor within your network. Show examples (like above): firewall logs, web proxy logs (if applicable), etc.
* Give lots of examples of the results of various incidents due to improper activities, e.g. the neighbor with the PC they had to reload due to virus infection, the worker who had their credit cards stolen due to a trojan on their machine from a bad website, the worker who lost important documents because of malware on their machine and spent 3 all-nighters to redo missed deadlines and thus the bonus or job promotion opportunity, etc.
Mostly showing exploitative actions and cause and effect, which is good.
Good thread here...I'm hoping to learn lots to help me teach my users as well.
July 23rd, 2004, 05:15 AM
Maybe you should take on a new job?
Travel from company to company scaring the hell out of their employees?
FUD works wonders... you see it all the time.
Your job could be something like this:
Before long... you'll have your own book.
You just have to give me a "free lunch" for the idea.
is a Firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
July 23rd, 2004, 08:24 AM
Tiger, I have found that the attention span of anyone that is not deeply interested in a subject to be about 30 seconds.
There are a couple of ways around this.
1. Humor -- keep them listening with a lot of jokes and pratfalls.
2. Tie the lecture to some personal dire consequence -- like death.
3. (and the best way) Show lots of cartoons and animations.
In several case studies, attendees at presentations retained most of the information handed to them via animations and cartoons. Including CEOs and upper management types.
Since it is not considered businesslike to use cartoons and such, visual graphics have become the mainstay of professional presentations.
"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
July 23rd, 2004, 02:11 PM
Just a short note, I would say the best way to get and keep their attention is to show them the worst case of each thing.
If it's leaving a console unlocked, show them what could happen, such as a rogue user copying financial records to a disk or viewing illegal content on the net in order to get them in trouble.
If it's writing their password on their monitor, show them what the janitors can do on the weekend to their computer.
People know it's bad to do these things but most don't know why or believe that it's too hard to do. Prove to them that it isn't.
July 23rd, 2004, 02:17 PM
I would be happy if users just took the 1st step in the right direction and locked their computer when they leave their desk. Once that is drummed in then we can start on password, email and Internet.
I have to say the way I managed to get a few people to understand was by sending emails from their computer when they had walked away. It had more impact on the people still at their desks when they suddenly saw how easy it was and they didn't want people sending from their name.
We fortunately have very strictly controlled Internet access and a mailsweeper; many users can't get into the situation where they might be installing or opening something they shouldn't be, but for all that we still have to drum the importance of it all into them. Too many users still consider a computer a "magic box" and until that is changed getting them to understand security is going to be very hard.
sorry for the rant - having a bad user day
I have plenty of thought and talent. I just don't give a damn