-
User Security Training
Brought on by this thread
OK.... Let's give this a bash..... I have been thinking about this for a while....
Security seminars for my (L)users.
It's actually kind of mandated by HIPAA (sort of), and it would be fun to do. The issues that have always been the "show-stoppers" have been the lack of interest/care/don't-give-a-rat$-a$$ attitude that I am going to face from the user base. With that in mind I figured that there are certain things that I can/may be able to leverage to my benefit.
1. I can't do seminars for all the users at the same time, (I have too many).
2. If I make them mandatory from the start I will foster the "yawn" factor.
3. I have some people that will turn up and be enthusiastic.
4. If it's made fun/exciting enough then they can recommend it to the less interested users.
5. If I can show them the benefits for their home computers it will be more "listenable to".
6. Once I have exhausted the "interested" and "encouraged by the 'interested'" people mandating the rest would be easier.
7. Once I have a level of interest/participation it will be easier to gain "acceptance" of updates.
So, with those in mind, what suggestions for subjects/approaches/exercises would you try?
I have the following in mind while making the point that what I am demonstrating works exactly the same as a computer on the internet, protected by a firewall or not.
1. Off to the side run a projector that shows the real-time security-related syslog that I log 24/7, with a short explanation so they can see what happens as it happens (they won't be able to read it - it will go past too fast - but that will add to the impact).
2. Show the different social engineering tactics used to get people to open viruses then open one on a private network and have a sniffer showing them the activity.
3. Have a machine loaded with spyware etc. and have someone try to work on it. Then run the tools to clean it and have the user run the same tasks a second time. (probably should do this first and run the tools while doing other things).
4. Connect to a custom web site and have it list the contents of the HD or something similarly "scary". Show how easy it is to accomplish.
5. Have some fun "hacking" a machine on the network (yeah, I'll be logged in as a domain admin so it won't be real hard). I'd use PSTools for example.
6. Scan a firewalled box and an unfirewalled box with Nmap. Show how much information can be gleaned. Show them that the default open ports (NetBIOS) can be connected to remotely with ease and what can be gleaned. Make the point that the firewalled box takes so much longer, which "drives hackers away".... ;)
7. Run a dictionary attack against a password file and discuss how to mess with the password crackers.
8. Discuss phishing and social engineering..... Maybe make a "play" out of it..... (with a staff member?).
I dunno.... I dunno what's good in there and what's bad ....
Suggestions are welcome and it might help others that would like to be able to do the same thing. In the end we may be able to come up with a "script" for a session. It needs to be kept _simple_, it needs to be able to "have impact" both personally and professionally, it needs to be relatively short to present and it needs to be fun to attend for everyone.
Any suggestions.... Sensible ones please..... ;)
Have at it girls and boys......
-
Prove to them that you know what sites they visit!!!!!!
Visit a site; on the projector show Ethereal picking up the GET request, and tell the audience that you run similar programs all day long, and you see WHAT the users look at, and WHO is looking at it. That'll stop the porno toolbars for good.
-
Give something that they can relate to in both the office and real life, like shoulder surfing and spyware. Maybe you can somehow show them how much information spyware can actually send out. The best scenario would be having a custom script that sends out info from a "mock" workstation to another workstation.
As you can tell I am against spyware, since where I work they let them download a lot of "cute" things (Webshots, Comet Cursor, etc.). I like to make it a point that some of the most "invisible" and damaging code comes from games and things that look harmless.
Also, maybe set up some user accounts with some easily crackable passwords that may be in the network (all of these made up, but maybe one or two of them may have them) to stress the importance of strong passwords.
Basically, show them the power of the dark side and show them ways not to be a target.
-
Tiger, (I'm a certified card carrying RAIDERHATER, just thought you should know that)
To drive home a point on password policy, demo PWDUMP and John or L0phtCrack. Like your hacking demo, they won't have to know about your dictionary, but don't make it too obvious ;) . I saw this at SANS and it had SAs and IT folks talking for hours.
Also it might wake a few up to why you have all those other nasty policies???
-
Well, actually everyone has valid points. In a work environment, most business networks have grown out of need, not function. I have taken this approach: first, company policy. That old employee manual needs revision, and it needs to be up front.
EXAMPLE
1. Every employee manual covers theft of company property. Then it must clearly state that any company data belongs to the company.
2. Usage of company equipment, which now includes computers: they are not personal property but belong to the company, and as such the following things are in force.
3. No expectation of privacy in email, web surfing or the workstation's local drive, because all these records can be asked for in any legal matter and as a business must be provided.
To make a long story short, the employee manual where I work, as revised, reads:
All network activity is monitored 24/7 (Twenty Four Hours Seven Days a Week). If personnel are not present, logs keep a record that is reviewed daily. Logs or personnel may, if called for, monitor or do the following.
1. Remotely access your desktop to view activity.
2. Audit your system unannounced at any time.
3. Remotely shut down or re-boot your system.
4. View any email content in your in-box and record all outbound or inbound email.
In short, the best bet is for the company to fully explain their position on computer usage up front and the extent of what they can look at.
Then begin to train the weakest link in the security chain, the users, and make them well aware that anonymous does not mean unknown.
I just placed a monitor that has a graphical interface showing all network connections, internal and external, in a window area that any employee can see as they walk by the server room. It also shows the names of the workstations, each of which has an employee name. I got to design mine: it's not in the basement, it's in the center of the main floor, and it has full windows so even what I do can be seen. I do not hide the IS department; we simply enable the business to operate. Don't let IT enforce things; let anyone see what you do and fellow employees will give them a hard time, saying "such and such, we have a deadline and I'm working my butt off, and I walked past the server room and what were you bidding for on E-Bay... I thought you were part of the team" :)
Good Luck
-
Couple thoughts...
* Show them what could happen if they don't lock their console... using an unlocked PC, maybe a simple email sent to the president or supervisor telling them not-so-nice things about their breath. Ha ha. It will get people to notice, I guarantee it!
* Empower them to take action when they see a fellow employee doing something wrong. This isn't a witch-hunt or turning everyone into narcs or snitches... but tell them to ask the person not to do that. Or if it's serious, go straight to HR.
* Remind them there is no expectation of privacy, as others said here. Show how you can track their web surfing.
* Explain how they aren't anonymous on the Internet nor within your network. Show examples (like above): firewall logs, web proxy logs (if applicable), etc.
* Give lots of examples of the results of various incidents due to improper activities, e.g. the neighbor with the PC they had to reload due to virus infection, the worker who had their credit cards stolen due to a trojan on their machine from a bad website, the worker who lost important documents because of malware on their machine and spent 3 all-nighters to redo missed deadlines and thus lost a bonus or job promotion opportunity, etc.
Mostly showing exploitive actions and cause-and-effect, which is good.
Good thread here...I'm hoping to learn lots to help me teach my users as well.
-
Wow Tiger...
Maybe you should take on a new job?
Travel from company to company scaring the hell out of their employees?
FUD works wonders... you see it all the time.
Your job could be something like this:
http://www.amazon.com/exec/obidos/tg...e&s=books&st=*
Before long... you'll have your own book.
You just have to give me a "free lunch" for the idea. ;)
-
Tiger, I have found the attention span of anyone that is not deeply interested in a subject to be about 30 seconds.
There are a couple of ways around this.
1. Humor -- keep them listening with a lot of jokes and pratfalls.
2. Tie the lecture to some personal dire consequence -- like death.
3. (and the best way) Show lots of cartoons and animations.
In several case studies, attendees at presentations retained most of the information handed to them via animations and cartoons. Including CEOs and upper management types.
Since it is not considered businesslike to use cartoons and such, visual graphics have become the mainstay of professional presentations.
-
Just a short note, I would say the best way to get and keep their attention is to show them the worst case of each thing.
If it's leaving a console unlocked, show them what could happen, such as a rogue user copying financial records to a disk or viewing illegal content on the net in order to get them in trouble.
If it's writing their password on their monitor, show them what the janitors can do on the weekend to their computer.
People know it's bad to do these things, but most don't know why or believe that it's too hard to do. Prove to them that it isn't.
-
I would be happy if users just took the 1st step in the right direction and locked their computer when they leave their desk. Once that is drummed in, then we can start on passwords, email and the Internet.
I have to say the way I managed to get a few people to understand was by sending emails from their computer when they had walked away. It had more impact on the people still at their desks when they suddenly saw how easy it was, and they didn't want people sending from their name.
We fortunately have very strictly controlled Internet access and MAILsweeper; many users can't get into the situation where they might be installing or opening something they shouldn't be, but for all that we still have to drum the importance of it all into them. Too many users still consider a computer a "magic box", and until that is changed, getting them to understand security is going to be very hard.
sorry for the rant - having a bad user day
-
Hi,
First off, I'd like to express my support for your attempt to get "user buy-in" to IT security by educating them. It pays dividends, and I speak from experience. I'll quote you an example. In one of our regional offices I was conducting a review of their IT security. They had a spare terminal that had an external CD-Writer. This was an obvious security threat in that staff could write any data they wanted to CD and export it home. It was suspected by staff that we would be removing this facility as part of our review, a facility some found useful. Consequently, we were regarded as something akin to Nazi war criminals for the early part of our visit. After our presentation on IT security, about half the staff hung around afterwards to voice their concerns about this CD-Writer, and requested that we remove it (something we were going to do anyway). At a stroke, peer pressure was brought to bear on certain "hard nosed" users who saw security as "stupid". Pressure applied by their own colleagues, not by us security experts. Our recommendation was therefore accepted by management without a murmur. Raising user awareness, and consequently gaining user buy-in, is therefore the single most important thing you can do in IT Security. They are, after all, the weakest link in our defences.
So what works? How do we do this? Your ideas thus far are basically sound. You know your users better than I do, so you will know best what they will be responsive to, but in general a large amount of visually impressive demonstrations have an effect. But they won't want 15 mins of technical background first before you get onto demonstrating the hack. Demonstrate a hack they can understand with their existing level of knowledge. I find browser hijacking works well here. Users relate to web browsing, so knock up a few web pages with nasty mobile code embedded that produces visible results. I show three such attacks:
* A web site that changes your default start page
* A web site that adds a new user to your PC
* A web site that captures the contents of your clipboard and displays it on a new page
These are quick to show and produce plenty of "wow factor".
The real hacking attempt is interesting to users as well. I demonstrate hacking into an XP box from a Linux box using the remote desktop facility in XP. This involves guessing a username and password (which I've pre-set up to use the account "Administrator" with a password of "password"). I get the users to guess these credentials when the Winlogon box appears on the MS Terminal Services window on the Linux box. They love it. It makes them feel like they are doing the hacking. You can see the smiles go around the room when, after about three wrong guesses, they get it right and we then log on to the victim's PC. Once you're in, steal a notepad file from your victim PC. Do this by opening notepad, and ask the audience for a phrase. Anything will do; the more ludicrous and surreal the better. Save the file using a filename again chosen by the audience. When you steal the file, open it on your attack PC and they can then see the phrase they chose. This proves that the attack you're demonstrating is real, and hasn't been "doctored" or "fiddled" in any way. It adds credibility.
Regarding your point about making the seminars mandatory, and that engendering a "yawn factor" amongst the audience: this is certainly true, but counter it through marketing. You should word your publicity for these seminars in a fun, light-hearted way that will intrigue users. Mention The Matrix. Make it seem like they're getting a glimpse into the "underworld" of computing. And make it relevant to their home PC. That's a hook that will get them to turn up, and you can then cover corporate policy alongside that. In essence, keep emphasising the point that provided they follow the corporate policy, the network isn't vulnerable to the kinds of exploit you're demonstrating - the exploit only works because the victim has no regard for security (having the audience guess the password is a good way of driving this point home).
Advertise the seminars by creating cool-looking posters to put up round the workplace. Pique their interest with references to James Bond etc. But don't overdo the humour when you're actually running the presentation. This can cheapen the message. Be relaxed and informal, but remember you're not a standup comedian. Your job is to educate them about IT Security, not make them laugh.
Regards,
Alan
Another word of advice. Don't make it too long. I manage to keep my presentation/demonstration down to about 90 mins, and some people think that's too long.
-
Damn... I started this a month ago!!!!!
Ok.... What I have attached here and in the next post ('cos it's a tad big) is a PowerPoint presentation entitled "Computer Security, what it means to you at home and at work".
This version of the presentation is meant as the "self study" version for users to reference over the network.
You will notice a few things about it.... Not the least that I frigging *SUCK* in the artistic department.
What I think we could do is all take a look.... If you find things you don't like, PM me and tell me how I should rephrase something and which number panel it is on. For the "artsy" amongst you, maybe you could come up with a better color scheme/layout, then send me a sample.... Let's not make it all dark like a skiddie site, and let's not have too much fluorescence in it..... A lot of my users are little old ladies, as I'm sure many others around here are. Yeah, see if you can make it a blend of professional and exciting with a hint of "The 3v1l h4x0r" if you can, that would be cool.
I think if we combine all our talents on this then we could leave the final version up here on AO for us all to use...
Any Takers?
-
Part 2
Part 2 of Computer security ppt