Brought on by this thread

OK.... Let's give this a bash..... I have been thinking about this for a while....

Security seminars for my (L)users.

It's actually kind of mandated by HIPAA, (sort of), and it would be fun to do. The issues that have always been the "show-stoppers" have been the lack of interest/care/don't give a rat$ a$$ attitude that I am going to face from the user base. With that in mind I figured that there are certain things that I can/may be able to leverage to my benefit.

1. I can't do seminars for all the users at the same time, (I have too many).
2. If I make them mandatory from the start I will foster the "yawn" factor.
3. I have some people that will turn up and be enthusiastic.
4. If it's made fun/exciting enough then they can recommend it to the less interested users.
5. If I can show them the benefits for their home computers it will be more "listenable to".
6. Once I have exhausted the "interested" and "encouraged by the 'interested'" people mandating the rest would be easier.
7. Once I have a level of interest/participation it will be easier to gain "acceptance" of updates.

So, with those in mind, what suggestions for subjects/approaches/exercises would you try?

I have the following in mind while making the point that what I am demonstrating works exactly the same as a computer on the internet, protected by a firewall or not.

1. Off to the side run a projector that shows the real-time, security-related syslog that I log 24/7 with a short explanation so they can see what happens as it happens, (they won't be able to read it - it will go past too fast - but that will add to the impact).

2. Show the different social engineering tactics used to get people to open viruses, then open one on a private network and have a sniffer showing them the activity.

3. Have a machine loaded with spyware etc. and have someone try to work on it. Then run the tools to clean it and have the user run the same tasks a second time. (probably should do this first and run the tools while doing other things).

4. Connect to a custom web site and have it list the contents of the HD or something similarly "scary". Show how easy it is to accomplish.

5. Have some fun "hacking" a machine on the network, (yeah, I'll be logged in as a domain admin so it won't be real hard). I'd use PsTools for example.

6. Scan a firewalled box and an unfirewalled box with Nmap. Show how much information can be gleaned. Show them that the default open ports, (NetBIOS), can be connected to remotely with ease and what can be gleaned. Make the point that the firewalled box takes so much longer, which "drives hackers away"....

7. Run a dictionary attack against a password file and discuss how to mess with the password crackers.

8. Discuss phishing and social engineering..... Maybe make a "play" out of it..... (with a staff member?).

I dunno.... I dunno what's good in there and what's bad ....

Suggestions are welcome and it might help others that would like to be able to do the same thing. In the end we may be able to come up with a "script" for a session. It needs to be kept _simple_, it needs to be able to "have impact" both personally and professionally, it needs to be relatively short to present and it needs to be fun to attend for everyone.

Any suggestions.... Sensible ones please.....

Have at it girls and boys......