
Thread: User Security Training

  1. #11
    Hi,

    First off, I'd like to express my support for your attempt to get "user buy-in" to IT security by educating them. It pays dividends, and I speak from experience. I'll quote you an example. In one of our regional offices I was conducting a review of their IT security. They had a spare terminal that had an external CD-Writer. This was an obvious security threat in that staff could write any data they wanted to CD and export it home. It was suspected by staff that we would be removing this facility as part of our review, a facility some found useful. Consequently, we were regarded as something akin to Nazi war criminals for the early part of our visit. After our presentation on IT security, about half the staff hung around afterwards to voice their concerns about this CD-Writer, and requested that we remove it (something we were going to do anyway). At a stroke, peer pressure was brought to bear on certain "hard nosed" users who saw security as "stupid". Pressure applied by their own colleagues, not by us security experts. Our recommendation was therefore accepted by management without a murmur. Raising user awareness, and consequently gaining user buy-in, is therefore the single most important thing you can do in IT Security. They are, after all, the weakest link in our defences.

    So what works? How do we do this? Your ideas thus far are basically sound. You know your users better than I do, so you will know best what they will be responsive to, but in general a large amount of visually impressive demonstrations have an effect. But they won't want 15 mins of technical background first before you get onto demonstrating the hack. Demonstrate a hack they can understand with their existing level of knowledge. I find browser hijacking works well here. Users relate to web browsing, so knock up a few web pages with nasty mobile code embedded that produces visible results. I show three such attacks:

    * A web site that changes your default start page
    * A web site that adds a new user to your PC
    * A web site that captures the contents of your clipboard and displays it on a new page

    These are quick to show and produce plenty of "wow factor".

    The real hacking attempt is interesting to users as well. I demonstrate hacking into an XP box from a Linux box using the remote desktop facility in XP. This involves guessing a username and password (which I've pre-set up to use account "Administrator" with a password of "password"). I get the users to guess these credentials when the Winlogon box appears on the MS-Terminal Services window on the Linux box. They love it. It makes them feel like they are doing the hacking. You can see the smiles go around the room when, after about three wrong guesses, they get it right and we then log on to the victim's PC. Once you're in, steal a notepad file from your victim PC. Do this by opening notepad, and ask the audience for a phrase. Anything will do, the more ludicrous and surreal the better. Save the file using a filename again chosen by the audience. When you steal the file, open it on your attack PC and they can then see the phrase they chose. This proves that the attack you're demonstrating is real, and hasn't been "doctored" or "fiddled" in any way. It adds credibility.

    Regarding your point about making the seminars mandatory, and that engendering a "yawn factor" amongst the audience. This is certainly true, but counter it through marketing. You should word your publicity for these seminars in a fun, light-hearted way that will intrigue users. Mention The Matrix. Make it seem like they're getting a glimpse into the "underworld" of computing. And make it relevant to their home PC. That's a hook that will get them to turn up, and you can then cover corporate policy alongside that. In essence, keep emphasising the point that provided they follow the corporate policy, the network isn't vulnerable to the kinds of exploit you're demonstrating - the exploit only works because the victim has no regard for security (having the audience guess the password is a good way of driving this point home).

    Advertise the seminars by creating cool-looking posters to put up round the workplace. Pique their interest with references to James Bond etc. But don't overdo the humour when you're actually running the presentation. This can cheapen the message. Be relaxed and informal, but remember you're not a standup comedian. Your job is to educate them about IT Security, not make them laugh.

    Regards,
    Alan

    Another word of advice. Don't make it too long. I manage to keep my presentation/demonstration down to about 90 mins, and some people think that's too long.

  2. #12
    AO Ancient: Team Leader (Join Date: Oct 2002, Posts: 5,197)
    Damn... I started this a month ago!!!!!

    Ok.... What I have attached here and in the next post 'cos it's a tad big is a Powerpoint presentation entitled "Computer Security, what it means to you at home and at work".

    This version of the presentation is meant as the "self study" version for users to reference over the network.

    You will notice a few things about it.... Not the least that I frigging *SUCK* in the artistic department.

    What I think we could do is all take a look.... If you find things you don't like PM me and tell me how I should rephrase something and on which number panel it is. For the "artsy" amongst you maybe you could come up with a better color scheme/layout then send me a sample.... Let's not make it all dark like a skiddie site and let's not have too much fluorescence in it..... A lot of my users are little old ladies as I'm sure many others around here are. Yeah, see if you can make it a blend of professional, exciting with a hint of "The 3v1l h4x0r" if you can, that would be cool.

    I think if we combine all our talents on this then we could leave the final version up here on AO for us all to use...

    Any Takers?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #13
    AO Ancient: Team Leader (Join Date: Oct 2002, Posts: 5,197)

    Part 2

    Part 2 of Computer security ppt
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
