
End-user IT Security Resources

Raevenlord

News Editor
Hey all.

I'm looking at a good way to have a cybersecurity / end-user diagnostic and training programme for my current work. The objective is to inform people on user-preventable cybersecurity risks and increase awareness of IT security requirements, besides regulating Internet access and allowed/not allowed behaviours.

The idea here would thus be to:

1) Diagnose current IT security knowledge and practices from all users (can be achieved by a simple Google Docs questionnaire that's e-mail-distributed throughout our infrastructure, which I can easily achieve);
2) Simulate phishing attacks and other end-user-dependent vulnerabilities;
3) Deploy instructional resources in a planned, automated way (for example, creation of an e-mail newsletter that would, if possible, aggregate resources that would then be interpreted according to our security and mission environment);
4) Re-diagnose.

So what I'm looking for is some online resources that may already exist on this topic, from reputed sources, that I can then adapt to my reality. Industry practices, governmental tutorials and FAQs that already exist, and so on.

Thanks in advance you guys.
 
If you put part of what you've written, "cybersecurity / end-user diagnostic and training programme", into Google, it comes back with a mountain of info from MS to smaller players.

Empowering your remote workforce with end-user security
The Ultimate Guide to Security Awareness Training
SANS Security Awareness End User Training
Security Awareness Training - Cyber Security Solutions ...


Search some more, the list is endless.

He's not asking for a mountain of Google. He's asking industry peers for what they know has worked in their organization.

Your reply doesn't fit his needs.
 
He's not asking for a mountain of Google. He's asking industry peers for what they know has worked in their organization.

Your reply doesn't fit his needs.

Scrubbed to avoid unnecessary arguments.
 
Simulate phishing attacks and other end-user dependent vulnerabilities

So for this I can tell you some tales from the corporate world. There are external companies that will do simulated phishing for you, for starters. But you can probably do this yourself with some effort.

The overall idea is to create a few tiers of phishing e-mails ranging from obvious to harder to spot. You send these, and track who in your organization fell for the links. You create a couple of tiers of training, one for those who fall for the easy ones, and one for those who only fall for the more complicated ones. You assign these automatically to people who fall for the fake phishes.

One thing that is important: You also need a phishing e-mail reporting mechanism, and explain to people how to use it. Your fake phishes should get reported, and the reporters should be rewarded. Those who do not report, but don't fall for it get nothing, and those who fall for it get training. Those who keep falling for it would need some serious talking to.

This works. People stop clicking on bullshit if they end up taking mandatory trainings on how to not click on bullshit, or at the very least you identify the risky individuals in your organization, and can act accordingly. Additionally, real phishing attempts will get reported, and your organization will know if it becomes a target thanks to the diligent folks in it. This also allows you to raise the alarm on such campaigns targeting you.
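The tiering and reporting rules in the post above, worked through as an added example (this is not code from the thread or from any phishing-simulation product). It assumes a simple event log exported from whatever tool sent the lures, with one `sent` row per recipient per campaign plus `clicked` / `reported` rows; the campaign IDs, user names, tier names, the `TRAINING_FOR_TIER` mapping and the `ESCALATE_AFTER` threshold are all constructed for illustration.

```python
"""Assign training, rewards and escalation from phishing-simulation results.

Rules, as described in the post above:
  - reported the simulated phish          -> reward (counted per campaign)
  - clicked a lure                        -> training tier chosen by the EASIEST
                                             lure the user fell for
  - neither clicked nor reported          -> nothing
  - clicked in ESCALATE_AFTER+ campaigns  -> escalate ("serious talking to")
A report sent after a click still counts as a report: you want people to tell
you even when they already clicked, but the click still counts as a fall.
"""
from collections import defaultdict

TIERS = ("obvious", "moderate", "hard")              # lure difficulty, easiest first
TRAINING_FOR_TIER = {"obvious": "basic",             # assumed module names
                     "moderate": "basic",
                     "hard": "advanced"}
ESCALATE_AFTER = 3                                   # assumed threshold
ACTIONS = ("sent", "clicked", "reported")

# Constructed campaign log: (campaign_id, lure_tier, user, action).
EVENTS = [
    ("c1", "obvious",  "alice", "sent"), ("c1", "obvious",  "alice", "reported"),
    ("c1", "obvious",  "bob",   "sent"), ("c1", "obvious",  "bob",   "clicked"),
    ("c1", "obvious",  "carol", "sent"),
    ("c1", "obvious",  "dave",  "sent"), ("c1", "obvious",  "dave",  "clicked"),
    ("c1", "obvious",  "erin",  "sent"),
    ("c2", "moderate", "alice", "sent"), ("c2", "moderate", "alice", "reported"),
    ("c2", "moderate", "bob",   "sent"),
    ("c2", "moderate", "carol", "sent"), ("c2", "moderate", "carol", "clicked"),
    ("c2", "moderate", "dave",  "sent"), ("c2", "moderate", "dave",  "clicked"),
    ("c2", "moderate", "erin",  "sent"),
    ("c3", "hard",     "alice", "sent"), ("c3", "hard",     "alice", "clicked"),
    ("c3", "hard",     "bob",   "sent"), ("c3", "hard",     "bob",   "reported"),
    ("c3", "hard",     "carol", "sent"), ("c3", "hard",     "carol", "clicked"),
    ("c3", "hard",     "dave",  "sent"), ("c3", "hard",     "dave",  "clicked"),
    ("c3", "hard",     "dave",  "reported"),
    ("c3", "hard",     "erin",  "sent"),
]


def summarize(events):
    """Collapse raw events into per-user and per-campaign sets."""
    users = defaultdict(lambda: {a: set() for a in ACTIONS})
    campaigns = defaultdict(lambda: {"tier": None, **{a: set() for a in ACTIONS}})
    for cid, tier, user, action in events:
        if tier not in TIERS or action not in ACTIONS:
            raise ValueError(f"bad event: {(cid, tier, user, action)}")
        users[user][action].add((cid, tier))
        campaigns[cid]["tier"] = tier
        campaigns[cid][action].add(user)
    return users, campaigns


def assign_outcomes(users):
    """Per-user training module, reward count and escalation flag."""
    outcomes = {}
    for user, u in users.items():
        clicked_ids = {cid for cid, _ in u["clicked"]}
        clicked_tiers = {tier for _, tier in u["clicked"]}
        training = None
        if clicked_tiers:
            # Falling for an obvious lure puts you in the basic module even if
            # you also fell for a hard one; only-hard clickers get "advanced".
            easiest = min(clicked_tiers, key=TIERS.index)
            training = TRAINING_FOR_TIER[easiest]
        outcomes[user] = {
            "training": training,
            "rewards": len({cid for cid, _ in u["reported"]}),
            "clicks": len(clicked_ids),
            "escalate": len(clicked_ids) >= ESCALATE_AFTER,
        }
    return outcomes


def campaign_rates(campaigns):
    """Click and report rate per campaign, for the re-diagnose step."""
    rates = {}
    for cid, c in campaigns.items():
        n = len(c["sent"])
        rates[cid] = {
            "tier": c["tier"],
            "click_rate": len(c["clicked"]) / n if n else 0.0,
            "report_rate": len(c["reported"]) / n if n else 0.0,
        }
    return rates


if __name__ == "__main__":
    users, campaigns = summarize(EVENTS)
    for user, o in sorted(assign_outcomes(users).items()):
        print(f"{user:6} training={o['training']!s:9} rewards={o['rewards']} "
              f"clicks={o['clicks']} escalate={o['escalate']}")
    for cid, r in sorted(campaign_rates(campaigns).items()):
        print(f"{cid} ({r['tier']:8}) click={r['click_rate']:.0%} "
              f"report={r['report_rate']:.0%}")
```

Run it as a script and it prints one line per user and per campaign. A rising report rate on the harder tiers across re-runs is the signal that the training is working; users who keep showing up with `escalate=True` are the risky individuals the post talks about.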
 
Look for "Terranova". Does exactly what you want.
Though it's a Canada / Quebec based company, you should still be okay as it's SaaS.
 
Before EVER creating any training program, you must know your audience. And sadly, we know nothing of yours.

Are they 10-year olds? 70-year olds?
Are they techies eager to learn and adapt new technologies and techniques?
Are they techies who already know it all and just need a refresher (and perhaps a reminder of company policy)?
Are they Luddites who resist change and new technologies?
Are they IT people at all?

The trick is to avoid speaking over the head of the uninformed while at the same time, avoid talking down to the very experienced. Good luck with that. I might suggest two classes, one for the total newbie and another advanced "refresher/reminder" class for the experts.

Is this training to be used only at work on the buttoned down corporate computers? Or training they can take home and use on their personal computers too?

Are any of these employees "road warriors" - travelers with mobile devices who frequently need to connect to hotel, airport and other strange networks?

And speaking of devices, what kind? PCs only? PCs and laptops? Company provided smart phones? Windows? Macs? Linux?

*****

The user is ALWAYS the weakest link in security!

Don't be "click-happy".

BY FAR, the greatest threat to computer security (either corporate or personal) is users being tricked into clicking something they shouldn't. And that is typically, and sadly, very effectively accomplished by the bad guys using Social Engineering. So what I did with the very diversified group of users I was dealing with was to teach them what "Social Engineering" was and to pound into their heads not to be "click-happy" on unsolicited links, popups, emails, attachments and downloads.

At the time, way back in the early 90s when I was the Network Manager for a major Air Force base wide area network, "click-happy" initially referred to users who got impatient when waiting for their computers to "unfreeze", and they started to click at everything, press all sorts of keys, etc. causing their computers to lock up even more. But I think we were the first, or certainly one of the first to use "click-happy" in reference to avoiding malware. And it stuck.

Users don't need to know the specific or technical terms like "phishing", "vishing", or even "social engineering". They don't even know how to recognize a socially engineered threat. What they need to know and to remember is to be suspicious! Always! Especially on any unsolicited link, popup, email, attachment or download. And then they need to remember, and be disciplined to avoid being "click-happy" on those items.

If, out of the blue, they get an email from their bank, the IRS, Facebook or dear ol' Mom that says something about a password reset, or special offer, just delete it and go visit the bank or Facebook, etc. via their normal links.

Note I mentioned Facebook because I personally have received several Facebook Account Recovery Code emails lately that were scams designed to get FB users to enter their current FB password on a fake reset page - thus giving the bad guys access to their FB account. A bunch of COVID scams are circulating now too. :(

See also (old but still good): https://us-cert.cisa.gov/ncas/tips/ST04-014
 