
End-user IT Security Resources

Raevenlord

News Editor
Joined
Aug 12, 2016
Messages
3,755 (1.33/day)
Location
Portugal
System Name The Ryzening
Processor AMD Ryzen 9 5900X
Motherboard MSI X570 MAG TOMAHAWK
Cooling Lian Li Galahad 360mm AIO
Memory 32 GB G.Skill Trident Z F4-3733 (4x 8 GB)
Video Card(s) Gigabyte RTX 3070 Ti
Storage Boot: Transcend MTE220S 2TB, Kintson A2000 1TB, Seagate Firewolf Pro 14 TB
Display(s) Acer Nitro VG270UP (1440p 144 Hz IPS)
Case Lian Li O11DX Dynamic White
Audio Device(s) iFi Audio Zen DAC
Power Supply Seasonic Focus+ 750 W
Mouse Cooler Master Masterkeys Lite L
Keyboard Cooler Master Masterkeys Lite L
Software Windows 10 x64
Hey all.

I'm looking at a good way to have a cybersecurity / end-user diagnostic and training programme for my current work. The objective is to inform people about user-preventable cybersecurity risks and to increase awareness of IT security requirements, besides regulating Internet access and allowed/not allowed behaviours.

The idea here would thus be to:

1) Diagnose current IT security knowledge and practices of all users (can be achieved by a simple Google Docs questionnaire that's e-mail-distributed throughout our infrastructure, which I can easily achieve);
2) Simulate phishing attacks and other end-user-dependent vulnerabilities;
3) Deploy instructional resources in a planned, automated way (for example, creation of an e-mail newsletter that would, if possible, aggregate resources that would then be interpreted according to our security and mission environment);
4) Re-diagnose.

So what I'm looking for is some online resources that may already exist on this topic, from reputed sources, that I can then adapt to my reality. Industry practices, governmental tutorials and FAQs that already exist, and so on.

Thanks in advance, you guys.
 
Joined
Jun 18, 2010
Messages
2,329 (0.46/day)
Processor Intel i7 970 // Intel i7 2600K
Motherboard Asus Rampage III Formula // Asus P8P67 Deluxe
Cooling Zalman CNPS9900MaxB // Zalman CNPS11X
Memory GSkill 2133 12GB // Corsair V 2400 32GB
Video Card(s) ASUS GTX1080 // MSI GTX1070
Storage Samsung 870EVO // Samsung 840P
Display(s) HP w2207h
Case CoolerMaster Stacker 830se // Lian Li PC-9F
Audio Device(s) onboard
Power Supply Seasonic X 850w Gold // EVGA 850w G2
Mouse Logitech G502SE HERO, G9
Keyboard Dell
Software W10 Pro 22H2
If you put part of what you've written, "cybersecurity / end-user diagnostic and training programme", into Google it comes back with a mountain of info from MS to smaller players.

Empowering your remote workforce with end-user security
The Ultimate Guide to Security Awareness Training
SANS Security Awareness End User Training
Security Awareness Training - Cyber Security Solutions ...


Search some more, the list is endless.

He's not asking for a mountain of Google. He's asking industry peers for what they know has worked in their organization.

Your reply doesn't fit his needs.
 
Joined
May 15, 2020
Messages
578 (0.40/day)
He's not asking for a mountain of Google. He's asking industry peers for what they know has worked in their organization.

Your reply doesn't fit his needs.

Scrubbed to avoid unnecessary arguments.
 
Joined
Sep 24, 2008
Messages
2,665 (0.47/day)
System Name Dire Wolf IV
Processor Intel Core i9 14900K
Motherboard Asus ROG STRIX Z790-I GAMING WIFI
Cooling Arctic Liquid Freezer II 280
Memory 2x24GB Corsair DDR5 6667
Video Card(s) NVIDIA RTX4080 FE
Storage AORUS Gen4 7300 1TB + Western Digital SN750 500GB
Display(s) Alienware AW3423DWF (QD-OLED, 3440x1440, 165hz)
Case Corsair Airflow 2000D
Power Supply Corsair SF1000L
Mouse Razer Deathadder Essential
Keyboard Chuangquan CQ84
Software Windows 11 Professional
Simulate phishing attacks and other end-user dependent vulnerabilities

So for this I can tell you some tales from the corporate world. There are external companies that will do simulated phishing for you, for starters. But you can probably do this yourself with some effort.

The overall idea is to create a few tiers of phishing e-mails ranging from obvious to harder to spot. You send these, and track who in your organization fell for the links. You create a couple of tiers of training, one for those who fall for the easy ones, and one for those who only fall for the more complicated ones. You assign these automatically to people who fall for the fake phishes.

One thing that is important: you also need a phishing e-mail reporting mechanism, and you need to explain to people how to use it. Your fake phishes should get reported, and the reporters should be rewarded. Those who do not report but don't fall for it get nothing, and those who fall for it get training. Those who keep falling for it would need some serious talking to.

This works. People stop clicking on bullshit if they end up taking mandatory trainings on how to not click on bullshit, or at the very least you identify the risky individuals in your organization, and can act accordingly. Additionally, real phishing attempts will get reported, and your organization will know if it becomes a target thanks to the diligent folks in it. This also allows you to raise the alarm on such campaigns targeting you.
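The triage described in this reply (tiered simulated phishes, a report button, reward for reporters, training keyed to the easiest tier someone fell for, escalation for repeat clickers, and tracking whether campaigns get reported at all) is mechanical enough to script. The following is an added example, not code from the thread or from any vendor mentioned in it; the tier names, the CSV layout, the repeat-click threshold and the sample result rows are all constructed assumptions.

```python
"""Score the results of a tiered phishing simulation.

Added example (not from the thread). Implements the triage rules the reply
describes over a constructed result set. Tier names, the repeat-click
threshold and the CSV layout are assumptions for illustration.
"""
import csv
import io
from collections import defaultdict

# Difficulty order of the simulated campaigns, easiest first (assumed names).
TIERS = ["obvious", "moderate", "hard"]

# Clicking in this many campaigns or more means "keeps falling for it" and
# gets escalated instead of just trained. The threshold is an assumption.
REPEAT_CLICK_THRESHOLD = 2

# Constructed campaign log: one row per (user, campaign) recording whether the
# user clicked the tracked link and whether they used the report button.
SAMPLE_RESULTS = """\
user,campaign,tier,clicked,reported
alice,c1,obvious,no,yes
alice,c2,moderate,no,yes
alice,c3,hard,no,yes
bob,c1,obvious,yes,no
bob,c2,moderate,yes,no
bob,c3,hard,no,no
carol,c1,obvious,no,no
carol,c2,moderate,no,no
carol,c3,hard,yes,no
dave,c1,obvious,no,no
dave,c2,moderate,no,no
dave,c3,hard,no,no
eve,c1,obvious,no,no
eve,c2,moderate,yes,no
eve,c3,hard,no,yes
"""


def parse_results(text):
    """Parse the CSV into dict rows with boolean click/report flags.
    Rejects rows whose tier is not one of the configured tiers."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["tier"] not in TIERS:
            raise ValueError(f"unknown tier {row['tier']!r} in campaign {row['campaign']}")
        rows.append({
            "user": row["user"],
            "campaign": row["campaign"],
            "tier": row["tier"],
            "clicked": row["clicked"].strip().lower() == "yes",
            "reported": row["reported"].strip().lower() == "yes",
        })
    return rows


def triage_users(rows):
    """Map each user to one action, following the reply's rules:
    - clicked in REPEAT_CLICK_THRESHOLD or more campaigns -> escalate
    - clicked only the hardest tier                       -> advanced_training
    - clicked an easier tier                              -> basic_training
    - never clicked and reported at least once            -> reward
    - never clicked, never reported                       -> none
    Clicking takes precedence over reporting: a user who clicked still gets
    training even if they also reported other campaigns."""
    per_user = defaultdict(list)
    for r in rows:
        per_user[r["user"]].append(r)
    actions = {}
    for user, events in per_user.items():
        clicked_tiers = {e["tier"] for e in events if e["clicked"]}
        click_count = sum(1 for e in events if e["clicked"])
        reported_any = any(e["reported"] for e in events)
        if click_count >= REPEAT_CLICK_THRESHOLD:
            actions[user] = "escalate"
        elif clicked_tiers:
            # The easiest tier the user fell for decides the training level.
            easiest = min(clicked_tiers, key=TIERS.index)
            actions[user] = "advanced_training" if easiest == TIERS[-1] else "basic_training"
        elif reported_any:
            actions[user] = "reward"
        else:
            actions[user] = "none"
    return actions


def campaign_report_rate(rows):
    """Fraction of recipients per campaign who reported it. A low rate on the
    obvious tier means a real campaign would likely go unnoticed."""
    counts = defaultdict(lambda: [0, 0])  # campaign -> [reported, total]
    for r in rows:
        counts[r["campaign"]][1] += 1
        if r["reported"]:
            counts[r["campaign"]][0] += 1
    return {c: reported / total for c, (reported, total) in counts.items()}


if __name__ == "__main__":
    results = parse_results(SAMPLE_RESULTS)
    for user, action in sorted(triage_users(results).items()):
        print(f"{user:8s} {action}")
    for campaign, rate in sorted(campaign_report_rate(results).items()):
        print(f"{campaign}: {rate:.0%} reported")
```

Feeding the script a real export means only replacing SAMPLE_RESULTS with the click and report logs from whatever sends the simulated mails; the per-campaign report rate is the number worth watching over time, since it is what tells you whether a genuine campaign would be noticed.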
 
Joined
Nov 1, 2017
Messages
521 (0.22/day)
Look for "Terranova". Does exactly what you want.
Though it's a Canada/Quebec-based company, you should still be okay as it's SaaS.
 
Joined
Jul 25, 2006
Messages
12,147 (1.87/day)
Location
Nebraska, USA
System Name Brightworks Systems BWS-6 E-IV
Processor Intel Core i5-6600 @ 3.9GHz
Motherboard Gigabyte GA-Z170-HD3 Rev 1.0
Cooling Quality case, 2 x Fractal Design 140mm fans, stock CPU HSF
Memory 32GB (4 x 8GB) DDR4 3000 Corsair Vengeance
Video Card(s) EVGA GEForce GTX 1050Ti 4Gb GDDR5
Storage Samsung 850 Pro 256GB SSD, Samsung 860 Evo 500GB SSD
Display(s) Samsung S24E650BW LED x 2
Case Fractal Design Define R4
Power Supply EVGA Supernova 550W G2 Gold
Mouse Logitech M190
Keyboard Microsoft Wireless Comfort 5050
Software W10 Pro 64-bit
Before EVER creating any training program, you must know your audience. And sadly, we know nothing of yours.

Are they 10-year-olds? 70-year-olds?
Are they techies eager to learn and adapt new technologies and techniques?
Are they techies who already know it all and just need a refresher (and perhaps a reminder of company policy)?
Are they Luddites who resist change and new technologies?
Are they IT people at all?

The trick is to avoid speaking over the head of the uninformed while at the same time, avoid talking down to the very experienced. Good luck with that. I might suggest two classes, one for the total newbie and another advanced "refresher/reminder" class for the experts.

Is this training to be used only at work on the buttoned down corporate computers? Or training they can take home and use on their personal computers too?

Are any of these employees "road warriors" - travelers with mobile devices who frequently need to connect to hotel, airport and other strange networks?

And speaking of devices, what kind? PCs only? PCs and laptops? Company provided smart phones? Windows? Macs? Linux?

*****

The user is ALWAYS the weakest link in security!

Don't be "click-happy".

BY FAR, the greatest threat to computer security (either corporate or personal) is users being tricked into clicking something they shouldn't. And that is typically, and sadly, very effectively accomplished by the bad guys using Social Engineering. So what I did with the very diversified group of users I was dealing with was to teach them what "Social Engineering" was and to pound into their heads not to be "click-happy" on unsolicited links, popups, emails, attachments and downloads.

At the time, way back in the early 90s when I was the Network Manager for a major Air Force base wide area network, "click-happy" initially referred to users who got impatient when waiting for their computers to "unfreeze", and they started to click at everything, press all sorts of keys, etc. causing their computers to lock up even more. But I think we were the first, or certainly one of the first to use "click-happy" in reference to avoiding malware. And it stuck.

Users don't need to know the specific or technical terms like "phishing", "vishing", or even "social engineering". They don't even know how to recognize a socially engineered threat. What they need to know and to remember is to be suspicious! Always! Especially on any unsolicited link, popup, email, attachment or download. And then they need to remember, and be disciplined to avoid being "click-happy" on those items.

If, out of the blue, they get an email from their bank, the IRS, Facebook or dear ol' Mom that says something about a password reset, or special offer, just delete it and go visit the bank or Facebook, etc. via their normal links.

Note I mentioned Facebook because I personally have received several Facebook Account Recovery Code emails lately that were scams designed to get FB users to enter their current FB password on a fake reset page - thus giving the bad guys access to their FB account. A bunch of COVID scams are circulating now too. :(

See also (old but still good): https://us-cert.cisa.gov/ncas/tips/ST04-014
 