RE: Enterprise Training Programs

From: Michael Scheidell (scheidell@secnap.net)
Date: Wed Jun 07 2006 - 07:21:11 EDT


Mike: glad you asked again.

I replied once, maybe it was the bounce to the forged email address for
the original poster, I never saw my answer appear.

(posters: if you really want an answer, please use a REAL email address)

Yes, we all hate spam, but it is really rude to ask for an answer, then
have one sent to you and have it bounce.
I used to use a FORGED FROM address but a valid reply-to address on
UseNet.
(would put a spamtrap in the from address)

Would you believe spammers dumb enough to send spam to the MESSAGE ID
because it looked like a valid email address?
But I digress....

> -----Original Message-----
> From: mikejones@rapper.com [mailto:mikejones@rapper.com]
> Sent: Tuesday, June 06, 2006 9:18 PM
> To: pen-test@securityfocus.com
> Subject: Re: Enterprise Training Programs
>
>
> I think this is a very valid post. The most common root cause
> for phishing is user awareness. Can anyone respond to this post?
>
> My questions:
> What are other large companies doing for training of the user base?

Good questions, this is the first step. Acknowledging you have a
problem.

FBI stats show 65% of security breaches start internally.

As a company that does those pen-tests and audits, some of the stories
(without naming names) would curl your hair. Doing the second audit,
after remediation (and PwC insisted on 8char/45 days, complex
passwords). Interview one of the clerks in charge of customer service
for the bank's credit cards:

Q) How hard has it been for you to remember a complex password, now that
you need to change it every 45 days?
A) Not hard at all, I have it written right here: (under keyboard)
Microsoft1
 
Three points off :-(

This is the person who asks you on the phone "what is the last 4 of your
social, what is your mother's maiden name" when you call.

There is a pamphlet she mails out that warns credit card users not to
write down their pin code on credit card.

This isn't the worst!

/* Warning: self serving marketing
If the GLBA safeguard rule of may 2002 says identify ALL internal
vulnerabilities, doesn't this include users?
http://www.glba.us

Microsoft developed a training program with 'media pro', with Richard
Purcell, past Chief Privacy officer with Microsoft.

It's a web based training program, and for VERY large banks, can be
customized.

Has several targets, you might want to check it out.

We are a reseller, and I am sure one of our sales types would love to
tell you all about it and arrange a demo.
http://www.secnap.com/events.php?pg=15

*/

>
> How often should this training take place? ( Refresher
> courses??? New hire training??)
>
New hires, immediately.
Refresher for everyone that FAILS, or causes a security breach ("I didn't
know that the screen saver on s & M radio .com was a program! But it
says my CLOCK was wrong and I should download it!").




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:03 EDT