RE: Enterprise Training Programs

From: Michael Scheidell (scheidell@secnap.net)
Date: Sun Jun 11 2006 - 13:37:41 EDT


> -----Original Message-----
> From: mail@cybersekure.com [mailto:mail@cybersekure.com]
> Sent: Monday, June 05, 2006 8:23 PM
> To: pen-test@securityfocus.com
> Subject: Enterprise Training Programs
>
>
> Hello List,
>
> I'm the Security Director for a large bank. After having
> several pen-tests and audits performed for me I see that I
> need to do more training for my users. This is really
> apparent for phishing security knowledge...
>
> My questions:
> What are other large companies doing for training of the user base?

Good questions. This is the first step: acknowledging you have a
problem.

FBI stats show 65% of security breaches start internally.

As a company that does those pen-tests and audits, some of the stories
(without naming names) would curl your hair.
Doing the second audit, after remediation (and PwC insisted on 8 char/45
days, complex passwords), I interviewed one of the clerks in charge of
customer service for the bank's credit cards:

Q) How hard has it been for you to remember a complex password, now that
you need to change it every 45 days?
A) Not hard at all, I have it written right here: (under keyboard)
Microsoft1
 
Three points off :-(

This is the person who asks you on the phone "what are the last 4 of your
social, what is your mother's maiden name" when you call.

There is a pamphlet she mails out that warns credit card users not to
write down their PIN code on their credit card.

This isn't the worst!

/* Warning: self serving marketing
If the GLBA Safeguards Rule of May 2002 says identify ALL internal
vulnerabilities, doesn't this include users?
http://www.glba.us

Microsoft developed a training program with 'Media Pro', with Richard
Purcell, past Chief Privacy Officer with Microsoft.

It's a web based training program, and for VERY large banks, can be
customized.

Has several targets, you might want to check it out.

We are a reseller, and I am sure one of our sales types would love to
tell you all about it and arrange a demo.
http://www.secnap.com/events.php?pg=15

*/

>
> How often should this training take place? ( Refresher
> courses??? New hire training??)
>
New hires: immediately.
Refresher for everyone that FAILS, or causes a security breach
("I didn't know that the screen saver on s & M radio .com was a program!
But it says my CLOCK was wrong and I should download it!")

> How effective is CBT training of the user population using a
> LMS package?
>

> Does EVERY company have some type of LMS training architecture?

No, but a lot more should.

>
> Can you take an Open-Source LMS like Sakai developed by MIT
> and use it internally? What does this do for the GPL? What if
> you wanted to sell the product to other companies you own?
>
>
> Basically, I'm trying to figure out the best method for
> training my user population and enforcing the security
> policies I have created... I think an LMS system might be the
> way to do it but it looks like LMS may be used mostly by
> colleges and NOT corporations???
>
> -MailMan
>
> --------------------------------------------------------------
> ----------------
> This List Sponsored by: Cenzic
>
> Concerned about Web Application Security?
> Why not go with the #1 solution - Cenzic, the only one to win
> the Analyst's
> Choice Award from eWeek. As attacks through web applications
> continue to rise,
> you need to proactively protect your applications from
> hackers. Cenzic has the
> most comprehensive solutions to meet your application
> security penetration
> testing and vulnerability management needs. You have an
> option to go with a
> managed service (Cenzic ClickToSecure) or an enterprise software
> (Cenzic Hailstorm). Download FREE whitepaper on how a managed
> service can
> help you: http://www.cenzic.com/news_events/wpappsec.php
> And, now for a limited time we can do a FREE audit for you to
> confirm your
> results from other product. Contact us at request@cenzic.com
> for details.
> --------------------------------------------------------------
> ----------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:04 EDT