End User Training

Jamie.R

Sr. Member

Posts: 435

Joined: Mon Aug 06, 2012 9:57 am

Location: UK

Post Mon Apr 15, 2013 2:47 am

End User Training

Hi all,

I was recently onsite for around two weeks and noticed a lot of things that were, let's just say, plain wrong. I was not doing a security assessment of any type; I was just there to help the IT help desk. During my time onsite I saw passwords being sent via email, passwords around computer screens, and users would get up and leave me with their computer without even asking who I was.

So I guess my question is, other than training, what other ways are there to teach end users about security? How hard do you think the lesson should be?

I guess one of the problems with end users is that they don't care, as it's the company being attacked, not them. So do you think it is ethical to target the user?
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er
Grendel

Full Member

Posts: 246

Joined: Thu Aug 28, 2008 8:48 am

Location: Colorado Springs, CO

Post Mon Apr 15, 2013 9:51 am

Re: End User Training

Jamie.R wrote: So I guess my question is, other than training, what other ways are there to teach end users about security? How hard do you think the lesson should be?

Other than training? The only things left are that organizations have to be punitive, or implement security apps that force compliance with security policies... but that's the big problem: there have to be security policies, and they need to be supported high within the organization.

However, the MOST effective method of improving security within an organization has been training, so that's where most of the money and efforts have been placed, and rightly so.
- Thomas Wilhelm, MSCS MSM
ISSMP CISSP SCSECA SCNA IEM

Web Site:
  • http://HackingDojo.com
Author:
  • Professional Penetration Testing
  • Ninja Hacking
  • Penetration Tester's Open Source Toolkit
  • Metasploit Toolkit for Penetration Testing
  • Netcat Power Tools
n37sh@rk

Jr. Member

Posts: 70

Joined: Thu Jan 24, 2013 1:07 pm

Location: Anywhere

Post Tue Apr 16, 2013 7:59 am

Re: End User Training

I see these same things every day. It was worse when I worked in the local medical profession: users getting up with patient data showing and computers not locked. I agree with Grendel, the only way to fix or work on this is to have the support of upper management and have strict policies. You could try setting the screen timeouts and using group policy, but that's still a long shot to getting users to comply.
C|EH,CPT
m0wgli

Sr. Member

Posts: 308

Joined: Fri Jul 20, 2012 3:34 pm

Post Tue Apr 16, 2013 5:23 pm

Re: End User Training

Grendel wrote: However, the MOST effective method of improving security within an organization has been training, so that's where most of the money and efforts have been placed, and rightly so.

I'm not disagreeing with you, but I'd be interested in examples of how this has proven to be the most effective method of improving security in your experience.

From what I've read, Security Awareness Training would appear to be a very contentious issue, for example:

On Security Awareness Training: The focus on training obscures the failures of security design

Arguments Against Security Awareness Are Shortsighted: A counterpoint to Bruce Schneier's recent post on security awareness training for users

Does Security Awareness Training Actually Improve Enterprise Security?
Security + | OSWP | eCPPT (Silver & Gold) | CSTA
Grendel

Full Member

Posts: 246

Joined: Thu Aug 28, 2008 8:48 am

Location: Colorado Springs, CO

Post Tue Apr 16, 2013 7:21 pm

Re: End User Training

What I'm about to say will undoubtedly sound pedantic, but please understand you hit a nerve of mine that stems from a continual need by many to be noticed (even if they don't say anything valid). But the examples you provided are perfect examples of noise, simply for the sake of noise. There are a lot of posts similar to what you pointed to that are more like blogs, and less like valid research in the field of InfoSec. As a researcher, you always have to look at the source material and evaluate its validity in a discussion of this matter.

Simply put, none of the articles you linked have any research value. Instead, check out legitimate research, like that done by Susan Hansche, professor at George Mason University (as an example). In "The Privacy Papers" (published by Auerbach), she quotes "corporations and government agencies... will have to dedicate more resources to staffing and training of information system security professionals," and that employees "are not aware of the security consequences caused by certain actions... Thus it is imperative for every organization to provide employees with IT-related security information that points out the threats and ramifications of not actively participating in the protection of their information."

She also indicated that "informed and trained employees can be a crucial factor in the effective functioning and protection of information systems." She also documents her findings, something that doesn't exist in your articles.

There is a ton of real research, performed by real researchers out there, with research statistics to back up their claims. I just get frustrated reading articles like what you pointed out without any real research being done... and then people (not necessarily you) quote them as something close to gospel.

</rant>
Jamie.R

Sr. Member

Posts: 435

Joined: Mon Aug 06, 2012 9:57 am

Location: UK

Post Wed Apr 17, 2013 2:27 am

Re: End User Training

I guess the question I am asking is how can you make an end user care about security? It seems to me that most end users don't care unless something affects them directly.

Companies can spend as much money on training as they want, but unless the end user puts into practice what he/she has learned, IMO the training is pointless.

So when doing a pen test/social engineering, should targeting an individual and their personal life be more in scope?
Grendel

Full Member

Posts: 246

Joined: Thu Aug 28, 2008 8:48 am

Location: Colorado Springs, CO

Post Wed Apr 17, 2013 6:19 pm

Re: End User Training

Jamie.R wrote: I guess the question I am asking is how can you make an end user care about security? It seems to me that most end users don't care unless something affects them directly.

Companies can spend as much money on training as they want, but unless the end user puts into practice what he/she has learned, IMO the training is pointless.

I'm a believer in what Thomas Smith wrote regarding advertising. Just replace the word "ad" with "security recommendation" and you'll see what it takes to make end-users want to participate in securing their organization:

"The first time people look at any given ad, they don't even see it.
The second time, they don't notice it.
The third time, they are aware that it is there.
The fourth time, they have a fleeting sense that they've seen it somewhere before.
The fifth time, they actually read the ad.
The sixth time they thumb their nose at it.
The seventh time, they start to get a little irritated with it.
The eighth time, they start to think, "Here's that confounded ad again."
The ninth time, they start to wonder if they're missing out on something.
The tenth time, they ask their friends and neighbors if they've tried it.
The eleventh time, they wonder how the company is paying for all these ads.
The twelfth time, they start to think that it must be a good product.
The thirteenth time, they start to feel the product has value.
The fourteenth time, they start to remember wanting a product exactly like this for a long time.
The fifteenth time, they start to yearn for it because they can't afford to buy it.
The sixteenth time, they accept the fact that they will buy it sometime in the future.
The seventeenth time, they make a note to buy the product.
The eighteenth time, they curse their poverty for not allowing them to buy this terrific product.
The nineteenth time, they count their money very carefully.
The twentieth time prospects see the ad, they buy what it is offering."
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Wed Apr 17, 2013 7:25 pm

Re: End User Training

Also, when I do SAT, I emphasize that I'm teaching them things to keep them safe at home as well as at work. People will care a lot more when it's personal, and anything that sinks in will hopefully become ingrained as part of their normal behavior regardless of where they are.
The day you stop learning is the day you start becoming obsolete.
Jamie.R

Sr. Member

Posts: 435

Joined: Mon Aug 06, 2012 9:57 am

Location: UK

Post Fri Apr 19, 2013 2:36 am

Re: End User Training

Thanks a lot, this has given me some ideas. I get sent onsite a lot, and one company is extremely bad with security despite my warnings. So I was trying to think of other ways to get it into their heads that certain things they do should just not be done.