Security's Everyman

Saturday, August 18, 2007

More on User Awareness Training

User Awareness is one of my favorite topics (like I had to tell you that). There are a couple of different camps when it comes to this: those who think it is a vital part of an Information Security program and those who think it is a waste of time. I fall in the first category (again, like I had to tell you that).

In my opinion, the problem with UA is that many programs are close to useless. They cover the topics, but they do a poor job of it. Even when the information is correct, the delivery is bad: poorly written, poorly presented, boring, etc. This is the challenge in creating an effective UA program for your company. I have been a participant in a few UA classes in the past, and they all lived up to their reputation of being a waste of time. Now I'm in the process of designing a UA program for my company, and I'm excited to have the opportunity. I will be able to put into practice some of the things that I truly believe will make UA effective. I'm going to work with some good friends who have been doing UA for a while and have created successful programs. Depending on budget and such, I will possibly enlist them to provide content and counsel, or possibly just bounce ideas off of them. Then of course I have the resource of the Security Catalysts Community to draw from. Between their participation in programs and creating or having input into them, I will have a rich pool of information and creativity to draw from.

Why do I bring this up now? Well, my thoughts turned back to this when I saw these two posts from Tom Olzak on the ITT Blog (here & here). The first one talks about how the bad guys are starting to turn their focus from firewalls, servers, etc. to end users. Why? For a couple of reasons. There are lots of new attack vectors that work well and are easy to pull off. They target the browser or other popular applications that are used frequently on the Internet: Java (the JVM/JRE), QuickTime, Windows Media Player, Adobe Acrobat, Silverlight... This is just a small sample. Many of these attacks require nothing more than the user visiting a web site that is serving a malicious ad; the user does not have to click on anything, because the exploit runs against the browser or plugin as soon as the ad loads. This article from Brian Krebs at Security Fix has a good example of this.

The second post by Tom talks about how we need to start teaching Security Awareness in high school: start the education before the users get into the workforce. I like that idea. Not only will it help when they do enter the workforce, but maybe it will help at home as well. Maybe they will pass on what they learn to their parents. Hopefully by doing this we can spread the word outside the workplace and get it into the homes where it needs to be.

I'm not sure if all of you are aware of how easy things are for the bad guys now. Hopefully you are, but if not I'd like to point you to a couple of good posts that Jeremiah Grossman pointed us to a few days back. They are here and here. Check them out to learn more about some of what is going on, or at least what is possible.

Also if you want to learn more about putting together a good Security User Awareness Program you can talk to Michael Santarcangello, Rebecca Herold, or The guys at All of them can help you with your program.

1 comment:

Kai Roer said...

Andy, you might find interest in knowing I am developing the same over here in Europe. I fully agree - UA is essence, but most of the current trainings are like eating sand in Sahara (try it, and you see what I mean). I'll be welcoming a dialog on the topic.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.