Archive for the 'User Awareness Training' Category

11 Oct 11

Let’s Talk Phishing

Phishing is one of the most dangerous scams on the internet today.  That is not news to anyone who even casually reads the news.  The purpose of a phishing attack is to gain access to critical data by coercing users into disclosing it.  An even more egregious form is spear-phishing, where the attack is tailored personally to your employees.

When companies test their security they rarely test how well their users stand up to phishing.  Yet it is extremely relevant.  Not testing for phishing success is really just waiting to get your data stolen.

Your employees don’t know how to react unless you train them.  You can’t train them until you know where you are weakest.

We offer this as a service to our clients, because no single test or assessment makes you secure.  Only through several tests can you really know where your security stands.

10 Oct 11

Communication is Key

The number one thing that makes companies more secure is often overlooked.  It isn’t the firewall, the anti-virus, the email filter, or even the 2FA process.  It is communication.

For example, encrypting a hard drive is a great thing to do.  Then an employee tapes the password to the keyboard because it is too complicated to remember.

If the risks and the process are never properly communicated to employees, all the devices in the world will not make you 100% secure.

Join me in Charleston on October 13, 2011 for a one day training class on how to make security a part of your organization. http://www.xtmtraining.com/trainingform.php

04 Oct 11

Phishing Attacks

Most companies do not test for user reactions to a phishing scam.  This is a mistake.  Not knowing how a user will react to a phishing attack leaves your company vulnerable.

We offer phishing tests to help our clients protect their assets.  Don’t wait for an attack to occur.  Test for it so we can train your team properly.

19 Sep 11

End User Education

Another common mistake I see in IT is assuming that what a setting or policy does makes sense to the end users.  This is absolutely not the case.  IT people should never assume their communication makes sense, any more than a doctor should assume that explaining what test they are running is enough.  Most people would have follow-up questions.

If your IT department has ever tried to roll out a security initiative or change a process and had to roll it back, it probably wasn’t the process itself that failed but rather the way it was rolled out.

Taking the time to explain the Why of the process change and the How is the only way to get to the Success of any project.

04 Jun 11

Deciphering the Chaos

So if everything is running together and people are tuning out the risks they face, what can be done about it?  I am not sure reacting to every breach is the ideal approach.  I believe we can take a few simple steps to reduce our risks and control our exposure.  The main issue with all of these breaches is the theft of personal information.  So let’s just remove that from the equation and be in control of our own information.

Here is a brief list of what you can do to protect yourself online that most people don’t think about.  This is of course in addition to the well-known risks and protections people should already be taking.

  1. Use a Password Generator – I like and use LastPass, www.lastpass.com.  It is a little plugin for all browsers and devices that creates and maintains all of my passwords.  I have no idea what most of my passwords are because I simply log in to LastPass and it fills in the username and password for me when I want to log in.  I can view them if I want to, but I rarely need to.  The best part is, no one can see the passwords except me.
  2. Don’t Be Honest – If I have one reputation in the world it is honesty, though I do have others.  But when it comes to internet security I choose to lie most of the time.  Take those password reset questions.  Why do we always want to be honest and give the real name of our high school or our Dad?  The answer to almost any question a website asks could be found by anyone doing a Google search about you.  My suggestion is to use made-up answers.  You can always use the same answer on different sites so you don’t forget, but the key is to never be honest.  The website won’t know that your high school wasn’t really called Peanut Butter Crunch or that you weren’t born in Antarctica.  By taking this simple step you can always reset your passwords, but most importantly the bad guys can’t, because the information is bogus and only you know it.
  3. Keep it Personal – You never need to share personal details about yourself online.  You can be social but not specific.  For example, don’t say “I am going to dinner with John at 131 Main at 8:00.”  There are two issues there: first, I know you will be out of the house, and second, I know where.  Say something like “John and I are going to dinner tonight.”  Also, avoid using sites that want to broadcast your location, like Foursquare.  There are sites that compile who in your area is not home or is out of town, which is exactly what a burglar wants to know.  The truth is I don’t really care that you are checked in at the Dunkin Donuts for the fourth time this morning.

09 Mar 11

No Birthday Wishes from Me

I will withhold my birthday wishes for this one.  This is the 25th anniversary of the computer virus.

According to the article, in 1986 Basit and Amjad Farooq from Pakistan circulated Brain, the first computer virus, on a floppy disk.

http://content.usatoday.com/communities/technologylive/post/2011/03/documentary-examines-the-inception-of-pc-viruses-25-years-ago/1

15 Nov 10

Transparency is Overrated

I was so sick of the term transparency during the 2008 Presidential election.  Not that I think transparency in Government is a bad idea, but I know it won’t change with this administration or the next, so they should just quit lying about becoming transparent.  Remember, Pelosi promised pay-as-you-go, which was before we went trillions in the red.

As much as I like to talk politics I will skip that and get to my point.  Society is far too transparent for my taste.  On my way to a trip on Friday (I won’t say where, for risk of being a hypocrite), from the time I left the parking shelter to the time the bus arrived at the terminal, everyone on the bus knew absolutely everything one lady had done the night before.  Her drunken fight with her boyfriend, everything they fought about, his issues and what he should have done, what she did, etc.  I had no interest in listening, but she was oblivious to her volume and made everyone feel awkward.

I can randomly pull up Facebook pages of people I don’t know and read about their kids, their friends, their birthdate, etc.  These people have one of two things going on.  One, they don’t realize it and aren’t aware of the security risk involved.  Two, they don’t really care about the risk.  They want to be transparent and open with their lives.

Many of these same individuals are happy to be just as transparent about what they do for your company and what your company does behind the scenes.  They will name their bosses and describe what they have done wrong or what they did yesterday: “My Boss Joe Daniels from accounting is headed to Seattle for the weekend.  He is worried he won’t make it back in time for his son’s baseball game.”  That one sentence can cause someone terrible identity damage.  Transparency on the web assumes there are no nefarious folks also looking at the information.

There are actually web sites that flag which addresses are currently unattended, based purely on what the occupants have been transparent about.  Business leaks are even worse.  Since we don’t want to control what people say and think outside of work, I suppose we just need to hire better people and try to sniff out the gossips during the interview process.  If people gossip about family and friends, they will definitely gossip about the corporation.

Corporations can stay proactive and monitor for leaks on the web.  When information is found, the leaker can be dealt with.  They can also prevent information from being leaked from inside the company walls with data loss prevention (DLP) controls.

12 Nov 10

Protecting the Little Things

One of my interests is identity theft protection.  This isn’t exactly related to my job, so I guess you could call it a hobby.  I am working on speaking engagements on the topic for local churches and groups.  There is a lot of crossover between the two fields.

One example is crumbs of information.  Let’s say I give you my wallet; it would be easy to steal my identity.  But let’s say you have only my name, we start talking one day, and you ask me my birthday, you ask what school my kids go to, etc.  Individually these items are useless.  Together they can be devastating.

In business it works the same way.  With just your company name I can call and speak with the receptionist and most likely get the company’s D&B number; I can call back and get the names of the partners; and another call could go directly to one of the partners to “verify information so we can finalize the change in the credit line.”  Four phone calls and a brief morning of work and I have taken over the business identity.

Privacy has to be drilled into the company, deep down at its core.  No compromises, ever.  And how is this accomplished?  By training everyone, employees and management alike.  Not with one brief free seminar, but with a consistent training program that is repeated and remembered.  We can all get sloppy.

Take a look at this video from 60 Minutes with identity theft expert John Sileo.

20 Oct 10

WatchGuard Training in Nashville – Next Week

We have three spots open for our WatchGuard training class in Nashville, TN starting Monday.  This will be the only WatchGuard XTM training class in the area for some time.

Go to www.xtmtraining.com to register.

15 Oct 10

Is All Malware Bad?

Is all malware bad?  After reading about the Stuxnet virus I would say no; there is a beneficial place for some malware.  Maybe we need a new name for this type of software.  I am open to suggestions.

http://www.scmagazineus.com/stuxnet-examined-at-vancouver-conference/article/180654/
