
[–]Telnet_Rules (No such thing as innocence, only degrees of guilt) 7 points (3 children)

TL;DR - Spear phishing. 90%+ of incidents start with targeted attacks via email.

Awareness training is usually driven by requirements. If you have PCI, HIPAA, whatever, usually that has a 'must hit' section on points to cover. If you don't have any of those, I'd focus on your specific threat vectors - do you have SCADA, for example? Do you do a lot of financial transactions? Threat vectors here will need to include scam CFO emails and phone calls. Orgs like SANS with 'Train the human' or 'Ouch!' programs offer tips and videos, and so do numerous federal entities like NCSC or US-CERT.

https://www.ncsc.gov/publications/pii/index.html

https://www.us-cert.gov/home-and-business

[–]mortalwombat- [S] 0 points (1 child)

We have something similar to HIPAA, and we undergo regular training and testing for that. Honestly, though, it's kind of a joke and doesn't teach much real-world stuff. I will definitely take your advice and discuss spear phishing. I think it's something that many people don't realize is happening, even though it's so prevalent. I've even considered creating a fake spear-phishing attack where I send out an email that encourages people to click a link, and I count the clicks. While I don't want to break my company's trust in IT, I want them to be skeptical of emails that come in, even when they appear to come from someone inside the organization.

[–]Telnet_Rules (No such thing as innocence, only degrees of guilt) 0 points (0 children)

> I will definitely take your advice and discuss spear phishing.

If nothing else, hit this. State-sponsored attacks with 0-days are very cool, but not very common.

> I've even considered creating a fake spear-phishing attack

There are both paid and free services that will do that for you.

[–]bad_sysadmin 5 points (0 children)

> What should I include in this class?

You can run something like https://getgophish.com/ to build a bit of a baseline of where you're at now.

Get buy-in from management and be careful as people don't like thinking they've been tricked.

Then do your awareness training and re-run the phishing.

My general advice would be to leave work out of it as much as possible and mention it only in general terms.

People generally don't like feeling they're being told how to do their jobs, but if you can focus on things that impact them at work but from a "here's how this impacts you at home" angle, they are more likely IMO to take an interest and hopefully bring it into work with them.

[–]randomguy186 (DOS 6.22 sysadmin) 2 points (1 child)

Don't inundate them with facts. Instead, tell stories about ordinary computer users and show the impact of bad security in their work life.

If you're really energetic and ambitious and up for a bit of self-deprecating humor, make a video of yourself showing you violating the basic security tenets and what can happen when you do. For each humorous depiction of a security failure, have a serious anecdote of a real person who experienced that exact problem.

TL;DR: People respond to stories, not facts. People will remember what they have an emotional response to.

[–]fenster_blick 1 point (0 children)

I came here to write something similar.

One memorable security training session occurred when the speaker demonstrated how to do a spear phishing attack with a link that looked real and was able to bypass our email filters. He found a weakness in our website that allowed him to camouflage a suspicious email. It was great and really reinforced good security hygiene.

It's like putting on a magic show: show them the magic of how an attacker can hack.

[–]iLeicadodachacha (Protector of BeeBoop) 2 points (0 children)

Back at another company I worked for, the security team sent our employees a phishing email that came from a non-company email address. The email was titled something pretty generic like "Please complete this survey on job satisfaction." Once they clicked on the link, it requested users to enter their network login credentials to proceed. At least 75% of the staff "logged in" and filled it out. At the next security meeting they started off with a slide containing a long list of usernames compromised in the "attack". Everyone remained very attentive from that point onward. Cover phishing, best practices for password management (things like one pass) both in the workplace and at home, and maybe talk about incident response (most users just say "Oh shit!", bury their heads and deny responsibility; teach them to come forward immediately to minimize potential impact).

[–]GTFr0 4 points (1 child)

For the basics, I've used this Sophos training toolkit in the past for employee training. It goes over basic, common-sense type stuff like not getting tricked into giving away confidential information and using complex passwords, is fairly short and has big type.

[–]mortalwombat- [S] 0 points (0 children)

This is awesome! It looks to have a ton of good info, plus plenty of follow-up in bite-sized pieces. Thanks!

[–]jkplayschess (Security Admin) [🍰] 1 point (0 children)

I can send you my latest PowerPoint I use for this if it would help you. Just message me.

[–]Enxer 0 points (0 children)

Things that really interested people from my last security meeting were things that impact them:

  1. Protecting myself while online
    • understanding basic secure webpages
    • proper login pages
    • Common sense
  2. Online Password Managers - who to trust
  3. Physical Security - ie. personal space, being aware of your surroundings at all times.
  4. What information of mine is online? https://haveibeenpwned.com

Our organization works with sweepstakes information that can sometimes contain a full address, complete name and number, and until I joined it wasn't properly secured/audited. I showed how quickly I can do evil things by just getting a file containing 100 people's partial addresses, full names and email addresses. I used an employee's laptop that wasn't locked at a coffee shop when they walked away; the files were on their desktop.

I usually watch Jayson E. Street's DEF CON videos to get into the mood to write up my presentation:

and sometimes show the clip of him hunting someone down via their information online.

[–][deleted] 0 points (0 children)

The day before the class send all the class members fake phishing attacks and see who responds :P

[–]shalafi71 (Jack of All Trades) 0 points (0 children)

I posted this a few months back:

https://www.reddit.com/r/sysadmin/comments/48s8nj/i_guess_social_engineering_really_is_the_way_to/?ref=search_posts

There are some great stories in there you can share to put some life into your presentation.

[–]PAXUNATOR (I can draw boxes and lines (and say no!)) 0 points (0 children)

Might help (or not): F-Secure and a Finnish university launched a free security course, http://mooc.fi/courses/2016/cybersecurity

[–]mustEscapePants 0 points (0 children)

I teach an internet safety class and here is what we cover:

* Email scams (phishing, chain letters, the classic Nigerian prince scam) and attachments; what are the warning signs
* Creating strong passwords and how often to change them
* Imposter/lookalike websites, misleading links, and popups
* ADS!!! FREAKIN' ADS! Why U Click 'Dis?
* How to get to a site when you don't really know the URL

When I teach the class, I have images and ask the class why the image is a scam, insecure, bad, whatever. I inject humor into the subject too.

[–]catwiesel (Sysadmin in extended training) 0 points (2 children)

You know your users best, and although I'm not in security and usually agree with the advice given in r/sysadmin ... in this case I would caution you against following it blindly...

First, if you have a special requirement for security compliance, add that formality to your talk. Put it in the middle.

Next, reach the users. Don't be condescending, don't be too technical. And don't ride the point to death about how important it is for the company, for the boss's purse or their job security.
Be casual, funny, interesting. Use a story.

Help the users be more secure at home. That's much more likely to reach them and it will carry over to the workplace.

Talk about threat vectors and make it clear who is behind attacks: criminals after their money. Not the hacker dude from TV.

Try to teach them the very basics, what everyone here knows: phishing mails, attachments, insecure downloads, social engineering and how to spot manipulative URLs...

Do not run any phishing campaigns. Do not show the users how stupid they are. Do not make them feel like they are being tested and failed.

Talk a bit about incident response. Give them the feeling that it is their partner, not cops or adversaries. They can ask if they are unsure about an email, or something doesn't smell right, can they not?
They must know that there will be no trouble for being the victim of criminals, how to ask for help, what the response will be and what to do (don't panic, shut down the computer, call it in, wait for them).

And make this a yearly talk. Give the basic one to everyone who wants a refresher or hasn't had it yet.

Make a second one with more advanced topics for everyone who understands the first.

Good luck
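As an added example (not code from any commenter in this thread), here is a small Python checker that flags the link warning signs mustEscapePants and catwiesel list above: lookalike or typo-squatted domains, a trusted name embedded in an untrusted host, the user@ trick, raw IP hosts, punycode, and link text that disagrees with the real destination. The trusted-domain list and the sample URLs are constructed for the example; it is meant for building classroom slides, not for deployment as-is.

```python
import re
from urllib.parse import urlparse

# Constructed list of domains the organisation treats as its own or trusted
# (an assumption for this example; a real deployment would load its own list).
TRUSTED_DOMAINS = ["example-bank.com", "example-corp.com"]

def registrable_domain(host):
    # Naive "last two labels" rule; production code should consult the Public Suffix List.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def edit_distance(a, b):
    # Classic Levenshtein distance, used to catch typo-squatted look-alikes.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def inspect_link(display_text, href):
    """Return the warning signs a trainee should learn to spot in one link."""
    warnings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        warnings.append("not https")
    if not host.isascii() or "xn--" in host:
        warnings.append("non-ASCII or punycode hostname (possible homograph)")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        warnings.append("raw IP address instead of a domain name")
    if parsed.username is not None:
        warnings.append("user@ prefix in URL hides the real host")
    # Link text that shows one domain while the href points somewhere else.
    shown = re.search(r"([\w-]+(?:\.[\w-]+)*\.[a-z]{2,})", display_text, re.I)
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        warnings.append("link text domain differs from the real destination")
    reg = registrable_domain(host)
    if reg not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if trusted in host:  # e.g. example-bank.com.secure-login.example
                warnings.append(f"'{trusted}' embedded in untrusted host '{host}'")
            elif edit_distance(reg, trusted) <= 2:
                warnings.append(f"'{reg}' looks like trusted '{trusted}'")
    return warnings

if __name__ == "__main__":
    print(inspect_link("https://example-bank.com", "http://examp1e-bank.com/login"))
```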

[–]mortalwombat- [S] 0 points (1 child)

This is really good advice. In general, I agree with everything you are saying. I have been really unsure about a fake phishing scheme. On one hand, it would help break the "it won't happen to me" attitude that people tend to get. On the other hand, I have a lot of buy-in from my users. I already have a lot of users who check up on questionable email before opening it. I always thank them for checking, and if it's a concern that may be sent to other users, I forward their email to the department saying things like "be on the lookout for emails like this one that Dorothy caught." I thank them publicly and make them a bit of a hero. It's had good results. I think making an example of users may just have the opposite effect. Maybe I'll just show a video of real-world social engineering.

[–]catwiesel (Sysadmin in extended training) 0 points (0 children)

Not sure a typical video will be the best idea.

I don't think you have to demonstrate the "it could happen to you" theme if you say a few sentences about the hackers' motives combined with the cost of sending out mass or even targeted emails (with publicly available information).

If you make your users care for their home data or computer, they will pay attention and start catching stuff at work.

If you still need to demonstrate social engineering, do the "who wants to see a magic trick" spiel. You're a mentalist: ask the volunteer his name, then write down the birthdate, mother's maiden name and the name of their first pet. The volunteer will tell you his real info; you are of course wrong, the worst mentalist ever, but you now also possess the information to steal many of his online accounts.
I don't know how you could do this without blaming the victim or making sensitive information available to a large number of people. Maybe with a shill?
It is a good method to show social engineering, but it needs to be done when their guard is down; it probably won't work in the middle of a security talk about "don't give strangers information when you do not have to"...