11/05/2009 22:38:35
Obelix
SysAid Wiz
Joined: 12/06/2008
Messages: 901
Offline
Educating users has been suggested for years as a best practice in network security. It makes a lot of sense, especially now when, thanks to the advances in perimeter security technology on the server side, the threat shifts from the system to the application, hence the new branch: endpoint security. So it's the first thing that came to my mind when I got overwhelmed by the work I need to do just to keep up.
The thing is, every time I sweep the faces of my users... how they sneered triumphantly because they managed to sneak in some porn or multimedia files... or were seriously chatting... or sighed over another Facebook hunk... I just...
I can't help thinking the education will be more of a push than a help.
What I'm talking about is... in security... you can't talk about the protection without mentioning the attacks. Now what guarantee is there that after the training the users will exercise more of the protection than the attack? Would they be awakened and start doing things cautiously... or would they be "enlightened" and start creatively pushing the boundaries?
I know... I know... security through obscurity doesn't work. They will eventually learn it somewhere anyway. All eyes upon the subject is better than SOME eyes. Have faith in people. Be positive. But in risk management, don't we have the responsibility to minimize the risk?
So should we or should we not educate?
That is not a bug, it's a feature...
When everything else fails, try SysAid Wiki by Techguy
15/05/2009 11:23:43
scumgrief
Super SysAider
Joined: 25/02/2009
Messages: 57
Offline
For our organization (dealing with medical records), we decided to actively discipline staff (getting Human Resources involved) who were caught in a security violation. But it hardly seemed fair to discipline staff for something they didn't receive training on. So we have a very thorough, required annual security training, with the understanding that if staff violate the security policies they are being trained on, there will be consequences (oral warning -> written warning -> termination, etc.).
So I would say, if you decide to do security training, you have to be ready to take a stand and have a process in place to enforce your policies/rules.
But if you don't train, it's pretty hard to enforce your policies.
scum
15/05/2009 11:37:20
avc
SysAider
Joined: 03/07/2008
Messages: 9
Location: Atlanta, GA USA
Offline
Being at a small shop, I found this video and gave it to the training dept to show people:
http://www.vita.virginia.gov/communications/publications/servicebulletin/default.aspx?id=7456&QuarterImage=second08
4th item down: "New video: "The Duhs of Security" promotes effective security"
You can also find it on YouTube.
16/05/2009 00:17:50
Obelix
SysAid Wiz
Joined: 12/06/2008
Messages: 901
Offline
This is a true story and fresh from my cave...
I fired off a mass e-mail warning users that PowerPoint is now the favourite target. You know what the first and most-asked question was?
"How do they put the malware in PowerPoint?"
That is not a bug, it's a feature...
When everything else fails, try SysAid Wiki by Techguy

18/05/2009 07:40:03
Tim Sutton
Super SysAider
Joined: 15/07/2008
Messages: 59
Offline
Obelix wrote: This is a true story and fresh from my cave...
I fired off a mass e-mail warning users that PowerPoint is now the favourite target. You know what the first and most-asked question was?
"How do they put the malware in PowerPoint?"
My reply would be "it's very complicated, but we are seeing active use of this in the wild and as such you need to be aware of it".
There's a difference between making people aware that things are dangerous and showing them how to do "black hat" stuff.
If you want some good reading on security which isn't dry at all, try Security Monkey's blog over at ITToolBox.com: http://blogs.ittoolbox.com/security/investigator/ Have a read of his case files, as they set real security into a realistic scenario... plus they're fun to read.