RE: Dave Aitel on end user security training

2012-07-27 Thread Stu Sjouwerman
DANG! I go away for a week, and then I miss this very interesting thread.
[grumble]

I wrote a blog post about this one; you might like it:

http://blog.knowbe4.com/who-is-this-yahoo/

Warm regards,

Stu


On Wed, Jul 18, 2012 at 3:43 PM, Kurt Buff wrote:
I must say, I have to agree, for most business cases.


http://www.csoonline.com/article/711412/why-you-shouldn-t-train-employees-for-security-awareness


OTOH, I don't think you have much alternative when dealing with family
and friends - training is pretty much all there is.

Kurt

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe ntsysadmin


Re: Dave Aitel on end user security training

2012-07-18 Thread Steven Peck
The whole article seems based on the premise that IT asks for end user
security training because they are looking to dodge blame, not, you know,
as part of a more comprehensive Security process which includes automation
processes and layered defense.

It's like saying you shouldn't lock your car because they could just break
a window to get in, you should hire a security guard that sits in your car
while you are not there.

Steven Peck
http://www.blkmtn.org




RE: Dave Aitel on end user security training

2012-07-18 Thread Ben M. Schorr
I agree with Andrew completely.

The premise of the article is flawed - nobody is doing security training 
INSTEAD of securing critical files or perimeter defenses. The fact remains the 
users SHOULD have at least some training to help boost their security awareness.

No level of "perimeter defense" saves you when a bad guy calls your end user on 
the phone and gets them to tell their password. What saves you there is a user 
who is smart enough to refuse to give their password to strangers over the 
phone.

And that too often takes training.

Ben M. Schorr
Chief Executive Officer
__
Roland Schorr & Tower
www.rolandschorr.com


RE: Dave Aitel on end user security training

2012-07-18 Thread Ziots, Edward
Personally, 

I am of the same mindset when it comes to user training. I think training and 
enforcing your policies and integrating them with your technical solutions can 
provide benefit.

I do however agree with his position on what you need to keep your eyes on, 
which is your most critical assets and the threats that are present to them and 
where they might come from (which could be a multitude of places).

I think with the whole APT thing, the thinking is going to have to look more 
inward towards where the threat is coming from, and that is users' browsing/email 
habits; whether it's malicious attachments or browser exploitation, it all has a 
social engineering flair to it (even if it comes from across the globe). 

I think things that should be high on the list for eyes on:

Auditing of systems and the review of the logs: (Too often auditing is not turned 
on or not looked at on a regular basis)

Asset Classification: Mileage varies, but if you know what the business deems 
critical you tend to dedicate more time, attention, security and monitoring 
to said systems and what information they provide to others. 

Egress filtering: IPS, Firewall, Web Proxy (Again, if you can't get the data 
back out the pipe because the avenues of escape are blocked, then any attempts 
from high-valued assets to talk to these or other restricted networks should be 
your heads-up of possible compromise) 

Learning from previous events: Whether it's a malware outbreak, Rootkit/Trojan, 
etc., learning where it might have come from and what can be permanently 
blocked or limited is a good way to "learn from your mistakes". 

Knowing what traffic is good and what is truly bad and shouldn't be allowed on 
the network. (How many of you know what your users are actually doing on their 
PCs from a traffic perspective and take a proactive approach to limit nuisance 
traffic from going out your pipe?)

My two cents on the subject.

Now back to figuring out some Certificate Authority stuff with Windows 2003 
Servers that won't enroll via the certificates snap-in. 

Z

Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org


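The egress-filtering point in the message above (denied outbound attempts from a high-value asset are a heads-up of possible compromise) written out as a small detection over firewall deny logs. This is an added example, not code from the thread or from any of the posters; the log line format, the hostnames, the asset tiers, the allowed-destination set and the alert threshold are all constructed assumptions, and a real firewall or proxy will log in its own format.

```python
"""Egress-deny alerting for critical assets (added illustration).

Given firewall/proxy log lines, raise an alert when a host classified as a
critical asset repeatedly tries to reach destinations outside its allowed
egress set, and separately report critical hosts that were *allowed* out to
unapproved destinations (a gap in the egress policy itself).
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed asset classification (hostname -> tier).  In practice this
# would come from the asset inventory / CMDB the thread talks about.
ASSET_TIER = {
    "db-payroll-01": "critical",
    "fs-hr-02": "critical",
    "ws-reception-17": "standard",
}

# Constructed egress policy: the only destinations a critical asset should
# ever reach (e.g. an internal patch mirror and the web proxy).
ALLOWED_EGRESS = {"critical": {"10.0.5.20", "10.0.5.21"}}

# Constructed syslog-style line format; adjust the regex for a real device.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) fw action=(?P<action>\w+) src=(?P<src>[\w.-]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed sample log: one critical host hammering two blocked external
# addresses, one standard workstation doing the same, one critical host with
# a single deny plus an outbound connection the policy should have blocked.
SAMPLE_LOG = [
    "2012-07-18T14:01:02Z fw action=deny src=db-payroll-01 dst=203.0.113.10 dport=443",
    "2012-07-18T14:01:07Z fw action=deny src=db-payroll-01 dst=203.0.113.10 dport=443",
    "2012-07-18T14:01:12Z fw action=deny src=db-payroll-01 dst=198.51.100.7 dport=8080",
    "2012-07-18T14:02:00Z fw action=allow src=db-payroll-01 dst=10.0.5.20 dport=443",
    "2012-07-18T14:03:00Z fw action=deny src=ws-reception-17 dst=203.0.113.10 dport=443",
    "2012-07-18T14:03:30Z fw action=deny src=fs-hr-02 dst=203.0.113.10 dport=443",
    "2012-07-18T14:04:00Z fw action=allow src=fs-hr-02 dst=192.0.2.5 dport=443",
    "this line is not in the expected format and is skipped",
]


@dataclass
class EgressAlert:
    host: str
    tier: str
    attempts: int
    destinations: tuple  # sorted, de-duplicated destination addresses


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None otherwise."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    return ev


def classify_events(lines):
    """Keep only events from critical-tier hosts to unapproved destinations,
    split into denied attempts and allowed-but-unapproved connections."""
    denied = defaultdict(list)      # host -> [dst, ...]
    unfiltered = defaultdict(list)  # host -> [dst, ...]
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        tier = ASSET_TIER.get(ev["src"])
        if tier != "critical":
            continue
        if ev["dst"] in ALLOWED_EGRESS[tier]:
            continue  # approved destination, nothing to see
        if ev["action"] in ("deny", "drop"):
            denied[ev["src"]].append(ev["dst"])
        elif ev["action"] == "allow":
            unfiltered[ev["src"]].append(ev["dst"])
    return denied, unfiltered


def find_suspicious_egress(lines, threshold=3):
    """Critical hosts with at least `threshold` denied egress attempts."""
    denied, _ = classify_events(lines)
    alerts = []
    for host, dsts in sorted(denied.items()):
        if len(dsts) >= threshold:
            alerts.append(EgressAlert(host, "critical", len(dsts),
                                      tuple(sorted(set(dsts)))))
    return alerts


def find_policy_gaps(lines):
    """Critical hosts that were allowed out to destinations not on the list."""
    _, unfiltered = classify_events(lines)
    return {host: sorted(set(dsts)) for host, dsts in unfiltered.items()}


if __name__ == "__main__":
    for alert in find_suspicious_egress(SAMPLE_LOG):
        print(f"ALERT {alert.host} ({alert.tier}): {alert.attempts} denied "
              f"egress attempts to {', '.join(alert.destinations)}")
    for host, dsts in find_policy_gaps(SAMPLE_LOG).items():
        print(f"POLICY GAP {host}: allowed out to {', '.join(dsts)}")
```

The threshold keeps a single mistyped URL from paging anyone, while the second report catches the case the egress policy was supposed to prevent in the first place: a critical host that actually got out to somewhere unapproved.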
Re: Dave Aitel on end user security training

2012-07-18 Thread John Cook
Bank tellers also get extensive training to protect the bank. Try getting a 
company to pony up for end user security training. I managed to convey its 
importance to my upper mgmt; it has certainly paid off, as I test them randomly 
and the failure rate has dropped off considerably.
John W. Cook
Network Operations Manager
Partnership for Strong Families




RE: Dave Aitel on end user security training

2012-07-18 Thread John Hornbuckle
I'm not prepared to throw IT security awareness training out the window, but I 
agree with Aitel's position that enterprises should approach security with the 
assumption that some users will ignore what they were taught.

He writes that "a user has no responsibility over the network," but that may 
not be realistic in this era. All of my users have a certain responsibility 
when it comes to protecting the network, just as we all have responsibility for 
our physical environment. If I'm the last person to leave the office but I 
don't lock the door, I'm neglecting my responsibilities. I can argue that I'm 
not the person in charge of facilities, but that doesn't fly. If I'm using an 
asset--regardless of what that asset is--I have a role in protecting it to the 
degree that I can.

He also says that users "don't have the ability to recognize or protect against 
modern information security threats any more than a teller can protect a bank." 
Bad analogy. Bank tellers certainly DO have a role in protecting the bank's 
assets, such as requiring that customers provide proper ID before handing out 
cash.



John Hornbuckle, MSMIS, PMP
MIS Department
Taylor County School District
www.taylor.k12.fl.us






Re: Dave Aitel on end user security training

2012-07-18 Thread Andrew S. Baker
I think that the comments were far more instructive than the article itself.

> I'll admit, it's hard to find broad statistical evidence that supports
> this point-of-view


I've seen marked improvement in internet behavior in 3 different
organizations where I was able to implement security awareness training.
We went from more than 60% clicking on things they shouldn't, to less than
5% based on monthly testing.   This had a very tangible benefit in security
remediation, which saved tons of time and effort.

I submit that if your security awareness training isn't working, then it's
the specific implementation of training that should be evaluated, not the
entire concept of training.

ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...


