On Sun, 2002-05-05 at 19:07, El C0chin0 wrote:
> I would like to know the types of training you feel are most
> effective in reaching the common layman regarding
> Information Security. I would also like to know what

The layman can get a lot out of simple infosec awareness. While this only scrapes the surface, it still leaves you with a lot of material to work with. A few random ideas:

o Skeptical / critical thought (social engineering awareness) - how do you handle email attachments, can you trust a web site, do you give someone your userid/password, how much information do you give someone on the phone, do you trust someone when they show up at the office with only a nice suit and a business card to establish their legitimacy, etc.

o Password Management - selecting a good password, where and how to store passwords, sharing passwords, etc.

o System Management - using anti-virus software, the importance of updating software (patches, updates, virus definitions, etc.), software selection & vulnerability (i.e. Outlook is behind a lot of email virus threats, do you really need it - sometimes the answer is 'yes', but not always), why creating a network share with a null password is a bad idea, firewalls / personal firewalls, etc.

o Encryption & User Services - interception of network traffic, HTTP+SSL, SSH vs. Telnet & FTP, email and S/MIME or PGP/GnuPG (and PGP's uses besides encrypting email), what a certificate means (authenticated identity vs. certification of business practices), etc.

When you make a presentation, it should remain practical. Keep the subject to "real world" concepts and situations. Maybe associate the issue with existing policies. And drive home the point with an example.

My most effective presentations to non-infosec audiences have always involved a "scare the horses" bit. People tend to shrug off a lot of these basic infosec issues as some kind of paranoid delusion unless they can see how it affects them directly. You can present a hypothetical situation, but a real-life horror story seems to hold more weight. A demonstration is even more convincing.

To convince a user base to switch to SSH, I set up a demonstration using dsniff to capture live telnet traffic within a test network - SSH was considered a Real Good Idea when the first passwords began to pop up. Note that this should not be fear-mongering; keep your examples realistic.

> type/kind of training should InfoSec Professionals go
> through in order to be effective?

I really like what SANS does. Some of the best resources available are due to the infosec community. SANS works with that concept. SANS courses are written and instructed by individuals within the infosec industry. Off-hours at SANS conferences are filled with invaluable, informal "birds of a feather" discussions (the real value of a SANS conference, IMHO). The certification (GIAC) process requires the individual to write a practical, which is in turn available to the community (enriching the available documentation / knowledge). For those who are unable to make it to SANS conferences, they have also begun offering online courses (although one should really attend at least one conference if possible).

-- 
.: Paul Hosking . [EMAIL PROTECTED]
.: InfoSec
.: PGP KeyID: 0x42F93AE9
.: 7B86 4F79 E496 2775 7945 FA81 8D94 196D 42F9 3AE9
