Neil2094
Newcomer I

Planning an InfoSec week

Seasons Greetings,

 

I hope this is the right place to post this.

I am seeking some guidance on the delivery of an InfoSec week. I am currently planning one for my organisation; the goals are:

  1. Raise awareness of information security, the expectations, goals, and responsibilities of those within the organisation
  2. To demonstrate ongoing awareness and training to uphold ISO 27001 compliance
  3. Improve the security culture

I have 'mind mapped' some ideas and discussion points around my chosen core subjects, which are:

  1. Social Engineering
  2. Securing Data
  3. Online Safety
  4. Email safety
  5. Confidence (as in confidence to report something suspicious or a mistake)
  6. Reporting (how incidents are reported)
  7. Physical security
  8. Securing credentials
  9. Mobile / Tele-Working

My worry is that this may bore our users, who will just see this as a mandatory hoop to jump through in order to get back to work. I have made a conscious decision to avoid using PowerPoint as the main presentation method, although I expect that it may be necessary at stages.

I am looking for a more engaging and interactive method and could use some advice from the community.

I am a little introverted and not particularly charismatic, so I have concerns that I may end up taking the wrong approach. What delivery methods have you found to be successful? What challenges did you have in maintaining engagement? How did you measure success of the sessions?

Thanks for any guidance, feedback, replies.

4 Replies
Cyberconstlearn
Newcomer III

I would say it depends on your target audience. Each type of group will have a different type of setting that is better for them. Perhaps even asking a few of them what they would like to see from each group (formal, informal, Q&A style..etc) would help you get a better grasp of what would be the most beneficial. If this is a company requirement type training, at best they will gloss over it and take the quiz at the end and be done for their "yearly" checkup, so those are only good for the due diligence/care of the company aspect.

My suggestion: just be up front. Ask them, get feedback, plan accordingly, and then continuously update the program with feedback from each "session": what worked, what didn't (noticing any similarities to Cybersec PDCA?). Also, candy for right answers is always a good way to keep people involved, or perhaps company swag giveaways.

~edit oh and above all, of course, get some leadership (as high up as you can get) buy-in to at least the first couple of these sessions. Where the leaders are, others will follow.

CISOScott
Community Champion

When I used to do New Employee Orientation (NEO) I would wheel in a cart that had a laptop on it, some antennas and some pcap capturing devices. As I was giving the NEO presentation about cyber security I would ask this question: "How much does it cost to be a hacker?" I would get several responses from the audience and then I would say "This laptop was bought from a surplus store for $30. I bought a hard drive for $50. I downloaded some free software off the internet, and these antennas I bought used for $30. $110 and I am hacking." I would then proceed to call out some of their home routers or networks that their phones were trying to connect to. It was an eye-opening presentation and I held their attention throughout the hour-long class.

For another one I fired up the Social Engineering Toolkit (SET) and asked "How hard is it to send a spoofed email loaded with a malicious file?" After getting a few answers, I proceeded to show them how in less than a minute I could send one.

These hands-on displays garner more attention than someone droning on about cyber security rules and regulations. Make it exciting. Give them something they can use or shock them with how easy it is to hack things. Here's an idea:

Show them HaveIBeenPwned. Have them look to see if any of their corporate or personal emails have been involved in a publicly disclosed breach (HaveIbeenpwned.com). If you are the security person for your company, sign up for their domain notifications so that anytime anyone's company email is involved in a publicly disclosed breach, you can be notified. I did this in an organization of about 5000 and would get several emails a month. This also gave me ammo to use when telling senior management that we had a problem with employees using company email for non-company use. I saw such misuse as match.com (dating site), biglots.com (retail store), victoriasecret (adult clothing store), etc. This also helped lay the groundwork for me to have conversations with the end users while not being adversarial against them. It let the user talk to me and get to know the security department. I would usually receive some follow-up security questions about a different topic. This also further reinforced the acceptable use policy of only using company email for company use.

As a security person you want to be approachable. You also want to be knowledgeable and give the users something they can use, not just throw in the trash when they leave the room. I would suggest using a live session of some kind.

rslade
Influencer II

> Neil2094 (Newcomer I) posted a new topic in Tech Talk on 12-13-2019 05:58 AM in

> Seasons Greetings,

Happy Solstice Party Period to you.

>   I hope this is the right place to post this..

I might have thought "Career," but, you're right, we have limited choices ...

> Social Engineering
> Securing Data
> Online Safety
> Email safety
> Confidence (as in confidence to report something suspicious or a mistake)
> Reporting (how incidents are reported)
> Physical security
> Securing credentials
> Mobile / Tele-Working

Fairly good list.

> what delivery methods have you found to be successful?

Posters tend to be good. (Think advertising.) Use different methods. Repeat
simple themes/memes. Have more advanced/interactive discussion sessions, but
limit those to "champions."

edfosho
Reader III


@CISOScott wrote:

I like this - a hands-on approach, some real-life demos.

I did something similar with a team at a university, and it proved popular with some of the students, just showing them what can be done if you don't take InfoSec seriously.

HaveIBeenPwned is a great intro into why you should care about your email addresses and password hygiene.