I just listened in on a great webcast by John Strand, one of SANS' lead instructors on their penetration testing courses. John spends an hour discussing the latest tools and techniques in conducting human-based penetration testing, specifically phishing and spear phishing. If you are involved in penetration testing and/or awareness training, this is a great resource. What I found most valuable is halfway through. John focuses on the different levels of human testing (he breaks it down into three levels) and stresses the importance of starting with the basic level. I could not agree more; I find this point key. If you spend enough time and research targeting an individual or organization, you can craft the perfect email that will fool anyone. No
HOWTO Awareness Training for APT
The APT (Advanced Persistent Threat) has popped up on the radar for many organizations, including those in government, defense or research. As many of you already know, APT is a type of threat actor (it is a WHO, not a HOW): specifically, a highly trained threat that is motivated to compromise your organization and has both the time and the resources to get in. One of my favorite resources on APT is Richard Bejtlich @taosecurity.
Because APT has become such a threat, organizations are attempting to educate their employees. But the question becomes: what do you teach them, and what behaviors do you want to change? These are not simple cyber criminals trying to install rogue anti-virus; this is nation-state stuff.
...
I'll be teaching MGT 433 this March 23/24 in sunny Orlando as part of SANS 2012; you can also attend the class virtually without having to leave home. If your organization is planning a new security awareness program, or looking to improve an existing one, this intense two-day course is for you. In addition, I'm updating the course, so expect new material, including better integration with standard project management practices, more advanced assessment labs, a new section on APT, and formalizing the approval process.
What students like most
...
Security Awareness For Senior Management
As I discussed in my last blog posting, we at SANS are going through our bi-annual update on security awareness training, specifically updating our awareness content. One of the key new modules we are developing is just for senior management. While it would be great for senior management to go through all the in-depth training their employees do, unfortunately reality dictates otherwise. Senior management is extremely limited on time; getting them to sit through an hour of training may simply not be an option. However, if you can condense that key training to, say, five or ten minutes, this is far
Last week we discussed WHY you would want to consider phishing assessments as part of your security awareness program, specifically metrics and reinforcing training. Today we discuss HOW. Below are several different options, starting with the simplest and finishing with the most advanced. Each has its advantages and disadvantages, so try whichever works best for you. If I left one out, let me know.
- URL Shorteners: Many URL shortening services like http://bit.ly and http://goo.gl have the ability to track how many people
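A shortener only tells you how many people clicked, not who. The metric that actually drives awareness training is the per-recipient click rate, which needs a unique link for each person. Below is an added example (my illustration, not code from the original post or from any shortening service) of the minimum you need to do that in-house: an unguessable per-recipient token, and a pass over the web server's access log that maps clicks back to recipients and computes the rate. The landing-page URL, the campaign key, the recipient list and the log lines are all constructed for the example.

```python
"""Added example, not from the original post: per-recipient tracking links
for a phishing assessment, plus the metric pass over web-server access logs.

Assumptions (hypothetical, not from the post):
  - the landing page is hosted at https://training.example.com/survey
  - the web server writes Common Log Format lines
  - RECIPIENTS and LOG_LINES below are constructed sample data
"""
import hashlib
import hmac
import re
from collections import Counter

LANDING = "https://training.example.com/survey"   # hypothetical landing page
SECRET = b"rotate-me-per-campaign"                # assumed per-campaign key


def make_token(campaign: str, email: str) -> str:
    """Unguessable per-recipient token: truncated HMAC over (campaign, email).

    An HMAC rather than a sequential ID means a recipient who works out the
    link scheme cannot enumerate or spoof other employees' clicks.
    """
    msg = f"{campaign}\x00{email.lower()}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


def build_links(campaign, recipients):
    """Map each recipient to a unique tracked URL, plus the token->email reverse map."""
    links, lookup = {}, {}
    for email in recipients:
        tok = make_token(campaign, email)
        links[email] = f"{LANDING}?t={tok}"
        lookup[tok] = email
    return links, lookup


# Common Log Format: client ident user [time] "GET path HTTP/x.y" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) HTTP/\d\.\d" (\d{3})')


def parse_clicks(log_lines, lookup):
    """Return {email: click_count} for 2xx hits whose token belongs to a recipient.

    Hits with a missing or unknown token (scanners, typos) are ignored rather
    than counted, so they cannot inflate the metric.
    """
    clicks = Counter()
    for line in log_lines:
        m = CLF.match(line)
        if not m:
            continue
        path, status = m.group(3), m.group(4)
        if not status.startswith("2"):
            continue
        q = re.search(r"[?&]t=([0-9a-f]{16})", path)
        if q and q.group(1) in lookup:
            clicks[lookup[q.group(1)]] += 1
    return dict(clicks)


def click_rate(recipients, clicks):
    """Fraction of recipients who clicked at least once: the awareness metric."""
    clicked = sum(1 for r in recipients if clicks.get(r, 0) > 0)
    return clicked / len(recipients) if recipients else 0.0


# Constructed campaign data for the example.
CAMPAIGN = "2012-q1-spearphish"
RECIPIENTS = ["alice@example.com", "bob@example.com",
              "carol@example.com", "dave@example.com"]
LINKS, LOOKUP = build_links(CAMPAIGN, RECIPIENTS)


def _tok(email):
    return make_token(CAMPAIGN, email)


# Constructed access log: alice clicks twice, carol once, bob and dave never.
# The last two lines are a scanner probing a fake token and a hit with no
# token at all; neither should count.
LOG_LINES = [
    f'10.1.2.3 - - [23/Mar/2012:09:01:10 -0400] "GET /survey?t={_tok("alice@example.com")} HTTP/1.1" 200 512',
    f'10.1.2.3 - - [23/Mar/2012:09:01:40 -0400] "GET /survey?t={_tok("alice@example.com")} HTTP/1.1" 200 512',
    f'10.1.2.9 - - [23/Mar/2012:09:15:02 -0400] "GET /survey?t={_tok("carol@example.com")} HTTP/1.1" 200 512',
    '198.51.100.7 - - [23/Mar/2012:11:00:00 -0400] "GET /survey?t=0000000000000000 HTTP/1.1" 200 512',
    '10.1.2.4 - - [23/Mar/2012:11:30:00 -0400] "GET /survey HTTP/1.1" 200 512',
]


def campaign_summary():
    """Per-recipient click counts and the overall click rate for the sample log."""
    clicks = parse_clicks(LOG_LINES, LOOKUP)
    return clicks, click_rate(RECIPIENTS, clicks)


if __name__ == "__main__":
    counts, rate = campaign_summary()
    print(counts, f"click rate {rate:.0%}")
```

Two design notes. The token is keyed per campaign, so a link from last quarter's exercise cannot be replayed into this one, and the reverse map never leaves the server. Counting only 2xx responses and only known tokens keeps automated scanners and link-preview bots, which hit everything, from being reported as employees who "fell for it".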