
Security Awareness Training offerings?


4 replies to this topic

#1 honeybadger17

honeybadger17

  • Members
  • 2 posts
  • Gender:Not Telling

Posted 16 April 2016 - 03:55 PM

I am hoping for some feedback on Security Awareness Training offerings.  The entity I work for has recently done a demo with KnowBe4 but they are the first company we've contacted.  

 

I'm interested in a few things:
1) If anyone has used them and if so, do you have any comments to offer regarding their offerings, results, ROI, etc.  (I'm aware of Kevin Mitnick and his capabilities so that's a plus); 
2) If anyone has any recommendations regarding other vendors.

 

We have around 3000 users.  We're looking for an efficient solution to user training that will employ minimum infrastructure requirements on our part.  We'd prefer not to spend too many man-hours building an environment to test our users with phishing tactics (if that's possible).  If we have to build in-house, what opinions do you all have regarding the best way to approach this?

We've been hit a handful of times this past year with ransomware/cryptoware and we've done well with network backups but we want to bring some user training to the table, test those users, and measure results in a cost-effective manner.

 

Many thanks to those of you who have some suggestions.  I'm scouring Google in the meantime.


Edited by honeybadger17, 17 April 2016 - 07:58 AM.




#2 Smsec

Smsec

  • Members
  • 133 posts
  • Gender:Male

Posted 16 April 2016 - 07:37 PM

I haven't used any commercial offerings. Here are a couple of resources that might be helpful:

 

Very good one-hour talk on Security Awareness training by the Director of Information Security at Visa Inc.

 

Gartner Magic Quadrant for Security Awareness. I don't have a copy of the report as they're not cheap so I don't know what criteria they used. This page has the quadrant chart showing where companies ranked.

http://www.inspiredelearning.com/sat/gartner-magic-quadrant-for-security-awareness/



#3 honeybadger17

honeybadger17
  • Topic Starter

  • Members
  • 2 posts
  • Gender:Not Telling

Posted 17 April 2016 - 07:58 AM

Smsec, that quadrant was awesome!  It helps me to know which vendors are in the game and where they fall.  Now I can do some research on them.  Many thanks!!!  


Edited by honeybadger17, 17 April 2016 - 08:39 AM.


#4 ScathEnfys

ScathEnfys

    Bleeping Butterfly


  • Members
  • 1,375 posts
  • Gender:Not Telling
  • Location:Deep in the Surface Web

Posted 17 April 2016 - 10:42 AM

If we have to build [a self-phishing system] in-house, what opinions do you all have regarding the best way to approach this?

IMO you should do this if at all possible, and it shouldn't take many man-hours. An effective self-phishing system only needs a few basic components:

  • A mass-mailing system (which you probably already have)
  • A server that the self-phishing links point at, which will host a basic site that tells employees what they did wrong (this is so basic you could run it on a Raspberry Pi if you wanted to)
  • A logging system of some sort that detects which employee clicked on the link (optional, but highly recommended as a self-phishing program without teeth is not very effective)
  • A policy related to phishing (as above, optional but highly recommended)

Proud system builder, modder, and watercooler.

GitHub | SoundCloud | Keybase
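The components ScathEnfys lists, put together as an added example (this is not code from the thread, from Gophish or from any vendor): a Python script that generates one unguessable tracking link per employee (an HMAC of the campaign id and the address, so nobody can forge a click for a colleague), builds the lure message for whatever mailer you already have, and runs a tiny landing page that logs which employee clicked before showing them what they did wrong. The roster, campaign id, host names and secret are constructed placeholders; replace them with your own.

```python
"""Minimal self-phishing tracker: per-recipient links, click attribution, education page.

Added example for the thread above; every name, address and secret below is a placeholder.
"""
import hmac
import hashlib
from datetime import datetime, timezone
from email.message import EmailMessage
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs

# Constructed sample roster; a real run would pull this from the directory or an HR export.
ROSTER = {
    "alice@example.com": "Alice",
    "bob@example.com": "Bob",
}
# Constructed campaign parameters. In practice load the secret from a secret store,
# and rotate it per campaign so old links stop attributing clicks after the campaign ends.
CAMPAIGN_ID = "2016-04-invoice-lure"
CAMPAIGN_SECRET = b"replace-with-32-random-bytes-per-campaign"
LANDING_BASE = "https://training.example.internal/open"


def make_token(email, campaign_id=CAMPAIGN_ID, secret=CAMPAIGN_SECRET):
    """Per-recipient token = HMAC-SHA256(secret, campaign + email), truncated to 32 hex chars.
    Unguessable, so one employee cannot fabricate a click for another, and it carries
    no identifying information in the URL itself."""
    msg = f"{campaign_id}\n{email}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def build_link(email):
    return f"{LANDING_BASE}?t={make_token(email)}"


def build_index(roster):
    """token -> email; the landing server keeps this mapping server-side."""
    return {make_token(email): email for email in roster}


def build_message(email, name, sender="accounts-payable@example.com"):
    """Lure e-mail handed to the existing mass mailer (built here, not sent)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = email
    msg["Subject"] = "Invoice awaiting your approval"
    msg.set_content(f"Hi {name},\n\nPlease review the attached invoice: {build_link(email)}\n")
    return msg


def record_click(token, index, client_ip, user_agent, log, when=None):
    """Attribute a click to an employee; unknown or stale tokens are dropped (returns None)."""
    email = index.get(token)
    if email is None:
        return None
    entry = {
        "campaign": CAMPAIGN_ID,
        "email": email,
        "ip": client_ip,
        "user_agent": user_agent,
        "time": (when or datetime.now(timezone.utc)).isoformat(),
    }
    log.append(entry)
    return entry


def click_rate(roster, log):
    """Fraction of the roster that clicked at least once: the number to trend per campaign."""
    clicked = {e["email"] for e in log if e["campaign"] == CAMPAIGN_ID}
    return len(clicked) / len(roster) if roster else 0.0


def education_page(name):
    return (f"<h1>This was a phishing test</h1><p>{name}, the link you clicked came from an "
            "internal awareness campaign. Check the sender address and hover over links "
            "before clicking, and report suspicious mail to the helpdesk.</p>")


CLICK_LOG = []
TOKEN_INDEX = build_index(ROSTER)


class LandingHandler(BaseHTTPRequestHandler):
    """Tiny landing site: logs the click, then shows the education page."""

    def do_GET(self):
        token = parse_qs(urlparse(self.path).query).get("t", [""])[0]
        entry = record_click(token, TOKEN_INDEX, self.client_address[0],
                             self.headers.get("User-Agent", ""), CLICK_LOG)
        if entry is None:
            self.send_error(404)
            return
        body = education_page(ROSTER[entry["email"]]).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    for email in ROSTER:
        print(f"{email}: {build_link(email)}")  # feed these into the mailer
    HTTPServer(("127.0.0.1", 8080), LandingHandler).serve_forever()
```

Host the landing page on a domain you control, and tell the helpdesk and whoever watches the mail gateway about the campaign window beforehand so employee reports of the lure are counted as a success rather than worked as an incident. Link scanners and mail-security appliances will also fetch the URL, so filter those user agents and source addresses out of CLICK_LOG before computing the click rate, otherwise the numbers you report to management are inflated.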

#5 Smsec

Smsec

  • Members
  • 133 posts
  • Gender:Male

Posted 17 April 2016 - 02:52 PM

Here's an open source phishing kit you can download and run on your own hardware. I haven't had a chance to test it yet but it looks relatively easy to set up and use based on a quick view of the documentation. You can configure a phishing campaign and view the results.

 

https://getgophish.com





