Personally, I am of the same mindset when it comes to user training. I think 
training and enforcing your policies and integrating them with your technical 
solutions can provide benefit.

I do however agree with his position on what you need to keep your eyes on, 
which is your most critical assets, the threats that are present to them, and 
where they might come from (which could be a multitude of places).

I think with the whole APT thing, the thinking is going to have to look more 
inward towards where the threat is coming from, and that is users' browsing/email 
habits. Whether it's malicious attachments or browser exploitation, it all has a 
social engineering flair to it (even if it comes from across the globe). 

I think things that should be high on the list for eyes on:

Auditing of systems and the review of the logs: (Too often auditing is not 
turned on or the logs are not looked at on a regular basis.)

Asset classification: Mileage varies, but if you know what the business deems 
critical, you tend to dedicate more time, attention, security and monitoring 
to said systems and to what information they provide to others. 

Egress filtering: IPS, firewall, web proxy (Again, if you can't get the data 
back out the pipe because the avenues of escape are blocked, then any attempts 
from high-valued assets to talk to these or other restricted networks should be 
your heads-up of possible compromise.) 

Learning from previous events: Whether it's a malware outbreak, rootkit/Trojan, 
etc., learning where it might have come from and what can be permanently 
blocked or limited is a good way to "learn from your mistakes." 

Knowing what traffic is good and what is truly bad and shouldn't be allowed on 
the network. (How many of you know what your users are actually doing on their 
PCs from a traffic perspective and take a proactive approach to limit nuisance 
traffic from going out your pipe?)

My two cents on the subject.

Now back to figuring out some Certificate Authority stuff with Windows 2003 
servers that won't enroll via the Certificates snap-in. 

Z

Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
[email protected]
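As an added example (my code, not Ed's, and not taken from the article under discussion), here is a small Python review of constructed egress-deny log lines that ties the asset-classification and egress-filtering points above together: classified critical hosts whose outbound connections the firewall keeps blocking get flagged, and repeated retries to one destination are rated higher because that pattern looks like beaconing. The log format, hostnames, addresses, asset names and the retry threshold are all assumptions for the example.

```python
"""Egress-filter deny review: flag classified critical assets that keep trying to leave the network."""
import re
from collections import defaultdict

# Asset classification (constructed sample): internal hosts the business deems critical.
CRITICAL_ASSETS = {
    "10.10.5.20": "db-finance-01",
    "10.10.5.21": "ehr-app-01",
}

# Constructed sample of firewall egress log lines (syslog-like; not a real vendor format).
SAMPLE_LOG = """\
Jul 18 16:02:11 fw01 DENY out src=10.10.5.20 dst=203.0.113.45 dport=443 proto=tcp
Jul 18 16:02:12 fw01 DENY out src=10.10.5.20 dst=203.0.113.45 dport=8443 proto=tcp
Jul 18 16:02:15 fw01 DENY out src=10.10.5.20 dst=203.0.113.45 dport=443 proto=tcp
Jul 18 16:03:01 fw01 ALLOW out src=10.10.7.33 dst=198.51.100.9 dport=80 proto=tcp
Jul 18 16:03:40 fw01 DENY out src=10.10.7.33 dst=198.51.100.77 dport=6667 proto=tcp
Jul 18 16:04:02 fw01 DENY out src=10.10.5.21 dst=192.0.2.8 dport=53 proto=udp
Jul 18 16:04:50 fw01 DENY out src=10.10.5.20 dst=203.0.113.45 dport=443 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<action>ALLOW|DENY) out "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def egress_denies_by_critical_asset(log_text, critical=CRITICAL_ASSETS):
    """Return {asset_name: {(dst, dport, proto): count}} for denied outbound attempts from critical assets."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "DENY":
            continue
        name = critical.get(rec["src"])
        if name is None:
            continue  # unclassified host: nuisance traffic from workstations is a separate review
        counts[name][(rec["dst"], rec["dport"], rec["proto"])] += 1
    return {name: dict(dests) for name, dests in counts.items()}


def alerts(log_text, critical=CRITICAL_ASSETS, repeat_threshold=3):
    """One alert per critical asset with denied egress; 'high' when one destination was retried
    repeat_threshold or more times (a blocked beacon), otherwise 'medium'. Threshold is an assumption."""
    out = []
    for name, dests in sorted(egress_denies_by_critical_asset(log_text, critical).items()):
        top_dst, top_count = max(dests.items(), key=lambda kv: kv[1])
        out.append({
            "asset": name,
            "denied": sum(dests.values()),
            "top_dst": top_dst,
            "severity": "high" if top_count >= repeat_threshold else "medium",
        })
    return out


if __name__ == "__main__":
    for alert in alerts(SAMPLE_LOG):
        print(alert)
```

Run it over the sample and the finance database server comes out as a high-severity alert (four denied attempts, three of them to the same external host on 443), while the workstation's blocked IRC attempt is ignored because it is not a classified asset. That is the point of doing classification first: the same deny line means something very different depending on which side of the asset list the source sits.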

-----Original Message-----
From: John Hornbuckle [mailto:[email protected]] 
Sent: Wednesday, July 18, 2012 4:21 PM
To: NT System Admin Issues
Subject: RE: Dave Aitel on end user security training

I'm not prepared to throw IT security awareness training out the window, but I 
agree with Aitel's position that enterprises should approach security with the 
assumption that some users will ignore what they were taught.

He writes that "a user has no responsibility over the network," but that may 
not be realistic in this era. All of my users have a certain responsibility 
when it comes to protecting the network, just as we all have responsibility for 
our physical environment. If I'm the last person to leave the office but I 
don't lock the door, I'm neglecting my responsibilities. I can argue that I'm 
not the person in charge of facilities, but that doesn't fly. If I'm using an 
asset--regardless of what that asset is--I have a role in protecting it to the 
degree that I can.

He also says that users "don't have the ability to recognize or protect against 
modern information security threats any more than a teller can protect a bank." 
Bad analogy. Bank tellers certainly DO have a role in protecting the bank's 
assets, such as requiring that customers provide proper ID before handing out 
cash.



John Hornbuckle, MSMIS, PMP
MIS Department
Taylor County School District
www.taylor.k12.fl.us

-----Original Message-----
From: Kurt Buff [mailto:[email protected]]
Sent: Wednesday, July 18, 2012 3:43 PM
To: NT System Admin Issues
Subject: Dave Aitel on end user security training

I must say, I have to agree, for most business cases.

http://www.csoonline.com/article/711412/why-you-shouldn-t-train-employees-for-security-awareness

OTOH, I don't think you have much alternative when dealing with family and 
friends - training is pretty much all there is.

Kurt

~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
