Infosec now offers campaign kits through its Infosec IQ product: prebuilt campaigns consisting of layered training materials and implementation recommendations. While many vendors are willing to provide guidance on how you should build and deliver your campaign, these kits from Infosec Institute already have that guidance built in. This means even less work for you, along with the knowledge that you are delivering the same training content that other organizations have successfully implemented.
As stated, these kits have layered training material. This means that content is available in multiple forms, all of which relate back to a central theme. The main content takes the form of short videos, either animated or live action. To support these videos, supplementary training is provided in the form of posters, digital banners, email templates, phishing templates, education pages, and life-size banners. All this content relates back to the main theme of the kit and seeks to reiterate some of the most important points from the main video series.
Infosec Institute provides layered security awareness campaigns. Source: Infosec Institute.
Currently Infosec has three kits available, but let’s look at one example in more detail: a kit called WORKed. This kit includes 12 videos as the main source of content, including a trailer that can be used to tease the content before launch. Each video follows live-action characters in an office setting, re-enacting instances where security is called into question. The videos are short (less than five minutes) and comedic, each video acting as a single episode in a series. Supplementary materials like those described previously are included. They depict certain characters and scenes from the videos to remind end users about the content they watched or to tease upcoming content.
Building and delivering a security awareness and training program for the first time should be a low-hanging-fruit initiative: low effort, high reward. Even a small amount of training can greatly increase the security of an organization. However, some organizations simply do not have the time or experience to put together their own campaigns and remain confident that they will be successful. Maybe they should train more frequently, focus less on passwords, or complement every other module with posters, etc. This line of thought is a rabbit hole that can be avoided by using the prebuilt campaigns offered by vendors like Infosec Institute. All you must do is decide the dates when the training is to go out – the vendor takes care of the rest (e.g. providing already-selected content, updating the training, tracking participation). This leaves you to monitor at your leisure the metrics the vendor offers that measure the effectiveness of your program.
These prebuilt, layered campaigns are also valuable to those who already have a training program in place. Due to the short nature of the videos included in these prebuilt campaigns, they can be easily integrated into an existing program. This is especially effective if you are looking to increase the frequency of training, while exploring new training styles.
We often hear that businesses are continually cyber insecure or under attack. However, recent penetration testing from Rapid7 shows that businesses are getting better at securing their networks against cyberattacks. While organizations continue to have exploitable weaknesses, attackers are having greater difficulty penetrating deeper into businesses’ networks.
Four zero-day vulnerabilities were discovered in IBM’s Data Risk Manager. While the vulnerabilities are concerning, IBM’s response when they were raised is more so. The company simply stated, “It’s out of scope,” meaning it had no intention to rectify or address the issue.
The Internet of Things is increasingly embedded in our daily lives. While these devices make life more accessible, every new device creates a new attack vector for cyberattackers.
Qualys VMDR has hit the live market. Originally unveiled in February 2020 at Qualys Security Conference, VMDR is now publicly available as of April 16, 2020. Partnering with both large and small MSSPs, VMDR is designed to be scalable to any business enterprise and to automate the entire management cycle on all endpoints.
Microsoft’s end-of-life support for Windows 7 has run into its first set of issues with its extended security updates (ESUs). Administrators who paid for the ESU found out their downloads are not applying.
Qualys’ newest product, VMDR (Vulnerability Management, Detection, and Response), will be available in March and will provide an all-in-one cloud-based solution for vulnerability management. VMDR will automate the entire management cycle on all endpoints.
Microsoft has added its Windows 10 Tamper Protection controls to the public version of Microsoft Defender. Previously available only to enterprise users, Tamper Protection is intended to better detect threats that make it past other defences and to provide remediation suggestions.
Qualys Research Labs, a vulnerability management provider, discovered a vulnerability in the OpenSMTPD mail server used in conjunction with the OpenBSD operating system. This flaw allows an attacker to execute arbitrary code with command privileges.
A leaked UN report showed that servers were compromised during a cyberattack that exploited an older version of Microsoft SharePoint. This breach is a case study in the importance of both patch management and transparency.