March 14, 2006 at 6:38 am #2191509
I’m in between a rock and a hard place – can I have some help, please?
by gadgetgirl · about 16 years, 5 months ago
By way of explanation, a bit of background...
I was opted onto a group formed within the IT department and given the remit of improving departmental communications. For our sins, we came up with having a bi-monthly team luncheon to catch up with what each of the teams is currently undertaking, which projects are due/completed etc.
This started ok, with the department head giving a talk on the strategy of the ICT department, an update on the National picture, and its associated projects. The Information Management team then did a 10 minute presentation on their part of things, I did 10 minutes on the National Smart Card system, then we had a knowledge quiz after lunch.
Then the bombshell was dropped as to the next few “ICT Luncheon Sessions”. Each team takes a turn for the next couple of meetings, and presents something FOR TWO AND A HALF FLIPPIN’ HOURS on their topic. The parting shot is that whilst all other sessions will be run by teams of at least 6 people, I’m in the unfortunate position of being in a team of one. Me. That’s it, that’s all, just me. And security is one helluva topic to try and make interesting to an IT Department full of techies who already know about security...
So, guys, I need help. I have no problem giving presentations, doing induction sessions etc., and I’m not at all bothered about standing and talking in front of people, with or without making a fool of myself (I have tripped over so many specks of dust on a stage you wouldn’t believe it).
What do I do to fill 2.5 hours? It wouldn’t be as bad if I could give the general Information Security talk, but as these guys hear it twice a year from me anyway, there is absolutely no point, and I think they’d hang me out to dry if I did it again.
How, after I’ve filled those 2.5 hours, do I do a knowledge check on them, without doing a quiz?
I have around six weeks to the Luncheon date; the reason I’m starting now is that I know, because I do incident investigation, that I could be pulled off this particular project at any time, to take control of the response team.
So – any ideas, silly security stories, PowerPoint shows more than gratefully received. I really am at my wits’ end as to how to fill this void in time.
I know you’ll help if you can, so in advance of all the support I just know I’ll get from here, have a small but meaningful present from me, by clicking on this link...
Many, many thanks in advance
GG
March 14, 2006 at 6:49 am #3267242
Hope this will help
by rob mekel · about 16 years, 5 months ago
What about a 2 hour presentation by a hacker on your systems (or special test environment)? Some workshop equivalent can do wonders. Especially if there are some hot shots from top level management, this will bring the security awareness to a high level.
Just peer mail me if you wanna know more.
March 14, 2006 at 7:15 am #3267228
by gadgetgirl · about 16 years, 5 months ago
In reply to Hope this will help
these are ground floor techies for the most part, and are well aware of the problems/issues/downfalls of the system we use. I really don’t want to go there – yes, I could show them very easily the downfalls of some things in here, but a) they don’t have the cash to do anything about it and b) we’re about to go into a merger situation anyway, so nothing would be done about it.
Do me a favour, though, Rob – keep thinking!
March 14, 2006 at 7:26 am #3267220
by rob mekel · about 16 years, 5 months ago
In reply to thanks, but
And you’re welcome.
What about letting them hack each other’s (test network) system? Make a game out of it, but give one of them the best anti spy/spam/hack software you’re using or would like to use. Maybe that will catch them; as they are techies they do like the challenge of hacking one another.
March 16, 2006 at 2:18 am #3074882
Understand the poor end user.
by antonyu · about 16 years, 5 months ago
In reply to thanks, but
Try and get the “propeller heads” to put themselves in the shoes of the poor user. Try and classify the types of users from the big power users down to the middle-aged mum. (No offence intended.) Then get them to try and understand what each type of user may do to cause a security breach.
If they can’t empathise with their customers, then they will never come up with 100% security. Like Chevy Chase said in Caddyshack, to play golf you need to “be the ball”.
At least this is an open-ended discussion-type topic. You decide when it is finished.
March 20, 2006 at 8:21 am #3075032
by david.a.williams · about 16 years, 5 months ago
In reply to thanks, but
A 2.5 hour presentation is silly unless you’re training and offering a certification! No matter who the presenter is, holding the audience’s attention for 2.5 hours is nearly impossible.
Time for a reality check. Tell your boss you only need 1 hour; 40 minute presentation and 20 minute Q&A. If he wants to keep them there longer get a tv and turn on the soap operas.
March 14, 2006 at 7:07 am #3267233
by dugadugdug · about 16 years, 5 months ago
As your audience is, or should be, up on most things regarding security and your workplace, why not ask a few of those people what topic(s) they would like to be presented or hear more about. Any upcoming related policies you could present? How about existing related policies, do they know the ins and outs of each of them?
March 14, 2006 at 7:12 am #3267232
good thought, Dug
by gadgetgirl · about 16 years, 5 months ago
In reply to A thought…
I’ll have an ask around for some topics.
As for policies – I’ve spent my first year in here manufacturing 13 of them, so they’re all up to date with those (yes, I had to re-do every damn IT related policy in here! and add a few of my own!)
I’ll see what I get back when I ask for topics... if anything...
March 14, 2006 at 7:25 am #3267221
Climb down from the tree
by amcol · about 16 years, 5 months ago
You’re constraining yourself because you perceive you’ve been given an inviolable order from above.
The idea is not to fill 2.5 hours, the idea is to impart value and information. If you can do that in one hour and give a bunch of reasonably high priced professionals 90 minutes back they weren’t expecting, in my eyes you’d be a hero.
The trick is to come up with a proposed outline for a compelling presentation, one whose value and informational content will be obvious. You have six weeks... do this in the next week, which shouldn’t be too hard, then show your outline to management. Get all the heads nodding at your wisdom and sagacity, and then tell them you’ll be able to make the presentation in less than half the allotted time (always leave room for Q&A, which always takes longer than you think). They’ll have a hard time saying no to you.
Don’t fill time just to meet an artificial goal. Show your initiative and courage by daring to go outside the bounds set for you.
March 22, 2006 at 12:39 am #3075986
AM is right
by cuteelf · about 16 years, 5 months ago
In reply to Climb down from the tree
To fill 2.5 hours would take you weeks, as you can already see you’re scared of large groups of people/ presentations.
Now if you have something you really truly care about and that you’re passionate about, you’ll start rambling on and on and blabbing and running your mouth like this and keep going on and on and filling in until you run out of oxygen.
You could do:
Find something you think is a weak link within the group, related to security and something you like... and let them learn.
Find something you want them to buy…and sell it!
What about finding funny anecdotes about security? And rub in what needed to be done during those spots?
What about having 4 sets of teams compete for something? Break them up and see if they can hack a Unix box, filter a VPN and crack the codes?
Do you want to inform them of something new?
Let them play with new-ish toys?
Get across the message they’re good but need to improve?
What about doing a practical example of social engineering?
Teams again, and see if they can get the info?
Go over IPv6? 😛 bleh.
March 14, 2006 at 7:42 am #3267207
Change Step, Shock em
by dawgit · about 16 years, 5 months ago
Instead of the same-ole, do something different, really different. Security (& terrorism) is on everyone’s mind, but no-one’s actually thinking about what that really means. Do a presentation on that theme, invite people outside your org. to participate. There are a lot of professionals out there more than willing to help you with that, with loads of good info. And, you know what? It’s all very relevant in our field (think ‘Katrina’). Just ‘What do you do?’, ‘How do we?’, ‘Where?’ Ok, you have policies, but what would people do if ‘If’ happens outside your door? – You’ll need more time than a couple of hours.
March 16, 2006 at 7:03 am #3074786
by jbarnes · about 16 years, 5 months ago
In reply to Change Step, Shock em
I don’t have time to read through all 44 replies, so if you’ve already gotten this one, you can ignore.
Since these are techies, they’re probably really awful at writing coherent communications. Why not a seminar on Best Practices for Composing E-Mail Messages? You can start off by going over when and WHEN NOT to use e-mail. Remind them that using the phone or walking to someone’s cube is still a valid form of communication. Follow that with a discussion on writing good, clean, targeted, coherent messages.
Contact me if you want some specifics.
March 14, 2006 at 8:13 am #3267190
amcol is right
by m_a_r_k · about 16 years, 5 months ago
Don’t try to fill 2 1/2 hours. Instead, give them 2 1/2 hours worth of information. A really good presentation can do that in LESS than 2 1/2 hours. You have a few weeks before D-Day. Do a lot of research on the Internet. People like to hear real-world stories. IT security and hacking/cracking/sleuthing are pretty cool subjects if you can give them stories about how some hackers operate and how they can get caught.
Another thought, even though your audience is supposed to be IT-savvy, you should still start the presentation off with a few basics just so everyone is on the same page. Every book needs an opening chapter to introduce the topic and tell the reader what to expect. A presentation is no different.
March 18, 2006 at 1:06 am #3074100
by kiltie · about 16 years, 5 months ago
In reply to amcol is right
I agree with amcol and mark too, make “Quality” rather than “Quantity” the priority.
Check with management beforehand; they are human too, and probably don’t relish the idea of sitting down for two and a half hours for this.
Management will LOVE the idea that you saved the company 60 to 90 mins of company time to get their workforce back into productivity sooner.
It’s also a good idea to research the internet on a few scare stories about security, that will give you a base on which to put your presentation gadgetgirl.
glgl and I hope all goes well, let us know what happens please?
March 14, 2006 at 12:44 pm #3267122
by jdmercha · about 16 years, 5 months ago
First off I’d try to reverse the order of things. Since they think they are up on security matters, give them a test first. Then go over the answers as your presentation.
Do you have statistics on security events? Use those statistics to frame questions. Questions like: What is the most common attack we see on our network? How many machines on the network are not fully patched?
I bet the FBI would love to come in and give your talk for you.
How about including legal responsibility? If you find child porn on a PC are you legally obligated to report it to the authorities? If customer data has been exposed, what are the legal ramifications?
March 14, 2006 at 1:05 pm #3267115
Some quick and random thoughts
by maxwell edison · about 16 years, 5 months ago
Bring in an outside speaker for part of the presentation.
Do a round-table, and ask for comments and concerns from the audience.
Check the SANS institute Web site for some ideas.
SANS even offers Webcasts that you could show.
Ask the “powers that be”, what’s the point?
Show a video of Old Yeller. They’ll never ask you to present again.
March 14, 2006 at 1:37 pm #3267104
Horseshack screams ohhhhhhh!! Ohhhhhh!
by jkaras · about 16 years, 5 months ago
Wow, sorry about your luck. If I were you I would try these.
If you can have a working training room, have a hands-on workshop demo. Have them set permissions on a dummy server for true understanding. Or have a nice PowerPoint demo with great screen shots, then have a Jeopardy contest on the material covered. Get creative with the questions, complete with a silly noise maker to chime in. Of course it will be teams. You could have either bragging rights or some cheap trinkets if management will sponsor. The good thing about the game is that people will have fun and pay closer attention to what was covered. It will also display who paid attention and who didn’t.
Basically I support interactive methods to not only pass the time but make something boring fun. Who knows, it may be a hit with management that will garner a budget for prizes?
March 14, 2006 at 1:52 pm #3267097
The brain can absorb only as much as the seat can endure.
by sleepin’dawg · about 16 years, 5 months ago
2 1/2 hours is quite a long time for a presentation on any topic, short of presenting a scheme for world domination. I am assuming here that this 2 1/2 hour fiasco is to happen [b]after[/b] lunch because there is absolutely no point in trying to present anything while people are going to be concentrating on eating and will only resent any intrusions on those processes.
First thing [b]I[/b] would do in your place, is send out a small one page questionnaire, asking questions about what people would like or [b]need[/b] to know more about security. Make the questions multiple choice (3-4 choices, 3 being optimal) and circulate it by Email. Demand, not request (but still, be polite), a response within 48 hours. Try limiting the questions to six, with ten being the maximum. At the end ask for any additional comments but tell them to keep it to 25 words or less.
Ask too many questions and you risk people making demands you may be ill-equipped to handle; ask too few and people won’t take it seriously enough to reply.
[b]Don’t bother waiting for any replies; you won’t really need them.[/b] However, print out the ones you do receive; I’ll tell you why in a moment.
Now do a quick inventory of all the products you use in your security function and get on to the suppliers [b]and[/b] publishers and ask them to send you all the information available on the various products, what they do, how they do it and why they do it. If you are using products you don’t like and think there are better options available, get information on those options and make a case on why it would be more efficient to switch. You might not get any immediate benefit from this but you may plant a few seeds that just might germinate further down the road. If nothing else you will have proven that you’re on top of things as far as security is concerned. While you are talking to the suppliers it might help if they have case studies on hand, which have been sanitized for distribution to their clients.
Once you have assembled all the information you need, put together a presentation c/w lighting effects, voice over and background music. Make sure it doesn’t run less than 50 minutes but no more than 55 minutes. At this point suggest a 15 minute break for refreshments, rest room etc. I say call for a 15 minute break but in reality, it will run out to 20 minutes. Let’s face it, there is only so much you can say at these things because your audience is too broad-based. Your topic is only going to be interesting to a select few; the rest will only be going through the motions and pretending interest. The object here is not so much to fill the time with quality information as it is to get through the time without anyone falling asleep on you. You are talking to a bunch of techs who, if they don’t already know your information, think that they do. The more important thing for you is not to bore them but to entertain them like just so many ADD children. Getting them on their feet and letting them move around will keep them awake and appreciative.
It is important to start your presentation as close to the hour mark as possible. When you call for a break at the 55 minute mark, people will figure they won’t have to return until the quarter after mark. Right there you’ve killed off 20 minutes from the 2 1/2 hours and people will actually be more grateful to you than critical of you for cutting the time short. Now it’s time to turn your audience into the presenters of your presentation. If you want to know how to do that pm me. BTW making presentations for clients is one of the various things my company does and we do it for varied audiences, in assorted languages and on many diverse topics. 😉
March 14, 2006 at 5:15 pm #3266365
by av . · about 16 years, 5 months ago
2 1/2 hours is a long time for a presentation, so I would depend on video, webcasts, music and humor.
You could develop a main theme like a “rogues gallery” of security offenders from Kevin Mitnick to Judy the accounting clerk that shows why security is necessary and sometimes defeated.
Or, maybe you could show security gone awry in the future with a theme like the Tom Cruise movie “Minority Report.”
Use lots of video and sound bites that will emphasize your point and keep people interested. Everyone from Bush to Jon Stewart to SNL.
It really doesn’t seem fair that you have to do this by yourself. What a test. Creating a presentation takes a lot of time. Good luck.
March 16, 2006 at 1:07 am #3074897
by tony85 · about 16 years, 5 months ago
Somewhere on the web is a test to see how well you can recognise “phishing” sites – this is really good, as there is a Citibank one that is genuine and really does look like the fake ones.
You could probably use a few of these to get things going – maybe you have some of your own.
A good book that will give you some really great examples and background is “Security Engineering” by Ross Anderson, ISBN 0-471-38922-6. Ross also has a web site at http://www.ross-anderson.com. A search on him will also quickly show you that he is a strong privacy advocate.
Another related topic is the recent root kit issue.
Many of these are the inter-relationship between security, traceability and privacy.
If you want to see where things might be going, try looking at initiatives being launched and supported by the European Commission.
I am guessing that from the size of your department that you are in a fairly large company, in which case, there is also a good chance that the company works internationally.
Having been the “rapporteur” for some EC sponsored workshops recently in this area, I can tell you that it is a fertile ground and one that can cause some interesting debate.
You can also think up some “straw poll” questions that you can use from time to time to liven up and change the pace, e.g. before starting on privacy, ask for a hands up on who thinks it is an issue. After presentations and debate, ask the question again. If your company does business in Europe it may soon have to be an issue as it is in the European Constitution, which will eventually be ratified.
If you want more on this, then email me privately.
March 16, 2006 at 1:21 am #3074895
by theadmin · about 16 years, 5 months ago
On http://www.packet-level.com/ you might find some pdf, ppt and articles on the subject to take for your presentations...
Take a look at the downloads section !
For instance http://www.packet-level.com/archives/archives10.htm
Good luck and watch out for the dust 🙂
March 16, 2006 at 1:57 am #3074890
by jim.allen1 · about 16 years, 5 months ago
Hi Gadget girl
not sure how many members in your presentation group but to do 2.5 hours is over the top...
so a few suggestions
passwords with the history of encryption
the security of HCFDs (hand carried floppy discs) compared with the internet.
methods of ‘stealing’ screen emissions, wire tap and induction loops
methods of stopping theft – never turn the pc on…etc
how much data can be stolen in 2.5 hours! –
data corruption intentional and accidental
March 17, 2006 at 10:08 am #3076984
More on Passwords (from “Hackers”)
by too old for it · about 16 years, 5 months ago
In reply to passwords
Every time I go into a building where the passwords are on sticky notes on the monitor (machine, domain, AS/400, the bank .. doesn’t matter) I recall the scene from “Hackers” where Lord Nikon is delivering flowers, and just has a look around.
How many unsupervised and unverified people do we (you) have just wandering around?
March 16, 2006 at 2:07 am #3074886
What an opportunity!
by kevin.dorrell · about 16 years, 5 months ago
GG, It sounds like your management is taking intra- and inter- departmental communication seriously, which has got to be a “Good Thing”.
I see your point that 2.5 hours is a long time. With no disrespect to your presentation skills, it will seem a long time for your listeners as well as for you. So here is an idea: why not prepare a presentation lasting about an hour or so, then throw in a few contentious or provocative discussion points near the end? Points that you believe need to be resolved, but which you cannot do entirely within your own remit. Then sit back and watch the ensuing discussion.
Security is often a matter of finding the correct balance between security and convenience. It is sometimes difficult to pin down management to where this balance should be struck. The discussion should give you some valuable indicators.
If your management is really as open and communicative as they seem to be, then they will welcome such an approach. Judge for yourself.
March 16, 2006 at 10:43 pm #3077137
by fcleroux · about 16 years, 5 months ago
In reply to What an opportunity!
1) If you work for a large national company, not everyone may know what the biggest security breaches have been in the last two years. Do a recap of the TEN TOP SECURITY BREACHES. What they were, how were they handled. Were they handled properly? Could Changes be made to the process??
2) Current threats! Review current threats that you think are the biggest issues. This is a great chance, what are you not doing properly because of lack of funding???? Point out these areas as security threats (but don’t mention money). Let everyone know there is an issue and hope management acts on it.
3) Emerging Threats! Have you pre-planned for emerging trends and threats. Are you ready to tackle a bad RootKit on a system?? Identify these as of yet non-identified issues, spell them out, indicate if there is a plan in place to deal with them, who is responsible for dealing with them, get some input and so on. This needs to be done anyways but may end up causing you more work.
4) Are the products you are using adequate? SpyBot and Ad-aware suck. So does MS Anti Spyware. Should you be using other products?? Is your Anti Virus Software the best you can be using, should you be using something else? How are the Firewalls? Have Security Policies been updated to include new technologies and new threats?? Is SKYPE listed or covered by any of your policies??? Good time to review policies or at least “SET UP A TASK GROUP” to deal with a review. This should kill some time.
5) Waste Time. Have food brought in by someone else (some very good Bakery Goodies, cakes or so) with coffee if required half way through your 2.5 hour session. This is usually a very well liked break anyways. Freshens the brain!
March 16, 2006 at 2:46 am #3074879
by craig.christine · about 16 years, 5 months ago
They will already know loads, but there are loads of good stories of guys with their pants down, never women! And you have the added advantage you could send them out to see how many sites they could pick up in the area, to kill 2 hours perhaps? Or get them trying to hack into each other’s computers, to show how easy it can be; they would love that. You could then sit back “supervising” with a nice coffee, while they test themselves and preen about their results.
March 16, 2006 at 3:00 am #3074871
New Technology To Check Out
by quickest2 · about 16 years, 5 months ago
PLEASE READ AND RESPOND: THIS IS WHAT WE HAVE ALL NEEDED....
PROTEXX INC. A BRIEF BACKGROUND
Today’s technology started development in 1996. Its mission then, as now, was to develop and market encryption software to provide for the safe transmission of sensitive data and to protect the identity of both the sender and the receiver.
During the last five years, the patent pending technology was refined and tested, and Protexx marketed its first 2048 bit encryption software package, said to be impenetrable by currently available hacker technology. It is designed to be used by organizations and individuals in a wide variety of sensitive fields, including, but not limited to medicine, law, corporate information, government and finance.
Protexx 2048 bit encryption technology has been reviewed by NSA, Hewlett-Packard, and IBM and is now in use in several high security installations. The software package may be downloaded from the company’s Web site at http://www.protexxinc.com , and can include a biometric positive identification component which once installed by both sender and receiver, assures complete security for transmission of data over the Internet. The company maintains its own network-operating center [NOC] for use only by authorized subscribers. Each user receives a certificate of authorization, admitting his computer and only his identity to the Protexx secure transmission system.
THE PROBLEM: NAKED IN MACY’S WINDOW
WiFi and the Internet pose a growing threat to personal, medical, legal and corporate information – just what can be done about it?
Consider the following:
A Company CEO was instant messaging with the director of personnel about potential layoffs. The IT department “sniffed” it and information was transmitted throughout the entire corporation before any decisions were made. As a result of the network security intrusion behind the firewall, key people were lost.
Unencrypted diagrams were emailed between a company’s research and development center and its production facility, were intercepted, and as a result, the competition got the product into production first.
Two soap opera writers were instant messaging each other over WiFi, a tabloid reporter sniffed it, published it, and the show lost audience share.
These are not theoretical possibilities; they actually happened, and they point out the vulnerability of any Internet communication, particularly those that travel over wireless links, to be intercepted.
“Anyone can sit in Panera Bread, or any place with a public WiFi connection, with a sniffer (a software tool) and intercept people’s personal information – such as credit card numbers – at will,” says Bill Tabor, Protexx, Inc. Chief Technical Officer. “With an appropriate antenna, the range of a sniffer can be several miles.” And it gets worse.
Tabor says, “Even if you are running some sort of encryption – such as when you connect to the web page for your credit card information or place an order on line – the most prevalent form of Internet encryption, 128-bit SSL, can be readily cracked with freeware that can be downloaded from a public Web site. Many 256-bit encryption techniques can be cracked as well.”
He adds, “The bottom line is that most people, and most organizations, don’t realize how incredibly vulnerable their data is when it’s moving over the Internet. Even if you are using commonly available encryption technology, you’re sitting naked in Macy’s window, and you don’t even know it.”
THE GOOD NEWS
Recognizing the growing need to protect medical, legal, financial, insurance, corporate, and personal data as it travels the Internet, Protexx Inc. has created a fully portable encryption system for ensuring the integrity and protection of data.
Here is how it works. Suppose you want to check your credit card account from a public WiFi connection, but want to do so securely. Assuming you have already downloaded the Protexx encryption software from http://www.protexxinc.com and installed the authentication certificate, simply double-click on the two red Protexx VPN icons in the taskbar icon tray. This establishes a connection with the Protexx server at its Tier One protected facility. The Protexx software on the server does a handshake with the software that is on your computer. Your computer and the Protexx server exchange public encryption keys, and this starts a 2048-bit encryption system that has a rotating key.
From the point of the first handshake, all communication between your computer and the Protexx server is essentially invisible to prying eyes. From there, you can sign into any Internet location, knowing that the wireless portion of your communication is now intrusion proof.
HP Storage Security Executive Summary Document #5982-5975EN, 05/2004, Page 14: “A very long key, for example, 1000 bits, has far too many possibilities to try in a million years using all the computers in existence”
For two people to establish secure Internet communication between them – for example if a research and development center wanted to email plans to a production facility – all that’s required is for both parties to authenticate by signing into the Protexx server and then email normally between them. The information will be automatically encrypted at the sender’s computer, travel securely over the Internet, and will be automatically decrypted at the recipient’s machine.
Protexx encryption technology, which is built around open source, has been under development for five years, has been extensively tested for the past two years, and now is available to users throughout the United States. The cost for an individual user is $4.95 per month subscription, and corporate clients can pay much less per user, based on the number of monthly subscribers.
Protexx provides mission critical systems with a much needed bulletproof security layer against hacking software.
Protexx is real-time security technology that secures all of your data in motion.
For further information about Protexx or its 2048 bit encryption software package, call, write or e-mail company president Peter Letizia, Protexx, Inc., 10784 Crescendo Circle, Boca Raton, Florida 33498-4871. PLetizia@ProtexxInc.com
Protexx, Inc. also has offices at, 35 Evergreen Parkway, Westport Connecticut 06880. Contact Mark L Myers, Chairman, 203 682 6436. MMyers@ProtexxInc.com
March 16, 2006 at 3:52 am #3074864
Security, what is there to be afraid of?
by vytautasb9 · about 16 years, 5 months ago
To keep an audience’s attention for 2.5 hours (I suggest you try to shorten it to 1 hour) it might help to make use of real life examples to illustrate a security concept. A real case history is more likely to keep people’s attention than some theoretical presentation (especially during a lunch or shortly after). There must be many examples in the news to choose from. Have up to 10 examples (perhaps you can pick something that happened in your institution?) of what went wrong, present them, and perhaps ask the audience for ideas on what could have been done from a security standpoint. You probably won’t need to go over all the examples and topics, based upon how your audience responds. Best wishes for your presentation.
March 16, 2006 at 3:52 am #3074863
Out of the box
by billphillips · about 16 years, 5 months ago
GG – Good luck with your presentation whichever way you choose, but it could be a golden opportunity for you rather than a millstone.
Have you considered going down a different route? They are getting communicated to about technical advances which they would rather
(a) Not know
(b) Find out themselves in their own time and manner.
Your initial remit was to improve departmental communications, therefore what about highlighting communication skills.
Show information flow, and causes of blocks (Personalities, politics, different communication skills and approaches).
You could present this, then go into communication “skill” games between departments, or better still, with mixed members – Techies love these challenges.
You could finalise with a discussion on how people felt about the successes and challenges and the importance of ongoing communications.
It gets them thinking about, and understanding the root cause of communications problems – US !!
March 16, 2006 at 3:56 am #3074861
Out of the Box – What’s a square
by goodwisj · about 16 years, 5 months ago
ISO 17799 is as dull as ditchwater and extremely important….. So find some important people who aren’t dull and subcontract the thing to them….
Get a psychologist to present on Maslow and then get the team to relate it to IT Infrastructure and IT Security
Get a locksmith to come in with a Safe containing an Easter egg (timing should just about work, I think). Get the team to try and crack the safe… then crack their heads with the confidential information that you have managed to scavenge from their desks, their bins, their phone conversations overheard even from their blogs and websites. Show them that security doesn’t necessarily require technology, rather dedication – a way of life.
You are bound to have a contact in the security community who could come in and talk cyber-crime to them for you…. again rewards are good – IT teams and chocolate really are made for each other. Depending on which end of the UK you are, I may have someone you could try for this….. mail me if needed.
I know I’m probably teaching you to suck eggs…. however it is normally the simple stuff that catches us out……. for example some police forces are concerned that a radio with encryption may fall into the hands of undesirables…. yet they have the audio blaring out of vehicle radios, portable radios and over speaker systems in Police Stations…… Their systems are designed to be high availability, maintain integrity and yet are not confidential……
Fourth and final – how about identifying the real risks to security and potential compromise – more information is probably at risk due to people becoming vulnerable to pressure because of debt, embarrassing personal information, or secrets than is due to hacking and high-tech crime (again, ask some police buddies about the background checks that they have to do for contractors, etc). Get people thinking about CIA in their lives rather than in their work…….
So a slightly different and not very technical approach to security; but I know that this can work – I’ve had to present on Information Security to a room full of seasoned security professionals – strangely, I have used at least one of the techniques above – now decrypt which one it is……
Speaking of which – why not get a kid’s book of codemaking/breaking and get them to send messages to and fro………. get them thinking about all the different layers in a network and the encryption and compression that is used and get them to risk assess an installation that they know well – perhaps even CRAMM them….
Enough, I’m going into meltdown…… hope you find a useful answer to your quest – between all of us there should be at least one good nugget out there…..
March 16, 2006 at 4:33 am #3074856
subject for you
by ka2sph · about 16 years, 5 months ago
I would like to suggest, as a topic, how people with handicaps work hard, graduate from college with good to excellent grades only to find out that there is a term, “you lack proper experience”. This term is the way companies and their HR people get rid of handicapped people as prospective employees.
I am legally blind, have a spinal cord injury so while I walk with braces and crutches I am looked at by HR people like some sort of freak. I graduated in 1982 from a top college in New Jersey with a cumulative average of 3.79. I put in 90 hours a week between classes, homework, and required work (25 hours minimum)in the computer center, and that was not good enough as experience? I worked part time in a corporate computer center under work/study but that too meant nothing. I finally caught on. The Americans With Disabilities Act means nothing to businesses. They never got the message beyond how to make sure handicapped people like me never got into their companies since we were not “beautiful people”.
March 16, 2006 at 9:37 am #3074673
Try a temp agency or recruiter
by foothillscg.com · about 16 years, 5 months ago
In reply to subject for you
My husband had an experience with someone who looked like you described yourself, but he was also very short and black, although he seemed to see fine. He came in with a team to do a 6-week, work-intensive project with 5 others, and he did more to enlighten people’s view on the “handicapable” than anything else we’ve seen. He was a great guy, a good worker, and if he hadn’t moved, I’d place him in a heartbeat.
In California, companies that have contracts with the government are required to have “quotas” (I forget the euphemism that they use) of minorities, women and disabled.
My point: try contracting at defense contractors, NASA, or government directly.
March 16, 2006 at 2:48 pm #3077224
March 16, 2006 at 5:03 am #3074848
by morti · about 16 years, 5 months ago
Tech Republic has some material they call Lunch & Learn that may be of help for you. One I have looked at focuses on computer security and includes PowerPoint slides as well as suggested verbiage.
Not knowing the audience it is hard to hit the target, but some other thoughts are: telecommuting, changing from landline to cell phones, the future of backshoring, the whys & wherefores of computer security outside the office (or on the road).
Hope this helps.
March 16, 2006 at 5:09 am #3074845
by v_vegso · about 16 years, 5 months ago
Latest tech articles about security developments. List of new viruses, and why they are or are not a severe threat (rating them). Research and list magazines and web sites that would help newbies in the security field. Talk about new companies that offer any new products or services. Schools that offer courses and the quality of them. Rate books, etc… You can do the ratings of these items, which would take time and also show that you are a guru !!!
March 16, 2006 at 5:13 am #3074844
by morti · about 16 years, 5 months ago
Many support folk seem to forget that the users don’t have nearly as much training or interest in technology as the techs have. There are a couple sites I have found that could be used to start some customer empathy training. One is http://www.techtales.com and the other is http://www.computerworld.com/departments/opinions/sharktank
Many of these will seem humorous at first but you could then ask the audience how the tech could have acted to better serve the customer. After the initial response of returning the computer because the user is too dumb to have it, how do you resolve the situation and make the customer / user feel good about themselves and your professional support. After all, we want to be seen as value added rather than a sufferable necessity.
March 16, 2006 at 5:13 am #3074843
step way, way out of the box
by danetter · about 16 years, 5 months ago
If communications are as important as the charge implies, there should be a system for that purpose — departmental communications. Talk about the design of such a system. Look up the approach used by Gerald Nadler. Point out that there actually is already an informal, undefined system that has been judged not to work well enough. Emphasize the question of whether such a system might be useful or even could be designed, and, if so, how it could be designed. Most of your audience will think the whole notion is ridiculous; hopefully at least a few of the brighter and more thoughtful will understand.
March 16, 2006 at 5:20 am #3074840
by plumley9 · about 16 years, 5 months ago
Since ‘security’ is the topic, take the best eclectic ideas you get here and create a ‘Pop’ quiz. Then explain the best answer for each twist.
i.e.
1 – Would you give away your password for candy? About a thousand people in Piccadilly Circus gave their passwords to researchers for a piece of chocolate. (Note – password without userID)
2 – Would you put a ‘Free’ CD in your machine at work? About 1200 loaded a self-destructing phone home bug on a CD given to them as they exited the London Underground.
3 – Do you remember DOS, specifically interrupt 13? Why are we glad it is gone? And do you understand the Virtual Machine equivalent and its impact?
4 – If the big threat is the ‘RootKit’, should security design and install one first to monitor systems? If so, how do you build one that nobody else can subvert? Sony and Symantec didn’t know.
Last Question – Did you ever tell somebody something you should not have? How are you going to keep that from happening again?
March 16, 2006 at 5:23 am #3074837
It Seems To Me
by dask · about 16 years, 5 months ago
It appears that initially these sessions were built to provide an opportunity for various technical specialists to communicate ideas, visions, strategies, etc.
Now it sounds like they have adjusted the focus to a pulpit training for each unit.
I suspect that most of what you would like to convey to them, you have via policies, guidelines, discussions, etc.
To develop your 2 1/2 hours,
1. could you determine some of what keeps those individuals up at night (worries) and integrate your discussion into those areas.
2. I used to do a periodic security survey with embedded questions like, “Do you think that it wastes organizational funding (that might be used for merit increases or profit sharing, etc.) for people who play solitaire, doom, or shop for their next stereo while at work?” Try some thought provoking questions based on their business concerns and then provide facilitation of interactive ideas on those concerns. In essence, be the conduit to get them to provide the training and ideas to fulfill their own needs.
Needless to say, try to focus the question on things that concern the organization’s security needs as well, but bring it down to their business requirements, not yours.
This may enlighten you, provide you with new ideas, and concerns (sleepless nights), but it may also help integrate your focus areas (availability, data integrity, and confidentiality) into their processes.
What do you think?
March 16, 2006 at 5:24 am #3074836
More items to talk about
by rreichma · about 16 years, 5 months ago
What about covering Business Compliance activities from a security point of view, covering such items as:
Security Status Checking (Health Checking) of Infrastructure devices covering Networks and Client Server environments.
Security and Integrity Management (APAR Management)
User Id Management and Revalidation with an emphasis on Privileged and Shared Users.
Portable Media, Disaster Recovery, Firewall Management etc etc etc.
March 16, 2006 at 5:25 am #3074835
Security topics for security people
by pete1978 · about 16 years, 5 months ago
Okay, granted that most IT workers are already familiar with security topics, but this does not mean that they apply them. It seems curious to me that you seem to have a dual role. First, you are the communications team person. Second, you are in a security leadership role. BTW, I did not list this in any particular order.
My question is why did they take a person from the security leadership position and give that person the additional responsibility of addressing communications issues? Perhaps there is a relationship. Perhaps, higher authorities have come to realize that there are security issues within the department’s communications.
That, therefore, could be a topic — Communication Security. Or what to say and what to not say in communications.
March 16, 2006 at 5:37 am #3074832
Virus & Intrusion Protection
by wildhorses · about 16 years, 5 months ago
“Implementing VLANs for Virus & Intrusion Protection”
We implemented VLANs as a way to isolate departments from each other to provide a secondary method of controlling a virus outbreak if it were to get by our virus scanning products and to protect interdepartmental privacy, etc.
March 16, 2006 at 5:39 am #3074830
Re: Topic Suggested: Strategy, Tactics, & Project Management
by blackfalconsoftware9 · about 16 years, 5 months ago
Instead of flipping out yourself, I would suggest that you cause your listeners the same reaction.
Bad project management is a very serious problem in the Information Technology field. The field itself is the only technical profession that has failed to keep pace with proper management techniques developed over the past 25 to 30 years.
Proper project management is also a vital tool on the corporate battlefield but few senior managers understand this. Those that do are making great strides with their firms against their competitors, who mostly repeat the same self-destructive mistakes that they have always been making.
You can understand this vital area of Information Technology by purchasing the following books by Steve McConnell who promotes those methods that are in use today which are highly successful:
Rapid Development – 1996 (still being purchased today)
Software Estimation – 2006
In terms of military tactics on the corporate battlefield I would suggest the following:
The Art of War – Sun Tzu
On War – Von Clausewitz
Moltke on the Art of War – Hughes
Strategy – Hart
The reason for the military selections is because once you read through them you will understand how corporations are designed and how they think as an institution. The philosophies of Sun Tzu, Von Clausewitz, and Moltke are incorporated in senior management thinking using a construct known as the “Positioning Theory” which is directly linked to these men’s theories of warfare.
I promise you, you will not only have enough information to speak for two hours but you will literally “blow your audience away” if you prepare your presentation properly.
Black Falcon Software, Inc.
March 16, 2006 at 5:45 am #3074826
Lunch & Learn
by lcave · about 16 years, 5 months ago
Do a lunch & learn on Pivot tables. That will keep everyone’s attention for as long as you need.
March 16, 2006 at 5:49 am #3074824
Try Demand Management
by daveh839 · about 16 years, 5 months ago
All IT and App Dev teams are always swamped with work that they can’t keep up with. It’s either “invisible” maintenance work to keep the lights on, or project work that usually isn’t managed as well as it should be. The first step to getting things under control is demand management; there are reams of info on the subject and tools are plentiful. You could discuss it in a Q&A type forum for days, so a couple hours probably wouldn’t be too difficult. Try ITIL.org, or even Tech Republic’s project management topics.
March 16, 2006 at 5:56 am #3074820
Reply To: I’m in between a rock and a hard place – can I have some help, please?
by doug m. · about 16 years, 5 months ago
I’d give a talk on how much time is wasted in these stupid presentations. Seriously, this company I once worked for had so many meetings it was a complete waste of time. Things like train the trainer, customer interface, and then all of the corporate BS “cover our ass” training. If something cannot be covered succinctly in 30 minutes or less, it’s a waste of time. Sorry I wasn’t able to contribute a topic for you.
March 16, 2006 at 5:59 am #3074817
by paulspin · about 16 years, 5 months ago
Talk about the convergence of devices, document control and contact mgmt. Lots of stuff going on here. Allowing you to read a doc then question the author wherever they are via the above technologies. The network will know if they are logged on (using messengers) or remote (via cellphone/blackberries signed on) and then route you directly to them.
Big subject but lots of areas in this to improve comms and also maintain security
March 16, 2006 at 6:13 am #3074811
Security talk ideas
by wjryan · about 16 years, 5 months ago
Not sure how many folks you have to deal with but how about grabbing a computer lab and/or pairing folks up to work at a workstation together and let them try to be secure? In other words, make a couple of scenarios where they get to play SecAdmin.
Or let them see a virus in action on a workstation via a projector, or how the network is attacked via a dashboard? Build testing moments from the scenarios.
Last idea, give them some “tools” and see if they can either (a) create a firewall (home use opportunity) or (b) hack into a station you set up (walk in your shoes moment).
Hope this helps and good luck!
March 16, 2006 at 6:16 am #3074809
Reply To: I’m in between a rock and a hard place – can I have some help, please?
by the admiral · about 16 years, 5 months ago
Try a two hour presentation on:
March 16, 2006 at 6:44 am #3074797
by goodwisj · about 16 years, 5 months ago
Someone has visualised the workings of what I lovingly/laughingly call my brain………wow.
Admiral, sorry I think GadgetGirl needs Security Management, not Process Management…….
Fantastic animation though……
March 16, 2006 at 6:21 am #3074804
by bill.thompson · about 16 years, 5 months ago
You might want to start with a presentation of how improving communications can increase productivity and enhance team work then throw out a topic and have an open discussion with the group.
I would have 3 or four topics in my pocket that relate to current projects that many people might be involved in.
hope this helps.
March 16, 2006 at 6:59 am #3074788
Brown Bag – Lunch & Learn
by gordon.rudd · about 16 years, 5 months ago
I always like to learn something when forced by management to sit for 2+ hours. Routers, switches and hubs…are always a good thing to know and architecture of the network is another.
If forced to stay on topic (inter departmental communications) Google “True Colors”, review the material and present that. The participants can even log onto one of many web sites and take the personality test.
It will help communication.
March 16, 2006 at 7:09 am #3074778
History of Hacking?
by wilski · about 16 years, 5 months ago
Hi Gadget Girl
I just read in a magazine today that it is the 20 year anniversary of the first known computer virus, called Brain, which sort of leads me onto an idea.
Maybe give a talk on the history of security, and how everything came to be at the moment? I know that you would have to do a bit of research, but there are probably some sites out there that would give you a few shortcuts/bit of extra knowledge.
I know that in my CCNA training, one of the best things that I still remember is when I read about the history of networking, and how we “evolved” into the current state of affairs. Hope that it helps.
Or you could break it up into sections and use different topics- such as strategies of cyber attack, impact, and then make it like a bit of a game. One side of the team would have to choose a strategy and attack the organisation and try to find a way through, while the rest of the team would build a defence… fun….
March 16, 2006 at 7:19 am #3074772
Sarcasm works in these situations
by master3bs · about 16 years, 5 months ago
Do a two and a half hour presentation on how much time IT has saved us over the years, to the point that we can now waste time on two and a half hour presentations. 😛
March 16, 2006 at 7:24 am #3074766
Rock and Hard Place
by wkobus · about 16 years, 5 months ago
I have several security presentations that you are free to use at my web site http://www.TESS-LLC.com.
March 16, 2006 at 7:32 am #3074763
Topics for Discussion – Hypothetical Security Attack
by knudson · about 16 years, 5 months ago
Take them on a tour of how you would attack your own company from the outside if you were the hacker. Go through an exercise of how you could punch holes through the security processes, procedures and practices of your own company.
Create a hypothetical scenario where someone or some organization from the outside wants to gain access to critical systems and information maintained within your company. With this scenario in mind, you can take many different paths in your presentation. Split up your discussion into areas that directly impact each segment of your audience. Make them think about the things that they do day in and day out, and how their choices and actions impact the overall security of your company.
Don’t forget to include social mechanisms such as finding sticky notes with passwords stuck to monitors, keyboards and posted on the wall next to the computer.
When someone comes in to repair a computer, copier, telephone system etc., what sort of security measures are in place to prevent them from gaining access to information that could make it easier for someone on the outside to launch an attack?
When a person leaves the company, what processes are in place to ensure that they do not continue to have access to knowledge and systems? How long does it take before access is denied once an individual or company terminates their business relationship with your company? Hours? Days? Weeks?
What mechanisms are in place to secure data within the company? Do people have access to USB ports to download information to little USB Data keys? A small key can contain a gigabyte or more of information these days… is there any critical information that would be accessible to an insider that might be a potential risk? How is that information safeguarded?
March 16, 2006 at 7:57 am #3074753
Discussion about security concerns of the use of Skype in Corporations
by jiblanco_2000 · about 16 years, 5 months ago
You could have a discussion about the security threats that the use of Skype could cause to your company. You can present the case and ask for participation. I recommend you read an interesting article I found in Von Magazine, January 2006 Issue. It is called “The Skype Phenomenon”. Here is the link to the magazine: http://www.vonmag-digital.com/vonmag/200601/
You can go to the Table of Contents and go to the article. Using that article as a guide you can do more research in order to go deeper into the case.
I hope you find my idea interesting. Thanks for the huggy bear!
March 16, 2006 at 8:01 am #3074749
What to do for two hours…
by tweakerxp · about 16 years, 5 months ago
Pizza and beer for everyone. That’s always a hit!
March 16, 2006 at 8:07 am #3074737
Thanks and clarification
by gadgetgirl · about 16 years, 5 months ago
First of all, heartfelt thanks to all posters, and also to the senders of the many pm messages I’ve been receiving all day - special thanks to whoever it was in TR that put this up on the NetNote today, too!
A few bits of clarification are needed:
I work in the NHS in the UK, and have no budget to spend on bringing in external help on this one. We’ll be out of our own area so as not to be interrupted, and the lunch is at the end of the session, so I can’t ‘give them time back’. The last thing I want to do is to point out the pitfalls/downfalls/shortfalls in the system here: there is no budget to change anything at all here, we’re about to go into a merger situation, so the cash box is well and truly closed until the new Trust strategy is formed (we’re counting in months here, not weeks….. bureaucracy)
This session will take place in a board room type of room, around the table - no desks, no PCs involved, and only minimal presentation kit (if I’m lucky, and can scavenge some beforehand)
My role in this is purely my job - information security. The reason I was opted onto the other group is that I’ve led in team building exercises and managed away days in a previous life. This is just the groundwork so that Information Management, Governance, Security, the Patient systems and the IT department itself all get an ‘overview’ on the work of the other teams. Having done inductions and legal update sessions for all of the people in these teams in the first place, I want to try and expand their knowledge, and let them have a bit of a laugh, not just preach security at them all over again.
So my proposed outline (thanks Dawg - Lifesaver Extraordinaire) is to do about an hour’s presentation, then give them a break, which will probably extend to around the 20 minute mark. When they return, we’ll have a talk session, hopefully on things they themselves have suggested. I want to include questions from myself concerning the DR side of things (because I know they’re all sadly lacking in applying information security in a DR situation)
I like jdmercha’s idea (thanx!) of doing the quiz first, prior to the presentation - should prove interesting to see what percentage of answers change. I can base the presentation on some of the items in the quiz.
Most of all, I want FUN. Having sat through numerous presentations in my working life, I just know how soul destroying these things can be, and I am DETERMINED mine is not going to go down the same way, which is why my monthly induction presentation contains animations, soundbites as well as stupid stories to keep the inductees awake. The Rogues Gallery idea (thanx American Voter!) could go in here, and as far as I’m concerned, the sillier the security lapse, the better. I’m hunting for stupid/silly/comical stories at the moment, but any forthcoming from here would be more than welcome - and yes, I always give credit for these! (thanks, Dawg - AGAIN!) And, TheAdmin, thanks for the website links!
The talk session will now probably include a straw poll (thanks Tony@ – btw, I think I know you!) so I think the basic outline is probably just about there, thanks to all of you.
If you hadn’t gathered, this is the first chance I’ve had to be on the board for any length of time since the day of the OP - guess what? Another two incidents rolled my way! Now you see why I’m doing this well in advance of the date!!
Sincere thanks to all once again
(keep it all coming!)
March 16, 2006 at 1:38 pm #3077266
no person is an island
by trhansen · about 16 years, 5 months ago
In reply to Thanks and clarification
In all the posts I read it seems as if you and you alone should do the presentation. Communication, even in IT, is between people. Select a few people that must give input to you for you to do your job and assign them specific portions to present. Include your specifications like: no more than 20 mins., use humor, etc.
The point would be to demonstrate how you are working to change communication for the better. Show them how things break down and several alternative ways of fixing difficult areas.
March 16, 2006 at 8:13 am #3074732
I hope this helps
by ryannerd · about 16 years, 5 months ago
My company recently did something similar where each department was to give an hour presentation and then quiz everyone to see how boring you were.
One department was very funny and for their quiz they had a computer with projector, they divided the room up into 3 or 4 teams and we all played Jeopardy. Here’s the program they used to make and run the game:
Good luck with your presentation.
March 16, 2006 at 8:36 am #3074710
Have some fun with them.
by fvrba · about 16 years, 5 months ago
Make up an incident that could affect your company but present it as if it did, in fact, happen. I’m sure you can make it believable since you’ve got experience with other incidents happening there. You can have papers with notes on them to help you stay on track but tell them the papers are reports or audits or some such stuff. They won’t see them since they’ll be in a folder that you take to the microphone with you. You might be able to take up 30 minutes or so with this.
Some people will probably be on the edge of their seats and some may be wondering if they’re going to be in any kind of trouble or who did get in trouble for this.
I’ve got two stories that are kind of long that were presented to me over the last couple years. One is simple carelessness and the other was an intended social engineering intrusion. Both are true. If you’d like them, let me know. I’m sure you know of several yourself.
PS You could read one of Kevin Mitnick’s books for ideas.
March 16, 2006 at 8:59 am #3074698
How does a Tech organize, work habits & notes
by charles.bass · about 16 years, 5 months ago
There are certain number of ways that I’ve used to standardize how I set up computers and servers.
There is also a couple of software packages I use for my day-in and day-out notes.
Essentially, I use “Ultra-Recall” to organize all my notes and work along with “KnowBase” to find things really fast by keywords.
They save me time by not having to reinvent the wheel/solution.
March 16, 2006 at 9:03 am #3074696
talk about quality
by wojtek.szala · about 16 years, 5 months ago
I would talk about quality – you may talk on this for hours and since everybody knows something about it, it should not be difficult to get some people’s response, which always helps the presentation/speech.
Try to present the Japanese quality circles idea, which besides quality serves as a good way of communication improvement ‘without rank boundaries’
Let me know if this could be helpful to you
regards and best luck 🙂
March 16, 2006 at 9:25 am #3074684
How about Blindfolds??
by outlawmech · about 16 years, 5 months ago
I know this sounds silly, But if all these parts of IT or ICT are working toward one goal, couldn’t you use the time to benefit team building?
But I guess having them build a model of a network blindfolded wouldn’t do it. But, bringing the point home is. Security is vital. Needed, and dangerous. Departments tend to lose focus after a bit. And hey, if they know all this already, why do you have all the problems to fix??
I probably didn’t help. Nor have I truly encouraged you either ( sorry).
But, I would say: 1) find a focus 2) team building thru skits, humor, and violence ( ok not the violence)3)and lastly( whew! she says)bring donuts heheh.
March 16, 2006 at 9:35 am #3074674
When in doubt …
by neilsm · about 16 years, 5 months ago
I could easily do 2 or 3 hours comparing and contrasting sed and awk – with occasional references to perl. I expect I wouldn’t be asked again. Sometimes attack is the best defence.
March 16, 2006 at 9:50 am #3074663
Amusing Case Studies
by rebecca.buffington · about 16 years, 5 months ago
I would find some really amusing examples of security failures and point out what could have/ should have been done to avoid them. Find out what other companies in similar and different industries have done to tighten security. Pros and Cons of each solution. Good Luck.
March 16, 2006 at 9:58 am #3074659
What about general IT (IN)security?
by michael_orton9 · about 16 years, 5 months ago
What would happen if your chest freezer needed daily updates to its thermostat to stop it defrosting? Nonsense of course. But we accept this on our more expensive PCs.
Would you expect to have to upgrade the thermostat’s controls every month?
Would you expect the freezer to be obsolete every 2 or 3 years?
Or your television?
They work for 5, even 10 years without daily updates, no viruses, no spam, porn only if you pay for it.
No adverts for breast / penis enlargement with the 10.00 news either.
No phishing letters from Barclays, eBay, PayPal with your favourite Soap.
Yet we accept all of this as the norm from Microsoft.
Perhaps this is an idea.
March 16, 2006 at 10:09 am #3074652
by tundraroamer · about 16 years, 5 months ago
Get a list of attendees and pre arrange to have their logons and electronic keys (if used) turned off when they arrive for the meeting. Take them outside the building and then tell them that lunch is ready but before they can have it, they have to logon to check their e-mail for an important message that contains a pass to the lunchroom for their meal which they must print out in order to attend.
And then leave them alone and go the lunch room to wait to see who shows up.
Once the group is reassembled, have them each explain how they got in.
Then discuss how they circumvented security to accomplish the goal. Obviously you will have to coordinate a few things ahead of time.
March 16, 2006 at 10:28 am #3074637
by infinitymoo · about 16 years, 5 months ago
Probably the hottest subject under the faculty of Information Science, it’s also one of the best-kept secrets of many businesses’ success. I suggest you get books from Ben Gilad on this subject (related words: Early Warning, Blindspots, Competitive Analysis). And there’s also the Society of Competitive Intelligence Practitioners (aka SCIP) that you can check up on.
It’s the “magic link” between maximizing IT infrastructure/practice and empowering the business itself to not only survive, but dust their competition away.
As I understand, you need to stick to the topic of security? Ever heard of “cloaking” information? It’s about managing the flow of competitively sensitive data (which is impossible to completely control). It’s under the topic of Defensive Competitive Intelligence (be careful of the ‘hardware security bias’ e.g. bugs, surveillance equipment, etc., as this is more about risk and people management than it is 007 stuff).
If you want more info on this stuff, just reply on my thread and we can set up a communique (maybe through Skype, or IRC). Good luck!
March 16, 2006 at 10:44 am #3074629
by edward_b_mccabe · about 16 years, 5 months ago
Have you thought about moving away from the technical aspect of security and focusing on the people and processes?
You made the mention that it was difficult to “make [a security presentation] interesting to an IT Department full of techies who already know about security” — but honestly, how much do they really know about security as a whole? I’ve met a number of techies that were hot and smokin’ when it came to their respective roles, but when it came to security they had predominantly a biased view that security degraded their abilities by requiring an investment of time to do something that “technically” could be done in half the time.
As you know, security sits on a tripod made up of people, processes and technology. Judging from my past experience with dedicated, die-hard, “still awake at 4:45AM playing the latest Playstation game with half a pot of coffee left to go” IT techie types, they understand the technology (the how) but do not understand the processes (the why) that drive the implemented technology.
This is also a great opportunity to get some feedback from the IT staff on how they view the organizations security program, how effective they feel the security posture is and how methods are viewed. You can use it as a roundtable event to get their views and ultimately buy-in, additionally you could use the time to market yourself and security services out to the rest of the staff.
IT and Security have the same goals, providing a service and the additional support of that service. The two entities have widely differing mindsets however. IT is almost always concerned with getting the service(s) to the end-user as painless, easy and quick as possible. Security is concerned with the confidentiality, integrity, authenticity and availability of the services as a whole. Security wants to make sure that yes the end-user can do what they need to do while at the same time balancing the risks associated with providing the service.
I have discovered more times than not that security is viewed as a business inhibitor and not a benefit to business. While most people may think that having a firewall and the latest AV makes them secure, the reality is that the personnel and procedures supporting the technology aid them in being secure. Educating all staff within an organization as to the need for security and why certain policies and procedures are in place can save lots of time by preventing an incident rather than responding to and recovering from an incident.
Or as my grandmother used to say, “an ounce of prevention is worth a pound of cure.”
Of course that’s only my .0164 euro on the topic, I could be wrong.
March 16, 2006 at 12:20 pm #3077296
by noncomposmentis · about 16 years, 5 months ago
A lot of good suggestions here, although I must admit to not reading all of ’em ;-p
However, one thing I find gets overlooked at the sharp end of IT security is the social element.
Perhaps if you look into the ‘social engineering’ techniques used by the more creative rogues out there.
There’s an awful lot of material available if you mooch it out – perhaps if you managed to master a method or two in SE yourself, you could use that as part of your presentation.
Maybe set a seemingly simple test sheet that you refer your audience to at the beginning of your seminar/demonstration – then collect ’em up and have a friendly assistant process the answers. One approach might be to question them on responses to hypothetical – but very possible – scenarios of attack. Might do well to not go for the formal test thing though……..maybe only have multiple choice boxes for them to tick off – while you ask the questions and give the options from the front. How well you get people to relax will depend on you :)
Then you can hit seminar mode and give spiel on the attack methods, possible areas of vulnerability and, of course, how these can be countered or mitigated.
30 minutes from time, you could present a demographic analysis of the answers, by role, susceptibility and subsequent level of security liability.
If you don’t have anyone who can work on the analysis of their answers during, then you can follow up later – but this would be missing an opportunity to close the session well, by my thinking.
Two and a half hours is a long time, I’ll admit – but I think SE offers a lot to hold the attention – everybody likes to know how the conman might work, right?
March 16, 2006 at 12:28 pm #3077295
by thomas.gossard · about 16 years, 5 months ago
Try doing a talk and demo of incident response. I also am in the tech field and get the security talks all the time and they all say the same thing, “this is what you need to do BEFORE you get attacked”. How many talks do we get about what to do once we’ve been hacked? You can talk about what they should do if they think or know they’ve been hacked, what indicators they might see to point out they have been hacked. Then do a demo showing them a system that did get hacked. Show them the log files and other traces the hacker left behind. Everyone always talks about the before hack work, no one ever does the after hack talk.
March 16, 2006 at 12:33 pm #3077293
Geek speak to regular english
by mat hancock · about 16 years, 5 months ago
Phrases and acronyms that only IT pros would know or understand need to be translated into everyday English for the end users, and there needs to be some sort of standard in your department – doesn’t there?
You could compile a list of methods for general translation, like ‘personify the computer – for example – it’s having trouble talking to the other machine’, and use these for your knowledge test.
As far as I know there is nothing written in stone, so you could have pretty much free rein, and even toss in a bit of humour (to help any flagging popularity!)
Should be relatively simple to pad out to a good three hours without too much brainwork – good luck!
March 16, 2006 at 1:39 pm #3077265
Sources for ideas: Risks, 2600
by devon · about 16 years, 5 months ago
First of all, what’s your penalty for running under on time? Most people appreciate less rather than more.
If you must fill time, you could try expanding your mandate beyond a narrow definition of security to wider issues of risks in computing. A great place to start on this would be to look at the risks newsgroup at http://catless.ncl.ac.uk/risks.
Another place to look, for more narrowly-defined security issues, would be 2600 – the magazine and the website: http://www.2600.com/.
March 16, 2006 at 3:40 pm #3077206
by raelayne · about 16 years, 5 months ago
There are many PowerPoint presentations on the Internet, published there by their authors, I can only assume. Grab one (say, on “Ethical Hacking” or some other arcane subject) and deliver it. There’s no excuse for starting from scratch.
March 17, 2006 at 10:34 am #3076971
March 16, 2006 at 4:06 pm #3077200
by mlawton · about 16 years, 5 months ago
Don’t do it all yourself silly girl, get some help. How about corporate firewall presentation and what goes on to block traffic. Or how about virus eradication once the horse is out of the barn kind of thing. These two might raise awareness of what people just take for granted or how much extra work is involved if they aren’t careful. If all else fails show them an old silent movie. Good luck!
March 16, 2006 at 6:50 pm #3077176
Address Your colleagues’ PERSONAL INFO SECURITY
by ksnmohan · about 16 years, 5 months ago
One of the areas your Colleagues will be surely listening to with rapt attention is the threat posed to their individual, personal information security.
All of them will be having cell phones with BT and you can give live demonstrations – in the course of your talk – how you are able to break into their Cell phones.
Prof K S Narayanan
March 16, 2006 at 11:51 pm #3077131
wireless connectivity home vs. office
by heather.mama · about 16 years, 5 months ago
As a (future) small business owner and stay-at-home mother, I have had a very difficult time so far making my wireless internet work the way I expect it to. Going to and from an office, and/or mobile office (via internet café, cell phone, wi-max) is daunting.
March 17, 2006 at 5:09 am #3077078
Security Audit of the people you are talking to
by donkey_butter · about 16 years, 5 months ago
I think it would be an interesting topic if you did a complete security audit of the people you are speaking to. Look for security holes, analyze network traffic, and look at the logs. Call people out on security breaches, and then address ways to fix them. It would be a good laugh and informative.
March 17, 2006 at 5:33 am #3077074
150 reasons why we should adopt ITIL
by contracttrain · about 16 years, 5 months ago
There you go.
1 minute per reason..
Considering security covers the ITIL processes pretty much like a blanket, you should have plenty of fodder..
March 17, 2006 at 7:15 pm #3074135
by sarge62436 · about 16 years, 5 months ago
There would be significant value in a discussion on effective interpersonal communication in general, and email, phone, and verbal skills in particular. No doubt your audience has a high degree of technical skill; do they know how to communicate these skills to others, including the tailoring of their approach to the audience?
March 18, 2006 at 4:08 am #3074086
you already know what to do
by vaspersthegrate · about 16 years, 5 months ago
When in doubt, pull interactive community out.
Poll your audience in some manner. What 3 tough security questions do *they* wish someone would attempt to answer?
In every field, there is annoying mystery, knowledge gaps, need to resolve empty space.
If not polling your audience, study polls of security experts on what they themselves feel are hot topics, emerging issues, undreamt-of threats.
There is much that your audience does not understand or know about security, relevant to their real world concerns, and future events.
Borrowing ideas and presentations from others is not the best approach.
Devise a way to tap into audience needs. What can make their life easier, or how can they be motivated to advance in their understanding of constantly evolving security tech?
Stories, facts, anecdotes, bizarre tales, etc.
March 18, 2006 at 9:06 am #3074061
Set them on a quest….
by admin · about 16 years, 5 months ago
How about telling them, since they are so enlightened on security already, you took the opportunity to invite a particularly nasty hacker community to the task of hacking into each of their departments! Just to test if they’ve been listening to your talks the last few sessions. You supplied only the public IPs of course, but tantalized them with tidbits of corporate espionage and free donuts. Watch THEM scramble.
March 19, 2006 at 1:57 am #3074036
What I’d do
by neilb@uk · about 16 years, 5 months ago
is drug the lunch drinkies so that your entire audience falls asleep for a couple of hours. You can then either chill out or take their wallets or whatever. Wake them up after a couple of hours so that they can do the exam on the “presentation” that you “gave”.
Seriously, I wish you luck. I can neither give nor sit through a 2.5 hr presentation. Dawg’s killed the first half quite elegantly but you’re still stuck with another 75 minutes!
If the management gimp who proposed this is in the audience then I think that he’ll probably realise that it wasn’t a sensible decision, but if he’s not then you need to make him pay. THAT is what I’d use the second hour for – I’m sure your audience would be willing to help after listening to your Security presentation for an hour and a half.
(No offense meant, of course)
March 20, 2006 at 5:19 pm #3076468
An odd question perhaps but…
by tig2 · about 16 years, 5 months ago
You don’t specify if your arena is Security (as in IT Systems Security), Security (as in Data Security) or Privacy Security (as in the protection of specific types of data- names, DOBs, SSNs, etc.) I think that I would actually try encompassing ALL of those arenas in order to fill your 2.5 hours. In fact, I have done exactly that in my own company in the US with our Indian outsource partners.
While I understand that the laws that govern are different between here and there, I know for certain that there are similarities. I have built into the presentation that I use some “knowledge checks” that require my audience to identify key points – e.g. what is law, what is best practice? I use chocolate as prizes for getting the right answer ahead of your mates. Oddly – it works. But then, most of us in IT can be had for chocolate…
I have to do my presentation for 4 hours, which sometimes causes me to pray publicly for a pre-frontal lobotomy and wish to work in Marketing (ooops! Synonymous…), but I have really enjoyed the challenge as I am a closet masochist and enjoy the pain. Kidding aside, I know that this can be done and not even at the expense of your better judgement.
Please feel free to peer message if you would like details and examples.
March 21, 2006 at 12:51 pm #3076125
What is SECURITY and where does it begin?
by merlin the wiz · about 16 years, 5 months ago
In reply to An odd question perhaps but…
I agree with TiggerTwo: “You don’t specify if your arena is Security”. The latest scam in CA is a phone call at home: “Will you accept a collect call from XXXXX (first name only)? This is the YYYY jail. The charge will be $$$ for the first three minutes.” Then if XXX is a familiar name you are hooked. Anything that supports a scam is also a security threat. Is identity theft a security issue? Usually not to the IT Department. But it sure is to the department manager (and anyone else in the group) who has had his identity compromised. I would start with a question similar to “What is security? There are many definitions of security, from personal security to corporate security, that affect all aspects of our lives. What can we do about it?” Yes, you will have a number of individuals that are very computer security literate (maybe), but how many companies lost significant amounts of money due to the World Trade Center and Katrina? All of those losses could have been prevented through proper security practices.
If this goes like I expect, you will have a very informative discussion group that will
March 22, 2006 at 9:48 am #3076784
Virtual PC and Virtual Server 2005
by tinman007 · about 16 years, 5 months ago
You can establish a test base for testing internet security all in a virtual scenario. I feel this is a good way to do testing and save a lot of time and effort. Plenty of info to pull it off and maybe turn some heads.
March 22, 2006 at 10:33 am #3076768
by sf_pat · about 16 years, 5 months ago
Forensics is in the Security News a lot nowadays. This is an area of public interest that cannot be satisfied. Take some real or imagined incidents and discuss with the group (look at SANS indexed articles):
How the security was probably breached.
What steps the firm could have taken to prevent the breach.
How an incident response team might pick up on a similar incident in real time in the future.
Relate these, if possible, to security measures they are currently doing at this time.
March 23, 2006 at 8:04 am #3075722
Great discussion subject here
by billaaa3 · about 16 years, 5 months ago
You might get some good talks out of a new book coming out this June on Prometheus Books. I’m the co-author of “The Geek Gap – Why Business and Technology Professionals Don’t Understand Each Other, and Why They Need Each Other to Survive” which addresses a lot of the very issues your discussion group is probably trying to deal with.
I’m not particularly good at beating my own drum, but we’re getting some excellent recommendations from assorted high-profile folks who’ve gotten a peek, like Doc Searls (Linux Journal) and Tom Peters (In Search of Excellence).
We have a website up (sorely in need of updating, but we’ll get there) – http://www.geekgap.com – that may give you an idea of the book. As I said, it isn’t out til June, but shoot me an email and I may be able to get you a discounted copy a little sooner, if needed.
Good luck with the discussion group!