Impressing Security Upon End-Users Visually?
get quad writes "I continually have to remind our end-users to be vigilant about the usual web security hazards, such as not clicking links in the occasional spam email that passes through our filters, avoiding suspicious websites, why some websites aren't entirely safe or appropriate for the work environment (Facebook apps, MySpace, remote access apps, proxies, etc), and the myriad other things an end-user can do to get into trouble. What I'm hoping to find are video or flash examples (mind you, in layman's terms) of what Web-based exploits/zero-day threats are capable of, how they can happen, and the harm they can ultimately cause — rather than posting links to technical docs the users will never bother to read. Getting the point across in a purely visual and less technical manner seems much more effective. Does anyone have any suggestions or experience with this type of training?"
Here is a great video that shows how to detect a phishing scam using examples: http://www.youtube.com/watch?v=bzfPUmQcfDs
Symantec Security Response has an excellent video about Backdoor.Ghostnet on their YouTube channel.
I think the message here is that if you don't practice safe computing, the tools exist that empower just about anyone to pwn you.
I did find this:
http://arstechnica.com/security/news/2008/09/study-confirms-users-are-idiots.ars
I'm not sure if it's the study I was thinking of though.
http://www.scientificamerican.com/article.cfm?id=how-to-foil-phishing-scams
This is a good start and I'd recommend investigating the author's other published material.
Unfortunately, there should be another article titled "study confirms that computer system administrators are also mostly idiots"... but, of course, that wouldn't win any awards on a site like arstechnica, which caters to the computer geek set, which likes to pretend that they are not idiots.
Nor on a site like slashdot, for that matter. (Moderation: troll, here it comes.... guess I'd better click that "post anonymously" box, or else I'm gonna burn through karma...)
https://bugzilla.mozilla.org/show_bug.cgi?id=267888
I guess patches are welcome...
NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
Sunbelt Security had a video posted of what occurs when you got hit by the old WMF bug a while back. You could see software being installed, icons appearing on the desktop, and the desktop background being modified as this thing went to town and began popping fake AV warnings. It was one of THE most extreme and informative examples I can think of for this.
Here's a copy of it I found on YouTube. A search for "WMF exploit" on YouTube will get you plenty of hits :-)
http://www.youtube.com/watch?v=WTBcDJ9kJH4
IMO, I think this answers your question!
Build it, Drive it, Improve it! Hybridz.org
Yeah right, they just stopped reporting it. So your douchebag boss forced his employees to sign something or be fired, because you are sick of doing your job?
How about you just install anti-spyware and anti-virus software and be done with it. It's always worked for me, even if they click something evil it gets squashed immediately and everybody moves on with their life.
Too bad your expensive services don't include proper management of the computers you are paid to manage. That's YOUR job, dickweed. Not the users'. If I was your boss and we had repeated infections, you'd be unemployed and your replacement would take care of the issue once and for all.