Security Training Employees on the Cheap

--

@author Randy Gingeleski

@since 03/03/2017

@see for businesses

--

“… Provide your security staff with the most up-to-date training available. Send them to Defcon or Black Hat. Let them learn from those who are heavily involved in attacking networks.” – David Biser (source)

Whoa, whoa, whoa. Hold on there, David Biser.

What if I’m a company that cares about security but not enough to send my employees to conferences or training? Maybe we just don’t have the money, like in a Cloudpets scenario where their stock fell 99% after haxxor mega-pwnage.

Has War & Code got a solution for you! You’re going to set aside time for your employees to watch conference videos, when they eventually are on YouTube for free.

PROS:

  • The only costs to you are network bandwidth from YouTube and your employees’ time (however much that is worth).
  • You can have different employees watch different videos to figure out what’s relevant to your situation. Then they can summarize the important stuff and share it internally.
  • You can get all this done in faster-than-real-time by utilizing YouTube’s variable playback speeds, if you’re really tight. At 1.5x or 1.25x you don’t sacrifice much understandability.

CONS:

  • It’s possible not all conferences will release their material later, though it has become common to do so.
  • There is typically a several months’ delay between the actual conference and releasing these presentation videos + materials. So if there’s something especially juicy at the con, it might get used against you before you’re aware, if this is your only channel of learning.
  • Depending on your company size and culture this might come off as really cheap. And if your employees know there’s flush cash in the bank, they’ll want to go crazy at the cons.

That’s all I’ve got. I just saved your company major bank. 💰💰

Here are some conference playlists from 2016 to get you started –

Defcon 24 archives

Blackhat USA 2016 briefings

What might be even more effective is setting up simulated red team / blue team scenarios or a CTF environment for your people.

But all that’s beyond the scope of this post. 😉