Hi, and welcome back. In our last video, we talked about how to get our users involved and make them feel like they're a part of the security team. We also went over how to view email headers and verify where that email came from. So now we're going to hop into actually training the users. And really, there are two ways to train the users, and I think both are extremely valuable.
So the first way is passive phishing training, and that includes things like reading, quizzes, blog posts, things like that. At my organization, we perform passive training every month. Every month our users will get an email directing them to some training that goes over phishing and social engineering, things that we think will help improve our security posture.
So there are many companies that will help you do that, many vendors available, but you can also do it yourself. One thing you need to remember, though, is you need to make it fun. If it's the same boring, repetitive information, the users aren't going to pay attention; they'll click through it, and they're not going to care.
Active phishing training. That's really the fun stuff. That's what I love: it's the actual phishing campaigns against the users. And again, one of the biggest things I want to advise you on is we need to remember the goal. It's not to try and trick the users. That is going to cause distrust and make any future trainings and cooperation between users and other teams extremely difficult. Nobody wants to be made to feel stupid, or that they fell for a trick.
The main goal we need to remember is to educate the users. We want them to help us, and we can do that by helping them recognize and report possible phishing attempts.
So in addition to the many paid phishing campaign software packages available, there are a few open source ones that I found that are really easy to set up and use. Again, I've used both of these, and I've had good success being able to track a phishing campaign: send the phishing emails, look at the click-through rate, see who read the email, who deleted it, who visited the website and what they did on that website. Both King Phisher and GoPhish have really nice dashboards and reporting features available that you can share with your executive team, with the stakeholder that actually requested that penetration test.
And these are just a couple of the ones available out there. There's a ton of things you can do to help improve that security posture.
So we're going to end module four with just another quick quiz.
The first question is, what are some ways you can spot a phishing attempt? If we know these, we can make sure users know these too.
So, one: verify the address and check the email header. Verify sources and times with Google's header tool. Is it really from who it says it is?
The next thing is to re-read the body of the email. Is there a strange sense of urgency? Does the language or slang not make sense?
There's a lot of things to look for that can tip you off that it is a phishing email.
Remember to verify all links. And if you don't know how to do that, I think I mentioned it a few times in this course: you just hover over any link and it'll show you where it's actually going to take you. So there could be a link that says "Password reset"; you hover over it, and it shows that you're going to a Google Form.
Most password resets won't require you to enter your information into a Google Form.
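Here is a scripted version of those three checks as a worked example. It is added to this page and is not code from the course or from any of the tools mentioned in it. It parses a constructed sample lure (every address, host, IP and link in it is made up) with Python's standard library and reports the From versus Return-Path/Reply-To domain mismatch, the oldest Received hop (where the mail actually entered the mail system), and every link whose visible text points somewhere other than the organization's own domain. It assumes example.com is your own domain.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure (every address, host and link here is made up).
# The display name says "IT Helpdesk" at example.com, but the bounce
# address, the Reply-To and the link all point somewhere else.
RAW_EMAIL = b"""\
Return-Path: <bounce@mail-example.net>
Received: from relay.mail-example.net (relay.mail-example.net [203.0.113.10])
\tby mx.example.com with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby relay.mail-example.net with ESMTPA; Mon, 1 Jan 2024 09:59:58 +0000
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: helpdesk-support@mail-example.net
To: user@example.com
Subject: URGENT: your password expires today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires in 1 hour. Reset it now:</p>
<p><a href="https://docs.google.com/forms/d/e/abc123/viewform">Password reset</a></p>
</body></html>
"""

def domain_of(header_value):
    """Lower-cased domain part of an address header, or None if absent."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower() or None

def header_mismatches(msg):
    """Headers whose domain differs from the visible From domain."""
    # Not proof of phishing on its own (bulk-mail services do this too),
    # but it is the first thing to look at when checking "who sent this?".
    from_domain = domain_of(msg.get("From"))
    return [
        hdr for hdr in ("Return-Path", "Reply-To")
        if domain_of(msg.get(hdr)) not in (None, from_domain)
    ]

def received_hops(msg):
    """Received headers oldest-first, so index 0 is where the mail originated."""
    # Each relay prepends its own line, so the raw order is newest-first.
    return [str(h) for h in reversed(msg.get_all("Received", []))]

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(msg, trusted_domain):
    """(link text, target host) for every link that leaves the trusted domain."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    extractor = LinkExtractor()
    extractor.feed(body.get_content())
    flagged = []
    for href, text in extractor.links:
        host = (urlparse(href).hostname or "").lower()
        if host != trusted_domain and not host.endswith("." + trusted_domain):
            flagged.append((text, host))
    return flagged

def triage(raw, trusted_domain):
    """Run the header, hop and link checks on a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = received_hops(msg)
    return {
        "from": parseaddr(str(msg.get("From", "")))[1],
        "header_mismatches": header_mismatches(msg),
        "origin_hop": hops[0] if hops else None,
        "suspicious_links": suspicious_links(msg, trusted_domain),
    }

if __name__ == "__main__":
    for key, value in triage(RAW_EMAIL, "example.com").items():
        print(f"{key}: {value}")
```

Run it against the sample and it flags Return-Path and Reply-To as not matching the From domain, shows the first hop coming from 198.51.100.7, and lists the "Password reset" link as pointing at docs.google.com rather than anywhere under example.com. Only the Received line added by your own mail server is fully trustworthy; earlier hops can be forged by the sender, which is why the script reports them rather than deciding on them.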
So what are the two types of training that you can use? And that's right, both active and passive. Both have their value, and they're both fun to do and help your users.
So congratulations, you've completed Cybrary's Crafting the Perfect Email course. In this course we learned quite a bit, so here's just another quick summary of some things we went over.
The first step in any phishing campaign needs to be recon. If you don't take the time to do recon well and gather that information, you're not going to have a good time trying to write a phishing email that's going to pass.
Once you've done your recon, you need to use that information to help you write that phishing email. Include details that normal people wouldn't know. If you've done good recon on the organization, you should know the structure, who works where, and you can use that to your advantage.
Again, keep up with the current phishing techniques and emails that are going around. There are a lot of podcasts you can listen to; just talk to your users, see what they're seeing. There's a reason that these emails are going around and why they're working.
The Social Engineering Toolkit is one of the best tools for penetration testers to perform phishing attacks. It's really easy to use, and you can set up your own templates and easily send out emails.
Lastly, we need to remember our goal, and that is to keep the network safe. Phishing emails will continue to work until everyone is playing for the same team.
If we can help our users, they can help us keep the network safe.
That's all for Cybrary's Crafting the Perfect Email course. I'd like to thank you all for checking it out, and I hope you've learned something. If you've got any questions or feedback, please feel free to reach out to me on any of the following: @Perry_Dustin on Twitter, my blog nerdyinthebrain.com, and my website dustinperry.com.
Keep an eye out for more courses. Thanks!