I just listened in on a great webcast by John Strand, one of SANS' lead instructors on their penetration testing courses. John spends an hour discussing the latest tools and techniques in conducting human based penetration testing, specifically phishing and spear phishing. If you are involved in penetration testing and/or awareness training this is a great resource. What I found most valuable is half way through. John focuses on the different levels of human testing (he breaks it down into three levels) stresses the importance of starting with the basic level. I could not agree more, I find this point key. If you spend enough time and research targeting an individual or organization, you can craft the perfect email that will fool anyone. No one learns from such an event. John explains why its important to start with basic emails, one that almost anyone should detect (but still don't). For example, whenever I craft phishing emails as part of an assessment, I make sure there are at least three ways people could have easily figured it out (and no, analyzing email headers is not considered an 'easy' way to figure it out). Then I make sure to point these 'faults' out after the assessment so people can learn.
Anyways, listen to the webcast yourself. You can grab the webcast archive from the Core Security website.
About the Author
Lance Spitzner
Director, SANS Security Awareness
Lance has over 20 years of security experience in cyber threat research, awareness and training. He invented the concept of honeynets, founded the Honeynet Project and helped pioneer the field of cyber intelligence. Lance has published three security books, consulted in over 25 countries and helped hundreds of organizations establish mature security awareness programs. Lance serves on the Board for the NCSA, is a frequent presenter, serial tweeter ( @lspitzner ) and works on numerous community security projects. He served as an armor officer in the Army's Rapid Deployment Force and earned his MBA from the University of Illinois.