Most are designed to help organizations address teleworking risks related to COVID-19 scams.
The surge in teleworking in response to the COVID-19 pandemic has heightened cyber-risks for organizations across industries — especially those with little prior experience dealing with a remote workforce.
Indeed, threat actors attempting to take advantage of the situation have sharply increased attacks on enterprises using COVID-19-related phishing lures, Web domains, and other tactics. In April, for example, Google reported detecting some 18 million malware and phishing messages and more than 240 million spam messages per day on Gmail that were related to COVID-19. Its security researchers also identified more than one dozen government-backed threat actors using COVID-19-related lures to try to distribute malware or steal data.
In response, numerous security vendors and others have recently announced free products and services to help organizations address the new threats. These offerings include endpoint threat detection and response tools, secure remote access tools, security assessment and monitoring tools, and mobile access tools. Some are targeted at small and midsize organizations, while others focus more on the needs of large enterprises.
Among the myriad offerings have been a handful targeted at educating organizations and workers about the security risks associated with remote work, in particular, and security hygiene, in general. The programs are particularly useful because many organizations have been forced to support a work-from-home workforce with little prior preparation or notice. A recent Kaspersky survey of 6,000 individuals worldwide, in fact, found that 73% of employees working from home after the COVID-19 pandemic started have had no security guidance or training from their employers. The survey also found 27% of the respondents had received COVID-19-related phishing emails.
“While employees are trying to get used to the new reality of working from home, IT and cybersecurity teams are under pressure to enable them to continue working safely,” said Andrey Dankevich, Kaspersky’s senior product marketing manager.
The following are six examples of free security awareness and training programs designed to help organizations and workers brush up on the security basics.
Who: The nonprofit Information System Security Certification Consortium (ISC)2 offers a wide range of training and certification courses for cybersecurity professionals. It is best-known as the organization behind the CISSP certification and other popular programs, including the Certified Information Systems Security Professional course and the Systems Security Certified Practitioner (SSCP) and Certified Cloud Security Professional (CCSP) certifications.
What: (ISC)2 is offering free access to everyone to its recently released “Utilizing Big Data” course ($200 value). The organization is also offering a heavily discounted all-access pass to its entire catalog of Professional Development Institute courses. For $649, individuals can now access all 35 PDI courses that (ISC)2 offers. Typically, the bundle is valued at $10,420.
The nonprofit is also offering its core CISSP and CCSP courses at a 33% discount. The self-paced CISSP program is now available for $561 versus $849, and the self-paced online CCSP program is now priced at $496 instead of the usual $749. Discounts are also available for (ISC)2 online instructor-led courses. Details are available here.
Why: “This is a challenging time for many organizations as well as the cybersecurity professionals who keep them safe from cyberattacks, as they work to support remote workforces and keep their businesses running,” said Wesley Simpson, COO of (ISC)2 in announcing the discounts.
Who: The SANS Institute provides a wide range of information security training and certification courses for private- and public-sector organizations. The organization’s course list covers topics ranging from an introduction to cybersecurity, to incident response and forensics, auditing and monitoring, law and security investigations, and security of ICS and SCADA systems.
What: In March, SANS announced a free “Securely Working from Home” deployment kit for organizations and for individuals/employees needing help figuring out how to secure work-from-home environments amid the COVID-19 pandemic. The awareness guide for organizations covers topics such as identifying the top risks to focus on, how to securely communicate and engage with a remote workforce, and what to teach employees about security risks. The advice available on SANS’s website includes tips for secure videoconferencing. Videos, documents, and other material available for download from the SANS site can be used freely for noncommercial purposes. SANS is also hosting a series of capture-the-flag (CTF) events for anyone interested in participating.
Why: Like others offering free programs, SANS says its goal is to help organizations stay secure amid a sharp increase in attacks related to the COVID-19 pandemic. “During these unprecedented times where social distancing is the required norm and cyber attackers are increasing their activities, it is more important than ever to find ways of engaging and supporting our community,” said SANS fellow Ed Skoudis.
Who: Fortinet is a cybersecurity vendor that offers a range of firewalls, intrusion prevention, and endpoint security technologies to enterprise organizations. The company says it has over 440,000 customers worldwide.
What: Fortinet has made its entire catalog of 24 online security courses available to everyone for free for the rest of 2020. Previously, the courses — which cover topics such as public cloud security, secure access, and Secure SD-WAN — were available for free only to the security vendor’s partners. The courses are from Fortinet’s self-paced National Security Expert eight-level security certification and training program. The free programs have been broken down into three categories: advanced training for security professionals, technical training for IT professionals, and awareness training for teleworkers.
Why: “The current reality has forced many organizations to face rapid change and new risks as they’ve transitioned to remote workforce models,” said Fortigate EVP of products John Maddison in announcing the program. The courses will help address the evolving needs of organizations securing highly distributed and remote workforces, the vendor noted.
Who: Lucy Security provides IT security awareness training and testing tools for enterprise organizations. Its modules include educating and engaging employees on a variety of security threats, such as phishing and other email attacks, and testing their awareness related to browser vulnerabilities, spoofing, and ransomware.
What: Lucy is providing free access to a variety of its security courses, training videos, and checklists primarily to help employees working from home to better detect and navigate security threats related to COVID-19 and mobile and remote access, in general. Available free courses — which include downloadable learning materials — cover topics like working from home securely, phishing awareness, and secure mobile-device use. The modules that are available for free download include a work-from-home security checklist, sample COVID-19 phishing scams, and mobile device awareness training.
Why: According to CEO Colin Bastable, Lucy Security launched the free programs in response to a tenfold increase in phishing emails since early March. “Bad actors are taking advantage of the COVID-19 situation to prey on distracted and unprepared workers,” Bastable said. “Lucy wants to actively address this acute need for education by giving people free, immediate access to helpful training tools and information.”
Who: Kaspersky is a leading provider of antivirus and anti-malware tools for enterprise organizations and consumers. According to the company, some 270,000 corporate clients and over 400 million users use its products.
What: In April, Kaspersky rolled out a free course on the basics of security when working from home. The security vendor has teamed up with Area9 Lyceum, the provider of an adaptive learning platform, to deliver the 30-minute course. Part of the course covers how people can physically avoid getting infected by COVID-19, while the other part covers how users can prevent their home workplaces from being taken over by cybercriminals.
Why: According to Elena Molchanova, head of security awareness marketing at Kaspersky, the training courses are based on real-life situations and designed to demonstrate how even simple actions can help mitigate cyber-risk for employees working from home. “Due to the COVID-19 pandemic, more people are working from home now than ever and must ensure that their devices are secure,” Molchanova said.
Who: Red Canary is a managed threat detection and response vendor. The company also provides a range of educational and training resources for organizations.
What: Red Canary has made its entire collection of webinars available to anyone without registration. Simply navigate to the Red Canary website, then click and watch any webinar in the company’s archive. The offerings include a range of case studies, guides, and training material. Topics covered include case studies, MITRE ATT&CK, detection and response, threat hunting, and test and measurement.
Why: Red Canary is making its information more easily available for information security professionals looking to expand their education.
By Jai Vijayan