

Vipshop information security training system

Posted by forbes at 2020-03-27

Some information security awareness training is doomed to fail before it starts

Some studies have shown that most advanced persistent threat (APT) intrusions succeed because of a lack of security awareness among personnel, and a large body of incident case studies shows that "people" account for a very high proportion of security incidents. Many in the industry jokingly call the human being the "eighth layer" of the OSI model; reducing that part of the attack surface requires good awareness education.

Reading this, many people will think: hold one security awareness training a year, give a simple test afterwards, and once everyone passes, compliance requirements are met and there is something to report to management. I can only say: too simple. Some information security awareness training has already failed before it starts.

What exactly is awareness?

Exploration of information security training system

Figure 1. Vipshop information security training system architecture

The delivery channel follows the times: whatever stage technology has reached, a corresponding training channel naturally appears. Before computers, training meant offline face-to-face courses and posters. Later, computers, then mobile phones and WeChat, became part of daily life and in turn became new channels for security training. So at the delivery channel layer we only need to keep up with the trend; there is not much to innovate. Perhaps in the future we will deliver security training through holographic projection and VR games.

To reinforce awareness with sufficient intensity over a sustained period, Vipshop's current delivery channels are split into offline and online parts. Offline channels are mainly face-to-face courses and printed publications; online channels include V-Learning, e-mail and the OA column on the PC side, and V-Classroom and WeChat on the mobile side.

Figure 2. Security technology training animation video

Figure 3. Long-form security awareness graphic - telecom fraud

Figure 4. Information security tips - 1

Figure 5. Information security tips - 2

Figure 6. VSRC WeChat official account sharing

Figure 7. Information security face-to-face training PPT - case sharing 1

Figure 8. Information security face-to-face training PPT - case sharing 2

Figure 9. Information security week - a hot spot

Figure 10. Information security week - active participants

Figure 11. Vipshop OA column

Figure 12. Information security bimonthly, 12th issue - cover

Figure 13. Information security bimonthly, 13th issue - cover

Figure 14. Information security bimonthly - security vulnerability warning

Figure 15. Screensaver - no account sharing

Figure 16. Screensaver - no weak passwords

Figure 17. Video course catalog of information security awareness education

Figure 18. Information security awareness education animation - data security

Figure 19. Information security awareness education animation - account sharing

Figure 20. Information security bimonthly - security alerts for daily life

Figure 21. Information security technology training animation - course catalog

Figure 22. Information security technology training animation - SQL injection vulnerability

Figure 23. Secure coding specification

5. The training audience layer concerns the people who receive information security training. We analyze the audience along two dimensions: first, the audience classification of the training courses; second, the career development needs of the trainees.

Audience classification means that, in addition to the "one size fits all" security awareness courses for all staff, each post should also receive post-specific security skills training, in categories such as secure development, security operations and maintenance, and security incident response.

Career development needs refer to the different security training needs that arise as an employee joins the company, advances technically and is promoted.

Example A: a developer needs to master secure coding. When that developer is promoted to system architect, they may need to understand deeper topics such as security models, security architecture and threat modeling.

Example B: a salesperson is promoted to business manager or even business director. Previously they only had to manage their own security awareness; now they must manage the security awareness of everyone on their team, which is no small challenge, so they need security awareness training tailored to that change of role.

By career stage, the training audience layer is divided into four stages: onboarding, on-the-job, promotion, and continuing education.

November to December 2016 was the period in which all Vipshop staff took the information security examination. The one-and-a-half-month examination was completed before New Year's Day 2017, with more than 26,000 participants.

The information security department planned this examination carefully, setting different examination content for all-staff awareness and for the development, testing, project manager and product manager posts. This puts into practice the principle of training and examining by post, and the examination content was designed to match the training content closely.

For the information security awareness questions we compiled two question banks covering nine security fields: mobile security, terminal security, confidential information disclosure, account and authority security, social engineering, business security, personnel turnover security, separation of duties for key posts, and data extraction security. During the employee examination the system randomly selects questions from each security field, so every person's examination paper is different. The examination for technical staff is composed of the top 10 security vulnerabilities, the secure coding specification, the security assessment process, business security technology and other topics, to ensure that technical staff master basic security technology and comply with the security management process.

Figure 24. 2016 Information Security Online Training

Figure 25. 2016 information security online exam

Although Vipshop's information security training has taken initial shape as a system, it is still far from complete.

In the future, we will focus on the following key contents: