Dark Reading is part of the Informa Tech Division of Informa PLC


Comments
On Security Awareness Training
nannasin28
User Rank: Apprentice
4/16/2013 | 3:00:03 AM
re: On Security Awareness Training
they have no other sane alternatives. - AMS1117

Scizyr
User Rank: Apprentice
3/25/2013 | 7:17:43 PM
re: On Security Awareness Training
I have never been a fan of Dark Reading. My initial impression when I first discovered it was that it was filled with a bunch of hacks who don't really know what they are talking about. I'm glad to see my first impression was justified. Because Bruce doesn't know how to properly train people or care to become better at training, we should all just give up on education entirely. Don't bother teaching your kids to look both ways before crossing the road; that will ruin the fun they have playing in traffic.

In response to Bruce's direct question to the readers: "Have you ever met an actual user?"
Yes, I work with end-users daily as part of my responsibilities. I am unfortunate enough to be employed by a company with hundreds of employees that has no training program in place, and it is solely my responsibility to mitigate security risks. In the few years at this position I have dramatically decreased the number of viruses and phishing attacks by having one-on-one conversations with the end-users, explaining to them simple things they can try in order to detect these things. They aren't technical and they don't learn as quickly as technically-minded people, but it gets them thinking about it and soon they start learning on their own. Now they contact me when they see something suspicious on their computers.

This is just one example where very brief, low-level training has very clear and measurable benefits.

If you really want to know why the InfoSec industry is in such a desperate state, look no further than the author of this blog post, employed as a "chief security technology officer." Bruce Schneier, may your reputation be forever blemished for authoring such nonsense.
pjhillier
User Rank: Apprentice
3/21/2013 | 11:42:12 AM
re: On Security Awareness Training
I particularly enjoyed Dr. Gary Hinson's response to this tripe: http://blog.noticebored.com/20...

On a personal note, I suspect poor Bruce isn't getting enough attention lately.
KMA01
User Rank: Apprentice
3/20/2013 | 9:09:44 PM
re: On Security Awareness Training
Obviously you don't know much about IT security and never had to deal with phishing and social engineering.
EGALLAGHER240
User Rank: Apprentice
3/20/2013 | 8:38:42 PM
re: On Security Awareness Training
From personal experience (at a previous employer) I dropped our virus counts over 200% in the course of a year by providing simple training/tips on a continual basis to my users (not just once a year: train, sign off and forget). I did it via emails every week or so about the latest attack vectors and general security topics. Once you get the users' interest and buy-in, the rest is easy. Published a few years ago via an article on searchsecurity.com: http://searchsecurity.techtarg...
solardalek
User Rank: Apprentice
3/20/2013 | 8:32:10 PM
re: On Security Awareness Training
You wrote: "If four-fifths of company employees learn to choose better passwords, or not to click on dodgy links, one-fifth still get it wrong and the bad guys still get in."

I disagree with this. When the "bad guys get in" among the untrained, they're typically serving ads and sending spam. More serious attacks CAN be detected and prevented with adequate training. Successful non-fatal attacks may even encourage the untrained to seek training that will help them prevent more serious attacks in the future.

More: http://tinyurl.com/bshcdvn
DougShieldsSecurity
User Rank: Apprentice
3/20/2013 | 3:48:02 PM
re: On Security Awareness Training
If the US government had taken this same defeatist attitude regarding healthcare, we would not have affected smoking rates in this country over the years. We have. Also look at the buzz generated by the movie SuperSizeMe. Employee behavior modification is the goal and it can be done effectively. You just need the right program to get employees to think before mindlessly clicking on links, making Facebook posts, bragging about IP in a bar, etc.
slimjim00
User Rank: Apprentice
3/20/2013 | 3:23:30 PM
re: On Security Awareness Training
I disagree. Whether you're a developer or Joe (End-Loser) user, it's your job to be aware and cognizant of these daily threats, and the Security Engineers' job to inform and educate them. The problem of being Social Engineered is systemic from ground zero.

I think to do nothing for Joe User and just count him completely out of the picture is a sure recipe for failure. After all, Security is ever so changing and will always be a layered approach. After all, the End Loser is your weakest link, right next to the lazy coder or developer. Right?
stefragre
User Rank: Apprentice
3/20/2013 | 1:23:13 PM
re: On Security Awareness Training
Aside from the obvious, Bruce is right about something else: change your passwords/phrases regularly....
brunes
User Rank: Apprentice
3/20/2013 | 12:43:37 PM
re: On Security Awareness Training
The one part of this I disagree with is the notion that we should be designing systems that force you to choose long passwords. This is already too big a problem today on the internet. I don't care if jo-schmo-blog-101's site is compromised, so I should not be forced to create a long password there. Similarly, guess what, I don't really care much if someone hacks into my hulu account. The number of accounts on the internet that I actually care about if they were compromised (because they store personal data that I care about) is very few and far between. Yet EVERY website thinks that it is important enough that it needs to be an iron vault.

Rather, online passwords should be obliterated, or used sparingly. Sites need to make more use of the federated identity systems of Google, Twitter, OpenID and Facebook. I should not need to have 150 different usernames and passwords, all of which are possible attack vectors, to use the internet. And if you are running a site and refuse to do this, then I certainly should not have to choose an 8-character alphanumeric password to post pseudo-anonymously on a blog like this one.

Forcing people to create ever-more complex passwords to access low-security data simply makes the problem worse and worse, because people then re-use those passwords on multiple sites because they have no other sane alternatives. And then ONE of those sites is compromised, making ALL of the other sites compromised, some of which MAY be storing important information. Whereas if the user was allowed to use crappy one-time passwords on these unimportant sites, it would not be a problem. Or even better, just allow login with OpenID or Google or Facebook.