Dark Reading is part of the Informa Tech Division of Informa PLC

Comments
Dress Like A Gnome: 6 Security Training Essentials
Marilyn Cohodas, User Rank: Strategist, 5/6/2014 | 12:14:11 PM
Re: Dress like a Gnome
Ed, speaking as a user that is relatively attuned to InfoSec issues, I couldn't agree with you more about the importance of technical controls to enforce good security hygiene. I want to do the right thing, but so often the demands of the day-to-day lead to the path of less resistance (bad behavior)...
Ed Moyle, User Rank: Apprentice, 5/6/2014 | 9:37:36 AM
Re: Dress like a Gnome
Security training is hard to pull off well generally. Even when done well and using creative approaches as this article describes, the economics of it are challenging. There are two reasons for this: attrition and human nature. To keep pace with attrition, training needs to be done over and over and over and periodically refreshed in new and creative ways. Plus, human nature is contrary to what we want. People want to be helpful to each other - in fact, I'd argue (as many behavioral scientists believe) that helpfulness is "hardwired in" as a trait required for the human species to survive (think for example about what helping others means for a hunter/gatherer society - Dawkins has an excellent discussion of this in The Selfish Gene).

Anyway, point is... In general, my preference has always been to try to find technical controls that enforce the right behavior (even if doing so requires recouping some of the costs from the training budget).  For example, rather than training helpdesk staff not to give out passwords, modify the system so they don't know it in the first place - rather than training people not to send out personal information, change the process/system so they can't.  I'm not saying "don't train", I'm just saying minimize the surface area - a technical control is almost always less expensive long term since it's a one-time investment vs. ongoing cost.  It also tends to work better since you're not fighting against human nature.  

Anyway, just food for thought and my humble two cents.  
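As an added example (not code from the article or from any commenter in this thread), the following Python models the kind of technical control Ed describes for the helpdesk case: support staff cannot give out a password because the system never lets them see or choose one. Passwords exist only as salted PBKDF2 hashes, the helpdesk role can only start a reset, and the reset token goes straight to the user's registered contact, is stored only as a hash, expires, and is single use. The `AccountStore` class, the `send_to_user` delivery stub and the sample user are all constructed for illustration.

```python
# Added example, not code from the Dark Reading thread or any of its commenters.
# Models a helpdesk password reset where the agent can neither read nor set a
# password. AccountStore, send_to_user and the sample data are constructed here.
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Optional

PBKDF2_ROUNDS = 100_000  # work factor; tune for your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256. Only (salt, digest) is kept, so there is no
    plaintext for anyone, helpdesk included, to look up."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


class AccountStore:
    def __init__(self, send_to_user: Callable[[str, str], None]):
        # send_to_user(contact, token) delivers the reset token out of band
        # (e-mail, SMS). In this example it is whatever stub the caller passes in.
        self.send_to_user = send_to_user
        self.users = {}          # username -> {"contact", "salt", "digest"}
        self.reset_tokens = {}   # sha256(token) -> (username, expires_at)

    def create_user(self, username: str, contact: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.users[username] = {"contact": contact, "salt": salt, "digest": digest}

    # ---- helpdesk role: may start a reset, cannot read or choose a password ----
    def helpdesk_issue_reset(self, username: str, ttl_seconds: int = 900,
                             now: Optional[float] = None) -> bool:
        user = self.users.get(username)
        if user is None:
            raise KeyError("unknown user")
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).digest()
        expires_at = (now if now is not None else time.time()) + ttl_seconds
        self.reset_tokens[token_hash] = (username, expires_at)
        # The raw token is never returned to the agent; it only reaches the user.
        self.send_to_user(user["contact"], token)
        return True

    # ---- user role: redeems the token once to choose a new password ----
    def redeem_reset(self, token: str, new_password: str,
                     now: Optional[float] = None) -> bool:
        token_hash = hashlib.sha256(token.encode()).digest()
        entry = self.reset_tokens.pop(token_hash, None)  # consumed on first use
        if entry is None:
            return False
        username, expires_at = entry
        if (now if now is not None else time.time()) > expires_at:
            return False
        salt, digest = hash_password(new_password)
        self.users[username].update(salt=salt, digest=digest)
        return True

    def login(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        if user is None:
            return False
        return verify_password(password, user["salt"], user["digest"])


if __name__ == "__main__":
    outbox = []  # constructed stand-in for the user's mailbox
    store = AccountStore(send_to_user=lambda contact, tok: outbox.append((contact, tok)))
    store.create_user("alice", "alice@example.com", "old-pass")
    store.helpdesk_issue_reset("alice")          # agent never sees the token
    _, token = outbox[-1]
    print("reset ok:", store.redeem_reset(token, "new-pass"))
    print("login with new password:", store.login("alice", "new-pass"))
    print("token reuse:", store.redeem_reset(token, "again"))
```

The design point is that there is nothing for a helpdesk agent to be talked into disclosing: the store holds no plaintext, the agent's only capability is to trigger delivery to the contact already on file, and a token that is expired or already used is rejected regardless of who presents it.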
Randy Naramore, User Rank: Ninja, 5/5/2014 | 3:07:24 PM
Re: Dress like a Gnome
Maybe you are correct but it is a good thought.
Robert McDougal, User Rank: Ninja, 5/5/2014 | 2:48:12 PM
Re: Dress like a Gnome
You are exactly right Randy!  People, for better or worse, have a vulnerability that cannot be patched.  All people want to be helpful to other people.  Social engineers use this fact to get people to do what they want to do.

Additionally, if a social engineer can display an air of authority and sound like he knows the subject matter he is talking about, most people will not question him or her.  

The sad truth is awareness is extremely important, but we will never be able to secure the human completely.
Randy Naramore, User Rank: Ninja, 5/5/2014 | 12:59:35 PM
Dress like a Gnome
People have always been the easier target for hackers: they have emotions, can be reasoned with, and can be breached more easily than Windows (believe it or not).