Tough Material
@Corey Nachreiner
First, kudos on a thorough article. It's a fine collection of tips. I'd like to add a few notes of my own. I've been in IT, specifically build/release management, for 15+ years, and security has always been the secret passion. Because of that, it is always part of my auditing documentation. Also, I write how-tos and other documentation for staff, so I have a special interest in training, but also in methods for ensuring retention of information.
Argument No. 1: One or more bad eggs can and do cause significant damage. This is why a two-pronged approach to security is needed: 1) Build the technical infrastructure needed to prevent internal and external security risk, accompanied by the right organizational processes (checks and balances), and 2) train users thoroughly both in terms of "best practices", common mistakes, and so forth, but ALSO remind them of the seriousness of aiding in security abuse, knowingly or otherwise. I think that right there is one major shortcoming in user training: Put the fear of legal response and termination into everyone; it sounds harsh, but you know that Snowden's example has set in motion process and technology audits like nothing seen in that department in years. This is serious stuff.
Argument No. 2: To my notes above, the average person WILL care about security once they realize they can be held accountable, and that abuse of security protocols is punishable in no small way.
Argument No. 3: Surprise! Those archaic references are now becoming obsolete with more average users becoming tech savvy, partly because the population of users is younger and tech has been at their fingertips since childhood. My daughter isn't interested in tech as a profession, but at 7 years old she has her own Debian GNU/Linux computer, uses LibreOffice regularly and pointed out technical work-arounds in TuxPaint I hadn't thought of. Any IT staff that are dumbing down or not trying to educate based upon assumptions about the end user are going to have a very unsuccessful career ahead of them.
Tip No. 1: Based upon my previous comments, you can guess I'm half on the fence here. I do believe in the draconian rules, to some extent. Fear of legal punishment is what put me on a straight and narrow path when I was a young man. But at the same time, I believe that personalizing the benefits of security is key, too. Billions of dollars are taken from innocent people through cyber crime and in the end, we _are_ here to make life better for the average person.
Tip No. 2: Absolutely agree. And do it with simple graphics in a brief presentation or video. YouTube is king when it comes to training!
Tip No. 3: And the same holds true with documentation. Always explode the acronym first, before switching to it in later parts; i.e. "Open Web Application Security Project (OWASP) has a MeetUp. Join the OWASP MeetUp today."
Tip No. 4: I find tying your example to cyber crime news that makes network news works really well. Heartbleed was good for that because it was all over CNN, MSNBC, CSPAN, and major networks. Snowden (how he did it, not why) is also a good example. Use recognizable examples; it saves you the time of recreating the hack yourself.
Tip No. 5: Say no more. I have kids! On a serious note, though, you need to also remind folks that they are their colleague's keeper when it comes to security. Incentives for whistleblowers, while they may leave a bad taste in the mouth, might be necessary. Taking the game from a friendly group competition that is visible to an internal game where bad behaviour is recognized and privately reported for gain is sometimes what it takes to keep employees from joining together to commit crime, or from ignoring signs of criminal behavior they witness.
Tip No. 6: Every company is different and ultimately, you may have to choose between a visible security team and an invisible one. When folks forget there are security personnel onsite, auditing traffic and observing video sessions, they slip and make mistakes. Someone who is intent on committing a crime is going to do it, but only when they feel safe to do so. The initial training and fear of reprisal is a necessity, but at what point do you decide that the fun and games approach to security needs to go out the window and maintaining a quiet, efficient and hard-hitting security audit team makes more sense?
User Rank: Strategist
6/16/2014 | 4:11:50 PM