
Don't Let Lousy Teachers Sink Security Awareness
Marilyn Cohodas
User Rank: Strategist
6/16/2014 | 4:11:50 PM
Re: Excellent Review
It's great that you have such a positive -- and long-term view -- of the issues. It sounds like you are up to the challenge. Thanks for sharing.
User Rank: Moderator
6/16/2014 | 4:03:49 PM
Re: Excellent Review

My successes come from a variety of places. In many cases, it comes from the fact that I understand that learning and culture change is a process. Due to various NDAs as well as privacy agreements, I cannot share the names of the companies.

Many people, when they go to implement something that will change culture, find struggles in changing it because often it is expected to happen overnight. As Cory said in his article, change does not happen overnight.

One of the challenges I actually face on a day-to-day basis is this: we have people in the organization who do not take the security program seriously and tend to either ignore the message we are sending out or scan it and then toss it aside because they do not believe it applies to them. Part of my job is to help these individuals see that, while it is important and it does apply to them, there's more to it than just rules and regulations; these are in place for a reason, not just to make their lives more difficult.

I do look forward to continuing to grow my security program here at the organization where I am employed as the individuals I work with are fantastic. Perhaps a bit stubborn, but that's to be expected with culture change.
Marilyn Cohodas
User Rank: Strategist
6/16/2014 | 3:32:42 PM
Re: Excellent Review
@SecOpsSpecialist Where have you found your successes in creating a security culture? I'd love to hear about your victories -- and also some of your challenges.
User Rank: Moderator
6/16/2014 | 12:20:34 PM
Excellent Review
Cory -

You have a fabulous article here and I found myself nodding along and agreeing with you. As the Security Awareness person for my organization, I often find myself in this same position. It's a mandate that users lock their workstations before they walk away from them, but there are some who still forget to do it. We can remind them only so much before we have to show them the error and have them realize what can actually happen because they've left the machine unprotected.

You are absolutely right when you say that security culture cannot change overnight, especially in an organization where there's a mixture of the newer blood and the older blood. I sincerely hope that more people pay attention to this, especially those who are trying to start a security awareness program at their place of employment.
Marilyn Cohodas
User Rank: Strategist
6/12/2014 | 9:56:24 AM
PEBCAK & luser
I can't tell you how frustrating it is -- as an end-user -- when the assumption from the technical team is that the problem is a result of operator (luser) error. If the technology worked flawlessly, a lot of IT people would be out of a job! In order to fulfill Security Awareness Tip No. 1 (Get users on your team), you'll need to treat users as real people (not PEBCAKs) with something between their ears.
User Rank: Apprentice
6/11/2014 | 6:11:08 PM
Great Article!
Great Article.  I agree.
Randy Naramore
User Rank: Ninja
6/11/2014 | 4:40:27 PM
Re: tips
Good post. Very interesting read.
User Rank: Apprentice
6/11/2014 | 3:54:08 PM
Re: Tough Material
Wow... thanks for your thorough comments. It sounds like you have a lot of practical advice from first-hand experience....

On the idea of having consequences for breaking policy... I think there is a middle ground. First, I agree that you need both training and technical security controls.... That's my point. The best training won't make people perfect, so you still need to audit, but the best technical security measures are not infallible... together they reinforce each other. Also, I do agree that your organization's security policy should have some potential teeth... meaning employees should understand that major breaks in policy could result in termination. And the employee should be held accountable, meaning at the end of a training, they should somehow acknowledge that they understand the policies that were communicated to them (signing something)... but that said, I do believe you can communicate these policies in a way that the employees understand what's at stake. Rather than an attitude of "here are the rules, follow them or else," you can adopt a tone of "here are some serious problems, and here's how they can cost our business, and all of us, money and heartache... here are some rules that you should follow to avoid these issues, and by the way, if you follow these rules at home, you might avoid issues there as well. We do enforce these rules, and will hold you accountable to them, but they really are in your best interest."

Anyway, it sounds like we both agree, but I think you can deliver these sorts of policies in a way that comes across less harsh, and will still result in as much adoption of whatever practice you are teaching...
User Rank: Apprentice
6/11/2014 | 3:44:13 PM
Re: tips
Thanks... I was recently reminded what it is like to be new to a subject that has its own language. I started a new hobby, and joined a forum that talked about aerial videography with multicopters, and the forum members had a ton of acronyms and terms of their own. I could not understand half the posts until I figured out a ton of new acronyms... So this experience really drove that tip home for me. ^_^
User Rank: Ninja
6/11/2014 | 2:54:00 PM
Tough Material
@Corey Nachreiner

First, kudos on a thorough article. It's a fine collection of tips. I'd like to add a few notes of my own. I've been in IT, specifically build/release management, for 15+ years, and security has always been the secret passion. Because of that, it is always part of my auditing documentation. Also, I write howtos and other documentation for staff, so I have a special interest in training, but also in methods for ensuring retention of information.

Argument No. 1: One or more bad eggs can and do cause significant damage. This is why a two-pronged approach to security is needed: 1) build the technical infrastructure needed to prevent internal and external security risk, accompanied by the right organizational processes (checks and balances), and 2) train users thoroughly both in terms of "best practices", common mistakes, and so forth, but ALSO remind them of the seriousness of aiding in security abuse, knowingly or otherwise. I think that right there is one major shortcoming in user training: put the fear of legal response and termination into everyone; sounds harsh, but you know that Snowden's example has set in motion process and technology audits like nothing seen in that department in years. This is serious stuff.

Argument No. 2:  To my notes above, the average person WILL care about security once they realize they can be held accountable, and that abuse of security protocols is punishable in no small way. 

Argument No. 3: Surprise! Those archaic references are now becoming obsolete with more average users becoming tech savvy, partly because the population of users is younger and tech has been at their fingertips since childhood. My daughter isn't interested in tech as a profession, but at 7 years old she has her own Debian GNU/Linux computer, uses LibreOffice regularly and pointed out technical work-arounds in TuxPaint I hadn't thought of. Any IT staff that are dumbing down or not trying to educate based upon assumptions about the end user are going to have a very unsuccessful career ahead of them.

Tip No. 1:  Based upon my previous comments, you can guess I'm half on the fence here.  I do believe in the draconian rules, to some extent.  Fear of legal punishment is what put me on a straight and narrow path when I was a young man.  But at the same time, I believe that personalizing the benefits of security are key, too.  Billions of dollars are taken from innocent people through cyber crime and in the end, we _are_ here to make life better for the average person.   

Tip No. 2:  Absolutely agree.  And do it with simple graphics in a brief presentation or video.  YouTube is king when it comes to training! 

Tip No. 3: And the same holds true with documentation. Always explode the acronym first, before switching to it in later parts; i.e. "The Open Web Application Security Project (OWASP) has a MeetUp. Join the OWASP MeetUp today."

Tip No. 4: I find that tying your example to cyber crime news that makes network news works really well. Heartbleed was good for that because it was all over CNN, MSNBC, CSPAN, and the major networks. Snowden (how he did it, not why) is also a good example. Use recognizable examples; it saves you the time of recreating the hack yourself.

Tip No. 5: Say no more. I have kids! On a serious note, though, you need to also remind folks that they are their colleagues' keeper when it comes to security. Incentives for whistleblowers, while they may leave a bad taste in the mouth, might be necessary. Taking the game from a friendly group competition that is visible to an internal game where bad behaviour is recognized and privately reported for gain is sometimes what it takes to keep employees from joining together to commit crime, or from ignoring signs of criminal behavior they witness.

Tip No. 6:  Every company is different and ultimately, you may have to choose between a visible security team and an invisible one.  When folks forget there are security personnel onsite, auditing traffic and observing video sessions, they slip and make mistakes.  Someone who is intent on committing a crime is going to do it, but only when they feel safe to do so.  The initial training and fear of reprisal is a necessity, but at what point do you decide that the fun and games approach to security needs to go out the window and maintaining a quiet, efficient and hard-hitting security audit team makes more sense?