Monthly Archives: December, 2014

Social Engineering Tips

Cleaning crews and Keyloggers, oh my!


Capture The Flag competitions are very useful ways to rethink a challenge and find creative solutions to it. The Social Engineering CTF caused me to think of a few angles I hadn’t considered before. Top item of the flag list: Is IT Support handled in house or outsourced? All the way down to what technology the company is using. What’s contained in the photograph are potential attack vectors or key bits of information that could lead to exploitable opportunities. Take a gander :)


Say Cyber one more time…

IT Security’s love hate relationship with the word Cyber

I attended DefCon 22 and as usual it was great! However, the word Cyber brewed controversy and passionate debates. One presentation by Keren Elazari thoroughly summarized the word’s roots and explained its essence. Others carried flasks embracing liquid alcohol yumminess upon the mere mention of the word.


I personally say it’s here as long as it’s used correctly but not too frequently. Do you hate the word? Have you played the Cyber drinking game? Or do you embrace it like a warm Snuggie?

DefCon 22 participant custom-made T-shirt

How to suck at setting up an Information Security Awareness training program for your organization

In my 20+ years of working in IT Security I have seen great programs and completely non-existent programs. Most organizations I’ve worked for have yearly Ethics Training but no end user/employee based IT Security training. Organizations understand damage to reputation and fines for ethics violations but are still ignorant of the real risk of damage to reputation or fines resulting from data breaches. Ethics training is as important and can go hand in hand with a robust IT Security awareness program.

1. Starting an awareness program without full executive/management buy-in.

a. New is change and change is
. If you have buy-in at a high level, employees will have more confidence in the program.

b. Added bonus: higher visibility with Decision Makers!

2. Start an Information Security Awareness training program just to check a box.

a. If your organization doesn’t take it seriously, your employees won’t either.

3. Start an Information Security Awareness training program with no budget.

a. An Information Security Awareness training program is risk mitigation.

b. Your CEO is averting or minimizing that horrible press release when your customer database is posted to PasteBin! This will make their lives easier.

c. Post-it note IT Security awareness “posters” by the coffee machine might work for an office with a few people, maybe.

4. Assume Information Technology or Information Security is solely responsible for data protection.

a. Every employee is entrusted with valuable data; everyone in the organization should protect it.

5. Inability for management or employees to understand the value of the data they are entrusted with.

a. That new research and development into nanotechnology whatever is worth money, at least as much as your company has spent in R&D.

6. Assume IT or IT Security personnel are trainers and can train employees.

a. These are IT/IT Security professionals, not Professional

b. If IT or IS must train employees, train-the-trainer must be funded for the program to be successful.

7. Pay an outside consulting firm to start an awareness program without actual knowledge of your business.

a. Knowing your business means you can observe how technology is utilized by business units.

8. Internally start an awareness program without asking the business units.

a. Same as #6. Get to know your business units’ higher-risk targets: the personal assistants to upper management or C-level executives are also targets.

9. Assume a logon splash screen reading “Use this computer or network for business only!” constitutes a proper Information Security Awareness training program.

a. How many people actually read those warnings on a regular basis? I log in before coffee, so I know I don’t.

10. Enforce usage guidelines without a complementary Information Security Awareness training program.

a. “You are being written up for X,” says HR. “But I didn’t even know X was wrong to do?!” says the employee. Otherwise known as: don’t hit people with a big stick if they don’t know what they did wrong.