Re: Security unawareness

[<michael.blanchard () emc com>]

Can I get an AMEN borthers and sisters!!!


Michael P. Blanchard
Senior Security Engineer, CISSP, GCIH, CCSA-NGX, MCSE
Office of Information Security & Risk Management
EMC ² Corporation
32 Coslin Drive
Southboro, MA 01772


-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Rob, grandpa of Ryan, Trevor, 
Devon & Hannah
Sent: Thursday, July 19, 2012 3:25 PM
To: funsec () linuxbox org
Cc: infosecbc () yahoogroups com
Subject: [funsec] Security unawareness

I really don't understand the people who keep yelling that security awareness is no 
good.  Here's the latest rant:

http://www.pcworld.com/businesscenter/article/259461/why_you_shouldnt_train_e
mployees_for_security_awareness.html

The argument is always the same: security awareness is not 100% foolproof 
protection against all possible attacks, so you shouldn't (it is morally wrong to?) 
even try to teach security awareness in your company.

This guys works for  a security consultancy.  He says that instead of teaching 
awareness, you should concentrate on audit, monitoring, protecting critical data, 
segmenting the network, access creep, incident response, and strong security 
leadership.  (If we looked into their catalogue of seminars, I wonder what we would 
find them selling?)

Security awareness training isn't guaranteed to be 100% effective protection.  
Neither is AV, audit, monitoring, incident response, etc.  You still use those thing 
even though they don't guarantee 100% protection.  You should at least try 
(seriously) to teach security awareness.  Maybe more than just a single 4 hour 
session.  (It's called "defence in depth.")

Tell you what: I'll teach security awareness in my company, and you try a social 
engineering attack.  You may hit some of my people: people aren't perfect.  But 
I'll bet that at least some of my people will detect and report your social 
engineering attack.  And your data isolation won't.

======================  (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca     slade () victoria tc ca     rslade () computercrime org
            Often the best way to win is to forget to keep score.
                                          - Marianne Espinosa Murphy
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/rslade
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.