Re: Security unawareness

[rackow () mcs anl gov]

According to the article, you really don't need to lock your car when at the
mall or your house when you are away.  There are still successful thefts taking
place and we should work more towards coming up with better ways of preventing
them since these are not 100% effective.

Training is NOT to make you completely immune, but to improve awareness
and response.  Having users act as a late(?) warning system on stuff that
did get through but looks phishy is still better than them just trusting
things and getting infected.  In that eutopia, the end user would think
that everything is clean and hackers can't get something past the sensors.
Therefore EVERYTHING is safe to click on.  Even the personal message from
the company president asking you to click on the attachment to see naked
pictures of his trophy wife.

PCWorld should be ashamed of themselves for publishing such dribble.



michael.blanchard () emc com made the following keystrokes:
> Can I get an AMEN borthers and sisters!!!
>
>
> Michael P. Blanchard
> Senior Security Engineer, CISSP, GCIH, CCSA-NGX, MCSE
> Office of Information Security & Risk Management
> EMC =B2 Corporation
> 32 Coslin Drive
> Southboro, MA 01772
>
>
> -----Original Message-----
> From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On B=
> ehalf Of Rob, grandpa of Ryan, Trevor, Devon & Hannah
> Sent: Thursday, July 19, 2012 3:25 PM
> To: funsec () linuxbox org
> Cc: infosecbc () yahoogroups com
> Subject: [funsec] Security unawareness
>
> I really don't understand the people who keep yelling that security awarene=
> ss is no =
>
> good.  Here's the latest rant:
>
> http://www.pcworld.com/businesscenter/article/259461/why_you_shouldnt_train=
> _e
> mployees_for_security_awareness.html
>
> The argument is always the same: security awareness is not 100% foolproof =
>
> protection against all possible attacks, so you shouldn't (it is morally wr=
> ong to?) =
>
> even try to teach security awareness in your company.
>
> This guys works for  a security consultancy.  He says that instead of teach=
> ing =
>
> awareness, you should concentrate on audit, monitoring, protecting critical=
> data, =
>
> segmenting the network, access creep, incident response, and strong securit=
> y =
>
> leadership.  (If we looked into their catalogue of seminars, I wonder what =
> we would =
>
> find them selling?)
>
> Security awareness training isn't guaranteed to be 100% effective protectio=
> n.  =
>
> Neither is AV, audit, monitoring, incident response, etc.  You still use th=
> ose thing =
>
> even though they don't guarantee 100% protection.  You should at least try =
>
> (seriously) to teach security awareness.  Maybe more than just a single 4 h=
> our =
>
> session.  (It's called "defence in depth.")
>
> Tell you what: I'll teach security awareness in my company, and you try a s=
> ocial =
>
> engineering attack.  You may hit some of my people: people aren't perfect. =
> But =
>
> I'll bet that at least some of my people will detect and report your social =
>
> engineering attack.  And your data isolation won't.
>
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  (quote =
> inserted randomly by Pegasus Mailer)
> rslade () vcn bc ca     slade () victoria tc ca     rslade () computercrime org
>            Often the best way to win is to forget to keep score.
>                                          - Marianne Espinosa Murphy
> victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
> http://blogs.securiteam.com/index.php/archives/author/p1/
> http://twitter.com/rslade
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.