// BLOG

Cat Massage and Security Awareness

April 12, 2011

A friend posted an awesome video on YouTube today.

Unfortunately, it reminded me of far too many of the security awareness videos I’ve seen in the past few years – entirely focused on the message and without any real thought about the presentation. The goal of your security awareness campaign isn’t to end up on Everything Is Terrible. It’s to change the behavior of your users.

Let me ask you… did that video make you want to run out and massage your cat? Or let that lady within 100 yards of your cat?

I’d encourage you to ask the same question about your users and security awareness… do the videos you’re showing your users actually make them want to DO something? If not, you’re wasting time, money and effort…

Sticky Like Porn

March 10, 2011

Every organization uses security awareness training to give their users the message on the importance of information security and the role they play. The way you get your message across is the difference between checking the box and being effective.

We were asked by a potential customer to show him something that was “sticky”, so that the message stayed with their users for more than the 2 minutes it took to check the boxes. We have a pretty creative bunch here at MAD Security and we also take pride in being a bit different but more effective when it comes to security in general. This exercise was no different. Check out the following video for our take on “sticky” when it comes to anti-virus:


Outside the fact that everyone still thinks 1970’s porn is cool, what could be taken away from the video you just watched? Maybe the best lesson learned from the pizza guy is not the importance of anti-virus at all, but the magnitude of giving our users something that they will remember. This is imperative because we rely on them to be our first line of defense and one of our most important assets.

The first thing you might say to yourself is, “we couldn’t get away with using that at our organization,” and the second thought should be that if you could, your users would never forget the importance of the message in the video. You are right, most couldn’t use this video in their workplace, but they could, and should, use the right messaging when expecting their users to “get” security. Be on the lookout for other MAD Security awareness videos in the near future (some not as risqué as this one).

MAD Security is hiring a Security Engineer ASAP

January 27, 2011

MAD Security is hiring a security engineer immediately for one of our partners. See the brief below; for more specific information on experience requirements, visit our job posting for the Security Engineer position.

Brief:

One of MAD’s partners requires a resource to work in and with its Security Operations Center (SOC) team. This role will be a security engineer who will perform research, curriculum development and training based on a wide variety of roles within the SOC. This includes knowledge of SOC-relevant devices (e.g. Cisco routers/switches, ASA/PIX firewalls, HIDS/NIDS, SIEM, domain controllers, mail and other servers). This role will involve documenting processes and developing training curriculum which will be used as a part of a complete role-based SOC training program delivered both on-line and in some cases in a classroom setting.

This posting is time sensitive, so don’t delay in submitting your application; head over to the Security Engineer posting now!

Who cares about Security Awareness? (or: why “Just Say Security” doesn’t work)

November 18, 2010

I spend a lot of time talking with people about our awareness training efforts. And the first thing that almost every one of our clients who “gets it” tells me is the same thing: “We don’t want security awareness.”

That’s not how they say it, but that’s what they’re ultimately saying. Their actual words vary quite a bit, but they’re usually along the following lines:

  • Our users are the main source of breaches within the organization.
  • If only our users would stop {insert user action here – clicking on links, writing passwords on sticky notes, leaving docs on printers, picking up USB sticks in the parking lot}.
  • We just can’t get our users to do the right thing.

I never hear our clients say: “I just wish our users knew more about security stuff.” Their fundamental complaint is always that their users DO the wrong things.

In fact, we often hear these complaints about members of the information security staff (and our social engineering engagements bear out that we can compromise even those whose job titles define them as the “security aware” parts of the organization).

This is why I often make the claim that absolutely nobody cares that their users are security aware. They care that their users behave in such a way that they don’t compromise their organizations. What we have traditionally called “security awareness training” is actually a behavior modification exercise.

When viewed that way, it’s clear why our efforts fail. If you look at most of the traditional “security awareness” efforts (like the SANS “Securing the Human” effort that I have been so vocal about), it’s clear that they can’t possibly work. The reason is simple: posters, screen savers, etc. come from the idea that if we just teach our users something enough times, they’ll get it.

Unfortunately, simply saying something repeatedly isn’t enough to change behavior. It’s what the PSA (Public Service Announcement) movement discovered in the late ’80s and early ’90s. If saying “Just Say No” was enough to create a generation that didn’t want to do drugs, we’d have won the drug war in the ’80s. Instead, the global drug market hums along as a $321 Billion market.

In order to change behavior, all the research says that you have to get people emotionally invested. That’s what all the great behavior modification campaigns (i.e. marketing campaigns) have done. And what “security awareness training” fails miserably at.

So, how do you hook emotions as part of security awareness campaigns? You’ll have to wait for my next blog post…

Everything Old is New Again…

November 15, 2010

There’s a common theme among the last couple of posts on here: first, I ranted about SANS’ new Securing the Human program, and then Josh got all ranty about Forrester’s “Zero Trust Model”. Here’s the thing – my biggest frustration with both of these “innovations” in our industry is that they’re nothing new. Both SANS and Forrester are reinventing the wheel and running around claiming it to be something new.

To wit – let’s take a quick Back-to-the-Future gander at two interesting paragraphs. From Forrester’s site about the ZTM: “In today’s new threat landscape, this is no longer an effective way of enforcing security. Once an attacker gets past the shell, he has access to all the resources in our network. We’ve built strong perimeters, but well-organized cybercriminals have recruited insiders and developed new attack methods that easily pierce our current security protections. To confront these new threats, information security professionals must eliminate the soft chewy center by making security ubiquitous throughout the network, not just at the perimeter.”

Then, let’s walk all the way back to 2004 to view the mission statement of the Jericho Forum: “The Forum is dedicated to the idea that success in today’s business environment is dependent upon the ability to collaborate and do business by enabling the secure flow of data over the Internet. Its members recognized from the outset that today’s business requirement for the flow of data between mobile workforces, customers, suppliers and business partners is increasingly eroding the ability of traditional perimeter security solutions to protect our systems. To enable business to embrace the Internet while protecting valuable company information, our industry needs new IT security models.”

Whoa. It’s like the Jericho Forum was talking about this whole “Zero Trust”, no-perimeter, the-outside-is-the-inside thing all the way back in 2004. Forrester’s only a HALF A FREAKING DECADE BEHIND.

SANS is even worse. The demo content on their Securing the Human page isn’t much more advanced than your average Successories poster. And the videos actually make this circa-’90s video look good:

The frustrating thing about it all is that we have these security vendors claiming to be advancing the state of the practice, when they’re really just running around peddling the old solutions that have failed the industry in the past (or, in Forrester’s case, peddling something that was state of the art 6 years ago as something that they just came up with on their own).

Here’s the thing – some of us are actually out there doing interesting new work. It gets lost at times in the noise of those who are better at self-promotion (or have much larger PR budgets).

As an example, I’m consistently impressed with the work that Rob Cheyne and his team are doing over at Safelight Security – there’s nobody better for security awareness video content. But you’ve probably never heard of them, unless you’re working with them and seeing them get results for your organization. Our partners at Lockpath are similarly doing awesome work in the GRC space. But, again, unless you’ve had the opportunity to actually implement Keylight and see how it changes your security management strategy, you probably haven’t ever heard of them.

That, to me, is what we should be measuring our success on: results with our clients. That’s how I measure our success at MAD. It’s also why I get so completely ranty when I see someone taking ideas and content from circa 5-10 years ago and claiming that they have great new ideas.

Role-Based Training

Training from a security perspective is important. MAD Role-Based Training Programs ensure that your IT staff will be armed with the knowledge necessary for on the job productivity.

The Human Side of Security

The information security industry tends to focus on technology. This is strange when 70-80% of attacks are due to human error or misuse. Check out our human security testing programs or our Security Awareness programs to help fix your biggest holes.