You do realize that it takes money to sue someone, correct? Well, technically you could file yourself, but you will quickly lose because a layman is not going to understand the required procedures, even assuming they could figure out the correct paperwork to file to get the case started.
Very few lawyers work pro bono. If any risk at all existed in the case (including to their reputation), lawyers can and often do refuse cases.
No, it's not practical for a homeless person to sue anyone. In a criminal case a lawyer must be provided if the person can not afford one, but that is not true with civil cases.
Why the summary munged Alexander's laughable salary request and a lawsuit by a journalist is a bit baffling.
First issue, the lawsuit. The NSA refused to provide under Federal Law. It should not come as a surprise to anyone that this agency is ignoring (or at least attempting to ignore) Federal Law. The right answer is to disband the NSA and hand SIGINT over to the Military which tends to follow the US Constitution a bit more closely. While we are disbanding things, we should also revamp the CIA, FBI, DHS, and TSA removing most of their powers and executives that also ignore the law.
Second issue is that Alexander thinks he's brilliant enough to make a million a month telling people what most IT Security professionals can do for a much better rate. I'd do better than he does at securing a company, and I'll do it for much less. In fact I can think of a few dozen people I'd recommend for much less, and for a million a month I'd have a full staff doing audits _and_ consulting. You don't need to be a former General to be intelligent about security, you need knowledge.
In other words, if Alexander can get a million a month for consulting it sure as hell is not for security. It would be for cronyism.
Try being working or lower middle class and doing the same thing. When you can only save a few hundred a month for a house due to rent costing over 1.5 times a typical mortgage payment
I moved out of poverty and into the upper middle class over time. There is no silver spoon or handouts for the overwhelming majority of people that move out of poverty to a better income.
Being debt free gives me more cash than a person that has lots of debt. Their money goes to interest payments, mine stays in the bank. It's not being "rich", it's being debt free.
There is nothing wrong with using credit and loans as long as they are used responsibly.
Funny that you believe you should have to pay a bank money, just for the "privilege" of spending money. You already earned your pay, but you think you should pay a bank so that you can spend it? This is exactly what I was referring to about people not understanding the scam.
1. A credit history. That's not necessarily debt, it is a history of handling small debts that you've paid off.
This is what I said. If you pay your phone bill every month, you don't get extra points. If you pay your phone bill with a credit card, you will get extra points IF and only IF you pay just the minimum payment (mostly interest to prolong your debt). If you pay it off in full, you may receive negative points. If you don't pay your bill on time you can be reported for negative points as well. Doing the right thing and paying on time the full amount to the company will not help your credit.
Your item 2 has a hell of a lot to do with item 1. If people want you indebted longer, they will target you for additional debt. Banks can somehow take back any property you gained, get insurance money for losses, and receive handouts from the Government for doing just that.
Nobody can force you to go into debt.
True. At the same time if a bank forces you to have a particular credit score to get a loan (as most do) the only way to get the credit score is to live in constant debt paying interest payments. Go ahead and try buying a house with a low credit score. Even if you don't need to be in debt people use credit cards for this exact reason. Hence, why I claim it's a scam.
The whole point of a "credit score" is horribly broken. In order to get approved for debt, you must have debt. If you have money in the bank and no monthly debt payments you have a reduced score. It's a SCAM! A scheme to make sure that you are constantly in debt, and yet it's perfectly legal. Living in debt constantly costs you money, and for what? So that you can have more debt? Wow!
The fact that people don't get this, or simply don't care, is very telling.
Personally I have almost no debt, just my car payment. I don't have a lot of debt so have a laughably low credit score. If I don't have cash I can wait to buy something. Actually since I manage my personal finances very well purchasing something I want is never an issue.
And I already stated in my first reply that IMHO your success has little to do with the training and a lot to do with the continuous follow-ups you do. Also with an environment that is not business-focussed.
This does not match what you state later, which in essence claims that all 3,000 people in your company need in-depth knowledge of your security policy. That is, plainly, nonsense.
Corporate "Security Awareness Training" has to address the needs of _many_, and not everyone needs that level of detail. In fact very few do, and a small percentage could even understand them. Which could explain your repeated claims of bad experiences.
Jane and John, the new accountants, need to know what phishing is, not what your encryption policy for tape backup is. You previously complained that for you it was redundant, so "stupid" (your words). Stop moving the goalpost.
What I mean is that we replace actual security with trainings and think it's a solution.
Security awareness training is not a replacement for security. If a Company believes it does, this matches what I stated repeatedly about a broken culture. Not a Security or Training deficiency.
Sure I have my own view and experiences and my attitude is the result of what I've seen and what I think about it. Also the result of knowing a lot of people in the IT consulting business privately, where they tell you what they really think.
I know plenty that underscore how bad corporate cultures are and can be. Any Corporate level trainer will tell you the same thing. You have to train everyone in the basics. After they have a grasp of basics, reminders and nudges from audits work. A reminder about phishing attacks will be ignored by people that don't know what phishing is or how it works. Reminders to follow the password policy will be ignored by people that don't know the policy.
Finally, as stated previously, there are plenty of people that contribute to poor culture. The guys that talk smack about the training because they know it all are a huge issue. You have to build a culture of security if you want to be secure. That will never happen with a crew of sexual intellects (F'king know it all's) discouraging knowledge sharing and personal growth.
You should really qualify "The Press" in these types of statements. The Press could be ABC, NBC, CBS, BBC, and many more who today claimed an 82 year old man shot a pregnant woman as a headline, when the person was both not pregnant and also committing armed robbery for at least the 2nd time against the same 82 year old man, who was beaten as well as robbed. The Press could be the same crew that edited audio to make it look like a guy on neighborhood watch simply claimed to the Police that he was following a Black guy, where the full audio shows he is responding to a 911 operator asking what race he believes the suspect was. The same media claimed that that guy was White when he's Hispanic, and portrayed the victim in a 7 year old picture to make it appear like the guy shot a little kid instead of a 6'1" nearly legal adult. All to sway public opinion (that one was for numerous purposes). The same media that interrupted a Congresswoman discussing the NSA for "breaking news" that Justin Bieber was arrested, and ensured that a twerk skank received more air time than dialogue about numerous political issues.
The media we normally see and hear IS on the same team as the government, make no mistake.
As such, I continuously wonder if there were just as many secrets before, but it's just faster to find out about their existence nowadays
To some extent I agree with this, but up until 20 years ago we had some real journalism. Nationwide, every station lost their "investigative reporters" within the same couple of years, and that was the end of any real journalism with any of the 3 letter media outlets.
With rare exceptions today, the only thing that gets air time is propaganda.
I don't work there anymore, but I've been in the security industry long enough to know a number of companies, as well as the uncomfortable squirming that follows if you ask security training providers for independent evidence supporting their claims.
As stated several times already, this is a culture problem with a company. Not an issue of security or training.
I never said security is stupid. I am saying security awareness trainings are a waste of time, by and large.
Your opinion vocalized will ensure that it is a waste of time. I gave an example of ensuring it's not. Hell, I'm not a security trainer. I provide data to ours, and work extensively securing systems and networks. When we have training I nudge people to listen instead of making it a "waste of time" or a "coffee break" as you claim the training is.
Most people are not experts, and most people don't deal with risks every day. Showing them "hacking" is like magic to an accountant, and it's a pretty effective way of teaching.
Tell me, how many people have you had in those trainings you thought before they went in that giving your password to random strangers is a good idea? 90% of the content of these trainings is either boring because everyone knows it already or boring because it's too technical and not interesting that they filter it out.
Wrong question to ask, followed by more of the same rubbish perpetuating your opinion.
There are numerous ways to get people involved and interested in training. Showing them a hack in progress or playing recorded calls of phishing attacks, let them put their hands on a hacking device or operate a key logger on a demo PC.
I've had the responsibility of writing or reworking existing IT security policies, and my advice has always been to make them as short and simple as possible. I've seen a multinational corporation vomit up a 300 page security policy, which was really great from an ISO 270xx POV, but aside from the guys in the security department who wrote it, I'm fairly certain I was the only other human being who actually read all of it, ever.
Writing policy is not the same as educating people. Two different skill sets. It's interesting that you claim to have so much knowledge yet hate to teach or listen to shared knowledge, from a psychological standpoint.
I'll hear you whine about depth of security policies after you have built and secured NISPOM/JFAN compliant networks. Knowing the policy is required to set them up, audit them, and maintain them. Once again, you bring up people not following or using policies which is a Culture issue and not a security or training issue.
I love security. But I think our industry's approach to users and security is fundamentally flawed and trainings are a band-aid on a broken arm - placebo treatments that don't even touch the real issues.
Because everyone is exposed to and knows as much about security as you do right? Rhetorical question, don't answer it. Your problem with security awareness training is related to your own psychological problems. We all have them, I don't intend that as an insult. I work on mine every day.
I would agree with this if, and only if, the tax is a unilateral tax and not a weapon of control by large corporations. The weaponization of taxes was used in Australia and in the US for purposes other than discouraging the use of fossil fuels.
Kraus is arguing about people preemptively ditching carbon taxes in the US which are written to primarily fund large corporations and punish smaller corporations.
Kraus is also notorious for being a bigot and a pawn for the NWO agenda, so he can rot for all I care. He is one of many that perpetuate the "blame religion" mentality instead of fixing issues, while of course he gets paid speaking gigs and TV appearances.
I've seen first hand that many employees consider those security trainings either a waste of their time or a coffee break.
Ahh, so you work at one of those places with horrible culture.
For all I know, the only people who think that security awareness training increases the number of people who give a fuck are the marketing drones selling security awareness trainings. People who cared before the training will get information. People who didn't care before will not care after. Why should they?
Got it, you are a lively participant in the horrible culture and happy to propagate the culture.
If you've managed to get your people to reliably report incidents, you've managed something that a lot of companies struggle with.
In 30 years of working IT (right after college which was right after the military) I have seen both good and bad. You are in a bad place with a bad culture, period. It usually takes a whole lot of new-hires and terminations to change a culture (depending on the size of the company).
As stated in a previous post, this is all behavioral psychology. When management and IT dismiss security as "stupid" and pee away opportunities to share knowledge that is a problem with management and IT. Of course accountants don't care, you are teaching them not to! Instead of saying "this is stupid, I know this stuff" you could volunteer to help mentor people or simply grunt "yup, saw a guy get hacked by this once" instead of holding negativity.
Descartes' primary body of work proves how wrong you are. Lacking physical evidence does not imply that something is impossible to prove, just that you can not prove something absolutely without physical evidence.
Given the political history of the person TFA is discussing (Franklin Coverup amongst numerous scandals), I think there is enough to question whether or not he is at a minimum a pedophile worthy of being labelled an "alien reptilian baby eater".
This is not about "Climate Change", it's about "Carbon Tax". Carbon Taxes have been used to stifle innovation and competition, and the players that should be paying the most have been immune to the tax. That's not an issue of a tax as much as an issue of corruption. That said, while so many governments are grossly corrupt, a "Tax" is not going to be the answer.
As long as people like you believe in a false paradigm blaming religion (or democrat vs. republican), no corrections will be made.
Security awareness training in companies is largely nonsense.
Rubbish! If you are starting from scratch you have to lay the foundation. Jumping right into impersonal communications shows that your security team does not care, therefore the amount of people with genuine concern will never increase.
Reminders are incredibly powerful, there's now a decent amount of psychological research to back that up.
That we agree on, but you are choosing to ignore all of the precursor psychology which is just as well documented.
And from your one incident I gather you also have a reporting culture where people are not afraid to report problems. Many companies don't have that, people constantly sweep problems under the rug because they're afraid it would damage their career to report them.
It's hard to tell if you were attempting to be condescending with that first sentence. I've been working in IT for 3 decades, so have much more experience than one incident. Going beyond one example is not necessary.
Re-read my last paragraph, I point out that in SV there is a culture issue to overcome. That said, where I work currently the culture is open and honest and is in SV. Corporations can change their culture, if they try to do so.
Going by personal history here, it's easy to mistake a "stupid phisher" for a syndicate. Often they operate the same, and the syndicates do test what they sell to the "stupid phishing" people.
I'm not against what you are doing at all, but pointing out the risk which you overlooked. Definitely not something a novice should attempt.
Which is fine until your IPs start to get extra attention for fucking with people. Avoiding drug dealers in a big city is not hard once you know what to look for. I'd not recommend that people start driving by and throwing eggs at them, eventually they will get pissed and shoot someone.
People misusing or abusing a proxy server (or any other service that can be used to increase security) is a totally separate issue. I laugh at anyone claiming it makes things slower too, because you are obviously not using a proxy properly if your internet slows down. Either that or you think a single cache drive is "enough" and skimped on scaling out the service properly.
Proxy logs are not magical things, they are actually very effective in determining users that followed a phishing link. Even if the user did not report the breach themselves, the security incident would have been found (though it may have taken an hour or two as opposed to minutes).
Sadly many people think a proxy is a bad thing and believe direct access is better.
As one who has thousands of people working in companies that I either own, co-own, or have invested in, I can tell you that not everyone is trainable.
I agree, but those are not people you want working for you if you are concerned about security.
Not that people are stupid - no, as far as I am concerned, almost all who are working in the companies I mentioned above are above average in intelligence - but the one thing that is needed the most is not information, rather, it's intuition with a large bit of paranoia mixed in.
I think that you and I have different definitions of intelligence (mine matches the dictionary). If a person does not care, or is lazy in terms of security, that has nothing to do with intelligence. An intelligent person that cares can easily learn. An intelligent person that does not care will perform questionable acts, and not just in terms of phishing campaigns. A lazy person will filter security messages to junk and never read them.
Making people care about security takes work, and making sure they review security bulletins takes work. Reward vs. punishment systems are a juggling act, but this is true in any behavioral science.
It takes a paranoid to be suspicious of everything - and in this social-media world that we have today, where everybody shares every bit of their own info to the world - paranoia is becoming a scarce resource.
If the dangers of social media are not part of your security awareness campaigns in the office, you need to have your security team add this to their normal message campaigns. It does not take paranoia by end users to catch phishing attacks, it takes awareness. I.E. "Our company will never ask you for personal information on a social media site. We will never ask for your login name or password on the phone. If you receive such a request contact security at [some extension] immediately, preferably while the person making this request is on the phone." or how about "Want a free lunch? Report questionable content to security and if it's a campaign to cause damage we'll buy you lunch." and finally "Send suspect phishing emails to security, be entered for a raffle to win dinner with the CEO/attend a game in our suite at the Shark Tank, etc...." There are many ways to mold behavior.
Further, if you are a company that does take login names and passwords over the phone or asks for people's personal social media information, change your friggin policies immediately! That is not a problem with uneducated users, that is a problem with horrible company policies and practices.
No matter how much info we have shared with our colleagues, no matter how many times we have told them to be ultra careful, you bet someone will get phished, almost on a daily basis, and the local level network will get breached.
I have seen too many examples where this is simply not true. Companies that skimp on acquiring and maintaining a good security team and enforcing internal training are the biggest victims. Where I work currently we have regular training, and even though we experience regular phishing attacks people are not giving out data. It's only 600 employees, but we still see 0 successful phishing attacks.
I'd be willing to bet that any company you claim is "good" yet gets regularly victimized by phishing attacks receives little to no regular security training. And "NO", an email from security that requires no follow up is not "training". Annual face to face meetings with security are similarly not training. Even in a place where users have been well trained quarterly is a minimum, and while working to train users this should be monthly at a minimum. Make the training mandatory, but buy your people lunch for attending. If you let people skip training you are teaching them that it does not matter, so your company needs to ensure a zero tolerance policy for this training. This is all pretty basic psychology for behavior training.
Sometimes yes, but not always true. Sure, "Free Porn" will get a whole lot of clicks, especially from uneducated people (who are usually schooled shortly thereafter by the spammer).
Professional phishing is geared to make it look like something the target company sent out. Working in DOD for about a decade, I saw some exceptional work. They register domains similar enough to the company and often related (support-raytheon for example) so that even people that look for questionable URLs can be fooled.
How are spammers successful so often? Simple, companies don't train people.
At the DOD site I worked at, it was a weekly training memo from our security team on the latest threats. Phishing was always a topic. People had to read the briefings or they could be terminated. 3-4 questions were enough to ensure people at least skimmed the content. Before you get anal about productivity, the email was a 2 minute read max, so even if you had to read it twice to answer the few questions it was a whopping 5 minutes out of your Friday.
We experienced numerous well crafted phishing attacks, and had 1 person out of 5,800 click the link. That person immediately contacted security, and we reset all of their account data. That was 1 out of 5,800 once, and we had professional campaigns run against us several times a year.
Now, take the average IT company in Silicon Valley which spends no time training on these issues (if your company has security awareness training I'm not referring to you, your company is not "average"). Since their people lack training, it's not uncommon to see 10% success in a phishing campaign. Compounding the problem, people often won't report the breach until it's too late if they report the incident at all (cultural issue with many companies in SV).
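Two of the points made in this comment history are easy to show in working code: that proxy logs reveal which users followed a phishing link even when nobody reported it, and that professional phishers register domains that borrow the company name (the "support-raytheon" style). The script below is an added example and is not code from any poster on this page. Everything in it is assumed or constructed: the company domain examplecorp.com, the brand token, the reported-URL list, and the Squid-style access log lines, which are made up for the demonstration.

```python
import sys
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical company identity (assumptions for this example, not from the page).
COMPANY_DOMAIN = "examplecorp.com"
BRAND_TOKENS = ("examplecorp",)

# URLs that employees forwarded to security as suspected phishing (constructed).
REPORTED_PHISHING_URLS = [
    "http://mail-reset.example-login.net/verify",
]

# Constructed sample in Squid native access.log layout:
# time elapsed client status bytes method url user hierarchy type
SAMPLE_LOG = """\
1405000001.123    210 10.1.2.10 TCP_MISS/200 5120 GET http://intranet.examplecorp.com/home jdoe HIER_DIRECT/203.0.113.5 text/html
1405000002.456     87 10.1.2.11 TCP_MISS/200 3011 GET http://support-examplecorp.com/login?sid=42 asmith HIER_DIRECT/198.51.100.7 text/html
1405000003.789    120 10.1.2.12 TCP_TUNNEL/200 9004 CONNECT examplecorp-payroll.net:443 bjones HIER_DIRECT/198.51.100.9 -
1405000004.012     45 10.1.2.13 TCP_MISS/200 1800 GET http://news.example.org/article cwhite HIER_DIRECT/203.0.113.20 text/html
1405000005.345     66 10.1.2.11 TCP_MISS/200  900 GET http://mail-reset.example-login.net/verify asmith HIER_DIRECT/198.51.100.8 text/html
"""


def host_of(url: str) -> str:
    """Return the lowercase hostname of a proxied URL.

    GET/POST lines carry a full URL; CONNECT (HTTPS) lines carry only
    host:port, so for those we strip the port instead of parsing a scheme.
    """
    if "://" in url:
        return (urlsplit(url).hostname or "").lower()
    return url.rsplit(":", 1)[0].lower()


def is_company_host(host: str) -> bool:
    """True for the real corporate domain or any of its subdomains."""
    return host == COMPANY_DOMAIN or host.endswith("." + COMPANY_DOMAIN)


def is_lookalike(host: str) -> bool:
    """Flag hosts that borrow the brand name but are not under the company domain."""
    if is_company_host(host):
        return False
    return any(token in host for token in BRAND_TOKENS)


def parse_line(line: str):
    """Split one Squid-style line into the fields the scan needs, or None if malformed."""
    fields = line.split()
    if len(fields) < 8:
        return None
    url = fields[6]
    return {
        "ts": float(fields[0]),
        "client": fields[2],
        "status": fields[3],
        "url": url,
        "host": host_of(url),
        "user": fields[7],
    }


def scan(log_text: str, reported_urls):
    """Map each proxy user to the suspicious requests they made.

    Two triggers: the host matches a URL a colleague already reported as
    phishing, or the host is a lookalike of the corporate domain.
    """
    reported_hosts = {host_of(u) for u in reported_urls}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["host"] in reported_hosts:
            reasons.append("reported-phish")
        if is_lookalike(rec["host"]):
            reasons.append("lookalike-domain")
        if reasons:
            hits[rec["user"]].append(
                {"ts": rec["ts"], "client": rec["client"], "host": rec["host"],
                 "url": rec["url"], "reasons": reasons}
            )
    return dict(hits)


def main() -> int:
    """Print one line per suspicious request; exit non-zero if anything was found."""
    hits = scan(SAMPLE_LOG, REPORTED_PHISHING_URLS)
    for user, events in sorted(hits.items()):
        for ev in events:
            print(f"{user}\t{ev['client']}\t{ev['host']}\t{','.join(ev['reasons'])}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main())
```

On the sample, jdoe's visit to intranet.examplecorp.com is left alone because it sits under the real domain, while asmith is flagged twice (a lookalike host and the URL a colleague reported) and bjones is flagged for an HTTPS CONNECT to a brand-bearing domain that the proxy only saw as host:port. The user column is what makes this useful for response: it tells the security team whose credentials to reset without waiting for a self-report.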
Not a fan of banks, but you are welcome to start your own bank.
You think a regulator would approve you if you didn't play the game? Come now, you know better.
There is nothing wrong with using credit and loans as long as they are used responsibly.
Funny that you believe you should have to pay a bank money, just for the "privilege" of spending money. You already earned your pay, but you think you should pay a bank so that you can spend it? This is exactly what I was referring to about people not understanding the scam.
1. A credit history. That's not necessarily debt, it is a history of handling small debts that you've paid off.
This is what I said. If you pay your phone bill every month, you don't get extra points. If you pay your phone bill with a credit card, you will get extra points IF and only IF you pay just the minimum payment (mostly interest to prolong your debt). If you pay it off in full, you may receive negative points. If you don't pay your bill on time you can be reported for negative points as well. Doing the right thing and paying on time the full amount to the company will not help your credit.
Your item 2 has a hell of a lot to do with item 1. If people want you indebted longer, they will target you for additional debt. Banks can somehow take back any property you gained, get insurance money for losses, and receive handouts from the Government for doing just that.
Nobody can force you to go into debt.
True. At the same time if a bank forces you to have a particular credit score to get a loan (as most do) the only way to get the credit score is to live in constant debt paying interest payments. Go ahead and try buying a house with a low credit score. Even if you don't need to be in debt people use credit cards for this exact reason. Hence, why I claim it's a scam.
The whole point of a "credit score" is horribly broken. In order to get approved for debt, you must have debt. If you have money in the bank and no monthly debt payments you have a reduced score. It's a SCAM! A scheme to make sure that you are constantly in debt, and yet it's perfectly legal. Living in debt constantly costs you money, and for what? So that you can have more debt? Wow!
The fact that people don't get this, or simply don't care, is very telling.
Personally I have almost no debt, just my car payment. I don't have a lot of debt so have a laughably low credit score. If I don't have cash I can wait to buy something. Actually since I manage my personal finances very well purchasing something I want is never an issue.
And I already stated in my first reply that IMHO your success has little to do with the training and a lot to do with the continuous follow-ups you do. Also with an environment that is not business-focussed.
This does not match what you state later, which is in essence claims that all 3,000 people in your company need in depth knowledge of your security policy. That is, plainly, nonsense.
Corporate "Security Awareness Training" has to address the needs of _many_, and not everyone needs that level of detail. In fact very few do, and a small percentage could even understand them. Which could explain your repeated claims of bad experiences.
Jane and John, the new accountants, need to know what Phishing is, not what your encryption policy for tape back up is. You previously complained that for you it was redundant so "stupid" (your words). Stop moving the goal post.
What I mean is that we replace actual security with trainings and think it's a solution.
Security awareness training is not a replacement for security. If a Company believes it does, this matches what I stated repeatedly about a broken culture. Not a Security or Training deficiency.
Sure I have my own view and experiences and my attitude is the result of what I've seen and what I think about it. Also the result of knowing a lot of people in the IT consulting business privately, where they tell you what they really think.
I know plenty that underscore how bad corporate cultures are and can be. Any Corporate level trainer will tell you the same thing. You have to train everyone in the basics. After they have a grasp of basics, reminders and nudges from audits work. A reminder about phishing attacks will be ignored by people that don't know what phishing is or how it works. Reminders to follow the password policy will be ignored by people that don't know the policy.
Finally, as stated previously, there are plenty of people that contribute to poor culture. The guys that talk smack about the training because they know it all are a huge issue. You have to build a culture of security if you want to be secure. That will never happen with a crew of sexual intellects (F'king know it all's) discouraging knowledge sharing and personal growth.
You should really qualify "The Press" in these types of statements. The Press could be ABC, NBC, CBS, BBC, and many more who today claimed an 82 year old man shot a pregnant woman as a headline, when the person was both not pregnant and also committing armed robbery for at least the 2nd time against the same 82 year old man who was beaten as well as robbed. The Press could be the same crew that edited audio to make it look like a guy on neighborhood watch simply claimed to the Police that he was following a Black guy where the full audio shows he is responding to a 9/11 operator asking what race he believes the suspect was. The same media claimed that that guy was White when he's Hispanic, and portrayed the victim in a 7 year old picture to make it appear like the guy shot a little kid instead of a 6'1" nearly legal adult. All to sway public opinion (that one was for numerous purposes). The same media that interrupted a Congresswoman discussing the NSA for "breaking news" that Justin Beiber was arrested, and ensured that a twerk skank received more air time than dialogue about numerous political issues.
The media we normally see and hear IS on the same team as the government, make no mistake.
As such, I continuously wonder if there were just as many secrets before, but it's just faster to find out about their existence nowadays
To some extent I agree that this, but up until 20 years ago we had some real journalism. Nation wide every station lost their "investigative reporters" within the same couple years, and that was the end of any real journalism with any of the 3 letter media outlets.
With rare exceptions today, the only thing that get air time is propaganda.
I don't work there anymore, but I've been in the security industry long enough to know a number of companies, as well as the uncomfortable squirming that follows if you ask security training providers for independent evidence supporting their claims.
As stated several times already, this is a culture problem with a company. Not an issue of security or training.
I never said security is stupid. I am saying security awareness trainings are a waste of time, by and large.
Your opinion vocalized will ensure that it is a waste of time. I gave an example of ensuring it's not. Hell, I'm not a security trainer. I provide data to ours, and work extensively securing systems and networks. When we have training I nudge people to listen instead of making it a "waste of time" or a "coffee break" as you claim the training is.
Most people are not experts, and most people don't deal with risks every day. Showing them "hacking" is like magic to an accountant, and it's a pretty effective way of teaching.
Tell me, how many people have you had in those trainings who thought, before they went in, that giving your password to random strangers is a good idea? 90% of the content of these trainings is either boring because everyone knows it already, or boring because it's too technical and not interesting, so they filter it out.
Wrong question to ask, followed by more of the same rubbish perpetuating your opinion.
There are numerous ways to get people involved and interested in training. Show them a hack in progress, play recorded calls of phishing attacks, let them put their hands on a hacking device or operate a key logger on a demo PC.
I've had the responsibility of writing or reworking existing IT security policies, and my advice has always been to make them as short and simple as possible. I've seen a multinational corporation vomit up a 300 page security policy, which was really great from an ISO 270xx POV, but aside from the guys in the security department who wrote it, I'm fairly certain I was the only other human being who actually read all of it, ever.
Writing policy is not the same as educating people. Two different skill sets. It's interesting that you claim to have so much knowledge yet hate to teach or listen to shared knowledge, from a psychological standpoint.
I'll hear you whine about depth of security policies after you have built and secured NISPOM/JFAN compliant networks. Knowing the policy is required to set them up, audit them, and maintain them. Once again, you bring up people not following or using policies which is a Culture issue and not a security or training issue.
I love security. But I think our industry's approach to users and security is fundamentally flawed and trainings are a band-aid on a broken arm - placebo treatments that don't even touch the real issues.
Because everyone is exposed to and knows as much about security as you do right? Rhetorical question, don't answer it. Your problem with security awareness training is related to your own psychological problems. We all have them, I don't intend that as an insult. I work on mine every day.
I would agree with this if, and only if, the tax is a unilateral tax and not a weapon of control by large corporations. The weaponization of taxes was used in Australia and in the US for purposes other than discouraging the use of fossil fuels.
Kraus is arguing about people preemptively ditching carbon taxes in the US which are written to primarily fund large corporations and punish smaller corporations.
Kraus is also notorious for being a bigot and a pawn for the NWO agenda, so he can rot for all I care. He is one of many that perpetuate the "blame religion" mentality instead of fixing issues, while of course he gets paid speaking gigs and TV appearances.
I've seen first hand that many employees consider those security trainings either a waste of their time or a coffee break.
Ahh, so you work at one of those places with horrible culture.
For all I know, the only people who think that security awareness training increases the number of people who give a fuck are the marketing drones selling security awareness trainings. People who cared before the training will get information. People who didn't care before will not care after. Why should they?
Got it, you are a lively participant in the horrible culture and happy to propagate the culture.
If you've managed to get your people to reliably report incidents, you've managed something that a lot of companies struggle with.
In 30 years of working IT (right after college which was right after the military) I have seen both good and bad. You are in a bad place with a bad culture, period. It usually takes a whole lot of new-hires and terminations to change a culture (depending on the size of the company).
As stated in a previous post, this is all behavioral psychology. When management and IT dismiss security as "stupid" and pee away opportunities to share knowledge, that is a problem with management and IT. Of course accountants don't care, you are teaching them not to! Instead of saying "this is stupid, I know this stuff" you could volunteer to help mentor people or simply grunt "yup, saw a guy get hacked by this once" instead of holding negativity.
Actually it's a post ordering thing. It shows _below_ your post after reloading the page, but when I added comments it was showing above your post.
Descartes' primary body of work proves how wrong you are. Lacking physical evidence does not imply that something is impossible to prove, just that you cannot prove something absolutely without physical evidence.
Given the political history of the person TFA is discussing (Franklin Coverup amongst numerous scandals), I think there is enough to question whether or not he is at a minimum a pedophile worthy of being labelled an "alien reptilian baby eater".
This is not about "Climate Change", it's about "Carbon Tax". Carbon Taxes have been used to stifle innovation and competition, and the players that should be paying the most have been immune to the tax. That's not an issue of a tax as much as an issue of corruption. That said, while so many governments are grossly corrupt a "Tax" is not going to be the answer.
As long as people like you believe in a false paradigm blaming religion (or democrat vs. republican), no corrections will be made.
Security awareness training in companies is largely nonsense.
Rubbish! If you are starting from scratch you have to lay the foundation. Jumping right into impersonal communications shows that your security team does not care, therefore the amount of people with genuine concern will never increase.
Reminders are incredibly powerful, there's now a decent amount of psychological research to back that up.
That we agree on, but you are choosing to ignore all of the precursor psychology which is just as well documented.
And from your one incident I gather you also have a reporting culture where people are not afraid to report problems. Many companies don't have that, people constantly sweep problems under the rug because they're afraid it would damage their career to report them.
It's hard to tell if you were attempting to be condescending with that first sentence. I've been working in IT for 3 decades, so have much more experience than one incident. Going beyond one example is not necessary.
Re-read my last paragraph, I point out that in SV there is a culture issue to overcome. That said, where I work currently the culture is open and honest and is in SV. Corporations can change their culture, if they try to do so.
Going by personal history here, it's easy to mistake a "stupid phisher" for a syndicate. Often they operate the same, and the syndicates do test what they sell to the "stupid phishing" people.
I'm not against what you are doing at all, but pointing out the risk which you overlooked. Definitely not something a novice should attempt.
I would surely hope that is not true. Perhaps there is a segment that doesn't care.
Which is fine until your IPs start to get extra attention for fucking with people. Avoiding drug dealers in a big city is not hard once you know what to look for. I'd not recommend that people start driving by and throwing eggs at them, eventually they will get pissed and shoot someone.
Or install ad-block and no-script and don't show her how to disable them.
People misusing or abusing a proxy server (or any other service that can be used to increase security) is a totally separate issue. I laugh at anyone claiming it makes things slower too, because you are obviously not using a proxy properly if your internet slows down. Either that or you think a single cache drive is "enough" and skimped on scaling out the service properly.
As I replied above, it's much simpler than that. Proxy logs are used to determine who clicked a bad link.
Proxy logs are not magical things, they are actually very effective in determining users that followed a phishing link. Even if the user did not report the breach themselves, the security incident would have been found (though it may have taken an hour or two as opposed to minutes).
Sadly many people think a proxy is a bad thing and believe direct access is better.
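The proxy-log triage the posts above describe, as an added example that is not part of the original thread: given the host of a reported phishing link, walk squid-style access log lines, pull out every user who requested that host (or a subdomain of it), and note whether the request was blocked or was a POST, since a POST to a credential-harvesting page is the one that matters most. The log lines, user names, client IPs and the `support-example.invalid` domain are all constructed for the example; the field layout assumed is squid's native `access.log` (timestamp, elapsed, client, action/status, size, method, URL, user, hierarchy, content type).

```python
"""Find out who followed a reported phishing link from proxy access logs.

Constructed squid-style access.log lines. The layout assumed here is
squid's native format, one request per line:
  timestamp elapsed client action/status size method url user hierarchy type
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlsplit

# Constructed sample data: two hits by alice (the second a POST), one
# blocked hit by carol, normal traffic by bob, and a corrupt line.
SAMPLE_LOG = """\
1719999000.101    212 10.1.2.3 TCP_MISS/200 5120 GET http://support-example.invalid/verify alice HIER_DIRECT/198.51.100.7 text/html
1719999003.550     18 10.1.2.9 TCP_MISS/200 2210 GET http://www.example.com/ bob HIER_DIRECT/203.0.113.5 text/html
1719999050.900    143 10.1.2.3 TCP_MISS/200 3300 POST http://support-example.invalid/verify alice HIER_DIRECT/198.51.100.7 text/html
1719999090.002     40 10.1.2.7 TCP_DENIED/403 0 GET http://cdn.support-example.invalid/p.js carol HIER_NONE/- text/html
1719999120.430      9 10.1.2.3 TCP_MISS/200 880 GET http://intranet.example.com/ alice HIER_DIRECT/203.0.113.5 text/html
this line is deliberately malformed and must be skipped
"""


@dataclass
class ProxyHit:
    when: datetime
    client: str
    user: str
    method: str
    url: str
    status: int
    blocked: bool  # proxy denied the request (e.g. TCP_DENIED)


def parse_proxy_line(line: str) -> Optional[ProxyHit]:
    """Parse one squid-native line; return None for lines that do not fit."""
    parts = line.split()
    if len(parts) < 10:
        return None
    try:
        ts = float(parts[0])
        action, status = parts[3].split("/", 1)
        status_code = int(status)
    except ValueError:
        return None
    return ProxyHit(
        when=datetime.fromtimestamp(ts, tz=timezone.utc),
        client=parts[2],
        user=parts[7],
        method=parts[5],
        url=parts[6],
        status=status_code,
        blocked=action.startswith("TCP_DENIED"),
    )


def host_matches(url: str, phishing_host: str) -> bool:
    """True if the URL's host is the phishing host or any subdomain of it."""
    host = (urlsplit(url).hostname or "").lower()
    phishing_host = phishing_host.lower()
    return host == phishing_host or host.endswith("." + phishing_host)


def find_clickers(lines: Iterable[str], phishing_host: str) -> List[ProxyHit]:
    """All requests to the reported host, oldest first."""
    hits = []
    for line in lines:
        hit = parse_proxy_line(line)
        if hit is not None and host_matches(hit.url, phishing_host):
            hits.append(hit)
    hits.sort(key=lambda h: h.when)
    return hits


def summarize(hits: List[ProxyHit]) -> Dict[str, dict]:
    """Per user: first contact, whether an unblocked POST (likely credential
    submission) was seen, and whether every request was blocked by the proxy."""
    summary: Dict[str, dict] = {}
    for h in hits:
        s = summary.setdefault(
            h.user, {"first_seen": h.when, "posted": False, "blocked_only": True}
        )
        s["first_seen"] = min(s["first_seen"], h.when)
        if not h.blocked:
            s["blocked_only"] = False
            if h.method == "POST":
                s["posted"] = True
    return summary


if __name__ == "__main__":
    report = summarize(find_clickers(SAMPLE_LOG.splitlines(), "support-example.invalid"))
    for user, info in report.items():
        print(f"{user}: first seen {info['first_seen'].isoformat()}, "
              f"posted={info['posted']}, blocked_only={info['blocked_only']}")
```

Users whose only contact was blocked by the proxy still appear in the output: they clicked, so they belong in the awareness follow-up even though no data left the network. Users with an unblocked POST are the ones whose credentials get reset first.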
As one who has thousands of people working in companies that I either own, co-own, or have invested in, I can tell you that not everyone is trainable.
I agree, but those are not people you want working for you if you are concerned about security.
Not that people are stupid - no, as far as I am concerned, almost all who are working in the companies I mentioned above are above average in intelligence - but the one thing that is needed the most is not information, rather, it's intuition with a large bit of paranoia mixed in.
I think that you and I have different definitions of intelligence (mine matches the dictionary). If a person does not care, or is lazy in terms of security, that has nothing to do with intelligence. An intelligent person that cares can easily learn. An intelligent person that does not care will perform questionable acts, and not just in terms of phishing campaigns. A lazy person will filter security messages to junk and never read them.
Making people care about security takes work, and making sure they review security bulletins takes work. Reward vs. punishment systems are a juggling act, but this is true in any behavioral science.
It takes a paranoid to be suspicious of everything - and in this social-media world that we have today, where everybody shares every bit of their own info to the world - paranoia is becoming a scarce resource.
If the dangers of social media are not part of your security awareness campaigns in the office, you need to have your security team add this to their normal message campaigns. It does not take paranoia by end users to catch phishing attacks, it takes awareness. I.E. "Our company will never ask you for personal information on a social media site. We will never ask for your login name or password on the phone. If you receive such a request contact security at [some extension] immediately, preferably while the person making this request is on the phone." or how about "Want a free lunch? Report questionable content to security and if it's a campaign to cause damage we'll buy you lunch." and finally "Send suspect phishing emails to security, be entered for a raffle to win dinner with the CEO/attend a game in our suite at the Shark Tank, etc...." There are many ways to mold behavior.
Further, if you are a company that does take login names and passwords over the phone or asks for people's personal social media information, change your friggin policies immediately! That is not a problem with uneducated users, that is a problem with horrible company policies and practices.
No matter how much info we have shared with our colleagues, no matter how many times we have told them to be ultra careful, you bet someone will get phished, almost on a daily basis, and the local level network will get breached.
I have seen too many examples where this is simply not true. Companies that skimp on acquiring and maintaining a good security team and enforcing internal training are the biggest victims. Where I work currently we have regular training, and even though we experience regular phishing attacks people are not giving out data. It's only 600 employees, but we still see 0 successful phishing attacks.
I'd be willing to bet that any company you claim is "good" yet gets regularly victimized by phishing attacks receives little to no regular security training. And "NO", an email from security that requires no follow up is not "training". Annual face to face meetings with security are similarly not training. Even in a place where users have been well trained quarterly is a minimum, and while working to train users this should be monthly at a minimum. Make the training mandatory, but buy your people lunch for attending. If you let people skip training you are teaching them that it does not matter, so your company needs to ensure a zero tolerance policy for this training. This is all pretty basic psychology for behavior training.
Sometimes yes, but not always true. Sure, "Free Porn" will get a whole lot of clicks, especially from uneducated people (who are usually schooled shortly thereafter by the spammer).
Professional phishing is geared to make it look like something the target company sent out. Working in DOD for about a decade, I saw some exceptional work. They register domains similar enough to the company and often related (support-raytheon for example) so that even people that look for questionable URLs can be fooled.
How are spammers successful so often? Simple, companies don't train people.
At the DOD site I worked at, it was a weekly training memo from our security team on the latest threats. Phishing was always a topic. People had to read the briefings or they could be terminated. 3-4 questions were enough to ensure people at least skimmed the content. Before you get anal about productivity, the email was a 2 minute read max, so even if you had to read it twice to answer the few questions it was a whopping 5 minutes out of your Friday.
We experienced numerous well crafted phishing attacks, and had 1 person out of 5,800 click the link. That person immediately contacted security, and we reset all of their account data. That was 1 out of 5,800 once, and we had professional campaigns run against us several times a year.
Now, take the average IT company in Silicon Valley which spends no time training on these issues (if your company has security awareness training I'm not referring to you, your company is not "average"). Since their people lack training, it's not uncommon to see 10% success in a phishing campaign. Compounding the problem, people often won't report the breach until it's too late if they report the incident at all (cultural issue with many companies in SV).
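The lookalike-domain problem raised above (a registered domain that carries the company's name but is not the company's domain) is the sort of thing a security team can check mechanically when users forward suspect mails, so people do not have to eyeball URLs. This is an added example, not the poster's code or any DOD tooling: it classifies the host of each URL as legitimate (the real domain or a subdomain of it), lookalike (the brand appears in, or is one edit away from, a label of some other domain) or unrelated. The brand `example`, the legitimate domain `example.com` and the `.invalid` test hosts are constructed; the registrable-domain split is the naive "last two labels" and would need a public suffix list for real use.

```python
"""Flag URLs whose host imitates a company brand without being the company's domain.

Added example. Assumptions: brand token "example", legitimate domain
example.com; hosts under .invalid are constructed test data. The
registrable-domain logic is deliberately naive (last two labels).
"""
import re
from typing import Iterable, List, Set, Tuple
from urllib.parse import urlsplit

LEGIT_DOMAINS: Set[str] = {"example.com"}
BRAND = "example"


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character swaps such as 'examp1e'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str, brand: str = BRAND, legit: Set[str] = LEGIT_DOMAINS) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a hostname."""
    host = host.lower().rstrip(".")
    brand = brand.lower()
    for d in legit:
        if host == d or host.endswith("." + d):
            return "legitimate"
    labels = host.split(".")
    # Drop the TLD; a brand in the TLD position is not a realistic lookalike.
    # Split remaining labels on hyphens so 'support-example' yields 'example'.
    tokens = [t for label in labels[:-1] for t in re.split(r"-", label) if t]
    for t in tokens:
        if brand in t:                       # support-example, exampleshop
            return "lookalike"
        if len(brand) >= 5 and levenshtein(t, brand) <= 1:  # examp1e, exmaple
            return "lookalike"
    return "unrelated"


def flag_urls(urls: Iterable[str]) -> List[Tuple[str, str]]:
    """Classify each URL by its host; URLs without a host are 'unrelated'."""
    out = []
    for u in urls:
        host = urlsplit(u).hostname or ""
        out.append((u, classify_host(host) if host else "unrelated"))
    return out


if __name__ == "__main__":
    # Constructed sample: what a forwarded suspect mail might contain.
    sample = [
        "https://intranet.example.com/hr/benefits",
        "http://support-example.invalid/verify",
        "http://examp1e.invalid/login",
        "http://example.com.invalid/reset",
        "https://news.invalid/article",
    ]
    for url, verdict in flag_urls(sample):
        print(f"{verdict:11} {url}")
```

The brand-length guard on the edit-distance rule keeps short brand names from matching ordinary words; tune it per company. Anything that comes back "lookalike" is a candidate for the proxy's block list and for a note in the next awareness memo, with the real URL shown beside the fake one.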