Security Awareness Blog

Book Review - Leaders Eat Last

As the title suggests, "Leaders Eat Last" is a book on leadership. I read this book as it was recommended by several security awareness officers I know. Instead of a book on data driven management, the book focuses on the human element of leading. The book is fascinating as Simon Sinek goes into the biology of what drives people. He starts with the quote "Stress and anxiety at work have less to do with the work we do and more to do with weak management and leadership". He then goes into the feeling of safety and how it drives people. People have biologically developed to operate best when they feel protected by

...

2015 Verizon DBIR - From a Securing The Human Perspective

After reading the 2015 Verizon Data Breach Investigations Report (DBIR) I wanted to share with you my thoughts from a security awareness / human behavior perspective. Before I do, I just wanted to say a big thanks to Bob Rudis (@hrbrmstr) and the DBIR team; they did an amazing job. For those of you who are unfamiliar with the DBIR, it has become the industry standard for making data driven decisions on security. With that said, let's jump on in.

PHISHING (p16): The first thing that popped right out for me is phishing has its own, dedicated section. While the section does not cover anything dramatically new for those who have

...

Target: Healthcare Organization

Editor's Note: SANS & NH-ISAC have just released the whitepaper: The What, Where and How of Protecting Healthcare Data by authors James Tarala and Kelli K Tarala. Below is an excerpt, the full paper is available for download at: http://www.sans.org/u/3fO.

A healthcare organization is responsible for protecting a patient's most private information: their medical record. A healthcare organization also maintains the patient's financial information, as well as the organization's own intellectual property and that of its vendors and affiliates. These are among the most highly sought-after pieces of protected information for a hacker. In conventional data breaches, an individual's credit card number, bank account number or even Social Security Number can be reissued. In healthcare data breaches, an individual's medical record cannot be changed and stolen intellectual property cannot be recovered. This makes stolen healthcare

...

Can't Patch Stupidity? Look in the Mirror

A theme I sometimes hear from people in the security community is that you can't patch stupid. That "End Users" are too dumb or ignorant to be secured. Wow, I can't think of a more unfounded, prejudiced statement. First, "End Users" are people like you and me, so I suggest we start calling them that. Second, many of the people I see organizations trying to secure are very intelligent. These organizations include people such as engineers, accountants, scientists, lawyers, researchers, doctors and a myriad of other smart people. In one extreme example, I know a security awareness officer whose organization is so highly educated that the average employee has 2.5 PhDs. Finally, most people I talk to are motivated; they want to do the right thing and be secure. So if we are working with people who are both smart and motivated, what is the problem?

I think we, the security community, need to take a long look in the mirror. You will quickly see that we are the problem.

...

Securing the Software Development Lifecycle

Editor's Note: Today's post is from Eric Johnson. Eric is a Senior Security Consultant at Cypress Data Defense and the Application Security Curriculum Product Manager at SANS. In this post Eric replies to a question about what SDLC is and where people can learn more.

In a previous post, Beeker posted the comment, "What is a secure software development lifecycle?" This is an excellent question, and one that I receive quite often from organizations during an application security assessment. Let's quickly review the Software Development Lifecycle, also known as the SDLC. The goal of an SDLC is to

...