Blog: SANS Securing The Human

Out-of-Band OUCH! - Heartbleed, Why Do I Care

A key step to protecting most operating systems is regularly patching and updating them. Some operating systems, such as Microsoft Windows, are updated on a monthly basis, on what is known as Patch Tuesday. However, every now and then a critical vulnerability is found, one that bad guys are actively exploiting. In these cases, organizations like Microsoft release what is called an out-of-band patch: an emergency patch released outside of the normal patching schedule.

People are nothing more than another operating system: just like computers, you and I store, process and transfer information. Just like computers, people should be 'patched' monthly. To help organizations with their monthly HumanOS patching process we release the free OUCH!


Guest Blog - Taking a Generational Approach to Security Awareness

Editorial Note: This is a guest blog post from Paula Fetterman. We feel she came up with an amazing idea and asked her to share it here.

In Feb 2014, I had the opportunity to attend the RSA Security Conference in San Francisco. While attending an early morning session (thank goodness for caffeine), I heard Todd Fitzgerald's presentation on "Generations Defined By Moments" and soon became very intrigued and engaged (yes...unusual for me at an early morning session). His premise was that each generation approaches security (and life) differently because of


Idea for Human Metrics - Tracking Updates

It's always challenging to find a good security awareness metric. By good, I mean not only does the metric need to measure a human behavior that I care about, but it must also be easy and low cost to measure repeatedly. So I'm always excited when I find what I feel is a good security awareness metric, and here is one I would like to share: updated devices.

The behavior we want to measure is whether employees are updating their devices. This is an important behavior: as we all know, the more up to date your devices are, the fewer vulnerabilities they have. For some organizations this is not an issue, as IT is responsible for keeping all the systems updated. However, for other organizations, especially smaller ones, employees often update the


Trick for Rewarding Good Behavior

Just finished up the SANS MGT433 class this week at SANS 2014 in Orlando. One of the things I love most about teaching is that I always learn something new. One of the students had a great idea for rewarding good behavior. In general you want to avoid purely monetary rewards for good behavior; you quickly run out of budget. Recognition is not only cheaper, but often more effective. For example, if someone receives a "Microsoft Tech Support" phone call and stops the attack cold, an organization's first response is often to reward the person with a gift card. Instead of providing just money, make a hero out of the person: post a story about what she did, how she figured out the attack and where she reported it. Not only are you publicly recognizing the individual for their great work, but you are promoting and reinforcing the good behaviors that secure your organization.

One of our students took the idea one step further. Instead of just


Updating Your Awareness Training

A common mistake I often see organizations make with their security awareness program is failing to plan long term. Quite often organizations get caught up in the initial roll-out of their training, but forget to plan for updating their program at some point. It's key that you update your program at a minimum once a year. Some things to consider:

  1. If your only goal is to meet compliance requirements, keep in mind that compliance standards are constantly changing, so you need to update your program to stay current. In addition, which standards you fall under can also change. For example, while you may not think you fall under HIPAA, after a review of HR and accounts payable you may ...