Security Awareness - Lost In Translation
One of the things I absolutely love about security awareness is how I'm constantly learning about human behavior and the challenges of dealing with different cultures. One example is language: many things we take for granted in our native language can be very different in other languages or cultures. If you are a large organization, or if your security awareness program encompasses many different groups, these differences become a big issue. One of my favorite examples is the concept of Safety versus Security. In English these two words address two different concepts. Safety is focused more on environmental or accidental threats, such as storms, earthquakes, car accidents, food poisoning, etc.
Teaching at Blackhat In Las Vegas
I've just finished updating the content for my upcoming two-day class Securing The Human at Blackhat Vegas next month. If you or anyone you know is interested in learning how to address the human factor, this is the class for you. I've updated about 60% of the course with new content, based on lots of lessons learned in the past twelve months. If you have any questions about the class, just email me. If you are not attending the class but are still attending the conference, let me know and let's meet up. Blackhat is one of the best places to meet other people in this field and learn from each
Security Awareness Programs - Monthly or Annual?
One of the key points I covered in my "Securing The Human" presentation at both SANS and NY was the idea of having a monthly or an annual security awareness program. Specifically, which is the better approach: an annual program requiring all employees to go through full training once a year, or a monthly program where a new topic is covered every month? Each approach has its advantages and disadvantages.
Annual: An annual program is when all employees get training on all security topics in a single event (usually online training or an onsite workshop). In addition, this full training is usually required for any new hires. The advantage with this approach
Security Video For Management - In Spanish
Javier Fernández-Sanguino Peña recently contacted me asking if we could provide our Management Video in Spanish. As you may remember, we released this video last month to educate management on the importance of security awareness and training. If you are trying to develop management support for such a program, this video is a great way to start. Javier was kind enough to provide a translation in Spanish, which we simply converted into subtitles. You can now view the video in English with Spanish subtitles. Thanks so much Javier! If you would like to have subtitles added in your own language so you can share the video with your management, email me and I'll send you a copy of the script to translate.
Gracias Javier!
Albany, NY Presentation Online
I just finished presenting "Securing The Human" at the 13th Annual New York State Cyber Security Conference in Albany, NY. As promised, you can find the slides online here. If you have any questions about the presentation, I would love to hear from you, email me at lance.spitzner@honeytech.com.
The State of "Securing The Human"
After being involved in information security for over fifteen years, I have grown very passionate about "Securing The Human". There are several reasons for this, but the biggest is that I feel the human is where we can make the greatest difference. Ever since the release of Windows XP Service Pack 2 in August 2004, I've seen cyber threats focus more and more on the human. The simplest way to own a network has become to own the employee. So why in the world is the information security community still so focused on technical issues? Go to any security conference or workshop, and the talks are focused on
Securing The Human - SANS Presentation
I just finished presenting Securing The Human at SANS Baltimore. This presentation defines the challenges in securing the human (primarily why we are so bad at judging risk) and the key steps to a successful program to address these challenges (humans have vulnerabilities just like technology). As always, SANS has a great crowd. What I love best are not only the challenging questions, but the lessons learned others have to share. As promised, you can download the presentation here. Missed the presentation? I'll be presenting again next week in Albany, NY for the
Exploiting The Human - CTF Style
Traditionally one of my favorite resources on social engineering (a common method for exploiting the human) has been Kevin Mitnick's book The Art of Deception. In this book Kevin describes in detail many of the social engineering attacks he used in the past. While most of the attacks he describes do not use today's technology (he simply used a phone as opposed to today's Twitter, Facebook or smartphone apps), he does a great job explaining how the attacks worked, especially his more sophisticated ones. Specifically, he explains how he progressively built the trust of people within an organization with a series of short phone calls, and
One of the things I've been looking for is a good statistic that demonstrates just how actively targeted the human element has become. I've had several discussions about this topic with the malware community (not just anti-virus employees but researchers, operations, etc.) and I knew the numbers were high. I often get estimates that up to 70% of malware can be totally dependent on exploiting just the human, while another percentage involves exploiting both the human and technical vulnerabilities. I just read a very interesting statistic from Symantec at Network World, where Symantec states that 97% of the malware they now
Honeynet Project Forensic Challenge
The Honeynet Project just released their latest forensic challenge. You have an opportunity to analyze a real VoIP attack and submit your analysis for judging. Your submission will then be compared and judged against your peers from around the world. This is an amazing opportunity to learn, as the top three submissions are shared with the world so we can all learn from each other. In addition, the challenge is also being offered in Simplified and Traditional Chinese, expanding the possible submissions to another 1 billion people. You can find more about the challenge at the Honeynet Project VoIP Challenge site.