After being involved in information security for over fifteen years, I have grown very passionate about "Securing The Human". There are several reasons for this, but the biggest is that I feel the human is where we can make the greatest difference. Ever since the release of Windows XP Service Pack 2 in August 2004, I've seen cyber threats focus more and more on the human. The simplest way to own a network has become to own the employee. So why in the world is the information security community still so focused on technical issues? Go to any security conference or workshop, and the talks are focused on
The State of "Securing The Human"
Securing The Human - SANS Presentation
I just finished presenting Securing The Human at SANS Baltimore. This presentation defines the challenges in securing the human (primarily why we are so bad at judging risk) and the key steps to a successful program to address these challenges (humans have vulnerabilities just like technology). As always, SANS had a great crowd. What I love best are not only the challenging questions, but the lessons learned that others have to share. As promised, you can download the presentation here. Missed the presentation? I'll be presenting again next week in Albany, NY for the
Exploiting The Human - CTF Style
Traditionally, one of my favorite resources on social engineering (a common method for exploiting the human) has been Kevin Mitnick's book The Art of Deception. In this book Kevin describes in detail many of the social engineering attacks he used in the past. While most of the attacks he describes do not use today's technology (he simply used a phone, as opposed to today's Twitter, Facebook or smartphone apps), he does a great job explaining how the attacks worked, especially his more sophisticated ones. Specifically, he explains how he progressively built the trust of people within an organization with a series of short phone calls, and
One of the things I've been looking for is a good statistic that demonstrates just how actively targeted the human element has become. I've had several discussions about this topic with the malware community (not just anti-virus employees but researchers, operations staff, etc.) and I knew the numbers were high. I often get estimates that up to 70% of malware can be totally dependent on exploiting just the human, while another percentage involves exploiting both the human and technical vulnerabilities. I just read a very interesting statistic from Symantec at Network World, where Symantec states that 97% of the malware they now
Honeynet Project Forensic Challenge
The Honeynet Project just released their latest forensic challenge. You have an opportunity to analyze a real VoIP attack and submit your analysis for judging. Your submission will then be compared and judged against your peers from around the world. This is an amazing opportunity to learn, as the top three submissions are shared with the world so we can all learn from each other. In addition, the challenge is also being offered in Simplified and Traditional Chinese, expanding the possible submissions to another 1 billion people. You can find more about the challenge at the Honeynet Project VoIP Challenge site.
Security Videos For Management
Sometimes the most difficult people to reach about information security are management. They often have neither the time nor the interest to learn more about these challenges. To help address this I'm playing with the idea of security training videos for decision makers. Below is my first attempt at this. In this video we explain to management why the human factor is important and what can be done about it (if you are going to explain a problem to management, be sure you also have a solution). Since management time is so short, I'm thinking it's best to keep such videos under three minutes. Input appreciated, not only on how to improve these types of videos but also suggestions for future topics.
[flowplayer src='http://www.securingthehuman.org/images/blog/2010/06/Honeytech-SecuringTheHuman-HD-640x360-Med.mov' width=540 height=310 splash='http://www.securingthehuman.org/images/blog/2010/06/SecuringTheHuman.jpg']