Blog:

Monthly Archives: Aug 2010

Securing The Human - Presentation

I just finished presenting Securing The Human at SANS VA Beach. This is a brand new version of the presentation with a great deal of new content. One of the things I focused on was how organizations invest so much in protecting computers, and yet so little in protecting humans. However, if you think about it, this just does not make sense. Humans are just like any other operating system: we store, process and transfer information. Just like any other operating system, we have our own unique set of vulnerabilities. For example, we are very bad at judging risk. In addition, the Internet makes it very difficult for humans to authenticate who is communicating with us. Unfortunately, so little has been done to mitigate

...

SANS VA Beach

I'll be presenting Securing The Human at SANS VA Beach this Sunday. If you are in the area, let me know and let's meet up. I'm always looking for suggestions, lessons learned or any other ideas related to security awareness and the human factor.

Tron and Security Awareness

One of the challenges in any effective awareness program is how to communicate with your audience. There are some major challenges to consider here. Two of the most common I run into are creating something that employees want to watch, and at the same time creating something that works regardless of nationality or culture.

1. Entertaining: We need a message that keeps people's attention. If they are bored or turned off by the medium, then they will not pay attention. It is kind of hard for people to learn when they are not even listening to what you are saying. This is especially challenging with the new Web 2.0 or YouTube generation. They are used to fast and furious information in small sound

...

Capture The Flag - Followup Interview

In my last post I covered some of the great work the team at social-engineer.org did with their Human Capture The Flag at Defcon this year. What better way to generate awareness about the human factor than to actually show real social engineering attacks live. What is amazing is not that all the attacks were successful, but that everyone was successful even though they had numerous legal and ethical rules and limitations applied, something no real attacker even considers. I asked Chris Hadnagy, the brains behind the event, some questions about the CTF and what he learned. This is what he had to share with the community. The one thing that surprised me the most was the success attackers had against male victims versus female. Sounds like us guys are much easier to sucker.

1. How many people participated and of those how many were

...

Capture The Flag - Human Style

One of my favorite security events to attend every year is the Blackhat security conference. This is an annual event held every July/August in sunny Las Vegas, United States. Not only are there a tremendous number of talks from leading security researchers, but there are great opportunities to meet and network with your peers. In addition, with every Blackhat conference comes Defcon, the infamous underground event, which in many ways is a rite of passage for every security professional; you have to experience it at least once. What is great about Defcon is that it provides the perfect venue to try out new ideas. One really stood out this year: the Social Engineering Capture the Flag, sponsored by the guys at Social-Engineer.org. Capture The Flag is a traditional event at Defcon where competing teams attempt to hack into networks (or each other). While this has been going on for years, this year's CTF event was the first where attackers used

...