Security Awareness Blog

2015 Verizon DBIR - From a Securing The Human Perspective

After reading the 2015 Verizon Data Breach Investigations Report (DBIR), I wanted to share my thoughts from a security awareness / human behavior perspective. Before I do, a big thanks to Bob Rudis (@hrbrmstr) and the DBIR team; they did an amazing job. For those of you who are unfamiliar with the DBIR, it has become the industry standard for making data-driven decisions on security. With that said, let's jump on in.

PHISHING (p16): The first thing that popped right out for me is that phishing has its own dedicated section. While the section does not cover anything dramatically new for those who have

...

Target: Healthcare Organization

Editor's Note: SANS & NH-ISAC have just released the whitepaper: The What, Where and How of Protecting Healthcare Data by authors James Tarala and Kelli K Tarala. Below is an excerpt, the full paper is available for download at: http://www.sans.org/u/3fO.

A healthcare organization is responsible for protecting a patient's most private information: their medical record. A healthcare organization also maintains the patient's financial information, as well as the organization's own intellectual property and that of its vendors and affiliates. These are among the most highly sought-after pieces of protected information for a hacker. In conventional data breaches, an individual's credit card number, bank account number or even Social Security Number can be reissued. In healthcare data breaches, an individual's medical record cannot be changed and stolen intellectual property cannot be recovered. This makes stolen healthcare

...

Can't Patch Stupidity? Look in the Mirror

A theme I sometimes hear from people in the security community is "you can't patch stupid": that "End Users" are too dumb or ignorant to be secured. Wow, I can't think of a more unfounded, prejudiced statement. First, "End Users" are people like you and me, so I suggest we start calling them that. Second, many of the people I see organizations trying to secure are very intelligent. These organizations include engineers, accountants, scientists, lawyers, researchers, doctors and a myriad of other smart people. In one extreme example, I know a security awareness officer whose organization is so highly educated that the average employee has 2.5 PhDs. Finally, most people I talk to are motivated; they want to do the right thing and be secure. So if we are working with people who are both smart and motivated, what is the problem?

I think we, the security community, need to take a long look in the mirror. You will quickly see that we are the problem.

...

Securing the Software Development Lifecycle

Editor's Note: Today's post is from Eric Johnson. Eric is a Senior Security Consultant at Cypress Data Defense and the Application Security Curriculum Product Manager at SANS. In this post Eric replies to a question about what SDLC is and where people can learn more.

In a previous post, Beeker posted the comment, "What is a secure software development lifecycle?" This is an excellent question, and one that I receive quite often from organizations during an application security assessment. Let's quickly review the Software Development Lifecycle, also known as the SDLC. The goal of an SDLC is to

...

What Ideas do You Have to Secure Today's Kids?

Folks, I'm pumped to be part of something new at RSA this year: an event focusing on how the security community can best reach out to and help secure today's kids. I'll be part of a keynote panel with some other absolutely amazing folks, including Alicia Kozakiewicz (if you don't know who that is, stop reading this and take five minutes to read her story; it's far more valuable than anything I can say here). In addition, RSA is hosting

...