Blog: SANS Securing The Human

New Poster Helps Your IT Admins Become Human Sensors

Most security awareness training is focused on changing human behavior. People already know how to perform a specific skill; awareness simply teaches them how to perform it more securely, such as when using email. However, there are times when you need to teach people new skills. While not designed for awareness training, a new poster recently created by the SANS Forensics instructors fits the bill perfectly. This two-sided poster, called "Know Normal - Find Evil", documents different ways a forensics expert can identify whether a system is compromised. While designed for forensic professionals, I feel this poster is a great resource for almost any IT admin, even one with no security experience. The poster identifies system processes,

...

Job Description for Security Awareness Officer

Organizations around the world are beginning to address the human element when securing their organization. The days of purely compliance-focused training are gone; we also need to effectively change behavior. To achieve that, you need the right person in charge. Below is an attempt to describe what the job description of a security awareness officer could look like.

Security Awareness Officer

This individual has overall responsibility for our security awareness and education program. Ultimately this person's job is to reduce risk to our organization by ensuring all employees, staff and contractors know, understand and follow our security requirements and behave in a secure manner.

Our Security Awareness Program

...

Getting Support and Approval for Phishing Assessments

During my human metrics talk at RSA last month, a common question was how to get support for an internal phishing program. Phishing assessments are a powerful metric: not only do they measure a high human risk, but they are repeatable, quantifiable, actionable and low cost. This is why phishing has become one of the most common metrics within security awareness. In addition, phishing is a powerful way to reinforce key human behaviors. When I first started in security awareness five years ago, phishing, or any type of human assessment, was rare. Nowadays, I would say roughly 30% of the organizations I work with are doing some type of human assessment as part of their awareness program (surveys, phishing, checking on secured desktops

...

Why the 90 Day Rule for Password Changing?

I consistently find passwords one of the most challenging parts of any awareness program, as we have to teach people a patchwork of confusing rules. These rules can include: always use long, complex passwords; never share your passwords; use unique passwords for every account; never write your password down; be cautious of personal questions; and more. To make matters worse, not only are different people teaching different rules, but those rules change over time. *sigh*

One of the key guidelines for changing behavior is to focus on the fewest behaviors that address the greatest risk. When you take this approach, you will soon find the hardest part of effective awareness is deciding what NOT to teach people. For example, a frustration of mine is the old adage always

...

March OUCH is Out - Windows XP

OUCH is a free, monthly security awareness newsletter developed by SANS Securing The Human and community volunteers. Our goal is to provide Ordinary Computer Users (OCUs) with simple and actionable information on how to protect themselves online. Every month, led by a Guest Editor Subject Matter Expert, we cover a new topic in 1,000 words or fewer and translate it into over 20 languages. For March, we selected the topic of Windows XP, specifically how Microsoft will end support for it next month. We felt this topic was very important, as surprisingly almost 30% of computers still run Windows XP today. We encourage you to download, share and distribute OUCH with your friends, family and co-workers. Organizations are welcome to distribute OUCH as part of their

...