Operation Bootstrap

Web Operations, Culture, Security & Startups.

The Not So Technical Security Problem - People.


I attended the Rocky Mountain Information Security Conference a few weeks ago and out of the whole deal I think the most significant insight I got was from a talk by Chris Nickerson of Lares Consulting. The talk speaks for itself, and I’ve included it below. Chris and his team are awesome and fun to hang out with too. If you have 45-60 minutes to watch the video below, it’s worth your time.

Chris Nickerson – Layer 8 Attacks, Social Engineering

Video: http://www.infoseczen.com/layer8.flv

The possibly less obvious thing that occurred to me after listening to this talk was that in this time of tight budgets and changing attacks, our best avenue of counterattack may be user education. I’m a little mixed on this though – while I know that the day to day decisions which really impact your organization’s security happen at the individual level, I’m not sure how much you can improve that situation through user training. Some folks just don’t get it. That said, if you can get everyone (ok, 80% of ‘em?) to understand the ways an attacker might enter into what they personally do every day and take advantage of them, can they make a difference? I bet they can. As always, defense in depth is important here too.

The challenges of training users go beyond budgets & technology into areas plenty of InfoSec folks are probably less comfortable with – Marketing, Politics and Process.

Marketing – get a message to folks that helps them understand why this matters to them. What can they really do? A lot. Tell them what those things are!

Politics – Sorry guys and gals, politics goes with InfoSec like grease and mechanics. It’s a necessary evil, but it is what eases the movement toward bigger change.

Process – Training & Testing. Policies and documents are great – but when Vinnie drops by the front desk to con his way in, nobody’s looking at a document to figure out how to respond. Training raises awareness & nobody wants to be “caught” not responding appropriately. It takes time but all those testing failures should lead to more interest in training. This, I think, is where the rubber meets the road.

Chris is teaching a Social Engineering course at ChicagoCon – hopefully we’ll see more of this stuff going forward.