According to the article, you really don't need to lock your car when at the mall or your house when you are away. There are still successful thefts taking place and we should work more towards coming up with better ways of preventing them since these are not 100% effective.
Training is NOT to make you completely immune, but to improve awareness and response. Having users act as a late(?) warning system on stuff that did get through but looks phishy is still better than them just trusting things and getting infected. In that eutopia, the end user would think that everything is clean and hackers can't get something past the sensors. Therefore EVERYTHING is safe to click on. Even the personal message from the company president asking you to click on the attachment to see naked pictures of his trophy wife. PCWorld should be ashamed of themselves for publishing such dribble. [email protected] made the following keystrokes: >Can I get an AMEN borthers and sisters!!! > > >Michael P. Blanchard >Senior Security Engineer, CISSP, GCIH, CCSA-NGX, MCSE >Office of Information Security & Risk Management >EMC =B2 Corporation >32 Coslin Drive >Southboro, MA 01772 > > >-----Original Message----- >From: [email protected] [mailto:[email protected]] On B= >ehalf Of Rob, grandpa of Ryan, Trevor, Devon & Hannah >Sent: Thursday, July 19, 2012 3:25 PM >To: [email protected] >Cc: [email protected] >Subject: [funsec] Security unawareness > >I really don't understand the people who keep yelling that security awarene= >ss is no = > >good. Here's the latest rant: > >http://www.pcworld.com/businesscenter/article/259461/why_you_shouldnt_train= >_e >mployees_for_security_awareness.html > >The argument is always the same: security awareness is not 100% foolproof = > >protection against all possible attacks, so you shouldn't (it is morally wr= >ong to?) = > >even try to teach security awareness in your company. > >This guys works for a security consultancy. He says that instead of teach= >ing = > >awareness, you should concentrate on audit, monitoring, protecting critical= > data, = > >segmenting the network, access creep, incident response, and strong securit= >y = > >leadership. (If we looked into their catalogue of seminars, I wonder what = >we would = > >find them selling?) > >Security awareness training isn't guaranteed to be 100% effective protectio= >n. = > >Neither is AV, audit, monitoring, incident response, etc. You still use th= >ose thing = > >even though they don't guarantee 100% protection. You should at least try = > >(seriously) to teach security awareness. Maybe more than just a single 4 h= >our = > >session. (It's called "defence in depth.") > >Tell you what: I'll teach security awareness in my company, and you try a s= >ocial = > >engineering attack. You may hit some of my people: people aren't perfect. = > But = > >I'll bet that at least some of my people will detect and report your social = > >engineering attack. And your data isolation won't. > >=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D (quote = >inserted randomly by Pegasus Mailer) >[email protected] [email protected] [email protected] > Often the best way to win is to forget to keep score. > - Marianne Espinosa Murphy >victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links >http://blogs.securiteam.com/index.php/archives/author/p1/ >http://twitter.com/rslade >_______________________________________________ >Fun and Misc security discussion for OT posts. >https://linuxbox.org/cgi-bin/mailman/listinfo/funsec >Note: funsec is a public and open mailing list. > >_______________________________________________ >Fun and Misc security discussion for OT posts. >https://linuxbox.org/cgi-bin/mailman/listinfo/funsec >Note: funsec is a public and open mailing list. _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
