SANS evening session: "Patching your employee's brain" (by Pieter Danhieux)

I wanted to see both talks during this SANS community night, but due to traffic I missed half of Daan Raman's talk. Even though the part of the talk I saw showed that the research Daan did was sound and elaborate, I do not feel confident enough to represent his work correctly, so I decided not to write a wrap-up. Sorry Daan, I hope I get there in time next time. Daan's slide deck is available online for those interested in the research on Android malware.

The second talk that evening was given by Pieter Danhieux and dealt with the education of people in the workplace.

The slide deck can be found here. This was a largely non-technical talk about the different ways companies can instil a degree of security in their people: it is about making non-security people more resilient against different types of attacks (choosing a good password, recognising a phishing email or phone call, etc.). Pieter also included some good resources for finding items like posters that are free to use.

The first part of the talk showed how easy it is to craft phishing emails and malware that pass through junk and anti-virus filters. Pieter also showed with some clear examples that humans are not good at evaluating risks; in fact, the more uncommon risks are always perceived to be a lot more common than they are. Considering that most messages a normal user gets from anti-virus, firewall or browser are rather cryptic to them, it is not surprising that they make the incorrect decision when these are presented; after all, they could be missing out on a funny picture of a cat ;-)

During the second part of the talk it was made clear that most companies need a roadmap for security awareness. This roadmap should detail a security awareness program. Such a program is iterative in nature; it keeps looping through the same three phases:

1. Deliver the key message
2. Reinforce that message
3. Measure the effectiveness

It iterates on two levels: the process is repeated for each key message, and as soon as the metrics show that a message from the past is deteriorating, that message needs to go through the loop again.

The last part of the talk was about pitfalls and common mistakes. The most important one I noticed personally is that you need active support and backing from the complete management if you want a security awareness program to succeed.

A very nice and informative talk indeed :-)

