Which part was the bullshit? I’m not sure which part it was. Are we trying to raise awareness for users of Intranet services? Which security issues?
Are the users part of a SaaS model or outsourced application? An Internet application?
How old are the users? What backgrounds do they have?
I’m all for education of security concepts, but I think it should be done in the age 10-20 range or with people who want to get involved. There should be plenty of corporate programs to help users who want to be there. Forced training goes nowhere. Even formal training is too much. What the average, age 21-65 crowd needs in the corporate world are a bunch of Lunch’N Learn sessions that provide resources such as Wikipedia, Digg, Reddit, and Del.icio.us links about security issues facing their day-to-day use of applications/software. They need to get on Google Apps, News, Reader, Alerts, and Blogs. They need to know how to educate themselves - not be told how to make a good password.
Awareness at the C-Level usually comes in the form of Core Impact, W3AF (or WebInspect, AppScan, or Hailstorm), CANVAS, or Metasploit (or Kismet). This is also totally strange. Every company with a $75M market cap or more needs to follow SOX 404 (or as some say to non-public companies - “follow it anyways”) and PCI-DSS. Every CSO should already know about all the attack tools. He/she should know when/where they need to be run - only in labs; not in production.
February 18, 2008 at 10:02 pm
Hi Mark,
The second link seems to be broken. Can you repost?
TIA
February 20, 2008 at 12:35 am