InfoSec Analyst: "We Make People Suck At IT Security"



IT Security analyst Ben Tomhave calls himself an infosec obsessive, and I admire his insightful analyses whenever they appear. This time he commented on the recent criticism that followed the Verizon Data Breach Investigations Report (DBIR).

His blog post is an excellent perspective on the current state of security, and he breaks it into three sections. The first is about the woes of patching, and he nails it. The second is about people, and I'll quote him here:

"The second major theme from DBIR and myriad other reports is that people continue to be the weakest link in security models. Now, this is for a number of reasons, most of which revolve around the fact that we give them easily exploited systems and then somehow expect them to magically protect these vulnerable boxen without any tools for self-defense.

"So, ultimately, as infosec and IT professionals, it's our fault that people suck, because we're making them suck. Think about that the next time you want to mutter "stupid users" over the latest compromise.

"Beyond the fundamental failures of expecting people to not get pwnd in a vulnerable environment, there are other things that can and should be done. Doing security awareness in the traditional, stupid, CBT-driven way is not it. Instead, we need to do a far better job engaging our target audience and embed practices and awareness into their DNA.

"You cannot do this in one standard cookie cutter manner, but instead must invest in more progressive methods."

I could not agree more. I have worked very hard over the last five years to provide you with a platform that helps you better manage the problem of social engineering and that is also easy, affordable and fun to use. Check all the features here:
https://www.knowbe4.com/security-awareness-training-2016-features/

The third part of Tomhave's analysis relates to the controversy about the source data used for the Verizon report, and it is very entertaining in its own right. Warmly recommended!
http://www.secureconsulting.net/2016/05/dbir-2016-lots-of-noise-and-dr.html
