Category: Security Education

Millennials prove that tech savviness does not always equal security awareness

Bleeping Computer has published an article all about how millennials are more likely to be a victim of phishing and online scams than Baby Boomers (a.k.a. old people). I am taking this story with a few grains of salt because they gathered the data via a survey (in other words, there’s no hard data). But the result is really not that surprising.

Think about it this way: many Baby Boomers work in a corporate environment where they (hopefully) are inundated with a message of “don’t click that!” Even if someone doesn’t work in corporate America, they are probably more aware in general due to news coverage, etc. AND they have been around longer to get that message.

Millennials, on the other hand, are often not in bigger corp jobs, and they don’t consume media the same way the older generation does. And, of course, they haven’t been around for as long, so some of those messages haven’t reached them yet. Plus, they just want to do their social thing without hindrances. In general, Millennials are probably up for taking more chances.

This is all speculation on my part, of course. But it makes sense when viewed through the lens of generational differences. This is why I would advocate for security awareness training in high school and college (along with basic financial classes). Something that can give awareness without always focusing on tech (because that changes a lot). It should give young people a general sense of awareness and a healthy sense of paranoia – basically, something that will make them think twice. Combine that with PSAs that pop up as ads in social media, streaming apps, etc. And as parents, we should also be teaching that kind of awareness. It’s not an easy thing to tackle, and human nature is always going to make us susceptible to scams. Maybe as Millennials become more seasoned, they will start learning some of those lessons.

But we shouldn’t have to rely on life lessons to teach future generations. We have to start teaching security awareness proactively at a younger age, or the lessons are going to keep getting taught the hard way. The bad guys want it that way. So let’s start disappointing them.

So, call to action: do you have formal security awareness programs in your educational system (high school, college)? Do your computer science classes at any level include information/cyber security in the curriculum? If so, is it a small part or a whole semester? If not, what kind of proposals do you have to fix that? What can we do to influence educators? Who do you know who is actively trying to fix this now?

Let’s have a discussion and see if we can make some headway.

Pretty cool security awareness video

A fellow CISSP shared this link to a security awareness video his company produced.  It is well done, though some of the characters might not be familiar to anyone that is not a Gen X’er or older.  Restrictions for use should be nonexistent as well since they posted it on YouTube, but don’t quote me on that.  Take a look.

UPDATE: From the person who shared the video:

This video is free to use.
I would like to note that the Duh’s Video was inspired by Scott Pinzon and
the Watchguard Bud videos.


An Information Security Place Podcast – Episode 10!


Link to MP3

Show Notes:

Episode 10!  We are in double digits!  W00T!  Thanks to Jim for all the hard work on getting these podcasts produced, for picking the music, for doing most of the talking, for… errr, what do I do around here anyway??

Segment 1: InfoSec News Update and some discussion about pinko commies

Segment 2:

  • Geek Toys – Jim has pretty much given up on trying to please Kirk because he is talking about non-security related toys AGAIN – a review of the Popcorn Hour A-110
  • Consultants Corner- Staying diligent during holidays
  • Further ranting – Jim says “LEAVE ME ALONE – I AM BUSY” to Q4 invitations to speak at conferences

Music Notes:

  • Intro/Outro – Digital Breaks – “Therapy”
  • Segue 1 – Naked Gun – “A.D.D.”
  • Segue 2 – Kickstart – “Bouncey”

New Orleans ISACA Chapter meeting

Douglas Haider (Accuvant wireless guru) and I went to the New Orleans ISACA chapter meeting yesterday.  Douglas was doing a talk on wireless auditing and RFID.  Douglas did his usual great job, and we made some great contacts down there.  I am probably going to be going down next month to give them my talk about using blogs for security research.

But my point to this post is the chapter itself.  These are people who had some pretty bad things happen to them not too long ago.  The city itself is still rebuilding a lot, and here is this little ISACA chapter trying to build up and become a source of information security assistance for the area.  The people trying to get it started seemed to be very dedicated to the cause and were trying to get connected to local ISSA and Infragard chapters as well (I believe they said the local ISSA chapter was in Baton Rouge – about an hour to the west of The Big Easy) to get some kind of local conference going (I mentioned TRISC and how we might be able to give them some benefit of our experience).

I was really impressed by this small group of information security and auditing professionals.  They were extremely hospitable and thankful for Doug and I coming out.  They are really interested in getting speakers out to New Orleans so they can start drawing in more members (kinda the chicken and egg thing – get better speakers to draw more people so you can draw better speakers).  If you are interested in speaking at one of their meetings (usually the second Thursday of each month), let me know and I will get your contact info to them.  They are small (there were about 20 people attending) but passionate, and I think it would be worth your while to give them a shout.


Some great SANS courses in the Dallas and Irving area

Want some training on defeating rogue APs? Want to learn how to defend against Google hacking? Well, you’re in luck!! Douglas Haider is a buddy of mine, and he is one of Accuvant’s Senior Wireless Security Consultants. He is teaching some SANS courses in the Dallas and Irving areas. This dude knows his stuff. You don’t want to miss these classes. Below is the information release on the courses.


The SANS Institute is pleased to bring the Stay Sharp training program
to Dallas and Irving! We invite you to participate in the following
classroom sessions with Stay Sharp Instructor Douglas Haider:

* Security 450: Defeating Rogue Access Points
Monday, May 7, 2007 – 6:00pm-9:00pm
Dallas, Texas

* Security 550: Google Hacking and Defense
Wednesday, May 30, 2007 – 9:00am-12:00pm
Irving, Texas

Register for both of the above classes and receive a 10% discount off
your tuition fees! Please e-mail for a discount code
BEFORE registering online as discounts are not retroactive.

Complete course descriptions and event details for these classes can be
found by clicking on the links above. Take advantage of small class
sizes and a convenient location to learn a specialized technical skill
in a single evening. Space for these classes is limited, so register
today while there are still seats available!

Alumni of SANS’ Stay Sharp Program agree on the value of this training:

“Very practical and to the point.” – Lyn Champagne, Dept of Justice

“A lot of information for an investment of just 3 hours.” – John
Broyski, Hudson Valley FCU

“Learned a great deal about tools I thought I already knew how to use.
Well worth my time.” – Frank Giachino, Rechitel

SANS Stay Sharp Program is bringing hands-on practical training right
to you! Don’t miss out on this great opportunity to build and maintain
your technical skills. We hope to see you there!

How do you put out a fire? You aim at the base

I just finished a post at my Computerworld blog about grassroots security. Basically, I am talking about securing the Internet by securing the typical user. So now, I am going to say much the same thing, but I am going to use a different metaphor. It is in the title, but I will draw it out a bit here.

Have you ever worked at an organization that takes safety seriously? Or have you ever been a firefighter? What is one of the things they teach you about putting out a fire? That’s right – you aim at the base of the fire. Spraying water at the tips of the flames doesn’t do jack!

So this is what the Security Catalysts group is all about. A part of that initiative (actually, a really BIG part) is teaching the regular user what is going on with security and how they can secure themselves and help secure the community. So, starting out this initiative is Michael Santarcangelo’s first production of a series of vidcasts called the Family Security Series.

This is a very important first step in a very important project. Please think about ways you can help this effort, even if it is a local and independent movement. But I would also ask you to consider joining the Security Catalyst forums so we can pool our efforts. And even think about applying to join the Trusted Security Catalysts as well. It doesn’t cost anything. All you need is a good security background and a passion for security.

We are trying to make a difference. Consider joining the team.


Confidentiality, Integrity, and AVAILABILITY

So Determina released an advisory about a bug they found in IE in Vista. They ran a simple ActiveX fuzzer against it, and it crashed. They were surprised that it worked, and so am I. However, that is not the whole story.

When they mentioned the problem to MSFT, Microsoft came to the conclusion that it is just a stability problem and not worthy of fixing in a security release. Determina agreed, as this statement in the advisory shows:

We have confirmed that this issue can be used to cause the instance of Internet Explorer to exit when viewing the specially crafted Web page. We have confirmed that there is no possibility to use the bug to do anything beyond that, e.g. execute code.

As such it is more along the lines of a stability issue and would be treated along similar issues reported into Microsoft using the Online Crash Analysis system.

OK, this just befuddles me. Since when did people start ignoring the “A” in the CIA Triad? Availability is essential to security. I made this point in an email discussion thread I am currently involved in:

Microsoft complained that the flaws HD Moore found in IE were stability problems and merely resulted in crashes rather than actual vulnerabilities. Remember the CIA triad, people. Confidentiality, Integrity, and AVAILABILITY. If a company relies on web applications for its livelihood, you can bring said company to its knees if you make IE unavailable. It is still a security problem.

Any stability problem deserves to be classified as a security problem if the possibility of denying access to data or services exists. And there are many companies out there that rely on web services for their livelihood.

Microsoft, FIX IT!

Determina, go take a class in security.



In training today and tomorrow

I will be in training today and tomorrow on Bluecoat.

I am impressed thus far, but I am having some serious trouble staying focused because I keep getting calls on the RFP I posted about yesterday.  Oh well, the life of a pre-sales SE.


A day in the life of a pre-sales security engineer…

I have decided to start putting down some of the day-to-day events with this new job.  I think it will actually help stir my mind to blog more since I have not been writing near enough lately.  So here goes.

I have actually been kinda bored since my recent job change.  Though I have been getting in contact with our vendor partners and getting set up for training on products, the real action is out there selling and designing and proposing.  I really want to get thrown into the fire.

Part of the reason I’m not out there yet is we do not have a sales person dedicated to the Houston market.  We need someone badly because the guy selling in Houston is based in Dallas, and he has a lot to do up there as well as down here.  However, he finally got down here today, and it got crazy quickly (be careful what you ask for).

The sales guy flew in at 9am this morning at IAH (Houston Intercontinental), but he didn’t get in my car (I was chauffeur today) until 9:25am, and we had an appointment in SW Houston at 10am.  For those of you who know Houston, IAH is on the far north side of Houston, and Houston is BIG.  I made the trip in about 25 minutes, which I was proud of.

Anyway, the talk was basically an introduction to Accuvant and what we could offer.  This was my first real meeting with the sales pitch thrown to a client, so I learned a lot (I learned even more through the day).  But to be honest, I think of the term “sales pitch” as negative.  What we did today was, technically, selling Accuvant.  However, Accuvant really has differentiated itself quite a bit from most “security” companies because of the unique approach to the industry.  I have talked about it before, but Accuvant just seems to do things right.  Yes, there are always going to be internal problems, but Accuvant just seems to be a company that takes customers seriously and at face value.  We don’t want to walk in and just sell a box then walk out until it’s time for a maintenance renewal.  We want to partner and grow with our clients, and this is no BS.  I am really impressed by Accuvant, and I know this company is going to succeed even more in the coming years.

OK, sorry.  Anyway, the meeting went well.  We have some strong offerings in compliance and assessment, and the client seemed to take to that well (we were talking to IT risk manager and audit types, so they loved the ControlPath product we offer for keeping track of compliance, risk, etc.).

The next client is looking at implementing Infoblox, which is a pretty sweet product in my estimation.  Infoblox offers simple and secure DNS, DHCP, IPAM, and RADIUS services in an appliance.  I have seen the box and how it works.  It is very simple.  Many companies are replacing their Microsoft-based DNS, DHCP, and RADIUS with this product, and I am seeing some great results.

The next client was a partial introduction – I had previously worked at this client, so the intro was more for the sales guy and Accuvant in broader terms.  They are a property-management company who deals almost exclusively with apartments.  They are looking at wireless access for their tenants in new complexes, which is going to be fairly daunting for a lot of reasons that I won’t get into.  Suffice it to say that they want a lot for little.

So after that client, we went to an established client that is looking into SIM / SEM (some call it SIEM) for capturing very specific events in remote offices and centralizing them at corporate (insert Rothman negative comment here).  We are putting Network Intelligence in front of them for the scalability and sheer EPS (events per second).  To put it simply, I like this product.  I might get into that at a later date.

Anyway, we left that client, located in Downtown Houston, at almost exactly 5PM.  Not a good time in Houston.  The sales guy’s plane left at 7pm, so, needless to say (but I am going to say it anyway), we were a bit rushed.  However, we found out after we got on the road that, due to a LOT of storms down here today, his flight was delayed for over an hour, so we calmed down.  Then, wouldn’t you know it, we still made it to the airport in plenty of time for the original flight time.  I guess being relaxed during the drive helped me just go with the flow better, so driving was a lot quicker than I expected.

So, that’s my day.  It was very busy and crazy, but I finally got in the mix.  I have a lot of “action items” from these meetings, so that is going to help me get even more familiar with the products we sell.  These meetings also helped me get down our philosophy (I think that sounds better than “sales pitch”), so I will be better prepared for future meetings with clients (especially since I know I will be mostly on my own until we get a sales person down here).  Things are starting to pick up, so I got out of the house, and I am glad for that.  I love my wife and kids, and they love me (or so they tell me), but we are all getting a little tired of each other right now!

More later.


On the SSAATY Podcast – Selling Security UP!

I forgot to mention that I was a guest panelist on Alan Shimel’s SSAATY podcast last night.  This was a great panel.  I had a great time, and I think we really hit some key points and offered some solutions to security admins and managers out there that need some help selling security to execs.

The panel consisted of yours truly along with Martin McKeay (Network Security Blog, ComputerWorld), Bobby Dominguez (Sykes) and Mike Rothman (SecurityIncite, NetworkWorld).  It was hosted by Alan and Mitchell, two of the best podcast hosts I know, and though I have never met either face to face, I know they are both good guys.

One person that was scheduled but ran into some emergency security management duties was Michael from  I understand why he couldn’t be there, but I really missed his insight.  I would have loved to hear some of his horror stories.

BTW, I was VERY impressed by Bobby Dominguez.  I have never talked to Bobby, but I figured out very quickly that he has a vast amount of experience, expertise, and just plain ol’ smarts.  You REALLY need to listen to this guy.  Hopefully he will start a blog soon himself.  He has a lot to offer the community.

Martin is always good to have on a discussion like this because he has a lot of experience in this area.  He never ceases to impress.

And Mike Rothman, well…, he’s Mike.  What else need be said?  And we actually agreed on something in the podcast, if you can believe it!  Actually, Mike and I agree on a lot of things.  We just like to disagree to make it exciting.

And of course, there’s me.  ‘Nuff said! 🙂

Anyway, the podcast should be up soon.  Go look for it in the next few days at Alan’s blog.