was asked a really interesting question in an interview yesterday: given a budget, which areas of security spending produce the greatest and worst (or negative) ROI?
my answer:
positive: SSO/OAuth, hardware keys
worst: DAST, DLP, honorable mention to poorly configured IDSes
what’s your answer?
Posted by april@macaw.social
@april kinda surprised "patching / update enforcement" wasn't in your "so cheap it should be illegal" positive side
Posted by mikeymikey@hachyderm.io
@mikeymikey that’s a good one too. i’ve never really had to buy it (at least for the client-side) since it’s usually something owned by IT and not security.
on the code and server side, the products available are certainly a mixed bag.
Posted by april@macaw.social
@april positive : yearly security training, SAST, SCA, patching
worst: random phishing "tests"
Of course, in order to get a lot of those positives, you need proper policies with enforcement. SAST/SCA can be a huge plus, but only if their use is enforced.
Posted by XenoPhage@infosec.exchange
@XenoPhage
@april
That's odd. I haven't been on the IT/cybersecurity career path for over a decade now, but as a user with SOME background in the field, I thought the phishing tests at my company have been very good outreach to users about taking security threats seriously.
I'm guessing our disagreement stems from a difference in perspective, so I'm curious to hear more about your thoughts on the practice.
I do know that a couple of my phishing attempt reports have gotten exasperated "This is official communication from our company..." in response, to which my obvious retort is "Then why does our official communication look so much like phishing?"
Posted by squeakyears@meow.social
@XenoPhage
@april
In other words, don't automatically send out emails of the form, "Hey, there's an important new policy that you need to know about! Click here to learn more: "
Posted by squeakyears@meow.social
@squeakyears @XenoPhage phishing exercises erode people’s trust in their security departments while also providing dubious long-term benefits of any kind.
Posted by april@macaw.social
@april @squeakyears @XenoPhage It’s a fool’s errand to think that “getting good at spotting phishing” is something to aspire to. It only sets folks up to fail given that normal legit comms are often more sketchy looking that actual phishing emails. Semi-hyperbolically, my phishing training slide (singular) would be:
Posted by ptoomey3@mastodon.social
@ptoomey3 @april @squeakyears @XenoPhage Strong agree with every word Patrick said.
Posted by rmondello@hachyderm.io
@rmondello @ptoomey3 @april @squeakyears ditto. Additionally, I've had incredible success with security awareness training (including what phishing/smishing/etc. is), but skipping over the part where we intentionally try to trick our employees. Instead, I replaced that with positive reinforcement for literally anything reported and a willingness to teach wherever needed.
Posted by XenoPhage@infosec.exchange
@squeakyears @XenoPhage @april
You can train people to be good at the game of "spotting emails from our training partner", but in my experience that doesn't translate very well into real-life situations.
If you are interested in the literature, check these:
Benjamin Reinheimer et al., An investigation of phishing awareness and education over time: When and how to best remind users, 2020
Daniele Lain et al., Phishing in Organizations: Findings from a Large-Scale and Long-Term Study, 2021
Posted by weddige@gruene.social
@squeakyears @XenoPhage @april in summary: most people forget really quickly (repeat every 4-6 months), some people never learn, and the exercises even have negative side effects.
My recommendation: basic security awareness ("bad people exist"), crowd-sourcing the phishing detection (a report phishing button and someone who reacts to the reports quickly) and every technical way that helps that your users don't even have to deal with phishing themselves.
Posted by weddige@gruene.social
@weddige @squeakyears @april Yes, totally agree here.
Posted by XenoPhage@infosec.exchange
@weddige @squeakyears @april I might also add here, if you're going to retrain every 4-6 months, change the training format! Don't keep throwing the same videos at them, they'll just learn to tune them out. Gotta keep it fresh.
And a regular cadence (once a month is more than enough) of security-specific emails helps as well. Short, simple, tips-style emails. Don't turn it into a long-winded mailing list.
Posted by XenoPhage@infosec.exchange
@april
Maybe not qualified enough opinions, ops background with security interest instead of working fully in the field. But:
Greatest: unattended-upgrades or otherwise fully automating installing security updates. Positive both for security and for ops.
Worst: Working with and certifying for a heavier framework than the business warrants (e.g. ITIL, 27000, etc., for a small shop where failure means "mildly inconveniences a moderate number of people").
Posted by maswan@mastodon.acc.sunet.se
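As an added example of the "fully automating security updates" item above (not code from the thread or from any poster): a minimal Debian/Ubuntu unattended-upgrades setup restricted to the security pocket, written as a shell function so the fragments can be previewed in a scratch directory before they go to /etc/apt/apt.conf.d. The origin string assumes Ubuntu-style naming; on Debian the security origin is spelled differently (see the comment).

```shell
#!/bin/sh
# Added example, not from the original thread. Writes the two apt.conf.d
# fragments that turn on unattended security updates, into the directory
# given as $1 (default /etc/apt/apt.conf.d) so they can be inspected first.
# Assumption: Ubuntu-style origin names. On Debian, replace the
# Allowed-Origins entry with
#   "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
set -eu

write_unattended_config() {
    dir="${1:-/etc/apt/apt.conf.d}"
    mkdir -p "$dir"

    # Run the periodic apt jobs: refresh package lists daily, then apply
    # unattended upgrades and autoclean the cache weekly.
    cat > "$dir/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
EOF

    # Only take packages from the -security pocket (not the full release
    # pocket), drop orphaned dependencies, and reboot inside a maintenance
    # window when a kernel or libc update requires it. The ${distro_*}
    # placeholders are expanded by unattended-upgrade itself, so the heredoc
    # is quoted to keep the shell from touching them.
    cat > "$dir/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "03:30";
EOF
}

# Returns success only if both fragments are present, the periodic upgrade
# job is enabled, and the allowed origins are limited to a -security pocket.
check_unattended_config() {
    dir="${1:-/etc/apt/apt.conf.d}"
    [ -f "$dir/20auto-upgrades" ] && [ -f "$dir/50unattended-upgrades" ] &&
    grep -q 'APT::Periodic::Unattended-Upgrade "1"' "$dir/20auto-upgrades" &&
    grep -q -- '-security' "$dir/50unattended-upgrades" &&
    ! grep -q -- '-updates' "$dir/50unattended-upgrades"
}

# Usage as root, after reviewing the fragments in a scratch directory:
#   write_unattended_config && unattended-upgrade --dry-run --debug
```

The dry run prints which packages would be installed and from which origin, which is the quickest way to confirm that the Allowed-Origins filter matches the mirror's actual origin and codename labels before relying on it.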
@april I think it depends a bit on where you start from and how big the budget is with respect to what would be necessary.
For example, pentests can have a great ROI if and only if you already have some baseline and the budget to fix the findings that will inevitably come up.
If the budget is extremely tight, it may be best to do nothing (new) and instead give your admin(s) some slack to catch up on their day-to-day tasks.
Posted by weddige@gruene.social
@april pentests without the budget to fix any of the findings might be an example of a negative ROI: You have the same problems as before, but now more people (including your own employees, who got the report) know about them.
Posted by weddige@gruene.social
@april best: org specific tweaks on existing stuff
Worst: buy and forget
Posted by buherator@infosec.place
@april
Best: password manager, fido
Worst: most endpoint protection software
Posted by jschauma@mstdn.social
@april
Great question, and great answer.
On the good side, I'd add company wide license for password manager (yes, in addition to SSO/hardware keys, which are also an excellent investment) and funding/process for an updated and current asset inventory, with responsible businesses and technical owners.
Yes, this is a security feature. :-)
Posted by pseudonym@mastodon.online
@april "turning old/little used stuff off & migrating people to your current systems".
Posted by bert_hubert@fosstodon.org
@april @pseudonym this is a great post — can it be redone with an expansion of the initials?
Posted by whophd@ioc.exchange
@april I'm curious, why DAST on the negative list? Just poor results compared to amount of money spent or other reasons?
Posted by thepwnicorn@infosec.exchange