Ancestors

Written by April King on 2024-12-10 at 16:08

I was asked a really interesting question in an interview yesterday: given a budget, which areas of security spending produce the greatest and worst (or negative) ROI?

my answer:

positive: SSO/OAuth, hardware keys

worst: DAST, DLP, honorable mention to poorly configured IDSs

what’s your answer?

=> More information about this toot | More toots from april@macaw.social

Written by XenoPhage :verified: on 2024-12-10 at 16:17

@april positive: yearly security training, SAST, SCA, patching

worst: random phishing "tests"

Of course, in order to get a lot of those positives, you need proper policies with enforcement. SAST/SCA can be a huge plus, but only if their use is enforced.

=> More information about this toot | More toots from XenoPhage@infosec.exchange

Written by squeakyears on 2024-12-10 at 16:50

@XenoPhage @april

That's odd. I haven't been on the IT/cybersecurity career path for over a decade now, but as a user with SOME background in the field, I thought the phishing tests at my company have been very good outreach to users about taking security threats seriously.

I'm guessing our disagreement stems from a difference in perspective, so I'm curious to hear more about your thoughts on the practice.

I do know that a couple of my phishing attempt reports have gotten exasperated "This is official communication from our company..." in response, to which my obvious retort is "Then why does our official communication look so much like phishing?"

=> More information about this toot | More toots from squeakyears@meow.social

Toot

Written by April King on 2024-12-10 at 18:24

@squeakyears @XenoPhage phishing exercises erode people’s trust in their security departments while also providing dubious long-term benefits of any kind.

=> More information about this toot | More toots from april@macaw.social

Descendants

Written by Patrick Toomey on 2024-12-10 at 21:39

@april @squeakyears @XenoPhage It’s a fool’s errand to think that “getting good at spotting phishing” is something to aspire to. It only sets folks up to fail given that normal legit comms are often more sketchy looking than actual phishing emails. Semi-hyperbolically, my phishing training slide (singular) would be:

=> More information about this toot | More toots from ptoomey3@mastodon.social

Written by Ricky Mondello on 2024-12-10 at 21:43

@ptoomey3 @april @squeakyears @XenoPhage Strong agree with every word Patrick said.

=> More information about this toot | More toots from rmondello@hachyderm.io

Written by XenoPhage :verified: on 2024-12-11 at 00:00

@rmondello @ptoomey3 @april @squeakyears ditto. Additionally, I’ve had incredible success with security awareness training (including what phishing/smishing/etc. is), but skipping over the part where we intentionally try to trick our employees. Instead, I replaced that with positive reinforcement for literally anything reported and a willingness to teach wherever needed.

=> More information about this toot | More toots from XenoPhage@infosec.exchange

Proxy Information
Original URL
gemini://mastogem.picasoft.net/thread/113629925689777968