tayalee.blogg.se

Inside out thought bubbles fear not working

That may sound suicidal to those who think hacking is attacking, but less so to those who think hacking is a mindset. Hollywood and the daily media are in the first camp: online attackers are at best amoral thrill-seekers, but mostly they're quasi-criminals bent on mischief or actual crime. Reg readers will be in the second camp, and rightly. Hacking as a mindset is characterized by curiosity, tenacity, imagination and the joys of discovery and invention. It's not a skill set, although it naturally evolves one. It is playful, pattern matching, and problem solving. Teaching people to think like hackers is better than teaching them to fear the bogeyman, in many dimensions.

The standard corporate approach to training non-infosec people to avoid phishing is to explain the principles, show some examples, perhaps run some faux phishing campaigns to shame those who don't "get it", and move on. Another chunk of that 80 percent gets wired in. It's much better to teach people how to write phishing emails. Lay out the principles of social engineering, and reward the best efforts.

It doesn't matter what technical skills or awareness people have; at the very worst they'll learn just as much as they would the traditional way. But some will start to think creatively about security. Most people just need basic awareness, and that's fine, but you can take the hacker mindset as deep as you like. Thinking about security in depth as a set of components that have to be hardened, tested and maintained is a whole heap of toil. Thinking about the kill chain, the pathway through a system that extracts the prize, is much more engaging. If you want to read the CEO's expense claims history, how would you go about it? Say that's not a lot more fun than asking how to protect the HR and finance systems, we double-dare you.

There are consequences to inculcating this mindset as widely as possible. You won't be able to fire people for poking around in your infrastructure, but you will be able to if they poke around, find something, and don't tell you. You'll need different rules, the sort external pen testers work by, about what to do when vulnerabilities are discovered, and how to behave responsibly when given that responsibility. It's an uncomfortable leap, offering vuln bounties in place of written warnings, but where would you be happier working?

The biggest risk might seem to be success, if you do find yourself with a lot of hackers on staff who've taught themselves far too much about your systems. That's best addressed by looking at the fraud triangle: people tend to commit fraud when three things line up: they're motivated (usually by some pressure), they have the opportunity, and they can rationalize what they're doing as not so wrong. Take away any one of the three and the insider threat shrinks accordingly.

The Reg takes the US government's insider threat training course.