Fine, fine. I'll do this year's training my damned self.
Hello, and welcome to your company's oh-so-very-shitty Security Awareness Training. I'm Chief Cloud Economist Corey Quinn of the Duckbill Group, today I'm your Acting CISO while your actual CISO is out finding which bars are open at 9:30 in the morning, and I'll be delivering this training for you because I was absolutely NOT the lowest bidder.
Thread begins here...
The whole point of security awareness is to protect company information. That's what they say, anyway.
Here in reality we're going to reference back to the things I spew at you rapid fire and blame you for our institutional shortcomings once we get breached. As your company's CISO, the most unkind yet accurate adjective people will ever apply to me is "ablative."
Confidentiality is important. Assume that people will read what you write. I know, it's a heavy lift for some of you who haven't figured out that the failure mode of "being clever on the internet" is "being a huge asshole," but pretend it'll be read.
In open court.
By a sobbing child.
Who's somehow on your Board of Directors.
Don't share private information.
Information should be presumed private until demonstrated otherwise. Don't assume that someone emailing you is who they claim to be. And don't insist on GPG signed email unless you never want to receive email again--wait.
WAIT.
brb generating a GPG key.
You probably also don't want to install a bunch of sketchy apps, browser extensions, or weird trinkets from dodgy vendors. If you're unsure, ask someone steeped in that area.
If they're rude dicks to you ("I work in infosec" being an unfortunately accurate early warning sign), pivot immediately to plotting their downfall instead and find a better trusted source.
You'll deal with a lot of information. Some of it is confidential. Some of it is public. If you're unsure, default to assuming confidential; it's less unfortunate for you that way.
The truth is, it's nearly impossible to listen your way into trouble, whereas running your big dumb mouth is going to end in tears before bedtime.
Be wary of phishing emails. Why's that? Because we collectively suck at computers to the point where you clicking the wrong link can take down Maersk for months, but somehow we're going to act like that's your fault.
If it's important and urgent, it shouldn't be an email out of hours.
Unusual senses of urgency, a CEO suddenly unclear how to spell their own name, and instructions to do things out of the ordinary are red flags unless your company is owned by Elon Musk.
Ask the requestor for confirmation on Slack, Teams, or some other side channel before doing something ill-considered. Delays are always better than mistakes.
If your boss texts you to buy some iTunes giftcards or whatnot to deal with a client emergency, it's either a phishing attack or you work for some kind of moron and you should find another place to be immediately.
The one time I had to have someone buy a whole mess of Amazon gift codes (for re:Invent swag) I told them to do it in person and explained my logic. Next year I'll do Google Cloud credits if AWS doesn't want to play ball...
Physical security is important. You're an accountant who's 5'4" and 105 lbs soaking wet, but you're somehow expected to stop and aggressively interrogate anyone who attempts to follow you into a secured area since the company can't afford security guards after paying my usurious fee for this presentation?
This is fantasyland horseshit that will not happen here in reality.
Some companies require staff to wear badges. This is where the terribleness of scale starts in many places. My choice is usually to leave before companies get that big. If you make different choices, don't share badges with colleagues.
Oh, and I don't care that you work at Google; nobody thinks you're cool for wearing your badge in public. It's not a fashion accessory, it's a cry for help.
That said, many of us are remote these days, so "physical security" takes on a different context. It's your home, I'm not fool enough to tell you how to live your life there.
If someone is, begin plotting their downfall while making plans to destroy their home life instead. Boundary issues can absolutely cut both ways.
Data privacy is super important. Maybe keep the sensitive customer data contained to a small place, and if you don't need it, don't collect it?
People get upset when you leak their info--particularly if they didn't choose to give it to you in the first place, Facebook.
Some places tell you not to use "unapproved software." And you're never to do any personal work on company machines.
Be certain to raise your hand and ask permission before going to the bathroom if that's your workplace.
I spent too long in IT seeing pictures of employees that I wish I could burn out of my brain to believe that anyone obeys this rule, so let's stop pretending otherwise.
If your company asks you to install their corporate spyware on your personal device, the correct answer is "LOL no." If it's that important that they reach you at all times (spoiler, it is not or they'd staff multiple shifts), they can give you a corporate phone, laptop, and car.
Forget to charge all of these should you want a moment of peace.
No one is going to email you to give you money, sell you reputable pharmaceuticals, or blackmail you. No, they didn't watch you flog your dolphin via your webcam, and no they will not send video of it to your friends and family unless you pay them. (If someone ever gets a video of me flogging my metaphorical dolphin, my greatest fear will be them releasing it to the public without letting me narrate it first.)
If someone somehow does get compromising video of you, narrate it.
These scams invariably involve cryptocurrency, the trusted nightmare scam currencies of grifters everywhere. Just like the VISA logo demonstrates security and convenience, cryptocurrency demonstrates you're about to be bamboozled out of a bunch of money.
It's 2023; the grift is obvious by now.
Make sure that your computer hard drives have full disk encryption turned on; it's the difference between "your company has to replace a $2K laptop" and "your company is now in the headlines."
Increasingly you have to go out of your way to NOT do this.
Use multi-factor authentication, like a Yubikey. When pressed for time, you can whack the button on the device to let it name an AWS service right before it launches.
Failing that, an email code, an authy or similar time based code app, or at last resort an SMS or phone call will suffice.
Use a password manager because you're bad at passwords. Trust me on this one. I like 1Password but there are lots of others that are absolutely not LastPass that are well respected.
If your password manager is reluctant to fill in your password on a site, believe it. Similarly, it's very hard to be conned out of a password you don't actually know.
You should know fewer than three to five passwords yourself.
"My data is sensitive so it shouldn't live in a cloud provider" is naive in the extreme. They are better at protecting data than you are unless we're talking about Azure in which case all bets are off; those people apparently do not give a SHIT about cloud security.
The rest are great at it, whereas your datacenter's nighttime security guard is out drinking with your usual CISO and forgot to lock the door on their way out.
Don't share credentials with other people. They can get their own account. If your supervisor demands your credentials, be sure to get the request in writing first; the odds are terrific that a bunch of money is going to go missing and you're about to be the prime suspect.
Protect corporate money so it can instead be lost to a scam that starts with a "Contact Us" button on a pricing page, and ends with an enterprise sales team and a PowerPoint presentation.
This is the part where many companies will start emailing you fake phishing tests. This leads to just wonderful relationships between colleagues; I don't recommend doing it unless you're looking to nurture a culture of backstabbing and character assassination.
Personally I find it easier to just go work for some shithead founder's first startup.
@Quinnypig I have a question.
Is there some sort of trick to know when I'm getting a fake phishing test from security consultants using email on work's domain name, where if I respond I'll get fired, and when I'm getting totally legitimate emails from a service that the HR/Accounting/Marketing departments just started using to send surveys from some bonkers domain and if I don't respond I'll get fired?
@Quinnypig @sean This is the correct answer.
The only one I ever bit on was a phishing test *from our own domain.* This is in scope only for enormous idiots.
@mav @Quinnypig @sean my team has a security channel in Slack where members of sec-eng hang out. It's pretty common to see sketchy-looking emails posted there for advice.
I guess what I'm suggesting is use an out of band method to verify it.
@jamie You do make a good point, though; it's all rigged and inconsistent. I had a credit card get compromised last year. I hung up on their robocalls 3 times before I had to call (the number on my card) to find out what was going on.
"Why didn't you authenticate with our automated service?"
"Because it's indistinguishable from a phishing attack?"
"Oh, so you thought it was fake?"
"Well, how was I supposed to tell if it was fake or legit?"
"Okay. I'll write down 'confused'."
"🙄"
@sean @jamie Someone claiming to be from a pharmaceutical company called me and began asking for personal information. I told them I wasn’t going to give them information until they told me what it was in reference to, but they couldn’t tell me that until they confirmed my info. We went around like this for a bit, and then I said I would call them back after talking with my doctor.
It turned out to be a legit call. One of my doctors had them call me but failed to tell me to expect a call.
@ramsey @jamie My bank used to call me about a periodic payment registration problem I was having.
Their automated system would regularly call and ask me to authenticate. One of the options was multiple choice postal codes. "Press 1 if it's x, press 2 if it's y, 3 if it's z." It was 3 choices and I had 2 tries per call. I got it wrong twice on purpose. The next call they gave me the SAME 3 choices. So I authenticated with the information they'd given me.
My *BANK*.
Someone signed off on this.
@sean Roll the dice and see what happens... Seriously, though, just email HR and say "Are you serious with this phishy email?"
@Quinnypig I followed the advice from the *last* security training and made sure to never let anyone tailgate me through the office door. Now I've got a meeting from HR about "slamming the door in the CISO's face" and "laughing at him from the other side of the glass."
Anyway, how would you recommend I go about reporting HR for unsafe security practices?
@Quinnypig somehow I heard your thread on the so g beat from "everybody's free to wear sunscreen"
Brilliant training
@Quinnypig I still think there's value in these IF they're done correctly (most don't.)
Unsurprisingly to anyone who's ever had a dog, positive reinforcement helps. Make it a contest and give out prizes to people who report those phishing test emails.
@Quinnypig We screen shot that share the stupid phishing emails with other IT people and laugh about how horrible these tests are.
Especially funny when you check the registry information for the domains some of the phishing test companies use.
Not everyone is savvy, though, so a couple people are singled out and yelled at. The whole phishing testing thing is fishy.
@Quinnypig Any way, the easy solution to "fake phishing tests" is never to read emails on your own.
My colleagues already know that if they write me an email, it makes sense to bump in a secondary channel like Slack ("BTW, have you already read the email about …") or the daily ("Might it be that you missed my email?").
Perfect immunity to phishing emails.
@Quinnypig I work in .edu, where character assassination and backstabbing predated simulated phishing attempts by several centuries.
...and yes, the simulated phishing attempts began here in 2019. The Backstabbiness Meter barely ticked up, but ticked up nonetheless.
@sigi714 Fascinating; I don't believe that our policy does.
I'd auto-filter based upon the headers that let it bypass the spam filters, but that's just me being subversive again.
Jokes on you.
My most important accounts use impossible to remember passwords that are stored offsite and are cumbersome to use.
Jumpercable be damned
@jack @Quinnypig my take on that is a password manager in a very convenient place to keep those, and if it increases usage of MFA, it’s probably worthwhile.
If you have something that’s super sensitive, and you’d be worried that anyone accessing your passwords could do further damage, then consider keeping those separate.
I’m 😎 because my bank only allows SMS two factor so this isn’t a problem. 😢
Corey Quinn
Sean Coates
0xC0DEC0DE07EA
Matt Blank
mav 
Mike Garuccio
smartwatermelon 
Jamie Booth
Ben Ramsey
I AM BANKSY ☕ / 🗑🔥
Eli the Bearded
problemuser
Ysegrim
Colin
Locksmith
Ben Aveling
Kevin Highwater
hayden aiken 🇺🇲
Angela Glansbury 🚽
Andreas K
Danyd
Angie B
Ґрeйсі Джейн 🏳️⚧️ (Quuxum)
sigi714
Arclight
George William Herbert
青い暗闇
kieran
Skritch Monster Collie
Dennis Faucher 
Jesse Harris
Jack Scott
Space Invader