Fine, fine. I'll do this year's training my damned self.

Hello, and welcome to your company's oh-so-very-shitty Security Awareness Training. I'm Chief Cloud Economist Corey Quinn of the Duckbill Group, today I'm your Acting CISO while your actual CISO is out finding which bars are open at 9:30 in the morning, and I'll be delivering this training for you because I was absolutely NOT the lowest bidder.

Thread begins here...

The whole point of security awareness is to protect company information. That's what they say, anyway.

Here in reality we're going to reference back to the things I spew at you rapid fire and blame you for our institutional shortcomings once we get breached. As your company's CISO, the most unkind yet accurate adjective people will ever apply to me is "ablative."

Confidentiality is important. Assume that people will read what you write. I know, it's a heavy lift for some of you who haven't figured out that the failure mode of "being clever on the internet" is "being a huge asshole," but pretend it'll be read.

In open court.

By a sobbing child.

Who's somehow on your Board of Directors.

Don't share private information.

Information should be presumed private until demonstrated otherwise. Don't assume that someone emailing you is who they claim to be. And don't insist on GPG signed email unless you never want to receive email again--wait.

WAIT.

brb generating a GPG key.

You probably also don't want to install a bunch of sketchy apps, browser extensions, or weird trinkets from dodgy vendors. If you're unsure, ask someone steeped in that area.

If they're rude dicks to you ("I work in infosec" being an unfortunately accurate early warning sign), pivot immediately to plotting their downfall instead and find a better trusted source.

You'll deal with a lot of information. Some of it is confidential. Some of it is public. If you're unsure, default to assuming confidential; it's less unfortunate for you that way.

The truth is, it's nearly impossible to listen your way into trouble, whereas running your big dumb mouth is going to end in tears before bedtime.

Be wary of phishing emails. Why's that? Because we collectively suck at computers to the point where you clicking the wrong link can take down Maersk for months, but somehow we're going to act like that's your fault.

If it's important and urgent, it shouldn't be an email out of hours.

Unusual senses of urgency, a CEO suddenly unclear how to spell their own name, and instructions to do things out of the ordinary are red flags unless your company is owned by Elon Musk.

Ask the requestor for confirmation on Slack, Teams, or some other side channel before doing something ill-considered. Delays are always better than mistakes.

If your boss texts you to buy some iTunes giftcards or whatnot to deal with a client emergency, it's either a phishing attack or you work for some kind of moron and you should find another place to be immediately.

The one time I had to have someone buy a whole mess of Amazon gift codes (for re:Invent swag) I told them to do it in person and explained my logic. Next year I'll do Google Cloud credits if AWS doesn't want to play ball...

There's usually a sense of urgency behind phishing attacks (frequently out of hours), because they don't want you thinking clearly. You will not be threatened in an email by your colleagues at any reasonable workplace. If you are, you have better options. Begin plotting their downfall and your next career move.

Physical security is important. You're an accountant who's 5'4" and 105 lbs soaking wet, but you're somehow expected to stop and aggressively interrogate anyone who attempts to follow you into a secured area since the company can't afford security guards after paying my usurious fee for this presentation?

This is fantasyland horseshit that will not happen here in reality.

Some companies require staff to wear badges. This is where the terribleness of scale starts in many places. My choice is usually to leave before companies get that big. If you make different choices, don't share badges with colleagues.

Oh, and I don't care that you work at Google; nobody thinks you're cool for wearing your badge in public. It's not a fashion accessory, it's a cry for help.

That said, many of us are remote these days, so "physical security" takes on a different context. It's your home, I'm not fool enough to tell you how to live your life there.

If someone is, begin plotting their downfall while making plans to destroy their home life instead. Boundary issues can absolutely cut both ways.

Data privacy is super important. Maybe keep the sensitive customer data contained to a small place, and if you don't need it, don't collect it?

People get upset when you leak their info--particularly if they didn't choose to give it to you in the first place, Facebook.

Some places tell you not to use "unapproved software." And you're never to do any personal work on company machines.

Be certain to raise your hand and ask permission before going to the bathroom if that's your workplace.

I spent too long in IT seeing pictures of employees that I wish I could burn out of my brain to believe that anyone obeys this rule, so let's stop pretending otherwise.

If your company asks you to install their corporate spyware on your personal device, the correct answer is "LOL no." If it's that important that they reach you at all times (spoiler, it is not or they'd staff multiple shifts), they can give you a corporate phone, laptop, and car.

Forget to charge all of these should you want a moment of peace.

If you find random USB sticks, don't plug them into a computer. Holy hell, are you new here or something? You should also be sure not to jam a fork into a power outlet, or eat Surprise Snacks you find on the city bus.

No one is going to email you to give you money, sell you reputable pharmaceuticals, or blackmail you. No, they didn't watch you flog your dolphin via your webcam, and no they will not send video of it to your friends and family unless you pay them. (If someone ever gets a video of me flogging my metaphorical dolphin, my greatest fear will be them releasing it to the public without letting me narrate it first.)

If someone somehow does get compromising video of you, narrate it.

Seriously; this is the kind of email that shows up. If it were real they'd include a screencap, or at least an incriminating detail ("you scream your own name at orgasm?!") to prove it's real.

These scams invariably involve cryptocurrency, the trusted nightmare scam currencies of grifters everywhere. Just like the VISA logo demonstrates security and convenience, cryptocurrency demonstrates you're about to be bamboozled out of a bunch of money.

It's 2023; the grift is obvious by now.

Make sure that your computer hard drives have full disk encryption turned on; it's the difference between "your company has to replace a $2K laptop" and "your company is now in the headlines."

Increasingly you have to go out of your way to NOT do this.
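The red flags from the phishing, gift-card and sextortion posts above (exec display name from an outside domain, manufactured urgency, out-of-hours delivery, gift-card requests, a Bitcoin address plus blackmail language), turned into a small triage script. This is an added example, not part of the original thread: the corporate domain, executive names, keyword lists, business hours and weights are assumptions, and the three sample messages are constructed for illustration, not real mail.

```python
"""Heuristic triage for the mail patterns the thread complains about.

Scores a message against the red flags described above and says whether
it deserves an out-of-band check (Slack, phone, walking over) before
anyone acts on it. Everything configurable below is an assumption.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                  # assumed corporate domain
EXEC_NAMES = {"jane doe", "corey quinn"}     # assumed impersonation targets
URGENCY_WORDS = ("urgent", "immediately", "asap", "right now", "within the hour")
GIFT_CARD_WORDS = ("gift card", "gift code", "itunes", "google play")
THREAT_WORDS = ("friends and family", "i will send", "expose", "your reputation")
BUSINESS_HOURS = range(8, 19)                # 08:00-18:59 local, assumed
# Bitcoin bech32 (bc1...) or legacy (1.../3...) addresses; deliberately loose.
BTC_ADDR = re.compile(r"\b(bc1[02-9ac-hj-np-z]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")


@dataclass
class Message:
    from_header: str
    reply_to: str
    subject: str
    body: str
    received: datetime


@dataclass
class Triage:
    flags: list = field(default_factory=list)
    score: int = 0

    def verdict(self) -> str:
        # Two points is the assumed threshold for "go ask on a side channel".
        return "suspicious, verify out of band" if self.score >= 2 else "no red flags"


def triage(msg: Message) -> Triage:
    t = Triage()
    name, addr = parseaddr(msg.from_header)
    _, reply_addr = parseaddr(msg.reply_to or msg.from_header)
    from_domain = addr.rsplit("@", 1)[-1].lower()
    reply_domain = reply_addr.rsplit("@", 1)[-1].lower()
    text = f"{msg.subject}\n{msg.body}".lower()

    def flag(reason: str, weight: int = 1) -> None:
        t.flags.append(reason)
        t.score += weight

    # An executive's display name on mail that did not come from the company.
    if name.strip().lower() in EXEC_NAMES and from_domain != CORP_DOMAIN:
        flag(f"exec display name '{name}' from external domain {from_domain}", 2)
    # Replies quietly redirected somewhere other than the apparent sender.
    if reply_domain != from_domain:
        flag(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if any(w in text for w in URGENCY_WORDS):
        flag("manufactured urgency")
    if any(w in text for w in GIFT_CARD_WORDS):
        flag("gift card purchase request", 2)
    if msg.received.hour not in BUSINESS_HOURS or msg.received.weekday() >= 5:
        flag("received out of hours")
    if BTC_ADDR.search(msg.body):
        flag("cryptocurrency payment address", 2)
    if any(w in text for w in THREAT_WORDS):
        flag("threat / blackmail language")
    return t


# Constructed sample messages (not real mail). The BTC address is the BIP-173 example.
SAMPLES = {
    "bec": Message(
        "Jane Doe <jane.doe.ceo@mail.example>", "",
        "Urgent: need something done ASAP",
        "I'm in a meeting and can't take calls. Buy five iTunes gift cards "
        "for a client and send me the codes immediately.",
        datetime(2023, 9, 16, 21, 30),          # Saturday evening
    ),
    "sextortion": Message(
        "someone@mail.example", "",
        "Your account",
        "I recorded you through your webcam. I will send the video to your "
        "friends and family unless you pay 0.05 BTC to "
        "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq.",
        datetime(2023, 9, 20, 10, 0),           # Wednesday morning
    ),
    "legit": Message(
        "Jane Doe <jane.doe@example.com>", "",
        "Q3 planning deck",
        "Attached is the draft. Comments by Friday if you can.",
        datetime(2023, 9, 19, 10, 15),          # Tuesday morning
    ),
}


def run_samples() -> dict:
    """Triage every constructed sample; returns {name: Triage}."""
    return {k: triage(m) for k, m in SAMPLES.items()}


if __name__ == "__main__":
    for label, result in run_samples().items():
        print(f"{label}: score={result.score} -> {result.verdict()}")
        for reason in result.flags:
            print(f"    - {reason}")
```

The point of the weights is the same as the thread's advice: a single flag is a shrug, two or more means stop and confirm on a channel the sender did not choose. Keyword matching like this is easy to evade, so treat it as a prompt for the human check, not a replacement for it.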

@Quinnypig the only "least shitty cryptocurrency" is #Monero...
@Quinnypig This sentence made my day, thanks XD
I'll save it for anyone trying to make me use crypto!
@Quinnypig clearly the solution is to always narrate it, just in case

@Quinnypig not as obvious: the same thing can be true for everything with an USB plug attached to it, up to, and including, power cables.

We live in hell.

@nyanotech thank you I was just thinking about this one
@nyanotech @Quinnypig Ideally, you should plug random USB sticks into your work computer inside the SCIF.
@Quinnypig I plug them into unsecured USB ports in public all the time, why wouldn't I

@Quinnypig
In the Before Time, I was at a meetup and someone told a story about their company mandating corp malware on your personal phone if you wanted corp email.

Weeks later on a Monday morning, Jdoe tells IT "I lost my phone", but they wipe _K_doe's phone.

VP Kdoe. Who had taken pictures of their kids at an event over the weekend and hadn't backed them up yet.

KDoe comes to IT, breathing fire, and next day, corp policy changed about needing their malware on your personal device.

@Quinnypig +9001%

I go even further:
I refuse to use my personal IT assets for job-related tasks.

And if they don't want to provide me equipment, I'll bill them in advance for said devices that I'll only use for work with them.

And yes, I do set my phone to "unavailable / silent" outside paid work / standby time.

@Quinnypig The only business app I feel comfortable asking people to install on a personal device is a two-factor token. It generates some random numbers.

Even for corporate phones, I try to avoid enabling excess location features for devices carried by individuals. We didn't get the dang thing to collect everyone's location history.

@Quinnypig Extend this rule to freelance sites asking designers to download "Time-Tracker" screen-recording software to log billable project time… charging also optional 🤣

#spyware #privacy #API

@Quinnypig I can't believe some companies actually do this.
Wait, do you work for Amazon? That explains everything. I would get out ASAP if I were you.
Why I Turned Down an AWS Job Offer

I once turned down a job offer from AWS, who told me my reasoning was preposterous. Last week they did exactly what I was afraid of.

Last Week in AWS
@Quinnypig Smart move.
@Phracker2Art I fix the horrifying AWS bill for a living (www.theduckbillgroup.com) at my small consultancy, and in the off hours I make fun of AWS because I'm a walking personality problem: www.lastweekinaws.com
@Quinnypig I guess that's just one more reason to use Azure instead of AWS when I eventually get my own domain.
@Quinnypig now if YOU ask me to install spyware, I'd consider it.
@Quinnypig
If it's important to reach you at all time that costs extra!
@Quinnypig I will absolutely never be installing corporate spyware on my personal devices, even if I'm using my personal devices for work.
@stillalivestillsmiling The only time I've broken that restriction in my career is in my current role, wherein I both configure the spyware and own the company. This is very much an exception case...
@Quinnypig My 'work laptop' only comes out when I need a real physical ethernet port... I think I used it twice last year.
@Quinnypig @takelgryph Used to have access to my work email on my phone, but once they demanded we install one of these spy-ish softwares on it, I said "OK, I guess I just don't have email outside the building any more, fuck that noise" while I cringed at all of my coworkers going along with it

@Quinnypig Always figured those unapproved software things and no personal stuff on company devices, when combined with giving everyone admin rights is just a way to always have an excuse to fire someone.

"You logged into your spotify account on your work laptop that's against our policy. You're fired for gross misconduct."

@Quinnypig possible exception, perhaps of the "work somewhere else" variety:

If there is a real chance your work computer will be subject to discovery, and your IT department has detailed runbooks labeled "legal hold assets"

@Quinnypig Better Idea: Refuse to use #NSABook / #StasiBook and it's services in the first place!

We can't babysit #Ignorants and #TechIlliterates 24/7 - we've to lead by example!

@Quinnypig very true... legal and moral obligations require real thought around data architecture.

@Quinnypig my physical security in my home office is focused on keeping my cats away from my keyboard.

It's a real thing. #Space #Cats

https://www.theatlantic.com/science/archive/2020/04/nasa-cats-spacecraft-european-space-agency/610438/

Spacecraft Engineers Have to Worry About Cats Now

Operating a mission is a labyrinthian process from start to finish, with all kinds of checks and fail-safes along the way.

The Atlantic
@DataChick @Quinnypig glad I only have avians
@zippy1981 @Quinnypig Like they can't type.
@DataChick @Quinnypig I don't have time to socialize them to the point I'm comfortable taking them out of the cage, and they have no interest in escaping, probably due to the Labrador that made the previous owner give them away for free.
@zippy1981 @Quinnypig you also have spawn to protect keyboards from, right?

@DataChick @Quinnypig they generally prefer their own ThinkPads or my wife's surface.

They absolutely love to camera bomb my meetings, but they seem to have zero interest to touch anything on my desk besides my tchockes.

@Quinnypig Maybe want to add a footnote to this advising against going full Toobin on a work Zoom though.
@Quinnypig and some even make non-FTEs wear different colored lanyards…
@Quinnypig badges are a basic security practice in my opinion. However, it's a liability for the company logo to be on the badge. It shows people where they can use a badge if it gets lost or stolen, it points out what door it could be used on. So this would negate any perceived usefulness to wearing your company badge in public anyway.

@Quinnypig We are told NOT to wear our badges in public, as this makes us a target for evil foreign spies who will seduce us. The threat of Natasha Fatale hanging around a McD's in rural KY just in case someone walks in wearing a badge identifying them as working as a government contractor is VERY REAL, dammit!

Look, I can hope, right?

@LizardSF @Quinnypig "my work badge might get me laid?!?" "No, just roofied and dumped in an alley, if you're lucky."