John Opdenakker

2.2K Followers
132 Following
1.1K Posts
Infosec blogger & tooter | Cycling | Running | Enjoy life | Toots might contain traces of bad humor, sarcasm or irony | Takes your security seriously! Inquiries? -> contact me, more info at https://johnopdenakker.com/contact
Blog: https://johnopdenakker.com
Bluesky: https://bsky.app/profile/j-opdenakker.bsky.social
Twitter: https://twitter.com/j_opdenakker

The other day I saw someone ChatGPT'ed themselves. So I gave it a go myself.

It's never been easier to get information about someone in a matter of seconds. Amazing times we live in.

I'm quite satisfied with ChatGPT's summary.

How about yourself, happy about what you read?

I keep getting spam calls from France. It's been a massive influx for a few days now. Is anyone else experiencing the same?

I posted something on LinkedIn, might attract some phishing simulation vendor replies 😂

Any thoughts about this, agree or disagree? Let me know your thoughts

"I agree that security (awareness) training should be part of employee onboarding and an ongoing effort in your information security program, but...

...there's something that bothers me a little bit about it and how it's still perceived in the industry.

Phishing simulations are still often "sold" as a must-do activity or even far worse as the silver bullet.

If you believe phishing simulations will solve the phishing problem, it may be time to revisit that assumption.

They don't.

But hey, it's all about defense in depth, right?

Ok..., you can maybe reduce click rates and people might get used to reporting phishing content. So that's good right?

Well, it's still a simulation and doesn't tell you much about the click rate in real phishing attacks. The criminals always evolve their attacks; hopefully your simulated phishes can keep up with that (I'd guess they don't ;).

And will your people also report the more advanced real phishing mails? How trustworthy is your simulated report rate?

But let's assume it's all very positive: you can still never get the click rate to zero, so you need additional defenses anyway.

So you'd better assume your workforce will get phished, and if you have to prioritize where to put your money, invest instead in other technical controls that stop the attackers in their tracks.

Yes, do still teach people about phishing and how they can protect their professional AND personal accounts and data.

But also think very carefully about what you want to achieve with phishing simulation programs and whether it's worth your money."

https://lnkd.in/emq_n7iY

I applaud this initiative from the Pajottenland (Belgian) police.

They are sharing tips on bread bags to help people protect themselves against internet crime.

https://www.vrt.be/vrtnws/nl/2025/07/14/polite-waarschuwt-voorn-cybercriminelen-op-broodzakken-in-het-pa

Police warn about cybercriminals on bread bags in the Pajottenland | VRT NWS: news

In the Pajottenland, the local police are warning about internet crime. With the campaign "laat je niet in 't zak zetten" (don't let yourself get conned), the police give tips on bread bags.

VRT NWS

In case you're bored...

Unfortunately these stupid password complexity requirements are still very common.

https://neal.fun/password-game/

The Password Game

Please choose a password

NHS ransomware attack contributed to patient's death

An NHS trust in London confirms an unexpected patient death during the cyber attack on 3 June 2024.

I'm my own worst critic. It's tiring. Very tiring...

No matter how much I try to convince myself that "good enough" is okay, I still don't act like it most of the time.

I guess it's a long-time learning process.

Recognizable?

Dear network, I'm currently building out my side gig. If you are looking for some information security expertise or you know a company who does, please let me know.

I provide consultancy services, offering strategic and practical security advice tailored to your needs. Alternatively, we can target specific areas of your security posture, for example enhancing password and authentication security.

I have experience with creating and managing an ISO 27001 ISMS (including audits and certification) and all its corresponding clauses and controls. I lead a security champion and awareness program and I am involved in appsec programs and the corresponding security activities.

In any case, don't hesitate to reach out, we'll find out if there's a match!

Contact me via DM or johnopdenakker.com/contact/

Reposts appreciated!

People still alive and kickin' on this platform? Just let me know.

A sad state of affairs if you ask me. There's a lot of work to be done and job security for those in the application security field and information security in general.

And like in the article, poor tooling is often a reason that things don't improve like they should. Developer alert fatigue is real.

A lot of tools are really crappy. And often, instead of looking at which tool can best be integrated to support developers in secure coding, it's the other way round. Security tools become the goal instead of the means.

https://decrypt.lol/posts/2024/11/21/increase-in-leaked-secrets-reported-by-gitguardian-in-2023/

#infosec

Increase in Leaked Secrets Reported by GitGuardian in 2023

In 2023, GitGuardian reported over 12 million instances of leaked secrets in public GitHub repositories, highlighting a significant rise in sensitive information exposure among developers.

Decrypt LOL