A look at Security Theater and how it applies to modern security philosophy. Presented at the Oklahoma Information Warfare Summit #9, October 5, 2016.
9. Your Security Theater
• Get in their head
• Never stop learning
• If something works… DO IT!
Editor's Notes
The term Security Theater is often credited as being coined by Bruce Schneier to describe the Transportation Security Administration (TSA) and its practices. Through the years we have generalized it, but for the most part it is still based on the same principles. Essentially, these are practices that make people feel good about their situation through a series of processes. And I use "processes" because that is what they end up being. We give people the feeling that they are safe when flying by putting them through an overly bureaucratic process. People in essence feel secure because there are all these people doing things! And, bonus, they are all doing the same kinds of things. If I fly from Stillwater I will go through the same process as someone who flies out of Atlanta. This sameness makes us feel secure. It is familiar… Unfortunately, the formulaic mode we have come to expect does very little for actual security. If every TSA agent is taught to look for zebras, we just dye the zebra's hair black and suddenly it is "safe"…
This approach costs us a lot of money, and in the end we are getting very little for it. Many reports over the summer indicated failure rates as high as 95% in testing. That testing was not even doing anything as clever as dyeing zebras; it was walking zebras straight through the checkpoints. So, from a classical cost-benefit analysis, we are getting a really bad return on investment.
We put our faith in systems that feel good. We trust doors and gates to keep out the bad guys, who may not even think about the device. I will often go just to the side of a gate and look at the quality of the fence. Oftentimes it is not very good. When I teach escape and evasion I tell people who might find themselves locked in a typical office room to simply break through the wall. Sheetrock is easier to go through than a wooden or metal door…
We often spend large amounts of money on the latest, greatest locks. Again, the lock is only as good as the system that surrounds it, and even when all else is good, even the best physical locks have been picked by someone. What we end up creating is keyrings with tons of keys to be carted around.
Key pad or key cards? Better, right? High tech is always better… Unfortunately, at security conference after security conference we hear talks from people who have been able to quickly and easily bypass these systems.
Another thing we do to feel more secure is hire security guards. We go to banks and, if they are any size at all, there is the guard. Some places I visit also have them in grocery stores, drug stores, etc. Are they effective? They are wearing a uniform, therefore they must be professionals…
Poll: When required to change passwords every 90 days or less, what do you do?
https://www.polleverywhere.com/multiple_choice_polls/MFPnYcXT1l1Ssba
PCI DSS requires:
At least 7 characters
Both numbers and letters
Not the same as previously used passwords
A unique initial (temporary) password for each new user
A forced change after first use of a temporary password
Lockout after 6 failed attempts
Session lock after 15 minutes idle
Strong cryptography on passwords in transit
Best practice recommendation (i.e. you will get gigged for it, but not necessarily lose your ability to process):
Change every 90 days
http://pcipolicyportal.com/blog/pci-compliance-password-requirements-best-practices-know/
CJIS requires:
At least 8 characters
Not a dictionary word or proper name
Not the same as the user ID
Expires within 90 days
Not identical to any of the previous 10
Not transmitted without encryption
Not displayed when entered
https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
Probably the #1 thing we as system admins do to make security less secure in the name of FEELING more secure is set these stupid password policies. Sure, getting people away from using dictionary words, their legal name, their nickname, their user ID, etc. is a good idea, but requiring needlessly long and complicated passwords that change every 90 (or, worse yet, 30) days is just bad security. The password becomes too hard for the person to remember without spending time memorizing it, and we give them less than 90 days to do so before it changes again. The stated reasoning is that if a password is obtained, the bad guys only have so long to use it.
Research has shown us this is the wrong approach. In probably the best-run research into this subject, the University of North Carolina at Chapel Hill studied the password histories from their own university (Zhang, Y., Monrose, F., Reiter, M., 2010). (https://www.cs.unc.edu/~reiter/papers/2010/CCS.pdf) What they found was that about 50% of the people would resort to making some kind of pattern to remember their passwords: adding a number at one end or the other, changing a letter, etc. This allowed the researchers to create algorithms that were quite successful at breaking future passwords, once any one password in the history had been broken. Other researchers have found that another common approach is that users will write the password down. Considering the poor state of physical security, this means that anyone we let into our "secure" spaces has a treasure trove of passwords. Many pen testers will tell you this is easier and quicker than trying to brute force hashed passwords. Lastly, others will simply change their passwords enough times to get around the history counter.
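The transform-based attack described above, as an added worked example (my own illustration, not the speaker's material and not the exact algorithm from the Zhang, Monrose and Reiter paper): given one compromised password from a user's history, an attacker enumerates the cheap edits people actually make (bump a trailing number, append a digit or symbol, swap a symbol, change case, leetspeak) and tests each guess against the hash of the new password. The same enumerator, run at password-change time, is the check a defender wants: reject a new password that is a predictable edit of the old one. The sample passwords, salt and hash function are constructed for the demo; a real system would use a slow password hash such as bcrypt, scrypt or Argon2.

```python
import hashlib
import re
import string

# Constructed demo salt; real deployments use a random per-user salt.
SALT = b"demo-salt"


def split_password(pw):
    """Split a password into (head, trailing digit run, trailing symbol run).
    'Summer2016!' -> ('Summer', '2016', '!'), 'hunter2' -> ('hunter', '2', '')."""
    m = re.fullmatch(r"(.*?)(\d*)([^\w]*)", pw, re.DOTALL)
    return m.group(1), m.group(2), m.group(3)


def transform_candidates(old):
    """Enumerate the passwords a user is likely to pick next, given the old one.
    Illustrative transform set, roughly the kinds of edits the UNC study modelled."""
    head, digits, tail = split_password(old)
    out, seen = [], {old}

    def add(cand):
        if cand and cand not in seen:
            seen.add(cand)
            out.append(cand)

    # 1. Bump a trailing number up or down (Summer2016! -> Summer2017!)
    if digits:
        n, width = int(digits), len(digits)
        for delta in range(-5, 6):
            if delta and n + delta >= 0:
                add(head + str(n + delta).zfill(width) + tail)
        add(head + tail)                      # number dropped entirely
    # 2. Append or prepend a single digit or common symbol
    for ch in string.digits + "!@#$":
        add(old + ch)
        add(ch + old)
    # 3. Swap the trailing symbol for another popular one (pass1! -> pass1#)
    if tail:
        for ch in "!@#$%&*":
            add(head + digits + tail[:-1] + ch)
    # 4. Case changes
    for cand in (old.capitalize(), old.swapcase(), old.upper(), old.lower()):
        add(cand)
    # 5. Single leetspeak substitutions (password -> p@ssword)
    for src, dst in (("a", "@"), ("e", "3"), ("i", "1"), ("o", "0"), ("s", "$")):
        if src in old.lower():
            add(old.replace(src, dst).replace(src.upper(), dst))
    # 6. Rotate the first character to the end and vice versa (1password -> password1)
    if len(old) > 1:
        add(old[1:] + old[0])
        add(old[-1] + old[:-1])
    return out


def hash_password(pw, salt=SALT):
    """Salted SHA-256, only so the demo is self-contained and fast."""
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def crack_from_history(old, target_hash, salt=SALT):
    """Attacker view: try transforms of a known old password against the hash
    of the new one. Returns the recovered password, or None if no transform hits."""
    for cand in transform_candidates(old):
        if hash_password(cand, salt) == target_hash:
            return cand
    return None


def is_predictable_change(old, new):
    """Defender view, run at change time when both plaintexts are available:
    True if the new password is unchanged or a cheap edit of the old one."""
    return new == old or new in transform_candidates(old)


if __name__ == "__main__":
    old, new = "Summer2016!", "Summer2017!"
    print(crack_from_history(old, hash_password(new)))        # Summer2017!
    print(is_predictable_change(old, new))                     # True
    print(is_predictable_change(old, "correct horse staple"))  # False
```

At password-change time the server has both plaintexts (the user supplies the current password to authorise the change), so the defender's check needs no stored history at all; it simply refuses the change when the new password is in the transform set of the old one. Note how small the candidate set is: a few dozen guesses per old password, which is why a cracked history entry is worth far more than a cracked single password.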
We are also seeing an increase in the use of biometrics. Almost all phones now have some kind of fingerprint reader and/or facial recognition system. These systems give people a false sense of security, as I am sure most of us know. At this and similar conferences over the last couple of years there is almost always at least one presentation on how to defeat them with very simple hacks (pictures of the person in question, photocopies of someone's fingerprint, etc.).
Now that we have poked fun at the problem, what is the solution? We need to re-examine how we look at security. We have been paying lip service to security for so long that we need to step back and look at what experience and the social sciences tell us about what people really do.
When I was in the infantry I was taught how to guard facilities as part of our core training. We were taught by the book but were then told that we need to use our intuition. Over the years working with security companies, private security contractors, and law enforcement, I can attest that this is in fact the best first defense. Empower the humans in your system to question the motives of those they encounter. We have seen that social engineering is the easiest way to defeat a lock, so make social engineering part of your training! Teach employees at all levels that it is OK to not be customer-service oriented if they get uneasy about a person. We cannot be afraid to profile. It makes no sense to be afraid to ask questions of someone who is statistically likely to be a criminal and give the third degree to someone who is not.
Access control needs to reach a balance between ease of use and security. Giving every employee 30 keys to do their job might not make the most sense. If you have to have many zones, look at technological solutions and manage them correctly. Management needs to be brought into the loop so they can see the real cost-benefit of purchasing the correct setup for their organization and then making sure that it gets used. A state-of-the-art access control system is worthless if all the doors get propped open because it is not set up correctly and is too frustrating for employees.
Similarly, if money is spent on the correct camera system for a given location, it will be far more effective. Finding the technology that provides the correct level of coverage can greatly reduce overall manpower. This is one of those areas where good money spent up front can save on labor costs and downtime frustrations.
On the computer side of the equation we need to re-evaluate whether what we are doing is for feeling or for effect. Again, policies need to take a realistic view of what people are likely to do in response to them. We have to stop forcing employees to do things that make little or no sense to them, because they will not put forth the effort. As policy makers we should have written policies that we can then pick apart and decide what works and what does not. Get rid of the bad and keep the good. AND if you have any power over it at all, start with passwords. If there is no breach or other indication that passwords have been compromised, don't make people change them. Once we are no longer changing passwords at impractically short intervals, we can then require stronger passwords.
For those things that need extra security, move to two- or three-factor authentication with systems that are easy for employees to do right. My overriding philosophy when it comes to policies is to make it easiest for employees to do the right thing.
The next phase of this process is the one that almost nobody thinks of, and that is training. Even when we decide to train, we run up against the realities of the cost of training. These costs are not insubstantial when you consider the costs of trainers, facilities, missed work, disruption in process… Where you make back your money is in making your entire workforce security officers. Once they know why they are required to do the things they do for security, they are going to be (on average) more likely to follow through.
The last piece is probably the hardest. You have to empower your employees to do what you need them to do. People need to know that when they question a vendor, customer, or fellow employee that management is not going to come down on them. They need to know that making a mistake will not get them fired, but instead will be a learning experience.
Now let us bring this full circle. While it is entertaining to poke fun at security that does not actually secure things, we have to ask ourselves why it is done in the first place… Well, because in some cases it does work and in others it makes people feel better… On the latter, that might not be a bad thing.
We as an enterprise need to get better at being in others’ heads. (Both our enemies’ and our employees’.) We need to learn from other security experts, psychologists, social scientists, and even magicians what works. I would submit that just because something is not providing true security is not a reason to not do it. The goal of terrorists is to disrupt our sense of security, and for the vast majority of people (i.e. those not in the security industry) security theater does just that: it makes people feel more secure. Israel has been engaging in security theater for years to great success. It is all in how you apply it. I will leave you with a few …
Fake cameras. When I upgrade a facility from analog to digital I will often keep the old big analog cameras in place. If I auction them off I will not get much in return, and because they are big they are noticeable. If people see a camera, they are more likely to have a change in behavior. (This is a form of the Hawthorne effect.) This change is normally for the better, as people being watched tend to do things that they think will leave a positive impression. It can also be that some will delay or even stop an illegal act if they believe it will be observed by an outside party.
Bonus tip… Even posters with eyes that watch an area make people less likely to engage in negative behaviors…
Signs. Reminding people that they are being recorded has also been shown to reduce criminal activity. In my own case, I had a series of buildings that were being broken into on nearly a weekly basis. I put up signs indicating that things were being recorded, and the break-ins stopped. Even in places where no actual cameras were installed.
Uniforms. It is amazing what the simple presence of uniforms can do. Studies have shown that employees who wear a uniform act more professionally, and also that people who see an official-looking uniform are less likely to engage in negative behavior. In Israel, where you see uniforms everywhere, these individuals are often the first to be attacked. This does, however, give others the chance to avoid lethal injuries.
The bad guys are always probing, exploring, and learning. We as defenders have to do the same thing. This is an active battle, but more akin to Go than Chess. The battle is as much about having a large breadth of knowledge and improvisation as it is about strategy. Even if you are not certified, consider those things that give CPEs and do them. Teaching college or vo-tech security classes can also help, as the new students can keep you on your toes.
And lastly, I want to say that you should seek out those things that work and do more of them. This may seem like common sense, but there can be monumental pressure, especially from sales people and consultants, to change for the sake of “staying nimble”. This is the same fallacy that gave us changing passwords, so hold steady. If you have a system that is keeping you safe and your employees productive, stick with it, and focus your efforts on detection of threats.
Question/Answer by John Langdon
http://www.anopticalillusion.com/2014/09/questionanswer-by-john-langdon/#respond