Hello, and welcome to our company's oh-so-very-shitty Security Awareness Training. I'm Chief Cloud Economist Corey Quinn of the Duckbill Group, and I'll be delivering this training for you because I was absolutely NOT the lowest bidder for a change.
The whole point of security awareness is to protect company information. That's what they say, anyway. Here in reality we're going to reference back to the things I spew at you rapid fire and blame you for our institutional shortcomings once we get breached.
Confidentiality is important. Assume that people will read what you write. I know, it's a heavy lift for some of you who haven't figured out that the failure mode of "clever on Twitter" is "being a huge asshole," but pretend it'll be read.
Don't share private information. Don't assume that someone emailing you is who they claim to be. And don't insist on GPG signed email unless you-- wait, if you do that nobody will email you anymore. BRB generating a GPG key.
You probably also don't want to install a bunch of sketchy apps, browser extensions, or weird trinkets from dodgy vendors. If you're unsure, ask someone steeped in that area. If they're rude dicks to you, pivot immediately to plotting their downfall.
You'll probably deal with a lot of information. Some of it is confidential. Some of it is public. If you're unsure, default to assuming confidential; it's less unfortunate for you that way.
Be wary of phishing emails. Why's that? Because we collectively suck at computers to the point where you clicking the wrong link can take down Maersk, but somehow we're going to act like that's your fault.
Unusual senses of urgency, a CEO suddenly unclear how to spell their own name, and instructions to do things out of the ordinary are red flags. Ask them on Slack, Teams, or some other side channel before doing something ill-considered.
If your boss texts you to buy some iTunes gift cards or whatnot to deal with a client emergency, it's either a phishing attack or you work for some kind of moron and you should find another place to be immediately.
There's usually a sense of urgency behind phishing attacks, because they don't want you thinking clearly. You will not be threatened in an email by your colleagues at any reasonable workplace. If you are, you have better options. Begin plotting their downfall.
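The red flags in the thread above (urgency, an out-of-the-ordinary request like gift cards, a plea for secrecy, a display name that does not match the sending domain, a Reply-To that points somewhere else) can be turned into a triage heuristic. The following is an added example, not part of the original thread: it parses two constructed sample emails (the "Jane Doe" CEO and the `example.com` domain are invented for the example) and counts how many of those flags each one trips.

```python
"""Heuristic phishing triage over raw RFC 822 messages.

Added example. Scores the red flags the thread lists; it is a triage aid,
not a gate. The control that actually works is the out-of-band check
(Slack, Teams, a phone call) that a high score should trigger.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Display names and the domain they are expected to send from.
# Constructed directory for the example; a real deployment would
# populate this from the company directory.
KNOWN_SENDERS = {
    "Jane Doe": "example.com",      # hypothetical CEO
    "IT Helpdesk": "example.com",   # hypothetical internal sender
}

URGENCY = re.compile(
    r"\b(urgent|immediately|asap|right now|within the hour|before (?:eod|end of day))\b",
    re.I,
)
ODD_REQUEST = re.compile(r"\b(gift ?cards?|itunes|wire transfer|bitcoin|btc)\b", re.I)
SECRECY = re.compile(
    r"\b(don'?t tell|keep this (?:between us|confidential|quiet)|can'?t talk)\b", re.I
)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw: str) -> dict:
    """Return the flags tripped by one raw message and whether to verify out of band."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = _domain(addr)

    flags = []
    if URGENCY.search(body):
        flags.append("urgency")
    if ODD_REQUEST.search(body):
        flags.append("odd_request")
    if SECRECY.search(body):
        flags.append("secrecy")
    # Known display name arriving from a domain we do not expect it from.
    expected = KNOWN_SENDERS.get(name)
    if expected and sender_domain != expected:
        flags.append("sender_domain_mismatch")
    # Replies silently redirected to a different mailbox.
    if reply_to and _domain(reply_to) != sender_domain:
        flags.append("reply_to_mismatch")

    return {
        "from": addr,
        "flags": flags,
        "score": len(flags),
        # Two or more independent signals: stop and confirm on a side channel.
        "verify_out_of_band": len(flags) >= 2,
    }


# Constructed sample: the classic gift-card CEO scam.
SCAM = (
    "From: Jane Doe <jane.doe@example-c0m.com>\n"
    "Reply-To: jane.doe.ceo@gmail.com\n"
    "Subject: quick favour\n"
    "\n"
    "I need you to buy 5 iTunes gift cards for a client emergency right now.\n"
    "Don't tell anyone, I'm in a meeting and can't talk.\n"
)

# Constructed sample: an ordinary internal request.
BENIGN = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "Subject: Q3 numbers\n"
    "\n"
    "Please send me the Q3 numbers when you get a chance next week.\n"
)

if __name__ == "__main__":
    for label, raw in (("scam", SCAM), ("benign", BENIGN)):
        print(label, score_message(raw))
```

The scam sample trips all five flags; the benign one trips none. Keyword lists like these are easy to evade, which is why the output is a "go verify" decision rather than a block, and why the domain check keys off the display name: attackers register lookalike domains precisely because mail clients show the name and hide the address.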
Physical security is important. You're an accountant who's 5'4" and 105 lbs soaking wet, but you're expected to stop and aggressively interrogate anyone who attempts to follow you into a secured area since the company can't afford security guards after paying my usurious fee.
Some companies require staff to wear badges. This is where the terribleness of scale starts in many places. My choice is usually to leave. If you make different choices, don't share badges. Nobody thinks you're cool for wearing it in public anyway.
That said, we're all remote these days, so "physical security" takes on a different context. It's your home, I'm not fool enough to tell you how to live your life there. If someone is, begin plotting their downfall.
Data privacy is super important. Maybe keep it contained to a small place, and if you don't need it, don't collect it? People get upset when you leak their info, particularly if they didn't choose to give it to you in the first place, Facebook.
Some places tell you not to use "unapproved software." And you're never to do any personal work on company machines. Be certain to raise your hand and ask permission before going to the bathroom if that's your workplace.
If your company asks you to install their spyware on your personal device, the correct answer is "LOL no." If it's that important that they reach you, they can give you a corporate phone, laptop, and car.
If you find random USB sticks, don't plug them into a computer. Holy hell, what's with you? You should also be sure not to jam a fork into a power outlet as well.
No one is going to email you to give you money, sell you reputable pharmaceuticals, or blackmail you. No, they didn't watch you flog your dolphin via your webcam, and no, they will not send video of it to your friends and family unless you pay them.
This invariably involves #Bitcoin, the trusted nightmare scam currency of grifters everywhere. Just like the VISA logo demonstrates security and convenience, cryptocurrency demonstrates you're about to be had.
If someone does get compromising video of you, narrate it.
Make sure that your computer hard drives have full disk encryption turned on; it's the difference between "your company has to replace a $2K laptop" and "your company is now in the headlines."
Encryption at rest inside of a cloud provider's environment is dumb but it's easier to click the button than fight about it.
Some places will insist you rotate passwords every 60-90 days. Some places also make you pee in bottles.
Use multi-factor authentication, like a YubiKey. When pressed for time, you can whack the button on the device to let it name an AWS service right before it launches.
Use a password manager because you're bad at passwords. Trust me on this one. I like 1Password but there are lots of others that are well respected.
"My data is sensitive so it shouldn't live in a cloud provider" is naive in the extreme. They are better at protecting data than you are unless we're talking about @Azure in which case all bets are off; those people apparently do not give a SHIT about cloud security.
Follow @SwiftOnSecurity for real-world infosec tips, delightful banter, and for some reason periodic pictures of airplanes that make me uncomfortable in my pants.
Understand that nobody is going to devote massive computing resources to breaking into your system; at most they'll devote ten minutes to hitting you with some jumper cables until you sobbingly tell them the password.
Don't share credentials with other people. They can get their own account. If your supervisor demands your credentials, be sure to get the request in writing first.
This more or less wraps up the Security Awareness Training. Please consider the environment then print this thread and hang it on your wall. In lieu of a test that insults your intelligence, I will now field your questions while awaiting payment.
If companies send you emails attempting to trick you into clicking on things, you can safely assume from that point forward that they will lie to you via email. Respond accordingly.
The best way to get a dumb policy overturned is to follow it to the absolute letter. "Exceptions require VP approval" requires you to bust into the bathroom stall to get a signature.
This is the kind of scam email I'm talking about. No, they do not have this information, or they would have included a picture or two to demonstrate it. In my case, they would have certainly highlighted the fact that I yell my own name at orgasm.
Unless you're SolarWinds, which apparently employs ablative interns.
Let me begin by saying I'm *pretty* sure that this isn't sour grapes; I left ten years ago as of six weeks from now. I have no financial stake in Expensify, but I do have stories. I was the "Director of TechOps" for a year.
Let me further disclaim that my information is thus a decade old. I hope it's all ancient history, but these stories have a way of helping people out. I hope and trust that, as we all have, the culture there has evolved significantly.
First, the good parts. I've never seen a place that was as good as Expensify was about onboarding junior engineers and training them basically from scratch. "Senior engineers are expensive, so we'll hire them before they get there" is a great philosophy.
You can fork the SSPL or Elastic license or what have you to only include @awscloud, but it's 1. not Open Source® so people will yell at you for it, and 2. it betrays a significant misunderstanding about how AWS works.
Let's pretend that we're talking about `cowsay`, an open source tool that's been around for decades, is written in Perl, and outputs text in terminals like this.