Recently in Awareness Category

Slide decks posted


The month of April was a month in which I had three public speaking appearances. It started out on April 16 when I addressed the New York Higher Education Technology Forum at Hofstra University. The talk tried to drive home the point that all this Cloud stuff is nice and fluffy, but that we, as cloud consumers, must make sure that our vendors deliver better service for less money. If we fail to do that, we are not making any progress, and Cloud will just be another concept that is doomed to fail.

The second talk was on April 20 at SOURCE Boston, where I was in the fortunate position to mentor a panel about career development, and especially about the role that mentors play in that process.

In the third and final talk, on April 29, I addressed a gathering of non-technology people about the risks of social networking, and how to mitigate the risk for themselves. The most important point that I tried to make in that presentation was that on social networks, people may actually read what you write.

Both presentations are available for download, although they might not do you much good without the narrative.

30 minutes to explain information security


I was recently asked to prepare a 30-40 minute lecture for high school students. The point of the lecture is to explain what we try to accomplish in information security, and to convince them to enroll in our Computer Science program. After thinking this over for a bit, I realized that presenting to high school kids is not that much different from presenting to C-level management. Here is my rationale:

  • Short attention span
  • Little or no interest in details
  • Focus on outcome, rather than on how the outcome is created
  • Think they already know all there is to know

So, taking these observations into account, I must divide my presentation into two or three subtopics, each of which does not exceed 10-15 minutes. I must focus primarily on the show effect (what vs. how), and I must work around the fact that they think they know everything, yet they do not.

When presenting, it is good practice to always end with the one catch-phrase that you want the audience to remember. Whether that catch-phrase is "give infosec more money" or "enroll in the program" is irrelevant.

Initially, I thought that a nice Metasploit demo might be just what we needed to end the presentation. What is cooler than showing how to own a networked box in under five minutes? Not much, right? Well; true as that may be, high school kids do not live in the world of complex command-line invocations and text-based output. Running a Metasploit demo is one thing, but explaining what it actually means is another. Would an audience that is used to living in a world that predominantly consists of Facebook, Twitter and text messaging understand the coolness of complete pwnage via a text-based interface? Doubtful.

So, taking it from there, I moved to browser-based stuff. Everyone is used to having a browser at their fingertips, and demonstrating a SQL-injection attack that can be used to retrieve private information would be something they understand. Oh wait-- private information is mostly worthless to most teenagers. They'll pretty much tell you everything you want to know right on their public profiles. While the attack would be successful, and I could show how to list out people's home addresses and/or credit card numbers, that would be of little or no value to them.
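For readers who want the demo itself rather than just the idea, here is an added, self-contained example (my own illustration, not a demo from the original post or from any real site) of the SQL-injection attack described above, run against an in-memory SQLite table with made-up users, addresses and card numbers. The vulnerable lookup builds the query by string concatenation; the hardened one uses a parameterised query. Two classic payloads are shown: a tautology (`' OR '1'='1`) that dumps every row, and a `UNION` that pulls the password column out through a query that was never meant to return it. All names and data here are constructed for the demo.

```python
import sqlite3

# Constructed sample data for the demo; nothing here is real.
SAMPLE_ROWS = [
    ("alice", "s3cret",   "1 Main St", "4111111111111111"),
    ("bob",   "hunter2",  "2 Oak Ave", "4222222222222222"),
    ("carol", "pa55word", "3 Elm Rd",  "4333333333333333"),
]

# Payloads an attacker would type into the "username" field of the demo page.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"
UNION_PAYLOAD = "' UNION SELECT username, password, card FROM users--"


def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password TEXT, address TEXT, card TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_lookup(conn, username):
    """Vulnerable form: the user's input is pasted straight into the SQL text,
    so quotes, OR clauses and UNIONs in the input become part of the query."""
    query = (
        "SELECT username, address, card FROM users WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(query).fetchall()


def safe_lookup(conn, username):
    """Hardened form: a parameterised query. The driver binds the value
    separately from the SQL text, so the same payloads are treated as a
    (non-matching) literal username rather than as SQL."""
    query = "SELECT username, address, card FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    """Run both payloads against both lookups and summarise what each leaks."""
    conn = build_db()
    results = {
        # Tautology turns the WHERE clause into "username = 'x' OR '1'='1'".
        "vulnerable_tautology_rows": len(vulnerable_lookup(conn, TAUTOLOGY_PAYLOAD)),
        # UNION grafts a second SELECT onto the query; "--" comments out the
        # trailing quote the application appends.
        "vulnerable_union_passwords": sorted(
            row[1] for row in vulnerable_lookup(conn, UNION_PAYLOAD)
        ),
        # The parameterised query returns nothing for either payload.
        "safe_tautology_rows": len(safe_lookup(conn, TAUTOLOGY_PAYLOAD)),
        "safe_union_rows": len(safe_lookup(conn, UNION_PAYLOAD)),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point worth making to an audience is that the hardened version is not "more code": the only difference between `vulnerable_lookup` and `safe_lookup` is whether the input is concatenated into the SQL text or bound as a parameter.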

Clearly, I need to spend more time on this. Password cracking? Maybe, if that password can be used to do stuff with their Facebook accounts. Denial-of-service? Now, there is an interesting one. Taking away their access may be one thing, but showing how to DoS an individual's cable modem may not necessarily be the wisest move.

Any suggestions among my readers? I'd love to hear your thoughts on this. What can you tell a 17-year-old that would capture their interest enough to at least make them consider enrolling in your program?

Why we sometimes think cheating is OK

TED is awesome.

I enjoy watching TED talks for a number of reasons. First: the topics are almost invariably extremely interesting and the observations of the speakers are inspiring. Second: I believe that the more good presentations you view, the better your own presentations will become. Third: most presentations have some form of entertainment value.

Today I watched Dan Ariely's video on Why we think it's OK to cheat and steal (sometimes).

In the video, Ariely tries to answer the question of whether the probability of getting caught doing something wrong is related to the likelihood of cheating taking place. In other words: are people less likely to break the rules if they are more afraid of getting caught? The conclusion is something that should resonate very hard with information security professionals, and came as a bit of a surprise. The fear of getting caught does not appear to have a very big impact on the probability of misuse taking place.

Handling sensitive information


One of the hardest incident types for an incident handler to address is the incident in which a properly authenticated and duly authorized user decides to misuse her privileges.

Imagine a situation in which an employee has access to human resources records for legitimate reasons.

As an information security professional charged with protecting that information, the assessment of whether someone should be granted access (and if so, under which conditions) must be made by the information owner and not by me. In the example, if the owner of the HR database decides that a user has legitimate access, it is my job to provision that access in a controlled fashion.