Preview Mode Links will not work in preview mode

Jun 6, 2017


This week, we invited Ms. Jessy Irwin (@jessysaurusrex) on to discuss the issues Small and medium businesses and startups have with getting good training, training that is effective and what can be done to address these issues.

We also go through several ideas for training subjects that should be addressed by training, and what maybe would be addressed by policy.



Upcoming BrakeSec Podcast training:

Ms. Sunny Wear - Web App Security/OWASP

14 June - 21 June - 28 June at 1900 Eastern (1600 Pacific, 2300 UTC)

$20 USD on Patreon to attend the class

$9 USD for just the videos to follow along in class



If you want the videos and don’t care about the class, they will be released a week after class is over for free.



Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat 2017



Join our #Slack Channel! Sign up at

#iHeartRadio App:


Comments, Questions, Feedback:

Support Brakeing Down Security Podcast on #Patreon:

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM :

#Stitcher Network:

#TuneIn Radio App:


Show Notes:

I don’t trust articles written with a survey created by a company that is touting their new education track at the bottom of the article. -- brbr

“So sick of the tired narrative that sec awareness is just about phishing when there are ~10 basic skills we need to be educating people on”

What are the ~10 things?

First off, most corporate security training misses the incentive mark by a mile. If training were refocused in a way that showed the incentives to improving personal safety, we might get somewhere. Teaching people how to take care of themselves first works-- those habits carry over into their work life, not usually the other way around.


  1. Passwords
  2. Multifactor authentication
  3. Device encryption
    1. Ad blocking
    2. Browser hardening via extension/plugin
  4. Safe browsing (this breaks into a few different topics)
    1. Phishing doesn't just happen via email anymore: social media inboxes, text message inboxes, messaging apps, etc.
    2. Most users won't come to social engineering defenses on their own-- important to educate and give alternatives that encourage them to confirm information out of band or navigate to a site in their browser
  5. Social engineering (this breaks into a few different topics)
  6. Segmentation/compartmentalizing data + communications
  7. Secure storage(local vs cloud data)
  8. Media storage safety (thumbdrives! Charge-only cables for mobile devices!)
    1. Google Apps + Slack allow for OAuth; most people set it and forget it, don't review what apps can act on their behalf until it's too late
  9. Regularly reviewing permissions granted to apps through oAuth
  10. Backups

The report goes onto say that security awareness professionals with more technical backgrounds are more keen to recognizing behaviors that might bring risk, however, at times communications training is critical given that human interaction soft skills make changing risky employee behavior. They know what behaviors are the most effective in managing those risks. Often however, the challenge is that these same individuals often lack the skills or training to effectively communicate those risks and engage employees in a manner that effectively changes behavior.”  summed up our entire industry in this paragraph --brbr

^^^^ saw this on Twitter yesterday -brbr


Key takeaways:


The study recommends the following for addressing communications:


  • Communicate to leadership monthly about your security awareness program -- in a way that business leaders will value.
  • Find a strong champion within leadership, and ask them to help relay the program value to other leaders, or assist with message crafting.
  • Partner with those in the org that you've found to appreciate and adhere to security awareness inputs, especially those who can help partner on better communications.
  • Take communications training; they can be easily developed with the right focus.
  • Align with human resources to ensure an awareness program is tied into company culture.
  • Keep an eye on your audience, as it grows and shift, and recognize that the same message that works for developers may not be effective for marketing, and vice versa. A one-size-fits-all communications approach can be limiting. 


You writing a book?


I've been working on a book about security that's focused on education and communication. We do such a horrible job at this-- we don't do very much that helps the average person or our non-technical, non-expert colleagues have a chance at being successful online. Our terms are too technical, our framing is unbelievably negative and toxic, and the lack of empathy for the people at the other end of the computer is absolutely astounding. It is entirely fixable, but we all have to stop contradicting one another and really start working together. :)


You make it sound so bleak and self-destructive :|

I would like to hope that we can get better.


Oh yea, the echo chamber, “who has the right answer?” no one, we all just have pieces...

Yes! And sometimes the right answer changes very, very quickly! It's less about the silver bullet answer and more about what we’re defending from and hoping to accomplish.


Are SMBs the issue?

Are they more insecure than bigger companies?

Or do bigger companies get more media coverage?


Are bigger companies any better at training employees?

Or are they better at ‘checking’ the box?


If we take the statement ‘paid for security training sucks’ as a given, what do we do about it?

What trainings should we be giving?


And what training should actually be policy driven? (make it a requirement to follow)

Clean desk

Password manager

Coding practices

Acceptable use

Device encyption



What training do infosec people need? How important are the soft skills to help with communicating?