diff --git a/.vscode/settings.json b/.vscode/settings.json index f84a5ea..8a4482c 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -40,6 +40,7 @@ "lorin", "Magill", "Maguire", + "Minnebar", "Muhren", "Munjal", "Nemeth", diff --git a/Gemfile.lock b/Gemfile.lock index 6b49680..712899d 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -315,7 +315,7 @@ GEM regexp_parser (2.10.0) rexml (3.4.1) rouge (3.30.0) - rubocop (1.75.4) + rubocop (1.75.5) json (~> 2.3) language_server-protocol (~> 3.17.0.2) lint_roller (~> 1.1.0) diff --git a/_posts/2024-05-28-phishing-training.md b/_posts/2024-05-28-phishing-training.md index 1608650..2b05f6d 100644 --- a/_posts/2024-05-28-phishing-training.md +++ b/_posts/2024-05-28-phishing-training.md @@ -23,7 +23,7 @@ The paper also recommends providing a mechanism to report suspicious emails, lik What does the data say? Outside the academic literature, a series of reports by Cyentia and Elevate Security offer additional insights. -The [first report](https://elevatesecurity.com/resource/cyentia-elevating-human-attack-surface-management/), published in 2021, had a number of interesting findings: +The [first report](https://web.archive.org/web/20220728175509/https://elevatesecurity.com/wp-content/uploads/2021/05/Elevate_Human-Attack-Surface_Final_May4.pdf), published in 2021, had a number of interesting findings: - Completing training 1-3 times reduces average click rates, but performance gets progressively worse for 4 and 5 times; average training rates for 5 training sessions was *higher* than none at all! - Sending more simulation emails decrease average click rates, even at high numbers of simulations, but flattens out just below 5% 
@@ -32,7 +32,7 @@ Similar results are reported in the literature review paper: security fatigue is Importantly, the Cyentia/Elevate report also noted that 100% of organizations eventually click or are compromised - that is, no matter how much you train, someone within your organization will click the phishing link. -A [second report](https://elevatesecurity.com/resource/the-size-and-shape-of-workforce-risk/) studied the problem in greater detail, finding that: +A [second report](https://8218465.fs1.hubspotusercontent-na1.net/hubfs/8218465/Cyentia%20-%20The%20Size%20and%20Shape%20of%20Workforce%20Risk.pdf) studied the problem in greater detail, finding that: > - Some users get many more phishing emails than others (100s per year vs. a few). > - The more emails a department gets the better they are at blocking them. @@ -42,7 +42,7 @@ A [second report](https://elevatesecurity.com/resource/the-size-and-shape-of-wor What the analysis showed was that nearly 80% of users never click a phishing link, and 4% account for 80% of clicks - a small number of high-risk users are the biggest source of phishing clicks. -(A [third report](https://go.elevatesecurity.com/high-risk-users-and-where-to-find-them) studied the question of high-risk users in greater detail.) +(A [third report](https://8218465.fs1.hubspotusercontent-na1.net/hubfs/8218465/Elevate%20High%20Risk%20Users%20and%20Where%20to%20Find%20Them.pdf) studied the question of high-risk users in greater detail.) ## My Experience diff --git a/_posts/2025-05-05-minnebar-19.md b/_posts/2025-05-05-minnebar-19.md new file mode 100644 index 0000000..ed0f4b8 --- /dev/null +++ b/_posts/2025-05-05-minnebar-19.md 
@@ -0,0 +1,28 @@ +--- +layout: post +title: Minnebar 19 +author: jabenninghoff +tags: ["Security Differently", "Talks"] +comments: true +--- +Last Saturday I spoke for the first time at [Minnebar](https://sessions.minnestar.org/events/45)! It was my second time attending, and I've found it to be both informative and entertaining! Where else can you attend talks on [selling as a founder](https://sessions.minnestar.org/sessions/1867), [moving past the metaphor of technical debt](https://sessions.minnestar.org/sessions/1851), [the development of the Atari 2600](https://sessions.minnestar.org/sessions/1716) (by an engineer who worked on it!), and [using open source in government](https://sessions.minnestar.org/sessions/1810)? + +I presented both on my own and was a contributor to Dan Lew's excellent talk on [How to (privately!) surf the internet](https://sessions.minnestar.org/sessions/1732), which was popular enough to draw the largest room (the theater)! My own talk, [You already know (most) of what you need to know about cybersecurity!](https://sessions.minnestar.org/sessions/1746) was also well attended, I got great questions and some nice feedback from the attendees! + +The talk consolidates ideas from my past work in a presentation geared towards a broad but still tech-savvy audience. The core ideas are simple: first, security isn't about avoiding negative outcomes (breaches), it's about improving security performance, and second, that most of the activities that improve security performance don't require security expertise. + +While my solo talk wasn't recorded, the slides are available [here](/assets/minnebar-2025-benninghoff.pdf). + +## Abstract + +You don't have to be Mr. Robot to be secure! While cybersecurity may seem mysterious and difficult, the most effective things you can do are like eating well and exercising: easy to understand, but sometimes hard to do. 
In the past 5 years, we've learned that much of the work needed to secure software-based systems are activities we already do, like regularly updating software and turning off services you don't need. + +I'll review what data-driven research says about what matters most in cybersecurity, bust myths about what doesn't matter, and when you really do need to call in the experts. Whether you write code, build infrastructure, run a startup, or just manage your home network, I'll share practical advice on what you can do to be secure and what you should leave to others. + +## Slides + +My slides with notes, including references, are [here](/assets/minnebar-2025-benninghoff.pdf). + +## Link + +Here is the link from the QR code at the end of my talk: .
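Review bot: the `rubocop (1.75.4)` to `rubocop (1.75.5)` bump in `Gemfile.lock` is unrelated to the blog post and spell-check changes in the same patch; consider landing the dependency update as its own commit so it can be reviewed, bisected and reverted independently of the content changes.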
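Review bot: the three link replacements in `_posts/2024-05-28-phishing-training.md` are inconsistent about link rot. The first report now points at a `web.archive.org` snapshot, but the second and third reports point at `8218465.fs1.hubspotusercontent-na1.net/hubfs/8218465/...` URLs, which are vendor CDN assets that can disappear just like the original `elevatesecurity.com` pages did. Consider using archived snapshots for all three, or at least recording the retrieval date next to the direct links.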
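Review bot: in the new `_posts/2025-05-05-minnebar-19.md`, the closing line under `## Link` has no link target: `Here is the link from the QR code at the end of my talk: .` Either add the URL the QR code encodes or drop the `## Link` section before publishing, since the sentence is currently empty. Separately, the slides URL `/assets/minnebar-2025-benninghoff.pdf` is referenced twice (in the intro and under `## Slides`); one is enough.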