From a5e7c7275b562ca24fc5f873b8168cb5c8831a14 Mon Sep 17 00:00:00 2001 From: John Benninghoff Date: Mon, 5 May 2025 12:52:21 -0500 Subject: [PATCH 1/3] bundle update --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 6b49680..712899d 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -315,7 +315,7 @@ GEM regexp_parser (2.10.0) rexml (3.4.1) rouge (3.30.0) - rubocop (1.75.4) + rubocop (1.75.5) json (~> 2.3) language_server-protocol (~> 3.17.0.2) lint_roller (~> 1.1.0) From 2b623465164f24a5e3c081656340479601841524 Mon Sep 17 00:00:00 2001 From: John Benninghoff Date: Mon, 5 May 2025 14:54:02 -0500 Subject: [PATCH 2/3] Fix broken elevate URLs --- _posts/2024-05-28-phishing-training.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/_posts/2024-05-28-phishing-training.md b/_posts/2024-05-28-phishing-training.md index 1608650..2b05f6d 100644 --- a/_posts/2024-05-28-phishing-training.md +++ b/_posts/2024-05-28-phishing-training.md @@ -23,7 +23,7 @@ The paper also recommends providing a mechanism to report suspicious emails, lik What does the data say? Outside the academic literature, a series of reports by Cyentia and Elevate Security offer additional insights. -The [first report](https://elevatesecurity.com/resource/cyentia-elevating-human-attack-surface-management/), published in 2021, had a number of interesting findings: +The [first report](https://web.archive.org/web/20220728175509/https://elevatesecurity.com/wp-content/uploads/2021/05/Elevate_Human-Attack-Surface_Final_May4.pdf), published in 2021, had a number of interesting findings: - Completing training 1-3 times reduces average click rates, but performance gets progressively worse for 4 and 5 times; average training rates for 5 training sessions was *higher* than none at all! - Sending more simulation emails decrease average click rates, even at high numbers of simulations, but flattens out just below 5% 
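Review bot: the commit subject "bundle update" does not say what moved; the Gemfile.lock hunk bumps only `- rubocop (1.75.4)` to `+ rubocop (1.75.5)`, so name the gem and version in the subject (e.g. "Bump rubocop to 1.75.5") so the history is searchable. Since rubocop is a developer tool that executes with full access to the checkout, confirm the release against the gem's upstream changelog before merging. The hunk leaves the `json`, `language_server-protocol` and `lint_roller` constraints untouched, which is consistent with a patch-level bump.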
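Review bot: the replacement link for the first report is a Wayback Machine snapshot (`web.archive.org/web/20220728175509/...Elevate_Human-Attack-Surface_Final_May4.pdf`), but the link text still reads "first report" with nothing telling the reader it is an archived copy of a PDF that has since moved; consider saying so in the sentence. Unrelated to the change, but in this hunk's trailing context, "Sending more simulation emails decrease average click rates" should read "decreases" if the file is being touched anyway.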
@@ -32,7 +32,7 @@ Similar results are reported in the literature review paper: security fatigue is Importantly, the Cyentia/Elevate report also noted that 100% of organizations eventually click or are compromised - that is, no matter how much you train, someone within your organization will click the phishing link. -A [second report](https://elevatesecurity.com/resource/the-size-and-shape-of-workforce-risk/) studied the problem in greater detail, finding that: +A [second report](https://8218465.fs1.hubspotusercontent-na1.net/hubfs/8218465/Cyentia%20-%20The%20Size%20and%20Shape%20of%20Workforce%20Risk.pdf) studied the problem in greater detail, finding that: > - Some users get many more phishing emails than others (100s per year vs. a few). > - The more emails a department gets the better they are at blocking them. @@ -42,7 +42,7 @@ A [second report](https://elevatesecurity.com/resource/the-size-and-shape-of-wor What the analysis showed was that nearly 80% of users never click a phishing link, and 4% account for 80% of clicks - a small number of high-risk users are the biggest source of phishing clicks. -(A [third report](https://go.elevatesecurity.com/high-risk-users-and-where-to-find-them) studied the question of high-risk users in greater detail.) +(A [third report](https://8218465.fs1.hubspotusercontent-na1.net/hubfs/8218465/Elevate%20High%20Risk%20Users%20and%20Where%20to%20Find%20Them.pdf) studied the question of high-risk users in greater detail.) ## My Experience From 0854a66970f5cfa8421cb16fcfb515d62ffb542c Mon Sep 17 00:00:00 2001 From: John Benninghoff Date: Mon, 5 May 2025 15:18:22 -0500 Subject: [PATCH 3/3] New Post: Minnebar 19 --- .vscode/settings.json | 1 + _posts/2025-05-05-minnebar-19.md | 28 ++++++++++++++++++++++++++++ 2 files changed, 29 insertions(+) create mode 100644 _posts/2025-05-05-minnebar-19.md diff --git a/.vscode/settings.json b/.vscode/settings.json index f84a5ea..8a4482c 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json 
@@ -40,6 +40,7 @@ "lorin", "Magill", "Maguire", + "Minnebar", "Muhren", "Munjal", "Nemeth", diff --git a/_posts/2025-05-05-minnebar-19.md b/_posts/2025-05-05-minnebar-19.md new file mode 100644 index 0000000..ed0f4b8 --- /dev/null +++ b/_posts/2025-05-05-minnebar-19.md 
@@ -0,0 +1,28 @@ +--- +layout: post +title: Minnebar 19 +author: jabenninghoff +tags: ["Security Differently", "Talks"] +comments: true +--- +Last Saturday I spoke for the first time at [Minnebar](https://sessions.minnestar.org/events/45)! It was my second time attending, and I've found it to be both informative and entertaining! Where else can you attend talks on [selling as a founder](https://sessions.minnestar.org/sessions/1867), [moving past the metaphor of technical debt](https://sessions.minnestar.org/sessions/1851), [the development of the Atari 2600](https://sessions.minnestar.org/sessions/1716) (by an engineer who worked on it!), and [using open source in government](https://sessions.minnestar.org/sessions/1810)? + +I presented both on my own and was a contributor to Dan Lew's excellent talk on [How to (privately!) surf the internet](https://sessions.minnestar.org/sessions/1732), which was popular enough to draw the largest room (the theater)! My own talk, [You already know (most) of what you need to know about cybersecurity!](https://sessions.minnestar.org/sessions/1746) was also well attended, I got great questions and some nice feedback from the attendees! + +The talk consolidates ideas from my past work in a presentation geared towards a broad but still tech-savvy audience. The core ideas are simple: first, security isn't about avoiding negative outcomes (breaches), it's about improving security performance, and second, that most of the activities that improve security performance don't require security expertise. + +While my solo talk wasn't recorded, the slides are available [here](/assets/minnebar-2025-benninghoff.pdf). + +## Abstract + +You don't have to be Mr. Robot to be secure! While cybersecurity may seem mysterious and difficult, the most effective things you can do are like eating well and exercising: easy to understand, but sometimes hard to do. 
In the past 5 years, we've learned that much of the work needed to secure software-based systems are activities we already do, like regularly updating software and turning off services you don't need. + +I'll review what data-driven research says about what matters most in cybersecurity, bust myths about what doesn't matter, and when you really do need to call in the experts. Whether you write code, build infrastructure, run a startup, or just manage your home network, I'll share practical advice on what you can do to be secure and what you should leave to others. + +## Slides + +My slides with notes, including references, are [here](/assets/minnebar-2025-benninghoff.pdf). + +## Link + +Here is the link from the QR code at the end of my talk: .
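Review bot: in the second-report hunk of `_posts/2024-05-28-phishing-training.md`, the new URL points at a live third-party CDN host (`8218465.fs1.hubspotusercontent-na1.net`) rather than an archive snapshot, so it is exposed to the same link rot that prompted this commit; the third-report link in the following hunk has the same shape. Suggest linking a web.archive.org capture of each PDF, or saving one now, so the citations stay resolvable. The `%20`-encoded filenames are otherwise fine.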
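Review bot: the closing line of the new post, `Here is the link from the QR code at the end of my talk: .`, has no URL between the colon and the period; if the link was written as an angle-bracket autolink it may have been stripped, so verify the URL is present in the committed file before publishing. Minor: the slides PDF `/assets/minnebar-2025-benninghoff.pdf` is linked twice with near-identical wording ("the slides are available here" in the body and again under "## Slides"); one of the two could go.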