Thursday, June 19, 2008

Patching and updating

I recently performed a series of Nessus scans for a client who had acquired a competitor. I can't offer specifics but there was a bit of a shocking revelation for me. Some companies are still not actively patching their computers. There was a computer with no patches for an old operating system.

Microsoft provides WSUS for free.

Patch your systems.

Patching is a base-level activity - it needs to be done. You don't have to have a high-end software solution for all of your applications. You can even use the Windows Update website to keep you up to date (or patched with the last patches for the OS).

Be safe out there.

Interesting series of events

I was driving back from a client site on Tuesday and saw an event that unsettled me. As I came up I-35 into downtown Kansas City, I noticed that there was a car several hundred yards ahead of me pulled over on the side of the road. As I got closer I saw the driver get out and run around to the passenger side and yank the door open. The driver then pulled the passenger out of the car and ran back around to the driver side and drove off, leaving the passenger standing on the side of the highway.

I don't really have an insight as to what was going on other than what I observed. Two adults traveling down the road, one of them was apparently angry enough to leave the other on the side of the highway.
Does the driver feel justified leaving the passenger on the side of the road?
Does the driver believe that whatever happened just prior to pulling over was so bad that endangering the passenger by leaving them on the side of the highway was the right thing to do?

(this next section is not intended to minimize the seriousness of what happened but it was part of the thought process I had afterward)

How often do we make business decisions based upon a reaction to a situation without fully thinking through the ramifications? I will own up to being guilty of this and I am going to work on thinking about the ramifications of my action before acting.

How often do our users not think about the ramifications of what they are doing? "I just wanted to do a little shopping during my lunch hour" "I downloaded some videos while I was on the road, I didn't think it would be a problem to leave them on my laptop."

We need to start working with our users to get them thinking about their actions in terms of their effect on the company. Larry Pesce spoke on this on Episode 111 of PaulDotCom Security Weekly. Michael Santarcangelo has written a book on the subject and he and I are podcasting a series on using pop culture to relate security topics to other business users.

Be safe out there.

Friday, June 13, 2008

What don't your users understand and help explaining it to them

Do you know what your users are confused about?

Do you know which acronyms you use that they are confused about?

Are you not sure how to explain a topic to your user community?

Michael Santarcangelo and I started a new podcast series in May based on the peer to peer session I facilitated at RSA Conference 2008 entitled "Pop Culture Security Awareness; finding security in the movies, TV, and other media." The premise is to use pop culture references to explain more complex topics in a way that connects you to your users and provides them with greater understanding.

Michael and I want to bring this to a larger audience and here is how you can help us. We would like to know what questions are coming up for you that you would like a clearer way of explaining.