I got this email from Apple Support about my Apple ID. That’s not surprising since their developer site may (or may not) have been breached last Thursday (see here for details).
It was a little more surprising since I’m not an Apple developer and don’t have an Apple ID – but hell, I’m not going to argue; they might sue me.
But, despite the fear of being sued, I would suggest that Apple spends a little time on its grammar and style checker. The spelling’s not bad, but it doesn’t seem to understand the relationship between full-stops (or American periods) and spaces.
Oh, and that sentence. “We need your help in order to not be frozen your account,” is decidedly not Anglo-Saxon in structure.
So, Apple, until you can improve things, I don’t think I’m going to bother with you. But one last thing. Although you’ve got the link “update Now >” looking quite reasonable, I do suggest you change the name of your support site hidden beneath it. http:// e-kosmetyczka.waw . pl/404.html could almost look like a scam site.
Last month Bruce Schneier made an interesting comment:
I personally believe that training users in security is generally a waste of time and that the money can be spent better elsewhere… If four-fifths of company employees learn to choose better passwords, or not to click on dodgy links, one-fifth still get it wrong and the bad guys still get in.
On Security Awareness Training
My favourite riposte comes from Ira Winkler:
That argument basically says that if the bad guy gets in, all security countermeasures are irrelevant. By that measure, we should abandon security as a whole, since all countermeasures have and will fail.
Arguments Against Security Awareness Are Shortsighted
But Schneier has a point – training clearly isn’t working since (according to Trend Micro) more than 90% of successful APT attacks start from a spear-phishing success. But Winkler also has a point – all [technical and human] countermeasures have and will fail. Does that mean we should just give up on security in general and awareness training in particular?
Clearly not. Surely the solution is not to abandon what isn’t good enough, but to improve it until it is good enough. The question then becomes how do we make security training more efficient? Since the majority of breaches start from a phishing or spear-phishing attack, then phishing is where we should start. But if traditional awareness training isn’t working, perhaps we need to think of something new.
Wombat Security Technologies thinks it has the answer: simulated attack training. In a nutshell, this involves phishing your own staff. This has two huge advantages: it is teaching through experience rather than teaching through lectures (and practical always sticks better than theoretical); and it is measurable. If somebody falls for a phish, and gets sent to a benign destination with a company ‘gotcha’ message, he or she won’t want it to happen again. Second, it allows the company to measure the success of its training scheme.
If 20% (it will likely be more than 80% to start with) fall to the first phish, and then 25% fall to the next one, then clearly there is something wrong with the overall training package, and it needs to be re-evaluated. More likely, however, the number of victims will steadily decrease over time. Repetitive victims can then be pulled out for more targeted training; and super-repetitive victims can be assigned the gardening detail.
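As an added example (not from the original post, and not Wombat’s own tooling), here is how the measurement side of a simulated-phishing programme can be tracked: per-campaign click rates, a check that the rate is actually falling between campaigns, and a list of repeat clickers who should be pulled out for targeted training. The employee names and click results are constructed sample data.

```python
from collections import Counter

# Constructed sample data: one record per (campaign, employee, clicked?).
# Campaign numbers give the order in which the simulated phishes were sent.
RESULTS = [
    (1, "alice", True), (1, "bob", True), (1, "carol", False), (1, "dave", True), (1, "erin", False),
    (2, "alice", True), (2, "bob", False), (2, "carol", False), (2, "dave", True), (2, "erin", False),
    (3, "alice", True), (3, "bob", False), (3, "carol", False), (3, "dave", False), (3, "erin", False),
]


def click_rates(results):
    """Return {campaign: fraction of recipients who clicked}, keyed in campaign order."""
    sent = Counter()
    clicked = Counter()
    for campaign, _user, did_click in results:
        sent[campaign] += 1
        if did_click:
            clicked[campaign] += 1
    return {c: clicked[c] / sent[c] for c in sorted(sent)}


def training_needs_review(rates):
    """True when the click rate fails to fall between consecutive campaigns
    (the 20% then 25% case in the text): the training package is not working."""
    ordered = [rates[c] for c in sorted(rates)]
    return any(later >= earlier for earlier, later in zip(ordered, ordered[1:]))


def repeat_clickers(results, threshold=2):
    """Employees who clicked in at least `threshold` campaigns.
    threshold=2 picks out repetitive victims; a higher value picks out the
    super-repetitive ones."""
    hits = Counter(user for _c, user, did_click in results if did_click)
    return sorted(user for user, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    rates = click_rates(RESULTS)
    for campaign, rate in rates.items():
        print(f"campaign {campaign}: {rate:.0%} clicked")
    print("review training:", training_needs_review(rates))
    print("repeat clickers:", repeat_clickers(RESULTS))
    print("super-repeat clickers:", repeat_clickers(RESULTS, threshold=3))
```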
Wombat has published a new report based on the practical experience of several CSOs from major companies: A Security Officer Debate: Are simulated phishing attacks an effective approach to security awareness and training? It is well worth reading to see how simulated attack training works in practice; and what steps you need to take to get it started.
PS. Note that these are CSOs. Schneier is a CTO.