Ranting about cybersecurity month (and sausages)

securitycurve.com, 2018-10-08 (https://securitycurve.com/?p=811)

What do sausage and cybersecurity have in common? The answer apparently is “October.” October is cybersecurity awareness month (https://www.dhs.gov/national-cyber-security-awareness-month); it’s also national sausage month (https://nationaldaycalendar.com/sausage-month-october/). One would assume that’s coincidence, but who knows what dark forces (with equally inexplicable motives) drive these things?

What the hell is national sausage month, you ask? Started by the National Hot Dog and Sausage Council (https://www.hot-dog.org/), the description from the National Day Calendar (https://nationaldaycalendar.com/) is:

“…an annual designation observed in October. This month, we celebrate everything people around the world love about this juicy, delicious meat! … Sausage dates all the way back to 8th century BC, when Homer wrote in ‘The Odyssey’ about his characters eating an early variation of the meaty meal. Now, you can find some variation of sausage in millions of restaurants all over the world.”

Now, before I begin my ranting, in the spirit of transparency I will confess to you that cybersecurity awareness month irritates me. Why? Because it seems like everybody saves up their hyper-pedantic “advice” about cybersecurity basics to dump on the world come October. The trade media becomes – for exactly one month – a steaming pile of unsolicited, one-size-fits-all “guidance” about how you should comport yourself security-wise, oh my brethren. Which, frankly, I find to be both trite and counterproductive.

Note that I’m not trying to paint any and all guidance with the same brush here. There absolutely is interesting and useful guidance that comes out in October; some of it might even have been initially funded, sponsored, or given resources specifically because it is October and hence Cyber Awareness Month. But this stuff would be useful regardless of when it came out. Instead, I’m talking about the captain-obvious, eat-your-vegetables stuff that lays out (sometimes in excruciating detail) what every 8th-grader should know about security. You know the kind of thing I mean because I’m sure you’ve read 20 or so in the last week: the “pick good passwords”, “don’t write passwords down on a sticky note”, “try not to post your bank account number on Facebook” kind of advice.

This stuff irritates me because fundamentally there are two possible audiences this advice is targeting: either the working security professional or the novice end user. Either one is problematic for its own special reason. If you’re in the business of securing an organization’s assets and the generic October advice is useful to you, you either need to rethink your career path or seriously bone up on the fundamentals. Like, it’s a bit scary if you’ve been in the business for twenty years and you walk away from an article like that going “damn, I guess I really should change the domain admin password to something other than 12345.” I guess it’s good that the message is finally sinking in, but WTH have you been doing this whole time? Not to mention that guidance like that explicitly discounts risk-based decision-making. Meaning, maybe two-factor auth is less important to a given organization because of what they do and how they do it; analyzing the risks involved and making an informed decision based on the threat scenarios and what’s important to the org is what the whole job is about. Anything else deviates from normative standards of professional care (IMHO).

By contrast, if you’re a novice home user, there’s no shame in needing to be reminded (or told for the first time) about this stuff. But these basics are problematic when they’re time-constrained, because attacks happen all year. If we’re keeping people waiting until October to tell them that they should “shore up your passwords” or “back stuff up”, that’s not good. Cramming it all into one month is, in fact, less useful than the alternative. Say, for example, you had $52,000 for publishing advice on how to secure one’s home PC. If costs are equal (say 1k per article), would it be better to: a) release one article per week or b) blow the whole wad on 52 articles in the month of October? You know the answer to this.

If these things are true, the questions become “who is this stuff for” and “what is the net effect”? And, in fact, the only effects I can posit are negative ones. For example, it dilutes resources that might be applied to something more useful for practitioners. It occupies space that would otherwise be earmarked for something more directly practical. It time-constrains for end users what would be more effective if cadenced. And it increases the “noise” that people need to weed through to find what useful stuff there is. None of that is helpful.

So how about this question? Would there be a positive impact on security efforts overall if October were only “sausage month” and we found a different, non-time-constrained way to advocate for security? I’m not sure it’s a clear “yes”, but the fact that it’s debatable means it’s worth discussing.