

Yeah to be clear, I do not recommend my method and I don’t think it’s a good allocation of mental resources. I’m just stubborn :P


FWIW, I use Diceware for password generation; it’s good at making memorable yet still random passphrases.


The prospect of putting all my passwords in one big juicy target has always made me nervous. I go to great lengths to just memorize everything, but damn if it doesn’t take a toll.


Please tell me you have backups of that flash drive


“Matrix” is a pretty difficult-to-search name. What is it? Federated IRC?
Pretty normal for us over here


Had to invoke our Data Transmission policy’s AI clause for the first time


Well, no one else comments in these threads, might as well.


Every email client I can think of off the top of my head blocks images by default. And I don’t see how that relates to your criticism of the whole idea of anti-phishing training


Clicking the link hypothetically confirms to the spammer that yours is a valid and monitored email address, and that you’re a sucker suitable for more targeted phishing.
Of course, it seems like every random user will also happily type their password into any text box that asks for it, too.


One time I failed a phishing test because I did a message trace and confirmed that it originated from our own internal servers.


Nuthin, furloughed.


Inventory management. Can’t secure what you can’t see etc
Spent some time looking for ideas on how to do a security training (compliance requirement) that didn’t suck. Cribbing from some Reddit posts, I think I’m going to give everyone a notecard with something like “Is Bob Bobson a client here”, have them pair up, and do a little phone conversation roleplay where one person is a visher trying to trick the other into revealing the piece of information, while the other person gets practice saying “No.” Seemed like a good way to let the staff dip a toe into thinking like an attacker.