Security Awareness Blog

Presenting Tip #8 - War Stories (or how I almost accidentally hacked the US Army)

This is presenting tip #8 in a series of my lessons learned and mistakes made over the past years, specifically war stories. Something you quickly learn: if you want to bore your audience to death, read the slides. If you want to engage your audience, share real incidents or lessons learned from your past. Once again, your slides are not the presentation, you are. Also, the most valuable stories are not about your successes but your failures.

For example, in my early days at Sun Microsystems I was doing an external network assessment for a bank in SE Asia. After I got the bank's IP addresses from the bank's networking team, I did a complete scan and test of their firewall rulebase, only to discover later that the bank had randomly picked the IP address range for their internal network. The IPs I thought had been assigned to the bank (and had just been testing) were actually assigned to someone else ... the US Army. Dooh!

Or the time I did a security awareness phishing assessment for an organization. Whenever doing a phishing assessment, I always coordinate and test with the manager of the organization's security team first. After coordinating several times with one organization and getting full permission from their security manager, I launched the assessment, only to have all hell break loose. Turns out the security manager had forgotten to tell anyone on his security team about the upcoming test. The lesson I learned from my past is to never assume common sense and to double check everything. Sharing your own mistakes like this not only makes you more human and engaging, but can also loosen up the class as they start sharing their own stories as well.