'orrible outsiders

Our security awareness materials this month concern myriad threats coming from outside the organization.  "'orrible outsiders" was an interesting awareness module to research and write since, although we have covered most if not all of the threats previously, this was the first time we had specifically looked into the full spectrum of external threats as a whole.

There appears to be a growing consensus in the information security community that external threats are not just more numerous than internal threats (which has long been recognized), but some of them are even more dangerous (which is relatively new).  I'm talking here not just about APTs (Advanced Persistent Threats - sophisticated malware), but about blended attacks in general using combinations of attack vectors, such as malicious website + email + malware + social engineering + strong encryption + physical penetration.  Such attacks succeed by peeling back the onion layers of the classical defense-in-depth approach, reminding us - yet again - that in security, standing still means falling behind.   

I remain convinced of the value of blended defense, in other words combining complementary and overlapping controls rather than putting one's faith entirely into one particular form of control (e.g. "technology", for one highly topical example!).  Being an information security awareness guy, it's obvious that I favor security awareness and training, but perhaps it's less obvious that I also believe passionately that we need technical controls such as firewalls and antivirus, plus compliance controls such as enforcement, and governance controls such as security strategies, plus ... well ... plus any other form of control that has some actual, provably beneficial effect on security.  

Personally I draw the line at Neuro Linguistic Programming but, hey, if you want to stick some magic crystals on top of your authentication server, be my guest. Cross your fingers. Touch wood.