September's NoticeBored security awareness module is rapidly falling into place with lots of juicy content for all three streams already:
- For the general/staff audience, we'll be giving an overview, an outline of the main information risks and information security controls, and promoting ethics;
- For professionals, there's a bit more technical content, still without giving too much away (we're trying to encourage people to control against, not commit, hacking!);
- For management, we've updated the anti-hacking policy template to mention the bug bounty idea;
- All three streams emphasize the need for detective and corrective controls to supplement the preventive controls, which are fallible.
The sheer variety of risks and controls is overwhelming, so we'll pick out a few topical aspects to discuss, such as using bug bounties as a technique to both encourage (ethical) disclosure and improve information security, a nice combination.
Hardware hacking will make an appearance too. Over the weekend I've been reading about a hobbyist reconstructing a DEC PDP-11 using modern programmable chips to replicate the original, and last month I was fascinated by a project to rebuild the lunar lander guidance system - not a replica but an original test system. Amazing stuff!