The first post is about targeted social engineering. One of the more interesting aspects:

In one incident, an attacker used phrases directly taken from a public blog, as well as a cordial greeting that the blogger had used when writing about a personal topic. This made the message significantly more authentic to the target, who duly clicked on the attachment.

Pretty clever. Anything you can do to make people even subconsciously believe a message is legitimate will increase your success rate. It only takes one person to fall for it in most cases, to get a foothold that you can leverage for a deep internal attack.

The other post is simply a list of what NOT to do when it comes to IT security. Some of the highlights:

• Assume the users will read the security policy because you’ve asked them to.
• Assume that policies don’t apply to executives.
• Don’t review system, application, and security logs.
• Expect end-users to forgo convenience in place of security.

I’d add a couple of my own to the list:

• Assume that because you’ve never been compromised you’re secure
• Assume that you can prevent all compromises
• Protect only the perimeter
• Have no incident response plan