Hello, everyone, and welcome back to Cybrary's End User Physical Security course. I'm your instructor, Corey Holzer, and this lesson starts Module 4: 4.1, End User Responsibilities.
I have three learning objectives for this lesson. First, we're gonna talk about your responsibilities as an end user.
Then we'll talk about what to do when something goes wrong.
And lastly, we're also gonna talk about how to respond in a crisis situation, because these are things that happen. We can't avoid them. We hope that they don't happen, but they do.
As an end user, whether you're an employee or a contractor with the company, there are certain expectations of you and how you should conduct yourself. We want you to abide by company policy, and we want you to remain vigilant to everything going on around you, most things at least.
We do not want you to cut corners. The rules are there, and the policies are in place, and they should be followed as such. We shouldn't try to do things that cut corners, like letting someone borrow your badge, for example, or letting a visitor go to the bathroom by themselves instead of escorting them properly. And we don't want you to put yourself at risk. That's the job for security. But if you see someone or something, say something.
That's what we expect of you. We don't expect you to be a superhero, or to take on the responsibility of tailing someone, observing someone, or following where they go.
If you see something that doesn't look right, tell someone and let them do their job the way it's supposed to be done.
Now, tailgating is actually one example of something that people will do. It is part of social engineering, so it's an important security piece. Tailgating, or piggybacking, is also referred to as a physical security breach in which an unauthorized person will follow in behind someone who has, let's say, badged in. They'll follow right in behind them so they don't actually record their own badge swipe, because they don't have one.
So let me show you here. On the right-hand side of this picture, someone's entering in through the door, and then, if you can see, I know it's a little blurry, but there's a person there holding the door open, letting everyone walk through. That is a big no-no when it comes to security.
Let each person swipe in like they're supposed to. Challenging people in a polite way in that regard is not being discourteous, but it is making sure that the people who are there have the proper authentication, and that they present themselves to have a reason to be there.
Another thing we deal with, and this is something to be cognizant of, is reverse social engineering. Now, we hear about social engineering a lot, but this is an indirect way of actually trying to gain information. It includes sabotage, advertising, and assisting. A person can just stand there and listen to you as you're talking with a co-worker about some aspect of the business. Now they're gaining intelligence and information that they need without actually having to do anything on their own. Another example, and this gets into phishing as well, is trying to get you to divulge information that you might not really want to divulge, or even realize you're divulging. But it gives them the opportunity to use it and take advantage of the knowledge.
Some other don'ts: don't share your badge. I can't say how many times I've seen it, and a lot of times the person might stand there and pretend they're looking for their badge, patting down their pockets, maybe turning their pockets out, and they can't find it. And our natural habit, as we were raised to be good people, is, "Well, I'll get that for you, I'll swipe the badge." Or they might have their hands full. That's a common tactic as well.
Don't share information unless you know that person has a need to know, and be aware of your surroundings. Don't divulge, don't talk about information outside the office that really shouldn't be discussed, because it's sensitive. And then be very conscious: don't succumb to social engineering of other kinds.
And the most important do-not is don't try to intercede by yourself. That's not your job. We want you to be aware of what's going on, but we don't want you to put yourself at unnecessary risk.
Things you do: say something. I've said this before, and you've heard it in this lesson already. Report suspicious or loitering individuals. Report faulty security measures that aren't working the way they're supposed to. As an example, let's say there's a door with a keypad, but the keypad doesn't work, so usually someone is opening the door for people, letting anybody just walk in. That's not the right answer, because now there's no paper trail. There's no audit. I discussed this back in Module 3.3. A big part of badging, and using that system, is that it creates a paper trail to know where people are, and it's important when it comes to security in the case of a disaster, which I'll touch on later as well.
And then, of course, do report any attempts to socially engineer you. If someone is sending you letters to have you respond, usually emails is what they're going to do, but emails, letters, they're trying to get information from you in whatever way possible. They might call and say, "Hey, I'm trying to see if your business is the right business to do X for me," and then they'll have you tell them things and go into that sales pitch. But if that's not your job, be suspicious. People will be as courteous as they can be. They don't wear a sign over their head that says, "I am a person trying to steal your information." But by looking at the letters they write, the emails, the phone calls, that should raise red flags. If they're asking about something that has nothing to do directly with your job, or with what you should be talking about, don't talk about it.
And that should also be a sign to you that this is a social engineering attempt. Let somebody know. There's a security manager in your building; tell them. If you receive what look like suspicious emails, tell them, because maybe you're not duped by it, but if you're turning over spam, it helps security know something's going on, and they'll say something. Case in point.
I'm going back many years now. I helped to install the company's first email system. So, yes, I'm going back almost 25 years, to the Melissa virus, which was a simple virus. But the goal of it was to actually get people to open the email, and it would look like it came from someone that you know. What it would then do is infect your machine, and then it propagated itself by getting a few names out of your address book and sending that same email to those other people. So to the recipient, it looked like a legitimate email. But it wasn't. And I heard about it. I was actually getting ready for work that morning, and there was a news report about it, and the first thing I did was I jumped on my personal email, because I could. I had my personal email, not actually my work email yet; we weren't that advanced yet. And I sent an email out to all the employees that were in my test group at the time, and I told them about this. I said, "Be very careful."
Do you know, when I got into the office, one of the employees as part of our test group came up to me and she said, "Do you know, I almost clicked on that email? If I hadn't seen yours first, I probably would have, because it looked legitimate."
And that's the kind of thing where your security or your IT departments can get the word out to the users and can hopefully avoid something that could be even more malicious or more disastrous to your business.
Knowing and following the policies is critical. I've talked about policies throughout, and sometimes you read the policies and you don't quite appreciate why the policy is there in the first place. But some of them are very obvious, and they make perfect sense. Some of them might be a little bit more customized to the business you're in.
Let's say it's the printing of people's PII and how that PII should be handled. And by PII, as I mentioned in previous lessons, I mean personally identifiable information. So knowing how to properly handle that, because maybe you're working in an insurance company, and you're handling the personally identifiable information for not just your own workers but customers. You need to know how to properly handle it, how to properly dispose of documentation once it's been used and once that report or transaction has been completed. So if you don't understand your company policies, ask questions. Understand them, and ask questions if you don't, because if you don't, that's when you will unintentionally cause harm, because you don't follow the policy because you don't understand it.
Act as you're expected to act. And if you see something wrong, or there's some flaw in the system, bring it to someone's attention. Again, this is being the responsible end user: telling somebody, "Hey, this system is broken. It may have worked before, but the policy needs to be changed." And then the people who develop policies can go and work on it and make it better.
Okay, so let's do a check on learning.
I'm going to read you the question and the four possible answers. I'll give you some time to think about it, and then I'll tell you why the right answer is right and the wrong answers are wrong.
When you see something suspicious, you should not do which of the following: report suspicious or loitering individuals, intercede by yourself, report faulty security measures, or report social engineering?
And the right answer is...
Okay, so the wrong answers were wrong because they're actually the things you're supposed to do. You are supposed to report something suspicious or loitering individuals, you're supposed to report faulty security measures, and you're definitely supposed to report social engineering attempts. But the one thing you don't do is intercede by yourself.
We don't want you putting yourself at risk. Let security know and let them handle it according to policy and according to the way they know how and are trained to do.
So, in this video we talked about your responsibilities as the end user.
We talked about what to do when something goes wrong or something isn't right.
And we also talked about how to fulfill policies.
I'm your instructor, Corey Holzer. Thank you for taking the time to join me for this lesson. I look forward to seeing you in the next one.