End User Responsibilities

00:01

Hello, everyone. And welcome back to Sai Berries and user Physical Security. Course I'm your instructor. Corey holds er and this lesson starts module for is 4.1 and user responsibilities.

00:23

I have three learning objectives for this lesson. First, we're gonna talk about your responsibilities as an end user.

00:30

Then we'll talk about what to do when something goes wrong.

00:35

And lastly, we're gonna also talk about how to respond in a crisis situation

00:40

because these are things that happen. We can't avoid them.

00:44

We hope that they don't happen, but they do

00:49

so

00:50

as it as an end user rises employee or contractor with the company, there are certain expert

00:57

there are certain expectations of you and how you should conduct yourself. We want you to abide by company policy, and we want you to remain vigilant to

01:07

everything going on around. You are most things at least.

01:11

We do not want you to cut corners. The rules air there, and the policies are in place and they should be followed us. Such We shouldn't try to do things.

01:21

You cut corners or, you know, like letting someone borrow your bed, for example, or maybe not letting someone go to the bathroom by themselves instead of escorting the visitor properly. And we don't want you to put yourself at risk. That's the job for security. But if you see someone

01:40

or something, say something.

01:42

That's that's what we expect of you. We don't expect you to

01:46

to, um,

01:48

be a superhero or or

01:51

to take on the responsibility off

01:55

se

01:56

tailing some, observing someone or following where they go.

02:00

If you see something that looks doesn't look right, tell someone and let them do their job the way it's supposed to be done

02:08

now tell Gating, is actually one example of something that

02:14

people will do.

02:15

And it is. It is something. It is part of social engineering. So it's it's important. Security, peace and tailgating or piggybacking is. Also referred to is a physical security breach in which an unauthorized person will follow in behind someone who has, let's say, badges in.

02:34

They'll follow right in behind them so they don't actually record their own bed sweat because they don't have one. So

02:39

let me let me show you here.

02:42

So we have on the right hand side of this picture someone's entering in through the door. Excuse me, and then there's if you can see, I know it's a little a little blurry, but there's a person there holding the door open. Letting everyone walk through

02:57

that is that is a big no, no. When it comes to security,

03:00

let each person swipe in like they're supposed to.

03:04

Challenging people in a polite way in the in that regard

03:08

is not is not being

03:10

discourteous, but it is making sure that people who were there have the proper authentication, that they present themselves

03:20

to be a have a reason to be there.

03:23

Another thing we deal with and this is something to be cognizant off is reversed. Social engineering. Now this. You know, we've heard we hear social enduring a lot, but this is an indirect way

03:38

of actually trying to gain information

03:40

on includes sabotage, advertising and assisting. Um,

03:47

basically,

03:49

a person can just stand there and listen to you. And maybe as you're talking with a co worker about some aspect of the business now, they can,

03:59

uh,

04:00

they're gaining intelligence and information that they need without actually

04:06

having to do anything on their own. Another example to is trying to get you then this gets into fishing as well to get you to divulge information that you might not really want to divulge or even realize you're divulging. But it gives them the opportunity.

04:25

Teoh. Use it and take advantage of the knowledge

04:30

some other don't

04:31

don't share your badge. This is

04:34

I can't see how many times I've seen it, and a lot of times it's just the person might stand there pretend, you know, like they're looking for their badge, patting, patting down their pockets, maybe turning their pockets out and they can't find it. And

04:48

our natural habit as were raised to be good people like, Well, when I got that for you, I'll swept the veg or they might have their hands full. That's it. That's a common tactic as well.

04:59

Don't share information unless you know that person has a need to know and be aware of your surroundings. Don't divulge. Don't talk about information outside the office that really shouldn't be discussed because it's sensitive

05:13

and then be very constant. Don't succumb to social engineering of other kinds,

05:18

and the most important do not is don't try to intercede by yourself. That's not your job.

05:26

We want you to be

05:28

cause aware of what's going on, but we don't want you to put yourself in unnecessary risk

05:36

things. You do say something. I've said this before. You even heard you've heard it in this lesson already. Report suspicious or loitering individuals report faulty security measures that aren't working the way they're They're supposed to,

05:49

uh, as an example. Let's say there's, ah, door with the key pet, but the keypad doesn't work, so someone is. Usually they're opening the door for people, letting anybody just walk in. That's not the right answer, because now there's no paper trail. There's no ordered. I discussed this back in

06:10

module 3.3. A big part of this is

06:15

a big part of badging, and using that system is it creates a paper trail to know where people are, and it's important when it comes to security. In the case of a disaster on like which, which I'll touch on later as well.

06:28

And then, of course, do report any attempts to socially engineer you If someone is sending you letters to have you respond, usually emails is what they're going to do. But e mails, letters trying to get information from you

06:44

in whatever way possible. They're trying to find out about your Maybe they they might call and say, Hey, I'm trying to see if your business is the right business to do

06:53

X for me and then they'll have you tell them things and go into that sales pitch. But if that's not your job,

07:00

don't be be suspicious. People will be, Is Curtis's? They can be. They won't they don't wear a sign over their head that says, I am a person trying to steal your information. But

07:14

by looking at the letters, they write the emails, the phone calls

07:18

that should raise red flags. If they're asking about something that has nothing to do directly with your job or what you should be talking about, don't talk about it.

07:28

And and that should also be assigned to you that this is a social engineering attempt. Let somebody know there's a security manager in your building. Tell him if you receive what look like suspicious emails, tell them, because

07:43

maybe you're not. Do buy it.

07:45

But if if

07:46

you're turning over

07:50

a, um, spam

07:53

helps them to know that some help security know something's going they'll say something. Case in point.

08:00

I'm going back many years now. I've helped to install the company's first email system.

08:07

So, yes, I'm going back about almost almost 25 years

08:11

and, um,

08:13

the Melissa virus, which

08:16

was a, um, which was a simple virus. But the goal of it was to actually get people to open the email,

08:24

and then it would actually would look like it came from someone that, you know, and what it would then do is it would open up. It would infect your machine, and then it it propagated itself by getting a few names out of your address book and sending that same email to those other people. So to the recipient, it looks like a legitimate email.

08:45

But But it wasn't. And I heard about it. I was actually getting ready for work that that morning,

08:50

and there was, ah, news report about it, and the first thing I did was I jumped on my because I could. I had my personal email not actually my work email yet. We weren't that advanced yet,

09:03

and I sent an email out all the employees that were in my test group at the time, and I told them about this. I said, Be very careful.

09:11

Do you know when I got into the office,

09:13

I actually was

09:16

one of the one of the employees as part of our test group came up to me and she said, Do you know I almost clicked on that email? If I hadn't seniors first, I probably would have because it looked legitimate.

09:30

And that's the kind of thing that that your security or your I T departments can can get the word out to the users and can hopefully avoid something that could be even more malicious or more. Does you know or disastrous to your to your business?

09:48

Knowing and following the policies is critical.

09:52

You know, I've told throughout policies and sometimes the policies

09:56

you read them, and you don't quite appreciate why the policies there in the first But some of them are very obvious, and they make perfect sense. Some of them might be a little bit more, um,

10:09

custom customized to the to the business you're in.

10:13

Let's say it's, um,

10:16

the printing of people's P I information and how that p I I should be handled it. And by P I I you should mention in previous lessons is personally identifiable information. So knowing,

10:31

uh, how to properly handle that? Because maybe you're working in an insurance company, and you you're handling the personally identifiable information for not just your own workers but customers.

10:45

You need to know how to properly handle out how to pop properly, dispose of of documentation once it's been used in once, uh, reports that transaction has been completed. So we didn't understand your company policies. Ask questions,

11:01

understand them and ask questions If you don't, because if you don't that's once. That's when you will unintentionally cause harm because you don't follow the policy because you don't understand it.

11:13

Actors. You're expected to act. And if you see something wrong or something,

11:18

there's some floor in the system.

11:20

Bring it to someone's attention again. This is this is being

11:24

the responsible and user is telling somebody. Hey, this system is broken. It may have worked before, but the policy needs to be changed. And then the people who developed policies they can go and work on it and make it better.

11:41

Okay, so let's do a check on learning.

11:45

I'm going to read you the question in the four possible answers. I'll give you some time to think about it. And then I'll tell you why the right answers. You're right and the wrong answers are wrong.

11:54

When you see something suspicious, you should not do which of the following

11:58

report. Suspicious or loitering Individuals intercede by yourself,

12:03

report faulty security measures or report social engineering.

12:26

And the right answer is

12:30

okay, So the wrong answers were wrong because they're actually the things you're supposed to do. You are supposed to report something suspicious or lettering. Individuals. You're supposed to report faulty security measures and you're definitely so servers report social engineering attempts. But the one thing you don't do is intercede by yourself.

12:50

That's not

12:50

We don't want you putting yourself at risk,

12:54

let Security know and let them handle it. A court according to policy and

13:01

according to the way they know how and are trained to do

13:05

so. In this video we talked about your responsibilities of the end user.

13:11

We talked about what to do when something goes wrong or something isn't right.

13:15

And we also talked about how to fulfill policies.