As a continuation of our discussion on the Importance of Security, we look at why security awareness training is essential for both the technical professional and the end user. For example, if there is a policy in place that users are constantly breaching, a security or IT professional must be able to identify this and train users on what the policy is, why a given procedure is in place, what they expose themselves and the company to by the activities they engage in, and how they can still achieve what they need with proper guidance on doing it in a safe and secure manner.

Transcript

We also should prevent tailgating; tailgating is when someone follows another individual closely to gain access into a facility. Maybe user A has a swipe card, a card with which they swipe into the facility, but somebody else walks in closely behind them. Some people can catch the door with their feet while walking behind you, or they meet you in the car park and engage you in a beautiful conversation so that they're able to gain access into the facility. So our staff should be trained on these strategies so they know how to prevent tailgating. It is also possible to implement strategies to prevent tailgating; here we could do what is called a mantrap. A mantrap is a system of two doors: when the user approaches the first door they swipe in or they punch in the PIN before the door is opened, they go in, and the door closes behind them. Only when that door closes does the next door open; this way we can ensure that only one person goes in at a time. We could also implement turnstiles. When we implement turnstiles, it allows only one person to go in at a time. So yes, we could train our staff to prevent tailgating, but we could also put in controls that limit tailgating. Our users need to be trained on the use of personally owned devices.
These include mobile phones, digital cameras, electronic picture frames, and all sorts of devices that could act as a storage device or a recording device. These are possible avenues for data to leak from the organization: the use of USB thumb drives, external hard drives, digital cameras, mobile phones. Sometimes within some organizations these devices are prohibited because they are devices that could allow for data leakage. People could come in and record; maybe I want to record where we have CCTV cameras here. Now someone else having access to or knowledge of where the CCTV cameras are knows how to bypass such cameras. So we have to limit the use of personally owned devices. Some people could come to work with an electronic picture frame, oh, they want to see their loved ones all the time while they're at work, so the pictures are skipping from one to the other, but that is a storage device, a device with which data could be moved out of the organization. What about USB thumb drives? It's a storage device; information could be moved out of the organization using such devices. So some organizations prohibit the use of personally owned devices because sometimes these devices do not even support encryption. What if you lose them with the company data on it? Now anybody having access to such a device has access to your data, so it could cause data to leak if you lose it, or these could be used to steal data from the organization, so sometimes we prohibit the use of personally owned devices. These days we also have wearable technology where someone could come in with a wristband, but it's a USB device; someone could come in with a pendant, it's a USB device; earrings, USB device; what of glasses? USB devices. This should be carefully monitored. It becomes very tedious or difficult to monitor these devices because people put on jewelry to beautify themselves.
How do you easily identify what is a storage device? Best practice could be just to disable your USB ports; if your USB ports are disabled, even if we come in with wearable technology we can't steal data off the networks. New threats and security trends or alerts: we have to educate our users on new threats. Every day new viruses are being released out there. Educate your users, and not only your users; sometimes it is our responsibility to educate our customers. If you have customers that take service from your networks, educate your customers as well. A lot of banks these days see it as their responsibility to educate their customers: we will not collect private information from you via email; do not click on this link or click on that link if it is within your email. So we have to educate our users on new viruses, what they should do and what they should not do, how they should respond or not respond to these viruses. We also should educate our users on phishing attacks. What is a phishing attack? A phishing attack is social engineering via e-mail. In the e-mail malicious persons will try to scare you, and they also give you a link; they want you to click on that link. Using that link you arrive at a website. They send you an e-mail, within that e-mail there's a link, you click on that link, it takes you to a dummy website where they aim to collect your credentials. Now this is unauthorized disclosure of your credentials to them. You put it in; this could be the first attempt. Maybe they take you to another site, again a dummy site. This is the second attempt. Finally they take you to the real site where you're able to log on and you see that all is well. But what have you done? You've provided your confidential e-mail credentials, you've confirmed them, so now they know your credentials. They could replay your credentials to the server and have access.
This is an example of a phishing attack, so it is the responsibility of administrators to educate their users not to click on links that are within e-mails, because these could be used as a form of phishing attack. It is also the responsibility of organizations today, like banks: educate not only your staff but your customers. We will not collect credentials via e-mail, we will not collect credentials via telephone, so that when these things happen to customers they know how to respond; otherwise you could suffer financial loss later in the form of lawsuits. Oh, you did not tell us you were never going to collect it via e-mail; I thought it was something only from the bank. So, best practice: organizations should learn to protect themselves and their users and their customers by educating them on how to respond to phishing attacks. We also have zero-day exploits; organizations should ensure that their updates are the most recent. What is a zero-day exploit? A zero-day exploit is a type of attack you have never experienced before; the first time you experience it is the first time it happens. How do you protect against something you don't know about? The best way is to keep all your updates most recent: application updates most recent, operating system updates most recent, driver updates, virus updates, keep everything most recent. That way you're able to improve your immunity level so that not just any type of attack can compromise you. So a zero-day attack is the type of attack you have never experienced and for which you have no known solutions. So the only way to protect against this is to keep your updates to the most recent updates. Individuals should be responsible for making sure that applications and operating systems receive their patches. Keep them to the latest update. The use of social networking and peer to peer.
Yes, these days social networks could facilitate business processes; when we use social networks they have instant messengers on these devices whereby we could easily chat in real time with our colleagues on the other side of the network. It could facilitate business processes in that it makes us work and collaborate, but the use of social networks is discouraged in certain environments because data could also leak via social networks. You have disabled your USB ports so nobody can copy off your networks anymore via the ports, but it is possible for people to move data across the network via instant messenger. Two: who is on the other side? Many of you have possibly experienced this: you're chatting with someone, and when we chat with people we tend to let our guard down. Oh, it is a contact that I know; can you physically see them? No. What if they had walked away and somebody else is by the system? That is a possible data breach. You could be disclosing information to unauthorized persons. In some cases some people have also experienced this: you're chatting with four people at the same time, person A, person B, person C and person D. What you are meant to tell C you go and tell A; now A knows what they're not supposed to know. So it is possible that you compromise data confidentiality this way: data leakage, who is on the other side, and you could accidentally disclose information to an unauthorized person. These are some risks with social networking. If we look at peer to peer: peer to peer means people or systems can connect to each other, and usually when we do peer-to-peer settings, especially in the days of Napster when people were sharing music on the Internet, I would leave a portion of my computer open so that other people across the Internet could connect to me and pick up my music files.
What if I don't know what to secure? What if I leave all of my computer open, so somebody having access to the music folder also has access to your documents, your pictures and other portions of your system? So when we do peer to peer there is the possibility that we could have data leakage. Not everybody knows what to secure, and that way you don't secure very confidential documents or files on your system, and that could result in the risk, or the threat could be there, that other people are able to steal your data. Finally for this section, we should follow up and gather training metrics to validate compliance and security posture. So we should have training metrics to see whether the users trained are following the procedure. Are they in compliance with the standards? So some administrators would even create fake phishing attacks. You create fake phishing attacks and send them to your users and monitor who is clicking on those links. That means possibly those people don't understand the impact of the training; they don't understand that they shouldn't click on those links; maybe they need retraining. So these are some of the metrics with which you could see that there is compliance, because if you don't have metrics in place how do you gauge the effectiveness of your training? Your training could have been a perfect training, beautiful, everybody liked the instructor, everybody enjoyed the training, the coffee was good, the air conditioning was great, but people are still clicking on the links. So you should have metrics by which you can say, oh, the training is effective, or people need more training, and this is by testing the individuals that are involved. That is it for section 2.6.
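The lecture describes the classic bank phishing e-mail: a scary message with a link whose visible text looks like the bank, while the href leads to a dummy site that harvests credentials. The following is an added example, not code from Cybrary or the lecture, of the check a mail gateway or awareness tool can run on an inbound HTML message: it collects every anchor, flags hrefs outside the organization's known domains, and flags anchors whose visible text names a different domain than the href. The sample message, the `.example` domains and the `TRUSTED_DOMAINS` set are constructed assumptions; the "last two labels" domain rule is a deliberate simplification where production code would consult the public-suffix list.

```python
"""Flag suspicious links in an HTML e-mail (added example, not from the lesson)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message in the style of the bank phishing the lecture describes.
# The domains use the reserved .example TLD and are not real.
SAMPLE_EMAIL = """
<p>Dear customer, your account will be suspended within 24 hours.</p>
<p>Please confirm your details at
<a href="http://secure-examplebank.example/verify">https://www.examplebank.example/login</a></p>
<p>Questions? Visit <a href="https://www.examplebank.example/help">our help centre</a>.</p>
"""

# Domains the organization actually sends mail for (assumption for this example).
TRUSTED_DOMAINS = {"examplebank.example"}


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' domain; real deployments should use the public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """Host named by a URL or bare domain in the visible link text, else None."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host if host and "." in host else None


def link_findings(html, trusted_domains=TRUSTED_DOMAINS):
    """Return (finding, href, detail) tuples for every suspicious anchor."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        href_domain = registrable_domain(urlparse(href).hostname or "")
        # Link leads somewhere the organization does not own.
        if href_domain not in trusted_domains:
            findings.append(("untrusted-domain", href, href_domain))
        # Visible text advertises one domain while the href goes to another.
        shown_host = host_of(text)
        if shown_host and registrable_domain(shown_host) != href_domain:
            findings.append(("text-href-mismatch", href, text))
    return findings


if __name__ == "__main__":
    for finding in link_findings(SAMPLE_EMAIL):
        print(finding)
```

The "text-href-mismatch" finding is the one worth surfacing to users in awareness material: it is exactly the trick the lecture describes, and it is visible to anyone who hovers over the link before clicking.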
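The closing point of the lecture is that a training programme needs metrics, and that sending a fake phishing e-mail and watching who clicks is one way to collect them. As an added example (not from Cybrary or the lecture), the script below takes the kind of per-recipient export a phishing-simulation tool produces and turns it into the numbers an administrator would act on: click, credential-submission and report rates per department, the click-rate gap between trained and untrained staff, and the list of people who need retraining. The CSV rows, column names and department labels are constructed sample data.

```python
"""Phishing-simulation scorecard (added example, not from the lesson).

Assumes the simulation tool exports one row per recipient with the columns
below; real tools use their own column names, so adapt parse_results().
"""
import csv
import io
from collections import defaultdict

# Constructed sample export: who was trained, who clicked, who typed credentials
# into the dummy page, and who reported the message to the security team.
SAMPLE_CSV = """user,department,trained,clicked,submitted,reported
alice,finance,yes,no,no,yes
bob,finance,yes,yes,yes,no
carol,finance,no,yes,no,no
dave,hr,yes,no,no,no
erin,hr,no,yes,yes,no
frank,it,yes,no,no,yes
grace,it,yes,yes,no,yes
"""


def parse_results(text):
    """Turn the CSV export into a list of dicts with boolean flags."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "user": r["user"],
            "department": r["department"],
            "trained": r["trained"] == "yes",
            "clicked": r["clicked"] == "yes",
            "submitted": r["submitted"] == "yes",
            "reported": r["reported"] == "yes",
        })
    return rows


def rate(numerator, denominator):
    """Proportion rounded to three places; zero when there were no recipients."""
    return round(numerator / denominator, 3) if denominator else 0.0


def department_metrics(rows):
    """Per-department click, credential-submission and report rates."""
    by_dept = defaultdict(list)
    for r in rows:
        by_dept[r["department"]].append(r)
    metrics = {}
    for dept, rs in sorted(by_dept.items()):
        n = len(rs)
        metrics[dept] = {
            "recipients": n,
            "click_rate": rate(sum(r["clicked"] for r in rs), n),
            "submit_rate": rate(sum(r["submitted"] for r in rs), n),
            "report_rate": rate(sum(r["reported"] for r in rs), n),
        }
    return metrics


def training_effect(rows):
    """Click rate of trained versus untrained recipients; the gap is the training signal."""
    trained = [r for r in rows if r["trained"]]
    untrained = [r for r in rows if not r["trained"]]
    return {
        "trained_click_rate": rate(sum(r["clicked"] for r in trained), len(trained)),
        "untrained_click_rate": rate(sum(r["clicked"] for r in untrained), len(untrained)),
    }


def needs_retraining(rows):
    """Anyone who submitted credentials, plus anyone who clicked despite being trained."""
    return sorted(r["user"] for r in rows
                  if r["submitted"] or (r["trained"] and r["clicked"]))


if __name__ == "__main__":
    results = parse_results(SAMPLE_CSV)
    for dept, m in department_metrics(results).items():
        print(dept, m)
    print(training_effect(results))
    print("retrain:", needs_retraining(results))
```

The report rate is as important as the click rate: a department where people click but also report is in better shape than one that stays silent, because the report is what gives the security team time to respond to a real campaign.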