Time
3 hours 47 minutes
Difficulty
Beginner
CEU/CPE
3

Video Description

As a continuation of our discussion on the Importance of Security, we look at why security awareness training is essential for both the technical professional and the end user. For example, if there is a policy in place that users are constantly breaching, a security or IT professional must be able to identify this and train users on what the policy is, why a given procedure is in place, what they subject themselves and the company to by the actions they engage in, and how they can still achieve what they need with proper guidance on how to do that in a safe and secure manner.

Transcript

We also should prevent tailgating; tailgating is when someone else follows another individual closely to gain access into a facility. Maybe user A has a swipe card, a card with which they swipe into the facility, but somebody else walks in behind them closely. Some people can catch the door with their feet while walking behind you, or they meet you in the car park and engage in a beautiful conversation so that they're able to gain access into the facility. So our staff should be trained on these strategies so they know how to prevent tailgating. It is also possible to implement strategies to prevent tailgating; here we could do what is called a man trap. A man trap is a system of two doors: when the user approaches the first door they swipe in or they punch in the PIN before the door is opened; they go in, and that way the door will close behind them. If that door closes, the next door opens. This way we can ensure that only one person goes in at a time. We could also implement turnstiles. When we implement turnstiles, it allows only one person to go in at a time. So yes, we could train our staff to prevent tailgating, but we could also put in controls to limit tailgating. Our users need to be trained on the use of personally owned devices.
These include mobile phones, digital cameras, electronic picture frames, and all sorts of devices that could act as a storage device or a recording device. These are possible avenues for data to leak from the organization: the use of USBs, USB thumb drives, external hard drives, digital cameras, mobile phones. Sometimes within some organizations these devices are prohibited because they are devices that could allow for data leakage. People could come in and record. Maybe I want to record: where do we have CCTV cameras here? Now someone else having access to or knowledge of where the CCTV cameras are knows how to bypass such cameras. So we have to limit the use of personally owned devices. Some people could come to work with an electronic picture frame; oh, they want to see their loved ones every time while they're at work, so the pictures are skipping from one to the other, but that is a storage device, a device with which data could be moved out of the organization. What about USB thumb drives? It's a storage device; information could be moved out of the organization using such devices. So some organizations prohibit the use of personally owned devices because sometimes these devices do not even support encryption. What if you lose them with the company data on them? Now anybody having access to such a device has access to your data, so it could cause data to leak if you lose it, or these could be used to steal data from the organization. So sometimes we prohibit the use of personally owned devices. These days we also have wearable technology, where someone could come in with a wristband but it's a USB device; someone could come in with a pendant, it's a USB device; earrings, USB device; what of glasses? USB devices. This should be carefully monitored. It becomes very tedious or difficult to monitor these devices because people put on jewelry to beautify themselves.
How do you easily identify what is a storage device? Best practice could be just to disable your USB ports; if your USB ports are disabled, even if we come in with wearable technology we can't steal data off the networks. New threats and security trends or alerts: we have to educate our users on new threats. Every day new viruses are being released out there. Educate your users, and not only your users; sometimes it is our responsibility to educate our customers. If you have customers that pull service from your networks, educate your customers as well. A lot of banks these days see it as their responsibility to educate their customers: we will not collect private information from you via email; do not click on this link or click on that link if it is within your email. So we have to educate our users on new viruses, what they should do and what they should not do, how they should respond or not respond to these viruses. We also should educate our users on phishing attacks. What is a phishing attack? A phishing attack is social engineering via e-mail. In the e-mail, malicious persons will try to scare you, and they also give you a link; they want you to click on that link. Using that link you arrive at a website. They send you an e-mail; within that e-mail there's a link; you click on that link and it takes you to a dummy website where they aim to collect your credentials. Now this is unauthorized disclosure of your credentials to them. You put them in; this could be the first attempt. Maybe they take you to another site, again a dummy site. This is the second attempt. Finally they take you to the real site, where you're able to log on and you see that all is well. But what have you done? You've provided your confidential e-mail credentials, you've confirmed them, so now they know your credentials. They could replay your credentials to the server and have access.
This is an example of a phishing attack, so it is the responsibility of administrators to educate their users not to click on links that are within e-mails, because these could be used as a form of phishing attack. It is also the responsibility of organizations today, like banks: educate not only your staff, educate your customers. We will not collect credentials via e-mail, we will not collect credentials via telephone, so that when these things happen to customers they know how to respond; otherwise you could suffer a delayed financial loss in the form of lawsuits. "Oh, you did not tell us you were never going to collect it via e-mail; I thought it was something from the bank." So best practice: organizations should learn to protect themselves and their users and their customers by educating them how to respond to phishing attacks. We also have zero day exploits; organizations should ensure that their updates are the most recent. What is a zero day exploit? A zero day exploit is a type of attack you have never experienced before; the first time you experience it is the first time it happens. How do you protect against something you don't know about? The best way is to keep all your updates most recent: application updates most recent, operating system updates most recent, driver updates, virus updates; keep everything most recent. That way you're able to improve your immunity level, so to speak, and see that not just any type of attack can compromise you. So a zero day attack is the type of attack you have never experienced and for which you have no known solution. So the only way to protect against this is to keep your updates to the most recent updates. Individuals should be responsible for making sure that applications and operating systems receive their patches. Keep them at the latest update. The use of social networking and peer to peer.
Yes, these days social networks could facilitate business processes. When we use social networks, they have instant messengers on these devices whereby we could easily chat in real time with our colleagues on the other side of the network. It could facilitate business processes in that it makes us work and collaborate, but the use of social networks is discouraged in certain environments because data could also leak via social networks. You have disabled your USBs so nobody can copy off your networks anymore by the ports, but it is possible for people to move data across the network via instant messenger. Two: who is on the other side? Many of you have possibly experienced this: you're chatting with someone and you see, when we chat with people we tend to let our guard down. Oh, it is a contact that I know. Can you physically see them? No. What if they had walked away and somebody else is by the system? That is a possible data breach; you could be disclosing information to unauthorized persons. In some cases some people have also experienced this: you're chatting with four people at the same time, person A, person B, person C and person D. You're chatting with four people at the same time; what you are meant to tell C you go tell A, and now A knows what they're not supposed to know. So it is possible that you compromise data confidentiality this way, data leakage: who is on the other side, and you accidentally could tell; you accidentally could disclose information to an unauthorized person. These are some risks with social networking. If we look at peer to peer: peer to peer means people or systems can connect to each other, and usually when we do peer to peer settings, especially in the days of Napster where people were sharing music on the Internet, I would leave a portion of my computer open so that some other people across the Internet can connect to me and pick my files, my music files.
What if I don't know what to secure? What if I leave all my computer open, so somebody having access to the music folder also has access to your documents, your pictures and other portions of your system? So when we do peer to peer there is the possibility that we could have data leakage. Not everybody knows what to secure, and that way you don't secure very confidential documents or files on your system, and that could result in the risk, or the threat could be there, that some other people are able to steal your data. Finally for this section, we should follow up and gather training metrics to validate compliance and security postures. So we should have training metrics to see: the users trained, are they following the procedure? Are they in compliance with the standards? So some administrators would even create fake phishing attacks. You create fake phishing attacks and send them to your users and monitor who is clicking on those links. That means possibly those people don't understand the impact of the training; they don't understand that they shouldn't click on those links; maybe they need retraining. So these are some of the metrics with which you could see that there is compliance, because if you don't have metrics in place, how do you gauge the effectiveness of your training? Your training could have been a perfect training: beautiful, everybody liked the instructor, everybody enjoyed the training, the coffee was good, the air conditioning was great, but people are still clicking on the links. So you should have metrics by which you can say, oh, the training is effective, or people need more training, and this is by testing the individuals that are involved. That is it for section 2.6.
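The lecture's phishing example turns on one detail: the e-mail link's visible text and its real destination are not the same place. The following is an added example, not code from the lesson or its transcript, showing the kind of defensive check a mail filter or a "hover before you click" training exercise can run over an HTML message body. It extracts every anchor and flags two classic tells: link text that shows one domain while the href goes to another, and a link whose target is a bare IP address. The e-mail body, the `.test` domains and the `203.0.113.x` address are constructed placeholders, and the two-label "registrable domain" comparison is a deliberate simplification assumed for this example (real filters use a public-suffix list).

```python
"""Flag e-mail links whose visible text disagrees with their real destination.

Added example, not part of the lesson: constructed input, placeholder domains.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML e-mail body; .test domains and 203.0.113.x are documentation
# placeholders, not real sites.
SAMPLE_EMAIL = """
<p>Dear customer, your account will be suspended in 24 hours.</p>
<p>Please <a href="http://secure-login.example-fake.test/verify">https://online.examplebank.test/login</a>
to confirm your details.</p>
<p><a href="https://online.examplebank.test/help">Help centre</a></p>
<p><a href="http://203.0.113.9/update">Click here</a></p>
"""

# Visible link text that itself reads like a URL or a domain name.
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text: str) -> str:
    """Hostname of a URL, or of bare domain-like text such as 'bank.test/login'."""
    candidate = text if "://" in text else "http://" + text
    return (urlparse(candidate).hostname or "").lower()


def registrable(host: str) -> str:
    """Compare on the last two labels so www.bank.test and bank.test agree.
    Crude stand-in for a public-suffix lookup, assumed for this example."""
    return ".".join(host.split(".")[-2:])


def is_ip_literal(host: str) -> bool:
    """True when the link target is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html_body: str) -> list[tuple[str, str, str]]:
    """Return (href, text, reason) for each link a user should be warned about."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        # Tell 1: the text shows a URL/domain, but the href points elsewhere.
        if URL_LIKE.match(text) and registrable(host_of(text)) != registrable(href_host):
            findings.append((href, text, f"display text shows {host_of(text)} but link goes to {href_host}"))
        # Tell 2: legitimate senders rarely link users to a bare IP address.
        elif is_ip_literal(href_host):
            findings.append((href, text, f"link target is a bare IP address {href_host}"))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"[WARN] '{text}' -> {href}: {reason}")
```

On the sample body the first and last links are flagged and the genuine "Help centre" link passes, which is the same judgement the lecture asks users to make by hovering over a link before clicking it.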
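The section closes on training metrics: send a simulated phishing e-mail, record who clicks, and use that to decide whether training worked or who needs retraining. As an added example (not code from the lesson or its transcript), the script below scores a constructed campaign export per department and for the campaign as a whole. The user names, departments and flags are constructed sample data, and the pass/fail thresholds (`max_click_rate`, `min_report_rate`) are values assumed for this example, not figures from the lecture; an organization sets its own.

```python
"""Score a simulated-phishing campaign as a training-effectiveness metric.

Added example, not part of the lesson: constructed data, assumed thresholds.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed campaign export (not real data). One row per recipient:
# was the test mail delivered, did they click, did they then enter
# credentials on the landing page, did they report the e-mail.
CAMPAIGN_CSV = """\
user,department,delivered,clicked,submitted,reported
alice,finance,1,0,0,1
bob,finance,1,1,0,0
carol,finance,1,1,1,0
dave,engineering,1,0,0,1
erin,engineering,1,0,0,0
frank,engineering,1,1,0,1
grace,hr,1,1,1,0
heidi,hr,1,0,0,0
ivan,hr,0,0,0,0
"""


@dataclass
class DeptMetrics:
    delivered: int = 0
    clicked: int = 0
    submitted: int = 0
    reported: int = 0

    def rate(self, field: str) -> float:
        """Share of delivered recipients who performed the given action."""
        return getattr(self, field) / self.delivered if self.delivered else 0.0


def parse_results(text: str) -> list[dict]:
    """Parse the export, turning the 0/1 columns into booleans."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "user": row["user"],
            "department": row["department"],
            **{k: row[k] == "1" for k in ("delivered", "clicked", "submitted", "reported")},
        })
    return rows


def department_metrics(rows) -> dict:
    """Aggregate click, credential-submission and report counts per department."""
    metrics = defaultdict(DeptMetrics)
    for r in rows:
        if not r["delivered"]:
            continue  # bounced mail tells us nothing about the user
        m = metrics[r["department"]]
        m.delivered += 1
        m.clicked += r["clicked"]
        m.submitted += r["submitted"]
        m.reported += r["reported"]
    return dict(metrics)


def needs_retraining(rows) -> list[str]:
    """Users who clicked: the lecture's cue that the training did not land."""
    return sorted(r["user"] for r in rows if r["delivered"] and r["clicked"])


def training_effective(metrics, max_click_rate=0.2, min_report_rate=0.5) -> bool:
    """Campaign-level pass/fail against thresholds (assumed values, set per organization)."""
    delivered = sum(m.delivered for m in metrics.values())
    clicked = sum(m.clicked for m in metrics.values())
    reported = sum(m.reported for m in metrics.values())
    if delivered == 0:
        return False
    return clicked / delivered <= max_click_rate and reported / delivered >= min_report_rate


if __name__ == "__main__":
    rows = parse_results(CAMPAIGN_CSV)
    by_dept = department_metrics(rows)
    for dept, m in sorted(by_dept.items()):
        print(f"{dept:12s} clicked {m.rate('clicked'):.0%}  "
              f"entered credentials {m.rate('submitted'):.0%}  reported {m.rate('reported'):.0%}")
    print("retraining:", ", ".join(needs_retraining(rows)))
    print("campaign passes thresholds:", training_effective(by_dept))
```

Tracking the report rate alongside the click rate matters: a department whose users click but also report is in a different place from one that clicks silently, and the report rate is the metric that tells you whether the "do not click, tell us" message from the training has been absorbed.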



Instructed By

Kelly Handerhan
Senior Instructor