CompTIA Security+ SYO-401

Certification Training
Importance of Security Related Awareness and Training Tutorial

1 Importance of Security Related Awareness and Training

Introduction

While conducting business, it is important to take preventive action to maintain security-related awareness and to conduct training on security measures. In this lesson, we will learn why it is necessary to maintain security, how to maintain awareness, and how to classify different data or information.

At the end of this lesson, you will be able to:
• Explain security policy training and procedures,
• Describe Personally Identifiable Information and the classification of information,
• Explain data labeling, handling, and disposal,
• Describe compliance with laws, best practices, standards, and user training,
• Describe new threats and new security, social networking, and P2P issues, and
• Explain the importance of follow-up and gathered training metrics.

2 Security Policy and Training Procedures

In this topic, you will learn about different security policies and training procedures. Security isn't something you can put in place once and expect to provide complete protection. Security mechanisms should be based on the targeted attack vector, and should be capable of countering constantly evolving malicious attacks. One of the attack vectors attackers commonly use is the employee. You can counter this by providing proper training and awareness to employees. If you do not train your employees in the appropriate procedures for handling and protecting data, they are vulnerable and will succumb to compromise.

Training and awareness should be clearly defined in the security policy, and there should be regular meetings at every employee level. This keeps employees aware of the security practices that need to be in place at all times, and of the current threats. With proper information, users can be equipped to recognize social-engineering attacks and avoid being taken in by them. Failure to maintain security awareness leads to a decline in the security measures practiced. In the next session, we will see the security policy and training procedures that can be followed to maintain awareness.

To secure the network, you need awareness, training, and education. If you do not combine these when training your employees, they will fall victim either to social engineering or to some other technical security risk. The first step of training is to have a security policy. The security policy should define the methods of training, awareness, and user education, and what is expected of end users. This policy should be reviewed regularly, as it may change from time to time. Training involves training the user according to the actual policy.

The next aspect to consider is user awareness. Awareness is not necessarily taught in a classroom, but through the work environment. It can be generated through rallies, speeches, announcements, notices, posters, newsletters, screensavers, and anything else that brings relevant security issues to the fore. The issues users need to be aware of include avoiding waste, fraud, and unauthorized activities.

Education is a more detailed effort, and requires an in-depth, focused review of policies and security measures. Education reinforces awareness and enhances training. It makes people more secure and informs them about security threats in detail. Education also means educating the team on current trends and the mitigation of security threats. The organization should also have formal training on new standards and security policies.

3 Role-Based Training

This is the process of training employees to perform tasks that comply with the security policies applicable to their job roles. Additionally, new employees require certain training as per their defined job roles. Role-based training consists of the following categories: Organization, Management, and Technical Staff.

Organization-wide training is conducted across the organization and provides education on security processes, current trends, and threats. During this training, it is mandatory to include content on the following topics:
• Importance of security
• Responsibilities of people in an organization
• Policies and procedures
• Usage policies
• Account and password selection criteria
• Social engineering and its prevention

The organization-wide training is done by internal staff or by hiring a training professional. This type of training should be given during the hiring phase, as its concepts can be absorbed at the time employees join. This builds a foundation that can be reinforced with awareness campaigns.

It is highly important for managers to be aware of global security issues. This includes enforcing and implementing security policies and procedures, and approving changes if necessary. Managers need to know the effects of security, how it works, and why it is necessary. They should have additional training on threats, exposures, and how to respond to an incident or event. Management should also be concerned about the financial issues that arise from risk and compromise.

The technical staff needs specialized training and knowledge about the methods, controls, implementations, and capabilities of the systems that manage security. They need to know about the configuration and technologies implemented in the environment.

Training during onboarding is not enough. It needs to be followed up regularly. Some companies have weekly or monthly security meetings and rallies. If you enforce training and build on it, your environment is more secure.

Data that is considered highly sensitive is Personally Identifiable Information, or PII. This is information related to your identity, and includes data such as date of birth, social security number, and driver's license number. PII is used in industries such as medical and banking, but this information must be protected. Generally, PII is not protected in the United States unless enforced. In these cases the company should clearly state in its Acceptable Use Policy (AUP) what PII it collects from users, and how the collected information will be used and protected. Some other examples of PII are a person's name, credit card number, patient record, or fingerprints.

The best way to protect PII is through training. Users need to be aware of PII and of the best way to safeguard their data. This includes informing the staff about scams or other malicious tricks used to obtain PII. An attacker who obtains PII can pretend to be that individual. Social engineering is an attack that targets the human aspect of IT and manipulates the identity of existing people. One of the easiest ways to give up PII is to do so unknowingly. Once an attacker has someone's PII, they can imitate them to gain access to resources and cause security issues.

4 Classification Systems

In this topic, we will learn about the two main classification systems as well as the generic classification terms. Information classification is the process of labeling objects with sensitivity labels and labeling users with clearance labels. Once a resource is classified, users need to read and observe the assigned label. Thus, each object receives the security it needs. For example, someone with Top Secret clearance can access data that is classified top secret. This is found in mandatory access control, which will often use information classification to assign permissions to users and prevent others from accessing data.

Data or information classification is used to determine how much effort, money, and resources are allocated to protect the data. The primary objective of data classification schemes is to formalize and stratify the process of securing data based on assigned labels of importance and sensitivity. Moreover, it provides security mechanisms for storing, processing, and transferring data, and defines how the data should be removed and destroyed. The criteria for classification can vary based on the type of data and on how the company performs the classification. One of the overlooked aspects of data classification is the declassification of data. When data is no longer valuable, it should be declassified. This means lowering the sensitivity of the data or destroying it completely.

The two most common classification systems are government or military classification, and commercial or business classification. The government or military classification includes the following five levels:
• Top Secret – This is the highest level of classification. The unauthorized disclosure of top-secret data has drastic effects and causes severe damage.
• Secret – This is used for data of a restricted nature that does not require the highest level of security. Disclosure of the data to unauthorized parties amounts to critical damage or severe effects.
• Confidential – This is used for private or confidential data. The unauthorized disclosure of this type of data leads to some serious damage and noticeable effects, but not as drastic as at the top secret and secret levels.
• Sensitive but unclassified – This is used for private data whose disclosure would not cause severe harm.
• Unclassified – This is the lowest level of classification, used for data that is neither sensitive nor classified. Disclosure of this data would not compromise anything or cause any damage.

The commercial or business sector classification varies widely, because these organizations do not adhere to any regulation. The four levels of classification are Confidential, Private, Sensitive, and Public. Here, the most sensitive data is Confidential, and the least sensitive is Public.

Although the government or military terms and the business classification levels are useful, generic references can also be used. Some of the commonly used alternative classification terms are:
• High – In government or military terms, this is equivalent to top secret.
• Medium – This is close to classified with respect to the government or military classification standards.
• Low – This level is close to unclassified, and has low impact if compromised.
• Confidential – This relates to the most valuable and sensitive data level in the business classification scheme.
• Private – This information is not open to the public, but is not the most sensitive data either. This is often internal data shared with employees.
• Public – This relates to the least sensitive data, and is often completely open to the public.
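The label comparison that mandatory access control performs, and the declassification step the topic says is often overlooked, can be shown in a few lines. The following is an added example written for this tutorial, not code from the lesson: it orders the five government levels and the four commercial levels exactly as listed above, and the sample documents, clearances and file names are constructed for illustration.

```python
# Added example (not from the lesson): a minimal label-based read check of
# the kind a mandatory access control system applies, using the two
# classification schemes described above. Level orderings follow the text;
# the sample documents and clearances below are constructed for illustration.

# Government or military scheme, ordered from least to most sensitive.
GOVERNMENT = (
    "Unclassified",
    "Sensitive but unclassified",
    "Confidential",
    "Secret",
    "Top Secret",
)

# Commercial or business scheme, ordered from least to most sensitive.
COMMERCIAL = ("Public", "Sensitive", "Private", "Confidential")

SCHEMES = {"government": GOVERNMENT, "commercial": COMMERCIAL}


def rank(scheme: str, level: str) -> int:
    """Position of a level within its scheme; higher means more sensitive.
    Unknown levels are rejected rather than silently treated as low."""
    levels = SCHEMES[scheme]
    if level not in levels:
        raise ValueError(f"unknown {scheme} level: {level!r}")
    return levels.index(level)


def can_read(scheme: str, clearance: str, label: str) -> bool:
    """A subject may read an object only if its clearance is at least as
    high as the object's sensitivity label (the simple-security rule)."""
    return rank(scheme, clearance) >= rank(scheme, label)


def declassify(scheme: str, label: str, steps: int = 1) -> str:
    """Lower a label by `steps` levels, never going below the lowest level.
    This models the declassification step the text says is often overlooked."""
    new_rank = max(0, rank(scheme, label) - steps)
    return SCHEMES[scheme][new_rank]


def readable_objects(scheme: str, clearance: str, objects: dict) -> list:
    """Names of the objects (name -> label) that `clearance` may read,
    in the order they were listed."""
    return [name for name, label in objects.items()
            if can_read(scheme, clearance, label)]


# Constructed sample: a few labelled documents in each scheme.
GOVERNMENT_DOCS = {
    "press-release.txt": "Unclassified",
    "site-map.pdf": "Sensitive but unclassified",
    "ops-plan.docx": "Secret",
    "source-list.xlsx": "Top Secret",
}
COMMERCIAL_DOCS = {
    "brochure.pdf": "Public",
    "staff-directory.csv": "Private",
    "merger-terms.docx": "Confidential",
}

if __name__ == "__main__":
    print(readable_objects("government", "Secret", GOVERNMENT_DOCS))
    print(readable_objects("commercial", "Private", COMMERCIAL_DOCS))
    print(declassify("government", "Top Secret", 2))
```

A Secret clearance sees everything except the Top Secret document, a Private clearance in the commercial scheme sees the public and internal files but not the Confidential one, and declassifying Top Secret by two steps lands on Confidential. Rejecting unknown labels matters: a typo in a label must fail closed, not fall through as "Unclassified".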

5 Data Labeling

To access data, it is important to define some related roles. Every piece of data has a user, an owner, and a custodian. The user is the one who can access the data. The owner is the person responsible for classifying and labeling objects and for determining how the data should be handled or destroyed. The custodian is the person assigned the day-to-day responsibility of protecting or managing the object.

Security policies should also dictate how printed material and used storage media should be handled when they are no longer required. This covers disposal activities such as incineration, physical crushing, magnetic destruction, or an acid bath. Items that are no longer in use but have not been disposed of pose great security risks.

Handling data should be taken seriously, as should compliance with laws, best practices, and standards within a company. It is important to follow government regulations as well as industry standards. Failing to comply with laws can result in fines and penalties, or in data breach and compromise. To ensure that companies and employees follow the rules, it is important to carry out regular compliance testing and maintenance. Compliance testing ensures that all necessary and required elements of a security solution are properly deployed and continue to function as expected. If the compliance test fails, maintenance follows.

6 User Habits

The key aspects of securing a network are knowing user habits and implementing controls or training methods to change or modify bad habits. In this topic, we will learn the practices to improve user habits.

However complex you make a password, passwords are a weak form of authentication. Passwords that are too complex lead to users writing them down, with the resulting possibility of compromise. Passwords that are not complex enough are easy for a user to remember, but are vulnerable to compromise through brute-force cracking. The best way to prevent poor password behavior from compromising the network is to put in place stronger forms of authentication, such as multifactor authentication. Writing down passwords must be prevented. It is important to train users to create passwords that are strong and easy to remember. This includes taking words that may be easy to remember, replacing letters with characters and numbers, and mixing uppercase and lowercase. For example, if a user wants to use "train" as a password, instruct them to use Tr4!n$@2015 instead.

Bad password behaviors, such as using the same password over and over again, not changing passwords regularly, and sharing passwords with coworkers, should be changed. Such behaviors should be addressed in the security policy, with technology limitations and user training. Good password behavior includes the use of uppercase and lowercase letters, numbers, symbols, and at least 15 characters. Users should memorize their password, or use an encrypted password-storage tool with authorized permission. They should follow the password change rules, or you should enforce thorough controls on the network that do not allow reusing passwords on the same or different systems.

Data handling is important because users are also known for failing to handle data properly. Users must be instructed where to keep data files. Removable media is a prime example of poor data handling and bad habits: users will save sensitive data on USB drives. Data loss prevention (DLP) technologies should be in place to block removable media, and training programs should be conducted to explain the importance of proper removable media handling. There is also a technique used by malicious users in which the attacker drops a flash drive, or several removable media devices loaded with contaminated software, in the parking lot or near the entrance. Curious employees bring the device in and plug it into their machine, thereby infecting or compromising the data on the system. Users who are allowed to carry data out of the office on a portable computer or removable media should take only the minimum amount of data required to perform their tasks. And there should be security technologies, processes, and controls in place to minimize the impact of an incident caused by lost or stolen data.

Clean-desk policies require users to keep their desks free of printed documentation so that no passer-by is able to see or gather Personally Identifiable Information without authorization. This also prevents someone from stealing documents with sensitive information while the user is away from the desk. Clean-desk policies also prevent users from writing down their passwords and leaving them on their desks.

To prevent tailgating, you must know what tailgating is. It is also known as piggybacking. Tailgating is when someone unauthorized is able to gain access to a building or room by following an authorized person through a secured entry. Now let's see an example of tailgating prevention. If two users have to enter a room by unlocking the door, they should each use their own access card or key. The first user should unlock the door, enter the room, and wait until the door is closed and locked. Then, the second user should repeat the process to enter the room. Attackers can gain access to restricted areas by feigning the need for assistance, holding a large box or paperwork and asking someone to "hold the door." If someone asks for assistance before getting through a secured entry, users should ask for clearance and proof of authorization, or ask the person to swipe their own card. Reinforcing behavior training on tailgating, and using mantraps, turnstiles, and security guards, can help prevent piggybacking.

Users need to be trained on the proper behavior for dealing with personally owned devices. Connecting USB devices can be a security threat, because home devices do not have the same security measures and controls as those in the office. Any user device, including phones, can contaminate the network with a virus. Even a camera used to take pictures of sensitive information can spread a virus.
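The password rules given in this topic (uppercase and lowercase letters, numbers, symbols, at least 15 characters, and no reuse of previous passwords) are the kind of policy that is best enforced by the system rather than left to memory. The following is an added example written for this tutorial, not code from the lesson: it applies those rules and keeps a short history of salted PBKDF2 hashes so reuse can be refused without ever storing old passwords in plaintext. The history size of 5 and the iteration count are assumptions, and the passwords used are constructed from the lesson's own Tr4!n$@2015 substitution example.

```python
# Added example (not from the lesson): a password-policy checker that applies
# the rules given above (uppercase and lowercase letters, numbers, symbols,
# at least 15 characters) and blocks reuse of recent passwords. Reuse is
# checked against salted PBKDF2 hashes so the history never stores
# plaintext. The history size and the iteration count are assumptions.
import hashlib
import hmac
import os
import string

MIN_LENGTH = 15
HISTORY_SIZE = 5              # assumption: how many old passwords are remembered
PBKDF2_ITERATIONS = 100_000   # assumption: work factor for the stored hashes


def check_complexity(password: str) -> list:
    """Return the policy rules the password breaks; an empty list means it
    satisfies every complexity rule."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no number")
    if not any(c in string.punctuation for c in password):
        failures.append("no symbol")
    return failures


class PasswordHistory:
    """Keeps salted hashes of a user's last few passwords so that reuse can
    be refused without ever storing the passwords themselves."""

    def __init__(self, size: int = HISTORY_SIZE):
        self.size = size
        self._entries = []  # list of (salt, digest) pairs, oldest first

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, PBKDF2_ITERATIONS)

    def was_used(self, password: str) -> bool:
        # Each entry has its own salt, so the candidate is hashed per entry.
        return any(hmac.compare_digest(self._digest(password, salt), digest)
                   for salt, digest in self._entries)

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(password, salt)))
        self._entries = self._entries[-self.size:]  # drop the oldest


def accept_new_password(password: str, history: PasswordHistory) -> list:
    """Apply the complexity rules and the reuse rule. Returns the list of
    failures; on an empty list the password is recorded in the history."""
    failures = check_complexity(password)
    if history.was_used(password):
        failures.append("reuses a previous password")
    if not failures:
        history.record(password)
    return failures


if __name__ == "__main__":
    history = PasswordHistory()
    # "Tr4!n$@2015" is the lesson's own substitution example: it mixes
    # cases, numbers and symbols but is only 11 characters long.
    print(check_complexity("Tr4!n$@2015"))
    print(accept_new_password("Tr4!n$@2015-Oct", history))   # accepted
    print(accept_new_password("Tr4!n$@2015-Oct", history))   # refused: reused
```

Running it shows that the lesson's Tr4!n$@2015 satisfies every character-class rule but falls short of the 15-character minimum, and that the same password offered twice is refused the second time. Reporting every failed rule at once, rather than stopping at the first, gives users the feedback the training asks for instead of a bare rejection.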

7 New Threats, Security Trends and Alerts

People are working day and night to prevent attacks, threats, and vulnerabilities. But there are also people who work day and night to create new attacks, threats, and vulnerabilities. In this topic, we will learn about new threats, security trends, and alerts.

Have you come across a situation where multiple empty folders are created on your system? If yes, your system was compromised by a virus infection. There are literally thousands of viruses released daily. Like any software application, viruses are released in new versions. You will often find an old virus revisiting your system, changed to bypass scanners and defenses. Mitigation of viruses can be handled using an antivirus scanner. There should be a scanner on each device and, if possible, one network scanner to scan traffic before it reaches the destination host. Additionally, there should be real-time protection to continuously monitor devices, and scheduled scans to review systems at a deeper level. Another way of avoiding new viruses is user training. Users should be able to tell the difference between acceptable and unacceptable behavior. Poor browsing habits, questionable websites, or being tricked into clicking illegitimate links can lead to virus contamination. Users need to be trained against this behavior.

Phishing attacks are a form of social engineering. They are used to steal credentials and other PII from a potential target. These attacks can occur over social media, email, live discussion boards, instant messengers, and so on. Such attacks appear to come from legitimate entities requesting your PII for a genuine purpose. Users need to be trained not to click a link provided in an email or instant message. Instead, they should visit the supposed site by searching for it by name. Phishing sites will often present a false link that takes the user to a replica page asking for their contact information to log in. If such phishing is discovered, it should be reported to the targeted organization. For example, users may get a "PayPal" email asking them to sign in. In reality, the user is entering credentials into a redirected fake website, which sends the credentials to the attacker.

Another category of threat is exploits that target flaws and vulnerabilities that are unknown or undisclosed to the general public. These are security flaws discovered by hackers and not yet thoroughly addressed by the security community. There are two reasons systems are affected by such vulnerabilities. One: there is a delay between the discovery of a new type of attack and the release of corresponding countermeasures, patches, and firmware upgrades. Two: administrators are lazy about updating network systems with the latest antivirus updates. Moreover, it is vital to have a strong patch-management policy, and training in your IT department on how to follow that policy.

File sharing over P2P, or peer-to-peer, networks is a technology in which machines share files with one another without any central structure. P2P file sharing is a terrible compromise of the network because it allows information to be downloaded into your network without authorization, and it runs silently in the background. Also, there are no checks and balances to ensure that information downloaded from P2P networks is not malicious in nature. People often place Trojans and other viruses in the shared software. P2P networks and traffic should be blocked, as they are often a legal liability due to file sharing and theft. Social media can be just as risky for most organizations, because it allows for the movement, transfer, and theft of unauthorized data.

Security posture is the current state of your network security. Is your security strict or lax? Is it compliant, and does it follow best practices? These things define the security posture. You need to gather user perspectives and information during training. You should never assume that users understand the training given and will perform their tasks within the boundaries of security. You need to get user feedback and detailed documentation of the success of user training and compliance to validate your security posture. This also allows you to see which areas need more focus and additional training.
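The "false link" pattern described in the phishing discussion above, where the text a user sees names one site while the link actually opens another, is something a mail gateway or awareness tool can flag automatically. The following is an added example written for this tutorial, not code from the lesson: it parses the anchors in an HTML message body with the standard library and reports every link whose visible text looks like a URL for a different site than its href. The sample message is constructed, and "paypal-verify.example" is a placeholder lookalike host rather than a real domain; the last-two-labels domain comparison is a simplification, noted in the code.

```python
# Added example (not from the lesson): a defender-side check for the
# "false link" pattern described above, where the visible text of a link
# shows one site but the href points somewhere else. Uses only the standard
# library. The sample e-mail body is constructed; "paypal-verify.example" is
# a placeholder lookalike host, not a real domain.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Link text that reads like an address, with or without a scheme or path.
_URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[A-Za-z]{2,}(?:/\S*)?")


def host_of(url: str) -> str:
    """Hostname of a URL; bare 'www.example.org/help' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host: str) -> str:
    """Crude registered-domain approximation (last two labels). Assumption:
    good enough for this demo; real deployments use the public suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def find_deceptive_links(html: str) -> list:
    """Return (visible text, actual href) for links whose visible text looks
    like a URL for a different site than the one the href really opens."""
    collector = _AnchorCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        if not href or not _URL_LIKE.fullmatch(text):
            continue   # plain-word link text makes no claim about the target
        if registrable(host_of(text)) != registrable(host_of(href)):
            flagged.append((text, href))
    return flagged


# Constructed sample message, in the style of the "PayPal" example above.
SAMPLE_EMAIL = """
<p>Dear customer, your account needs attention. Please sign in at
<a href="http://paypal-verify.example/signin">https://www.paypal.com/signin</a>
within 24 hours.</p>
<p>Help centre: <a href="https://www.example.org/help">www.example.org/help</a></p>
<p><a href="https://www.example.org/unsubscribe">Unsubscribe</a></p>
"""

if __name__ == "__main__":
    for shown, actual in find_deceptive_links(SAMPLE_EMAIL):
        print(f"link text shows {shown!r} but opens {actual!r}")
```

On the sample message only the first link is reported: its text shows paypal.com while the href opens the lookalike host. The help-centre link is left alone because the shown and actual domains agree, and "Unsubscribe" is skipped because plain words make no claim about where a link goes. Checks of this kind complement, rather than replace, the training point above that users should navigate to a site by name instead of clicking links in mail.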

9 Summary

• Awareness, training, and education are important to secure the human aspects of your organization's network.
• Role-based training is the process of training employees to perform tasks that comply with the security policies applicable to their job roles.
• Personally Identifiable Information, or PII, should be secured, because attackers can imitate its owners to gain access to resources and cause security issues.
• The two most common classification systems are government or military classification, and commercial, business, or private sector classification.
• Generic terms for the classification of information are High, Medium, Low, Confidential, Private, and Public.
• Data labeling involves the roles of user, owner, and custodian.
• Security policies should dictate how printed material and used storage media should be handled when they are no longer required.
• User training should focus on user habits to avoid internal compromises or incidents.

With this, we conclude the lesson, 'Explain the Importance of Security Related Awareness and Training.' The next lesson is, 'Compare and Contrast Physical Security and Environmental Controls.'
