5.6 Security Awareness Flashcards
Phishing campaigns
How many employees would click a link in
a phishing email?
– There’s a way to find out
* Many companies will perform their own
phishing campaign
– Send a phishing email to your employees
* An automated process
– Centralized reporting for incorrect clicks
– Users can receive immediate feedback and
security training
– Some organizations will schedule in-person training
* Recognize a phishing attempt
– Spelling and grammatical errors
– Domain name and email inconsistencies
– Unusual attachments
– Request for personal information
* Respond to reported suspicious messages
– Email filtering can get the worst offenders
– Never click a link in an email
– Never run an attachment from an email
– All organizations should have a process for reporting
phishing
Anomalous behavior recognition
Risky behavior
– Modifying hosts file
– Replacing a core OS file
– Uploading sensitive files
* Unexpected behavior
– Logon from another country
– Increase in data transfers
* Unintentional behavior
– Typing the wrong domain name
– Misplacing USB drives
– Misconfiguring security settings
Reporting and monitoring
Track and analyze security awareness metrics
– Automated
– Phishing click rates
– Password manager adoption, MFA use,
password sharing
* Initial
– First occurrence is an opportunity for user training
– Work towards avoiding the issue in the future
* Recurring
– The value of long-term monitoring
– Identify high-frequency security issues
– Help users with multiple occurrences
Development
Create a Security Awareness team
– Determine roles for training, monitoring,
policy creation, etc.
* Establish a minimum awareness level
– Information delivery (emails, posters,
notices, training)
– Depth of training based on job function
* Integrate compliance mandates
– PCI DSS, HIPAA, GDPR, etc.
* Define metrics
– Assess the performance of security awareness
programs
– Make updates in lower-performing areas
Execution
Create the training materials
– Provided to users in different forms
* Document success measurements
– How will we know the awareness is working?
* Identify the stakeholders
– Provide ongoing metrics and performance data
* Deploy the training materials
– Classroom training, posters, weekly emails, etc.
* Track user training efforts
– Ongoing monitoring, usually with an automated
reporting system
User Training: Security awareness training
Before providing access, train your users
– Detailed security requirements
* Specialized training
– Each user role has unique security responsibilities
* Also applies to third-parties
– Contractors, partners, suppliers
* Detailed documentation and records
– Problems later can be severe for everyone
User guidance and training
Policy/handbooks
– Document all security requirements
– Provide access online in policy guidelines
– Reference the policies in the employee handbook
* Situational awareness
– Users should always be looking for threats
– Software attacks: Email links, attachments, unusual
URLs, text messages, etc.
– Physical attacks: USB drives in a FedEx envelope,
unlocked building doors, etc.
– Be ready for anything
* Insider threat
– Difficult to guard against
– Add multiple approvals for critical processes
– Monitor files and systems as much as possible
– It should be very difficult to make an unauthorized
change
* Password management
– Many standards to choose from
– Guide users with standard requirements
(length, complexity, etc.)
– This is often controlled using technology (Group Policy)
* Removable media and cables
– Unknown USB drives can contain malware
– Unknown cables can be connected to a
malicious system
* Social engineering
– Extensive and ongoing training
– The attackers are very good
– The users are your front line defense
* Operational security
– View security from the attacker’s perspective
– Users need to identify sensitive data
– Keep the sensitive data private
* Hybrid/remote work environments
– Working at home brings unusual security risks
– No access to family and friends
– Additional endpoint security
– Security policies for VPN access
