Security Awareness – CompTIA A+ 220-802: 2.1

When training your end user community, there are a number of security concerns that must be considered. In this video, you’ll learn which user habits, threat prevention techniques, and business policies should be implemented to keep everyone’s data as safe as possible.


One of the most important parts of any security policy is the users of the network, and making sure that they stop the security problems before they start. Of course, you have all of your security policies on the internet. People can download and read through them whenever they’d like, but of course nobody really spends time doing that.

So it’s not uncommon for organizations to put together mandatory training classes for the user community so that they know what those security policies are. That way they can put a name with the face, and they feel comfortable contacting you if they have any security questions. These security classes usually involve things like how to deal with viruses, or perhaps how to protect yourself from getting infected in the first place.

And of course you need to make people aware of what the company policies are. When a visitor walks into the lobby, what processes are in place? Should they have a badge, should they always be escorted? These are important things to understand, and it’s different at every single company.

There may also be a need to provide specialized security training for certain users who are a little bit different from the normal user community, especially mobile users. They may be located at a remote site, and maybe you set up special training by department. The accounting department may have very specific security concerns that are very different from those of the shipping and receiving department.

It’s useful to explain to your users exactly how to manage their passwords. For instance, don’t write everything on a yellow sticky note and put it on your monitor. You need to make sure you keep that information safe. Also, how do you handle the data? Is it stored at a certain place on the network? Is there a share that should be used for that? Where are the public folders, and what type of information should you store in a public folder?

Some organizations have clean desk policies. So you have to train your users and make sure they’re aware that when they leave their desk, everything has to be put away and all of the drawers locked, so that if somebody were to walk by, they wouldn’t have access to any of that information. One of the challenges in most organizations these days is personally owned devices.

This is bring your own device to work, where you have your own tablet or your own mobile device, and you’re connecting to the corporate network. There’s obviously an entirely different set of policies for that, and you need to make sure that your users are aware of those. Another challenge everywhere is tailgating. If somebody is entering the building, maybe you have a policy that everybody goes in one at a time.

The door closes and you have to badge in individually to get inside of the building. You can’t stop and leave it open. If somebody’s running in with some food or some doughnuts, although it looks fantastic, the policy is to close the door, and they have to use their credentials to get in. A lot of people in your user community don’t understand the threat associated with things like viruses.

There are thousands of new viruses a week, and now the malware’s become much smarter about finding and getting onto your computer. It’s a difficult challenge to maintain, and your end users have to be aware of the things they should be looking for. A significant concern these days is phishing, especially since the bad guys are finding ways to get inside of the organization with credentials that were simply given to them through these phishing attacks.

The phishing attacks are becoming a lot more directed. There’s spear phishing, where they’re going after certain people in the organization in the hopes that they can gather information from them. You also need to watch out for spyware. Users may be typing information onto their keyboard, and all of that information may be going to a third party outside the organization.

You need to make sure your users know what to look for, and the things that they can do to help prevent any of that from occurring. A lot of the problems we have these days are with malware and spyware. We’re seeing more and more zero-day exploits, which means there’s no known signature for the particular attack. That means we have to be especially careful about what we’re clicking on, the sites we visit, and how we’re authenticating to these websites.

Sometimes implementing security isn’t something technical, it’s more of a business process. We see this often in something called separation of duties. One type of separation of duties is called split knowledge. That’s where you’re taking information and you’re assigning it, or giving it, to different people. Everybody gets a little bit of information, but nobody gets all of the information.

That way you’re protecting anyone from having too much information or being able to give out too much information, because they have a very limited piece of what’s available. Another type of separation of duties is dual control. This is where you have to have more than one person in order to perform a business function.

For instance, there may be a safe that has multiple keys, and the safe can only be opened if everyone shows up with their key, puts it in, and turns it. Without having everybody there, the safe won’t open. Another important security business process is least privilege. This means that you’ve been given rights and permissions that allow you to do your job, and that’s it. You don’t have rights and permissions that go beyond what you need to accomplish.
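Split knowledge and dual control, as described above, can be shown together in software. The following is an added example, not part of the original video: it splits a secret into one share per key holder using XOR, so no single share reveals anything, and it refuses to reconstruct the secret unless every holder presents a share. The holder names and the secret are constructed sample values.

```python
import secrets
from functools import reduce


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(secret: bytes, holders: list[str]) -> dict[str, bytes]:
    """Split knowledge: each holder gets one share; no share reveals the secret."""
    if len(holders) < 2 or len(set(holders)) != len(holders):
        raise ValueError("need at least two distinct holders")
    # All shares but the last are pure random bytes.
    shares = [secrets.token_bytes(len(secret)) for _ in holders[:-1]]
    # The last share is the secret XORed with every random share.
    shares.append(reduce(xor_bytes, shares, secret))
    return dict(zip(holders, shares))


def open_safe(presented: dict[str, bytes], required: list[str]) -> bytes:
    """Dual control: the secret is rebuilt only if every holder is present."""
    missing = [h for h in required if h not in presented]
    if missing:
        raise PermissionError(f"missing key holders: {missing}")
    return reduce(xor_bytes, (presented[h] for h in required))


if __name__ == "__main__":
    holders = ["alice", "bob", "carol"]          # constructed sample names
    shares = split_secret(b"safe-combination-42", holders)
    print(open_safe(shares, holders))            # all three present
    try:
        open_safe({"alice": shares["alice"], "bob": shares["bob"]}, holders)
    except PermissionError as err:
        print("refused:", err)                   # carol did not show up
```

This scheme needs every share; a wrong or corrupted share is not detected and simply yields a wrong result.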

If you’re in shipping and receiving, you shouldn’t have access to the HR database. And if you’re in the HR department, you shouldn’t have access to financial information. So all of these work together to make sure that you’re limiting what people are able to do on the network. Management usually gets to decide who has rights to the different resources. That’s not usually done by the security department.

You have the business side determine what business requirements a user has, and then it’s up to the security team to make sure that user has those rights, and only those rights, and can’t have additional access. You want to be sure that least privilege is always in place.
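The check described above, that a user has the rights the business approved and only those rights, can be run as a periodic audit. The following is an added example, not part of the original video: it expands each user's group memberships, including nested groups, into effective rights and compares them with the approved list. All user, group and right names are constructed sample data.

```python
# Constructed sample data: every name below is hypothetical.
GROUP_RIGHTS = {
    "shipping-staff": {"shipping-db:read", "shipping-db:write"},
    "hr-staff": {"hr-db:read", "hr-db:write"},
    "finance-staff": {"finance-reports:read"},
    "all-employees": {"public-share:read"},
}
# Nested groups: a group inherits the rights of the groups it belongs to.
MEMBER_OF = {"hr-managers": {"hr-staff", "finance-staff"}}

USER_GROUPS = {
    "dana": ["shipping-staff", "all-employees"],
    "eli": ["hr-managers", "all-employees"],
    "fay": ["shipping-staff", "hr-staff", "all-employees"],
}
# What management approved for each user (the business requirement).
APPROVED = {
    "dana": {"shipping-db:read", "shipping-db:write", "public-share:read"},
    "eli": {"hr-db:read", "hr-db:write", "public-share:read"},
    "fay": {"shipping-db:read", "shipping-db:write", "public-share:read"},
}


def effective_rights(groups, seen=None):
    """Collect rights from groups and any groups they are nested in."""
    seen = set() if seen is None else seen
    rights = set()
    for group in groups:
        if group in seen:          # guard against circular nesting
            continue
        seen.add(group)
        rights |= GROUP_RIGHTS.get(group, set())
        rights |= effective_rights(MEMBER_OF.get(group, ()), seen)
    return rights


def audit(user_groups, approved):
    """Return users whose effective rights differ from the approved rights."""
    findings = {}
    for user, groups in user_groups.items():
        actual = effective_rights(groups)
        wanted = approved.get(user, set())
        excess, missing = actual - wanted, wanted - actual
        if excess or missing:
            findings[user] = {"excess": sorted(excess), "missing": sorted(missing)}
    return findings


if __name__ == "__main__":
    for user, result in audit(USER_GROUPS, APPROVED).items():
        print(user, result)
```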