Chapter 5 - 04 - Learn to Conduct Diff Types of Sec and Awareness Training - 02_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 Employee Awareness and Training: Physical Security @ I Proper training should be given to educate employees on physical security m Training increases the knowledge and awareness about 11 physical security Ev Training should educate employees about how to: @ Minimize breaches @ Identify the elements that are more prone to hardware theft @ Assess the risks handling sensitive data @ Ensure physical security at the workplace Copyright © by All Rights Reserved. Reproduction is Strictly Prohibited Employee Awareness and Training: Physical Security Well-trained and skilled personnel can minimize the risk of a physical security threat to a great extent. An organization should provide proper physical security awareness training to all its employees. Training increases the knowledge and awareness about physical security. Training should educate employees about how to: = Minimize breaches = |dentify the elements that are more prone to hardware theft = Assess the risks handling sensitive data = Ensure physical security at the workplace The training or awareness program should = Provide methods to reduce attacks; = Examine all devices and the chances of a data attack; = Teach the risks of carrying sensitive information; = Teach the importance of having security personnel; = |Inform employees about whom should report to about suspicious activities; = Teach what to do when employees leave systems and workplaces unattended; and = Teach the disposal procedures for disposing critical paper documents and storage media. Module 05 Page 610 Certified Cybersecurity Technician Copyright © by EC-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 Employee Awareness and Training: Social Engineering Train employee on possible social engineering techniques and how to combat these techniques Areas of Risk Phone Dumpsters Attack Techniques. Impersonation Dumpster Diving Train employee/Help Desk on: * Not providing any confidential information, if this has occurred * Not throwing sensitive documents in the trash * Shredding document before putting into the trash * Erasing magnetic data before putting into the trash « Email Phishing, malicious attachment > | Differentiating between legitimate email and a targeted phishing email * Not downloading malicious attachment — Copyright © by EC L All Rights Reserved. Reproduction is Strictly Prohibited. Employee Awareness and Training: Social Engineering A simple social engineering awareness training can be cost-effective. It is useful in reminding employees about an organization’s policies, which can ultimate help employees recognize and prevent social engineering attacks. Employees must be trained on possible social engineering techniques and how to combat social engineering techniques. Areas of Risk Phone | Attack Techniques Impersonation Dumpsters Dumpster Diving Phishing, malicious Email mal attachment Train employee/Help Desk on: = Not providing any confidential information, if this has occurred = Not throwing sensitive documents in the trash = Shredding document before putting into the trash = Erasing magnetic data before putting into the trash = Differentiating between legitimate email and a = targeted phishing email Not downloading malicious attachment Table 5.9: Social Engineering Attack Awareness and Training Some of the social engineering techniques the employees should be aware of include: = Physical social engineering (tail-gaiting, piggy-backing); = Changing passwords (attacker poses as an authority and asks to change the username and password); = Name-drop (using the higher authority’s name to gain access to something); Module 05 Page 611 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 = Relaxing conversation (trying to build up a rapport with the employee); and = New hire (attacker poses as a new employee to take a tour around the office). Module 05 Page 612 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 Employee Awareness and Training: Data Classification O Organization should train employees on how to tell if information is confidential Areas of Risk Office Attack Techniques Train employee/Help Desk on How to classify and mark document-based classification levels and keep sensitive document in secured place Stealing sensitive information Typical Top Secret (TS) ln.fon::ion m Confidential Secret classification levels: E Restricted Unclassified QO Security labels are used to mark the security level requirements for the information assets and controls access to it QO Organizations use security labels to manage access clearance to their information assets Copyright © by EC-{ el All Rights Reserved. Reproduction s Strictly Prohibited Employee Awareness and Training: Data Classification Organization should train employees on how to tell if information is confidential. Security labels are used to mark the security level requirements for the information assets and controls access to it. Organizations use security labels to manage access clearance to their information assets. Security labels are used to restrict access to information in high and low security areas as a part of mandatory access control decisions. This enables easy understanding for users with and without permission to access and easy clearance of a large group of users. It defines the sensitivity of the data or the object and authorizations required for accessing the object or data. It provides a list of users who can access the document or the device and enables the user to understand the documents that they can access. Areas of Risk. Office Attack Techniques Stealing sensitive.. information Train employee/Help Desk on How to classify and mark document-based classification.. levels and keep sensitive document in secured place Table 5.10: Data Classification Training and Awareness: Security labels are categorized into different types based on who can access the data or object. * Unclassified: No access permissions are required in order to documents. Any person at any level may access these documents. = Restricted: Only a few people can access the data or object. Sensitive data may be restricted for use in an organization because of its technical, access business, unclassified and personal issues. Module 05 Page 613 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Administrative Controls = Confidential: Confidential data or objects exposed may lead to financial or legal issues in an organization. Documents may be highly confidential or only confidential. Revealing these data—whether information. = Exam 212-82 confidential or highly confidential—will lead to loss of critical Secret: Users authorized to access secret files may access secret, confidential, restricted, and unclassified data. Users cannot access documents or objects labeled as top secret, as it requires a higher clearance level. = Top Secret: Users accessing top secret documents may access top secret, secret, confidential, restricted, and unclassified data. Module 05 Page 614 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited.