Certified Cybersecurity Technician Exam 212-82 PDF
EC-Council
Summary
This document details security awareness training for employees in a cybersecurity context. It covers different types of training, including classroom style, online, and round table discussions. The training's goal is to teach employees about security policies and procedures.
Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82

Module Flow
- Discuss Various Regulatory Frameworks, Laws, and Acts
- Understand Information Security Governance and Compliance Program
- Learn to Design and Develop Security Policies
- Learn to Conduct Different Types of Security and Awareness Training

Learn to Conduct Different Types of Security and Awareness Training

Employee and user training play an important part in the governance of the overall security of an organization. An untrained employee or user can pose a considerable risk to an organization. Hence, it is important to make them aware of security policies and to conduct other awareness training programs to maintain organizational security. This section explains the importance of conducting security awareness training and the key aspects to be covered in different types of training.

Module 05 Page 605 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Employee Awareness and Training

Employees are one of the primary assets of an organization and can be part of an organization’s attack surface. The actions of an employee—such as negligence, errors, susceptibility to social engineering, or clicking spam links—can lead to an attack. Employee awareness training initiated during orientation and periodically thereafter can enhance protection. The training is typically related to the knowledge and attitudes of employees tasked with the security of physical and informational assets. An organization needs to provide formal security awareness training for its employees when they join and periodically thereafter, so that employees:
- Have the expertise to defend themselves and the organization against threats;
- Follow security policies and procedures for working with information technology;
- Know whom to contact if they discover a security threat;
- Are able to identify the nature of data based on data classification;
- Protect the physical and informational assets of the organization when they come into contact with them—for example, secrets, privacy concerns, and classified information;
- Know how to handle critical information, such as the review of employee nondisclosure agreements;
- Know the proper methods for protecting critical information on systems, such as a password policy and the use of two-factor authentication; and
- Know the consequences of failing to secure information, which may include loss of employment.

An organization should also provide security awareness training to employees to meet regulatory requirements if it wants to comply with a certain regulatory framework.

The different methods to train employees include:
- Classroom style training
- Online training
- Round table discussions
- Security awareness website
- Providing hints
- Making short films
- Conducting seminars
- Simulation employee training
- Hands-on training
- Lectures
- Coaching/mentoring
- Case studies
- Management specific activities
- Group discussions and activities

Employee Awareness and Training: Security Policy

Security policy training teaches employees how to perform their duties and how to comply with the security policy. Organizations should train new employees before granting them access to the network, or provide limited access until the completion of their training. Security policy training and procedures are required to ensure security and effective network management.
- The security policy training program helps employees appropriately recognize and respond to security threats in real time. The training teaches employees to understand the importance of the data on their devices or systems, and employees adopt secure computing habits.
- Security policy training makes employees aware of new vulnerabilities that can occur if they do not follow the policies.
- Security policy training and awareness help minimize security breaches in an organization. Early identification of a breach decreases the cost to an organization.
- Security policy awareness among users helps notify them about updates and probable new security policies, for example through published policy documentation and descriptive security documentation for users.
- Employees who follow the security policy reduce their possibility of being subject to potential fines or legal actions.
- An effective training program will help employees monitor their computing behavior and report their security concerns to management. The training will enhance overall compliance with the company’s security policies and procedures.

Advantages
- Effective implementation of a security policy
- Policies are followed and not just enforced
- Creates awareness of compliance issues
- Helps an organization enhance its network security

Employee Awareness and Training: Physical Security

Well-trained and skilled personnel can minimize the risk of a physical security threat to a great extent. An organization should provide proper physical security awareness training to all its employees. Training increases knowledge and awareness about physical security. Training should educate employees about how to:
- Minimize breaches
- Identify the elements that are more prone to hardware theft
- Assess the risks of handling sensitive data
- Ensure physical security at the workplace

The training or awareness program should:
- Provide methods to reduce attacks;
- Examine all devices and the chances of a data attack;
- Teach the risks of carrying sensitive information;
- Teach the importance of having security personnel;
- Inform employees about whom they should report suspicious activities to;
- Teach what to do when employees leave systems and workplaces unattended; and
- Teach the disposal procedures for critical paper documents and storage media.

Employee Awareness and Training: Social Engineering

Simple social engineering awareness training can be cost-effective. It is useful in reminding employees about an organization’s policies, which can ultimately help employees recognize and prevent social engineering attacks. Employees must be trained on possible social engineering techniques and on how to combat them.

Table 5.9: Social Engineering Attack Awareness and Training
- Area of risk: Phone. Attack technique: Impersonation. Train employees/help desk on: not providing any confidential information, if this has occurred.
- Area of risk: Dumpsters. Attack technique: Dumpster diving. Train employees/help desk on: not throwing sensitive documents in the trash; shredding documents before putting them in the trash; erasing magnetic data before putting media in the trash.
- Area of risk: Email. Attack techniques: Phishing, malicious attachments. Train employees/help desk on: differentiating between a legitimate email and a targeted phishing email; not downloading malicious attachments.

Some of the social engineering techniques that employees should be aware of include:
- Physical social engineering (tailgating, piggybacking);
- Changing passwords (the attacker poses as an authority and asks to change the username and password);
- Name-drop (using a higher authority’s name to gain access to something);
- Relaxing conversation (trying to build up a rapport with the employee); and
- New hire (the attacker poses as a new employee to take a tour around the office).

Employee Awareness and Training: Data Classification

Organizations should train employees on how to tell if information is confidential. Security labels are used to mark the security level requirements for information assets and to control access to them. Organizations use security labels to manage access clearance to their information assets. Security labels are used to restrict access to information in high and low security areas as part of mandatory access control decisions. This enables easy understanding for users with and without permission to access, and easy clearance of a large group of users. A label defines the sensitivity of the data or object and the authorizations required for accessing it. It provides a list of users who can access the document or device and enables a user to understand which documents they can access.

Table 5.10: Data Classification Training and Awareness
- Area of risk: Office. Attack technique: Stealing sensitive information. Train employees/help desk on: how to classify and mark documents based on classification levels and keep sensitive documents in a secured place.

Typical information classification levels are Top Secret (TS), Secret, Confidential, Restricted, and Unclassified. Security labels are categorized into different types based on who can access the data or object:
- Unclassified: No access permissions are required in order to access these documents. Any person at any level may access them.
- Restricted: Only a few people can access the data or object. Sensitive data may be restricted for use in an organization because of technical, business, unclassified, and personal issues.
- Confidential: Exposure of confidential data or objects may lead to financial or legal issues in an organization. Documents may be highly confidential or only confidential. Revealing these data—whether confidential or highly confidential—will lead to loss of critical information.
- Secret: Users authorized to access secret files may access secret, confidential, restricted, and unclassified data. They cannot access documents or objects labeled top secret, as that requires a higher clearance level.
- Top Secret: Users with access to top secret documents may access top secret, secret, confidential, restricted, and unclassified data.
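The label hierarchy and read rule described above (a user cleared for secret may read secret and below but not top secret) as a small mandatory access control check. This is an added example, not code from the courseware; the roster, document names and the parse_label helper are constructed for illustration.

```python
from enum import IntEnum

class Label(IntEnum):
    # Classification levels from the page, ordered low to high.
    UNCLASSIFIED = 0
    RESTRICTED = 1
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4

def parse_label(text):
    # Map a marking such as "Top Secret (TS)" or "TS" to a Label; unknown markings raise so callers fail closed.
    key = text.split("(")[0].strip().upper().replace(" ", "_")
    key = {"TS": "TOP_SECRET"}.get(key, key)
    try:
        return Label[key]
    except KeyError:
        raise ValueError(f"unknown classification marking: {text!r}") from None

def can_read(clearance, label):
    # Read is permitted only when the user's clearance dominates the object's label.
    return clearance >= label

def readable_levels(clearance):
    # Every level this clearance may read (SECRET -> all levels except TOP_SECRET).
    return [level for level in Label if can_read(clearance, level)]

def authorized_readers(document_label, roster):
    # The "list of users who can access the document" that a label implies.
    return sorted(u for u, c in roster.items() if can_read(c, document_label))

def decide_requests(requests, roster):
    # Evaluate (user, document, marking) triples; unknown users or markings are denied, never guessed.
    decisions = []
    for user, document, marking in requests:
        try:
            allowed = can_read(roster[user], parse_label(marking))
        except (KeyError, ValueError):
            allowed = False
        decisions.append((user, document, "allow" if allowed else "deny"))
    return decisions

# Constructed sample roster and access requests (hypothetical, not from the page).
ROSTER = {"alice": Label.TOP_SECRET, "bob": Label.SECRET, "carol": Label.RESTRICTED}
REQUESTS = [
    ("bob", "merger-plan.docx", "Secret"),
    ("bob", "board-minutes.pdf", "Top Secret (TS)"),
    ("mallory", "merger-plan.docx", "Secret"),     # user not on the roster
    ("alice", "legacy-export.bin", "Eyes Only"),   # marking outside the scheme
]
```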