A security training and security awareness program helps reduce risks. If you’re planning to take the Security+ exam, you should have a basic understanding of the importance of security related awareness and training.
For example, can you answer this question?
Q. Personnel in an organization are sharing their access codes to cipher locks with unauthorized personnel. As a result, unauthorized personnel are accessing restricted areas of the building. What is the BEST response to reduce this risk?
A. Implement a management control.
B. Implement a technical control.
C. Implement an AUP.
D. Provide security training to personnel.
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Risks with Cipher Locks
Cipher locks often have four or five buttons labeled with numbers. Employees press the numbers in a certain order to unlock the door. For example, the cipher code could be 1, 3, 2, 4. Users enter the code in the correct order to gain access. Cipher locks can be electronic or manual. An electronic cipher lock automatically unlocks the door after you enter the correct code into the keypad. A manual cipher lock requires the user to turn a handle after entering the code.
To add complexity and reduce brute force attacks, many manual cipher locks include a code that requires two numbers entered at the same time. Instead of just 1, 3, 2, 4, the code could be 1/3 (entered at the same time), then 2, 4, 5.
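The following Python script is an added illustration of why the simultaneous-press feature makes guessing harder; it is not from the original post. It assumes a five-button lock in which each button is used at most once per code (typical for mechanical pushbutton locks, but an assumption here) and compares the number of possible codes when every step is a single button against the number when a step may be any group of buttons pressed together, such as the 1/3, 2, 4, 5 code above.

```python
from itertools import combinations, permutations

# A code is a tuple of steps; each step is a frozenset of buttons pressed together.
# Assumption: each button can be used at most once within a code.


def single_press_codes(n_buttons):
    """Yield every code in which each step presses exactly one button."""
    buttons = range(1, n_buttons + 1)
    for length in range(1, n_buttons + 1):
        for seq in permutations(buttons, length):
            yield tuple(frozenset((b,)) for b in seq)


def simultaneous_codes(n_buttons):
    """Yield every code in which a step may press one or more buttons at once."""
    all_buttons = frozenset(range(1, n_buttons + 1))

    def extend(remaining, prefix):
        if prefix:
            yield prefix
        for size in range(1, len(remaining) + 1):
            for group in combinations(sorted(remaining), size):
                yield from extend(remaining - frozenset(group),
                                  prefix + (frozenset(group),))

    yield from extend(all_buttons, ())


def count_codes(n_buttons, allow_simultaneous):
    """Size of the code space a guesser would have to search."""
    gen = simultaneous_codes if allow_simultaneous else single_press_codes
    return sum(1 for _ in gen(n_buttons))


def format_code(code):
    """Render a code the way the post writes it: buttons pressed together joined by '/'."""
    return ", ".join("/".join(str(b) for b in sorted(step)) for step in code)


def parse_code(text):
    """Inverse of format_code: '1/3, 2, 4, 5' -> tuple of frozensets."""
    return tuple(frozenset(int(b) for b in step.split("/"))
                 for step in text.replace(" ", "").split(","))


def is_valid_code(code, n_buttons):
    """True if every button is in range and no button is reused within the code."""
    used = [b for step in code for b in step]
    return all(1 <= b <= n_buttons for b in used) and len(used) == len(set(used))


if __name__ == "__main__":
    single = count_codes(5, allow_simultaneous=False)
    multi = count_codes(5, allow_simultaneous=True)
    print(f"5 buttons, one button per step: {single} codes")
    print(f"5 buttons, simultaneous presses allowed: {multi} codes")
    example = parse_code("1/3, 2, 4, 5")
    print("Post's example code:", format_code(example), "valid:", is_valid_code(example, 5))
```

Running it shows 325 possible codes when buttons are pressed one at a time versus 1,081 when groups are allowed, which is the whole reason the feature exists; it still does nothing to stop a user who simply tells someone the code, which is the point the post makes next.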
One challenge with cipher locks is that they don’t identify the users. Further, users who haven’t been trained can give out the cipher code to unauthorized individuals without understanding the risks. Shoulder surfers might attempt to discover the code by watching users as they enter it. Security awareness training can help reduce these risks.
Remember this
Cipher locks require users to enter a code to gain access. It’s important to provide training to users on the importance of keeping the code secure. This includes not giving it out to others and preventing shoulder surfers from seeing the code when users enter it. Cipher locks do not identify users.
Raising Security Awareness
Many organizations create a security education and awareness plan to identify methods of raising the security awareness of employees. The primary goal is to minimize the risk posed by users and help to reinforce user compliance with security policies.
Training is especially useful when technical controls are not available to enforce a security policy. For example, if employees are sharing cipher codes for restricted areas, a technical control cannot stop them. However, by training employees on the risks, you make them more likely to comply with the security policies.
For example, many users are unaware of the risks associated with USB flash drives. They know that USB flash drives are very convenient and restricting their use sometimes makes it more difficult to do their job. However, they don’t always know that an infected USB drive may infect a system as soon as it’s plugged in, and an infected system will infect any other USB drives plugged into the system. With a little bit of training, users understand the risks and are more likely to comply with a restrictive USB flash drive policy.
The success of any security awareness and training plan is directly related to the support from senior management. If senior management supports the plan, middle management and employees will also support it. On the other hand, if senior management does not show support for the plan, it’s very likely that personnel within the organization will not support it either.
Security Policy Training and Procedures
Organizations often include sections on training and procedures within a security policy. This reminds personnel of the importance of security training and awareness programs. One point such sections make is that security training isn’t a one-time event. Personnel are trained when they are hired and periodically afterwards. For example, it’s common to have annual refresher training. This informs personnel of current and updated threats and helps reinforce the importance of user compliance with existing policies.
Additionally, security awareness programs help to keep personnel aware of security risks. Posters and signs help people remember that security is everyone’s responsibility. Proxy servers and unified threat management (UTM) devices have URL filters that block access to prohibited sites, such as gambling sites. They typically display a message with the user’s name and account information, mention that access was blocked and logged, and remind users of the acceptable use policy.
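To make the URL-filter behaviour above concrete, here is an added Python example (not code from the post or from any proxy or UTM vendor) of the decision a filter makes: categorize the requested host, block it if its category is prohibited, write a log entry, and build the block message that names the user, states that the attempt was logged, and points back to the acceptable use policy. The domain-to-category table and the user details are constructed sample data; real products use vendor category feeds.

```python
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample category database (stands in for a vendor URL-category feed).
DOMAIN_CATEGORIES = {
    "casino.example": "gambling",
    "bets.example": "gambling",
    "intranet.example": "business",
    "news.example": "news",
}

# Categories the organization's policy prohibits.
BLOCKED_CATEGORIES = {"gambling", "malware"}

# Where block events are recorded; a real device would forward these to a SIEM.
BLOCK_LOG = []


def categorize(hostname):
    """Look up the most specific matching parent domain, e.g. www.casino.example -> casino.example."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DOMAIN_CATEGORIES:
            return DOMAIN_CATEGORIES[candidate]
    return "uncategorized"


def block_message(user, account_id, host, category):
    """The notice shown to the user in place of the page (wording is an assumption)."""
    return (
        f"{user} (account {account_id}): access to {host} was blocked because the site "
        f"is categorized as '{category}'. This attempt has been logged. "
        f"Please review the acceptable use policy before continuing."
    )


def filter_request(user, account_id, url, now=None):
    """Return the filter decision for one request; record a log line when blocking."""
    host = urlparse(url).hostname or ""
    category = categorize(host)
    if category not in BLOCKED_CATEGORIES:
        return {"allowed": True, "host": host, "category": category, "message": None}

    timestamp = (now or datetime.now(timezone.utc)).isoformat()
    log_line = f"{timestamp} BLOCK user={user} account={account_id} host={host} category={category}"
    BLOCK_LOG.append(log_line)
    return {
        "allowed": False,
        "host": host,
        "category": category,
        "message": block_message(user, account_id, host, category),
        "log": log_line,
    }


if __name__ == "__main__":
    # Constructed sample requests.
    for url in ("https://www.casino.example/slots", "https://news.example/today"):
        decision = filter_request("jsmith", "1042", url)
        print("ALLOW" if decision["allowed"] else decision["message"])
    print("\n".join(BLOCK_LOG))
```

The parent-domain walk in `categorize` is what lets one table entry cover every subdomain of a listed site; the log line and the message are produced together so that what the user is told ("this was logged") is actually true.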
Security and IT personnel occasionally send out emails when they learn of an emerging threat, such as a tricky phishing attack, or after an incident caused by someone not following established policies. Depending on the extent of the incident, management might require users to complete additional training.
Remember this
A security training and security awareness program helps reduce risks. Security awareness programs educate users about emerging threats and techniques attackers are currently using.
Q. Personnel in an organization are sharing their access codes to cipher locks with unauthorized personnel. As a result, unauthorized personnel are accessing restricted areas of the building. What is the BEST response to reduce this risk?
A. Implement a management control.
B. Implement a technical control.
C. Implement an AUP.
D. Provide security training to personnel.
Answer is D. The best response of those listed is to provide training to personnel on the importance of keeping access codes private.
Management controls include policies and assessments, but they won’t necessarily focus on sharing access codes.
Technical controls won’t do any good if personnel are bypassing them, which is the case in this scenario.
If an acceptable use policy (AUP) isn’t implemented, it would be a good idea to implement one. However, it addresses usage of systems, and not necessarily cipher access codes.