Personnel security awareness training helps mitigate risk and reduce security incidents. If you’re planning to take the SY0-501 version of the Security+ exam, you should understand the importance of training related to organizational security.
See if you can answer this question.
Q. Social engineers have launched several successful phone-based attacks against your organization resulting in several data leaks. Which of the following would be MOST effective at reducing the success of these attacks?
A. Implement a BYOD policy.
B. Update the AUP.
C. Provide training on data handling.
D. Implement a program to increase security awareness.
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Role-Based Awareness Training
Role-based awareness training is targeted to personnel based on their roles. The primary goal is to minimize risk to the organization; by giving users the training their specific roles require, they are better prepared to recognize and avoid the threats they are most likely to encounter.
The following roles often require role-based training:
• Data owner. Data owners need to understand their responsibilities related to data that they own. This includes ensuring that the data is classified correctly and that it is labeled to match the classification. They are also responsible for ensuring that adequate security controls are implemented to protect the data. While they often delegate day-to-day tasks to data custodians, they cannot delegate their accountability for the data.
• System administrator. System administrators are responsible for the overall security of a system. They often need technical training so that they understand the software capabilities and vulnerabilities, and how to ensure the system is operating in a secure state. As a simple example, if an organization purchases a new hardware firewall, system administrators need training to ensure they know how to implement it securely.
• System owner. A system owner is typically a high-level executive or department head who has overall responsibility for the system. While system owners won’t perform daily maintenance on their systems, they are responsible for ensuring that system administrators have the skills and knowledge to maintain them.
• User. Regular end users need to understand common threats, such as malware and phishing attacks. They also need to understand the risk posed by clicking an unknown link and how drive-by downloads can infect their system. Training can include a wide variety of topics depending on the organization and can be delivered via different methods. For example, security experts can send emails informing users of current threats. Some training is delivered via web sites, in a classroom, or informally by supervisors. Training is often included when users review and sign an organization’s AUP.
• Privileged user. A privileged user is any user with more rights and permissions than typical end users. Privileged users need training on the classification and labeling of data that they handle. Administrators are often required to use two accounts, one for regular use (email, web browsing, documents) and one for administrative use only. For administrators to follow this policy, they need to understand why it’s implemented (a phishing email or drive-by download opened in a session running with administrative privileges gives the attacker those same privileges) and the potential repercussions if the administrator uses the administrative account for everyday tasks.
• Executive user. Executives need high-level briefings related to the risks that the organization faces, along with information on the organization’s overall information security awareness program. Additionally, executives should be trained to recognize whaling attacks, a form of phishing in which attackers specifically target executives with malicious emails crafted to look like legitimate business correspondence.
• Incident response team. An incident response team needs detailed training on how to respond to incidents. Even within the team, personnel might require different training. For example, security personnel responsible for forensic investigations need specialized forensic training.
The success of any security awareness and training plan is directly related to the support from senior management. If senior management supports the plan, middle management and employees will also support it. On the other hand, if senior management does not show support for the plan, it’s very likely that personnel within the organization will not support it either.
Continuing Education
Training is rarely a one-and-done event. Instead, personnel need to regularly receive additional training to ensure they are up to date on current threats, vulnerabilities, and technologies. If network administrators are still using the same practices and technologies they learned 10 years ago, their networks are very likely vulnerable to a multitude of attacks that those practices were never designed to address.
This concept is used in many different professions. For example, your doctor is required to regularly attend continuing education to update her knowledge. That’s a good thing. When you’re receiving medical treatment and advice, you don’t want treatment and advice that was valid a decade ago, but might not be valid today. Similarly, many certifications (including the CompTIA Security+ certification) have formal continuing education requirements.
Continuing education within an organization can take many forms. It’s often possible to send personnel to classes to update their knowledge. When many people need the same training, an organization will often bring in a trainer to teach a class in-house.
Q. Social engineers have launched several successful phone-based attacks against your organization resulting in several data leaks. Which of the following would be MOST effective at reducing the success of these attacks?
A. Implement a BYOD policy.
B. Update the AUP.
C. Provide training on data handling.
D. Implement a program to increase security awareness.
Answer is D. The best choice of the available answers is to implement a program to increase security awareness, and in this scenario it could focus on recognizing and resisting social engineering attacks delivered over the phone.
A bring your own device (BYOD) policy or an acceptable use policy (AUP) doesn’t address phone-based social engineering, so neither applies in this scenario.
Training is useful, but training users on data handling won’t necessarily educate them on how social engineers manipulate people into giving up data in the first place.
See Chapter 11 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on implementing policies to mitigate risks.