Security+: Security Training and Awareness (SY0-401)
Please note: this article is based on information about the previous version of the Security+ exam (SY0-401), which expired in May of 2018. For updated information, please see our up-to-date Security+ listing.
Workers must be aware of security to carry out their day-to-day tasks. Security training is essential and should be a part of a company’s security policies. Security training and awareness begin as soon as a worker is hired and it should be continued throughout the organization’s lifecycle. Security training and awareness can be provided through various techniques, including regular reminders, emails with security updates, intranet websites, newsletters, refresher seminars, and so on. The Security+ exam involves various other important techniques for security training and awareness that will be discussed in the subsequent sections.
Security Policy Training and Procedures
Behavior modification of workers is necessary for the successful implementation of any security solution. Users should learn three recognized learning levels for behavior modification. These learning levels include awareness, education, and training. User awareness has a crucial role in achieving security. Security awareness can easily thwart social-engineering attacks. Security education is imparted to the workers to guide them how to perform their everyday tasks securely. Security management often provides two types of in-house training: role-based and awareness training.
Role-based training aims at providing training to an individual in a specific role in the realm of organization’s IT security. That is, what he/she does regarding IT security within his/her organization, very specifically—not his/her job title, but the actual functions that he/she performs concerning IT security. If a user manages and operates an information system, he/she must understand the security responsibilities associated with his/her role. For example, if someone’s role is to log off the computer every time he/she leaves, then logging off will be his/her security responsibility because negligence may lead to data theft or damage.
In 2014, NIST released a document—coined Draft Special Publication 800- 16 Revision 1, a Role-based Model for governmental organizations as well as private companies to protect information. This document focuses on training that deals with each individual’s role within the organization.
Personally Identifiable Information (PII)
Personally Identifiable Information (PII), as used in privacy laws and information security, is information that can help to identify an individual or to locate a single person under consideration. PII may include individual’s name, date of birth, social security number, employment information and so on. The protection of PII is a significant part of organization’s IT security environment because the unauthorized release of PII could result in serious consequences for an individual whose PII has been compromised. PII abuse also tarnishes the image of the organization in IT market. While drafting the security policy, the organization should add strict measures including penalties regarding PII violations.
NIST Special Publication 800-122 includes the detailed description of Personally Identifiable Information (PII).
Classification means labeling or marking objects. These objects may include information, data, assets, and so on. Once an object is classified, all the workers must read and respect its assigned label. Labeling and marking ensure that each object receives an appropriate level of protection. Information classification is a key part of the ISO-270001 standard. The main objective of information classification is to ensure that information receives the necessary protection. Information classification involves several levels, which are described below.
High: it’s the highest level of classification and involves top-secret information, such as information about national security.
Medium: It often involves information of a restricted nature. Policy or law protect the restricted level of information (such as personal or confidential) and it requires the highest level of access control.
Low: It is used for data that is neither classified nor sensitive. The disclosure of low-level data doesn’t cause any damage or compromise confidentiality.
Confidential: Confidential information has utmost importance and sensitivity. The disclosure of confidential information can have grave repercussions for the organization.
Private: This level is used for data having a private or personal nature, such as personally identifiable information (PII). The disclosure of private information can compromise individual’s privacy.
Public: Anyone can see public information, so it doesn’t cause any harm to the business.
Data Labeling, Handling, and Disposal
Three types of the subject (such as user, owner, and custodian) are used to perform operations on objects (such as data or information).
- A user accesses objects and performs some actions on them.
- An owner has the responsibility to classify and label objects and to store and protect data.
- A custodian has the day-to-day responsibility for storing and protecting objects properly.
Data handling is the process that determines how used storage media and printed material will be handled after their functional lifetime. It is often defined in organization’s security policy.
Data disposal is a technique used to dispose of data once its purpose has been achieved. Secure destruction and disposal of printed materials often involve incineration and shredding.
Compliance with Laws, Best Practices, and Standards
Compliance checking, also known as compliance testing, ensures that all important elements of security solutions are properly deployed. For an efficient security deployment, workers must comply with laws, policies, guidelines, best practices, and standards.
User habits basically involve modification of users’ behavior, which is known as behavior modification. In addition to technology, user habits are prerequisites to implement proper security in any organization. When discussing user habits, behavior modification must be a part of the organization’s security policy. Several behavior modifications are discussed below.
Password behaviors: Passwords are used for authentication. Weak passwords are vulnerable to various attacks, including password guessing, login spoofing, dictionary attacks, and so on. An organization should implement multifactor authentication to thwart password attacks. Using strong passwords should also be a part of security training.
Data handling: Data handling requires some good practices. For example, the user should not attach any unsecured or risky removable media to a system where sensitive data is stored. The user should also not install any software without authorization because malware-infected software can damage or lead to the theft or sensitive data. Moreover, data should not be transmitted through an unsecured channel, such as an infected network, email, or peer-to-peer file sharing.
Clean-desk policies: These policies are used to guide users as to why and how to clean off their desks at the end of the working day. The purpose of clean-desk policies is to protect sensitive information, such as financial records, passwords, and confidential staff. Workers must place all sensitive record in a lockable desk at the end of the day.
Prevent tailgating: Tailgating is when an unauthorized person enters a facility under the authorization of a legitimate employee but without his/her knowledge. An employee can prevent tailgating by properly closing or relocking the door every time he/she comes inside.
Personally owned devices: A user may bring any personally owned device (s) into the organization. Personal devices include cellular phones, digital cameras, audio players, and other portable electronic devices. These devices can be used to steal sensitive information. Therefore, fair usage of personally owned devices must be a part of the organization’s security policy.
New Threats and New Security Trends/Alerts
Threats are dynamic in nature and are being created every day. Users must perform daily research about newly emerging threats, especially viruses and phishing attacks. Zero-day attacks are also used to exploit vulnerabilities in a target system. Security management must use vulnerability scanners and updated antivirus programs to avoid zero-day attacks.
Use of Social Networking and P2P
Social networks and P2P (peer-to-peer) file sharing can be unsafe activities. Social networking is more of a waste of the organization’s resources. Moreover, viruses and malware can quickly be dispatched through P2P file sharing. Therefore, P2P should be blocked altogether.
Follow Up and Gather Training Metrics to Validate Compliance and Security Posture
Following up and gathering training metrics to validate compliance and security posture are important parts of the long-term success of a security endeavor. Security management should never underestimate the fact that workers gradually become lazy in their job tasks and may even forget their security responsibilities. In order to deal with this problem, security management must perform due diligence in assessing the security compliance of workers as well as in improving the security posture of the company as a whole. Doing so requires providing refreshment training, monitoring of work activities, and performing regular audits.
InfoSec Security+ Boot Camp
If you’re ready for security+ certification training material, the InfoSec Institute offers a Security+ Boot Camp that teaches you information theory and reinforces that theory with hands-on exercises that help you learn by doing. Fill out the brief form above for course details/pricing.
Moreover, the InfoSec Institute has been one of the most awarded (42 industry awards) and trusted information security training vendors for 17 years.
InfoSec also offers thousands of articles on all manner of security topics.