Security Awareness - CompTIA Security+ SY0-701 - 5.6

00:01

So let's say you're working for a company,

00:04

and you're wondering, how many employees

00:06

would click a phishing link inside of a corporate email?

00:10

If you're not sure, there is a way to figure this out.

00:14

You would run your own phishing campaign.

00:17

You would send emails to your user community

00:19

and see who clicks on those emails.

00:22

This might be a phishing system that you've built internally,

00:25

but there are also many third-party sources

00:28

who can provide this phishing campaign for you.

00:31

This is usually an automated process that reports opens,

00:34

clicks, and any interaction with that phishing email

00:37

to a central reporting console.

00:39

If a user does click a phishing link,

00:42

they receive an automated email stating

00:44

that they made a mistake when they clicked that link,

00:47

and they would need to go to additional training.

00:49

This training may be something the user can perform online,

00:53

or there may be in-person training

00:55

at the corporate facilities.

00:57

We want our users to recognize when a phishing link might

01:01

be inside of an email.

01:02

They should be looking for any spelling or grammatical errors

01:05

within the message itself and within the link that they're

01:09

clicking.

01:09

We want our users to look at the domain name associated

01:12

with that link, and they should look

01:14

to see if there are inconsistencies in how

01:16

this email is constructed.

01:18

There might be unusual attachments connected

01:21

to the email, which would certainly

01:23

be a sign of phishing, and we should

01:25

see if the email is requesting any personal information

01:28

or login credentials.

01:30

If you're receiving these phishing attempts from outside,

01:33

this is also a good chance to see if your email filtering

01:36

process is working the way you would expect.

01:39

Ideally, that filter would be blocking any of these phishing

01:42

attempts before they ever made it into a user's inbox.

01:46

We should also make sure that our users know

01:48

to never click a link inside of an email

01:50

and to never run an attachment from inside of an email.

01:54

We want to make sure that everyone in the organization

01:57

understands what a phishing email looks like and are

02:00

able to recognize if they happen to see one in their inbox.

02:03

There should also be a well-known process

02:06

within your organization for reporting any suspected

02:09

phishing emails to the IT security team.

02:13

If your email filter is working properly,

02:15

then your phishing attempt will probably

02:17

look something like this.

02:18

This phishing attempt was pulled directly from my spam folder,

02:21

and you can see it's from the United Nation slash

02:25

IMF, the International Monetary Fund.

02:27

You can also see that the email associated with the "United

02:31

Nation" is [email protected],

02:38

and in this case, the Gmail filter has successfully

02:41

identified this as a phishing campaign,

02:43

and it clearly says that this message seems dangerous.

02:48

Not only are we looking for phishing attempts,

02:50

we're also looking for anything that

02:52

might be unusual on a user's workstation.

02:55

We refer to this as "Anomalous behavior recognition,"

02:59

and we can start with looking for any type of risky behavior.

03:03

This could include a person or a service

03:05

modifying a host file on that device.

03:07

Perhaps, it's replacing a core operating system file,

03:11

or perhaps, sensitive files may be uploaded from that device.

03:15

We're also looking for behavior that would be unexpected.

03:18

Someone logging in from another country

03:21

is certainly something that's not normal,

03:23

and an increase in the amount of data transfers from a device

03:26

would certainly be unexpected.

03:28

And then, of course, we want to look for any behavior that

03:31

may be unintentional.

03:33

For example, someone typing in the wrong domain name

03:35

would simply be an unintentional mistake.

03:38

The same thing might apply to someone who had their USB drive

03:41

and now has misplaced where that drive happens to be,

03:45

or perhaps, the security settings on a device

03:47

have been misconfigured.

03:48

All of these are human error and would clearly

03:51

be put into the category of unintentional behavior.

03:55

A security team is not going to be aware of these issues,

03:58

unless they're constantly monitoring and reporting

04:01

on these types of events.

04:02

This needs to be an automated process, where alerts

04:05

are automatically sent to the security team,

04:08

and reports are generated automatically, every day.

04:11

This might include information about phishing

04:13

click rates, password manager adoption, multifactor

04:17

authentication use, and other important security metrics.

04:20

The first time someone clicks a phishing link

04:23

or does some other type of risky behavior,

04:25

we can address that with user training.

04:28

The goal would be to make the user aware

04:30

of this particular issue, so that they don't

04:32

have that issue occur again.

04:34

And if we're constantly monitoring,

04:36

we could see if these particular security events occur again.

04:40

This would point us towards users

04:42

that need extended training, and we

04:44

might want to add or change security configurations

04:47

for that particular user.

04:50

The process of monitoring, reporting,

04:52

and training the users would commonly

04:55

be done by the security awareness team.

04:57

This would be a specialized team in IT

05:00

that focuses on these types of user issues.

05:03

The security team is responsible for letting

05:06

everyone in the user community know about these security

05:09

issues.

05:09

So they might create emails, posters,

05:12

or some type of training to let people

05:14

know where these security problems might be.

05:17

They can also create customized training

05:19

depending on the job function for that particular individual.

05:22

If the organization has a group of mandated compliance

05:26

requirements, they can create customized training that

05:29

focuses on that specific compliance,

05:32

and they can use these automated reporting

05:34

systems to create detailed metrics that

05:36

can be tracked over time.

05:38

That way, they'll know if their efforts are making

05:40

a difference in the security of the organization,

05:42

or if there's a particular area where they

05:45

need to have an extra emphasis.

05:48

The security awareness team would

05:49

be responsible for creating the training materials for IT

05:52

security, and they'll present them online or in person.

05:56

They'll also create detailed metrics

05:58

that show the rest of IT how our security controls may

06:02

be working.

06:02

There's usually a group of managers or stakeholders

06:05

that are associated with the success of the security

06:08

awareness team, and they'll want to know

06:10

how these metrics associate back to the overall security

06:14

of the organization.

06:15

You'll see the results of these efforts

06:17

in many office buildings, where you'll

06:19

find classroom training, posters, and information

06:22

that tells you more about security

06:24

concerns for that organization.

06:26

And since there are detailed metrics

06:27

for all of this information, you'll

06:29

be able to correlate your training efforts back

06:32

to the overall security of the company.