XCLUB-COOL STUFF AROUND YOU

Awareness: Common Cyber Threats

#1
Posted on 2019-04-10 14:38:11 from mobile
Edited by Dinesh Vishwakarma at 2019-04-11 12:09

A cyberattack is a malicious and deliberate attempt by an individual or organization to breach the information system of another individual or organization. Usually, the attacker seeks some type of benefit from disrupting the victim’s network.

Training?

Security Awareness Training starts with the organization's acknowledgement that their employees are the weakest cybersecurity link. Conversely, they're also the first line of defense against cyber attacks. Security Awareness Training provides every employee with a fundamental understanding that there are imminent and ongoing cyber threats, preparing enterprise employees for common cyber attacks and threats.

Security Awareness Training generally consists of repetitive training and ongoing, sometimes random, testing in the following areas of exploitation. The most prevalent IT security threats (and thus the most up-to-date cybersecurity training) include:

• Spam. Not limited to direct email, spam is now one of the main methods of attack via social media. When someone "invites" you to connect on LinkedIn, for example, that invitation may arrive in your email, but its effectiveness is directly related to your trust of various social media sites. Cyber criminals can even embed password-stealing malware from a simple LinkedIn invitation.
• Phishing. Phishing is a common practice whereby hackers go after a broad target of users with emails that look genuine, but are actually intended to lead the uneducated user to click on dangerous links — possibly divulging usernames, passwords, personally identifiable information, even financial information. Phishing is akin to throwing out a wide net full of bait and pulling in whatever you catch.
• Spear phishing. While phishing schemes cast a wide net, spear phishing takes a highly targeted approach to attacking specific individuals. The most infamous spear phishing attack in recent history was on John Podesta, then-chairman of the Hillary Clinton presidential campaign. Spear phishing attacks target high-profile individuals or people with access to valuable digital assets. The email is usually handcrafted, and uses all available information to make the email read exactly like an actual email from a friend or colleague.
• Malware. Short for "malicious software", malware refers to any type of software designed to cause harm to a device such as viruses, rootkits, spyware, worms and Trojan horses. Advanced Malware (https://www.secureworks.com/blog/advanced-malware-vs-malware) has a specific target and mission typically aimed at an organization or enterprise. In 2017, the malware program known as WannaCry spread throughout the world, crippling hundreds of organizations.
• Ransomware. Similar to malware, ransomware is used by attackers to extort money (or possibly other resources) from the target organization. In June 2017 NotPetya infected accounting software prevalent in the Ukraine. It encrypts files on the drive, requests $300 in bitcoin, attempts to steal credentials in the memory and attempts to propagate through the network using stolen credentials or exploits.
• Social engineering. This practice is simpler than it sounds. If you've seen the movie Catch Me If You Can, you've witnessed one highly effective example of social engineering. Tripwire assessed the most prevalent types of social-engineering attacks in 2015. At its core, social engineering occurs when one person fools another into giving up access to a resource. Social engineers use a variety of tools and resources to gain access to targeted resources, but the one-on-one direct attack remains the same.

Security Awareness Training Best Practices

however, each offers a unique strategy to create a culture of security within an organization. These cybersecurity best practices include:

1. Complying with all local and federal laws and regulations
2. Getting everyone on board — the entire organization, all or nothing
3. Establishing a required baseline of assessment
4. Creating a system of very clear communication about the program
5. Making the training intriguing and at least a bit entertaining
6. Enforcing, reviewing and repeating. No "set it and forget it" or "one and done"
7. Creating a culture of reinforcement and motivation for constant vigilance and learning

These seven points might be used as something of a template or starting point for developing your organization's security awareness education program. Every organization's individual needs are unique; however, the goals for any security awareness training program are usually quite similar.

The Goals and Objectives of Security Awareness Training

The reasons behind developing your own security awareness program for employees are best understood in the simplest of terms: security. If your organization holds or has access to sensitive data, then the security of that data is paramount to your organization's success and future. And because people are the most common target of hackers, it is essential for employees to have proper training to recognize the threats to the organization. That's the reason for creating, growing and maintaining a solid security awareness training program for your employees.

The goals and objectives will — or should — serve to uphold the reason for creating the program. It is at this point that your goals and objectives for your organizational program will be unique to your organization. The ultimate goal should be 100% awareness of every threat that exists to your organization's electronic data and computer network. But you have to start somewhere, with that goal in mind at all times.

In the beginning, the goals should be simple: creation, delivery and evaluation. Over time, the ongoing quarterly and annual goals of the program will become increasingly directly tied to the frequency and severity of actual incidents that occur within the organization. Criminal cyber hackers are constantly seeking new methods to exploit the weaknesses in any organization, and your security awareness program will often be reacting to the latest successful exploit within your industry or market space.

How to Start a Security Awareness Training Program

The steps below can serve as a general roadmap for starting your organization's unique security awareness training program.

1. Identify your organization's security requirements as they apply to individual employees.
2. Determine how best to deliver the training, e.g., in person, video, online, hands-on, etc.
3. Create the appropriate content for the desired training medium. This content is the training curriculum, to be delivered by a respected security professional within the organization. Material can range from free security awareness training posters, email phish testing software that trains and evaluates employees, to on-site training presentations and testing.
4. Set expectations for all employees as to the requirements, timing, delivery, method and expected results.
5. Schedule multiple training sessions according to general availability of the organization's employees, with the understanding that every employee has different daily priorities and that exigent circumstances happen in people's lives.
6. Deliver the training according to the expectations set prior to and during scheduling.
7. Capture feedback on the training itself from as many employees as possible.
8. Conduct post-training assessments of all employees to determine how effective the training was.
9. Re-evaluate the training and training medium for effectiveness, and adapt accordingly. Security training is not a "set it and forget it" approach. Both the curriculum and employees must be updated constantly and regularly.
10. Correlate the implementation of training with the frequency of security-related incidents to determine the practical impact on the organization's security health.

It's important for employees to have a positive experience for such a requirement. Otherwise, the training will be seen as a necessary evil instead of a vital means of protecting the organisation's brand and health.


Credits:
• Secureworks
#2
Posted on 2019-04-10 14:57:48 from mobile
Thanks
#3
Original poster | Posted on 2019-04-10 14:58:00 from mobile
You're Welcome Sister
#4
Posted on 2019-04-10 17:14:57 from mobile
Okay brother
#5
Posted on 2019-04-10 20:44:09 from mobile
Good share