From the course: CompTIA SecurityX (CAS-005) Cert Prep

Security program management

A big aspect of security program management is security awareness and training, which can be done at all different phases, whether it be a joiner or a mover, and identity management. Security awareness and training is critical, and it is commonly underutilized, yet it can be overdone. Too many posters and mouse pads and coffee cups constantly reminding us of how we're just an unsecure employee. But it's important to choose the right modalities for the training. For example, what I'm doing right now in this training series would be considered a modality, okay? A mock phishing campaign is very common. So a successful mock phishing campaign would include clear objectives, defining the goals with your simulation, like testing employees' ability to recognize the attempts or just improving the overall awareness. Make sure you have a realistic scenario. It has to look like corporate email, it has to look very much like a constructed phishing attack, realistic. You want to mimic actual threats. And it will help you provide a candid look at your posture of your employees. And then targeted testing, maybe not one that affects all the employees, but target certain groups that a broad range of role and responsibilities are going to get those mock campaigns. You'll have to have tracking and reporting. So monitor the responses of the phishing emails, whether they're opened, whether they download PDF files, what links did they click on? Was any information shared? Did they send a copy of that email to one of their coworkers? You want to analyze the results, and the goal here is to identify areas for improvement. Like I said in the previous lesson, we don't do these mock phishing campaigns because we want to find a way to lay off a bunch of people. And then we have to have follow-up training, right, making sure that there's lessons learned and we continue to give awareness to our employees, everybody in the organization to be better at recognizing and knowing the weaknesses. 
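The tracking, reporting and analysis steps above are where a mock campaign turns into a training plan. The following script is an added example, not material from the course or from any phishing-simulation product: it takes a constructed event log from a simulation (delivered, opened, clicked, submitted, reported), de-duplicates repeated events per user, computes per-department click and report rates, and flags the departments that should receive follow-up training. The department names, user names, event types and thresholds are all assumptions made up for the example.

```python
"""Summarise mock-phishing simulation results per department.

Added example (not from the course). Every event below is constructed;
a real campaign tool would export something similar as CSV or JSON.
Event types: delivered, opened, clicked (followed the link), submitted
(entered data on the landing page), reported (sent it to security).
"""
from collections import defaultdict

EVENT_TYPES = ("delivered", "opened", "clicked", "submitted", "reported")

# (user, department, event) -- constructed sample data
EVENTS = [
    ("alice", "finance", "delivered"), ("alice", "finance", "opened"),
    ("alice", "finance", "clicked"), ("alice", "finance", "submitted"),
    ("bob", "finance", "delivered"), ("bob", "finance", "opened"),
    ("bob", "finance", "reported"),
    ("carol", "finance", "delivered"), ("carol", "finance", "opened"),
    ("carol", "finance", "clicked"),
    ("dave", "finance", "delivered"),
    ("erin", "engineering", "delivered"), ("erin", "engineering", "opened"),
    ("erin", "engineering", "reported"),
    ("frank", "engineering", "delivered"), ("frank", "engineering", "reported"),
    ("grace", "engineering", "delivered"), ("grace", "engineering", "opened"),
    ("grace", "engineering", "clicked"), ("grace", "engineering", "reported"),
    ("heidi", "engineering", "delivered"), ("heidi", "engineering", "opened"),
    ("heidi", "engineering", "reported"),
    ("ivan", "hr", "delivered"), ("ivan", "hr", "opened"),
    ("ivan", "hr", "clicked"), ("ivan", "hr", "submitted"),
    ("ivan", "hr", "clicked"),  # duplicate click: a user counts once per event
    ("judy", "hr", "delivered"), ("judy", "hr", "opened"),
    ("judy", "hr", "reported"),
]


def summarise(events):
    """Count distinct users per (department, event type)."""
    seen = set()
    counts = defaultdict(lambda: {e: 0 for e in EVENT_TYPES})
    for user, dept, event in events:
        if event not in EVENT_TYPES:
            continue  # ignore unknown event names rather than miscount
        key = (user, event)
        if key in seen:
            continue  # one user opening or clicking twice is still one user
        seen.add(key)
        counts[dept][event] += 1
    return dict(counts)


def rates(summary):
    """Per-department rates, with delivered emails as the denominator."""
    out = {}
    for dept, c in summary.items():
        delivered = c["delivered"]
        if delivered == 0:
            continue  # nothing delivered, nothing to measure
        out[dept] = {
            "open_rate": c["opened"] / delivered,
            "click_rate": c["clicked"] / delivered,
            "submit_rate": c["submitted"] / delivered,
            "report_rate": c["reported"] / delivered,
        }
    return out


def needs_follow_up(dept_rates, click_threshold=0.3, report_threshold=0.5):
    """Departments that clicked too often or reported too rarely.

    The thresholds are assumptions for the example; pick your own from
    the campaign objectives you defined up front.
    """
    flagged = [
        dept for dept, r in dept_rates.items()
        if r["click_rate"] > click_threshold or r["report_rate"] < report_threshold
    ]
    return sorted(flagged)


if __name__ == "__main__":
    summary = summarise(EVENTS)
    for dept, r in rates(summary).items():
        print(f"{dept:12s} click={r['click_rate']:.0%} report={r['report_rate']:.0%}")
    print("follow-up training:", needs_follow_up(rates(summary)))
```

Counting distinct users rather than raw events matters: one curious user who clicks the link five times would otherwise make a department look worse than it is, and the aim, as the lesson says, is to find areas for improvement, not to single people out.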
And then reinforce good security practices. If you do a mock phishing campaign and everybody does a really good job, then maybe you want to have the carrot and not just the stick, maybe a pizza party or some type of Amazon gift card. A really serious aspect of phishing is BEC, Business Email Compromise. We need to have awareness of this because there's been organizations that have lost many millions of dollars on these types of attacks with impersonation techniques, social engineering tactics, we can call that hoaxing or pretexting, okay? These might be time-sensitive emails. Often the BEC attack, they're going to hoax or represent like a new employee at the law firm that you work with or the CPA firm. It may begin with a phone call and not just email. They're often urgent, quick, important reminder. They'll spoof email, obviously. The goal, if possible, is to do credential theft. So in some cases, the attacker might compromise an executive's actual email account, right, they've gotten access to that account. And then exploiting public information, taking advantage of what's on social media, what high-level employees put on LinkedIn, for example, maybe their Facebook pages, information like that. So the security training must include an awareness of the newest and most applicable social engineering attacks as well. And these are often the early phases of what we called an APT, an Advanced Persistent Threat, which we'll explore later on in this training series. So whenever you have a new application, a new mobile app, new technologies are introduced, they're going to expose new exploits. So some examples of social engineering, the one we've already talked about, the most common is phishing, pretexting and hoaxing where it's a fabricated scenario. Like I said, in the BEC, they're going to represent a law firm or a strategic partner, maybe somebody at a CPA firm. Baiting is where they entice your end users maybe with a promise to lure them into something, okay? 
Quid pro quo, basically Latin for offering a service or a benefit in exchange for data or information. We know that you can dumpster dive, that still happens. In fact, you can get more valuable things today dumpster diving than ever. So that needs to have physical security of those dumpsters and wherever you're shredding those papers. Shoulder surfing, with our mobile devices, that's more dangerous than ever. Even somebody sitting across from you in a building with a telescope can look and see your monitor if it faces the window. We know that somebody might try to get into the building through a tailgate or a piggyback where they just try to kind of sneak in on somebody else's badge or somebody else's using their token or credential. A watering hole attack is interesting. A classic example of this, if you're not aware of that, would be, let's say you have a class reunion, a high school class reunion, a college class reunion. These are typical, prototypical examples of these attacks where they put up an ad hoc website, and everybody who went to high school together gives all this information, all this personal information, when they sign up to go to that particular event. And it's on the website and somebody hacks that and they get all that information. Usually whoever puts those websites up, they're not super secure, maybe they're still using SSL or something like that, so that's a classic. And our phishing today is being powered by AI. And so those bots out there that are doing these AI-powered phishing attacks, those are often highly powerful and their spread is immense, so we have to deal with those. Along with AI and machine learning, we can have those deepfake scams where the cybercriminal actually does realistic audio or video of maybe somebody who's an executive or a family member. Disinformation as a service or misinformation as a service. 
We can see that today where you're spreading false information, often a competitor, for example, to attack your stock price or something like that, trying to bring you down. Voice phishing is called vishing. And then just total account takeover. With the increase of data breaches, attackers are using stolen credentials to take these over and build on those social engineering techniques. So be aware of those, and also having situational awareness. This is part of your security program so that employees know to remain vigilant and aware of, let's say, people walking around that they don't recognize, or somebody that doesn't have a guest badge on or doesn't have an accompaniment of some other employee, somebody from HR. Just being aware of the operational environment, understanding the current physical landscape, looking for suspicious activities, not necessarily getting involved and confronting that person, but knowing who to call at the security desk in the SOC, the operation center, or security guards. It's crucial for maintaining a strong security posture. You want to empower employees and they're going to buy in with a more secure environment by knowing their responsibilities. Staying informed about the latest security threats. So the situational awareness is often an update in your security awareness training, new types of suspicious behavior. And so we have enterprise privacy programs. Remember that privacy is a subset of confidentiality. Confidentiality is broader, privacy is more about people, right? If you have a robotic system and it's sending telemetry information, yes, you may want to keep that data in transit confidential, but it's not personal information. That robot is not a person yet, so privacy's not involved unless it's going to be sending information about people, PII, PHI. PIA, as we look at this slide, the Privacy Impact Assessment, that comes from the Department of Homeland Security. 
So those are assessments to evaluate your potential privacy risks with any new project, any new program, any new system or application. Data subject rights management, those are processes to manage and respond to data subject requests. So that might be something that involves our privileged account management or privileged identity management for some ad hoc privileges for those special situations. We'll talk more about that later as well. And then, do you have a response plan for data breach or data loss? That's pretty important. We know that training and awareness is critical, so privacy also is going to be involved in that training. We also have to look at risk dealing with third parties, our third-party vendors, outsourcing contractors. And since 2020, we have more and more teleworkers and contractors than ever. Privacy by design is an interesting term. Actually, it's said that Ann Cavoukian, who was the former information and privacy commissioner of Ontario, Canada, came up with that term and then it kind of got taken by the GDPR. So privacy by design basically means it's involved in every aspect, it's your default mode of operation, okay? Privacy by design. And then, of course, maybe monitoring and auditing because you have to be compliant with laws, regulations, and even your own internal policies. Operational security, or OpSec, is designed to protect sensitive information and critical assets. These are programs that involve practices and processes to assess and mitigate risk, making sure that your organization has a strong maturity for organizational operations. So that you need to have clear and consistent communication, all employees are included and concise. And remember your target audience. We don't have the same type of communication for our SOC that we do, let's say, for the receptionist and the executive secretaries. Regular updates on current threats and how your organization plans to handle them. You have to be transparent. 
You want to foster trust by sharing insights on new incidents. So we don't keep those things secret. And sometimes the law says if you have a data breach or a credit card breach, you have to make that public, of course. Collaborative platforms. So using internal communication tools, taking advantage of your intranet, things like Microsoft Teams, right, those types of tools, to make sure that we have effective communication. And then there has to be some type of feedback mechanism, right? We want to continually improve, we want to have those lessons learned, so feedback. And then the more interactive your training modules are, the more effective they're going to be, which means using things like gamification, kind of try to make it fun. When you're doing security awareness training, make it like a game of jeopardy or something like that. Gamification can really help with that interactive aspect to security programs. You got to have a commitment, right, by management buy-in, by your upper C-suite or C-team and all the employees as well. You want management support to get the resources you need, the right budget, the right personnel. It may be hiring some new people, it may be borrowing some new people that you need. And that's going to foster a culture of security throughout the organization. Top-down approach, right? Get management involvement from the outgo or the outset for that. And also a strong commitment, right? Regular reviews, updates, continual improvement, that ITIL 4 kind of mentality. Now, you may be using, let's say, if you have in-house trainers, you may use the Apple NPS, which is a Net Promoter Score. That might be a good evaluation tool, part of your reporting process. So whatever modality you're using for your security awareness training, maybe use the NPS, right? So you get those peer and supervisory evaluations, creating a score between 0 and 100. And not just evaluating the training, but evaluating any types of assessments you do. 
If you do any kind of surveys, if you do tests, little pop quizzes with your training, you want to go ahead and make sure that you're including that in the NPS score. And then finally, we want to be aware of the RACI or the RACI chart. So you want to know the roles and responsibilities. In this standpoint, we're talking about our security program. So in this particular diagram here, this is for doing a migration to, let's say, Google Cloud. You're going to migrate your Oracle database up to the cloud. It doesn't really matter what the initiative of the program is, but the four elements are the same. Let's say we're going to apply this to our security management program. You have one and only one accountable party. You have one or more responsible parties, and the accountable and responsible could be the same, like the security team. Then you have one optional consulted party, which means kind of a two-way communication. You're expecting to get feedback, you're expecting to get some advice back from the legal team. And then informed is just a notification. So we'll also revisit the RACI or the RACI chart throughout as we apply this to a wide variety of different programs in our SecurityX training.
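The four RACI rules stated above (exactly one accountable party, one or more responsible parties, consulted and informed parties optional) are simple enough to check mechanically before a chart is circulated. The script below is an added example, not part of the course or of any particular RACI tool: it validates a constructed chart for a security awareness program, where each cell holds the letters of the roles a party has for a task (so "RA" means the security team is both responsible and accountable, as the lesson allows). The tasks, parties and deliberate mistakes in the chart are all assumptions made up for the example.

```python
"""Validate a RACI chart against the rules from the lesson.

Added example (not from the course). The chart is constructed and
contains deliberate mistakes so the checks have something to report.
Cells hold role letters: R=responsible, A=accountable, C=consulted,
I=informed. A party may hold several letters, e.g. "RA".
"""

VALID_ROLES = {"R", "A", "C", "I"}

# task -> {party: role letters} -- constructed sample chart
CHART = {
    "Run mock phishing campaign": {
        "security team": "RA", "legal": "C", "HR": "I", "executives": "I",
    },
    "Approve awareness training budget": {
        "executives": "A", "security team": "R", "HR": "C",
    },
    "Handle phishing test results": {          # two accountable parties
        "security team": "R", "HR": "A", "executives": "A",
    },
    "Publish security newsletter": {           # nobody accountable
        "HR": "R", "security team": "C",
    },
    "Update RACI chart": {                     # no responsible party, bad letter
        "security team": "A", "legal": "X",
    },
}


def validate_raci(chart):
    """Return a list of (task, problem) tuples; an empty list means valid."""
    issues = []
    for task, cells in chart.items():
        for party, roles in cells.items():
            bad = set(roles) - VALID_ROLES
            if bad:
                issues.append((task, f"invalid role letter(s) {sorted(bad)} for {party}"))
        accountable = [p for p, roles in cells.items() if "A" in roles]
        responsible = [p for p, roles in cells.items() if "R" in roles]
        # one and only one accountable party
        if len(accountable) == 0:
            issues.append((task, "no accountable party"))
        elif len(accountable) > 1:
            issues.append((task, f"more than one accountable party: {sorted(accountable)}"))
        # one or more responsible parties
        if len(responsible) == 0:
            issues.append((task, "no responsible party"))
    return issues


def is_valid(chart):
    return not validate_raci(chart)


def parties_to_notify(chart, task):
    """Who must be informed (one-way) and consulted (two-way) for a task."""
    cells = chart[task]
    return {
        "consulted": sorted(p for p, r in cells.items() if "C" in r),
        "informed": sorted(p for p, r in cells.items() if "I" in r),
    }


if __name__ == "__main__":
    for task, problem in validate_raci(CHART):
        print(f"{task}: {problem}")
    print(parties_to_notify(CHART, "Run mock phishing campaign"))
```

Running the check before a chart goes out catches the classic failure of two "accountable" names on one line, which usually means neither of them actually owns the task.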