The path to the Development of cissp (11): Security Awareness Education

In the previous article 《 Review information security governance (4)J0ker introduces the definitions and differences of various security documents in information security management (CBK. We all know that after the establishment of various security rules and regulations, every Member of the Organization must understand and consciously abide by the rules to play its due role. To achieve this goal, this document describes the Security Awareness Tool.

Security awareness education can be carried out as part of the organizational security program. Before designing and starting the security awareness education program, cissp should first determine the purpose of the security awareness education program. The purpose can be simply defined as "all organizational unit members must understand their most basic security responsibilities" or "organizational unit members must understand the information security threats facing the organizational unit, and develop good habits to defend against these risks and protect the Information System. "However, many times, setting more specific goals is more conducive to the development of security awareness education projects, the cissp official guide provides a specific sample:

Sample -- goal of Consciousness Education:

Enterprise Employees must be aware of the following items:
1. Security policies, standards, processes, bottom line and guidance
2. security threats to physical and information assets
3. Security Threats to the open network environment
4. Laws and regulations to be observed
5. Rules and regulations formulated by organizations or departments to be observed
6. How to identify and protect sensitive (or confidential) Information
7. How to store, tag, and transmit information
8. Who should I report to in case of a suspicious or confirmed security incident?
9. email and Internet security usage policies and procedures
10. Social Engineering

The goals of security awareness education should be in concert with the information security goals set by the Organization, and should be closely integrated with the Organization's information security plan. Otherwise, the expected results will not be achieved. The cissp exam does not examine the security awareness education chapter much, but friends still need to pay attention to the content of the 8 and 10 samples listed above. The report to whom in the 8 s mainly involves the concepts of security responsibilities and emergency response, while the social engineering in the 10 s is a very important concept. The official guide also provides a specific chapter for explanation, therefore, next, j0ker intends to introduce social engineering and related knowledge.

Information security, or more accurately, people engaged in information security, focuses on the availability, integrity, and confidentiality of information technology and assets (AIC triangle). We also know that, if a security project has a critical weakness, it is impossible to succeed in project implementation. At this point, information security can be explained by the iron chain theory or the bucket theory. The strength of the iron chain is determined by the weakest link on it, the amount of water that a bucket can hold is determined by the shortest plank.

We often see in security projects what software and hardware are required for project implementation, what technologies should be deployed, what vulnerabilities should be protected, and relevant security solutions and materials can be found from various sources, however, in the end, all components of these security projects are used, installed, deployed, and maintained by people. Therefore, apart from information security and technology-related aspects, people's behaviors should also be the key points of attention to information security. cissp CBK introduces wetware, a term used to refer to "people" as a key factor, social engineering is a specialized attack on people.

In the official guide, social engineering is defined as follows:
Successful or unsuccessful attempts to influence a person (s) into either revealing information or acting in a manner that wocould result in unauthorized access to, unauthorized use of, or unauthorized disclosure of an information system, A network, or data.

That is to say, the goal of social engineering attacks is to access, use, and leak information systems, networks, and data without authorization, the primary means is to cheat the target person (usually authorized legal users.

The official guide classifies social engineering attacks into three types: ego attack, sympathy attack, and intimidation attack, in ego attack, attackers often exploit the self-esteem and expressive desire of the target user to obtain the information they grasp. In sympathy attack, attackers may disguise themselves as new users or partners in the target organization, attackers can  by obtaining the trust of authorized users (the attacker's disguised identity level is usually lower than the target identity). In intimidation attack, attackers can disguise themselves as persons whose identity level is higher than the target, then ask the other party to provide the required information. Please note the differences between the three attack methods.

To defend against social engineering attacks, the most effective way is to standardize the daily operations of legal users through administrative means (administrative control, security policies, standards, and procedures, and strengthen the education of user security awareness. For more information, see the official guide.

So far, j0ker has basically finished introducing cissp's first CBK-information security management. The content of this chapter is not much in the cissp CBK system, but it is the basis of the whole cissp CBK knowledge system, the knowledge involved in the subsequent sections can be considered as serving the content mentioned in this chapter.

In the cissp examination, except for a few concepts that provide instance analysis in the official guide, it is possible to use instances for analysis, most of the other related questions focus on the meaning of concepts or terms and their significance in the information security system. Therefore, when reviewing this chapter, especially for technical friends, therefore, j0ker recommends that you read more relevant review materials and understand the relationships and differences between nouns and concepts. It is secondary to exercise more questions. Friends can also associate the content of this CBK with the content they come into contact with in their daily work, or apply it to their daily work, so that they can easily integrate the content of this CBK, after all, the content of cissp is for application. It is meaningless to simply prepare for the exam.

In addition, there is a tip during the review. You can print out the CBK points listed at the end of the Official Guide chapter and the quick tips at the end of the corresponding chapter in allin one, when you are free, you can take a look at it, which is very helpful for consolidating the key concept.