Title: The Official (ISC)2 SSCP CBK Reference
Author: Mike Wills
Publisher: John Wiley & Sons Limited
Genre: Foreign computer literature
isbn: 9781119874874
Let's start with awareness—the informed recognition that a set of topics, ideas, and issues exists and is important. Awareness shines a different light on the day-to-day, triggering moments of recognition. Awareness shatters the false myths, the explanations that everybody “knows” but has never tested for validity. Simple but compelling examples can do this; even something as simple as “fake phishing” attack emails that you send to your own workforce can, over time, increase the percentage of that workforce that gets better at spotting a possible attack and dealing with it immediately and correctly.
Education explains concepts and links them to awareness. Education can be formal, focused around an identified body of content or aimed at the student attaining a credential of some kind attesting to their accomplishment. Informal education can be just as effective and often is well suited to rapidly evolving situations. Education stimulates thinking and creativity. A short course in root cause analysis can start with getting students to recognize the power of simple, open-ended questions.
Training teaches skills and guides learners in becoming increasingly proficient in applying them to realistic situations. Training activities that use “spotters' guides,” for example, can demonstrate packet sniffing and filtering or anti-phishing email screening techniques and then use checklist approaches as the frameworks of labs and exercises to enhance learners' abilities to recognize concepts in action and make informed decisions regarding actions to take.
Competency as the Criterion
It's well worth the investment of time and thought to create a short list of the key information security competencies that different subgroups of your workforce need, if they are going to be able to make real contributions to improving information security for the team as a whole. The larger your organization and the more diverse the individual workgroups are in terms of tasks, context, and the sensitivities of the information they work with, the greater the likelihood that you'll need numerous short lists of such competencies. This is okay; make this manageable by starting with the groups that seem to need even a small step-change in security effectiveness and work with them to identify these core competencies.
By the way, some education and training program professionals will refer to this core competencies approach as a needs assessment. The name does not matter; the results do. Both should produce as an outcome a list of tangible, clear statements of what learners need to learn and the standards by which they must be assessed to demonstrate the success of that learning.
It's likely that your company or organization has trainers and human resources development talent within the HR or personnel department. Find them; get them involved. Get their help in translating these first few sets of core competencies into the next layer of detail: the activities that learners have to perform well to demonstrate that they've successfully learned that competency to the required degree of rigor. Get them to help you find teaching and learning assets and materials that the company already has; or, get them to help you find other assets. Reuse what you can find, learning from how well it works, before spending the time to develop something custom-made for your situation, people, mission, and needs.
Build a Security Culture, One Awareness Step at a Time
You've successfully engaged others in the company to take on the tasks of selecting or developing the teaching and learning assets, structuring the courses, and finding the right people to act as trainers and teachers. You've got them managing the identification of which employees need what levels of learning, how often they need it, and when they need to get the learning accomplished. As the on-shift or day staff security administrator, that's a great segregation of duties to achieve! Now what?
Walk the hallways of the company's campus or locations; keep your eyes and ears open for signs that awareness, learning, and skills-building are happening. Look for signs of trouble that suggest it isn't working fast enough or well enough. Step into those situations informally and casually, and lead by example and inspire by action and word. Suggest to people in these problematic contexts, be they workers, supervisors, or mid-level managers, that they've got the opportunity to empower themselves, and you can help them.
Too many organizations fall into the administratively simple task of regularly scheduling repetitive training activities. These could be messaging opportunities that strengthen each worker's future with the company by enhancing the organization's survival and success. Instead, they oftentimes turn them into tick-the-box, square-filling exercises in futility. If this is happening in your organization, shine some light on it; help others become aware of the need to turn that messaging around. Quickly.
PARTICIPATE IN PHYSICAL SECURITY OPERATIONS
Information security specialists, such as SSCPs, need to be aware of all threats to the information systems in their care and be able to assist, advise, and take action as required across many functional areas in their organization. If your company is truly cloud-based, with no data center of its own, you've still got threats in the physical domain to contend with. Remember, too, that your attacker could turn out to be an insider who turns against your team for any number of political, financial, emotional, or personal reasons.
Physical Access Control
If the attackers can get to your systems, they've got a chance to be able to get into them. This starts in the physical domain, where access includes physical contact with Layer 1 network systems and with the USB ports or memory card slots on your endpoints and other devices. It includes being able to see the blinking LEDs on routers (which blink with each 1 or 0 being sent down the wire), and it includes being bold as brass and just walking into your office spaces as if they were a pizza delivery person or business visitor. And although we've not yet seen it reported, it won't be long now before we do see an attacker using hobbyist-grade UAVs to carry out intrusion attempts.
Chapter 2 will look at the concept of defense in depth, integrating a variety of deterrence, prevention, and detection capabilities to defend the points of entry into your systems. Threat modeling, done during the risk assessment and vulnerability assessment phases (which Chapter 3 examines in more detail), has given you maps of your systems architecture, which show it at the data, control, and management planes as well as in the physical dimension. Start at the outermost perimeter in those four planes and put on your penetration-tester hat to see these control concepts in action.
One major caution: What you are about to do is tantamount to penetration testing, and to keep that testing ethical, you need to first make sure that you're on the right side of law and ethics. Before you take any action that might be construed as an attempted penetration of an organization's information systems or properties under their control, gain the owners' and senior managers' permission in writing. Lay out a detailed plan of what you are going to attempt to do, why you propose it as worthwhile, and what you anticipate the disruptions to normal business operations might be. Work with them to specify how you'll monitor and control the penetration test activities and how you'll suspend or terminate them immediately if required. As you learn with each step, err on the side of caution and go back to that management team and ask for their written permission to take the next step.
At