L5 Security Operations https://md2pdf.netlify.app/L5 Security Operations https://md2pdf.netlify.

app/

might indicate “minor, may disrupt some processes” while a more extreme one might be

L5 Security Operations “grave, could lead to loss of life or threaten ongoing existence of the organization.” These
descriptions should reflect the ways in which the organization has chosen (or been mandated)
to characterize and manage risks. The immediate benefit of classification is that it can lead to
more efficient design and implementation of security processes, if we can treat the protection
Module 1: Understand Data Security
needs for all similarly classified information with the same controls strategy.
Domain D5.0, D5.1.1, D5.1.2, D5.1.3 Labeling: security labels are part of implementing controls to protect classified information.
It is reasonable to want a simple way of assigning a level of sensitivity to a data asset, such
Hardening is the process of applying secure configurations (to reduce the attack surface) and
that the higher the level, the greater the presumed harm to the organization, and thus the
locking down various hardware, communications systems and software, including the operating
greater security protection the data asset requires. This spectrum of needs is useful, but it
system, web server, application server and applications, etc. This module introduces configuration
should not be taken to mean that clear and precise boundaries exist between the use of “low
management practices that will ensure systems are installed and maintained according to industry
sensitivity” and “moderate sensitivity” labeling, for example.
and organizational security standards.
Data Sensitivity Levels and Labels: unless otherwise mandated, organizations are free to
Data Handling create classification systems that best meet their own needs. In professional practice, it is
typically best if the organization has enough classifications to distinguish between sets of
Data itself goes through its own life cycle as users create, use, share and modify it. The data
assets with differing sensitivity/value, but not so many classifications that the distinction
security life cycle model is useful because it can align easily with the different roles that people
between them is confusing to individuals. Typically, two or three classifications are
and organizations perform during the evolution of data from creation to destruction (or
manageable, and more than four tend to be difficult.
disposal). It also helps put the different data states of in use, at rest and in motion, into context.
Highly restricted: Compromise of data with this sensitivity label could possibly put the
All ideas, data, information or knowledge can be thought of as going through six major sets of
organization’s future existence at risk. Compromise could lead to substantial loss of life, injury
activities throughout its lifetime. Conceptually, these involve:
or property damage, and the litigation and claims that would follow. Moderately restricted:
1. Creating the knowledge, which is usually tacit knowledge at this point. Compromise of data with this sensitivity label could lead to loss of temporary competitive
2. Storing or recording it in some fashion (which makes it explicit). advantage, loss of revenue or disruption of planned investments or activities. Low sensitivity
(sometimes called “internal use only”): Compromise of data with this sensitivity label could
3. Using the knowledge, which may cause the information to be modified, supplemented or
cause minor disruptions, delays or impacts. Unrestricted public data: As this data is already
partially deleted.
published, no harm can come from further dissemination or disclosure.
4. Sharing the data with other users, whether as a copy or by moving the data from one location
to another. Retention: Information and data should be kept only for as long as it is beneficial, no more
5. Archiving the data when it is temporarily not needed. and no less. Certain industry standards, laws and regulations define retention periods, when
6. Destroying the data when it is no longer needed. such external requirements are not set, it is an organization’s responsibility to define and
implement its own data retention policy. Data retention policies are applicable both for hard
Data Handling Practices copies and for electronic data, and no data should be kept beyond its required or useful life.
Security professionals should ensure that data destruction is being performed when an
Classification: classifications dictate rules and restrictions about how that information can be asset has reached its retention limit. For the security professional to succeed in this
used, stored or shared with others. All of this is done to keep the temporary value and assignment, an accurate inventory must be maintained, including the asset location, retention
importance of that information from leaking away. Classification of data, which asks the period requirement, and destruction requirements. Organizations should conduct a periodic
question “Is it secret?” determines the labeling, handling and use of all data. Classification is review of retained records in order to reduce the volume of information stored and to ensure
the process of recognizing the organizational impacts if the information suffers any security that only necessary information is preserved.
compromises related to its characteristics of confidentiality, integrity and availability.
Information is then labeled and handled accordingly. Classifications are derived from laws, Records retention policies indicate how long an organization is required to maintain information
regulations, contract-specified standards or other business expectations. One classification and assets. Policies should guarantee that: * Personnel understand the various retention

1 of 13 12/16/2023, 9:07 PM2 of 13 12/16/2023, 9:07 PM

L5 Security Operations https://md2pdf.netlify.app/L5 Security Operations https://md2pdf.netlify.app/

requirements for data of different types throughout the organization. * The organization the type of computer system.
appropriately documents the retention requirements for each type of information. * The systems,
processes and individuals of the organization retain information in accordance with the required Major controls frameworks emphasize the importance of organizational logging practices.
schedule but no longer. * A common mistake in records retention is applying the longest retention Information that may be relevant to being recorded and reviewed include (but is not limited to):
period to all types of information in an organization. This not only wastes storage but also user IDs, system activities, dates/times of key events (e.g., logon and logoff), device and location
increases risk of data exposure and adds unnecessary “noise” when searching or processing identity, successful and rejected system and resource access attempts, system configuration
information in search of relevant records. It may also be in violation of externally mandated changes and system protection activation and deactivation events.
requirements such as legislation, regulations or contracts (which may result in fines or other Logging and monitoring the health of the information environment is essential to identifying
judgments). Records and information no longer mandated to be retained should be destroyed in inefficient or improperly performing systems, detecting compromises and providing a record of
accordance with the policies of the enterprise and any appropriate legal requirements that may how systems are used. Robust logging practices provide tools to effectively correlate
need to be considered. information from diverse systems to fully understand the relationship between one activity and
another.
Destruction: Data that might be left on media after deleting is known as remanence and may
be a significant security concern. Steps must be taken to reduce the risk that data remanence Log reviews are an essential function not only for security assessment and testing but also for
could compromise sensitive information to an acceptable level. This can be done by one of identifying security incidents, policy violations, fraudulent activities and operational problems
several means: near the time of occurrence. Log reviews support audits – forensic analysis related to internal and
Clearing the device or system, which usually involves writing multiple patterns of external investigations – and provide support for organizational security baselines. Review of
historic audit logs can determine if a vulnerability identified in a system has been previously
random values throughout all storage media. This is sometimes called “overwriting” or
exploited.
“zeroizing” the system, although writing zeros has the risk that a missed block or storage
extent may still contain recoverable, sensitive information after the process is completed. It is helpful for an organization to create components of a log management infrastructure and
Purging the device or system, which eliminates (or greatly reduces) the chance that determine how these components interact. This aids in preserving the integrity of log data from
residual physical effects from the writing of the original data values may still be recovered, accidental or intentional modification or deletion and in maintaining the confidentiality of log data.
even after the system is cleared. Some magnetic disk storage technologies, for example,
can still have residual “ghosts” of data on their surfaces even after being overwritten Controls are implemented to protect against unauthorized changes to log information. Operational
multiple times. Magnetic media, for example, can often be altered sufficiently to meet problems with the logging facility are often related to alterations to the messages that are
security requirements; in more stringent cases, degaussing may not be sufficient. recorded, log files being edited or deleted, and storage capacity of log file media being exceeded.
Organizations must maintain adherence to retention policy for logs as prescribed by law,
Physical destruction of the device or system is the ultimate remedy to data remanence.
regulations and corporate governance. Since attackers want to hide the evidence of their attack,
Magnetic or optical disks and some flash drive technologies may require being
the organization’s policies and procedures should also address the preservation of original logs.
mechanically shredded, chopped or broken up, etched in acid or burned; their remains
Additionally, the logs contain valuable and sensitive information about the organization.
may be buried in protected landfills, in some cases.
Appropriate measures must be taken to protect the log data from malicious use.
In many routine operational environments, security considerations may accept that
clearing a system is sufficient. But when systems elements are to be removed and
Event Logging Best Practices
replaced, either as part of maintenance upgrades or for disposal, purging or destruction
may be required to protect sensitive information from being compromised by an attacker. Different tools are used depending on whether the risk from the attack is from traffic coming into
or leaving the infrastructure.
Logging and Monitoring Security Events
Ingress monitoring refers to surveillance and assessment of all inbound communications traffic
Logging is the primary form of instrumentation that attempts to capture signals generated by and access attempts. Devices and tools that offer logging and alerting opportunities for ingress
events. Events are any actions that take place within the systems environment and cause monitoring include: Firewalls, Gateways, Remote authentication servers, IDS/IPS tools, SIEM
measurable or observable change in one or more elements or resources within the system. solutions, Anti-malware solutions.
Logging imposes a computational cost but is invaluable when determining accountability.
Proper design of logging environments and regular log reviews remain best practices regardless of Egress monitoring is used to regulate data leaving the organization’s IT environment. The term

3 of 13 12/16/2023, 9:07 PM4 of 13 12/16/2023, 9:07 PM

L5 Security Operations https://md2pdf.netlify.app/L5 Security Operations https://md2pdf.netlify.app/

currently used in conjunction with this effort is data loss prevention (DLP) or data leak protection. iii. Change Control: An update process for requesting changes to a baseline, by means of
The DLP solution should be deployed so that it can inspect all forms of data leaving the making changes to one or more components in that baseline. A review and approval
organization, including: Email (content and attachments), Copy to portable media, File Transfer process for all changes. This includes updates and patches.
Protocol (FTP), Posting to web pages/websites, Applications/application programming interfaces iv. Verification & Audit: A regression and validation process, which may involve testing and
(APIs). analysis, to verify that nothing in the system was broken by a newly applied set of
changes. An audit process can validate that the currently in-use baseline matches the sum
Encryption Overview total of its initial baseline plus all approved changes applied in sequence.

Almost every action we take in our modern digital world involves cryptography. Encryption Effective use of configuration management gives systems owners, operators, support teams and
protects our personal and business transactions; digitally signed software updates verify their security professionals another important set of tools they can use to monitor and oversee the
creator’s or supplier’s claim to authenticity. Digitally signed contracts, binding on all parties, are configuration of the devices, networks, applications and projects of the organization.An
routinely exchanged via email without fear of being repudiated later by the sender. organization may mandate the configuration of equipment through standards and baselines. The
use of standards and baselines can ensure that network devices, software, hardware and
Cryptography is used to protect information by keeping its meaning or content secret and making
endpoint devices are configured in a consistent way and that all such devices are compliant with
it unintelligible to someone who does not have a way to decrypt (unlock) that protected
the security baseline established for the organization. If a device is found that is not compliant
information. The objective of every encryption system is to transform an original set of data, called
with the security baseline, it may be disabled or isolated into a quarantine area until it can be
the plaintext, into an otherwise unintelligible encrypted form, called the ciphertext.
checked and updated.
Properly used, singly or in combination, cryptographic solutions provide a range of services that
Inventory: Making an inventory, catalog or registry of all the information assets is the first
can help achieve required systems security postures in many ways:
step in any asset management process. You can’t protect what you don’t know you have.

**confidentiality**: Cryptography provides confidentiality by hiding or obscuring a message so that it cannotBaselines: The baseline is a total inventory of all the system’s components, hardware,
**integrity**: hash functions and digital signatures can provide integrity services that allow a recipient tosoftware, data, administrative controls, documentation and user instructions. All further

comparisons and development are measured against the baselines. When protecting assets,
baselines can be particularly helpful in achieving a minimal protection level of those assets
Module 2: Understand System Hardening based on value. If classifications such as high, medium and low are being used, baselines
could be developed for each of our classifications and provide that minimum level of security
Domain D5.2.1 required for each.

Configuration Management Overview Updates: Such modifications must be acceptance tested to verify that newly installed (or
repaired) functionality works as required. They must also be regression tested to verify that
Configuration management is a process and discipline used to ensure that the only changes the modifications did not introduce other erroneous or unexpected behaviors in the system.
made to a system are those that have been authorized and validated. It is both a decision- Ongoing security assessment and evaluation testing evaluates whether the same system
making process and a set of control processes. If we look closer at this definition, the basic that passed acceptance testing is still secure.
configuration management process includes components such as identification, baselines,
updates and patches. Patches: The challenge for the security professional is maintaining all patches. Some patches
are critical and should be deployed quickly, while others may not be as critical but should
Configuration Management still be deployed because subsequent patches may be dependent on them. Standards such
i. Identification: baseline identification of a system and all its components, interfaces and as the PCI DSS require organizations to deploy security patches within a certain time frame.
documentation. An organization should test the patch before rolling it out across the organization. If the
ii. Baseline: a security baseline is a minimum level of protection that can be used as a patch does not work or has unacceptable effects, it might be necessary to roll back to a
reference point. Baselines provide a way to ensure that updates to technology and previous (pre-patch) state. Typically, the criteria for rollback are previously documented and
architectures are subjected to the minimum understood and acceptable level of security would automatically be performed when the rollback criteria were met. The risk of using
requirements. unattended patching should be weighed against the risk of having unpatched systems in the

5 of 13 12/16/2023, 9:07 PM6 of 13 12/16/2023, 9:07 PM

L5 Security Operations https://md2pdf.netlify.app/L5 Security Operations https://md2pdf.netlify.app/

organization’s network. Unattended (or automated) patching might result in unscheduled legal action. It should detail the appropriate and approved usage of the organization’s assets,
outages as production systems are taken offline or rebooted as part of the patch process. including the IT environment, devices and data. Each employee (or anyone having access to
the organization’s assets) should be required to sign a copy of the AUP, preferably in the
Module 3: Understand Best Practice Security Policies presence of another employee of the organization, and both parties should keep a copy of the
signed AUP.
Domain D5.3, D5.3.1, D5.3.2, D5.3.3, D5.3.4, D5.3.5, D5.3.6
Policy aspects commonly included in AUPs: Data access, System access, Data disclosure, Passwords,
An organization’s security policies define what “security” means to that organization, which in Data retention, Internet usage, Company device usage
almost all cases reflects the tradeoff between security, operability, affordability and potential risk
Bring Your Own Device (BYOD): An organization may allow workers to acquire equipment of
impacts. Security policies express or impose behavioral or other constraints on the system and its
their choosing and use personally owned equipment for business (and personal) use. This is
use. Well-designed systems operating within these constraints should reduce the potential of
sometimes called bring your own device (BYOD). Another option is to present the teleworker
security breaches to an acceptable level.
or employee with a list of approved equipment and require the employee to select one of the
Security governance that does not align properly with organizational goals can lead to products on the trusted list.
implementation of security policies and decisions that unnecessarily inhibit productivity, impose
Letting employees choose the device that is most comfortable for them may be good for
undue costs and hinder strategic intent.
employee morale, but it presents additional challenges for the security professional because it
means the organization loses some control over standardization and privacy. If employees are
Common Security Policies allowed to use their phones and laptops for both personal and business use, this can pose a
All policies must support any regulatory and contractual obligations of the organization. challenge if, for example, the device has to be examined for a forensic audit. It can be hard to
Sometimes it can be challenging to ensure the policy encompasses all requirements while ensure that the device is configured securely and does not have any backdoors or other
remaining simple enough for users to understand. vulnerabilities that could be used to access organizational data or systems.

Here are six common security-related policies that exist in most organizations. All employees must read and agree to adhere to this policy before any access to the systems,
network and/or data is allowed. If and when the workforce grows, so too will the problems with
Data Handling Policy: Appropriate use of data: This aspect of the policy defines whether data BYOD. Certainly, the appropriate tools are going to be necessary to manage the use of and security
is for use within the company, is restricted for use by only certain roles or can be made public around BYOD devices and usage. The organization needs to establish clear user expectations and
to anyone outside the organization. In addition, some data has associated legal usage set the appropriate business rules.
definitions. The organization’s policy should spell out any such restrictions or refer to the legal
definitions as required. Proper data classification also helps the organization comply with Privacy Policy: Often, personnel have access to personally identifiable information (PII) (also
pertinent laws and regulations. For example, classifying credit card data as confidential can referred to as electronic protected health information [ePHI] in the health industry). It is
help ensure compliance with the PCI DSS. One of the requirements of this standard is to imperative that the organization documents that the personnel understand and acknowledge
encrypt credit card information. Data owners who correctly defined the encryption aspect of the organization’s policies and procedures for handling of that type of information and are
their organization’s data classification policy will require that the data be encrypted according made aware of the legal repercussions of handling such sensitive data. This type of
to the specifications defined in this standard. documentation is similar to the AUP but is specific to privacy-related data.

Password Policy: Every organization should have a password policy in place that defines The organization’s privacy policy should stipulate which information is considered PII/ePHI, the
expectations of systems and users. The password policy should describe senior leadership's appropriate handling procedures and mechanisms used by the organization, how the user is
commitment to ensuring secure access to data, outline any standards that the organization expected to perform in accordance with the stated policy and procedures, any enforcement
has selected for password formulation, and identify who is designated to enforce and validate mechanisms and punitive measures for failure to comply as well as references to applicable
the policy. regulations and legislation to which the organization is subject. This can include national and
international laws, such as the GDPR in the EU and Personal Information Protection and Electronic
Acceptable Use Policy (AUP): The acceptable use policy (AUP) defines acceptable use of the Documents Act (PIPEDA) in Canada; laws for specific industries in certain countries such as HIPAA
organization’s network and computer systems and can help protect the organization from and Gramm–Leach–Bliley Act (GLBA); or local laws in which the organization operates.

7 of 13 12/16/2023, 9:07 PM8 of 13 12/16/2023, 9:07 PM

L5 Security Operations https://md2pdf.netlify.app/L5 Security Operations https://md2pdf.netlify.app/

The organization should also create a public document that explains how private information is completed. These generally include: Scheduling the change, Testing the change, Verifying the
used, both internally and externally. For example, it may be required that a medical provider rollback procedures, Implementing the change, Evaluating the change for proper and effective
present patients with a description of how the provider will protect their information (or a operation, and Documenting the change in the production environment. Rollback authority would
reference to where they can find this description, such as the provider’s website). generally be defined in the rollback plan, which might be immediate or scheduled as a subsequent
change if monitoring of the change suggests inadequate performance.
Change Management Policy: Change management is the discipline of transitioning from the
current state to a future state. It consists of three major activities: deciding to change, making
the change, and confirming that the change has been correctly accomplished. Change
Module 4: Understand Security Awareness Training
management focuses on making the decision to change and results in the approvals to
Domain D5.4, D5.4.1, D5.4.2, D5.3.2
systems support teams, developers and end users to start making the directed alterations.
To reduce the effectiveness of certain types of attacks (such as social engineering), it is crucial
Throughout the system life cycle, changes made to the system, its individual components and its
that the organization informs its employees and staff how to recognize security problems and
operating environment all have the capability to introduce new vulnerabilities and thus undermine
how to operate in a secure manner. While the specifics of secure operation differ in each
the security of the enterprise. Change management requires a process to implement the necessary
organization, there are some general concepts that are applicable to all such programs.
changes so they do not adversely affect business operations.

Purpose
Common Security Policies Deeper Dive
The purpose of awareness training is to make sure everyone knows what is expected of them,
Policies will be set according to the needs of the organization and its vision and mission. Each of
based on responsibilities and accountabilities, and to find out if there is any carelessness or
these policies should have a penalty or a consequence attached in case of noncompliance. The first
complacency that may pose a risk to the organization. We will be able to align the information
time may be a warning; the next might be a forced leave of absence or suspension without pay,
security goals with the organization’s missions and vision and have a better sense of what the
and a critical violation could even result in an employee’s termination. All of this should be
environment is.
outlined clearly during onboarding, particularly for information security personnel. It should be
made clear who is responsible for enforcing these policies, and the employee must sign off on
them and have documentation saying they have done so. This process could even include a few
What is Security Awareness Training?
questions in a survey or quiz to confirm that the employees truly understand the policy. These Let’s start with a clear understanding of the three different types of learning activities that
policies are part of the baseline security posture of any organization. Any security or data handling organizations use, whether for information security or for any other purpose:
procedures should be backed up by the appropriate policies.
Education: The overall goal of education is to help learners improve their understanding of
Change Management Components these ideas and their ability to relate them to their own experiences and apply that learning
in useful ways.
The change management process includes the following components.
Training: Focuses on building proficiency in a specific set of skills or actions, including
Documentation: All of the major change management practices address a common set of core sharpening the perception and judgment needed to make decisions as to which skill to use,
activities that start with a request for change (RFC) and move through various development and when to use it and how to apply it. Training can focus on low-level skills, an entire task or
test stages until the change is released to the end users. From first to last, each step is subject to complex workflows consisting of many tasks.
some form of formalized management and decision-making; each step produces accounting or log
entries to document its results. Awareness: These are activities that attract and engage the learner’s attention by acquainting
them with aspects of an issue, concern, problem or need.
Approval: These processes typically include: Evaluating the RFCs for completeness, Assignment to
the proper change authorization process based on risk and organizational practices, Stakeholder You’ll notice that none of these have an expressed or implied degree of formality, location or
reviews, resource identification and allocation, Appropriate approvals or rejections, and target audience. (Think of a newly hired senior executive with little or no exposure to the specific
Documentation of approval or rejection. compliance needs your organization faces; first, someone has to get their attention and make them
aware of the need to understand. The rest can follow.)
Rollback: Depending upon the nature of the change, a variety of activities may need to be

9 of 13 12/16/2023, 9:07 PM10 of 13 12/16/2023, 9:07 PM

L5 Security Operations https://md2pdf.netlify.app/L5 Security Operations https://md2pdf.netlify.app/

Security Awareness Training Examples inexpensive investment with a potentially very high payoff. Social engineering, applied over time,
can extract significant insider knowledge about almost any organization or individual.
Let’s look at an example of security awareness training by using an organization’s strategy to
improve fire safety in the workplace: One of the most important messages to deliver in a security awareness program is an
understanding of the threat of social engineering. People need to be reminded of the threat and
Education may help workers in a secure server room understand the interaction of the various fire types of social engineering so that they can recognize and resist a social engineering attack.
and smoke detectors, suppression systems, alarms and their interactions with electrical power,
lighting and ventilation systems. Training would provide those workers with task-specific, detailed Most social engineering techniques are not new. Many have even been taught as basic fieldcraft
learning about the proper actions each should take in the event of an alarm, a suppression system for espionage agencies and are part of the repertoire of investigative techniques used by real and
going off without an alarm, a ventilation system failure or other contingency. This training would fictional police detectives. A short list of the tactics that we see across cyberspace currently
build on the learning acquired via the educational activities. Awareness activities would include not includes:
only posting the appropriate signage, floor or doorway markings, but also other indicators to help
Phone phishing or vishing: Using a rogue interactive voice response (IVR) system to re-create a
workers detect an anomaly, respond to an alarm and take appropriate action. In this case,
legitimate-sounding copy of a bank or other institution’s IVR system. The victim is prompted
awareness is a constantly available reminder of what to do when the alarms go off.
through a phishing email to call in to the “bank” via a provided phone number to verify
Translating that into an anti-phishing campaign might be done by: information such as account numbers, account access codes or a PIN and to confirm answers to
security questions, contact information and addresses. A typical vishing system will reject logins
Education may be used to help select groups of users better understand the ways in which social continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several
engineering attacks are conducted and engage those users in creating and testing their own different passwords. More advanced systems may be used to transfer the victim to a human posing
strategies for improving their defensive techniques. Training will help users increase their as a customer service agent for further questioning.
proficiency in recognizing a potential phishing or similar attempt, while also helping them practice
the correct responses to such events. Training may include simulated phishing emails sent to users Pretexting: The human equivalent of phishing, where someone impersonates an authority figure or
on a network to test their ability to identify a phishing email. Raising users’ overall awareness of a trusted individual in an attempt to gain access to your login information. The pretexter may claim
the threat posed by phishing, vishing, SMS phishing (also called “smishing) and other social to be an IT support worker who is supposed to do maintenance or an investigator performing a
engineering tactics. Awareness techniques can also alert selected users to new or novel approaches company audit. Or they might impersonate a coworker, the police, a tax authority or some other
that such attacks might be taking. Let’s look at some common risks and why it’s important to seemingly legitimate person. The goal is to gain access to your computer and information. Quid
include them in your security awareness training programs. pro quo: A request for your password or login credentials in exchange for some compensation,
such as a “free gift,” a monetary payment or access to an online game or service. If it sounds too
Phishing good to be true, it probably is. Tailgating: The practice of following an authorized user into a
restricted area or system. The low-tech version of tailgating would occur when a stranger asks you
The use of phishing attacks to target individuals, entire departments and even companies is a
to hold the door open behind you because they forgot their company RFID card. In a more
significant threat that the security professional needs to be aware of and be prepared to defend
sophisticated version, someone may ask to borrow your phone or laptop to perform a simple
against. Countless variations on the basic phishing attack have been developed in recent
action when he or she is actually installing malicious software onto your device. Social engineering
years, leading to a variety of attacks that are deployed relentlessly against individuals and networks
works because it plays on human tendencies. Education, training and awareness work best to
in a never-ending stream of emails, phone calls, spam, instant messages, videos, file attachments
counter or defend against social engineering because they help people realize that every person in
and many other delivery mechanisms.
the organization plays a role in information security.
Phishing attacks that attempt to trick highly placed officials or private individuals with sizable
assets into authorizing large fund wire transfers to previously unknown entities are known as Password Protection
whaling attacks . We use many different passwords and systems. Many password managers will store a user’s
passwords for them so the user does not have to remember all their passwords for multiple
Social Engineering
systems. The greatest disadvantage of these solutions is the risk of compromise of the password
Social engineering is an important part of any security awareness training program for one very manager.
simple reason: bad actors know that it works. For the cyberattackers, social engineering is an

11 of 13 12/16/2023, 9:07 PM12 of 13 12/16/2023, 9:07 PM

L5 Security Operations https://md2pdf.netlify.app/

These password managers may be protected by a weak password or passphrase chosen by the
user and easily compromised. There have been many cases where a person’s private data was
stored by a cloud provider but easily accessed by unauthorized persons through password
compromise.

Organizations should encourage the use of different passwords for different systems and should
provide a recommended password management solution for its users.

Examples of poor password protection that should be avoided are:

Reusing passwords for multiple systems, especially using the same password for business and
personal use. Writing down passwords and leaving them in unsecured areas. Sharing a password
with tech support or a co-worker.

13 of 13 12/16/2023, 9:07 PM