Now we've already talked about user education throughout this course, but in this lesson, I want to talk about three different terms that are used for user training and awareness that you might come across, and each one means a slightly different thing. They are security awareness training, security training, and security education. So the first type of training is known as security awareness training, and it's used to reinforce the importance of having users help you secure the organization's valuable resources. This includes things like educating your end users on the current threats facing the organization, phishing campaigns, how to protect their passwords, as well as what to do in the event of an incident. Now all of your employees should attend security awareness training at least annually, that's once a year. Studies have shown that this is by far the best return on investment a company can make into their security policies and the security of their networks, because users are one of the largest vulnerabilities in most organizational networks.

This is the type of training I was discussing when we talked about user training back in social engineering. Now security training is our second category, and it's used to teach the organization's personnel the skills they need to perform their job in a more secure manner. So this training is usually going to be focused on IT staff and administrators as well as other technical employees. For example, let's say I sat my system administrators down to get some training to learn the most secure way to set up a user account and create passwords; this training would be a form of security training. Maybe this was very specific, and it was telling them the procedures and the techniques they should use to be able to do this inside of a Windows 2016 Server environment. That would be the idea of this type of security training. Now when I get to security education, this is more general in nature. This course you're taking is an example of security education.

It's designed for cybersecurity professionals to gain more expertise to better manage the security programs at their organizations, but it's less procedural and it's much more generalized. So we're not going to be talking specifically about "do steps one, two, three, and four to set up this user account," or "here's exactly how you should configure your policies in your organization." This class is a great example of security education because it is that generalized, security-focused mindset. Now, security awareness training should be developed based on your intended audience, and there are going to be multiple different versions of the training. So when I talk about that annual training that I'm going to give to all of my users, I might break that up into three or four different levels. I might have one for my managers, one for the general staff, and one for the information technicians, right? And the reason is, there are different risks that are faced by each job role within the organization. As a manager, they're going to face different risks than somebody who works in accounting.

And that person is going to have different risks than somebody who works in IT. So during this training, you want to make sure that you're focusing it on those specific groups. Also, you want to make sure you're covering your organization's policies and procedures, such as all of those that we've been covering inside this section of the course. This is going to make sure your users understand what's expected of them and what the proper policies are that they need to follow. Additionally, you can have specialized training that's developed for your organization based on the applicable laws, regulations, or business model that you have as well. So if you're a healthcare company, you might want to talk more about HIPAA. If you're a financial services company, you might want to talk more about GLBA. Training for management should also include discussions of policies, guidelines, and standards. Whereas your technical staff may need to be given more training on how to best identify when an attack is occurring, what regulations are applicable to them, and when breach reporting is necessary.

Finally, as you're conducting security audits of the organization, you want to feed the lessons learned from that back into the training pipeline. So let me give you a good example of this. Let's say you hired me to do a pen test, and I found out that I was able to phish your employees and get 30% of your employees to click links in a phishing email. What should you do? Well, you should probably be providing them annual training against clicking on phishing links inside of your security awareness training, right? Now, let's say I went and I found a bunch of weak passwords. Well, then we want to train employees on how to create a more secure password. Any repetitive issues we find inside the networks through our audits, we want to feed back into the training at either the management level, the staff level, or the administrator level.

(technical music)