Security+ Guide to Network Security Fundamentals, Fifth Edition

Presentation on theme: "Security+ Guide to Network Security Fundamentals, Fifth Edition"— Presentation transcript:

1 Security+ Guide to Network Security Fundamentals, Fifth Edition
Chapter 14 Risk Mitigation

2 Objectives
Explain how to control risk
List the ways in which security policies can reduce risk
Describe how awareness and training can provide increased security

3 Introduction
Risk is at the heart of information security
Some risks have a small impact and can be easily managed; other risks can threaten the very existence of a business
Multifaceted approach to managing risk in information security:
  Control risk
  Develop security policy
  Maintain user awareness and training

4 Controlling Risk
Risk - Situation that involves exposure to some type of danger
Not all events that first appear to be a risk actually result in one:
  False positive - Event considered to be a risk that turns out not to be one
  False negative - Event that does not appear to be a risk but actually turns out to be one

5 Risk Classifications (Table 14-1)
Risk category | Description | Example
Strategic | Action that affects the long-term goals of the organization | Theft of intellectual property, not pursuing a new opportunity, loss of a major account, competitor entering the market
Compliance | Following (or not following) a regulation or standard | Breach of contract, not responding to the introduction of new laws
Financial | Impact of financial decisions or market factors | Increase in interest rates, global financial crisis
Operational | Events that impact the daily business of the organization | Fire, hazardous chemical spill, power blackout
Environmental | Actions related to the surroundings | Tornado, flood, hurricane
Technical | Events that affect information technology systems | Denial of service attack, SQL injection attack, virus
Managerial | Actions related to the management of the organization | Long-term illness of company president, key employee resigning

6 Reducing Risk: Modify Response
Several different approaches are used to reduce risk
Can modify the response to the risk instead of merely accepting the risk
Different risk responses:
  Transference - Make a third party responsible for the risk
  Risk avoidance - Identifying the risk and making the decision not to engage in the activity
  Mitigation - Address the risk by making it less serious

7 Reducing Risk: Simple Risk Model
Simple Risk Model organizes risk controls as:
  Preventive - Considered most effective, since they minimize the possibility of loss by preventing the risk from occurring
  Detective - Least effective but most often used; they identify an event after it has occurred
  Corrective - Minimize impact by restoring the system to its state at the point before the event; may still result in some degree of loss

8 Reducing Risk: Risk Control Types
Management risk control types - Administrative in their nature: the laws, regulations, policies, practices, and guidelines that govern overall requirements and controls
Technical risk control types - Enforcing technology to control risk (examples: antivirus software, firewalls, encryption)
Operational risk control types - Cover operational procedures to limit risk; may include using video surveillance systems and barricades to limit access to secure sites

9 Reducing Risk: Managerial Perspective
One approach looks at mitigating risk from a managerial perspective
Most common elements:
  Privilege management
  Change management
  Incident management
Various methods are used to calculate risk

10 Privilege Management
Privilege management - Process of assigning and revoking privileges to objects; covers the procedures for managing object authorizations
Privilege auditing - One element of privilege management: the periodic review of a subject's privileges over an object
Auditing IT security functions serves to verify that the organization's security protections are being enacted and that corrective actions can be swiftly implemented before an attacker exploits a vulnerability
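The periodic privilege review the slide describes can be automated as a comparison between the privileges subjects actually hold over objects and the privileges their assigned roles approve. The following is an added example, not code from the textbook; the role matrix, grants and last-activity dates are constructed sample data, and the "stale after 90 days" threshold is an assumption.

```python
# Added example (not from the textbook): a periodic privilege audit that compares
# the privileges subjects actually hold over objects with what their assigned
# roles approve, and flags approved privileges of subjects who have gone inactive.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

Grants = Dict[str, Dict[str, Set[str]]]  # subject (or role) -> object -> permissions


@dataclass(frozen=True)
class Finding:
    subject: str
    obj: str
    permission: str
    kind: str  # "excess": approved by no role; "stale": subject inactive


# Constructed sample data (assumed, not from the book).
SAMPLE_ROLE_PERMISSIONS: Grants = {
    "analyst": {"reports_db": {"read"}, "ticketing": {"read", "write"}},
    "dba": {"reports_db": {"read", "write", "admin"}},
}
SAMPLE_SUBJECT_ROLES: Dict[str, Set[str]] = {
    "alice": {"analyst"}, "bob": {"dba"}, "carol": {"analyst"}, "dave": set(),
}
SAMPLE_GRANTS: Grants = {  # what the systems currently report
    "alice": {"reports_db": {"read"}, "ticketing": {"read", "write"}},
    "bob": {"reports_db": {"read", "write", "admin"}, "ticketing": {"write"}},
    "carol": {"reports_db": {"read", "write"}},
    "dave": {"ticketing": {"read"}},
}
SAMPLE_LAST_USED: Dict[str, Optional[date]] = {
    "alice": date(2024, 5, 1), "bob": date(2024, 5, 10),
    "carol": date(2024, 1, 2), "dave": date(2024, 4, 20),
}
AUDIT_DATE = date(2024, 5, 15)


def approved_permissions(subject: str, subject_roles: Dict[str, Set[str]],
                         role_permissions: Grants) -> Dict[str, Set[str]]:
    """Union of the permissions every role assigned to the subject approves."""
    approved: Dict[str, Set[str]] = {}
    for role in subject_roles.get(subject, set()):
        for obj, perms in role_permissions.get(role, {}).items():
            approved.setdefault(obj, set()).update(perms)
    return approved


def audit_privileges(grants: Grants, subject_roles: Dict[str, Set[str]],
                     role_permissions: Grants, last_used: Dict[str, Optional[date]],
                     today: date, stale_after_days: int = 90) -> List[Finding]:
    """Review every granted privilege: report it as excess when no role approves it,
    or as stale when it is approved but the subject has been inactive too long."""
    findings: List[Finding] = []
    for subject, objects in sorted(grants.items()):
        approved = approved_permissions(subject, subject_roles, role_permissions)
        last = last_used.get(subject)
        inactive = last is None or (today - last).days > stale_after_days
        for obj, perms in sorted(objects.items()):
            for perm in sorted(perms):
                if perm not in approved.get(obj, set()):
                    findings.append(Finding(subject, obj, perm, "excess"))
                elif inactive:
                    findings.append(Finding(subject, obj, perm, "stale"))
    return findings


def revocation_plan(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group findings per subject as 'object:permission' entries to revoke."""
    plan: Dict[str, List[str]] = {}
    for f in findings:
        plan.setdefault(f.subject, []).append(f"{f.obj}:{f.permission}")
    return {s: sorted(entries) for s, entries in plan.items()}


if __name__ == "__main__":
    results = audit_privileges(SAMPLE_GRANTS, SAMPLE_SUBJECT_ROLES,
                               SAMPLE_ROLE_PERMISSIONS, SAMPLE_LAST_USED, AUDIT_DATE)
    for f in results:
        print(f"{f.kind:6} {f.subject:6} {f.obj}:{f.permission}")
    print("revocation plan:", revocation_plan(results))
```

On the sample data the audit reports bob's write access to ticketing (his DBA role does not cover it), carol's write access to reports_db, dave's ticketing access (no role at all), and carol's approved read access as stale because she has been inactive since January. Feeding real grants into such a review on a schedule is what turns privilege auditing from a one-off into the periodic control the chapter describes.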

11 Change Management
Change management - Methodology for making modifications and keeping track of changes
Ensures proper documentation of changes so future changes have less chance of creating a vulnerability
Involves all types of changes to information systems
Two major types of changes that need proper documentation:
  Changes to system architecture
  Changes to file or document classification

12 Change management team (CMT)
Change management team (CMT) - Body responsible for overseeing the changes
Composed of representatives from all areas of IT, network security, and upper-level management
Proposed changes must first be approved by the CMT
CMT duties:
  Review proposed changes
  Ensure the risk and impact of a planned change are understood
  Recommend approval, disapproval, or deferral
  Communicate proposed and approved changes to co-workers

13 Incident Management
Incident response - Components required to identify, analyze, and contain an incident
Incident handling - Planning, coordination, and communications functions needed to resolve an incident in an efficient manner
Incident management - The "framework" and functions required to enable incident response and incident handling within an organization
Objective of incident management is to restore normal operations quickly with the least possible impact on the business or users

14 Risk Calculation
Qualitative risk calculation - Uses an "educated guess" based on observation
Quantitative risk calculation - Attempts to create "hard" numbers associated with the risk of an element in a system by using historical data
Quantitative risk calculations can be divided into the likelihood of the risk and the impact of the risk being successful

15 Risk Likelihood
Historical data is valuable in providing information on risk likelihood
Mean Time To Failure (MTTF) - Basic measure of reliability for systems that cannot be repaired; the average amount of time expected until the first failure of the equipment
Failure In Time (FIT) - Reports the number of expected failures per one billion hours of operation for a device
Annualized Rate of Occurrence (ARO) - Likelihood of a risk occurring within one year

16 Risk Impact
Single Loss Expectancy (SLE) - Expected monetary loss every time a risk occurs; computed by multiplying Asset Value (AV) by Exposure Factor (EF), which is the proportion of an asset's value that is likely to be destroyed by a particular risk
Annualized Loss Expectancy (ALE) - Expected monetary loss for an asset due to a risk over a one-year period; computed by multiplying SLE by ARO, which is the probability that a risk will occur in a particular year
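The two slides above (Risk Likelihood and Risk Impact) define the quantities a quantitative risk calculation combines: SLE = AV x EF and ALE = SLE x ARO, with ARO derivable from historical reliability figures such as FIT or MTTF. The following is an added example, not from the textbook, that carries those formulas through on constructed figures. It goes one step beyond the slides by comparing the ALE before and after a control against the control's annual cost, which is the usual way ALE is put to work; the conversions from FIT and MTTF to ARO assume continuous operation and a constant failure rate, and the dollar figures are invented.

```python
# Added example (not from the textbook): quantitative risk calculation with the
# chapter's quantities (MTTF, FIT, ARO, AV, EF, SLE, ALE). All figures constructed.
from dataclasses import dataclass

HOURS_PER_YEAR = 24 * 365  # 8760; assumes the device runs continuously


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF: the expected loss from one occurrence of the risk."""
    if asset_value < 0:
        raise ValueError("asset value must be non-negative")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a proportion between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the expected loss from the risk over one year."""
    if aro < 0:
        raise ValueError("ARO must be non-negative")
    return sle * aro


def aro_from_fit(fit: float) -> float:
    """Expected failures per year from a FIT rating (failures per 1e9 device-hours)."""
    if fit < 0:
        raise ValueError("FIT must be non-negative")
    return fit * HOURS_PER_YEAR / 1e9


def aro_from_mttf(mttf_hours: float) -> float:
    """Expected failures per year from MTTF, assuming a constant failure rate of
    1/MTTF and a like-for-like replacement after each failure (an assumption)."""
    if mttf_hours <= 0:
        raise ValueError("MTTF must be positive")
    return HOURS_PER_YEAR / mttf_hours


@dataclass(frozen=True)
class RiskScenario:
    name: str
    asset_value: float     # AV
    exposure_factor: float  # EF
    aro: float              # ARO

    def sle(self) -> float:
        return single_loss_expectancy(self.asset_value, self.exposure_factor)

    def ale(self) -> float:
        return annualized_loss_expectancy(self.sle(), self.aro)


def net_control_benefit(before: RiskScenario, after: RiskScenario,
                        annual_control_cost: float) -> float:
    """Annual value of a mitigation: the ALE reduction it buys minus what it costs
    per year. A negative result means the control costs more than the risk it removes."""
    return before.ale() - after.ale() - annual_control_cost


if __name__ == "__main__":
    # Constructed figures: a $100,000 database server; ransomware expected to destroy
    # 25% of its value, occurring about once every five years (ARO 0.2).
    before = RiskScenario("ransomware, no offline backups", 100_000, 0.25, 0.2)
    # Offline backups cut the exposure factor to 5%; the backup service costs $2,500/year.
    after = RiskScenario("ransomware, offline backups", 100_000, 0.05, 0.2)
    print(f"SLE before: ${before.sle():,.0f}, ALE before: ${before.ale():,.0f}")
    print(f"ALE after:  ${after.ale():,.0f}")
    print(f"Net annual benefit of backups: ${net_control_benefit(before, after, 2_500):,.0f}")
    print(f"ARO of a 1000 FIT component: {aro_from_fit(1000):.5f} failures/year")
    print(f"ARO of a 5-year MTTF component: {aro_from_mttf(5 * HOURS_PER_YEAR):.2f} failures/year")
```

With the constructed figures the SLE is $25,000 and the ALE $5,000 a year; the backup control drops the ALE to $1,000, so after its $2,500 annual cost it is worth about $1,500 a year. The same arithmetic with a control that costs more than the ALE it removes gives a negative number, which is the quantitative argument for accepting or transferring that risk instead of mitigating it.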

17 Reducing Risk Through Policies
Security policy is another means of reducing risks
Important considerations regarding security policies:
  Understanding what it is
  Knowing how to balance trust and control
  Understanding the process for designing a policy
  Knowing what the different types of policies are

18 What Is a Security Policy?
Security policy - Written document that states how an organization plans to protect the company's information technology assets
Outlines the protections that should be enacted to ensure that the organization's assets face minimal risks
Security policy can serve several functions

19 Security Policy Functions
Documents management's overall intention and direction
Details specific risks and how to address them
Provides controls to direct employee behavior
Helps create a security-aware organizational culture
Helps ensure employee behavior is directed and monitored

20 Balancing Trust and Control
Approaches to trust:
  Trust everyone all of the time
  Trust no one at any time
  Trust some people some of the time
Security policy attempts to provide the right amount of trust
Builds trust over time
Level of control must also be balanced

21 Designing a Security Policy
Standard - Collection of requirements specific to a system or procedure that must be met by everyone
Guideline - Collection of suggestions that should be implemented
Policy - Document that outlines specific requirements that must be met

22 Characteristics of a Policy
Communicates a consensus of judgment
Defines appropriate user behavior
Identifies needed tools and procedures
Provides directives for Human Resource action in response to inappropriate behavior
Helps, if necessary, to prosecute violators

23 Security Policy Cycle
Three phases of the security policy cycle:
  Vulnerability assessment
    Asset identification
    Threat identification
    Vulnerability appraisal
    Risk assessment
    Risk mitigation
  Create the policy using information from the risk management study
  Review the policy for compliance

24 Security Policy Cycle (Figure 14-2)
A circle labeled at the top "vulnerability assessment", pointing to "security policy", which points to "compliance monitoring and evaluation", which points back to "vulnerability assessment."

25 Steps in Development
Security policy design should be the work of a team
Development team representatives:
  Senior-level administrator
  Member of management who can enforce the policy
  Member of the legal staff
  Representative from the user community
Team should first decide on policy goals and scope and how specific the policy should be

26 Policy must and should statements (Table 14-4)
Security policy must | Security policy should
Be implementable and enforceable | State reasons why the policy is necessary
Be concise and easy to understand | Describe what is covered by the policy
Balance protection with productivity | Outline how violations will be handled

27 Due Care
Due care - Obligations imposed on owners and operators of assets
Owners must exercise reasonable care of assets and take precautions to protect them
Examples of due care policy statements:
  Employees should exercise due care in opening attachments received from unknown sources
  Technicians will exercise due care when installing a new operating system on an existing computer
  Students will exercise due care when using computers in a crowded lab setting

28 Policy Development Guidelines
Notify users in advance of the development of, and the reasons for, a new security policy
Provide affected users an opportunity to review and comment on the policy prior to deployment
Give users with responsibility the authority to carry out their responsibilities
Security policies are often broken down into subpolicies

29 Types of Security Policies (Table 14-5)
Name of security policy | Description
Acceptable encryption policy | Defines requirements for using cryptography
Antivirus policy | Establishes guidelines for effectively reducing the threat of computer viruses on the organization's network and computers
Audit vulnerability scanning policy | Outlines the requirements and provides the authority for an information security team to conduct audits and risk assessments, investigate incidents, ensure conformance to security policies, or monitor user activity
Automatically forwarded email policy | Prescribes that no email will be automatically forwarded to an external destination without prior approval from the appropriate manager or director
Database credentials coding policy | Defines requirements for storing and retrieving database usernames and passwords
Demilitarized zone (DMZ) security policy | Defines standards for all networks and equipment located in the DMZ
Email policy | Creates standards for using corporate email
Email retention policy | Helps employees determine what information sent or received by email should be retained and for how long
Extranet policy | Defines the requirements for third-party organizations to access the organization's networks
Information sensitivity policy | Establishes criteria for classifying and securing the organization's information in a manner appropriate to its level of security
Router security policy | Outlines standards for minimal security configuration for routers and switches
Server security policy | Creates standards for minimal security configuration for servers
VPN security policy | Establishes requirements for remote access virtual private network (VPN) connections to the organization's network
Wireless communication policy | Defines standards for wireless systems used to connect to the organization's networks

30 Acceptable Use Policy (AUP)
Acceptable Use Policy (AUP) - Policy that defines the actions users may perform while accessing systems
Users include employees, vendors, contractors, and visitors
Typically covers all computer use
Generally considered the most important information security policy

31 Privacy Policy
Privacy policy - Outlines how an organization uses the personal information it collects

32 Privacy Policy (Figure 14-3)

33 Data Policies
Data policies - Address different aspects of how data should be handled within an organization
Data storage policy - Set of procedures designed to control and manage data within the organization by specifying data collection and storage
Data retention policy - Outlines how to maintain information in a user's possession for a predetermined length of time
Data wiping and disposing policy - Addresses how and when data will ultimately be erased

34 Security-Related Human Resource Policy
Security-related human resource policy - Includes statements regarding how an employee's information technology resources will be addressed
May include statements regarding:
  Due process - The principle of treating all accused persons in an equal fashion, using established rules and procedures
  Due diligence - Any investigation into suspicious employee conduct will examine all material facts
Covers actions to be taken if an employee is terminated

35 Ethics Policy
Ethics - Study of what a group of people understand to be good and right behavior and how people make those judgments
Morals - Values attributed to a system of beliefs that help an individual distinguish right from wrong
Ethics policy - Attempts to establish a culture of openness, trust, and integrity in business practices
Ethics policies cover executive commitment to ethics, employee commitment to ethics, how to maintain ethical practices, and penalties for unethical behavior

36 Password Management and Complexity Policy
Password management and complexity policy - Addresses how passwords are created and managed
Covers implementing controls through technology (such as setting passwords to expire after 60 days and not allowing them to be recycled)
Also includes reminders to users on how to select and use passwords

37 Weak Password Information (Figure 14-4)
A figure that contains the text: "A weak password has the following characteristics:
  Contains fewer than 12 characters.
  Is a word found in a dictionary.
  Is a common usage word such as names of family, pets, friends, coworkers, fantasy characters, and so on; computer terms and names, commands, sites, companies, hardware, and software.
  Contains birthdays and other personal information such as addresses and phone numbers.
  Uses word or number patterns such as qwerty and so on.
  Includes any of the preceding spelled backward or preceded or followed by a digit (secret1, 1secret)."
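A password management policy that lists weak-password characteristics, as the slide and Figure 14-4 do, is only enforceable if something checks new passwords against those characteristics. The following is an added example, not code from the textbook, that implements each characteristic in the figure as a rule and reports which ones a candidate password exhibits. The word lists are small constructed stand-ins for a real dictionary and common-usage list, and the caller supplies the user's own personal facts (birthday, pet's name, phone number) so the "personal information" rule has something to match against; the three-character minimum for such matches is an assumption.

```python
# Added example (not from the textbook): a checker for the weak-password
# characteristics in Figure 14-4. Word lists are constructed stand-ins.
import re
from typing import Iterable, List, Set

MIN_LENGTH = 12  # "Contains fewer than 12 characters"

# Stand-in for a dictionary; a real deployment would load a full wordlist.
DICTIONARY_WORDS = {"secret", "password", "welcome", "dragon", "sunshine", "monkey"}
# Stand-in for "common usage words": names, pets, computer terms, companies, software.
COMMON_USAGE_WORDS = {"admin", "root", "login", "server", "cisco", "windows", "fluffy", "gandalf"}
# Keyboard and number patterns ("qwerty, and so on"); checked as substrings.
SEQUENCE_PATTERNS = ("qwerty", "asdfgh", "zxcvbn", "123456", "abcdef", "1234", "0000")


def _candidate_words(password: str) -> Set[str]:
    """The password plus the variants the figure warns about: spelled backward,
    and with a single leading and/or trailing digit stripped (secret1, 1secret)."""
    p = password.lower()
    forms = {p}
    if p[:1].isdigit():
        forms.add(p[1:])
    if p[-1:].isdigit():
        forms.add(p[:-1])
    if p[:1].isdigit() and p[-1:].isdigit() and len(p) > 2:
        forms.add(p[1:-1])
    return forms | {f[::-1] for f in forms}


def _normalize(text: str) -> str:
    """Lower-case and drop separators so '555-0100' and '5550100' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def weak_password_reasons(password: str, personal_info: Iterable[str] = ()) -> List[str]:
    """Return the Figure 14-4 characteristics the password exhibits (empty list: none).
    personal_info holds the user's own facts, e.g. ["Rover", "1985-03-14", "555-0100"]."""
    reasons: List[str] = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"fewer than {MIN_LENGTH} characters")
    forms = _candidate_words(password)
    if forms & DICTIONARY_WORDS:
        reasons.append("dictionary word (possibly reversed or with a digit added)")
    if forms & COMMON_USAGE_WORDS:
        reasons.append("common usage word such as a name, computer term or company")
    lowered = password.lower()
    hit = next((pat for pat in SEQUENCE_PATTERNS if pat in lowered), None)
    if hit:
        reasons.append(f"keyboard or number pattern '{hit}'")
    haystack = _normalize(password)
    for item in personal_info:
        # Match the whole fact and its parts (a birth year out of a full date).
        pieces = [str(item)] + re.split(r"[^A-Za-z0-9]+", str(item))
        needles = {_normalize(piece) for piece in pieces}
        if any(len(n) >= 3 and (n in haystack or n[::-1] in haystack) for n in needles):
            reasons.append("contains personal information")
            break
    return reasons


def is_weak(password: str, personal_info: Iterable[str] = ()) -> bool:
    return bool(weak_password_reasons(password, personal_info))


if __name__ == "__main__":
    # Constructed sample: one user's personal facts and a few candidate passwords.
    facts = ["Rover", "1985-03-14", "555-0100"]
    for candidate in ["secret1", "1secret", "terces", "Rover1985!!Main",
                      "qwerty123456", "Xk9#vQ2!mzL7pR"]:
        found = weak_password_reasons(candidate, facts) or ["no weak characteristics found"]
        print(f"{candidate!r:20} -> {'; '.join(found)}")
```

The checker is deliberately a list of independent rules so that the policy's reminder to users ("your password was rejected because it is a dictionary word spelled backward") can quote the exact characteristic that failed. Length alone is not a pass: "qwerty123456" meets the 12-character minimum and is still rejected for its keyboard pattern.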

38 Awareness and Training
Providing users with security awareness training is a key defense in information security
All computer users in an organization have a shared responsibility to protect the assets of the organization
Cannot be assumed that all users have the knowledge and skill to protect assets
Awareness and training topics:
  Compliance
  Secure user practices
  Awareness of threats

39 Compliance
Users should be informed regarding:
  Security policy training and procedures
  Personally identifiable information
  Information classification
  Data labeling, handling, and disposal
  Compliance with laws, best practices, and standards

40 User Practices (Table 14-6)
Category | Instruction
Password behaviors | Creating strong passwords that are unique for each account and properly protecting them serve as a first line of defense that all employees must practice.
Data handling | No sensitive data may leave the premises without prior authorization. All data that is temporarily stored on a laptop computer must be encrypted.
Clean desk policy | Employees are required to clear their workspace of all papers at the end of each business day.
Prevent tailgating | Never allow another person to enter a secure area along with you without displaying their ID card.
Personally owned devices | No personally owned devices, such as USB flash drives or portable hard drives, may be connected to any corporate equipment or network.

41 Threat Awareness
Peer-to-peer (P2P) networks - Users connect directly to each other
Typically used for sharing audio, video, and data files
Tempting targets for attackers
Viruses, worms, Trojans, and spyware can be sent using P2P
Most organizations prohibit use of P2P due to the high risk of infection and legal consequences

42 Social Networking
Social networking - Grouping individuals based on some sort of affiliation
Web sites that facilitate social networking are called social networking sites
Social networking sites carry risks:
Personal data can be used maliciously
Users may be too trusting
Accepting friends may have unforeseen consequences
Social networking security is lax or confusing

43 Social Networking Defenses
Users should be cautious about what information is posted
Users should be cautioned regarding who can view their information
Users should be instructed to pay close attention to information about new or updated security settings
Good idea to disable options and then enable them only as necessary

44 Facebook Features and Risks (Table 14-7)
Games and applications
  Description: When your Facebook friends use games and applications, these can request information about friends like you, even if you do not use the application.
  Risks: Information such as your biography, photos, and places where you check in can be exposed.
Social advertisements
  Description: A "social ad" pairs an advertisement with an action that a friend has taken, such as "liking" it.
  Risks: Your Facebook actions could be associated with an ad.
Places
  Description: If you use Places, you could be included in a "People Here Now" list once you check in to a location.
  Risks: Your name and Facebook profile picture appear in the list, which is visible to anyone who checks in to the same location, even if he is not a friend.
Web search
  Description: Entering your name in a search engine like Google can display your Facebook profile, profile picture, and information you have designated as public.
  Risks: Any web user can freely access this information about you.
Photo albums
  Description: Photos can be set to be private but that may not include photo albums.
  Risks: The albums Profile Pictures, Mobile Uploads, and Wall Photos are usually visible to anyone.

45 Recommended Facebook Profile Settings (Table 14-8)
Profile
  Recommended setting: Only my friends
  Explanation: Facebook networks can contain hundreds or thousands of users, and there is no control over who else joins the network to see the information.
Photos or photos tagged of you
  Recommended setting: Only my friends
  Explanation: Photos and videos have often proven to be embarrassing. Only post material that would be appropriate to appear with a resume or job application.
Status updates
  Recommended setting: Only my friends
  Explanation: Because changes to status such as "Going to Florida on January 28" can be useful information for thieves, only approved friends should have access to it.
Online status
  Recommended setting: No one
  Explanation: Any benefits derived by knowing who is online are outweighed by the risks.
Friends
  Recommended setting: Only my friends (minimum setting)
  Explanation: Giving unknown members of the community access to a list of friends may provide attackers with opportunities to uncover personal information through friends.

46 Training Opportunities
Opportunities for security education and training:
When new employee is hired
After computer attack has occurred
When employee is promoted
During annual department retreat
When new user software is installed
When user hardware is upgraded

47 Traits of Learners and Learning Styles
Learner traits impact how people learn
Training styles:
Pedagogical approach - Classic teaching method
Andragogical approach - Art of helping an adult learn
Learning styles:
Visual
Auditory
Kinesthetic
Role-based training - Specialized training customized to specific role an employee holds

48 Traits of Learners (Table 14-9)
Year born: Prior to 1946
  Traits: Patriotic, loyal, faith in institutions
  Number in U.S. population: 75 million
Year born: 1946–1964
  Traits: Idealistic, competitive, question authority
  Number in U.S. population: 80 million
Year born: 1965–1981
  Traits: Self-reliant, distrustful of institutions, adaptive to technology
  Number in U.S. population: 46 million
Year born: 1982–2000
  Traits: Pragmatic, globally concerned, computer literate, media savvy
  Number in U.S. population: 76 million

49 Approaches To Training (Table 14-10)
Desire
  Pedagogical approach: Motivated by external pressures to get good grades or pass on to next grade
  Andragogical approach: Motivated by higher self-esteem, more recognition, desire for better quality of life
Student
  Pedagogical approach: Dependent on teacher for all learning
  Andragogical approach: Self-directed and responsible for own learning
Subject matter
  Pedagogical approach: Defined by what the teacher wants to give
  Andragogical approach: Learning is organized around situations in life or at work
Willingness to learn
  Pedagogical approach: Students are informed about what they must learn
  Andragogical approach: A change triggers a readiness to learn, or students perceive a gap between where they are and where they want to be

50 Summary
A risk is the likelihood that a threat agent will exploit a vulnerability
Privilege management and change management are risk management approaches
A security policy states how an organization plans to protect its information technology assets
Development and maintenance of a security policy follows a three-phase cycle

51 Summary (cont'd.)
Security policies are often broken into subpolicies:
Acceptable use policy
Privacy policy
Password management and complexity policy
Disposal and destruction policy
Classification of information policy
Ongoing awareness training provides users with knowledge and skills necessary to support information security

52 Security+ Guide to Network Security Fundamentals, Fifth Edition
Chapter 14 Risk Mitigation

