Chapter 121 · Flashcards

User Training — Flashcards

Thirteen cards covering pre-access training requirements, situational awareness, insider threat controls, password management, removable media risks, social engineering defense, OPSEC principles, and remote work security. Click any card to flip it.

What is pre-access training and who must receive it?

Pre-access training: security training that must be completed before a user is granted access to organizational systems or networks. Not after onboarding completes — before access is granted. Who must receive it: employees (all new hires), but also third parties: contractors, business partners, and suppliers who will have access to organizational systems. The boundary is access, not employment status. Why before access: a user who does not understand the organization's security policies represents a risk from their first login. Pre-access training establishes baseline knowledge before any opportunity to cause harm. Documentation requirement: completion of pre-access training must be documented. Records prove that the training occurred and the user acknowledged their responsibilities. Critical for regulatory compliance and incident investigations. Role-based component: pre-access training should be tailored to the role being granted access; an IT administrator receives more technical training than a new sales hire. Exam: applies to ALL users including third parties, always before access.

What is situational awareness in user training and what does it cover?

Situational awareness: training users to notice and appropriately respond to both digital and physical security signals in their environment. Digital situational awareness: recognizing phishing emails (domain inconsistencies, urgency, credential requests); evaluating suspicious URLs before clicking; identifying SMS phishing (smishing) attempts; recognizing unexpected software installation prompts. Physical situational awareness: noticing a USB drive in an envelope left on a desk (could be a malware-loaded planted device); checking that doors close fully behind you in secure areas; recognizing tailgating attempts; questioning unfamiliar individuals in sensitive areas. Core principle: security threats exist in both digital and physical environments. Training users to be observant in both dimensions reduces the attack surface at the human layer. Why both matter: a technically secure network can be compromised by a user who picks up and plugs in a USB drive left in a parking lot. Exam: situational awareness = both digital AND physical threat recognition.

What are the risks of unknown USB drives and unknown cables?

Unknown USB drive risk: a USB drive found in a parking lot, received in an envelope, or left on a desk may contain malware that auto-executes when connected. Attack types: (1) Malware payload — drops malicious software onto the host on insertion; (2) BadUSB attack — a USB device with reprogrammed firmware that masquerades as a different device type (e.g., presents as a keyboard and types commands). Why dangerous: the trust model for USB is hardware-level. The OS trusts the device because it physically connected. Firmware can be reprogrammed to claim to be any device type. There is no reliable way to visually inspect a USB drive for malicious firmware. Unknown cable risk: cables can also contain embedded computing hardware (e.g., O.MG Cable) that performs HID (Human Interface Device) injection, acting as a keyboard to execute commands. A cable that looks like a standard charging cable may contain a malicious microcontroller. Training rule: never connect unknown USB drives or cables to work systems. Period.

What controls does user training cover for insider threat prevention?

Insider threat: a current or former employee, contractor, or partner who misuses their authorized access to cause harm, whether intentional (malicious insider) or unintentional (negligent insider). Training-covered controls: (1) Multiple approvals for critical processes: require two or more authorizations before high-impact actions (large wire transfers, production deployments, deletion of major data sets) so no single individual can act alone; (2) Active file monitoring: automated systems alert when unusual file access, copying, or exfiltration occurs; users should know this monitoring exists; (3) Least privilege: users only receive access rights necessary for their job; training covers why users should not request or use more access than needed; (4) Making unauthorized changes difficult: requiring change management tickets, multi-party authorization, and audit trails for system changes. Key insight: these controls work together to raise the cost and difficulty of insider abuse while also catching mistakes early. Exam: multiple approvals + monitoring + least privilege = insider threat prevention framework.

What does user training cover about password management?

Password management training covers: (1) Length requirements: longer passwords are exponentially harder to crack; modern guidance (NIST SP 800-63B) recommends length over complexity; many organizations require 12+ characters minimum; (2) Complexity requirements: mix of uppercase, lowercase, numbers, and symbols increases the character set attackers must search; (3) No reuse: using the same password across multiple accounts means one breach compromises all accounts; password managers solve this by generating unique passwords for every site; (4) No sharing: sharing credentials defeats audit trails and enables insider abuse; each user must have individual accounts; (5) Group Policy enforcement: in Windows environments, password requirements (minimum length, complexity, history, expiration) are enforced via Group Policy Objects (GPOs) — policy is set centrally and applied automatically; users cannot bypass GPO password requirements. Exam point: Group Policy is the enforcement mechanism for Windows domain password policies. Training explains why; GPO enforces it.

What is social engineering and how does user training address it?

Social engineering: manipulation of people into divulging information or taking actions that compromise security, exploiting psychology rather than technology. Common techniques covered in training: (1) Pretexting: attacker fabricates a convincing scenario to extract information ("I'm from IT support, I need your password to fix your account"); (2) Urgency creation: "Your account will be deleted in 2 hours unless you act now" bypasses rational evaluation; (3) Impersonation: pretending to be a known authority figure (IT, HR, C-suite, vendor) to gain compliance; (4) Authority exploitation: "The CEO asked me to get this data right away." Why users are the last line of defense: technical controls cannot block a user who voluntarily hands over their credentials. Training must create habits of verification: call back the requester at a known-good number; verify unusual requests through a second channel; never share credentials by email or phone regardless of who asks. Exam: social engineering attacks the human layer; user training is the primary defense.

What is OPSEC (Operational Security) and what does user training teach about it?

OPSEC (Operational Security): a process for identifying and protecting sensitive information that could be used by an adversary to compromise security. Originally a military concept; now applied to business and personal security. Core principle: think from the attacker's perspective. What information, if known to an attacker, would help them attack you? Protect that information. OPSEC process: (1) Identify sensitive data; (2) Identify potential threats; (3) Identify vulnerabilities in how that data is exposed; (4) Assess the risk; (5) Apply countermeasures. Practical examples in training: do not post organizational network diagrams or system details on public forums even while seeking help; do not discuss sensitive projects in public spaces; be careful about what system details appear in job postings; avoid oversharing on professional networks. Passive reconnaissance connection: pen testers use OSINT to gather information that organizations inadvertently expose. OPSEC training teaches users to minimize that exposure. Exam: OPSEC = attacker perspective thinking + minimize information exposure.

What security requirements apply to remote and hybrid work?

Remote/hybrid work security training covers: (1) No family access to work devices: work laptops and phones must not be used by family members; children playing games or browsing on a work laptop create immediate malware and data exposure risk; (2) Endpoint security requirements: remote devices must have EDR (Endpoint Detection and Response) and/or MDM (Mobile Device Management) installed before connecting to corporate systems; these provide the same visibility into remote devices that on-premises systems have; (3) VPN required: all corporate system access from outside the office must go through VPN; this encrypts traffic on untrusted home/public networks and routes connections through organizational security controls; (4) Home network awareness: home routers may lack the security controls of corporate networks; keeping firmware updated, using WPA3, and not using the router's default credentials are baseline hygiene. Why it matters: remote work removes the physical security perimeter; the endpoint itself becomes the security boundary. Exam: VPN + EDR/MDM + no family access = remote work security triad.

Why must third-party users (contractors, partners, suppliers) receive security training?

Third-party training requirement: contractors, business partners, and suppliers who are granted access to organizational systems must receive the same pre-access security training as employees. Why: (1) Same access, same risk: a contractor with access to sensitive systems represents the same security risk as an employee with that access. Access level determines training requirement, not employment status; (2) Legal and regulatory compliance: HIPAA Business Associate requirements, PCI DSS, and GDPR all impose security obligations on third parties with access to regulated data; organizations that grant access without training can be held liable for third-party breaches; (3) Supply chain attacks: attackers increasingly target organizations through trusted third-party access (SolarWinds attack model); (4) Documentation: training completion by third parties must be documented just as it is for employees. Contractual enforcement: security training requirements should appear in vendor/contractor agreements as enforceable obligations. Exam rule: third-party access = training required. No exception for contractors.

What is role-based training and how does it differ from general security training?

Role-based training: security training content tailored to the specific responsibilities, access levels, and threat exposure of a particular job function. Goes beyond the minimum awareness baseline that all employees share. Why roles matter: a warehouse employee and a CFO face fundamentally different security threats. Generic training that covers everything shallowly is less effective than targeted training that covers the relevant risks deeply. Examples by role: IT administrators: privileged account security, change management procedures, secure configuration; Finance: business email compromise, wire transfer verification, invoice fraud; Executives: whaling attacks, personal device security, public exposure risks; HR: W-2 phishing attacks, sensitive employee data handling, background check data protection. Structure: all users share the minimum awareness baseline; role-based training adds depth specific to that role's threat landscape. Exam distinction: role-based training ≠ specialized technical security training. It is job-specific security awareness, not security operations training.

What is the BadUSB attack and why can't it be stopped by visual inspection?

BadUSB attack: a technique that exploits the reprogrammable nature of USB device firmware to make a USB device appear to be a different device type than it physically is. Classic example: a USB drive has its firmware reprogrammed to present itself to the host computer as a USB keyboard. When plugged in, the OS trusts it (keyboards don't need special permissions) and the device begins typing commands autonomously — in milliseconds, it can type commands that download and execute malware. Why visual inspection fails: firmware is inside the device controller chip; there is no visual difference between a clean USB drive and a BadUSB device. Even a USB drive that works normally as storage can simultaneously act as a keyboard. Related attack: HID (Human Interface Device) injection — any USB device that registers as a keyboard or mouse can inject keystrokes or mouse movements. This includes cables (O.MG Cable) as well as drives. Policy response: organizational policy must prohibit connecting unknown USB devices regardless of apparent type.

What is pretexting and how does user training defend against it?

Pretexting: a social engineering technique where the attacker fabricates a plausible false scenario (pretext) to manipulate the target into taking a security-compromising action. The attacker invents a context that makes the request seem legitimate. Examples: "I'm from IT support — we're having issues with your account and need your password to verify your identity" (IT will never ask for your password); "I'm a vendor and I need to access the server room to upgrade the hardware" (verify vendor identity independently); "The auditors need this financial data by end of business today" (verify the request through a known-good contact channel). Why pretexting works: humans are wired to be helpful and to comply with authority figures. A convincing pretext exploits these tendencies. Defense through training: establish clear policies that define what will and will never be requested by phone or email (passwords, MFA codes, data transfers without tickets); train users to verify unusual requests through a second, independent channel; create a culture where questioning authority is acceptable. Exam: pretexting = fabricated scenario to manipulate; defense = verify independently.

User training coverage areas: complete overview for the exam

Nine user training coverage areas: (1) Pre-access training: complete before any system access; includes employees and third parties; must be documented. (2) Policy guidance: acceptable use, data handling, incident reporting procedures. (3) Situational awareness: digital threats (phishing, suspicious URLs) and physical threats (USB devices, unlocked doors). (4) Insider threat: multiple approvals, active monitoring, least privilege, making unauthorized changes difficult. (5) Password management: length, complexity, no reuse, Group Policy enforcement. (6) Removable media: unknown USB drives and cables are prohibited; BadUSB and HID injection risks. (7) Social engineering: pretexting, urgency, impersonation; users are the last line of defense. (8) OPSEC: attacker's perspective, identify sensitive data, minimize exposure. (9) Remote/hybrid work: no family access to work devices, EDR/MDM required, VPN mandatory. Exam shortcut: if the scenario involves a human making a security mistake or being manipulated, one of these nine areas is the relevant control.