Chapter 121 · Tricks

User Training — Tricks

Exam traps, memory shortcuts, and practice scenarios for pre-access training, insider threats, USB/cable risks, social engineering defense, OPSEC, and remote work security.

🎯

Trick 1: Pre-Access Training Applies to Third Parties Too

Pre-access training applies to ALL users who will receive access to organizational systems — employees, contractors, business partners, and suppliers. The boundary is access level, not employment status. Third parties who need access must complete training before access is granted.

Common Exam Trap: A question asks who must complete pre-access security training, and offers "employees only" or "employees and IT contractors only" as options. Both are wrong. Any individual who will access organizational systems — regardless of whether they are an employee, a contractor from a staffing firm, a business partner's staff member, or a supplier's technician — must complete pre-access training. The critical factor is system access, not the type of relationship.
Memory Hook: Access = training. No access = no training required. A vendor who never touches your systems doesn't need your security training. A vendor who connects to your network does. The access is the trigger.
🎯

Trick 2: Unknown USB Drives and Cables Are Unconditionally Prohibited

Never connect an unknown USB drive or cable to a work system. There is no safe visual inspection that can verify a USB device's firmware has not been reprogrammed for BadUSB or HID injection. The prohibition is unconditional: found in a parking lot, received in an envelope labeled with a familiar company name, or left on a conference room table.

Common Exam Trap: A question describes a USB drive found in the parking lot with the company's logo on it, and asks what the employee should do. "Plug it in to see if it's a company device" is always wrong. The correct response: do not connect it; report it to IT security. A company logo on a USB drive means nothing about its firmware contents. Attackers use this technique specifically because it creates a false sense of legitimacy.
Memory Hook: USB + unknown = unconditional no. You cannot look inside the firmware with your eyes. Treat any unknown USB device or cable as potentially hostile regardless of how it looks or what label is on it.
🎯

Trick 3: OPSEC = Think Like the Attacker Before Posting

OPSEC asks users to consider what information they are exposing and whether an attacker could use it. Before posting about technology systems, job postings, conference talks, or project details publicly, consider: "Could an attacker use this to build a reconnaissance profile or plan an attack?"

Common Exam Trap: A question describes an employee who posts detailed technical information about the company's network architecture on Reddit while seeking help with a configuration problem. Which security concern does this represent? The answer is OPSEC, not a compliance violation or a data classification failure. The employee didn't share classified or protected personal data; they shared technical system details that give an attacker reconnaissance intelligence. OPSEC is the framework for avoiding this.
Memory Hook: OPSEC = the attacker's wishlist. Every piece of system information you post publicly is a Christmas gift to a threat actor conducting passive reconnaissance. Ask before posting: "Would I be comfortable if a hacker read this?"
🎯

Trick 4: Remote Work Removes the Physical Perimeter

Remote work means the endpoint device itself is the security perimeter. Without the office network's security controls (firewall, IDS, NAC), the remote device must carry equivalent security. This requires: VPN (for encrypted, controlled access), EDR/MDM (for endpoint visibility and control), and no family member access to work devices.

Common Exam Trap: A question asks what the most important security control for remote workers is. "Using a strong Wi-Fi password at home" is a distractor. The correct answer involves VPN (encrypts all traffic over untrusted home/public networks and routes it through organizational security controls) and EDR/MDM (gives the security team visibility into what is happening on the remote device). Strong Wi-Fi is good hygiene but does not substitute for either control.
Memory Hook: In the office: building = perimeter. At home: laptop = perimeter. When the laptop is the perimeter, the laptop needs perimeter-level security tools: VPN + EDR/MDM.

Practice Scenarios

Scenario 1: A new contractor from a consulting firm is scheduled to begin work Monday. They will need access to the company's internal project management system and SharePoint to collaborate on documents. The project manager wants to give them access on day one without waiting for the security team's training process, which typically takes 2 days. What is the correct security policy response?
A. The project manager's request is reasonable. Contractors with limited access to collaboration tools (SharePoint, project management) represent minimal risk and can be onboarded immediately without completing security training, which is designed for employees with broader system access.
B. Pre-access training must be completed before access is granted, regardless of the urgency of the business need. The contractor's access level does not exempt them from training requirements. The project manager should plan contractor start dates with the 2-day training process in mind. If access is needed urgently, training can sometimes be expedited, but it cannot be skipped.
C. The contractor can receive temporary read-only access while completing training. Read-only access does not allow data modification and therefore does not require pre-access training completion.
Why B: Pre-access training is a prerequisite for any access, including read-only. The policy exists because even read-only access exposes users to sensitive information and creates opportunities for social engineering or accidental data exposure. The access level does not change the training requirement. Business urgency is a planning problem, not a policy exception trigger.
Scenario 2: An employee receives a phone call from someone claiming to be from the company's IT help desk. The caller says: "We've detected malware on your computer and need you to give us your current password so we can log in remotely and remove it before it spreads to your colleagues' systems. This is very urgent." The employee suspects something is wrong. What are the social engineering techniques being used, and what should the employee do?
A. The call uses urgency ("this is very urgent"), authority impersonation (IT help desk), and a false pretext (malware requiring password). The employee should: refuse to provide the password (legitimate IT will never ask for passwords); hang up; call the IT help desk at the known official number (not a number the caller provides) to verify whether this call was legitimate; report the incident to security.
B. The employee should ask the caller to prove their identity by providing the employee's username, which only a real IT staff member would know. If the caller provides the correct username, they are likely legitimate and the employee can provide the password.
C. The employee should provide the password but immediately change it after the call ends. If the caller was malicious, they will have had only brief access before the password change invalidates their access.
Why A: Legitimate IT staff never ask for passwords. The attacker knowing the employee's username is not verification (it is often publicly available or already known through prior reconnaissance). Changing the password after providing it is ineffective if the attacker immediately used it to establish persistence (create accounts, extract data, install malware). The correct response is always: refuse, hang up, call IT through a verified channel.
Scenario 3: A company discovers that a senior engineer posted detailed questions about their internal Kubernetes cluster configuration on a public developer forum, including the cluster's internal IP scheme, node counts, Kubernetes version, and the cloud provider used. No personal data or credentials were exposed. What type of security concern does this represent and what policy would prevent it?
A. This is a data breach. The engineer exposed internal system configuration data, which constitutes proprietary information and should be reported to regulators as a potential data breach requiring notification.
B. This is primarily a compliance violation. Posting system configuration data publicly may violate data classification policies, and the engineer should be disciplined under the acceptable use policy.
C. This is an OPSEC failure. The engineer exposed reconnaissance intelligence (infrastructure details, versions, cloud provider) that reduces the attacker's effort significantly. The specific Kubernetes version reveals applicable CVEs; the cloud provider reveals the attack surface. OPSEC training teaches users to recognize that technical system details are sensitive reconnaissance targets, even when they contain no personal data or credentials. Policy response: OPSEC awareness training + guidance on anonymizing system details before posting publicly.
Why C: No personal data = no data breach in the regulatory sense. The harm is intelligence disclosure: a threat actor now knows the Kubernetes version (can research CVEs), the cloud provider (can tailor attack tools), and the network structure. This is exactly what passive reconnaissance is designed to gather, and OPSEC is the framework for preventing it. Compliance violation framing misidentifies the issue.