1
00:00:00,005 --> 00:00:02,005
- [Instructor] In addition to understanding how strong

2
00:00:02,005 --> 00:00:05,008
security habits can improve information security,

3
00:00:05,008 --> 00:00:10,000
users should also understand how attackers target users

4
00:00:10,000 --> 00:00:13,000
to undermine an organization's security.

5
00:00:13,000 --> 00:00:16,008
Security education programs should include coverage

6
00:00:16,008 --> 00:00:20,007
of user-based security threats.

7
00:00:20,007 --> 00:00:22,006
Phishing is one of the most common

8
00:00:22,006 --> 00:00:25,007
user-based threats facing organizations.

9
00:00:25,007 --> 00:00:27,001
In a phishing attack,

10
00:00:27,001 --> 00:00:29,009
attackers send legitimate-looking messages

11
00:00:29,009 --> 00:00:32,004
to end users seeking to get them

12
00:00:32,004 --> 00:00:34,009
to disclose sensitive information,

13
00:00:34,009 --> 00:00:38,007
or perform another action that undermines security.

14
00:00:38,007 --> 00:00:41,005
These messages can appear very realistic

15
00:00:41,005 --> 00:00:44,007
using corporate logos and terminology.

16
00:00:44,007 --> 00:00:47,002
The example phishing message shown here

17
00:00:47,002 --> 00:00:50,005
was used to impersonate Citibank.

18
00:00:50,005 --> 00:00:54,001
While phishing uses messages targeted at end users,

19
00:00:54,001 --> 00:00:57,002
it's only one example of a category of attacks

20
00:00:57,002 --> 00:00:59,002
known as social engineering.

21
00:00:59,002 --> 00:01:01,008
In social engineering, attackers attempt

22
00:01:01,008 --> 00:01:05,007
to manipulate individuals into undermining security.

23
00:01:05,007 --> 00:01:07,006
Security awareness efforts

24
00:01:07,006 --> 00:01:10,008
should inform users that social engineering

25
00:01:10,008 --> 00:01:14,003
isn't limited to email and that they should be wary

26
00:01:14,003 --> 00:01:16,008
of suspicious requests that they receive

27
00:01:16,008 --> 00:01:21,003
by telephone, letter, or even in person.

28
00:01:21,003 --> 00:01:24,004
Users should also understand that attackers create

29
00:01:24,004 --> 00:01:27,002
new malicious code every day

30
00:01:27,002 --> 00:01:30,004
and that they may fall victim to these new viruses

31
00:01:30,004 --> 00:01:33,008
and zero-day attacks if they don't properly maintain

32
00:01:33,008 --> 00:01:36,004
their computers and mobile devices,

33
00:01:36,004 --> 00:01:39,001
both at home and in the office.

34
00:01:39,001 --> 00:01:41,001
You'll learn more about this topic

35
00:01:41,001 --> 00:01:44,006
in the Zero-Days and Advanced Persistent Threat video

36
00:01:44,006 --> 00:01:49,001
of the Security + Threats and Vulnerabilities course.

37
00:01:49,001 --> 00:01:52,004
Educating users about the types of threats targeting them

38
00:01:52,004 --> 00:01:55,009
helps limit the effectiveness of user-based attacks.

39
00:01:55,009 --> 00:01:57,009
The more that you can spice this training up

40
00:01:57,009 --> 00:02:00,006
with examples from your own organization,

41
00:02:00,006 --> 00:02:03,006
the more likely it is that the training will be effective.