Security Training

Security Skills Assessment and Appropriate Training to Fill Gaps is control #20 of the Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, and the last of the five controls not directly supported by automated measurement and validation. Cymbel provides professional services in support of all five.

Security Skills Assessment and Appropriate Training to Fill Gaps as introduced by the SANS 20 Critical Security Controls:

Five groups of people are constantly being tested by exploitation attempts by attackers:

  1. End users are fooled via social engineering scams, in which they are tricked into providing passwords, opening attachments, loading software from untrusted sites, or visiting malicious web sites.
  2. System administrators are fooled in the same manner as normal users, but are also tested when attackers attempt to trick the administrator into setting up unauthorized accounts.
  3. Security operators and analysts are tested with new and innovative attacks introduced on a continual basis.
  4. Application programmers are tested by criminals who find and exploit the vulnerabilities in the code that they write.
  5. To a lesser degree, system owners are tested when they are asked to invest in cyber security but are unaware of the devastating impact a compromise and data exfiltration or data alteration would have on their mission.

Any organization that hopes to be ready to find and respond to attacks effectively owes it to its employees and contractors to find the gaps in their knowledge and to provide exercises and training to fill those gaps. A solid security skills assessment program can provide actionable information to decision makers about where security awareness needs to be improved, and can also help determine proper allocation of limited resources to improve security practices.

Cymbel can help you meet the standards prescribed by the SANS 20 Critical Security Controls:

  • Develop security awareness training for various personnel job descriptions. The training should include specific, incident-based scenarios showing the threats an organization faces. The training should reflect proven defenses for the latest attack techniques.
  • Devise periodic security awareness assessment quizzes, to be given to employees and contractors on at least an annual basis, determining whether they understand the information security policies and procedures for the organization, as well as their role in those procedures.
  • Conduct periodic exercises to verify that employees and contractors are fulfilling their information security duties, by conducting tests to see whether employees will click on a link from suspicious e-mail or provide sensitive information on the telephone without following appropriate procedures for authenticating a caller.
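The phishing exercise described in the last point needs a way to tell which recipients clicked without letting one recipient forge or guess a colleague's result. The script below is an added example written for this page; it is not Cymbel's tooling and not part of the SANS control text. It assumes a hypothetical tracking endpoint `/track?t=<token>` behind a standard access log, a per-campaign secret key, and a constructed five-person roster and log excerpt (no real people or systems). Tokens are HMAC-SHA256 over the campaign id and address, so a tampered token is rejected rather than counted, repeat clicks by one person count once, and the report is a per-department click rate that can drive the follow-up training the control asks for.

```python
import hashlib
import hmac
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed roster for this example: e-mail -> department (not real people).
ROSTER = {
    "alice@example.com": "Finance",
    "bob@example.com": "Finance",
    "carol@example.com": "Engineering",
    "dave@example.com": "Engineering",
    "erin@example.com": "HR",
}

# Hypothetical per-campaign key and id. In a real exercise the key comes
# from a secrets manager, never from source code.
CAMPAIGN_KEY = b"example-only-campaign-key"
CAMPAIGN_ID = "2024-q1-invoice-lure"


def make_token(email: str, campaign_id: str, key: bytes) -> str:
    """Per-recipient tracking token: HMAC over campaign id and address.

    A keyed MAC (rather than a sequential id or a bare hash) means someone
    who inspects their own link cannot derive a colleague's token, and a
    forged token fails lookup instead of being counted as a click.
    """
    msg = f"{campaign_id}:{email.lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:20]


def token_lookup(roster, campaign_id, key):
    """Map every valid token for this campaign back to its recipient."""
    return {make_token(e, campaign_id, key): e for e in roster}


def extract_token(log_line: str):
    """Return the t= parameter from a Common Log Format request, or None."""
    parts = log_line.split('"')          # request line sits between quotes
    if len(parts) < 2:
        return None
    request = parts[1].split()           # e.g. GET /track?t=abc HTTP/1.1
    if len(request) < 2:
        return None
    query = parse_qs(urlparse(request[1]).query)
    return query.get("t", [None])[0]


def tally_clicks(log_text: str, lookup):
    """Unique recipients who clicked, plus the count of rejected tokens."""
    clicked = set()
    rejected = 0
    for line in log_text.splitlines():
        if "/track?" not in line:
            continue                     # unrelated request
        token = extract_token(line)
        if token is None:
            continue
        email = lookup.get(token)
        if email is None:
            rejected += 1                # forged or garbled token: not counted
        else:
            clicked.add(email)           # set: repeat clicks count once
    return clicked, rejected


def click_rate_by_department(roster, clicked):
    sent = defaultdict(int)
    hit = defaultdict(int)
    for email, dept in roster.items():
        sent[dept] += 1
        if email in clicked:
            hit[dept] += 1
    return {d: round(hit[d] / sent[d], 2) for d in sent}


def _log_line(token, ts, ip):
    return f'{ip} - - [{ts}] "GET /track?t={token} HTTP/1.1" 200 43 "-" "Mozilla/5.0"'


def build_sample_log(campaign_id, key):
    """Constructed access-log excerpt: two real clicks (one repeated),
    one forged token and one unrelated request."""
    tok = lambda e: make_token(e, campaign_id, key)
    return "\n".join([
        _log_line(tok("alice@example.com"), "10/Mar/2024:09:12:01 +0000", "10.0.0.5"),
        _log_line(tok("alice@example.com"), "10/Mar/2024:09:12:40 +0000", "10.0.0.5"),
        _log_line(tok("carol@example.com"), "10/Mar/2024:09:30:12 +0000", "10.0.0.9"),
        _log_line("deadbeefdeadbeefdead", "10/Mar/2024:09:31:00 +0000", "10.0.0.9"),
        '10.0.0.7 - - [10/Mar/2024:09:35:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    ])


def run_report(roster=ROSTER, campaign_id=CAMPAIGN_ID, key=CAMPAIGN_KEY):
    lookup = token_lookup(roster, campaign_id, key)
    clicked, rejected = tally_clicks(build_sample_log(campaign_id, key), lookup)
    return {
        "clicked": sorted(clicked),
        "rejected_tokens": rejected,
        "rate_by_department": click_rate_by_department(roster, clicked),
    }


if __name__ == "__main__":
    print(run_report())
```

On the constructed log this reports Alice and Carol as the clickers (Alice's second click is not double-counted), one rejected token, and a 50% rate in Finance and Engineering against 0% in HR. The per-person list is what feeds targeted training; the per-department rate is the figure a decision maker compares across assessment rounds.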