- ID: PV012
- Created: 01st June 2024
- Updated: 01st June 2024
- Contributor: The ITM Team
End-User Security Awareness Training
Mandatory security awareness training for employees can help them to recognize a range of cyber attacks that they can play a part in preventing or detecting. This can include topics such as phishing, social engineering, and data classification, amongst others.
Sections
ID | Name | Description |
---|---|---|
IF011 | Providing Access to an Unauthorized Third Party | A subject intentionally provides system or data access to a third party that is not authorized to access it. |
ME005 | Removable Media | A subject can mount and write to removable media. |
MT015 | Recklessness | The subject does not have a threatening motive. However, the subject undertakes actions without due care and attention to the outcome, which causes an infringement. |
PR022 | Social Engineering (Outbound) | A subject deceptively manipulates and/or persuades others in order to gain access to devices, systems or services that hold sensitive information, or to otherwise cause harm or undermine a target organization. |
IF017 | Excessive Personal Use | A subject uses organizational resources, such as internet access, email, or work devices, for personal activities both during and outside work hours, exceeding reasonable personal use. This leads to reduced productivity, increased security risks, and the potential mixing of personal and organizational data, ultimately affecting the organization’s efficiency and overall security. |
MT018 | Curiosity | A subject, motivated solely by personal curiosity, may take actions that unintentionally cause or risk harm to an organization. For example, they might install unauthorized software to experiment with its features or explore a network-attached storage (NAS) device without proper authorization. |
MT019 | Rogue Nationalism | A subject, driven by excessive pride in their nation, country, or region, undertakes actions that harm an organization. These actions are self-initiated and conducted unilaterally, without instruction or influence from legitimate authorities within their nation, country, region, or any other third party. The subject often perceives their actions as acts of loyalty or as benefiting their homeland. While the subject may believe they are acting in their nation’s best interest, their actions frequently lack strategic foresight and can result in significant damage to the organization. |
ME018 | Aiding and Abetting | An individual or individuals knowingly assist a subject to gain access to devices, systems, or services that hold sensitive information, or otherwise contravene internal policies. |
IF002.005 | Exfiltration via Physical Documents | A subject transports physical documents outside of the control of the organization. |
ME005.001 | USB Mass Storage | A subject can mount and write to a USB mass storage device. |
ME005.002 | SD Cards | A subject can mount and write to an SD card, either directly from the system, or through a USB connector. |
ME005.003 | Disc Media | A subject can mount and write to disc media, including CD-R, DVD and Blu-ray discs. |
ME006.001 | Webmail | A subject can access personal webmail services in a browser. |
ME006.002 | Cloud Storage | A subject can access personal cloud storage in a browser. |
ME006.003 | Inappropriate Websites | A subject can access websites containing inappropriate content. |
ME006.004 | Note-Taking Websites | A subject can access external note-taking websites (such as Evernote). |
ME006.005 | Messenger Services | A subject can access external messenger web-applications with the ability to transmit data and/or files. |
MT012.001 | Social Engineering (Inbound) | A third party deceptively manipulates and/or persuades a subject to divulge information, or gain access to devices or systems, or to otherwise cause harm or undermine a target organization. |
ME006.007 | Text Storage Websites | A subject can access external text storage websites, such as Pastebin. |