Course 7 - Secure SDLC (Software Development Life Cycle) | Episode 2: Malware, Social Engineering, GRC, and Secure Development Practices

Published 6 months, 1 week ago
Description
In this lesson, you’ll learn about:
Security Awareness Training — Secure SDLC Phase 1
1. Security Awareness Training (SAT) Fundamentals
  • SAT is the education process that teaches employees and users about cybersecurity, IT best practices, and regulatory compliance.
  • Human error is the biggest factor in breaches: 95% of breaches are caused by human error.
  • SAT reduces human mistakes, protects sensitive PII, prevents data breaches, and engages developers, network teams, and business users.
Topics covered in SAT:
  • Password policy and secure authentication
  • PII management
  • Phishing and phone scams
  • Physical security
  • BYOD (Bring Your Own Device) threats
  • Public Wi-Fi protection
Training delivery methods:
  • New employee onboarding
  • Online self-paced modules
  • Cloud-based training portals
  • Interactive video training
  • Training with certification exams
2. Malware & Social Engineering Threats
Malware Classifications
  • Virus: Infects other files by modifying legitimate hosts (the only malware that infects files).
  • Adware: Exposes users to unwanted or malicious advertising.
  • Rootkit: Grants stealthy, unauthorized access and hides its presence; may require OS reinstallation to remove.
  • Spyware: Logs keystrokes to steal passwords or intellectual property.
  • Ransomware: Encrypts data and demands cryptocurrency payments, usually spread via Trojans.
  • Trojans: Malicious programs disguised as legitimate files or software.
  • RAT (Remote Access Trojan): Allows long-term remote control of systems without the user’s knowledge.
  • Worms: Self-replicating malware that spreads without user action.
  • Keyloggers: Capture keystrokes to steal credentials or financial information.
Social Engineering Attacks
  • Social engineering = manipulating people to obtain confidential information.
    Attackers target trust because it is easier to exploit than software.
5 Common Types:
  1. Phishing: Most common attack; uses fraudulent links, urgency, and fake messages.
    • 93% of successful breaches start with phishing.
  2. Baiting: Offers something attractive (free downloads/USBs) to trick users into installing malware or revealing credentials.
  3. Pretexting: Creates a false scenario to build trust and steal information.
  4. Distrust Attacks: Creates conflict or threatens exposure to extort money or access.
  5. Tailgating/Piggybacking: Attacker physically follows an authorized employee into a restricted area.
Defense strategies include:
  • Understanding the difference between phishing and spear phishing.
  • Recognizing that 53% of all attacks are phishing-based.
  • Using 10 email verification steps, including:
    • Check sender display name
    • Look for spelling errors
    • Be skeptical of urgency/threats
    • Inspect URLs before clicking
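As an added illustration (not code from the course), the following script applies three of the listed verification steps to a parsed message: it compares the sender display name with the real address, looks for urgency language, and checks whether link text matches the actual link target. The trusted-brand table, urgency word list and sample messages are constructed assumptions for the example.

```python
# Added example: automated triage for the email verification steps above.
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed assumption: brands users trust, mapped to the domains they really send from.
TRUSTED_DOMAINS = {"example bank": "examplebank.com", "it helpdesk": "corp.example"}
# Constructed assumption: phrases that signal pressure or threats.
URGENCY = ("immediately", "urgent", "within 24 hours", "suspended", "verify now")

def host_of(url):
    """Return the lower-cased host of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()

def same_site(a, b):
    """True when one host equals the other or is a subdomain of it."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def check_email(from_header, subject, body, links):
    """Return a list of red-flag findings; an empty list means none were seen.
    links is a list of (anchor_text, href) pairs taken from the message body."""
    findings = []
    display, addr = parseaddr(from_header)
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Step: check the sender display name against the real address.
    if "@" in display and display.rsplit("@", 1)[-1].lower() != sender_domain:
        findings.append(f"display name claims {display!r} but address is {addr!r}")
    for brand, domain in TRUSTED_DOMAINS.items():
        if brand in display.lower() and sender_domain != domain:
            findings.append(f"display name impersonates {brand!r}; sender domain is {sender_domain!r}")
    # Step: be skeptical of urgency or threats in the subject and body.
    hits = [w for w in URGENCY if w in f"{subject} {body}".lower()]
    if hits:
        findings.append(f"urgency language: {hits}")
    # Step: inspect URLs before clicking: shown domain vs. real target, raw IP hosts.
    for anchor, href in links:
        target = host_of(href)
        m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", anchor, re.I)
        shown = m.group(1).lower() if m else ""
        if shown and not same_site(shown, target):
            findings.append(f"link text shows {shown!r} but points to {target!r}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):
            findings.append(f"link points to a raw IP address: {target!r}")
    return findings
```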
3. Governance, Risk, and Compliance (GRC)
GRC Components:
  • Governance: Board-level processes to lead the organization and achieve business goals.
  • Risk Management: Predicting, assessing, and managing uncertainty and security risks.
  • Compliance: Ensuring adherence to laws, regulations, and internal policies.
Key compliance frameworks:
  • HIPAA — Healthcare data protection
  • SOX — Corporate financial reporting integrity
  • FISMA — Federal information system standards
  • PCI-DSS — Secure cardholder data; employees must acknowledge policies i