Fighting Phishing: Everything You Can Do to Fight Social Engineering and Phishing

Keep valuable data safe from even the most sophisticated social engineering and phishing attacks.

Fighting Phishing: Everything You Can Do To Fight Social Engineering and Phishing serves as the ideal defense against phishing for any reader, from large organizations to individuals. Unlike most anti-phishing books, which focus only on one or two strategies, this book discusses all the policies, education, and technical strategies that are essential to a complete phishing defense. This book gives clear instructions for deploying a great defense-in-depth strategy to defeat hackers and malware. Written by the lead data-driven defense evangelist at the world's number one anti-phishing company, KnowBe4, Inc., this guide shows you how to create an enduring, integrated cybersecurity culture.

• Learn what social engineering and phishing are, why they are so dangerous to your cybersecurity, and how to defend against them
• Educate yourself and other users on how to identify and avoid phishing scams, to stop attacks before they begin
• Discover the latest tools and strategies for locking down data when phishing has taken place, and stop breaches from spreading
• Develop technology and security policies that protect your organization against the most common types of social engineering and phishing

Anyone looking to defend themselves or their organization from phishing will appreciate the uncommonly comprehensive approach in Fighting Phishing.

Author(s): Roger A. Grimes
Edition: 1
Publisher: Wiley
Year: 2024

Language: English
Commentary: Publisher's PDF
Pages: 448
City: Hoboken, NJ
Tags: Security; Information Security; Social Engineering; Phishing; Email; Forensic Examination

Cover
Title Page
Copyright Page
Contents
Introduction
Who This Book Is For
What Is Covered in This Book
How to Contact Wiley or the Author
Part I Introduction to Social Engineering Security
Chapter 1 Introduction to Social Engineering and Phishing
What Are Social Engineering and Phishing?
How Prevalent Are Social Engineering and Phishing?
Social Engineering Statistics
The Solution
Summary
Chapter 2 Phishing Terminology and Examples
Social Engineering
Phish
Well-Known Brands
Top Phishing Subjects
Stressor Statements
Malicious Downloads
Malware
Bots
Downloader
Account Takeover
Spam
Spear Phishing
Whaling
Page Hijacking
SEO Pharming
Calendar Phishing
Social Media Phishing
Romance Scams
Vishing
Pretexting
Open-Source Intelligence
Callback Phishing
Smishing
Business Email Compromise
Sextortion
Browser Attacks
Baiting
QR Phishing
Phishing Tools and Kits
Summary
Chapter 3 3x3 Cybersecurity Control Pillars
The Challenge of Cybersecurity
Compliance
Risk Management
Assessing Risk Probability
Defense-In-Depth
3x3 Cybersecurity Control Pillars
Summary
Part II Policies
Chapter 4 Acceptable Use and General Cybersecurity Policies
Acceptable Use Policy (AUP)
General Cybersecurity Policy
Recommended Best Security Practices
Summary
Chapter 5 Anti-Phishing Policies
The Importance of Anti-Phishing Policies
What to Include
Introduction
Definitions
Training
Recognizing Common Signs of Social Engineering
Reporting
What to Do in the Event of Successful Phishing
Incident Response
Anti-BEC policies
Employee Monitoring
Summary
Chapter 6 Creating a Corporate SAT Policy
Getting Started with Your SAT Policy
Necessary SAT Policy Components
Policy Header Information
Goal
Control Mapping
Get Senior Management Approval and Sponsorship
Determine Where the SAT Program Originates
Scope
Definitions
Use Mostly Internal or External SAT Resources
Training Specifics
Simulated Phishing Campaigns
Platform Types
Content Types
Will You Have a Champions Program?
Expected Participant Behavior
Rewards and Consequences
Incident Response
Which Metrics to Use
SAT Policy Component Conclusion
Example of Security Awareness Training Corporate Policy
Acme Security Awareness Training Policy: Version 2.1
Scope
Policy Goal
Control Mapping
Definitions
Security Awareness Training Program Summary
Simulated Phishing Campaigns
Participant Requirements
Acme Champion Program
Rewards and Consequences
Incident Response
Reporting Metrics
Summary
Part III Technical Defenses
Chapter 7 DMARC, SPF, and DKIM
The Core Concepts
A US and Global Standard
Email Addresses
Friendly From Name
5322.From Name
5321.MailFrom Email Address
HELO Email Domain
Sender Policy Framework (SPF)
Domain Keys Identified Mail (DKIM)
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
DMARC Failed Email Treatment
DMARC Reporting
Configuring DMARC, SPF, and DKIM
Putting It All Together
DMARC Configuration Checking
How to Verify DMARC Checks
How to Use DMARC
What DMARC Doesn’t Do
Other DMARC Resources
Summary
Chapter 8 Network and Server Defenses
Defining Network
Network Isolation
Network-Level Phishing Attacks
Network- and Server-Level Defenses
Firewall
Use Phishing-Resistant MFA
HTTPS
Content-Filtering
Anti-Phishing Filters
Anti-Malware
Email Gateways
Email Servers/Service
Email Search and Destroy
Block Potentially Malicious File Attachments
Detonation Sandboxes
Anti-Domain Spoofing
Blocklists
Greylists
Reputation Services
DNS Lookups
Network Flow
Country-Blocks
Picture Badges
Summary
Chapter 9 Endpoint Defenses
Focusing on Endpoints
Anti-Spam and Anti-Phishing Filters
Anti-Malware
Patch Management
Browser Settings
Browser-Within-a-Browser
Full-Screen Mode
Browser Notifications
Email Client Settings
Firewalls
Phishing-Resistant MFA
Password Managers
VPNs
Prevent Unauthorized External Domain Collaboration
DMARC
End Users Should Not Be Logged on as Admin
Change and Configuration Management
Mobile Device Management
Summary
Chapter 10 Advanced Defenses
AI-Based Content Filters
Single-Sign-Ons
Application Control Programs
Red/Green Defenses
Email Server Checks
Proactive Doppelganger Searches
Honeypots and Canaries
Highlight New Email Addresses
Fighting USB Attacks
Phone-Based Testing
Physical Penetration Testing
Summary
Part IV Creating a Great Security Awareness Program
Chapter 11 Security Awareness Training Overview
What Is Security Awareness Training?
Goals of SAT
Senior Management Sponsorship
Absolutely Use Simulated Phishing Tests
Different Types of Training
Videos
Make Sure Content Is Up-to-Date
Posters and Newsletters
Games
Quizzes
Mobile Apps
Immediate Lessons upon Failure
Educate about the Signs of Social Engineering
Teach How to Recognize Rogue URLs
USB Key Attacks
Voice-Based Social Engineering
SMS-Based Phishing
Communication Tools
In-Person Attacks
Champion Programs
BEC Scams
Spear Phishing
Increase Sophistication and Maturity over Time
Train Like You Are Marketing
Compliance
Localization
SAT Rhythm of the Business
Reporting/Results
Checklist
Summary
Chapter 12 How to Do Training Right
Designing an Effective Security Awareness Training Program
Set Program Objectives
Getting Leadership Support
Form a Steering Committee
Training Frequency and Time Allocation
Audience Analysis
Accessibility
Assessment
Building/Selecting and Reviewing Training Content
Selecting Content
Create or Buy?
Review by Steering Committee
Interactivity
Learning Objectives
Reviewing Content
Communicating the SAT Plan
Deployment Tips
Ongoing Evaluation and Maintenance
Additional References
Summary
Chapter 13 Recognizing Rogue URLs
How to Read a URL
Protocol Moniker
Hostname
DNS Domain Name
Resource Name or Path
Variables
Most Important URL Information
Rogue URL Tricks
Look-Alike Domains
Strange Origination Domain
Hover, Bait, and Switch
Shortened URLs
URL Encoding
Malicious Open Redirects
Homoglyphs and Punycode Attacks
Summary
Chapter 14 Fighting Spear Phishing
Background
Spear Phishing Examples
Compromised Trusted Email Account
Spearphishing on Inside Confidential Information
Fake Job Offers
Fake Vendor Support
Credit Card Fraud Prevention
Personal to Company Attack
How to Defend Against Spear Phishing
Summary
Chapter 15 Forensically Examining Emails
Why Investigate?
Why You Should Not Investigate
How to Investigate
Examining Emails
Message Body
Disjointed Email Addresses
Strange Body or Attachments
Instructions to Ignore Warnings
Password-Protected File Attachments
Spotting Rogue URLs
File-Type Mismatches
Email Header Inspection
Clicking on Links and Running Malware
Submit Links and File Attachments to AV
The Preponderance of Evidence
A Real-World Forensic Investigation Example
Summary
Chapter 16 Miscellaneous Hints and Tricks
First-Time Firing Offense
Text-Only Email
Memory Issues
SAT Counselor
Annual SAT User Conference
Voice-Call Tests
Credential Searches
Dark Web Searches
Social Engineering Penetration Tests
Ransomware Recovery
Patch, Patch, Patch
CISA Cybersecurity Awareness Program
Passkeys
Avoid Controversial Simulated Phishing Subjects
Practice and Teach Mindfulness
Must Have Mindfulness Reading
Summary
Chapter 17 Improving Your Security Culture
What Is a Security Culture?
Seven Dimensions of a Security Culture
Attitudes
Behaviors
Cognition
Communication
Compliance
Norms
Responsibilities
Improving Security Culture
Baseline Measurement
Set a Goal
Identify Gaps and Apply Tactics
Remeasure Maturity Level
Other Resources
Summary
Conclusion
Acknowledgments
About the Author
Index
EULA