Keep valuable data safe from even the most sophisticated social engineering and phishing attacks
Fighting Phishing: Everything You Can Do To Fight Social Engineering and Phishing serves as the ideal defense against phishing for any reader, from large organizations to individuals. Unlike most anti-phishing books, which focus on only one or two strategies, this book covers all of the policy, education, and technical controls that are essential to a complete phishing defense. It gives clear instructions for deploying a defense-in-depth strategy to defeat attackers and malware. Written by the lead data-driven defense evangelist at the world's number one anti-phishing company, KnowBe4, Inc., this guide shows you how to create an enduring, integrated cybersecurity culture.
- Learn what social engineering and phishing are, why they are so dangerous to your cybersecurity, and how to defend against them
- Educate yourself and other users on how to identify and avoid phishing scams, to stop attacks before they begin
- Discover the latest tools and strategies for locking down data when phishing has taken place, and stop breaches from spreading
- Develop technology and security policies that protect your organization against the most common types of social engineering and phishing
Anyone looking to defend themselves or their organization from phishing will appreciate the uncommonly comprehensive approach in Fighting Phishing.
Contents
Introduction xiii
Part I Introduction to Social Engineering Security 1
Chapter 1 Introduction to Social Engineering and Phishing 3
What Are Social Engineering and Phishing? 3
How Prevalent Are Social Engineering and Phishing? 8
Chapter 2 Phishing Terminology and Examples 23
Social Engineering 23
Phish 24
Well-Known Brands 25
Top Phishing Subjects 26
Stressor Statements 27
Malicious Downloads 30
Malware 31
Bots 31
Downloader 32
Account Takeover 32
Spam 33
Spear Phishing 34
Whaling 35
Page Hijacking 35
SEO Pharming 36
Calendar Phishing 38
Social Media Phishing 40
Romance Scams 41
Vishing 44
Pretexting 46
Open-Source Intelligence 47
Callback Phishing 47
Smishing 49
Business Email Compromise 51
Sextortion 53
Browser Attacks 53
Baiting 56
QR Phishing 56
Phishing Tools and Kits 57
Summary 59
Chapter 3 3×3 Cybersecurity Control Pillars 61
The Challenge of Cybersecurity 61
Compliance 62
Risk Management 65
Defense-In-Depth 68
3×3 Cybersecurity Control Pillars 70
Summary 72
Part II Policies 73
Chapter 4 Acceptable Use and General Cybersecurity Policies 75
Acceptable Use Policy (AUP) 75
General Cybersecurity Policy 79
Summary 88
Chapter 5 Anti-Phishing Policies 89
The Importance of Anti-Phishing Policies 89
What to Include 90
Summary 109
Chapter 6 Creating a Corporate SAT Policy 111
Getting Started with Your SAT Policy 112
Necessary SAT Policy Components 112
Example of Security Awareness Training Corporate Policy 128
Acme Security Awareness Training Policy: Version 2.1 128
Summary 142
Part III Technical Defenses 145
Chapter 7 DMARC, SPF, and DKIM 147
The Core Concepts 147
A US and Global Standard 149
Email Addresses 151
Sender Policy Framework (SPF) 159
DomainKeys Identified Mail (DKIM) 165
Domain-based Message Authentication, Reporting, and Conformance (DMARC) 169
Configuring DMARC, SPF, and DKIM 174
Putting It All Together 175
DMARC Configuration Checking 176
How to Verify DMARC Checks 177
How to Use DMARC 179
What DMARC Doesn’t Do 180
Other DMARC Resources 181
Summary 182
Chapter 8 Network and Server Defenses 185
Defining Network 186
Network Isolation 187
Network-Level Phishing Attacks 187
Network- and Server-Level Defenses 190
Summary 214
Chapter 9 Endpoint Defenses 217
Focusing on Endpoints 217
Anti-Spam and Anti-Phishing Filters 218
Anti-Malware 218
Patch Management 218
Browser Settings 219
Browser Notifications 223
Email Client Settings 225
Firewalls 227
Phishing-Resistant MFA 227
Password Managers 228
VPNs 230
Prevent Unauthorized External Domain Collaboration 231
DMARC 231
End Users Should Not Be Logged on as Admin 232
Change and Configuration Management 232
Mobile Device Management 233
Summary 233
Chapter 10 Advanced Defenses 235
AI-Based Content Filters 235
Single-Sign-Ons 237
Application Control Programs 237
Red/Green Defenses 238
Email Server Checks 242
Proactive Doppelganger Searches 243
Honeypots and Canaries 244
Highlight New Email Addresses 246
Fighting USB Attacks 247
Phone-Based Testing 249
Physical Penetration Testing 249
Summary 250
Part IV Creating a Great Security Awareness Program 251
Chapter 11 Security Awareness Training Overview 253
What Is Security Awareness Training? 253
Goals of SAT 256
Senior Management Sponsorship 260
Absolutely Use Simulated Phishing Tests 260
Different Types of Training 261
Compliance 274
Localization 274
SAT Rhythm of the Business 275
Reporting/Results 277
Checklist 277
Summary 278
Chapter 12 How to Do Training Right 279
Designing an Effective Security Awareness Training Program 280
Building/Selecting and Reviewing Training Content 295
Additional References 303
Summary 304
Chapter 13 Recognizing Rogue URLs 305
How to Read a URL 305
Most Important URL Information 313
Rogue URL Tricks 315
Summary 334
Chapter 14 Fighting Spear Phishing 335
Background 335
Spear Phishing Examples 337
How to Defend Against Spear Phishing 345
Summary 347
Chapter 15 Forensically Examining Emails 349
Why Investigate? 349
Why You Should Not Investigate 350
How to Investigate 351
Examining Emails 352
Clicking on Links and Running Malware 373
Submit Links and File Attachments to AV 374
The Preponderance of Evidence 375
A Real-World Forensic Investigation Example 376
Summary 378
Chapter 16 Miscellaneous Hints and Tricks 379
First-Time Firing Offense 379
Text-Only Email 381
Memory Issues 382
SAT Counselor 383
Annual SAT User Conference 384
Voice-Call Tests 385
Credential Searches 385
Dark Web Searches 386
Social Engineering Penetration Tests 386
Ransomware Recovery 387
Patch, Patch, Patch 387
CISA Cybersecurity Awareness Program 388
Passkeys 388
Avoid Controversial Simulated Phishing Subjects 389
Practice and Teach Mindfulness 392
Must Have Mindfulness Reading 393
Summary 393
Chapter 17 Improving Your Security Culture 395
What Is a Security Culture? 396
Seven Dimensions of a Security Culture 397
Improving Security Culture 401
Other Resources 404
Summary 404
Conclusion 405
Acknowledgments 407
About the Author 411
Index 413
About the Author
ROGER A. GRIMES has 35 years of experience in computer security and has authored 13 previous books on the topic. He is the Data-Driven Defense Evangelist at KnowBe4, a security awareness education company, and a senior computer security consultant and cybersecurity architect.