Keep valuable data safe from even the most sophisticated social engineering and phishing attacks
Fighting Phishing: Everything You Can Do To Fight Social Engineering and Phishing serves as the ideal defense against phishing for any reader, from large organizations to individuals. Unlike most anti-phishing books, which focus only on one or two strategies, this book discusses all the policies, education, and technical strategies that are essential to a complete phishing defense. This book gives clear instructions for deploying a great defense-in-depth strategy to defeat hackers and malware. Written by the lead data-driven defense evangelist at the world's number one anti-phishing company, KnowBe4, Inc., this guide shows you how to create an enduring, integrated cybersecurity culture.
Anyone looking to defend themselves or their organization from phishing will appreciate the uncommonly comprehensive approach in Fighting Phishing.
ROGER A. GRIMES has 35 years of experience in computer security and has authored 13 previous books on the topic. He is the Data-Driven Defense Evangelist at KnowBe4, a security awareness education company, and a senior computer security consultant and cybersecurity architect.
Introduction xiii
Part I Introduction to Social Engineering Security 1
Chapter 1 Introduction to Social Engineering and Phishing 3
What Are Social Engineering and Phishing? 3
How Prevalent Are Social Engineering and Phishing? 8
Chapter 2 Phishing Terminology and Examples 23
Social Engineering 23
Phish 24
Well-Known Brands 25
Top Phishing Subjects 26
Stressor Statements 27
Malicious Downloads 30
Malware 31
Bots 31
Downloader 32
Account Takeover 32
Spam 33
Spear Phishing 34
Whaling 35
Page Hijacking 35
SEO Pharming 36
Calendar Phishing 38
Social Media Phishing 40
Romance Scams 41
Vishing 44
Pretexting 46
Open-Source Intelligence 47
Callback Phishing 47
Smishing 49
Business Email Compromise 51
Sextortion 53
Browser Attacks 53
Baiting 56
QR Phishing 56
Phishing Tools and Kits 57
Summary 59
Chapter 3 3x3 Cybersecurity Control Pillars 61
The Challenge of Cybersecurity 61
Compliance 62
Risk Management 65
Defense-In-Depth 68
3x3 Cybersecurity Control Pillars 70
Summary 72
Part II Policies 73
Chapter 4 Acceptable Use and General Cybersecurity Policies 75
Acceptable Use Policy (AUP) 75
General Cybersecurity Policy 79
Summary 88
Chapter 5 Anti-Phishing Policies 89
The Importance of Anti-Phishing Policies 89
What to Include 90
Summary 109
Chapter 6 Creating a Corporate SAT Policy 111
Getting Started with Your SAT Policy 112
Necessary SAT Policy Components 112
Example of Security Awareness Training Corporate Policy 128
Acme Security Awareness Training Policy: Version 2.1 128
Summary 142
Part III Technical Defenses 145
Chapter 7 DMARC, SPF, and DKIM 147
The Core Concepts 147
A US and Global Standard 149
Email Addresses 151
Sender Policy Framework (SPF) 159
DomainKeys Identified Mail (DKIM) 165
Domain-based Message Authentication, Reporting, and Conformance (DMARC) 169
Configuring DMARC, SPF, and DKIM 174
Putting It All Together 175
DMARC Configuration Checking 176
How to Verify DMARC Checks 177
How to Use DMARC 179
What DMARC Doesn't Do 180
Other DMARC Resources 181
Summary 182
Chapter 8 Network and Server Defenses 185
Defining Network 186
Network Isolation 187
Network-Level Phishing Attacks 187
Network- and Server-Level Defenses 190
Summary 214
Chapter 9 Endpoint Defenses 217
Focusing on Endpoints 217
Anti-Spam and Anti-Phishing Filters 218
Anti-Malware 218
Patch Management 218
Browser Settings 219
Browser Notifications 223
Email Client Settings 225
Firewalls 227
Phishing-Resistant MFA 227
Password Managers 228
VPNs 230
Prevent Unauthorized External Domain Collaboration 231
DMARC 231
End Users Should Not Be Logged on as Admin 232
Change and Configuration Management 232
Mobile Device Management 233
Summary 233
Chapter 10 Advanced Defenses 235
AI-Based Content Filters 235
Single-Sign-Ons 237
Application Control Programs 237
Red/Green Defenses 238
Email Server Checks 242
Proactive Doppelganger Searches 243
Honeypots and Canaries 244
Highlight New Email Addresses 246
Fighting USB Attacks 247
Phone-Based Testing 249
Physical Penetration Testing 249
Summary 250
Part IV Creating a Great Security Awareness Program 251
Chapter 11 Security Awareness Training Overview 253
What Is Security Awareness Training? 253
Goals of SAT 256
Senior Management Sponsorship 260
Absolutely Use Simulated Phishing Tests 260
Different Types of Training 261
Compliance 274
Localization 274
SAT Rhythm of the Business 275
Reporting/Results 277
Checklist 277
Summary 278
Chapter 12 How to Do Training Right 279
Designing an Effective Security Awareness Training Program 280
Building/Selecting and Reviewing Training Content 295
Additional References 303
Summary 304
Chapter 13 Recognizing Rogue URLs 305
How to Read a URL 305
Most Important URL Information 313
Rogue URL Tricks 315
Summary 334
Chapter 14 Fighting Spear Phishing 335
Background 335
Spear Phishing Examples 337
How to Defend Against Spear Phishing 345
Summary 347
Chapter 15 Forensically Examining Emails 349
Why Investigate? 349
Why You Should Not Investigate 350
How to Investigate 351
Examining Emails 352
Clicking on Links and Running Malware 373
Submit Links and File Attachments to AV 374
The Preponderance of Evidence 375
A Real-World Forensic Investigation Example 376
Summary 378
Chapter 16 Miscellaneous Hints and Tricks 379
First-Time Firing Offense 379
Text-Only Email 381
Memory Issues 382
SAT Counselor 383
Annual SAT User Conference 384
Voice-Call Tests 385
Credential Searches 385
Dark Web Searches 386
Social Engineering Penetration Tests 386
Ransomware Recovery 387
Patch, Patch, Patch 387
CISA Cybersecurity Awareness Program 388
Passkeys 388
Avoid Controversial Simulated Phishing Subjects 389
Practice and Teach Mindfulness 392
Must Have Mindfulness Reading 393
Summary 393
Chapter 17 Improving Your Security Culture 395
What Is a Security Culture? 396
Seven Dimensions of a Security Culture 397
Improving Security Culture 401
Other Resources 404
Summary 404
Conclusion 405
Acknowledgments 407
About the Author 411
Index 413
Social engineering has been around since the beginning of humanity, and phishing has been around at least since the beginning of networked computers. I can remember my first brush with social engineering via computers in 1987. This was before most people had even heard of something called the Internet and before most people had personal computers. Many of us early adopters were on a precursor of the Internet called FidoNet. Back in those days, you would use a 300 or 1200 baud (bits per second, BPS) dial-up analog modem to call your local BBS (Bulletin Board System). This system would use a crude "store-and-forward" technology that would transmit and receive messages and files around the world in a day or so. We thought it was all pretty cutting-edge.
On one of the BBSs, I came across a downloadable text file named "How to Get a Free HST Modem." HST modems, made by US Robotics, were the fastest and best modems available at the time. They ran at an incredible 9600 BPS. They were expensive enough that only a few lucky, monied people had them. They were mostly used by Fortune 500 companies and well-funded universities. This file promised to tell anyone who read it how to obtain a free one. It was too enticing to pass up.
I opened the file, and it contained only the text "Steal One!" "Well, that was disappointing!" I thought. Then the very next key I pressed formatted (i.e., permanently erased) my hard drive and rendered my computer useless, at least until I reinstalled the operating system and redid everything all over again. I lost all my files.
It turns out the file was something called an "ANSI bomb." It was a malicious file that took advantage of a feature of a legitimate operating system file called ANSI.SYS. ANSI.SYS was an optional device driver shipped with Microsoft's MS-DOS, which most of us ran at the time. It gave users extended, "cool," features for their screen and keyboard, such as displaying special graphics, colors, and characters on the screen, all driven by escape sequences embedded in ordinary text. It also allowed savvy users to map a sequence of characters to a single key on their keyboard. It was meant to let people create "macros": an automated shortcut that triggered a longer sequence of key presses. You could hit one or two keys and automate what would otherwise be a bunch of other key presses. The catch was that ANSI.SYS processed those escape sequences in any text sent to the screen, so simply displaying a downloaded file was enough to trigger them. Some malicious jerk had created a file whose escape sequences instructed ANSI.SYS to remap the keys on the user's keyboard so that the next key press typed and executed the command to format the user's hard drive.
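As an added illustration of the mechanism described above (this is example code written for this page, not code from the book or from the author), the following Python scans a text file for ANSI.SYS key-reassignment sequences, decodes what each remapped key would type, and flags the destructive, self-executing ones. The two sample files, the list of destructive command hints, and the risk labels are constructed assumptions for the example; the escape-sequence syntax is the documented MS-DOS ANSI.SYS form.

```python
"""Detect ANSI.SYS key-remapping ("ANSI bomb") sequences in text.

ANSI.SYS accepted a key-reassignment escape sequence of the form
    ESC [ code ; string ; ... p
where `code` is the ASCII code of the key being redefined (or `0;scancode`
for an extended key such as a function key) and each `string` is a
double-quoted string or a list of ASCII codes. Once processed, pressing
that key types the payload instead of its own character; merely displaying
(TYPEing) a file that contains the sequence is enough to arm it.

The sample files below are constructed for this example.
"""
import re

ESC = "\x1b"

# One parameter: a decimal number or a double-quoted string (no ESC inside).
_ITEM = r'(?:\d+|"[^"\x1b]*")'
# Full key-reassignment sequence: ESC [ item ( ; item )* p
KEY_REASSIGN_RE = re.compile(r"\x1b\[(" + _ITEM + r"(?:;" + _ITEM + r")*)p")
_ITEM_RE = re.compile(_ITEM)

# Substrings that make a remapped payload destructive rather than a harmless
# macro. Assumed for this example; not an exhaustive signature set.
DESTRUCTIVE_HINTS = ("format ", "del ", "deltree", "erase ", "fdisk", "rd ", "rmdir")


def _decode_items(items):
    """Concatenate parameter items into the text the remapped key will type."""
    out = []
    for item in items:
        if item.startswith('"'):
            out.append(item[1:-1])          # literal quoted text
        else:
            out.append(chr(int(item)))      # single ASCII code, e.g. 13 = Enter
    return "".join(out)


def find_key_remaps(text):
    """Return one dict per key-reassignment sequence found in `text`.

    `key` is the remapped key: an int ASCII code, or ("ext", scancode) for an
    extended key. `payload` is what the key will type afterwards.
    """
    remaps = []
    for m in KEY_REASSIGN_RE.finditer(text):
        items = _ITEM_RE.findall(m.group(1))
        if items[0] == "0" and len(items) > 1 and items[1].isdigit():
            key, rest = ("ext", int(items[1])), items[2:]
        elif items[0].startswith('"') and len(items[0]) > 2:
            key, rest = ord(items[0][1]), items[1:]   # quoted single character
        else:
            key, rest = int(items[0]), items[1:]
        remaps.append({"key": key, "payload": _decode_items(rest), "raw": m.group(0)})
    return remaps


def classify_remap(remap):
    """'bomb' when the payload runs a destructive command by itself (it ends
    with Enter, code 13), 'suspicious' when it auto-executes or looks
    destructive, 'macro' otherwise."""
    payload = remap["payload"].lower()
    auto_exec = "\r" in payload
    destructive = any(hint in payload for hint in DESTRUCTIVE_HINTS)
    if auto_exec and destructive:
        return "bomb"
    if auto_exec or destructive:
        return "suspicious"
    return "macro"


def is_ansi_bomb(text):
    return any(classify_remap(r) == "bomb" for r in find_key_remaps(text))


# Constructed sample: the lure text with Enter (13) and Space (32) rebound so
# the next press of either key types a destructive command and executes it.
SAMPLE_BOMB = (
    "How to Get a Free HST Modem\r\n"
    "Steal One!\r\n"
    + ESC + '[13;"echo y|format c:";13p'
    + ESC + '[32;"echo y|format c:";13p'
)
# Constructed sample: ordinary clear-screen and colour sequences, no remapping.
SAMPLE_BENIGN = ESC + "[2J" + ESC + "[1;33mWelcome to the BBS" + ESC + "[0m\r\n"

if __name__ == "__main__":
    for name, sample in (("bomb", SAMPLE_BOMB), ("benign", SAMPLE_BENIGN)):
        remaps = find_key_remaps(sample)
        print(f"{name}: {len(remaps)} remap(s), ansi_bomb={is_ansi_bomb(sample)}")
        for r in remaps:
            print(f"  key {r['key']!r} -> {r['payload']!r} [{classify_remap(r)}]")
```

The lesson generalizes beyond MS-DOS: anything that interprets control sequences in untrusted text (a terminal emulator displaying a log line or a filename, for instance) has the same shape of problem, and the defensive check is the same, namely decode the sequences before display rather than trusting that "it's only a text file."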
It was a lesson learned.
There are malicious people in the world who want to harm other innocent people for no other reason than they can. Not everyone in the world is friendly and helpful, especially to strangers.
Now, the impact of social engineering and phishing on cybercrime has been driven home to me tens of thousands of times during my career. Today, nearly everyone understands that social engineering and phishing are responsible for more cybercrime than any other single initial root cause. No other root cause of hacking is even close. But just a decade ago, even though it was true then, it wasn't as well known by cybersecurity defenders. I think everyone knew social engineering and phishing were a problem, but few knew exactly how big of a problem it was. Few defenders knew it was the number one problem by far. Even I didn't.
I worked as a Principal Security Architect for Microsoft Corporation for nearly 11 years, from 2007 to 2018. For much of that time, I did security reviews for customers and installed Public Key Infrastructures (PKI) and advanced security defense systems. I was promoted, usually well-liked by clients, and always installed systems on time and on budget, which isn't so normal in the computer industry. For years I felt like I was greatly helping to protect my customers.
Then I realized that every single customer I had, no matter what defenses we installed, was still falling prey to hackers and malware. This was despite installing the best computer security defense systems possible. Why? It was almost always due to social engineering (and, secondarily, unpatched software). Even though all my customers were spending hundreds of thousands to millions of dollars to protect themselves using the most advanced systems the industry could imagine and deliver, what was taking them down was the same thing that had been taking down companies since the beginning of computing: social engineering. And usually, phishing.
That realization occurred to me in about 2016. It made me depressed. Instead of seeing myself as part of the solution, I realized I wasn't really helping my clients avoid hackers and malware. What I was doing was more smoke and mirrors. I was wasting their time and money. But it wasn't as if I was alone. Most computer security companies and consultants did what I did, which was concentrate on everything but defeating social engineering and phishing, even though they were clearly the biggest problem by far. Still, it bothered me tremendously.
I eventually wrote the first edition of a book about my realization, A Data-Driven Defense: A Way to Improve Any Computer Defense (www.amazon.com/Data-Driven-Computer-Defense-Should-Using/dp/B0BR9KS3ZF), in 2018. The book sold over 50,000 copies (over three editions), and its premise, that social engineering is most companies' biggest cybersecurity threat, led me to work for my current employer, KnowBe4.
The CEO of KnowBe4, Stu Sjouwerman, was one of the first people to read my book and understood its value in not only recognizing the importance of fighting phishing and social engineering but also in creating an effective cybersecurity defense using data. In April 2018, Stu offered me a job and I accepted. I was delighted. Not only was I going to start working for a leading firm in security awareness training, which is one of the best ways to fight social engineering and phishing, but I was also going to be able to concentrate on helping customers fight the biggest weakness in their cybersecurity defense as my primary job. I was pretty elated and remain so to this day.
In the more than five years since, as KnowBe4's Data-Driven Defense Evangelist, I have given hundreds of in-person presentations and online webinars. You can see many of my webinars here: www.knowbe4.com/webinar-library. You can download and read many of my whitepapers here: www.knowbe4.com/security-awareness-whitepapers. And you can request that I do a presentation for your company here: www.knowbe4.com/security-awareness-training-advocates. You can see dozens of my presentations for free on YouTube. I speak about a lot of topics beyond social engineering, including multifactor authentication, quantum computing, ransomware, passwords, password managers, nation-state hacking, and cryptocurrencies, but most of my presentations include something about fighting social engineering and phishing even if that isn't the primary topic. I never miss a chance to educate listeners about the importance of focusing on preventing social engineering and phishing.
There is nothing else most organizations could do that would better reduce their existing cybersecurity risk than reducing social engineering and phishing threats. This book is the best advice for today's world to help you fight social engineering and phishing. I don't know of another source that has more coverage and suggestions. Not humbly, I think I can best teach anyone how to reduce their social engineering and phishing risk. I break down many of the necessary critical lessons and processes into the simplest recommendations and charts you'll see anywhere. I cover every policy, technical defense, and education best practice you should be following to best stop social engineering and phishing.
Do you want to know how to best reduce cybersecurity risk from social engineering and phishing? Read this book.
This book is for anyone interested in fighting social engineering and phishing attacks, from entire organizations to single individuals, from dedicated anti-phishing employees to IT managers, and for any IT security practitioner. Because the book contains large, distinct sections dedicated to policy and formal security awareness training programs, it can be argued that it is more appropriately focused on organizations, ranging in size from small businesses to the Fortune 500. But individuals and organizations of any size will benefit from learning the recommendations and best practices contained in this book. Many of the lessons in this book should be shared with friends and family, and many of them are universal. This is the book I wish I had read when I first got into the industry.
Fighting Phishing: Everything You Can Do to Fight Social Engineering and Phishing contains 17 chapters separated into 4 parts.