29.65 €*
Free shipping by post / DHL
Delivery time 1-2 weeks
A complete approach to defending yourself and your organization against phishing
Social engineering and phishing are involved in up to 90% of all successful hacker and malware attacks, making them by far the most common strategies. They are also the most dangerous, because they take advantage of the human element, manipulating individuals into willingly providing sensitive data like passwords. Fighting Phishing is about how you can better protect against these ever-evolving threats.
When it comes to stopping phishing, education is key, and inside you'll find detailed descriptions of how these attacks take place, along with valuable information on how to recognize them and take appropriate action before your systems are breached. However, for a comprehensive, defense-in-depth strategy, you will need to implement policies and technical defenses as well. This book is all about combining these elements to create a rock-solid anti-phishing posture.
Written by senior cybersecurity architect and defense evangelist Roger Grimes, this book draws on decades of expertise, as well as a thorough understanding of the newest scams, and the tools needed to stop them. As a leading media commentator, Grimes is well respected for his ability to clearly explain cybersecurity concepts and help organizations implement technical defenses. Inside, he offers wisdom that no one with an interest in cybersecurity can afford to ignore.
ROGER A. GRIMES has 35 years of experience in computer security and has authored 13 previous books on the topic. He is the Data-Driven Defense Evangelist at KnowBe4, a security awareness education company, and a senior computer security consultant and cybersecurity architect.
Introduction xiii
Part I Introduction to Social Engineering Security 1
Chapter 1 Introduction to Social Engineering and Phishing 3
What Are Social Engineering and Phishing? 3
How Prevalent Are Social Engineering and Phishing? 8
Chapter 2 Phishing Terminology and Examples 23
Social Engineering 23
Phish 24
Well-Known Brands 25
Top Phishing Subjects 26
Stressor Statements 27
Malicious Downloads 30
Malware 31
Bots 31
Downloader 32
Account Takeover 32
Spam 33
Spear Phishing 34
Whaling 35
Page Hijacking 35
SEO Pharming 36
Calendar Phishing 38
Social Media Phishing 40
Romance Scams 41
Vishing 44
Pretexting 46
Open-Source Intelligence 47
Callback Phishing 47
Smishing 49
Business Email Compromise 51
Sextortion 53
Browser Attacks 53
Baiting 56
QR Phishing 56
Phishing Tools and Kits 57
Summary 59
Chapter 3 3x3 Cybersecurity Control Pillars 61
The Challenge of Cybersecurity 61
Compliance 62
Risk Management 65
Defense-In-Depth 68
3x3 Cybersecurity Control Pillars 70
Summary 72
Part II Policies 73
Chapter 4 Acceptable Use and General Cybersecurity Policies 75
Acceptable Use Policy (AUP) 75
General Cybersecurity Policy 79
Summary 88
Chapter 5 Anti-Phishing Policies 89
The Importance of Anti-Phishing Policies 89
What to Include 90
Summary 109
Chapter 6 Creating a Corporate SAT Policy 111
Getting Started with Your SAT Policy 112
Necessary SAT Policy Components 112
Example of Security Awareness Training Corporate Policy 128
Acme Security Awareness Training Policy: Version 2.1 128
Summary 142
Part III Technical Defenses 145
Chapter 7 DMARC, SPF, and DKIM 147
The Core Concepts 147
A US and Global Standard 149
Email Addresses 151
Sender Policy Framework (SPF) 159
DomainKeys Identified Mail (DKIM) 165
Domain-based Message Authentication, Reporting, and Conformance (DMARC) 169
Configuring DMARC, SPF, and DKIM 174
Putting It All Together 175
DMARC Configuration Checking 176
How to Verify DMARC Checks 177
How to Use DMARC 179
What DMARC Doesn't Do 180
Other DMARC Resources 181
Summary 182
Chapter 8 Network and Server Defenses 185
Defining Network 186
Network Isolation 187
Network-Level Phishing Attacks 187
Network- and Server-Level Defenses 190
Summary 214
Chapter 9 Endpoint Defenses 217
Focusing on Endpoints 217
Anti-Spam and Anti-Phishing Filters 218
Anti-Malware 218
Patch Management 218
Browser Settings 219
Browser Notifications 223
Email Client Settings 225
Firewalls 227
Phishing-Resistant MFA 227
Password Managers 228
VPNs 230
Prevent Unauthorized External Domain Collaboration 231
DMARC 231
End Users Should Not Be Logged on as Admin 232
Change and Configuration Management 232
Mobile Device Management 233
Summary 233
Chapter 10 Advanced Defenses 235
AI-Based Content Filters 235
Single-Sign-Ons 237
Application Control Programs 237
Red/Green Defenses 238
Email Server Checks 242
Proactive Doppelganger Searches 243
Honeypots and Canaries 244
Highlight New Email Addresses 246
Fighting USB Attacks 247
Phone-Based Testing 249
Physical Penetration Testing 249
Summary 250
Part IV Creating a Great Security Awareness Program 251
Chapter 11 Security Awareness Training Overview 253
What Is Security Awareness Training? 253
Goals of SAT 256
Senior Management Sponsorship 260
Absolutely Use Simulated Phishing Tests 260
Different Types of Training 261
Compliance 274
Localization 274
SAT Rhythm of the Business 275
Reporting/Results 277
Checklist 277
Summary 278
Chapter 12 How to Do Training Right 279
Designing an Effective Security Awareness Training Program 280
Building/Selecting and Reviewing Training Content 295
Additional References 303
Summary 304
Chapter 13 Recognizing Rogue URLs 305
How to Read a URL 305
Most Important URL Information 313
Rogue URL Tricks 315
Summary 334
Chapter 14 Fighting Spear Phishing 335
Background 335
Spear Phishing Examples 337
How to Defend Against Spear Phishing 345
Summary 347
Chapter 15 Forensically Examining Emails 349
Why Investigate? 349
Why You Should Not Investigate 350
How to Investigate 351
Examining Emails 352
Clicking on Links and Running Malware 373
Submit Links and File Attachments to AV 374
The Preponderance of Evidence 375
A Real-World Forensic Investigation Example 376
Summary 378
Chapter 16 Miscellaneous Hints and Tricks 379
First-Time Firing Offense 379
Text-Only Email 381
Memory Issues 382
SAT Counselor 383
Annual SAT User Conference 384
Voice-Call Tests 385
Credential Searches 385
Dark Web Searches 386
Social Engineering Penetration Tests 386
Ransomware Recovery 387
Patch, Patch, Patch 387
CISA Cybersecurity Awareness Program 388
Passkeys 388
Avoid Controversial Simulated Phishing Subjects 389
Practice and Teach Mindfulness 392
Must Have Mindfulness Reading 393
Summary 393
Chapter 17 Improving Your Security Culture 395
What Is a Security Culture? 396
Seven Dimensions of a Security Culture 397
Improving Security Culture 401
Other Resources 404
Summary 404
Conclusion 405
Acknowledgments 407
About the Author 411
Index 413
Year of publication: | 2024 |
---|---|
Subject area: | Data communication, networks & mailboxes |
Genre: | Computer science |
Category: | Science & technology |
Medium: | Paperback |
ISBN-13: | 9781394249206 |
ISBN-10: | 1394249209 |
Language: | English |
Binding: | Paperback / softcover |
Author: | Grimes, Roger A. |
Publisher: | John Wiley & Sons Inc |
Dimensions: | 228 x 152 x 27 mm |
By: | Roger A. Grimes |
Publication date: | 15 February 2024 |
Weight: | 0.644 kg |