
Fighting Phishing

Everything You Can Do to Fight Social Engineering and Phishing

Roger A. Grimes

$46.95

Paperback


English
John Wiley & Sons Inc
15 February 2024
Keep valuable data safe from even the most sophisticated social engineering and phishing attacks

Fighting Phishing: Everything You Can Do To Fight Social Engineering and Phishing serves as the ideal defense against phishing for any reader, from large organizations to individuals. Unlike most anti-phishing books, which focus only on one or two strategies, this book discusses all the policies, education, and technical strategies that are essential to a complete phishing defense. This book gives clear instructions for deploying a great defense-in-depth strategy to defeat hackers and malware. Written by the lead data-driven defense evangelist at the world's number one anti-phishing company, KnowBe4, Inc., this guide shows you how to create an enduring, integrated cybersecurity culture.

- Learn what social engineering and phishing are, why they are so dangerous to your cybersecurity, and how to defend against them
- Educate yourself and other users on how to identify and avoid phishing scams, to stop attacks before they begin
- Discover the latest tools and strategies for locking down data when phishing has taken place, and stop breaches from spreading
- Develop technology and security policies that protect your organization against the most common types of social engineering and phishing

Anyone looking to defend themselves or their organization from phishing will appreciate the uncommonly comprehensive approach in Fighting Phishing.

By:   Roger A. Grimes
Imprint:   John Wiley & Sons Inc
Country of Publication:   United States
Dimensions:   Height: 229mm,  Width: 152mm,  Spine: 28mm
Weight:   476g
ISBN:   9781394249206
ISBN 10:   1394249209
Pages:   448
Publication Date:   15 February 2024
Audience:   General/trade ,  ELT Advanced
Format:   Paperback
Publisher's Status:   Active
Table of Contents

Introduction

Part I: Introduction to Social Engineering Security

Chapter 1: Introduction to Social Engineering and Phishing
    What Are Social Engineering and Phishing?
    How Prevalent Are Social Engineering and Phishing?

Chapter 2: Phishing Terminology and Examples
    Social Engineering; Phish; Well-Known Brands; Top Phishing Subjects; Stressor Statements; Malicious Downloads; Malware; Bots; Downloader; Account Takeover; Spam; Spear Phishing; Whaling; Page Hijacking; SEO Pharming; Calendar Phishing; Social Media Phishing; Romance Scams; Vishing; Pretexting; Open-Source Intelligence; Callback Phishing; Smishing; Business Email Compromise; Sextortion; Browser Attacks; Baiting; QR Phishing; Phishing Tools and Kits; Summary

Chapter 3: 3x3 Cybersecurity Control Pillars
    The Challenge of Cybersecurity; Compliance; Risk Management; Defense-In-Depth; 3x3 Cybersecurity Control Pillars; Summary

Part II: Policies

Chapter 4: Acceptable Use and General Cybersecurity Policies
    Acceptable Use Policy (AUP); General Cybersecurity Policy; Summary

Chapter 5: Anti-Phishing Policies
    The Importance of Anti-Phishing Policies; What to Include; Summary

Chapter 6: Creating a Corporate SAT Policy
    Getting Started with Your SAT Policy; Necessary SAT Policy Components; Example of Security Awareness Training Corporate Policy; Acme Security Awareness Training Policy: Version 2.1; Summary

Part III: Technical Defenses

Chapter 7: DMARC, SPF, and DKIM
    The Core Concepts; A US and Global Standard; Email Addresses; Sender Policy Framework (SPF); Domain Keys Identified Mail (DKIM); Domain-based Message Authentication, Reporting, and Conformance (DMARC); Configuring DMARC, SPF, and DKIM; Putting It All Together; DMARC Configuration Checking; How to Verify DMARC Checks; How to Use DMARC; What DMARC Doesn't Do; Other DMARC Resources; Summary

Chapter 8: Network and Server Defenses
    Defining Network; Network Isolation; Network-Level Phishing Attacks; Network- and Server-Level Defenses; Summary

Chapter 9: Endpoint Defenses
    Focusing on Endpoints; Anti-Spam and Anti-Phishing Filters; Anti-Malware; Patch Management; Browser Settings; Browser Notifications; Email Client Settings; Firewalls; Phishing-Resistant MFA; Password Managers; VPNs; Prevent Unauthorized External Domain Collaboration; DMARC; End Users Should Not Be Logged on as Admin; Change and Configuration Management; Mobile Device Management; Summary

Chapter 10: Advanced Defenses
    AI-Based Content Filters; Single-Sign-Ons; Application Control Programs; Red/Green Defenses; Email Server Checks; Proactive Doppelganger Searches; Honeypots and Canaries; Highlight New Email Addresses; Fighting USB Attacks; Phone-Based Testing; Physical Penetration Testing; Summary

Part IV: Creating a Great Security Awareness Program

Chapter 11: Security Awareness Training Overview
    What Is Security Awareness Training?; Goals of SAT; Senior Management Sponsorship; Absolutely Use Simulated Phishing Tests; Different Types of Training; Compliance; Localization; SAT Rhythm of the Business; Reporting/Results; Checklist; Summary

Chapter 12: How to Do Training Right
    Designing an Effective Security Awareness Training Program; Building/Selecting and Reviewing Training Content; Additional References; Summary

Chapter 13: Recognizing Rogue URLs
    How to Read a URL; Most Important URL Information; Rogue URL Tricks; Summary

Chapter 14: Fighting Spear Phishing
    Background; Spear Phishing Examples; How to Defend Against Spear Phishing; Summary

Chapter 15: Forensically Examining Emails
    Why Investigate?; Why You Should Not Investigate; How to Investigate; Examining Emails; Clicking on Links and Running Malware; Submit Links and File Attachments to AV; The Preponderance of Evidence; A Real-World Forensic Investigation Example; Summary

Chapter 16: Miscellaneous Hints and Tricks
    First-Time Firing Offense; Text-Only Email; Memory Issues; SAT Counselor; Annual SAT User Conference; Voice-Call Tests; Credential Searches; Dark Web Searches; Social Engineering Penetration Tests; Ransomware Recovery; Patch, Patch, Patch; CISA Cybersecurity Awareness Program; Passkeys; Avoid Controversial Simulated Phishing Subjects; Practice and Teach Mindfulness; Must Have Mindfulness Reading; Summary

Chapter 17: Improving Your Security Culture
    What Is a Security Culture?; Seven Dimensions of a Security Culture; Improving Security Culture; Other Resources; Summary

Conclusion
Acknowledgments
About the Author
Index

ROGER A. GRIMES has 35 years of experience in computer security and has authored 13 previous books on the topic. He is the Data-Driven Defense Evangelist at KnowBe4, a security awareness education company, and a senior computer security consultant and cybersecurity architect.
