Building an Information Security Awareness Program
Defending Against Social Engineering and Technical Threats
1st Edition - August 7, 2014
Authors: Bill Gardner, Valerie Thomas
Language: English
Paperback ISBN:9780124199675
eBook ISBN:9780124199811
The best defense against the increasing threat of social engineering attacks is Security Awareness Training to warn your organization's staff of the risk and educate them on how to protect your organization's data. Social engineering is not a new tactic, but Building a Security Awareness Program is the first book that shows you how to build a successful security awareness training program from the ground up.
Building a Security Awareness Program provides you with a sound technical basis for developing a new training program. The book also tells you the best ways to garner management support for implementing the program. Author Bill Gardner is one of the founding members of the Security Awareness Training Framework. Here, he walks you through the process of developing an engaging and successful training program for your organization that will help you and your staff defend your systems, networks, mobile devices, and data.
Forewords written by Dave Kennedy and Kevin Mitnick!
The most practical guide to setting up a Security Awareness training program in your organization
Real world examples show you how cyber criminals commit their crimes, and what you can do to keep you and your data safe
Learn how to propose a new program to management, and what the benefits are to staff and your company
Find out about various types of training, the best training cycle to use, metrics for success, and methods for building an engaging and successful program
Information security practitioners and an academic audience of information security majors; also IT managers looking to implement Security Awareness training in their organizations
Dedications
Forewords
Preface
About the Authors
Acknowledgments
Chapter 1: What Is a Security Awareness Program?
Abstract
Introduction
Policy Development
Policy Enforcement
Cost Savings
Production Increases
Management Buy-In
Chapter 2: Threat
Abstract
The Motivations of Online Attackers
Money
Industrial Espionage/Trade Secrets
Hacktivism
Cyber War
Bragging Rights
Chapter 3: Cost of a Data Breach
Abstract
Ponemon Institute
HIPAA
The Payment Card Industry Data Security Standard (PCI DSS)
State Breach Notification Laws
Chapter 4: Most Attacks Are Targeted
Abstract
Targeted Attacks
Recent Targeted Attacks
Targeted Attacks Against Law Firms
Operation Shady RAT
Operation Aurora
Night Dragon
Watering Hole Attacks
Common Attack Vectors: Common Results
Chapter 5: Who Is Responsible for Security?
Abstract
Information Technology (IT) Staff
The Security Team
The Receptionist
The CEO
Accounting
The Mailroom/Copy Center
The Runner/Courier
Everyone Is Responsible For Security
Chapter 6: Why Current Programs Don't Work
Abstract
The Lecture is Dead as a Teaching Tool
Chapter 7: Social Engineering
Abstract
What is Social Engineering?
Who are Social Engineers?
Why Does It Work?
How Does It Work?
Information Gathering
Attack Planning and Execution
The Social Engineering Defensive Framework (SEDF)
Where Can I Learn More About Social Engineering?
Chapter 8: Physical Security
Abstract
What is Physical Security?
Physical Security Layers
Threats to Physical Security
Why Physical Security is Important to an Awareness Program
How Physical Attacks Work
Minimizing the Risk of Physical Attacks
Chapter 9: Types of Training
Abstract
Training Types
Formal Training
Informal Training
Chapter 10: The Training Cycle
Abstract
The Training Cycle
New Hire
Quarterly
Biannual
Continual
Point of Failure
Targeted Training
Sample Training Cycles
Adjusting Your Training Cycle
Chapter 11: Creating Simulated Phishing Attacks
Abstract
Simulated Phishing Attacks
Understanding the Human Element
Methodology
Open-Source Tool, Commercial Tool, or Vendor Performed?
Before You Begin
Determine Attack Objective
Select Recipients
Select a Type of Phishing Attack
Composing the E-mail
Creating the Landing Page
Sending the E-mail
Tracking Results
Post Assessment Follow-up
Chapter 12: Bringing It All Together
Abstract
Create a Security Awareness Website
Sample Plans
Promoting Your Awareness Program
Chapter 13: Measuring Effectiveness
Abstract
Measuring Effectiveness
Measurements vs. Metrics
Creating Metrics
Additional Measurements
Reporting Metrics
Chapter 14: Stories from the Front Lines
Abstract
Phil Grimes
Amanda Berlin
Jimmy Vo
Security Research at Large Information Security Company
Harry Regan
Tess Schrodinger
Security Analyst at a Network Security Company
Ernie Hayden
Appendices
Appendix A: Government Resources
Appendix B: Security Awareness Tips
Appendix C: Sample Policies
Appendix D: Commercial Security Awareness Training Resources
Appendix E: Other Web Resources and Links
Security Awareness Posters
Appendix F: Technical Tools That Can Be Used to Test Security Awareness Programs
Appendix G: The Security Awareness Training Framework
Appendix H: Building A Security Awareness Training Program Outline
Appendix I: State Security Breach Notification Laws
Appendix J: West Virginia State Breach Notification Laws, W.V. Code §§ 46A-2A-101 et seq
Appendix K: HIPAA Breach Notification Rule
Notification by a Business Associate
Federal Trade Commission (FTC) Health Breach Notification Rule
Appendix L: Complying with the FTC Health Breach Notification Rule
Who's Covered by the Health Breach Notification Rule
You're Not a Vendor of Personal Health Records If You're Covered by HIPAA
Third-Party Service Provider
What Triggers the Notification Requirement
What to do If a Breach Occurs
Who You Must Notify and When You Must Notify Them
How to Notify People
What Information to Include
Answers to Questions About the Health Breach Notification Rule
We're a HIPAA Business Associate, But We Also Offer Personal Health Record Services to the Public. Which Rule Applies to Us?
What's the Penalty for Violating the FTC Health Breach Notification Rule?
Law Enforcement Officials Have Asked Us to Delay Notifying People About the Breach. What Should We Do?
Where Can I Learn More About the FTC Health Breach Notification Rule? Visit www.ftc.gov/healthbreach.
Your Opportunity to Comment
Appendix L: Information Security Conferences
Appendix M: Recorded Presentations on How to Build an Information Security Awareness Program
Appendix N: Articles on How to Build an Information Security Awareness Program
Index
No. of pages: 214
Edition: 1
Published: August 7, 2014
Imprint: Syngress
Bill Gardner
Bill Gardner is an Assistant Professor at Marshall University, where he teaches information security and foundational technology courses in the Department of Integrated Science and Technology. He is also President and Principal Security Consultant at BlackRock Consulting. In addition, Bill is Vice President and Information Security Chair at the Appalachian Institute of Digital Evidence. AIDE is a non-profit organization that provides research and training for digital evidence professionals including attorneys, judges, law enforcement officers and information security practitioners in the private sector. Prior to joining the faculty at Marshall, Bill co-founded the Hack3rCon convention, and co-founded 304blogs, and he continues to serve as Vice President of 304Geeks. In addition, Bill is a founding member of the Security Awareness Training Framework, which will be a prime target audience for this book.
Affiliations and expertise
Bill Gardner OSCP, i-Net+, Security+, Asst. Prof. at Marshall University
Valerie Thomas
Valerie Thomas is a Senior Information Security Consultant for Securicon LLC that specializes in social engineering and physical penetration testing. After obtaining her bachelor's degree in Electronic Engineering, Valerie led information security assessments for the Defense Information Systems Agency (DISA) before joining private industry. Her skill set also includes intrusion detection, endpoint protection, data loss prevention, and mobile security. Throughout her career, Valerie has conducted penetration tests, vulnerability assessments, compliance audits, and technical security training for executives, developers, and other security professionals.
Affiliations and expertise
Valerie Thomas C|EH, Security+, Senior Security Consultant, Securicon LLC