Security Awareness For Dummies
eBook - ePub

Security Awareness For Dummies

  1. English
  2. ePUB (mobile friendly)
  3. Available on iOS & Android
eBook - ePub

Security Awareness For Dummies

About this book

Make security a priority on your team

Every organization needs astrongsecurity program. One recent study estimated that a hacker attack occurs somewhere every 37 seconds. Since security programs are only as effective as a team's willingness to follow their rules and protocols, it'sincreasingly necessarytohave not just awidely accessible gold standard of security, but alsoa practical plan for rolling it outand getting others on board with following it. Security AwarenessForDummies gives you the blueprint for implementing this sort of holistic and hyper-secureprograminyour organization.

Written by one of the world's most influential security professionals—and an Information Systems Security Association Hall of Famer—this pragmatic andeasy-to-followbook provides a frameworkfor creatingnew and highly effective awareness programs fromscratch, as well assteps to taketoimprove on existingones. It also covershow to measure andevaluate the successofyourprogramandhighlightits valueto management.

  • Customize and create your own program
  • Make employees aware of the importance of security
  • Develop metrics for success
  • Follow industry-specific sample programs

Cyberattacks aren't going away anytime soon: get this smart, friendly guideon how to get a workgroup on board with their role in securityand save your organization big moneyin the long run.

Frequently asked questions

Yes, you can cancel anytime from the Subscription tab in your account settings on the Perlego website. Your subscription will stay active until the end of your current billing period. Learn how to cancel your subscription.
At the moment all of our mobile-responsive ePub books are available to download via the app. Most of our PDFs are also available to download and we're working on making the final remaining ones downloadable now. Learn more here.
Perlego offers two plans: Essential and Complete
  • Essential is ideal for learners and professionals who enjoy exploring a wide range of subjects. Access the Essential Library with 800,000+ trusted titles and best-sellers across business, personal growth, and the humanities. Includes unlimited reading time and Standard Read Aloud voice.
  • Complete: Perfect for advanced learners and researchers needing full, unrestricted access. Unlock 1.4M+ books across hundreds of subjects, including academic and specialized titles. The Complete Plan also includes advanced features like Premium Read Aloud and Research Assistant.
Both plans are available with monthly, semester, or annual billing cycles.
We are an online textbook subscription service, where you can get access to an entire online library for less than the price of a single book per month. With over 1 million books across 1000+ topics, we’ve got you covered! Learn more here.
Look out for the read-aloud symbol on your next book to see if you can listen to it. The read-aloud tool reads text aloud for you, highlighting the text as it is being read. You can pause it, speed it up and slow it down. Learn more here.
Yes! You can use the Perlego app on both iOS or Android devices to read anytime, anywhere — even offline. Perfect for commutes or when you’re on the go.
Please note we cannot support devices running on iOS 13 and Android 7 or earlier. Learn more about using the app.
Yes, you can access Security Awareness For Dummies by Ira Winkler in PDF and/or ePUB format, as well as other popular books in Computer Science & Cyber Security. We have over one million books available in our catalogue for you to explore.

Information

Publisher
For Dummies
Year
2022
Print ISBN
9781119720928
eBook ISBN
9781119720942
Edition
1
Topic
Computer Science
Subtopic
Cyber Security
Index
Computer Science
Part 1

Getting to Know Security Awareness

IN THIS PART …
See what makes security awareness work.
Avoid the pitfalls that cause security awareness programs to fail.
Get the most from what science shows about human behavior.
Chapter 1

Knowing How Security Awareness Programs Work

IN THIS CHAPTER
Bullet
Recognizing the importance of security awareness
Bullet
Working with a security awareness program
Bullet
Knowing where awareness fits within a security program
Bullet
Getting why the so-called “human firewall” doesn’t work
A successful security awareness program motivates people to behave according to defined practices that decrease risk. Creating a program that successfully changes behavior throughout an organization involves more than simply communicating a bunch of facts about security awareness. Just because people are aware of a problem doesn’t mean they will act on their awareness. In other words, awareness doesn’t guarantee action. (Everyone knows that fast food isn’t the healthiest choice, but most people still eat it.) This chapter sets the foundation for understanding the issues and the solutions.

Understanding the Benefits of Security Awareness

The thinking behind security awareness is that if people are aware of a problem, they’re less likely to contribute to the problem — and more likely to respond appropriately when they encounter it.
Users who are aware don’t pick up USB drives on the street and insert them into their work computers. They’re aware of their surroundings and ensure that nobody is looking over their shoulders while they’re working. They don’t connect to insecure Wi-Fi networks. They’re less likely to fall victim to phishing attacks. Essentially, users who are aware don’t initiate losses for their organizations.
Organizations typically create security awareness programs to ensure that their employees, or users, are aware of cybersecurity problems that are already known to the organization. Phishing messages, which I cover in the next section, represent the most prolific attack against users.

Reducing losses from phishing attacks

Phishing attacks are common enough these days that many people are already familiar with the term. A working definition is “an email message that intends to trick a user into taking an action that is against the user’s interests.” A phishing awareness program would ideally train people to properly determine how to handle incoming emails in a way that reduces the likelihood of loss. For example, if a message asks for the disclosure of information, the ideal situation is that a user knows what information they can disclose and to whom while also determining whether the sender is valid. Chapter 6 discusses this topic in more detail.
To appreciate the losses that a phishing attack can cause, consider these prominent attacks:
  • Sony: The infamous 2014 Sony hack, which was reportedly perpetrated by North Korea, began with a phishing attack. The hack resulted in the leak of information about movies, the movies themselves, and embarrassing emails. Sony reported costs of the hack to be $35 million.
  • Target: The 2013 Target hack, which compromised more than 110 million credit card numbers and consumer records, began with a phishing attack of a Target vendor. Target reported the resulting costs to be $162 million.
  • OPM: The attack on the Office of Personnel Management (OPM), discovered in 2014, which compromised the security clearance files of 20 million US government employees and contractors, began with a phishing attack against a government contractor. The costs and losses are immeasurable because this attack is considered a major intelligence success for China, the perpetrator of the attack named by the US government.
  • Colonial Pipeline: The Colonial Pipeline ransomware attack in 2021 began with a phishing message that captured user credentials and allowed the criminals to establish a sustained presence on the network. This allowed the criminals to find the most critical systems and eventually install the ransomware, which caused Colonial Pipeline to shut down the pipeline, halting a primary oil delivery to the US east coast. Colonial Pipeline paid the criminals approximately $4.4 million, but the actual costs resulting from the shutdown were tens of millions of dollars to Colonial Pipeline and an incalculable cost to the economy.
Technical stuff
The Verizon Enterprises Solutions’ Data Breach Investigations Report, commonly referred to as the DBIR, is one of the most often cited studies in the cybersecurity field. The report, which is produced annually, is drawn from data collected directly by Verizon’s managed security service. The DBIR, considered a reliable overview of real-life attacks against organizations around the world, indicates that more than a whopping 85 percent of all major attacks begin by targeting users. You can access the report at www.verizon.com/business/resources/reports/dbir.

Reducing losses by reducing risk

Just as people get themselves into automobile accidents despite advances in automobile safety, even reasonably aware users may fall victim to cybersecurity attacks. All cybersecurity countermeasures will eventually fail. Countermeasures include encryption, passwords, antivirus software, multifactor authentication, and more. Perfect security doesn’t exist. Your goal in establishing a security awareness program is to reduce risk by influencing user actions.
Remember
Don’t expect users to be perfect — risk reduction isn’t about eliminating risk altogether, which is impossible. Expect your security awareness program to reduce the number and severity of incidents, thereby reducing losses from the incidents.
Also, a more aware user knows when something seems wrong and knows how to react to it. If your users sense that they might have been compromised, they start taking actions to mitigate the loss. If they accidentally email sensitive data to the wrong person, they try to stop the message or have it deleted. If they end up on a malicious website that starts serving adware, they disconnect before additional damage can occur. They know how to properly report any and all potential incidents, so your organization can begin to stop any loss or damage in progress. In the worst case, at least they can launch an investigation after the fact to find out what happened.
In the ideal situation, even when a user takes no potentially harmful action, they report the situation to the appropriate party. They report details such as whether someone tried to follow them through a door, even if they turn the person away, because they know that the person might attempt to enter through another door or follow someone else through the door. If someone detects a phishing message, they don’t click on it — instead, they report the message because they realize that other, less aware users may click on it, and then the administrators can delete the message before that happens.
As you can see, awareness requires more than knowing what to be afraid of — you also have to know how to do things correctly. Too many awareness programs focus on teaching users what to be afraid of rather than on establishing policies and procedures for how to perform functions correctly, and in a way that doesn’t result in loss.
Remember
The goal for awareness is for users to behave according to policies and procedures. Part of the function of an awareness program is making users aware that bad guys exist and that those bad guys will attempt to do bad things. But awareness programs primarily focus on making people aware of how to behave according to procedures in potentially risky situations.

Grasping how users initiate loss

At a cybersecurity conference where I spoke, I was in a buffet line at lunchtime. At one table that the line passed, I saw some stickers that said, Don’t Click On Sh*t! The person in front of me was an administrator, and he grabbed a handful of stickers while saying, “I need a lot of these to give to my users.” I then replied, “You must give your users a lot of ‘sh*t’ to click on.”
The guy was confused and asked what I meant. I replied that the users would have no items to avoid clicking on if the systems he supported didn’t pass the messages to the users. I then added that if he knows users will click on problematic items, he should be taking active measures to stop the inevitable damage. He was confused, but of course kept the stickers.
Tip
For more information on user-initiated loss, find a copy of my book, written with Dr. Tracy Celaya Brown, You Can Stop Stupid: Stopping Losses from Accidental and Malicious Actions (Wiley, 2021).
Users can cause only the amount of damage they’re put in the position to cause — and then allowed to carry out. However, even after they make a potentially damaging mistake, or even if they’re blatantly malicious, it doesn’t mean that the system should allow the loss to be realized.
For example, a user can click on a phishing message only if the antiphishing technology used by your organization fails to filter the message. If the user clicks on a phishing message and ransomware is activated, the ransomware can destroy the system only if the user has permission to install software on the system — and then in almost all cases, you have no standard antimalware on the system.
Remember
User error is a symptom of the problems with your system. Even if a user makes a mistake, or is even malicious, the resulting loss is a problem with the system providing users with potential actions and then enabling the loss.
In essence, users may initiate a chain of actions that create the loss, but the loss is a result of failings in the system as a whole.

Knowing How Security Awareness Programs Work

Unfortu...

Table of contents

  1. Cover
  2. Title Page
  3. Table of Contents
  4. Introduction
  5. Part 1: Getting to Know Security Awareness
  6. Part 2: Building a Security Awareness Program
  7. Part 3: Putting Your Security Awareness Program Into Action
  8. Part 4: The Part of Tens
  9. Appendix: Sample Questionnaire
  10. Index
  11. About the Author
  12. Advertisement Page
  13. Connect with Dummies
  14. End User License Agreement