eBook - ePub
Building an Information Security Awareness Program
Defending Against Social Engineering and Technical Threats
Bill Gardner, Valerie Thomas
This is a test
Buch teilen
- 214 Seiten
- English
- ePUB (handyfreundlich)
- Über iOS und Android verfügbar
eBook - ePub
Building an Information Security Awareness Program
Defending Against Social Engineering and Technical Threats
Bill Gardner, Valerie Thomas
Angaben zum Buch
Buchvorschau
Inhaltsverzeichnis
Quellenangaben
Über dieses Buch
The best defense against the increasing threat of social engineering attacks is Security Awareness Training to warn your organization's staff of the risk and educate them on how to protect your organization's data. Social engineering is not a new tactic, but Building an Security Awareness Program is the first book that shows you how to build a successful security awareness training program from the ground up.
Building an Security Awareness Program provides you with a sound technical basis for developing a new training program. The book also tells you the best ways to garner management support for implementing the program. Author Bill Gardner is one of the founding members of the Security Awareness Training Framework. Here, he walks you through the process of developing an engaging and successful training program for your organization that will help you and your staff defend your systems, networks, mobile devices, and data.
Forewords written by Dave Kennedy and Kevin Mitnick!
- The most practical guide to setting up a Security Awareness training program in your organization
- Real world examples show you how cyber criminals commit their crimes, and what you can do to keep you and your data safe
- Learn how to propose a new program to management, and what the benefits are to staff and your company
- Find out about various types of training, the best training cycle to use, metrics for success, and methods for building an engaging and successful program
Häufig gestellte Fragen
Wie kann ich mein Abo kündigen?
Gehe einfach zum Kontobereich in den Einstellungen und klicke auf „Abo kündigen“ – ganz einfach. Nachdem du gekündigt hast, bleibt deine Mitgliedschaft für den verbleibenden Abozeitraum, den du bereits bezahlt hast, aktiv. Mehr Informationen hier.
(Wie) Kann ich Bücher herunterladen?
Derzeit stehen all unsere auf Mobilgeräte reagierenden ePub-Bücher zum Download über die App zur Verfügung. Die meisten unserer PDFs stehen ebenfalls zum Download bereit; wir arbeiten daran, auch die übrigen PDFs zum Download anzubieten, bei denen dies aktuell noch nicht möglich ist. Weitere Informationen hier.
Welcher Unterschied besteht bei den Preisen zwischen den Aboplänen?
Mit beiden Aboplänen erhältst du vollen Zugang zur Bibliothek und allen Funktionen von Perlego. Die einzigen Unterschiede bestehen im Preis und dem Abozeitraum: Mit dem Jahresabo sparst du auf 12 Monate gerechnet im Vergleich zum Monatsabo rund 30 %.
Was ist Perlego?
Wir sind ein Online-Abodienst für Lehrbücher, bei dem du für weniger als den Preis eines einzelnen Buches pro Monat Zugang zu einer ganzen Online-Bibliothek erhältst. Mit über 1 Million Büchern zu über 1.000 verschiedenen Themen haben wir bestimmt alles, was du brauchst! Weitere Informationen hier.
Unterstützt Perlego Text-zu-Sprache?
Achte auf das Symbol zum Vorlesen in deinem nächsten Buch, um zu sehen, ob du es dir auch anhören kannst. Bei diesem Tool wird dir Text laut vorgelesen, wobei der Text beim Vorlesen auch grafisch hervorgehoben wird. Du kannst das Vorlesen jederzeit anhalten, beschleunigen und verlangsamen. Weitere Informationen hier.
Ist Building an Information Security Awareness Program als Online-PDF/ePub verfügbar?
Ja, du hast Zugang zu Building an Information Security Awareness Program von Bill Gardner, Valerie Thomas im PDF- und/oder ePub-Format sowie zu anderen beliebten Büchern aus Informatica & Sicurezza informatica. Aus unserem Katalog stehen dir über 1 Million Bücher zur Verfügung.
Information
Thema
InformaticaChapter 1
What Is a Security Awareness Program?
Bill Gardner Marshall University, Huntington, WV, USA
Abstract
Not all attacks are technical. Now that we have built technical defenses around our networks, social engineering is used in the majority of recent breaches. The only defense against social engineering is an engaging security awareness program. A security awareness program helps with the development and enforcement of policies while at the same time helping to set the limits of what is acceptable and what is not acceptable behavior by the users of an organization's computer and telecommunication services. A security awareness program helps to limit risks of breaches to an organization's sensitive and confidential data. A security awareness program is defined as a formal program with the goal of training users of potential threats to an organization's information and how to avoid situations that might put the organization's data at risk.
Keywords
Security
Awareness
Policy
Policy development
Policy enforcement
Cost savings
Production increases
Formal program
Introduction
A security awareness program is a formal program with the goal of training users of the potential threats to an organization's information and how to avoid situations that might put the organization's data at risk.
The goals of the security awareness program are to lower the organization's attack surface, to empower users to take personal responsibility for protecting the organization's information, and to enforce the policies and procedures the organization has in place to protect its data. Policies and procedures might include but are not limited to computer use policies, Internet use policies, remote access policies, and other policies that aim to govern and protect the organization's data.
In information security, people are the weakest link. People want to be helpful. People want to do a good job. People want to give good customer service to their coworkers, clients, and vendors. People are curious. Social engineers seek to exploit these characteristics in humans. “Social Engineering is defined as the process of deceiving people into giving away access or confidential information” [1]. The only known defense for social engineering attacks is an effective security awareness program. Unless users understand the tactics and techniques of social engineers, they will fall prey and put the organization's data at risk.
A survey of recent breaches will reveal that a large majority of them took advantage of exploiting humans. One example is the RSA breach [2] where sophisticated attackers used targeted spear phishing to steal RSA SecurID authentication tokens that lead to a further breach at US defense contractor Lockheed Martin [3]. Another example is the “Aurora” attack against Google and other large software companies that used an attack that sent users to a website that infected users with a cutting-edge 0day exploit. The result was that a large amount of intellectual property including source code was stolen from companies including Google and Adobe [4].
Nowadays, online bad guys don't try to break in through the firewall. Bad guys go around the firewall. Organizations have spent billions of dollars developing layered defenses against online attackers. There are solutions such as antivirus, intrusion detection systems, intrusion prevention systems, and other technical solutions to protect information. With these sophisticated solutions in place, attackers are now turning to more targeted attacks focused on tricking users into clicking links or opening attachments.
Dave Kennedy's Social-Engineer Toolkit does an excellent job of modeling social engineer attacks such as website, attachment, human interface device (HID), and QR attacks for defenders to use to test their own environments [5]. This might sound simplistic, but what would most users do if they received an attachment that appears to come from the HR department that appears to be a spreadsheet of raises for everyone in the organization (Figure 1.1)? Curiosity might not just kill the cat; it might also put your data at risk.
Figure 1.1 Social-Engineer Toolkit (SET).
While SET is a technical tool, its goal is to use nontechnical means to exploit humans who in turn exploit computers, which leads to data compromise [6]. SET can easily clone a website to an attacker's machine where exploits are then inserted into the website. At that point, the attacker will attempt to direct users to the cloned site. This might be accomplished by spear phishing, sending the user linked disguised by a link-shortening service or buying a domain to host the cloned site that looks legitimate. Once the user is on the cloned site, the attacker can use a number of different attack vectors to steal information or install backdoors to allow the attack to access the system as if the attacker was a legitimate user. SET also has the ability to encode these attacks, so they are not detected by antivirus and other software used to detect malware and intrusions. The credential harvester attack is accomplished through SET by cloning a site like Twitter, Facebook, or even a bank or credit card site with a username and password file. When the user attempts to log into the site, SET steals the username and password and logs the user into the legitimate website. We will discuss SET in more detail later in the book.
A security awareness program also is a building block of a mature security program. Policies and procedures are the first building blocks. The next layer is a security awareness program, also called user awareness training. Only when these two elements are in place do we then move to the next steps of patch management, log management, antivirus/HIDS, security appliances, and finally metrics. For years, organizations have thrown money at security, when that money would have been better spent training their users (Figure 1.2). The focus of this book is building a security awareness program step by step with the ultimate goal of building a mature security program.
Figure 1.2 Elements of a mature security program.
Policy Development
Policy development sets the goals, limitations, and expectations of the organization's users. Depending on the size of the organization, these policies can be a number of documents addressing specific divisions of the organization's IT and HR structure, or it might in the case of smaller organizations be one single document that outlines the limitations and duties of those who use the organization's telephone, computer, e-mail, and other digital assets.
The most common policy is the computer use policy. Other separate policies that can be addressed in a separate document are e-mail usage, Internet usage, telephone usage, and fax usage. Computer use, also sometimes called acceptable use policy, defines the user's level of access to computer and telecommunication resources and their rights and limitation as to the use of those resources. The biggest goal of the acceptable use is to define where use ends and abuse begins. For example, it would be deemed an abuse in most organizations if user spends work time accessing porn and gambling sites. It would also be considered abuse if employees use phone and e-mail services for excessive personal communication during the workday. Most organizations understand that some personal use is necessary and the acceptable use policy to define what constitutes what is acceptable and what is not acceptable use of the organization's equipment and services.
Some organizations' usage policies are based on the template found on the Internet [7]. While these sorts of templates are useful, it is important to remember that they need to be customized to define the needs and missions of your organization.
The organization's human resources department also needs to be involved. In many cases, specific portions of the policies will have penalties that will be enforced by HR. In most cases, policies and procedure will have to be developed with regulations in mind. Those organizations that handle health data are likely to be covered by HIPAA/HITECH. Organizations that handle credit card transactions are likely to be covered by PCI DSS. Specifically, the HIPAA/HITECH physical standards of the security rule address issues including workstation use, 164.310(b); workstation security, 164.310(c); and device and media controls, 164.310(d)(1). HIPAA/HITECH also calls for punishing those who don't follow policies under the administrative standards of the security rule, specifically authorizations and/or supervision, workforce clearance procedure, and termination procedures, 164.308(a)(3).
Policy Enforcement
Policy without enforcement is a waste of time and a detriment to the organization. One of the goals of an effective security awareness program is to enforce policies by educating users on what the policies and the organization's expectations are.
There is nothing more useless than an unenforced policy. Many organizations spend a lot of time developing policies. Many times, these policies end up in a binder on a shelf in someone's office.
Giving copies of the acceptable use and other policies to the users is a good first step, but most of the time, the users will not spend the time to read the information. A security awareness program should be used to review these policies, especially the policies that apply to the use, abuse, and penalties for the abuse of the organization's communication and information technology infrastructure.
The goal of this book is to illustrate how to build an effective security awareness program from getting management buy-in to measuring the program using effective metrics. It is also written for anyone from a managerial level to the IT manager on the digital frontlines with an interest in starting a...