Fr. 39.50
Roger A. Grimes
Fighting Phishing - Everything You Can Do to Fight Social Engineering and Phishing
English · Paperback / Softback
Shipping usually within 1 to 3 working days
Description
Keep valuable data safe from even the most sophisticated social engineering and phishing attacks
Fighting Phishing: Everything You Can Do To Fight Social Engineering and Phishing serves as the ideal defense against phishing for any reader, from large organizations to individuals. Unlike most anti-phishing books, which focus only on one or two strategies, this book discusses all the policies, education, and technical strategies that are essential to a complete phishing defense. This book gives clear instructions for deploying a great defense-in-depth strategy to defeat hackers and malware. Written by the lead data-driven defense evangelist at the world's number one anti-phishing company, KnowBe4, Inc., this guide shows you how to create an enduring, integrated cybersecurity culture.
* Learn what social engineering and phishing are, why they are so dangerous to your cybersecurity, and how to defend against them
* Educate yourself and other users on how to identify and avoid phishing scams, to stop attacks before they begin
* Discover the latest tools and strategies for locking down data when phishing has taken place, and stop breaches from spreading
* Develop technology and security policies that protect your organization against the most common types of social engineering and phishing
Anyone looking to defend themselves or their organization from phishing will appreciate the uncommonly comprehensive approach in Fighting Phishing.
List of contents
Introduction xiii
Part I Introduction to Social Engineering Security 1
Chapter 1 Introduction to Social Engineering and Phishing 3
What Are Social Engineering and Phishing? 3
How Prevalent Are Social Engineering and Phishing? 8
Chapter 2 Phishing Terminology and Examples 23
Social Engineering 23
Phish 24
Well-Known Brands 25
Top Phishing Subjects 26
Stressor Statements 27
Malicious Downloads 30
Malware 31
Bots 31
Downloader 32
Account Takeover 32
Spam 33
Spear Phishing 34
Whaling 35
Page Hijacking 35
SEO Pharming 36
Calendar Phishing 38
Social Media Phishing 40
Romance Scams 41
Vishing 44
Pretexting 46
Open-Source Intelligence 47
Callback Phishing 47
Smishing 49
Business Email Compromise 51
Sextortion 53
Browser Attacks 53
Baiting 56
QR Phishing 56
Phishing Tools and Kits 57
Summary 59
Chapter 3 3x3 Cybersecurity Control Pillars 61
The Challenge of Cybersecurity 61
Compliance 62
Risk Management 65
Defense-In-Depth 68
3x3 Cybersecurity Control Pillars 70
Summary 72
Part II Policies 73
Chapter 4 Acceptable Use and General Cybersecurity Policies 75
Acceptable Use Policy (AUP) 75
General Cybersecurity Policy 79
Summary 88
Chapter 5 Anti-Phishing Policies 89
The Importance of Anti-Phishing Policies 89
What to Include 90
Summary 109
Chapter 6 Creating a Corporate SAT Policy 111
Getting Started with Your SAT Policy 112
Necessary SAT Policy Components 112
Example of Security Awareness Training Corporate Policy 128
Acme Security Awareness Training Policy: Version 2.1 128
Summary 142
Part III Technical Defenses 145
Chapter 7 DMARC, SPF, and DKIM 147
The Core Concepts 147
A US and Global Standard 149
Email Addresses 151
Sender Policy Framework (SPF) 159
Domain Keys Identified Mail (DKIM) 165
Domain-based Message Authentication, Reporting, and Conformance (DMARC) 169
Configuring DMARC, SPF, and DKIM 174
Putting It All Together 175
DMARC Configuration Checking 176
How to Verify DMARC Checks 177
How to Use DMARC 179
What DMARC Doesn't Do 180
Other DMARC Resources 181
Summary 182
Chapter 8 Network and Server Defenses 185
Defining Network 186
Network Isolation 187
Network-Level Phishing Attacks 187
Network- and Server-Level Defenses 190
Summary 214
Chapter 9 Endpoint Defenses 217
Focusing on Endpoints 217
Anti-Spam and Anti-Phishing Filters 218
Anti-Malware 218
Patch Management 218
Browser Settings 219
Browser Notifications 223
Email Client Settings 225
Firewalls 227
Phishing-Resistant MFA 227
Password Managers 228
VPNs 230
Prevent Unauthorized External Domain Collaboration 231
DMARC 231
End Users Should Not Be Logged on as Admin 232
Change and Configuration Management 232
Mobile Device Management 233
Summary 233
Chapter 10 Advanced Defenses 235
AI-Based Content Filters 23
About the author
ROGER A. GRIMES has 35 years of experience in computer security and has authored 13 previous books on the topic. He is the Data-Driven Defense Evangelist at KnowBe4, a security awareness education company, and a senior computer security consultant and cybersecurity architect.
Product details
Authors | Roger A. Grimes |
Publisher | Wiley, John and Sons Ltd |
Languages | English |
Product format | Paperback / Softback |
Released | 01.04.2024 |
EAN | 9781394249206 |
ISBN | 978-1-394-24920-6 |
No. of pages | 448 |
Dimensions | 155 mm x 230 mm x 25 mm |
Subjects | Education and learning > Teaching preparation > Vocational needs; Phishing, computer science, Computer viruses, Trojans and worms, Networking / Security |