E-book, English, 214 pages
Gardner / Thomas: Building an Information Security Awareness Program
1st edition 2014
ISBN: 978-0-12-419981-1
Publisher: Elsevier Science & Techn.
Format: EPUB
Copy protection: 6 - ePub Watermark
Defending Against Social Engineering and Technical Threats
The best defense against the increasing threat of social engineering attacks is security awareness training, which warns your organization's staff of the risk and educates them on how to protect your organization's data. Social engineering is not a new tactic, but Building an Information Security Awareness Program is the first book that shows you how to build a successful security awareness training program from the ground up. It provides you with a sound technical basis for developing a new training program, and it also tells you the best ways to garner management support for implementing the program. Author Bill Gardner is one of the founding members of the Security Awareness Training Framework. Here, he walks you through the process of developing an engaging and successful training program for your organization that will help you and your staff defend your systems, networks, mobile devices, and data. Forewords written by Dave Kennedy and Kevin Mitnick!
- The most practical guide to setting up a security awareness training program in your organization
- Real-world examples show you how cyber criminals commit their crimes, and what you can do to keep you and your data safe
- Learn how to propose a new program to management, and what the benefits are to staff and your company
- Find out about various types of training, the best training cycle to use, metrics for success, and methods for building an engaging and successful program
Bill Gardner is an Assistant Professor at Marshall University, where he teaches information security and foundational technology courses in the Department of Integrated Science and Technology. He is also President and Principal Security Consultant at BlackRock Consulting. In addition, Bill is Vice President and Information Security Chair at the Appalachian Institute of Digital Evidence. AIDE is a non-profit organization that provides research and training for digital evidence professionals including attorneys, judges, law enforcement officers and information security practitioners in the private sector. Prior to joining the faculty at Marshall, Bill co-founded the Hack3rCon convention, and co-founded 304blogs, and he continues to serve as Vice President of 304Geeks. In addition, Bill is a founding member of the Security Awareness Training Framework, which will be a prime target audience for this book.
Authors/Editors
Further information & material
1;Front Cover;1
2;Building an Information Security Awareness Program: Defending Against Social Engineering and Technical Threats;4
3;Copyright ;5
4;Dedications ;6
5;Contents ;8
6;Forewords ;12
7;Preface ;16
8;About the Authors ;18
9;Acknowledgments ;20
10;Chapter 1: What Is a Security Awareness Program? ;22
10.1;Introduction ;22
10.2;Policy Development ;25
10.3;Policy Enforcement ;25
10.4;Cost Savings ;26
10.5;Production Increases ;26
10.6;Management Buy-In ;27
10.7;Notes ;28
11;Chapter 2: Threat ;30
11.1;The Motivations of Online Attackers ;30
11.2;Money ;30
11.3;Industrial Espionage/Trade Secrets ;31
11.4;Hacktivism ;31
11.5;Cyber War ;32
11.6;Bragging Rights ;33
11.7;Notes ;33
12;Chapter 3: Cost of a Data Breach ;36
12.1;Ponemon Institute ;36
12.2;HIPAA;36
12.3;The Payment Card Industry Data Security Standard (PCI DSS) ;40
12.4;State Breach Notification Laws ;41
12.5;Notes ;44
13;Chapter 4: Most Attacks Are Targeted ;46
13.1;Targeted Attacks ;46
13.2;Recent Targeted Attacks ;47
13.3;Targeted Attacks Against Law Firms ;47
13.4;Operation Shady Rat ;49
13.5;Operation Aurora ;50
13.6;Night Dragon ;51
13.7;Watering Hole Attacks ;51
13.8;Common Attack Vectors: Common Results ;52
13.9;Notes ;53
14;Chapter 5: Who Is Responsible for Security? ;54
14.1;Information Technology (IT) Staff ;54
14.2;The Security Team ;55
14.3;The Receptionist ;55
14.4;The CEO;55
14.5;Accounting ;56
14.6;The Mailroom/Copy Center ;56
14.7;The Runner/Courier ;56
14.8;Everyone Is Responsible for Security ;56
14.9;Notes ;58
15;Chapter 6: Why Current Programs Don't Work ;60
15.1;The Lecture Is Dead as a Teaching Tool ;60
15.2;The Seven Learning Styles ;61
15.3;Notes ;64
16;Chapter 7: Social Engineering;66
16.1;What Is Social Engineering? ;66
16.2;Who Are Social Engineers? ;67
16.3;Why Does It Work? ;67
16.4;How Does It Work? ;67
16.5;Information Gathering ;68
16.5.1;The Company Website ;68
16.5.2;Social Media ;69
16.5.3;Search Engines ;69
16.5.4;The Dumpster ;69
16.5.5;The Popular Lunch Spot ;70
16.6;Attack Planning and Execution ;70
16.6.1;Jerry the Attacker ;70
16.6.2;The Spear Phishing E-mail ;71
16.6.3;Hello, Help Desk? ;72
16.7;The Social Engineering Defensive Framework (SEDF) ;73
16.7.1;Determine Exposure ;74
16.7.2;Evaluate Defenses ;75
16.8;Employees ;76
16.9;Defenders ;76
16.9.1;Educate Employees ;76
16.9.2;Streamline Existing Technology and Policy ;78
16.9.2.1;Planning a Tabletop Exercise ;78
16.9.2.1.1;The Design Phase ;78
16.9.2.1.2;The Execution Phase ;81
16.9.2.1.3;The After-action Phase ;82
16.9.3;Preventative Tips ;82
16.9.4;Putting It All Together ;83
16.10;Where can I Learn More About Social Engineering? ;84
16.11;Notes ;84
17;Chapter 8: Physical Security;86
17.1;What Is Physical Security? ;86
17.1.1;Outer Perimeter Security ;86
17.1.2;Inner Perimeter Security ;86
17.1.3;Interior Security ;86
17.2;Physical Security Layers ;87
17.2.1;Deterrence ;87
17.2.2;Control ;87
17.2.3;Detection ;88
17.2.4;Identification ;88
17.3;Threats to Physical Security ;88
17.4;Why Physical Security Is Important to an Awareness Program ;88
17.5;How Physical Attacks Work ;89
17.5.1;Reconnaissance ;90
17.5.1.1;Off-site Reconnaissance ;90
17.5.1.1.1;Maps ;90
17.5.1.1.2;The Company Website ;92
17.5.1.1.3;Additional Sources ;92
17.5.1.2;On-Site Reconnaissance ;93
17.5.1.2.1;Surveillance ;93
17.5.1.2.2;Real Estate Meeting ;94
17.5.1.2.3;RFID Credential Stealing ;95
17.5.2;Attack Planning ;99
17.5.3;Attack Execution ;99
17.6;Minimizing the Risk of Physical Attacks ;100
17.6.1;Preparing for a Physical Assessment ;100
17.6.1.1;Set an Objective ;100
17.6.1.2;Declare Off-Limits Areas ;100
17.6.1.3;Schedule ;100
17.6.1.4;Authorization Letter ;100
17.6.2;Can't Afford a Physical Security Assessment? ;101
17.7;Notes ;101
18;Chapter 9: Types of Training ;102
18.1;Training Types ;102
18.2;Formal Training ;102
18.2.1;In-Person Training ;102
18.3;Advantages ;103
18.4;Disadvantages ;103
18.4.1;Computer-Based Training ;104
18.5;Advantages ;104
18.6;Disadvantages ;104
18.6.1;Web-Based Training ;104
18.7;Advantages ;105
18.8;Disadvantages ;105
18.8.1;Video Training ;106
18.9;Advantages ;106
18.10;Disadvantages ;106
18.11;Informal Training ;106
18.11.1;Lunch and Learn Sessions ;106
18.11.2;Homemade Video Campaign ;107
18.11.3;Posters ;108
18.12;Notes ;108
19;Chapter 10: The Training Cycle ;110
19.1;The Training Cycle ;110
19.2;New Hire ;110
19.3;Quarterly ;111
19.3.1;Why Quarterly? ;111
19.4;Biannual ;111
19.5;Continual ;111
19.6;Point of Failure ;112
19.7;Targeted Training ;112
19.8;Sample Training Cycles ;113
19.8.1;Minimal ;113
19.8.2;Moderate ;113
19.8.3;Robust ;113
19.9;Adjusting Your Training Cycle ;114
19.10;Notes ;114
20;Chapter 11: Creating Simulated Phishing Attacks;116
20.1;Simulated Phishing Attacks ;116
20.2;Understanding the Human Element ;116
20.3;Methodology ;116
20.4;Open-source Tool, Commercial Tool, or Vendor Performed? ;117
20.4.1;Open-Source Tool ;117
20.5;Pros ;118
20.6;Cons ;118
20.6.1;Commercial Tool ;119
20.7;Pros ;119
20.8;Cons ;119
20.8.1;Selecting a Commercial Tool ;120
20.8.2;Vendor Performed ;121
20.9;Pros ;121
20.10;Cons ;121
20.11;Before You Begin ;121
20.12;Determine Attack Objective ;122
20.13;Select Recipients ;123
20.14;Select a Type of Phishing Attack ;123
20.14.1;General ;123
20.14.2;Company-Specific ;123
20.14.3;Spear Phishing ;124
20.15;Composing the E-Mail ;124
20.15.1;Formatting the Link ;125
20.16;Creating the Landing Page ;125
20.17;Sending the E-Mail ;126
20.17.1;Timing is Everything ;127
20.18;Tracking Results ;127
20.19;Post Assessment Follow-up ;128
20.20;Notes ;128
21;Chapter 12: Bringing It All Together;130
21.1;Create a Security Awareness Website ;130
21.2;Sample Plans ;131
21.2.1;Low Budget ;131
21.2.1.1;New Hire Training ;131
21.2.1.2;Biannual Training ;131
21.2.1.3;Continual Training ;132
21.2.1.4;Phishing Assessment ;132
21.2.2;Moderate Budget ;133
21.2.2.1;New Hire Training ;133
21.2.2.2;Biannual Training ;133
21.2.2.3;Continual Training ;134
21.2.2.4;Phishing Assessment ;134
21.2.3;Large Budget ;135
21.2.3.1;New Hire Training ;135
21.2.3.2;Biannual Training ;136
21.2.3.3;Continual Training ;136
21.2.3.4;Phishing Assessment ;137
21.3;Promoting Your Awareness Program ;137
21.3.1;Contests and Prizes ;137
21.3.2;Announcements ;138
21.3.3;National Cyber Security Awareness Month ;138
21.4;Notes ;138
22;Chapter 13: Measuring Effectiveness;140
22.1;Measuring Effectiveness ;140
22.2;Measurements vs. Metrics ;140
22.3;Creating Metrics ;140
22.3.1;Metric Name ;141
22.3.2;What Is Measured ;141
22.3.3;How It's Measured ;141
22.3.4;When It's Measured ;141
22.3.5;Who Measures ;142
22.4;Additional Measurements ;142
22.5;Reporting Metrics ;143
22.5.1;Building Your Presentation ;143
22.5.1.1;Introduction ;143
22.5.1.2;How Metrics Were Derived ;143
22.5.1.3;The Metrics ;144
22.6;Notes ;145
23;Chapter 14: Stories from the Front Lines;146
23.1;Phil Grimes ;146
23.2;Amanda Berlin ;149
23.3;Jimmy Vo ;154
23.4;Security Research at Large Information Security Company ;156
23.5;Harry Regan ;158
23.6;Tess Schrodinger ;161
23.7;Security Analyst at a Network Security Company ;172
23.8;Ernie Hayden ;175
24;Appendices ;180
24.1;Appendix A: Government Resources ;180
24.1.1;NIST Special Publication 800-16 ;180
24.1.2;NIST Special Publication 800-16 Appendix A-D ;180
24.1.3;NIST Special Publication 800-16 Appendix E ;180
24.1.4;Statement of Work Computer Security Awareness and Training: April 2000 ;180
24.1.5;NIST Special Publication 800-50: Building an Information Technology Security Awareness and Training Program ;180
24.1.6;US Department of Health and Human Services: Security Awareness and Training ;180
24.1.7;National Initiative for Cybersecurity Careers and Studies ;180
24.1.8;NIH Information Security Awareness Course ;181
24.1.9;National Cyber Security Awareness Month ;181
24.1.10;Cyber Security Tips: US-CERT ;181
24.1.11;Cyber Security Alerts: US-CERT ;181
24.1.12;Information Security Awareness Training for Texas ;181
24.1.13;Florida Department of Children and Families ;181
24.1.14;Information Security Awareness Training Family Educational Rights and Privacy Act (FERPA) ;181
24.2;Appendix B: Security Awareness Tips ;181
24.2.1;Stop.Think.Connect ;181
24.2.2;StaySafeOnline ;181
24.3;Appendix C: Sample Policies ;181
24.3.1;SANS: Information Security Policy Templates ;181
24.3.2;Open-Source Security Awareness Training Resources ;182
24.4;Appendix D: Commercial Security Awareness Training Resources ;182
24.4.1;SANS: Securing The Human ;182
24.4.2;The Security Awareness Company ;182
24.4.3;Kevin Mitnick Security Awareness Training: KnowBe4 ;182
24.4.4;The Roer Group: The Security Culture Company ;182
24.5;Appendix E: Other Web Resources and Links ;182
24.5.1;SANS: The Importance of Security Awareness Training ;182
24.5.2;Schneier on Security: Security Awareness Training ;182
24.5.3;Building a Security Awareness Program: Cyberguard ;182
24.5.4;Security Awareness Toolbox: The Information Warfare Site ;182
24.5.5;SANS Reading Room: Security Awareness Section ;182
24.6;Security Awareness Posters ;183
24.6.1;Cyber Security Awareness Challenge 2.0 ;183
24.7;Appendix F: Technical Tools That Can Be Used to Test Security Awareness Programs ;183
24.7.1;Kali Linux ;183
24.7.2;Social-Engineer Toolkit ;183
24.7.3;SpearPhisher ;183
24.8;Appendix G: The Security Awareness Training Framework ;183
24.8.1;Purpose/Project Charter ;183
24.8.2;Deliverables ;184
24.8.3;Components and Subteams ;184
24.8.4;Taxonomy/Classification Team ;185
24.8.5;Documentation/Artifact Team ;185
24.8.6;Research/Outreach Team ;185
24.8.7;Communications/Social Media Team ;186
24.8.8;The History of the Security Awareness Training Framework ;186
24.8.9;The Mission of the Security Awareness Training Framework ;186
24.8.10;Define the Components ;187
24.8.11;Understand How People Learn Information Security Awareness ;188
24.8.12;Develop Feedback Mechanisms and Standardized Reporting Metrics ;188
24.9;Appendix H: Building a Security Awareness Training Program Outline ;189
24.10;Appendix I: State Security Breach Notification Laws ;191
24.11;Appendix J: West Virginia State Breach Notification Laws, W.V. Code 46A-2A-101 ET SEQ ;193
24.12;Appendix K: HIPAA Breach Notification Rule ;196
24.12.1;Definition of Breach ;196
24.12.2;Unsecured Protected Health Information and Guidance ;197
24.12.3;Breach Notification Requirements ;197
24.12.4;Individual Notice ;197
24.12.5;Media Notice ;198
24.12.6;Notice to the Secretary ;198
24.13;Notification by a Business Associate ;199
24.13.1;Administrative Requirements and Burden of Proof ;199
24.13.2;Instructions for Submitting Notice of a Breach to the Secretary ;199
24.13.3;Breaches Affecting 500 or More Individuals ;200
24.13.4;Breaches Affecting Fewer than 500 Individuals ;200
24.14;Federal Trade Commission (FTC) Health Breach Notification Rule ;201
24.15;Appendix L: Complying with the FTC Health Breach Notification Rule ;201
24.16;Who's Covered by the Health Breach Notification Rule ;202
24.17;You're not a Vendor of Personal Health Records If You're Covered by HIPAA ;202
24.18;Third-Party Service Provider ;203
24.19;What Triggers the Notification Requirement ;203
24.20;What to Do If a Breach Occurs ;204
24.21;Who You Must Notify and When You Must Notify Them ;204
24.22;How to Notify People ;205
24.23;What Information to Include ;206
24.24;Answers to Questions About the Health Breach Notification Rule ;207
24.25;We're an HIPAA Business Associate, but We Also Offer Personal Health Record Services to the Public. Which Rule Applies to Us? ;208
24.26;What's the Penalty for Violating the FTC Health Breach Notification Rule? ;209
24.27;Law Enforcement Officials Have Asked Us to Delay Notifying People About the Breach. What Should We Do? ;209
24.28;Where Can I Learn More About the FTC Health Breach Notification Rule? Visit www.ftc.gov/healthbreach. ;209
24.29;Your Opportunity to Comment ;209
24.30;Appendix L: Information Security Conferences ;210
24.31;Appendix M: Recorded Presentations on How to Build an Information Security Awareness Program ;211
24.32;Appendix N: Articles on How to Build an Information Security Awareness Program ;211
25;Index ;212
Chapter 1 What Is a Security Awareness Program?
Bill Gardner
Marshall University, Huntington, WV, USA

Abstract
Not all attacks are technical. Now that we have built technical defenses around our networks, social engineering is used in the majority of recent breaches. The only defense against social engineering is an engaging security awareness program. A security awareness program helps with the development and enforcement of policies while at the same time helping to set the limits of what is and is not acceptable behavior by the users of an organization's computer and telecommunication services. A security awareness program helps to limit the risk of breaches of an organization's sensitive and confidential data. A security awareness program is defined as a formal program with the goal of training users about potential threats to an organization's information and how to avoid situations that might put the organization's data at risk.

Keywords: Security awareness; Policy; Policy development; Policy enforcement; Cost savings; Production increases; Formal program

Introduction
A security awareness program is a formal program with the goal of training users about the potential threats to an organization's information and how to avoid situations that might put the organization's data at risk. The goals of the security awareness program are to lower the organization's attack surface, to empower users to take personal responsibility for protecting the organization's information, and to enforce the policies and procedures the organization has in place to protect its data. Policies and procedures might include, but are not limited to, computer use policies, Internet use policies, remote access policies, and other policies that aim to govern and protect the organization's data.

In information security, people are the weakest link. People want to be helpful. People want to do a good job. People want to give good customer service to their coworkers, clients, and vendors. People are curious. Social engineers seek to exploit these human characteristics. “Social Engineering is defined as the process of deceiving people into giving away access or confidential information” [1]. The only known defense against social engineering attacks is an effective security awareness program. Unless users understand the tactics and techniques of social engineers, they will fall prey to them and put the organization's data at risk.

A survey of recent breaches reveals that a large majority of them exploited humans. One example is the RSA breach [2], in which sophisticated attackers used targeted spear phishing to steal RSA SecurID authentication tokens, which led to a further breach at the US defense contractor Lockheed Martin [3]. Another example is the “Aurora” attack against Google and other large software companies, which directed users to a website that infected them with a cutting-edge 0-day exploit. The result was that a large amount of intellectual property, including source code, was stolen from companies including Google and Adobe [4].
Nowadays, online bad guys don't try to break in through the firewall; they go around it. Organizations have spent billions of dollars developing layered defenses against online attackers: antivirus, intrusion detection systems, intrusion prevention systems, and other technical solutions to protect information. With these sophisticated solutions in place, attackers are now turning to more targeted attacks focused on tricking users into clicking links or opening attachments. Dave Kennedy's Social-Engineer Toolkit (SET) does an excellent job of modeling social engineering attacks such as website, attachment, human interface device (HID), and QR code attacks for defenders to use in testing their own environments [5]. This might sound simplistic, but what would most users do if they received an attachment that appears to come from the HR department and appears to be a spreadsheet of raises for everyone in the organization (Figure 1.1)? Curiosity might not just kill the cat; it might also put your data at risk.

Figure 1.1 Social-Engineer Toolkit (SET).

While SET is a technical tool, its goal is to use nontechnical means to exploit humans, who in turn exploit computers, which leads to data compromise [6]. SET can easily clone a website to an attacker's machine, where exploits are then inserted into the cloned site. At that point, the attacker will attempt to direct users to the cloned site. This might be accomplished by spear phishing, by sending the user a link disguised by a link-shortening service, or by buying a legitimate-looking domain to host the cloned site. Once the user is on the cloned site, the attacker can use a number of different attack vectors to steal information or to install backdoors that allow the attacker to access the system as if the attacker were a legitimate user. SET also has the ability to encode these attacks so that they are not detected by antivirus and other software used to detect malware and intrusions.
The credential harvester attack is carried out through SET by cloning a site such as Twitter, Facebook, or even a bank or credit card site that has username and password fields. When the user attempts to log into the cloned site, SET captures the username and password and then logs the user into the legitimate website. We will discuss SET in more detail later in the book.

A security awareness program is also a building block of a mature security program. Policies and procedures are the first building block. The next layer is a security awareness program, also called user awareness training. Only when these two elements are in place do we move on to the next steps: patch management, log management, antivirus/HIDS, security appliances, and finally metrics. For years, organizations have thrown money at security when that money would have been better spent training their users (Figure 1.2). The focus of this book is building a security awareness program step by step, with the ultimate goal of building a mature security program.

Figure 1.2 Elements of a mature security program.

Policy Development
Policy development sets the goals, limitations, and expectations for the organization's users. Depending on the size of the organization, these policies can be a number of documents addressing specific divisions of the organization's IT and HR structure, or, in the case of smaller organizations, a single document that outlines the limitations and duties of those who use the organization's telephone, computer, e-mail, and other digital assets. The most common policy is the computer use policy. Other policies that can be addressed in separate documents cover e-mail usage, Internet usage, telephone usage, and fax usage. The computer use policy, also sometimes called the acceptable use policy, defines the user's level of access to computer and telecommunication resources and their rights and limitations in the use of those resources. The biggest goal of the acceptable use policy is to define where use ends and abuse begins. For example, in most organizations it would be deemed abuse if a user spends work time accessing porn and gambling sites. It would also be considered abuse if employees use phone and e-mail services for excessive personal communication during the workday. Most organizations understand that some personal use is necessary, and the acceptable use policy defines what is and is not acceptable use of the organization's equipment and services. Some organizations' usage policies are based on templates found on the Internet [7]. While these templates are useful, it is important to remember that they need to be customized to the needs and mission of your organization. The organization's human resources department also needs to be involved: in many cases, specific portions of the policies will carry penalties that HR enforces. In most cases, policies and procedures will have to be developed with regulations in mind.

Organizations that handle health data are likely to be covered by HIPAA/HITECH. Organizations that handle credit card transactions are likely to be covered by PCI DSS. Specifically, the physical standards of the HIPAA/HITECH Security Rule address workstation use, 164.310(b); workstation security, 164.310(c); and device and media controls, 164.310(d)(1). HIPAA/HITECH also calls for punishing those who don't follow policies under the administrative standards of the Security Rule, specifically authorization and/or supervision, workforce clearance procedure, and termination procedures, 164.308(a)(3).

Policy Enforcement
Policy without enforcement is a waste of time and a detriment to the organization. One of the goals of an effective security awareness program is to enforce policies by educating users on what the policies and the organization's expectations are. There is nothing more useless than an unenforced policy. Many organizations spend a lot of time developing policies. Many times, these policies end up in a binder on a shelf in someone's office. Giving copies of the acceptable use and other policies to the users is a good first step, but most of the time, the users will not spend the time to read the information. A security awareness program should be...