
Building an Information Security Awareness Program: Defending Against Social Engineering and Technical Threats by Gardner, Bill (eBook)

  • Publisher: Elsevier Reference Monographs
eBook (ePUB)
54,68 €
incl. VAT
Available immediately by download

Available online

Building an Information Security Awareness Program

The best defense against the increasing threat of social engineering attacks is security awareness training that warns your organization's staff of the risk and educates them on how to protect your organization's data. Social engineering is not a new tactic, but Building an Information Security Awareness Program is the first book that shows you how to build a successful security awareness training program from the ground up. It provides a sound technical basis for developing a new training program and explains the best ways to garner management support for implementing it. Author Bill Gardner is one of the founding members of the Security Awareness Training Framework. Here he walks you through the process of developing an engaging and successful training program for your organization that will help you and your staff defend your systems, networks, mobile devices, and data. Forewords written by Dave Kennedy and Kevin Mitnick!

  • The most practical guide to setting up a security awareness training program in your organization
  • Real-world examples show you how cyber criminals commit their crimes, and what you can do to keep you and your data safe
  • Learn how to propose a new program to management, and what the benefits are to staff and your company
  • Find out about the various types of training, the best training cycle to use, metrics for success, and methods for building an engaging and successful program


    Format: ePUB
    Copy protection: Adobe DRM
    Page count: 215
    Language: English
    ISBN: 9780124199811
    Publisher: Elsevier Reference Monographs
    Size: 5177 kBytes

Building an Information Security Awareness Program

Chapter 1 What Is a Security Awareness Program?

Bill Gardner Marshall University, Huntington, WV, USA

Not all attacks are technical. Now that we have built technical defenses around our networks, social engineering is used in the majority of recent breaches. The only defense against social engineering is an engaging security awareness program. Such a program helps with the development and enforcement of policies while at the same time helping to set the limits of what is and is not acceptable behavior by the users of an organization's computer and telecommunication services, and it helps to limit the risk of breaches of an organization's sensitive and confidential data. A security awareness program is defined as a formal program whose goal is to train users about potential threats to an organization's information and about how to avoid situations that might put the organization's data at risk.

Keywords: Policy development; Policy enforcement; Cost savings; Production increases; Formal program

A security awareness program is a formal program with the goal of training users about the potential threats to an organization's information and about how to avoid situations that might put the organization's data at risk.

The goals of the security awareness program are to lower the organization's attack surface, to empower users to take personal responsibility for protecting the organization's information, and to enforce the policies and procedures the organization has in place to protect its data. Policies and procedures might include but are not limited to computer use policies, Internet use policies, remote access policies, and other policies that aim to govern and protect the organization's data.

In information security, people are the weakest link. People want to be helpful. People want to do a good job. People want to give good customer service to their coworkers, clients, and vendors. People are curious. Social engineers seek to exploit these characteristics in humans. "Social Engineering is defined as the process of deceiving people into giving away access or confidential information" [1]. The only known defense for social engineering attacks is an effective security awareness program. Unless users understand the tactics and techniques of social engineers, they will fall prey and put the organization's data at risk.

A survey of recent breaches reveals that a large majority of them exploited people rather than technology. One example is the RSA breach [2], in which sophisticated attackers used targeted spear phishing to steal data relating to RSA SecurID authentication tokens, which led to a further breach at the US defense contractor Lockheed Martin [3]. Another example is the "Aurora" attack against Google and other large software companies, which lured users to a website that infected their machines through a cutting-edge zero-day exploit in Internet Explorer. The result was that a large amount of intellectual property, including source code, was stolen from companies including Google and Adobe [4].

Nowadays, online bad guys don't try to break in through the firewall; they go around it. Organizations have spent billions of dollars building layered defenses against online attackers: antivirus, intrusion detection systems, intrusion prevention systems, and other technical solutions to protect information. With these sophisticated solutions in place, attackers are now turning to more targeted attacks that focus on tricking users into clicking links or opening attachments.
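The lures described in the two paragraphs above (a spear-phishing message that leads the user to a credential-harvesting page or a malicious attachment) leave tells that a checker can flag. The script below is an added example, not code from the book or its author: it parses a message with Python's standard-library email parser and reports a sender domain that imitates the organization's own, an urgency-laden subject, links whose visible URL and real href point to different domains, links to raw IP addresses, and attachments with risky extensions. The two sample messages, the trusted-domain list, the extension and urgency lists and the two-indicator threshold are all assumptions constructed for this example.

```python
"""Phishing-indicator checks over a raw email message (standard library only).

Added example, not code from the book or its author. The two messages, the
trusted-domain list and the scoring threshold are assumptions for this demo.
"""
import email
import ipaddress
import os
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-corp.com"}            # assumed: the organization's own domain(s)
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".hta", ".vbs", ".lnk", ".iso"}
URGENCY_TERMS = ("action required", "expires", "disabled", "immediately", "suspended")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed spear-phishing lure built on a "your token is expiring" pretext;
# the addresses, IP and attachment are fictitious.
PHISH_EML = """\
From: "IT Service Desk" <helpdesk@example-corp-support.com>
To: alice@example-corp.com
Subject: Action required: your SecurID token expires today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your token will be disabled unless you confirm it now:</p>
<p><a href="http://198.51.100.23/auth/login">https://sso.example-corp.com/login</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="token-renewal.pdf.exe"
Content-Disposition: attachment; filename="token-renewal.pdf.exe"

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed benign message from the real help desk, for comparison.
BENIGN_EML = """\
From: "IT Service Desk" <helpdesk@example-corp.com>
To: alice@example-corp.com
Subject: Monthly maintenance window
Content-Type: text/html; charset="utf-8"

<html><body><p>Details: <a href="https://intranet.example-corp.com/maintenance">https://intranet.example-corp.com/maintenance</a></p></body></html>
"""


def is_ip(host):
    """True when the host part of a URL is an IP literal rather than a name."""
    try:
        ipaddress.ip_address(host or "")
        return True
    except ValueError:
        return False


def registered_domain(host):
    """Crude eTLD+1 (last two labels); IP literals are returned unchanged."""
    host = (host or "").lower().rstrip(".")
    if is_ip(host):
        return host
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def link_mismatches(html):
    """(visible URL, real href) pairs whose registered domains differ."""
    out = []
    for href, inner in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", inner).strip()
        if not re.match(r"https?://", text, re.I):
            continue          # visible text is not a URL, so there is nothing to compare
        if registered_domain(urlparse(href).hostname) != registered_domain(urlparse(text).hostname):
            out.append((text, href))
    return out


def sender_lookalike(addr):
    """True when the sender domain is untrusted but borrows a trusted domain's label."""
    dom = registered_domain(addr.rpartition("@")[2])
    if dom in TRUSTED_DOMAINS:
        return False
    return any(t.split(".")[0] in dom for t in TRUSTED_DOMAINS)


def analyze(raw):
    """Return the indicators found in one RFC 5322 message plus a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, sender = parseaddr(str(msg["From"] or ""))
    subject = str(msg["Subject"] or "").lower()
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    findings = {
        "sender_lookalike": sender_lookalike(sender),
        "urgent_subject": any(t in subject for t in URGENCY_TERMS),
        "link_mismatches": link_mismatches(html),
        "raw_ip_links": [h for h, _ in ANCHOR_RE.findall(html) if is_ip(urlparse(h).hostname)],
        "risky_attachments": [
            p.get_filename() for p in msg.iter_attachments()
            if os.path.splitext(p.get_filename() or "")[1].lower() in RISKY_EXTENSIONS
        ],
    }
    # Two or more independent indicators is the (assumed) threshold for escalation.
    findings["verdict"] = "suspicious" if sum(bool(v) for v in findings.values()) >= 2 else "ok"
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EML), ("benign", BENIGN_EML)):
        print(label, analyze(raw))
```

Running the script prints every indicator for the constructed lure (lookalike sender, urgent subject, one text/href mismatch, one raw-IP link, one risky attachment) and none for the benign message. Each of these checks is exactly what awareness training asks a user to do by eye: hover the link, read the sender's real domain, distrust urgency, never open an executable that pretends to be a document. The script is a teaching aid for those habits, not a substitute for a mail gateway; a real deployment would use a proper public-suffix list and tune the lists and threshold to the organization.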

Dave Kennedy's Social-Engineer Toolkit does an excellent job of modeling social-engineering attacks such as websit
