Fighting Phishing

Book description

Keep valuable data safe from even the most sophisticated social engineering and phishing attacks

Fighting Phishing: Everything You Can Do To Fight Social Engineering and Phishing serves as the ideal defense against phishing for any reader, from large organizations to individuals. Unlike most anti-phishing books, which focus only on one or two strategies, this book discusses all the policies, education, and technical strategies that are essential to a complete phishing defense. This book gives clear instructions for deploying a great defense-in-depth strategy to defeat hackers and malware. Written by the lead data-driven defense evangelist at the world's number one anti-phishing company, KnowBe4, Inc., this guide shows you how to create an enduring, integrated cybersecurity culture.

  • Learn what social engineering and phishing are, why they are so dangerous to your cybersecurity, and how to defend against them
  • Educate yourself and other users on how to identify and avoid phishing scams, to stop attacks before they begin
  • Discover the latest tools and strategies for locking down data when phishing has taken place, and stop breaches from spreading
  • Develop technology and security policies that protect your organization against the most common types of social engineering and phishing

Anyone looking to defend themselves or their organization from phishing will appreciate the uncommonly comprehensive approach in Fighting Phishing.

Table of contents

  1. Cover
  2. Table of Contents
  3. Title Page
  4. Introduction
    1. Who This Book Is For
    2. What Is Covered in This Book
    3. How to Contact Wiley or the Author
  5. PART I: Introduction to Social Engineering Security
    1. CHAPTER 1: Introduction to Social Engineering and Phishing
      1. What Are Social Engineering and Phishing?
      2. How Prevalent Are Social Engineering and Phishing?
      3. Summary
    2. CHAPTER 2: Phishing Terminology and Examples
      1. Social Engineering
      2. Phish
      3. Well-Known Brands
      4. Top Phishing Subjects
      5. Stressor Statements
      6. Malicious Downloads
      7. Malware
      8. Bots
      9. Downloader
      10. Account Takeover
      11. Spam
      12. Spear Phishing
      13. Whaling
      14. Page Hijacking
      15. SEO Pharming
      16. Calendar Phishing
      17. Social Media Phishing
      18. Romance Scams
      19. Vishing
      20. Pretexting
      21. Open-Source Intelligence
      22. Callback Phishing
      23. Smishing
      24. Business Email Compromise
      25. Sextortion
      26. Browser Attacks
      27. Baiting
      28. QR Phishing
      29. Phishing Tools and Kits
      30. Summary
    3. CHAPTER 3: 3x3 Cybersecurity Control Pillars
      1. The Challenge of Cybersecurity
      2. Compliance
      3. Risk Management
      4. Defense-In-Depth
      5. 3x3 Cybersecurity Control Pillars
      6. Summary
  6. PART II: Policies
    1. CHAPTER 4: Acceptable Use and General Cybersecurity Policies
      1. Acceptable Use Policy (AUP)
      2. General Cybersecurity Policy
      3. Summary
    2. CHAPTER 5: Anti-Phishing Policies
      1. The Importance of Anti-Phishing Policies
      2. What to Include
      3. Summary
    3. CHAPTER 6: Creating a Corporate SAT Policy
      1. Getting Started with Your SAT Policy
      2. Necessary SAT Policy Components
      3. Example of Security Awareness Training Corporate Policy
      4. Acme Security Awareness Training Policy: Version 2.1
      5. Summary
  7. PART III: Technical Defenses
    1. CHAPTER 7: DMARC, SPF, and DKIM
      1. The Core Concepts
      2. A US and Global Standard
      3. Email Addresses
      4. Sender Policy Framework (SPF)
      5. Domain Keys Identified Mail (DKIM)
      6. Domain-based Message Authentication, Reporting, and Conformance (DMARC)
      7. Configuring DMARC, SPF, and DKIM
      8. Putting It All Together
      9. DMARC Configuration Checking
      10. How to Verify DMARC Checks
      11. How to Use DMARC
      12. What DMARC Doesn't Do
      13. Other DMARC Resources
      14. Summary
    2. CHAPTER 8: Network and Server Defenses
      1. Defining Network
      2. Network Isolation
      3. Network-Level Phishing Attacks
      4. Network- and Server-Level Defenses
      5. Summary
    3. CHAPTER 9: Endpoint Defenses
      1. Focusing on Endpoints
      2. Anti-Spam and Anti-Phishing Filters
      3. Anti-Malware
      4. Patch Management
      5. Browser Settings
      6. Browser Notifications
      7. Email Client Settings
      8. Firewalls
      9. Phishing-Resistant MFA
      10. Password Managers
      11. VPNs
      12. Prevent Unauthorized External Domain Collaboration
      13. DMARC
      14. End Users Should Not Be Logged on as Admin
      15. Change and Configuration Management
      16. Mobile Device Management
      17. Summary
    4. CHAPTER 10: Advanced Defenses
      1. AI-Based Content Filters
      2. Single-Sign-Ons
      3. Application Control Programs
      4. Red/Green Defenses
      5. Email Server Checks
      6. Proactive Doppelganger Searches
      7. Honeypots and Canaries
      8. Highlight New Email Addresses
      9. Fighting USB Attacks
      10. Phone-Based Testing
      11. Physical Penetration Testing
      12. Summary
  8. PART IV: Creating a Great Security Awareness Program
    1. CHAPTER 11: Security Awareness Training Overview
      1. What Is Security Awareness Training?
      2. Goals of SAT
      3. Senior Management Sponsorship
      4. Absolutely Use Simulated Phishing Tests
      5. Different Types of Training
      6. Compliance
      7. Localization
      8. SAT Rhythm of the Business
      9. Reporting/Results
      10. Checklist
      11. Summary
    2. CHAPTER 12: How to Do Training Right
      1. Designing an Effective Security Awareness Training Program
      2. Building/Selecting and Reviewing Training Content
      3. Additional References
      4. Summary
    3. CHAPTER 13: Recognizing Rogue URLs
      1. How to Read a URL
      2. Most Important URL Information
      3. Rogue URL Tricks
      4. Summary
    4. CHAPTER 14: Fighting Spear Phishing
      1. Background
      2. Spear Phishing Examples
      3. How to Defend Against Spear Phishing
      4. Summary
    5. CHAPTER 15: Forensically Examining Emails
      1. Why Investigate?
      2. Why You Should Not Investigate
      3. How to Investigate
      4. Examining Emails
      5. Clicking on Links and Running Malware
      6. Submit Links and File Attachments to AV
      7. The Preponderance of Evidence
      8. A Real-World Forensic Investigation Example
      9. Summary
    6. CHAPTER 16: Miscellaneous Hints and Tricks
      1. First-Time Firing Offense
      2. Text-Only Email
      3. Memory Issues
      4. SAT Counselor
      5. Annual SAT User Conference
      6. Voice-Call Tests
      7. Credential Searches
      8. Dark Web Searches
      9. Social Engineering Penetration Tests
      10. Ransomware Recovery
      11. Patch, Patch, Patch
      12. CISA Cybersecurity Awareness Program
      13. Passkeys
      14. Avoid Controversial Simulated Phishing Subjects
      15. Practice and Teach Mindfulness
      16. Must Have Mindfulness Reading
      17. Summary
    7. CHAPTER 17: Improving Your Security Culture
      1. What Is a Security Culture?
      2. Seven Dimensions of a Security Culture
      3. Improving Security Culture
      4. Other Resources
      5. Summary
  9. Conclusion
  10. Acknowledgments
  11. About the Author
  12. Index
  13. Copyright
  14. Dedication
  15. End User License Agreement

Product information

  • Title: Fighting Phishing
  • Author(s): Roger A. Grimes
  • Release date: February 2024
  • Publisher(s): Wiley
  • ISBN: 9781394249206