Index

Note: Page numbers followed by f indicate figures.

A

The Art of Deception 63
Awareness program, security 
announcements 117
budget 134, 138
campaigns 40
consistent program 141
contests and prizes 116–117
cost savings 135
deployment 122
e-mail signature 147
enforcement 4–5
experience 137–138
forensics and security 141
HIPAA Security Rule 18
homemade video campaign 86–87
learning and teaching styles 127, 134, 139
vs. metrics See (Metrics)
planned program 141
political obstacles 127, 134, 139
polygraph examiner 148
posters 87, 147
quarterly training 90
receptionists 34
RSA breach 1–2
security researcher 125–126
SET 2
social engineering and nontechnical attacks 126
training cycle 127, 134, 139

B

Biannual training 90, 110–111, 115
Blue Cross Blue Shield of Tennessee (BCBST) 19
Bragging rights 12
Breach notification laws 5, 20–23
Bronze Soldier of Tallinn 11

C

Catch Me If You Can 63
Chief Information Security Officer (CISO) 100–101
Commercial security awareness training resources 161
Company website 47, 71
Computer-based training (CBT) 83
Continual training, security 90–91, 113, 115
Cost savings 5, 135
Cyber war 
Bronze Soldier of Tallinn 11
definition 11
espionage 12

D

Data breach cost 
HIPAA 15–19
notification laws 20–23
PCI DSS 19–20
Ponemon Institute 15
savings 5
Department of Health and Human Services (DHHS) 5, 16
Dumpster diving method 33, 48–49, 73

E

Embedded training 91, 139
End users, security 
Chinese hackers and industrial espionage 36
corporate network 30
education 138
law firm’s computer system 36
midlevel managers, organization 37
network defenders 37
personal information 37
social media sites 36–37
VOHO attack 30

F

FBI alerted law firms 26–28
Federal Trade Commission (FTC) 
Health Breach Notification Rule 180
HIPAA business associate 187–188
law enforcement officials 188
nation’s consumer protection agency 181
notification requirement 182–183
personal health records 181–182
PHR-related entity 183
third-party service provider 182
Formal training 
CBT 83
video 85
WBT 83–85

G

Government resources 159–160

H

Hacktivism 
anonymous users 11
iPhone “jailbreak” 10
political causes 10
PSN 10
Hands-on learning 41
Health Insurance Portability and Accountability Act (HIPAA) 
definition 15
and DHHS 16
“Health Care Law Blog” 18
HITECH 4, 19
implementation specifications 16
privacy and security rules 19
HIPAA Breach Notification Rule 
business associate 178–179
definition 175–176
FTC 180
media notice 177
secretary 177–178
unsecured protected health information and guidance 176

I

Industrial espionage 10
Informal training 
homemade video campaign 86–87
lunch and learn sessions 85–86
Information security awareness program 
articles 190
recorded presentations 190
Information technology (IT) staff 33, 40, 46
Instructor-led training 81–83
Interactive learning 
active and passive 39
password policy 42
screen locking reminder card 42, 42f
security team 115
segments and quizzes 84–85
styles 41
tools 40
Internet Crime Complaint Center (IC3), FBI 27–28

K

Kali Linux 162

L

Landing page 
creation 104–105
and e-mail 98
graphic tool 98
KnowBe4 105f
Large budget plan 
biannual training 115
continual training 115–116
new hire training 114
phishing assessment 116
Layers, physical security 
control 66
detection 67
deterrence 66
identification 67
Low budget plan 
biannual training 110–111
continual training 111
new hire training 110
phishing assessment 111

M

Mailroom/copy center 35
Metrics 
in information security awareness program 131, 136
long-term users 98
management 126
measurements, phishing detection 120
names 120
PhishingBox 120, 121f
reporting See (Reporting, metrics)
security team 121
Moderate budget plan 
biannual training 112–113
continual training 113
new hire training 112
phishing assessment 113–114
Money 
data breaches 5
marketing 148
online attackers 9
organization 35
scam 27
security awareness program 7
and time 42–43

N

National Cyber Security Awareness Month (NCSAM) 117
Network security company, security analyst 151–154
New hire training 89, 112, 114
Night Dragon attacks 30
No Tech Hacking 63

O

Off-site reconnaissance 
company website 71
maps 69–71
real estate companies 71
social media 72
tax records 71
Online attackers 
cyber war 11–12
hacktivism 10–11
industrial espionage 10
money 9
organization defenses 2
personal and financial information 9
On-site reconnaissance 
real estate meeting 73–74
RFID credential stealing 74–77
surveillance 72–73
Operation Aurora 29
Organization’s network, CEO 25, 34–35, 101

P

Payment Card Industry Data Security Standard (PCI DSS) 4, 19–20
Peer-instruction 39
Phishing attacks  See also Simulated phishing assessment
assessment 111, 116
awareness 83–84
company-specific attacks 102–103
domain purchases 62
e-mail 50–51
employees knowledge 56
general attacks 102
network and host operating system 58
organization’s accounting department 35
and phone assessments 55
RSA SecurID 1–2
simulated attack 95
spear phishing e-mail 103
stamp collecting e-mails 25
vs. watering hole 31
Physical security 
assessments See (Red Team)
attack execution phase 78
awareness program 67–68
inner perimeter 65
interior level 65
layers 66–67
outer perimeter 65
planning phase attack 78
policies 34
threats 67
Planning and execution, attack 
Jerry, the attacker 49
spear phishing e-mail 50–51
PlayStation Network (PSN) 10
Ponemon Institute 5, 15

R

Receptionist, defense 34
Reconnaissance 
on-site 72–77
Red team 
authorization letter 79–80
objective 79
off-limits areas 79
schedule 79
Reporting, metrics 
clustered column chart 122, 123f
line chart 123, 124f
pie chart 123, 124f
program description 122
RFID access systems 
antenna, binder 74, 76f
bishop 75, 77f
long-range reader 74–75, 77f
organizer and Proxmark3 74, 76f
power supply 74, 75f
Proxmark3 hardware 74, 75f
unauthorized entry prevention 74

S

Search engines 48
Security awareness program 
articles 190
budget 130, 143, 156
learning and teaching styles 131, 146, 157
management buy-in 130, 156
metrics 131, 144
network analyst 128
political obstacles 130, 143, 156
recorded presentations 190
red and blue team 133
security posture 129
“Smart Grid Pioneer” 154–155
social engineering 126
training cycle 131, 145, 156
Security awareness training framework (SATF) 
communications/social media team 165
component definition 166
deliverables 163
documentation/artifact team 164
history 165
mission 165–166
purpose/project charter 162
research/outreach team 164–165
standardized reporting metrics 167–168
subteams and committees 163–164
taxonomy/classification team 164
Security research, information security company 135–137
Shady RAT operation 28–29
Simulated phishing assessment 
commercial tool 98–100
high-level methodology 95–96
objective 101
open-sourced software/tools 96–98
recipients selection 102
sending, e-mail 105–106
tracking 106
as training tools 95
types 102–103
vendor performance 100
Social engineering 
attack cycle phases 46
description 45
help desk 51–52
information gathering 47–49
internal phishing campaign 136
media See (Social media)
men vs. women 46
persuasion and deception 45
phases 62, 63f
popular spot 49
psychological makeup 46
search engines 48
security awareness program 1
SEDF 52–62
timing 50
Social Engineering Defensive Framework (SEDF) 
attack prevention 52–53, 61–62
defense evaluation 54–55
education, employees 55–57
exposure determination 53–54
phases 62, 63f
technology and policy 57–61
Social-Engineer Toolkit (SET) 
elements 2, 3f
policies and procedures 2
PowerShell 130
technical tool 2
technical tools, security awareness programs 162
website cloning 2
Social media 
assessment team 72
Facebook and Twitter 48
LinkedIn 48
NCSAM 117
password reset 48
safety 56
scams 36–37
website 25, 36–37
SpearPhisher 162
Spear phishing email 2, 31, 50–51
State security breach notification laws 170–171

T

Tabletop exercise, SEDF 
after-action phase 61
design phase 57–60
execution phase 60–61
Targeted attacks 
Chinese hackers 36
defense and government contracting 26
description 25
e-mail 25
against law firms 26–28
password reset 33
RSA breach 26
Shady RAT 28–29
spear phishing 31
state breach notification laws 31
TJX breach 37
training 91–92
Targeted training, security 91–92
Training cycle 
adjustment 93
biannual 90
continual training 90–91
embedded 91
minimal 92
moderate 92
quarterly security awareness 90
robust 92
security analyst 152

U

Uniform resource locator (URL) 104, 105

V

Video training 85
Visual learning styles 40, 41

W

Watering hole attacks 30–31
Web-based training (WBT) 83–85
Web resources and links 161
Website, security awareness 109–110
West Virginia Consumer Credit and Protection Act 
applicability 23, 174
computerized personal information 173–174
definitions 20–22, 172–173
notification procedures 23
security breach notice requirements 174
violations 23, 174