Table of Contents

Cover image

Title page

Copyright

Dedications

Forewords

Preface

About the Authors

Acknowledgments

Chapter 1: What Is a Security Awareness Program?

Abstract

Introduction

Policy Development

Policy Enforcement

Cost Savings

Production Increases

Management Buy-In

Chapter 2: Threat

Abstract

The Motivations of Online Attackers

Money

Industrial Espionage/Trade Secrets

Hacktivism

Cyber War

Bragging Rights

Chapter 3: Cost of a Data Breach

Abstract

Ponemon Institute

HIPAA

The Payment Card Industry Data Security Standard (PCI DSS)

State Breach Notification Laws

Chapter 4: Most Attacks Are Targeted

Abstract

Targeted Attacks

Recent Targeted Attacks

Targeted Attacks Against Law Firms

Operation Shady RAT

Operation Aurora

Night Dragon

Watering Hole Attacks

Common Attack Vectors: Common Results

Chapter 5: Who Is Responsible for Security?

Abstract

Information Technology (IT) Staff

The Security Team

The Receptionist

The CEO

Accounting

The Mailroom/Copy Center

The Runner/Courier

Everyone Is Responsible For Security

Chapter 6: Why Current Programs Don't Work

Abstract

The Lecture is Dead as a Teaching Tool

Chapter 7: Social Engineering

Abstract

What is Social Engineering?

Who are Social Engineers?

Why Does It Work?

How Does It Work?

Information Gathering

Attack Planning and Execution

The Social Engineering Defensive Framework (SEDF)

Where Can I Learn More About Social Engineering?

Chapter 8: Physical Security

Abstract

What is Physical Security?

Physical Security Layers

Threats to Physical Security

Why Physical Security is Important to an Awareness Program

How Physical Attacks Work

Minimizing the Risk of Physical Attacks

Chapter 9: Types of Training

Abstract

Training Types

Formal Training

Informal Training

Chapter 10: The Training Cycle

Abstract

The Training Cycle

New Hire

Quarterly

Biannual

Continual

Point of Failure

Targeted Training

Sample Training Cycles

Adjusting Your Training Cycle

Chapter 11: Creating Simulated Phishing Attacks

Abstract

Simulated Phishing Attacks

Understanding the Human Element

Methodology

Open-Source Tool, Commercial Tool, or Vendor Performed?

Before You Begin

Determine Attack Objective

Select Recipients

Select a Type of Phishing Attack

Composing the E-mail

Creating the Landing Page

Sending the E-mail

Tracking Results

Post Assessment Follow-up

Chapter 12: Bringing It All Together

Abstract

Create a Security Awareness Website

Sample Plans

Promoting Your Awareness Program

Chapter 13: Measuring Effectiveness

Abstract

Measuring Effectiveness

Measurements vs. Metrics

Creating Metrics

Additional Measurements

Reporting Metrics

Chapter 14: Stories from the Front Lines

Abstract

Phil Grimes

Amanda Berlin

Jimmy Vo

Security Research at Large Information Security Company

Harry Regan

Tess Schrodinger

Security Analyst at a Network Security Company

Ernie Hayden

Appendices

Appendix A: Government Resources

Appendix B: Security Awareness Tips

Appendix C: Sample Policies

Appendix D: Commercial Security Awareness Training Resources

Appendix E: Other Web Resources and Links

Security Awareness Posters

Appendix F: Technical Tools That Can Be Used to Test Security Awareness Programs

Appendix G: The Security Awareness Training Framework

Appendix H: Building A Security Awareness Training Program Outline

Appendix I: State Security Breach Notification Laws

Appendix J: West Virginia State Breach Notification Laws, W.V. Code §§ 46A-2A-101 et seq

Appendix K: HIPAA Breach Notification Rule

Notification by a Business Associate

Federal Trade Commission (FTC) Health Breach Notification Rule

Appendix L: Complying with the FTC Health Breach Notification Rule

Who's Covered by the Health Breach Notification Rule

You're Not a Vendor of Personal Health Records If You're Covered by HIPAA

Third-Party Service Provider

What Triggers the Notification Requirement

What to do If a Breach Occurs

Who You Must Notify and When You Must Notify Them

How to Notify People

What Information to Include

Answers to Questions About the Health Breach Notification Rule

We’re a HIPAA Business Associate, But We Also Offer Personal Health Record Services to the Public. Which Rule Applies to Us?

What’s the Penalty for Violating the FTC Health Breach Notification Rule?

Law Enforcement Officials Have Asked Us to Delay Notifying People About the Breach. What Should We Do?

Where Can I Learn More About the FTC Health Breach Notification Rule? Visit www.ftc.gov/healthbreach.

Your Opportunity to Comment

Appendix L: Information Security Conferences

Appendix M: Recorded Presentations on How to Build an Information Security Awareness Program

Appendix N: Articles on How to Build an Information Security Awareness Program

Index
