Building an Information Security Awareness Program: Defending Against Social Engineering and Technical Threats, First Edition (2014)
Companies invest millions of dollars each year in the latest security products, from firewalls to access-card systems, but they fail to invest in their most valuable resources in securing their environments—more specifically, their employees. All too often, security-awareness training is a once-a-year event involving dated and unengaging material that is largely ignored. The result is that employees lack understanding of modern-day attacks and their ramifications. This knowledge gap presents endless opportunities for attackers. In Building a Security Awareness Program, Bill Gardner and Valerie Thomas have detailed the steps for building an entire security-awareness program from scratch. The book also serves as a guidebook for those seeking to improve or modernize their existing security-awareness programs.
Personally, I have used this knowledge gap to my advantage in my past life as a black-hat hacker and throughout my time as a security consultant. I have accessed thousands of systems by combining social engineering with technical attacks. During a recent penetration test, I obtained access to a client's network by e-mailing a malicious document that appeared to originate from one of the client's vendors. All it took was one click of a mouse and I was in. A few days later, I had access to the client's entire corporate network, source code, financials, and more.
While phishing is a popular attack vector, other types of attacks still pose threats. The stories in the social engineering chapter may seem too good to be true, but they describe actual events. Thomas and Gardner have performed these attacks during penetration tests on unsuspecting employees and were successful every time. The best technologies in the world won't protect you if an attacker can walk right through the front door unchallenged. In Chapter 12, “Bringing It All Together,” Thomas and Gardner define the steps needed not only to build an awareness program but also to begin the process of empowering the employee to challenge and verify suspicious behavior.
As attacks become more focused, organizations must adapt their defenses to include the human element of security. Creating an awareness program from the ground up can be intimidating and overwhelming. Building a Security Awareness Program walks you through the step-by-step process of creating a program as unique as your organization so you'll be prepared when an attacker comes calling.
Kevin Mitnick, speaker, consultant, and author of The New York Times best-seller Ghost in the Wires
This book to me is one of the fundamental books that should be used in building an information security program and understanding what risks are really out there. For me, one of the largest risks we face in security today is through the human element. Bill and Valerie have done an amazing job in showing both the effectiveness of the types of attacks that can happen and, most importantly, how to build a successful program that aims at reducing the risks associated with targeted attacks. When I was a chief security officer for a Fortune 1000 company, building an education and awareness program was one of my most fulfilling moments. Not only did the awareness program give the security team an elevated detection capability within our employee population, but it also started to change the culture to something that was security-driven. When we implemented something in our organization, it wasn't because security was doing it to be draconian or overprotective—our employees actually understood that it was part of a much larger picture. A mission that mattered. Our program skyrocketed and moved at an escalated pace, with executives and IT working alike toward one goal. All because of our awareness program.
Flash forward and look at the attacks that are occurring. Our perimeter is getting better and we're locking down more things. Hackers move to the path of least resistance, and that is our end-user population right now. We have to take action, we have to train our people, and most importantly, it has to matter to them. Education and awareness work, and I can prove it with folks that we work with all the time. I've seen awareness transform an entire company into a security-driven one on a number of occasions. Focus less on the technology, and focus on the fundamental blocks of educating your users.
I've read a lot of books in my time, but this one is different. It's a way to build a successful security-awareness program, a way to pave your INFOSEC program forward, and a way to train users in a way that makes it possible to detect attacks. I'm such a big advocate of bringing awareness to corporations and employees; it's one of the best returns you will ever get on an investment. The blend that Bill and Valerie bring in showing successful attacks that have occurred in the wild and following it up with how to proactively defend is brilliant.
If you have read through this book already, take everything in, take a break, and figure out how to implement everything that you've learned here. These words of advice come from experience and from what works. Your program, your visibility, and your ability to stop attacks while reducing risk depend on it.
If you are just picking this book up and you can pick up one book this year, pick this one. It's one of the most important books you will ever read.
Dave Kennedy, speaker, consultant, author, and CEO of TrustedSec
Many people have asked me why I wanted to write a book on building an information security awareness program. While everyone knows having one is a great idea, no one really knows where to start. The purpose of this book is to lay out a plan to build a program from the ground up and then look at some ways to measure the effectiveness of the program once it's in place.
This book is meant to be a roadmap. One size won't always fit all, and there may be different routes to achieving the same goals in your organization. As I built information security awareness programs, I realized that documenting what I was doing and how I was doing it might be valuable to others who might need such information.