Book Review: "Building an Information Security Awareness Program: Defending Against Social Engineering and Technical Threats"

Building an Information Security Awareness Program: Defending Against Social Engineering and Technical Threats by Bill Gardner and Valerie Thomas is a great information security book. Rarely do you see a defensive approach to social engineering, a human problem within the computer security sphere that is widely regarded as the weakest link in security. The book is about 150 pages, and costs $50 new in paperback and $35 on the Kindle from Amazon, but based on other security books of the same size and relative content I find this to be a little overpriced. With forewords by both Kevin Mitnick and Dave Kennedy, the issue of social engineering in the enterprise is made clear, and this book was created to be the answer. According to Bill himself, "The purpose of this book is to lay out a plan to build a program from the ground up and then look at some way to measure the effectiveness of the program once it's in place." Overall, the book remains technical and practical in its advice while focusing on a largely human and educational topic, giving great advice and metrics along the way. I give this book 7/10 stars, for being a great book on a subject largely untouched from a defensive side. I recommend this book for blue teamers and those putting together information security programs; however, I don't recommend this book to red teamers or general penetration testers, as they will likely already know the social engineering methods covered in this book or can learn them from a more comprehensive source.

As Bill outlines in the first chapter, a large part of a mature security program is user awareness training, and this book is a direct roadmap to setting up a rock solid user awareness campaign. Security awareness training not only plays a large part in preventing and/or detecting breaches, but it is also a critical piece of compliance and in the long run is one of the best proactive expenses a company can make. Using a large list of compliance mandates and recent breaches, the book really hammers home how costly a breach can be and how real the threat is. The book does an excellent job at breaking down how every part of the lifecycle has a role in the security of the company. It goes into social engineering and how the weakest link in this lifecycle is most often the human element. The book gives practical advice on how to understand, audit and train the human element against security risks. It points to open source tools for simulating your own social engineering attacks, providing training exercises and measuring the effectiveness of your program. The book places an emphasis on creating valuable measurements and metrics, and ultimately being able to gauge the success and value of your security awareness program. Coupled with personal stories regarding establishing information security programs, this book is clearly an excellent roadmap for those looking to institute their own information security awareness program. Finally, the book ends on a serious note with some breach notification rules. Each chapter also has extensive notes, annotations really, with links to supporting articles.

The following is the list of chapters and their major sub-sections. I include this as I think it gives a good outline of what the book covers:

Forewords
Kevin Mitnick
Dave Kennedy

Preface
About The Authors
Acknowledgments

What is a Security Awareness Program?
Introduction
Policy Development
Policy Enforcement
Cost Savings
Production Increases
Management Buy-In

Threats
The Motivations of Online Attackers
Money
Industrial Espionage / Trade Secrets
Hacktivism
Cyber War
Bragging Rights

Cost of a Data Breach
Ponemon Institute
HIPAA
The Payment Card Industry Data Security Standard (PCI DSS)
State Breach Notification Laws

Most Attacks are Targeted
Targeted Attacks
Recent Targeted Attacks
Targeted Attacks Against Law Firms
Operation Shady Rat
Operation Aurora
Night Dragon
Watering Hole Attacks
Common Attack Vectors: Common Results

Who Is Responsible for Security?
Information Technology (IT) Staff
The Security Team
The Receptionist
The CEO
Accounting
The Mailroom / Copy Center
The Runner / Courier
Everyone is Responsible for Security

Why Current Programs Don't Work
The Lecture is Dead as a Teaching Tool
Why Learning Styles? Understand the Basis of Learning Styles

Social Engineering
What is Social Engineering?
Who are Social Engineers?
Why Does it Work?
How does it Work?
Information Gathering
Attack Planning and Execution
The Social Engineering Defensive Framework (SEDF)
Where can I Learn More About Social Engineering?

Physical Security
What is Physical Security?
Physical Security Layers
Threats to Physical Security
Why Physical Security is Important to an Awareness Program
How Physical Attacks Work
Minimizing the Risk of Physical Attacks

Types of Training
Formal Training
Informal Training

The Training Cycle
New Hire
Quarterly
Biannual
Continual
Point of Failure
Targeted Training
Sample Training Cycles
Adjusting Your Training Cycle

Creating Simulated Phishing Attacks
Understanding the Human Element
Methodology
Open-source Tool, Commercial Tool, or Vendor Performed?
Before You Begin
Determine Attack Objective
Select Recipients
Select a Type of Phishing Attack
Composing the E-mail
Creating the Landing Page
Sending the E-mail
Tracking Results
Post Assessment Follow-up

Bringing It All Together
Create a Security Awareness Website
Sample Plans
Promoting Your Awareness Program

Measuring Effectiveness
Measurements Vs. Metrics
Creating Metrics
Additional Measurements
Reporting Metrics

Stories from the Front Lines
Phil Grimes
Amanda Berlin
Jimmy Vo
Security Research at Large Information Security Company
Harry Regan
Tess Schrodinger
Security Analyst at a Network Security Company
Ernie Hayden
One of my favorite parts of the book is "Why Current Programs Don't Work", where Bill dives into why security is hard to bring about, quoting Bruce Schneier in saying, "Security is a process, not a product". Information security is not a black-and-white topic, and malicious programs or intents can often be hard to decipher, so traditional learning models, such as lectures or computer based training, aren't as effective. Bill presents a lot of research showing that universities are more successful when they implement interactive learning techniques. Bill covers the seven learning styles, visual, aural, verbal, physical, logical, social, and solitary, and applies them to helping instill practical information security awareness. This was a really informative chapter for me, and was a unique approach to computer security education I will make sure to keep in mind in the future.

The introduction of the Social Engineering Defensive Framework (SEDF) is also a great tool to help organizations win the battle over social engineering attacks. It outlines four basic phases, which also effectively embody the book: Determine Exposure, Evaluate Defenses, Educate the Workforce, and Streamline Existing Technology. Determining exposure involves evaluating internet resources for information leaks that could aid attackers. Evaluating defenses then involves testing the organization and general employee body against information security attacks. Educating the workforce involves bolstering the information security awareness campaign in areas where the metrics revealed deficiencies; in this way the program can continuously work on its weak points and become part of the true security life cycle. Finally, streamlining existing technology and policy will supplement your education program, giving the staff the proper tools and procedures to deal with security events. Ultimately this means you will have evaluated and tested your security posture, learned and promoted education around any deficiencies, and then implemented new policy and acquired the supporting technology to protect yourself from these threats in the future. This is a chapter that I would read in depth and certainly build into any information security awareness program I were going to implement.

Lastly, I enjoyed "Stories from the Front Lines" the most of any chapter in the entire book. Being a penetration tester and highly active red teamer, many of the lessons of this book were either not directly applicable to me, or presented in a watered down form. This chapter really delivered for me, giving valuable first-hand anecdotes, and it also proved that the book has something for everyone, from the person seeking an awareness education roadmap to the security enthusiast looking for an intellectual read.

Overall, this is a great book, and I highly recommend it to those building out information security programs. It also comes with a number of useful tools to aid your program, including the SEDF and a great appendix of resources. I really hope you pick this book up if you're looking at rolling out an information security awareness program, as this book is chock full of information security education tips. The appendices also include such gems as:

Government Resources and Publications
Security Awareness Tips
Sample Policies
Commercial Security Awareness Training Resources
Web Resources and Links
Technical Tools That Can Be Used To Test Security Awareness Programs
The Security Awareness Training Framework
Building a Security Awareness Training Program Outline
State Security Breach Notification Laws
HIPAA Breach Notification Rule
Complying With The FTC Health Breach Notification Rule
Information Security Conferences
Recorded Presentations On How To Build An Information Security Awareness Program
Articles On How To Build An Information Security Awareness Program