Скачать книгу

I a Builder Yet?

      Michele and I started to develop a program that we implemented in a few places. The program is simple but powerful. It involves using the very tools that are used against us to empower us. We know that this concept is not something we invented. After all, there are more than a handful of companies right now selling “phishing services” to legitimate organizations. Many users of those products – large companies – have come to us and said things like, “We have been using this tool for a year, but our click ratios are still super high. What can we do?”

      Before I answer that, let me tell you a story. I remember when I was buying my first home. My wife and I were super excited as the closing approached. (We were going to own a home!) So I did what all men who own a home do: I bought some more tools. I went to Home Depot and bought a beautiful set of cordless tools, a saw, a drill, a jigsaw, and some other miscellaneous tools.

      I brought them into my house the first day and found the perfect spot on the shelves in the basement for that toolbox. There it sat for a year. Then all of a sudden I had to cut something. I was so excited; I finally got to use my new tools! I got the toolbox and pulled out the circular saw. I read all the instructions, including something like, “Ensure you are using the proper blade for the material you are cutting.”

      I looked at the blade, thought, “Yep, looks sharp,” and cut my board. It worked. I still had all my limbs and appendages, the board was cut, and the saw didn't blow up. This process continued for a couple hours when all of a sudden the saw started jamming; it stopped cutting. I charged the batteries and did the finger-touch test to the blade and thought, “Ouch, still sharp.” Frustrated, I determined the tool was at fault. “Stupid saw; must be defective.”

      Then a friend came over to help me out. He took one look at the saw and said, “Um, dude, why are you cutting 2×4s with a fine-tooth blade?”

      “A what-toothed what?” I replied.

      My friend shook his head, and then he gave me an education on blades.

      Why do I tell you this humiliating, emasculating story other than to point out my utter lack of manliness? To prove this point: Owning tools does not make you a builder!

      Phishing tools are no different than construction tools. Just buying the tool doesn't make you secure, and it doesn't make you able to educate others on the phishing problem.

      Teaching People to Phish

      So, back to the program Michele and I were developing: We started to analyze phishing and security awareness programs and discovered – as many other serious security professionals have determined – that many of them were useless.

      No, security awareness is not useless. I'm not so naïve and silly to say that we don't need awareness. But the style and method of awareness training just wasn't working. Seriously, raise your hand right now if you ever paid attention all the way through a 30- or 60-minute DVD presentation on security awareness. Okay – the one guy in the back – you can put your hand down. But as I suspected, barely a hand is raised.

      People tune out training if it's not interactive and quick. Marketers know this; they tell us to make websites interesting, fun, interactive, and to the point. Why should education be anything less?

      We started to come up with a plan to make the phishing portion of our clients' security awareness interactive, interesting, and, most of all, not too lengthy. That is why this book had to be written; we wanted to answer a few questions:

      • How serious is phishing?

      • What psychological principles play a part in phishing?

      • Can phishing really be used as a successful part of your security awareness education?

      • If so, how can a company implement that?

      • Can any size business create a serious phishing education program?

      We sat down and outlined a book on phishing, defined our program, and formalized our methodology. We then gave a lot of thought to whether we wanted to release this to the public; after all, it took us years of work to develop our method. After we started to see how it was helping so many of our clients, we decided to write the book. On first approach, though, it seemed like a phishing book wasn't of much interest to many – at least not until the events of 2014, when phishing dominated the front pages again and again during real hacking events. Phishing is being used in attacks every day; phishing service providers are popping up every month; and companies all over the globe are jumping on the bandwagon to start phishing education programs.

      What You Can Expect

      Michele and I hope that this book will help you on your quest to protect yourself and your company against malicious phishers. We want to take you on the journey we went through in getting ready to write this book.

      Chapter 1 starts with the basics. It explains what phishing is and why it is used, and we included a lot of examples of the most current and effective phish.

      Chapter 2 delves into the why of phishing. Why do those phish work? What is the psychology behind them that makes phishing so effective?

      Chapter 3 takes a look at just one area – influence – and explains how that principle is used by malicious phishers.

      Chapter 4 is all about protection. Now that the first three chapters have covered the bases of what phishing is, it's time to start discussing how you can protect yourself from it. We give tips for both civilians and corporations, as well as analyze some of the worst suggestions we have heard.

      Chapter 5 gets into how you can create a corporate phishing program to help secure your folks.

      But how do you tie all this information into corporate policies? I know, I know; the word policy is like a four-letter word in these books. But we have to discuss it, and the brief but important Chapter 6 is where we do that.

      This book wouldn't be complete without looking at some of the most current tools on the market and how they work to complement the program being set up. Chapter 7 covers those tools.

      Chapter 8 concludes the book by rounding off all the principles and discussion with some clear-cut rules of making this program work.

      Conventions Used in This Book

      To help you get the most from the text and keep track of what's happening, we used some conventions throughout the book.

      Special formatting in the text represents the following things:

      • We highlight new terms and important words when we introduce them.

      • We show URLs within the text like so: www.social-engineer.org/.

      Note

      Notes indicate notes, tips, hints, tricks, or asides to the current discussion.

      Summary

      The idea behind this book is to dissect what a phish is, why it works, and the principles behind it. We want to fully expose all the flaws of phishing so you can understand how to defend against it.

      In my last book, Unmasking the Social Engineer, I told a story about a friend who is a master swordsman. He learned his skill by learning all about swords – how to use them and how they work – and then choosing the best partner to help him learn how to fight with them. That story applies here, too. After you learn all about identifying phish, become familiar with the available tools, and learn how to choose a good sparring partner, you can then begin to create a program that will hone your skills and help you and your employees, family, and friends stay secure.

      Before we can get that deep into the ring, we need to start with some light weights, including learning some key elements such as “What is phishing?” and “What are some examples of it?”

      Read on to find out the answers to these questions.

      Chapter 1

      An Introduction to the Wild World of Phishing

      Lana: