Domain 5
5.6 Security Awareness
Implement security awareness practices.
0% Complete

Phishing awareness is the strategic process of educating users to recognize, avoid, and report social engineering attacks delivered via electronic communication.
Phishing Recognition and Principles Phishers exploit human psychology using specific influence principles to bypass technical controls. - Urgency: Creating a "limited time" scenario to force a user to act before thinking. - Authority: Impersonating executives (CEO fraud) or government agencies to compel obedience. - Scarcity: Offering exclusive access or rewards to encourage clicks. - Social Proof: Using the influence of peers or large groups to validate a malicious request. - Fear: Threatening account suspension or legal action to induce panic and compliance.
Phishing Campaigns and Training Organizations must move beyond static instructional memos to keep users engaged and reduce the risk of "tuning out." - Computer-Based Training (CBT): Utilizing diverse media such as videos and interactive modules to improve retention. - Gamification: Applying game-design elements like leaderboards, badges, and points to make security assessments engaging. - Capture the Flag (CTF): Using controlled environments where employees perform mock attacks (like SQL injections) to understand the attacker's perspective. - Phishing Simulations: Sending safe "lure" emails to staff to identify high-risk users and measure the organization's current risk awareness.
Risk Response and Assessment Managing the threat of phishing involves identifying vulnerabilities and determining the appropriate response level. - Risk Analysis: Calculating the likelihood of an attack and the potential impact on assets. - Risk Avoidance: Choosing to eliminate a high-risk activity entirely rather than trying to secure it. - Risk Mitigation: Implementing controls, such as MFA or phishing filters, to reduce threats to an acceptable level. - Residual Risk: The remaining threat level after all security controls are applied; management must decide to either accept this risk or invest further.
Adversarial AI and Evasion Attackers are increasingly using Artificial Intelligence and Machine Learning to scale phishing. - Deepfakes: Using AI to spoof Voice Recognition (Siri/Alexa styles) or Facial Recognition for sophisticated social engineering. - Adversarial AI: Using automated tools to craft highly personalized emails based on OSINT (Open Source Intelligence) gathered from social media.
Quick recall - Phishing vs. Vishing: Phishing is email-based; vishing uses voice/phone. - OSINT: Data gathered from public sources to make phishing lures more convincing. - Residual Risk: Risk that remains after training and technical controls are active. - Trigger words: Urgency, Authority, Badges, Leaderboards, Likelihood/Impact.