Foreword  xi
Introduction  xiii

Chapter 1: Step 1: Foster a Strong Security Culture  1
    Kevin Mitnick, Human Hacker Extraordinaire  3
    The Importance of a Strong Security Culture  5
    Hackers Are the Bad Guys, Right?  6
    What is Security Culture?  7
    How to Foster a Strong Security Culture  9
    Security Leaders on Security Culture  12
    What Makes a Good CISO?  13
    The Biggest Mistakes Businesses Make When It Comes to Cybersecurity  14
    The Psychological Phases of a Cybersecurity Professional  15

Chapter 2: Step 2: Build a Security Team  19
    Why Step 2 is Controversial  20
    How to Hire the Right Security Team...the Right Way  28
    Security Team Tips from Security Leaders  29
    The "Culture Fit"--Yuck!  30
    Cybersecurity Budgets  34
    Design Your Perfect Security Team  35

Chapter 3: Step 3: Regulatory Compliance  39
    What Are Data Breaches, and Why Are They Bad?  40
    The Scary Truth Found in Data Breach Research  45
    An Introduction to Common Data Privacy Regulations  49
    The General Data Protection Regulation  49
    The California Consumer Privacy Act  50
    The Health Insurance Portability and Accountability Act  52
    The Gramm-Leach-Bliley Act  52
    Payment Card Industry Data Security Standard  53
    Governance, Risk Management, and Compliance  53
    More About Risk Management  54
    Threat Modeling  55

Chapter 4: Step 4: Frequent Security Testing  57
    What is Security Testing?  58
    Security Testing Types  58
    Security Audits  58
    Vulnerability Assessments Versus Penetration Testing  59
    Red Team Testing  61
    Bug Bounty Programs  61
    What's Security Maturity?  63
    The Basics of Security Audits and Vulnerability Assessments  64
    Log Early, Log Often  66
    Prepare for Vulnerability Assessments and Security Audits  67
    A Concise Guide to Penetration Testing  69
    Penetration Testing Based on Network Knowledge  70
    Penetration Testing Based on Network Aspects  73
    Security Leaders on Security Maturity  76
    Security Testing is Crucial  78

Chapter 5: Step 5: Security Framework Application  79
    What is Incident Response?  80
    Preparation  80
    Identification or Analysis  82
    Containment, Mitigation, or Eradication  83
    Recovery  84
    Post-incident  86
    Your Computer Security Incident Response Team  86
    Cybersecurity Frameworks  89
    NIST Cybersecurity Framework  89
    Identify  90
    Protect  92
    Detect  95
    Respond  97
    Recover  99
    ISO 27000 Cybersecurity Frameworks  101
    CIS Controls  102
    COBIT Cybersecurity Framework  105
    Security Frameworks and Cloud Security  106

Chapter 6: Step 6: Control Your Data Assets  109
    The CIA Triad  110
    Access Control  112
    Patch Management  113
    Physical Security and Your Data  115
    Malware  116
    Cryptography Basics  119
    Bring Your Own Device and Working from Home  123
    Data Loss Prevention  124
    Managed Service Providers  126
    The Dark Web and Your Data  128
    Security Leaders on Cyber Defense  130
    Control Your Data  132

Chapter 7: Step 7: Understand the Human Factor  133
    Social Engineering  134
    Phishing  139
    What Can NFTs and ABA Teach Us About Social Engineering?  141
    How to Prevent Social Engineering Attacks on Your Business  146
    UI and UX Design  147
    Internal Threats  148
    Hacktivism  152

Chapter 8: Step 8: Build Redundancy and Resilience  155
    Understanding Data and Networks  156
    Building Capacity and Scalability with the Power of the Cloud  158
    Back It Up, Back It Up, Back It Up  161
    RAID  162
    What Ransomware Taught Business About Backups  164
    Business Continuity  167
    Disaster Recovery  168

Chapter 9: Afterword  173
    Step 1  173
        The Most Notorious Cyberattacker Was Actually a Con Man  174
        A Strong Security Culture Requires All Hands on Deck  174
        Hackers Are the Good Guys, Actually  174
        What Is Security Culture?  175
        What Makes a Good CISO?  175
        The Psychological Phases of a Cybersecurity Professional  176
        Recommended Readings  177
    Step 2  178
        Tackling the Cybersecurity Skills Gap Myth  178
        Take "Culture Fit" Out of Your Vocabulary  179
        Your Cybersecurity Budget  180
        Recommended Readings  180
    Step 3  181
        Data Breaches  181
        Data Privacy Regulations  182
        Risk Management  183
        Recommended Readings  183
    Step 4  184
        Security Audits  184
        Vulnerability Assessments  185
        Penetration Testing  185
        Bug Bounty Programs  185
        Recommended Reading  186
    Step 5  187
        Incident Response  187
        Cybersecurity Frameworks  187
        Recommended Reading  188
    Step 6  188
        The CIA Triad  188
        Access Control  189
        Patch Management  189
        Physical Security  189
        Malware  189
        Cryptography  190
        BYOD and Working from Home  190
        Data Loss Prevention  191
        Managed Service Providers  191
        Recommended Reading  191
    Step 7  192
        Social Engineering  192
        UI and UX Design  193
        Internal Threats  193
        Recommended Readings  194
    Step 8  194
        Cloud Networks  195
        Data Backups  195
        Business Continuity and Disaster Recovery  196
        Recommended Readings  196
    Keeping Your Business Cyber Secure  197

Index  199
KIM CRAWLEY focuses on researching and writing about cybersecurity issues. Her career has included work with Sophos, AT&T Cybersecurity, BlackBerry Cylance, Tripwire, and Venafi. She specializes in all matters red team, blue team, and purple team and is especially fascinated by malware, social engineering, and advanced persistent threats. She runs an online cybersecurity event called DisInfoSec.