![Page 1: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/1.jpg)
March 31, 2015
Pat Falcon Information Security Policy & Awareness Specialist
David Sherry Chief Information Security Officer
Managing the Phishing Frenzy at Brown University
The Phish Bowl
Providence, RI
This presentation leaves copyright of the content to the presenter. Unless otherwise noted in the materials, uploaded content carries the Creative Commons Attribution-NonCommercial-
ShareAlike license, which grants usage to the general public with the stipulated criteria.
![Page 2: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/2.jpg)
How to keep your head above
water when it feels like you’re
drowning in good intentions.
or . . .
![Page 3: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/3.jpg)
Goal
Introduce you to a good model for creating your own
“phishing central” with supporting procedures.
Provide ideas for an awareness campaign to empower and
engage your users in helping to thwart phishing attacks.
The Phish Bowl
![Page 4: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/4.jpg)
Overview
Context
Computing at Brown
Computing & Information Services
The Information Security Group (ISG roles & relationships)
The Phishing Frenzy of August 2013 (or, the Great Flood)
The Phish Bowl
![Page 5: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/5.jpg)
The Phish Bowl
What it is (and isn’t)
Process: creation, roll-out, results, next steps
Tour (brown.edu/go/phishbowl)
The Phish Bowl
Overview
![Page 6: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/6.jpg)
Your Phishing Story
A chance to share your solutions
What have you built?
Or perhaps, rebuilt?
Inspired by this talk?
The Phish Bowl
Overview
![Page 7: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/7.jpg)
Sound like a plan?
![Page 8: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/8.jpg)
Sound like a plan?
![Page 9: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/9.jpg)
Context
Computing at Brown (the numbers)
Faculty: 718 (if adjunct, visiting, clinical, and other "non-regular" faculty included 2,000+)
Staff: 3,207 (includes exempt, non-exempt, limited duration, union and bio-med)
Students: 8,848 (6,264 undergrads, 2,094 graduate and 490 medical students)
Hospital affiliation: 3,508 (includes affiliated but not on payroll)
Total number of accounts: ~ 20,000 + alumni + applicants
» All possible phishing victims!
The Phish Bowl
![Page 10: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/10.jpg)
Context
Computing & Information Services (CIS)
Large, mostly centralized computing organization
Over 200 full-time staff plus student employees
Departmental IT groups (including Advancement, BioMed, Center for Computation &
Visualization, Division of Campus Life & Student Services, Facilities Management and University Library)
CIO reports to Provost, eight direct reports
http://it.brown.edu (new website)
The Phish Bowl
![Page 11: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/11.jpg)
Context
Information Security Group (ISG)
Small team of two works closely with allies to extend its impact Network security engineers (separate group), IT Service Desk, decentralized computing support (DCCs)
CISO – CIS senior director, consulted on all major IT projects OGC, Internal Audit, VP Research, Bio Med IT director (HIPAA), CCV, Asst VP of Business & Finance /
Commerce Committee (PCI), DPCRM / Univ Library, Alumni Relations, etc.; in position since 2008
Policy & Awareness Specialist Responsible for National Cyber Security Awareness Month and Data Privacy Month events; all
communication including website, alerts, social media and marketing; in position since formed in 2004
The Phish Bowl
![Page 12: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/12.jpg)
Context
Phishing Frenzy
And then the dam burst in August 2013 and it soon felt like we
were gasping for air (42 compromised accounts just on Aug 1 & 2!)
The Phish Bowl
![Page 13: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/13.jpg)
Along the phishing perimeter Winter of 2014
![Page 14: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/14.jpg)
From: P. Sentha Kumar Sent: Wednesday, December 17, 2014 1:49 AM To: senthangri @yahoo.com Subject: Help please
![Page 15: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/15.jpg)
Hope all is well with you, am out of town I travel to Turkey for a short vacation , I have a little problem here my ATM card didn't work here...
![Page 16: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/16.jpg)
I tried about 5 different ATM booths no money was dispensed.
![Page 17: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/17.jpg)
am stranded here I don't have any money with me. I need you to wire me 2000 Euro or whatever amount if not all via western Union I'll refund back your money immediately I get back next week.
![Page 18: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/18.jpg)
Let me know if you can help me out. Hope to hear from you soon Thanks, Sentha
![Page 19: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/19.jpg)
Learn how to spot phishing attempts.
Look for them in the Phish Bowl ( brown.edu/go/phishbowl ).
Report sightings to [email protected].
Make phishing History!
This message brought to you by the
Information Security Group, CIS
![Page 20: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/20.jpg)
The Phish Bowl (an origin story)
The Idea
Began as a suggestion to segregate phishing alerts –
provided by the Brown community – on one basic page
Envisioned as a moderated online upload site
Would be used to feed social media (“Phish Feed”)
The Phish Bowl
![Page 21: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/21.jpg)
But it could also be an opportunity to develop a more timely and efficient system for managing phishing threats to better protect the Brown community do this by standardizing incident response
address general confusion (community and IT staff)
expedite alerts to prevent escalation of phishing incidents
The Phish Bowl
The Phish Bowl (an evolution)
![Page 22: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/22.jpg)
But it could also be an opportunity to:
raise awareness and be a teaching tool.
be the focus of our back-to-school campaign and National Cyber
Security Awareness Month efforts in October.
empower the community by appealing to their nature to serve.
The Phish Bowl
The Phish Bowl (an evolution)
![Page 23: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/23.jpg)
The Phish Bowl
The Phish Bowl (an evolution)
In other words . . .
it became less about technology
![Page 24: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/24.jpg)
and more about marketing and
social engineering (the good kind).
The Phish Bowl
The Phish Bowl (an evolution)
In other words . . .
it became less about technology
![Page 25: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/25.jpg)
and more about marketing and
social engineering (the good kind).
The Phish Bowl
The Phish Bowl (an evolution)
![Page 26: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/26.jpg)
and more about marketing and
social engineering (the good kind).
The Phish Bowl
The Phish Bowl (an evolution)
In other words . . .
it became less about technology
![Page 27: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/27.jpg)
Creation & tour
Roll-out & marketing materials
Results
Next steps
The Phish Bowl
The Phish Bowl (the process)
![Page 28: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/28.jpg)
Timeline:
March & April 2014: “Phish Feed”; proposal written & finalized
May: Approval by senior directors to proceed
June & July: Meeting with web team (design* & marketing plans)
August: Website in place; messages firmed up (announcements,
canned response); workflow document created; training; release
* Design and name inspired by Cornell’s “Phish Bowl” (thanks!)
The Phish Bowl
The Phish Bowl (creation)
![Page 29: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/29.jpg)
To automate or not to automate?
Web form + dashboard for a moderator
Could auto-strip URLs but how to handle
Brown names or other content not to post?
Bottom Line:
How to make it as easy as possible for user?
Just forward it!
The Phish Bowl
The Phish Bowl (creation)
![Page 30: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/30.jpg)
brown.edu/go/phishbowl
The Phish Bowl
The Phish Bowl (tour)
![Page 31: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/31.jpg)
8/15 (2014): IT Service Desk demo and training
8/18: “Go Live!” date
8/19: Targeted email (CIS, department computing coordinators)
8/25: Morning Mail (morningmail.brown.edu)
8/29-30: Back-to-School
10/1-31: National Cyber Security Awareness Month
10/29: Brown’s Safety Resource Fair (every October)
3/15-20 (2015): New site, new look
The Phish Bowl
The Phish Bowl (roll-out)
![Page 32: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/32.jpg)
The Phish Bowl
The Phish Bowl (auto-response)
![Page 33: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/33.jpg)
The Phish Bowl
The Phish Bowl (auto-response)
![Page 34: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/34.jpg)
The Phish Bowl
The Phish Bowl (announcement)
![Page 35: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/35.jpg)
The Phish Bowl
The Phish Bowl (announcement)
![Page 36: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/36.jpg)
Back-to-School
The Phish Bowl
The Phish Bowl (marketing)
![Page 37: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/37.jpg)
October / National Cyber Security Awareness Month
Website (links to events and online contest)
Ads in student newspaper (Brown Daily Herald)
The Phish Bowl
The Phish Bowl (marketing)
![Page 38: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/38.jpg)
October / National Cyber Security Awareness Month
Website (links to events and online contest)
Ads in student newspaper (Brown Daily Herald)
The Phish Bowl
The Phish Bowl (marketing)
![Page 39: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/39.jpg)
The Phish Bowl
National Cyber Security Awareness Month
![Page 40: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/40.jpg)
The Phish Bowl
National Cyber Security Awareness Month
![Page 41: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/41.jpg)
The Phish Bowl
National Cyber Security Awareness Month
![Page 42: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/42.jpg)
The Phish Bowl
National Cyber Security Awareness Month
![Page 43: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/43.jpg)
In the crucible / trial by fire The timing couldn’t have been any better
On the whole, it worked as intended On 8/25 – 8/26, we received 55 reports to phishbowl
During that same period, personal account (5), ISG (9), and has continued to diminish over time
Hits on brown.edu/go/phishbowl Still get reports for alerts in Phish Bowl, but it is consulted
The Phish Bowl
The Phish Bowl (the results)
![Page 44: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/44.jpg)
The Phish Bowl
The Phish Bowl (the results)
8/25 9/23 10/1 11/11 2/18 (325) (224) (230) (449) (116)
![Page 45: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/45.jpg)
The numbers:
1,160+ emails sent to [email protected] since 8/25
(from 575 unique senders)
160+ alerts in the Phish Bowl since 8/25
207 compromised accounts since 8/25
171 compromised accounts between 8/1/2013 & 8/25/2014
(42 on 8/1 & 8/2 IRS.gov)
The Phish Bowl
The Phish Bowl (the results)
![Page 46: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/46.jpg)
The Phish Bowl
The Phish Bowl (lessons learned)
#1: Can’t bring in the robots just yet even with auto-response, still need the human-touch to edit & respond at times
#2: Handling content spam, legitimate email, duplicates, vishing, screen shots
#3: A chance to break out the markers & whiteboard teachable moments + opportunity for more connections w/ community
#4: Make the message even simpler and/or re-educate [email protected] worked; brown.edu/go/phishbowl not as well
#5: Hardest thing: the stories of victims
![Page 47: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/47.jpg)
#1: Survey (general community + IT Service Desk) name recognition, what worked or didn’t, suggestions
#2: Fire up phase 2 of marketing plan monthly reminders + quizzes; set timeframe
#3: Review phishing alerts archive, rebundle, delete
The Phish Bowl
The Phish Bowl (next steps)
![Page 48: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/48.jpg)
The Phish Bowl
Your turn – what’s your story?
![Page 49: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/49.jpg)
The Phish Bowl
Crowdsourcing / Collective Wisdom
Who handles phishing at your school?
Is there a formal set of procedures or standard practice?
How is the community notified of major outbreaks?
What is the community’s role (active, passive, none)?
Do you have anything like the Phish Bowl or plans to create it?
![Page 50: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/50.jpg)
Along the phishing perimeter, The beginning of 2015
![Page 51: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/51.jpg)
From: Kristin Bishop < kristin.bishop @ fiu.edu > Sent: Fri, Jan 2, 2015 at 1:08 PM Subject: Kristin Bishop doc#987654 To:
![Page 52: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/52.jpg)
DOCUMENTS FOR YOU Compliment of the season !!
![Page 53: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/53.jpg)
I need you to go through this uploaded files, Due to the size i have zipped and compressed it making it accessible via google secure folders.
![Page 54: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/54.jpg)
For immediate access click Access Files Here just sign in with your email, This files are very important. Let me know what you think.
![Page 55: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/55.jpg)
Regards, Kristin Bishop, Asst. Professor
![Page 56: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/56.jpg)
Learn how to spot phishing attempts.
Look for them in the Phish Bowl ( brown.edu/go/phishbowl ).
Report sightings to [email protected].
Make phishing History!
This message brought to you by the
Information Security Group, CIS
![Page 57: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/57.jpg)
The Phish Bowl
Resources
brown.edu/go/phishbowl (Cornell’s Phish Bowl: www.it.cornell.edu/security/phishbowl.cfm)
http://it.brown.edu (CIS home page)
Spot, Protect and Recover from Phishing www.brown.edu/information-technology/knowledge-base/article/1248
Anti-Phishing Working Group (www.antiphishing.org/)
Higher Education Information Security Council (HEISC) www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-initiative
Awareness and Training (A&T) Working Group www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-initiative/
community-engagement?
![Page 58: The Phish Bowl: Managing the Phishing Frenzy at Brown University (271828159)](https://reader034.vdocument.in/reader034/viewer/2022042905/577cb4271a28aba7118c5347/html5/thumbnails/58.jpg)
Reminder from program committee to fill out your session evaluation.
Thank you for attention.
Pat Falcon: [email protected] Information Security Policy & Awareness Specialist
David Sherry: [email protected] Chief Information Security Officer
The Information Security Group: [email protected] | brown.edu/go/isg