Using Measured Security Awareness to Combat Phishing Attacks


Upload: nicholas-davis

Post on 16-Apr-2017

TRANSCRIPT

Measured Security Awareness Service
Presented by Nicholas Davis, CISSP, CISA

Overview
- Phishing background
- Threat to IT on campus
- Phishing education
- Tricks employed
- Sample phishing emails unique to UW-Madison
- Spotting the phish, after the click
- How measured security awareness works
- Conducting a campaign in your department
- Q&A session
1/10/2014 UNIVERSITY OF WISCONSIN

Phishing Defined
Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication, usually email.

Famous Nigerian Phish

Why Phishing Is Such a Threat
- UW-Madison's IT infrastructure is designed to protect campus computing assets with many technical controls
- This pushes attackers toward alternate routes, and they often choose to exploit the human factor instead

Your Password Is the Key to the Kingdom
If an attacker can persuade you to give them your password, they can walk straight past the controls that rely on that password to protect sensitive systems, because to those systems the attacker is now you.

UW-Madison's Proprietary Research Interests Phishers
Consider the value of UW-Madison's intellectual property.

I Am Too Smart to Fall for a Trick Like Phishing
- Most large organizations have a phishing participation rate (the share of recipients who act on the lure) of around 10%
- The rate rises when the population is targeted with spear phishing: phishing email designed specifically for its recipient

Phishing Relies Upon Social Engineering
Social engineering is the practice of deceiving someone, either in person, over the phone, or using a computer, with the express intent of breaching some level of security, either personal or professional. Social engineering techniques are con games performed by con artists. The targets of social engineering may never realize they have been victimized.

Tricks Used by Expert Phishers
- Socially aware: mining information about the target from publicly available resources, such as Facebook, property records, or even CCAP (Wisconsin's public court records system)
- Context aware: referring to an activity you are likely to engage in anyway, such as an Amazon.com order or a UPS package delivery

Specific Examples of Complex Phishing Attempts
- Baiting: placing a USB flash drive or CD carrying malware in a public place, where curiosity leads someone to plug it in

Specific Examples of Complex Phishing Attempts
- QR code curiosity: encoding a link to a malicious site in a QR code on a printout posted to a community bulletin board (the code itself only carries the link; the phone's browser does the rest once someone scans it)

Specific Examples of Complex Phishing Attempts
- Out of office, out of control: taking advantage of an out-of-office autoresponder, whose reply leaks specific details (who is away, until when, whom to contact instead) that are then used to exploit co-workers

What Would Happen If You Received This Email?
(Two sample phishing emails, shown as images on the original slides.)

Tips to Spot Social Engineering Within a Phishing Attempt
- It asks you to verify a sensitive piece of information
- A sense of urgency is implied in the message
- An overt or implied threat may be present
- Flattery is used to get you to drop your guard
- Organizational knowledge is used, and sometimes overused
- A bribe or reward for your help may be offered

Have You Ever Been Successfully Phished?

Spotting the Phish After the Click
- The website address looks odd or incorrect
- An IP address shows in the address bar instead of a hostname
- Multiple pop-ups appear on top of the legitimate website window
- The website contains spelling or grammar errors
- No SSL lock is present on what should be a secure site (the reverse is no guarantee: a lock means the connection is encrypted, not that the site belongs to who you think it does)
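
As an added example (not part of the original presentation), here are the address-bar checks from this slide written as a small Python triage function. The EXPECTED_DOMAINS allow-list, the sample URLs and the hostnames are constructed for illustration; the '@' userinfo check and the punycode check are two concrete forms of "the address looks odd" that the slide does not spell out.

```python
"""Triage a link after the click, using the warning signs from the slide.

Added example, not part of the original presentation. The URLs and the
EXPECTED_DOMAINS allow-list below are constructed for illustration; replace
the allow-list with the hosts your users should actually log in to.
"""
import ipaddress
from typing import List
from urllib.parse import urlsplit

# Assumption: the registrable domain a campus login page should live under.
EXPECTED_DOMAINS = {"wisc.edu"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Good enough for .edu/.com style names;
    public-suffix handling (co.uk etc.) is out of scope for this example."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_ip_literal(host: str) -> bool:
    """True when the 'hostname' is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def triage_url(url: str) -> List[str]:
    """Return the warning signs found in the URL (an empty list means none)."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        warnings.append("no TLS: link is not https")
    if parts.username is not None:
        # https://login.wisc.edu@evil.example/ really goes to evil.example;
        # the part before '@' is userinfo, placed there to make the address look right.
        warnings.append(f"'@' in URL: the real host is {host!r}, not {parts.username!r}")
    if is_ip_literal(host):
        warnings.append("bare IP address in the address bar")
    elif host:
        if host.startswith("xn--") or ".xn--" in host:
            warnings.append("punycode hostname: may be a look-alike of a familiar name")
        domain = registrable_domain(host)
        if domain not in EXPECTED_DOMAINS:
            # Catches wisc.edu.login-verify.example and w1sc.edu alike:
            # what matters is the domain at the end, not what the name starts with.
            warnings.append(f"host {host!r} is not under an expected domain ({domain})")
    return warnings


if __name__ == "__main__":
    # Constructed sample links, as a user might see them in the address bar.
    SAMPLE_URLS = [
        "https://login.wisc.edu/",
        "http://login.wisc.edu/",
        "http://203.0.113.7/login",
        "https://login.wisc.edu@evil.example/reset",
        "https://wisc.edu.login-verify.example/",
        "https://xn--wsc-ab2e.edu/",
    ]
    for sample in SAMPLE_URLS:
        found = triage_url(sample)
        print(sample, "->", "looks normal" if not found else "; ".join(found))
```

The domain check is deliberately anchored on the end of the hostname: a phisher controls everything to the left of the registrable domain, so "wisc.edu" appearing early in the address proves nothing.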

Can You Spot the Issue Here?

Combat Phishing Attempts
- Never give away personal information, especially your username and password
- Don't let curiosity get the best of you
- Look for the tell-tale signs we have discussed today
- There are no situations which justify exceptions
- If something sounds too good to be true

Measured Security Awareness: Learning Through Doing
- Studies demonstrate that people tend to forget formal education over time
- The best way to learn and remember is through experience
- Measured security awareness is the ability to engage in realistic training within a safe, controlled and blame-free environment

UW-Madison's Measured Security Awareness Program
- The Division of Information Technology (DoIT) has purchased a vendor solution which enables us to conduct measured security awareness campaigns
- The system is safe
- The system does NOT collect personal information such as who clicked on links; information is only reported in aggregate
- DoIT has been internally phishing 850 of its own staff for over a year

Results So Far, at DoIT
- At first, people were apprehensive
- The first phishes were easy
- As people got accustomed to it, attitudes became more accepting
- After a year, most people are enjoying the challenge
- Most importantly, many fewer people are falling for the phish

This Proposal Smells Phishy
- Over the next six months, you will be presented with 12 phishing attacks
- Some will be easy to detect, others will be more sophisticated and difficult to detect
- We may even go on a whaling expedition! Do you know what that is?
- Participation rate will be collected (in aggregate) and summarized in a report

Q&A Session
Are you ready for a phishing expedition?

Nicholas Davis, [email protected]
