Protect your organization from phishing attacks

Learn about various types of phishing attacks and how to protect your organization.

Published in: Technology

  1. Protect Your Organization from Phishing Threats
     Andy Rappaport, Chief Architect
     Tom Smit, Customer Experience Manager
  2. Agenda
     • The Evolving Phishing Threat
     • Attacker's mentality: what CORE's penetration testers tell us
     • 5 Minute Identity Harvest Challenge
     • Best Practices: What You Can Do
     • Organizational Preparedness with CORE Insight
  3. Phishing is Not the Same as Spam
     • Spam: unwanted email (and possibly texts)
     • Phishing: malicious email, a social engineering attack
       − Pretending to be from someone you trust
       − Designed to look like legitimate email from a trusted source
     • Types of phishing:
       − Spear phishing: targets select individuals
       − Clone phishing: reuses previous emails to create a legitimate appearance while changing the links in the email; exploits existing trust
       − Long-lining: a large volume of highly customized emails, intended to defeat filter-type defenses
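Clone phishing, as defined on this slide, keeps the wording of a trusted message and changes only the link targets, so a defender can check a suspect copy against the original it imitates. The following added example (not from the presentation) compares anchors whose visible text matches and flags those whose link host changed; the two messages and the `example-bank.com` hosts are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (visible anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None  # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def changed_links(original_html, suspect_html):
    """Anchors whose visible text matches the trusted original but whose href
    now points at a different host; returns (text, original_href, new_href)."""
    trusted = dict(extract_links(original_html))
    findings = []
    for text, href in extract_links(suspect_html):
        known = trusted.get(text)
        if known is not None and urlparse(known).netloc.lower() != urlparse(href).netloc.lower():
            findings.append((text, known, href))
    return findings


# Constructed sample messages: the trusted original, and a clone that kept the
# wording and the "Help" link but re-pointed "Log in" at a look-alike host.
ORIGINAL = ('<p>Your statement is ready.</p><a href="https://mail.example-bank.com/login">Log in</a> '
            '<a href="https://www.example-bank.com/help">Help</a>')
CLONE = ('<p>Your statement is ready.</p><a href="https://mail.example-bank.com.verify-login.example/login">Log in</a> '
         '<a href="https://www.example-bank.com/help">Help</a>')
```

Running `changed_links(ORIGINAL, CLONE)` reports only the "Log in" anchor, while the untouched "Help" link and the original compared with itself produce no findings.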
  4. The Evolving Phishing Threat
     • Frequency is declining[1] but sophistication is increasing
     • Spear-phishing effectiveness has significantly increased[2]
     • $1.5 billion: total losses from phishing in 2012[3]
     • Why? Lowered barriers to achieving online trust
       − Decreased face-to-face contact: remote offices, outsourcing, partners, social networks
       − Technology bypasses the human: single sign-on, federation, browsers saving passwords
       − Mixed personas (personal and business): BYOD
     Sources: [1] Anti-Phishing Working Group Attack Trend Reports; [2]; [3]
  5. What CORE's Pen Testers Tell Us
     • Social engineering is the preferred attack vector.
     • Users are easier: "We can always phish someone [in an engagement]. It's just a matter of how hard we need to try."
     • Establish, escalate and leverage trust "until you get someone [or something] you want".
     • Value of compromising an identity
       − Email account: send email as them → leverage their trust network
       − Browser or host: passwords → log on as them
     Note the significance of trust in each statement.
  6. What CORE's Pen Testers Tell Us: The Approach
     • Establish trust with a non-threatening message to a small group.
       − "We have been experiencing some errors with the XYZZY system. Sorry for any inconvenience."
       − "We are scheduling an upgrade for the XYZZY system."
     • … then send the phish email
       − "Sorry. Please use this temporary XYZZY system <some link>"
     • Make it look right
       − Use corporate branding / images. Duh.
     • Personalize, if possible
       − Title: "Attendee list for your XYZZY conference keynote"
         o (A person's future conference schedule might be easy to discover)
  7. Try the 5 Minute Identity Harvest Challenge
     • Pick an important corporate user, from your company or another
     • Search for just 5 minutes to gather spear-phish information
     • Pick a few places to look:
       − Corporate site, news
       − Financial: scheduled stock trades
       − Search engine: blogs, conferences, speeches, planned travel
       − Social: LinkedIn (college, homecoming), Facebook (social, family)
       − Physical addresses: work, home, vacation
     What could an attacker do with more time?
  8. Phish Defenses: What You Can Do
     • Defend: technology deployments
       − Blacklisting known phishing sites
       − Spam filters
       − Anti-virus software
     • Educate: user awareness
       − Regular two-way communication. Make humans part of your sensor network.
       − Share real-world examples
     • Understand the risk: establish policy
       − Ex: CSR or IT password reset: are they being helpful or insecure?
       − Zip files through the firewall?
       − Mixing personal and business
     • Test and measure your own exposure and risk
       − Test your own defenses
       − Hands-on employee assessments
     [Slide graphic: "GOTCHA!"]
  9. Self-Phishing Best Practices
     • Goal: understand and lower phish risk
     • Systematic testing
       − Data-driven. Objective.
       − Create an easily repeatable process
       − Not a one-time gotcha (hook-and-release)
     • Test people and defenses/controls
     • Different levels of sophistication
       − E.g. an obvious form letter; a targeted message with specific but publicly available information
     [Cycle diagram: Assess → Test → Improve]
  10. Benefits of Self-Phishing
      Data-driven security: goals, questions, metrics
      • Goal: understand and measure your own risk from phish exposure.
      • Questions:
        − Does the A/V on our IT "golden images" detect spam/phish messages?
        − Do our defenses provide useful clues to employees?
        − Which of our users are susceptible to phishing?
        − How much does our user awareness program reduce the risk?
      • Metrics: understanding the effectiveness of your training
        − Measure over time and identify areas to improve
        − Approach: mix baselines (Nigerian prince) with more focused (spear-phish) campaigns
      • Identify users and groups who need additional education
        − Adequately trained? New hires? Admins? IT? Devs?
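The goals-questions-metrics approach on slides 9 and 10 (measure over time, mix baseline with spear-phish campaigns, find the groups that need more training) comes down to a few click-rate aggregations over campaign results. The added example below (not from the presentation or from CORE Insight) computes them over a constructed result set; the record fields, the `baseline`/`spear` kinds and the 50% threshold are assumptions made for the example.

```python
from collections import defaultdict

# Constructed results (not real data): one record per recipient per campaign.
# kind "baseline" = obvious form letter; "spear" = targeted with public info.
RESULTS = [
    {"quarter": "2013Q1", "kind": "baseline", "group": "marketing", "clicked": True},
    {"quarter": "2013Q1", "kind": "baseline", "group": "marketing", "clicked": True},
    {"quarter": "2013Q1", "kind": "baseline", "group": "devs", "clicked": False},
    {"quarter": "2013Q1", "kind": "spear", "group": "execs", "clicked": True},
    {"quarter": "2013Q1", "kind": "spear", "group": "execs", "clicked": True},
    {"quarter": "2013Q1", "kind": "spear", "group": "devs", "clicked": True},
    {"quarter": "2013Q2", "kind": "baseline", "group": "marketing", "clicked": False},
    {"quarter": "2013Q2", "kind": "baseline", "group": "marketing", "clicked": True},
    {"quarter": "2013Q2", "kind": "baseline", "group": "devs", "clicked": False},
    {"quarter": "2013Q2", "kind": "spear", "group": "execs", "clicked": True},
    {"quarter": "2013Q2", "kind": "spear", "group": "execs", "clicked": False},
    {"quarter": "2013Q2", "kind": "spear", "group": "devs", "clicked": False},
]


def click_rate(records):
    """Fraction of recipients who clicked; 0.0 for an empty set."""
    return sum(r["clicked"] for r in records) / len(records) if records else 0.0


def rate_by(records, *keys):
    """Click rate per bucket, keyed by a tuple of the given record fields."""
    buckets = defaultdict(list)
    for r in records:
        buckets[tuple(r[k] for k in keys)].append(r)
    return {k: click_rate(v) for k, v in buckets.items()}


def awareness_effect(records, kind):
    """Change in click rate for one campaign kind between the first and the
    last quarter; negative means the awareness program reduced the risk."""
    by_quarter = rate_by([r for r in records if r["kind"] == kind], "quarter")
    quarters = sorted(by_quarter)
    return by_quarter[quarters[-1]] - by_quarter[quarters[0]]


def groups_needing_training(records, quarter, threshold=0.5):
    """Groups whose click rate in `quarter` reached `threshold` or more."""
    rates = rate_by([r for r in records if r["quarter"] == quarter], "group")
    return sorted(group for (group,), rate in rates.items() if rate >= threshold)
```

Comparing `rate_by(RESULTS, "quarter", "kind")` across quarters shows the spear-phish rate falling from 100% to a third while the baseline rate only halves, and `groups_needing_training(RESULTS, "2013Q2")` names the groups still at or above the threshold.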
  11. CORE Insight
  12. Insight Can Assess Over Time
      Investments in training have proven productive. Ongoing evaluation is critical to minimizing risk. Next quarter's focus can be clearly identified.
  13. Insight Identifies Critical Areas
      Identify current weaknesses in an organization. Campaigns focus on different users:
      • Marketing
      • Executives
      • Contractors
      • Web Developers
      Focus limited resources on more critical activities.
  14. Insight Builds Focused Campaigns
      • Clone Phishing
      • Spear Phishing
      • General Phishing
      [Screenshot of a sample campaign message: from "First Generic Bank", subject "Please update your account information", Mar 12, 2013 3:23PM PST]
  15. Reporting
  16. Go to to watch the recorded presentation
      For more information please contact Core Security at (617)399-6980 or