We all know that the end user is the weakest link. With all the talk around how broken user education is, I'd like to offer my two cents on it. I'll be going over the education by phishing program I put into place in an enterprise environment. The metrics I tracked were
1. users targeted
2. users successfully phished
3. phishes reported
I'll share what I did, learned, screwed up on, and would change. I'll also have all of my material for the program available for anyone to use.
6. First Results
• No advance warning to users
• Email addresses gathered with theharvester.py
• SET bombed out on me
• 50 emails sent
• 16 usernames/passwords = 32%
• 4 reports = 8%
@InfoSystir
11. Phishing:
• is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.
12. CompanyX Hackers
• We’ll be putting on our hacker hats and trying to get you to fall for our security tests.
• While we won’t be trying to gather your credit card details, there are currently real hackers out in the world trying to get every bit of information they can.
• They are the real bad guys and the whole point behind this campaign.
13. Key Points to remember
• Don’t click on links in email.
• Don’t open attachments that you aren’t expecting.
• Never give your username/password to anyone.
• If it smells phishy, REPORT IT!
14. Things that should be reported
• Suspicious emails trying to get your information (usernames, passwords, what software we use, banking info, etc.).
• Suspicious emails with attachments that you didn’t expect.
• People attempting to access your computer that you haven’t authorized.
15. Contest Rules
• Phishing emails must be forwarded to the helpdesk along with calling about suspicious activity.
• Both internal (COMPANYX IT) and external (real hacker) emails count.
• It is up to the COMPANYX hackers to determine if the email is a true phishing attempt or just spam.
16. Contest Rules
• Other suspicious electronic activity may count on a case-by-case basis.
• All COMPANYX email users except IS department employees are eligible to win.
• Pseudo-random COMPANYX staff members will be selected to draw winners.
• A person may not win twice for the same drawing but is eligible to win in all other drawings.
17. Awards!
• Winners drawn from our “Phish Bowl” will win these phishy prizes!
• Monthly – Two winners drawn
– Each unique phishing report results in one entry
– Drawings are held on the first regular business day of the month for the preceding month
– Both monthly winners will receive $10 Java City gift cards
18. Awards!
• Quarterly – Two winners drawn
– First quarterly winner drawn will receive a $50 Bass Pro gift card
– Second quarterly winner drawn will receive a $50 Red Lobster gift card
19. Awards!
• End-of-Year Grand Prize – One winner drawn
– $300 Amazon gift card
35. May/June Results cont.
• 10:30 campaign begins
• 10:33 C-level dude forwarded the email and called
• 10:34 Regular user forwarded the email
• 10:35 Regular user forwarded the email
• 10:41 I.T. dept was discussing null-routing the IP address and blackholing the domain name
• 10:46 I.T. member forwarded the second version of the email
• 11:05 Director forwarded the email
• 11:20 Director forwarded the email
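The three metrics the talk tracks (targeted, successfully phished, reported), plus the time-to-report figures that the May/June timeline above works out by hand, computed from a campaign event log. This is an added example, not the speaker's tooling or data; the log format, user names and timings are constructed for illustration.

```python
from datetime import datetime
from statistics import median

# Constructed sample log for one campaign (not the talk's real numbers).
# Format: "<HH:MM> <user> <event>", event is one of: sent | submitted | reported
EVENT_LOG = """\
10:30 alice sent
10:30 bob sent
10:30 carol sent
10:30 dave sent
10:30 erin sent
10:33 alice reported
10:34 bob reported
10:36 carol submitted
10:41 dave submitted
10:45 carol reported
11:05 erin reported
"""

def parse_events(text):
    """Turn log lines into (time, user, event) tuples; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        stamp, user, event = parts
        events.append((datetime.strptime(stamp, "%H:%M"), user, event))
    return events

def campaign_metrics(events):
    """Distinct-user counts and rates, as in the talk's '16 = 32%, 4 = 8%' slide."""
    targeted = {u for _, u, e in events if e == "sent"}
    if not targeted:
        raise ValueError("no 'sent' events: nothing to measure against")
    phished = {u for _, u, e in events if e == "submitted"}
    reported = {u for _, u, e in events if e == "reported"}
    start = min(t for t, _, e in events if e == "sent")
    # Minutes from campaign start to each report (a user reporting twice still counts once).
    minutes = sorted((t - start).total_seconds() / 60 for t, _, e in events if e == "reported")
    # Users who submitted credentials and then reported: the helpdesk still learns of the
    # campaign, but those accounts need a password reset rather than a prize entry.
    return {
        "targeted": len(targeted),
        "phished": len(phished),
        "phished_pct": round(100 * len(phished) / len(targeted), 1),
        "reported": len(reported),
        "reported_pct": round(100 * len(reported) / len(targeted), 1),
        "first_report_min": minutes[0] if minutes else None,
        "median_report_min": median(minutes) if minutes else None,
        "reported_after_phished": sorted(phished & reported),
    }

if __name__ == "__main__":
    for key, value in campaign_metrics(parse_events(EVENT_LOG)).items():
        print(f"{key}: {value}")
```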
48. What I would change
• More formalized process for the helpdesk/first line of defense
• More automation
• Add vishing/physical tests
• More measurements
50. Other cool things
• https://www.trustedsec.com/march-2013/the-debate-on-security-education-and-awareness/
• http://ben0xa.com/security-awareness-education/
• http://www.csoonline.com/article/2134189/strategic-planning-erm/how-to-create-security-awareness-with-incentives.html
• http://www.irongeek.com/i.php?page=videos/derbycon2/2-2-7-benjamin-mauch-creating-a-powerful-user-defense-against-attackers
• Building an Information Security Awareness Program: Defending Against Social Engineering and Technical Threats – Bill Gardner & Valerie Thomas - http://amzn.com/0124199674
• Phishing Frenzy - http://www.phishingfrenzy.com/