Shooting Phish in a Barrel (and other terrible fish-related puns...)
Amanda Berlin
@InfoSystir
Stuff I do
CompanyX Metrics
• +/- 2,000 employees
• +/- 30 sites
• Decent structure and security already
• Some C-level buy-in
• No user education on security
• $1,000 budget
First Phish
First Results
• No warning to users
• Target addresses gathered with theHarvester (theharvester.py)
• SET (the Social-Engineer Toolkit) bombed out on me
• 50 emails sent
• 16 usernames/passwords = 32%
• 4 reports = 8%
Second Phish
Second Results
• 250 emails sent
• 54 usernames/passwords = 22%
• 4 reports = 2%
Program
Something Smells Phishy
Phishing:
• is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.
CompanyX Hackers
• We’ll be putting on our hacker hats and trying to get you to fall for our security tests.
• While we won’t be trying to gather your credit card details, there are currently real hackers out in the world trying to get every bit of information they can.
• They are the real bad guys and the whole point behind this campaign.
Key Points to remember
• Don’t click on links in email.
• Don’t open attachments that you aren’t expecting.
• Never give your username/password to anyone.
• If it smells phishy, REPORT IT!
Things that should be reported
• Suspicious emails trying to get your information (usernames, passwords, what software we use, banking info, etc.).
• Suspicious emails with attachments that you didn’t expect.
• People attempting to access your computer that you haven’t authorized.
Contest Rules
• Phishing emails must be forwarded to the helpdesk along with calling about suspicious activity.
• Both internal (COMPANYX IT) and external (real hacker) emails count.
• It is up to the COMPANYX hackers to determine if the email is a true phishing attempt or just spam.
Contest Rules
• Other suspicious electronic activity may count on a case by case basis.
• All COMPANYX email users except IS department employees are eligible to win.
• Pseudo-random COMPANYX staff members will be selected to draw winners.
• A person may not win twice for the same drawing but is eligible to win in all other drawings.
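The contest rules make the helpdesk the first line of defence and leave the phish-versus-spam call to the internal team. The script below is an added example, not code from the deck or its author: it parses a forwarded message with Python's standard email library, pulls out the indicators a first-line analyst would check (sender versus Reply-To and Return-Path domains, URLs, link text that shows a different host than its href, credential-lure wording) and tags the report INTERNAL_TEST when it came from the internal campaign's sending domain. The domain companyx-it-notices.example, the lure word list and the two sample messages are assumptions constructed for the example; ESCALATE and REVIEW are heuristics, and the final decision stays with a human, as the rules say.

```python
"""First-line triage for a phish forwarded to the helpdesk.

Added example, not from the original deck or its author. Parses the reported
message (RFC 5322 text), extracts the indicators a helpdesk analyst needs and
tags it INTERNAL_TEST when it came from the internal campaign's sending
domain (an assumed value). ESCALATE/REVIEW are heuristics only.
"""
import hashlib
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the internal campaign sends from this domain (not on the slides).
INTERNAL_CAMPAIGN_DOMAINS = {"companyx-it-notices.example"}
LURE_WORDS = ("password", "verify your account", "account suspended", "sign in")
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["'][^>]*>(.*?)</a>""", re.I | re.S)
URL_RE = re.compile(r"""https?://[^\s<>"']+""")

# Constructed sample: a lure mimicking the company's webmail, sent from outside.
EXTERNAL_SAMPLE = """\
From: "CompanyX Payroll" <payroll@companyx.example>
Reply-To: payroll-update@mail-relay.example
Return-Path: <bounce@mail-relay.example>
To: someone@companyx.example
Subject: Action required: verify your account before Friday
Content-Type: text/html; charset=utf-8

<html><body><p>Your password expires soon. Open
<a href="http://203.0.113.7/owa/login">http://webmail.companyx.example/owa</a>
and sign in to keep access.</p></body></html>
"""

# Constructed sample: the internal campaign's own email.
INTERNAL_SAMPLE = """\
From: "CompanyX IT" <it-alerts@companyx-it-notices.example>
To: someone@companyx.example
Subject: Mandatory password reset
Content-Type: text/plain; charset=utf-8

Please sign in at http://companyx-it-notices.example/reset to reset your password.
"""


def _domain(header_value):
    """Domain part of an address header, lower-cased; '' when absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def triage(raw_message):
    msg = Parser(policy=policy.default).parsestr(raw_message)
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To")) or from_dom
    return_dom = _domain(msg.get("Return-Path")) or from_dom
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    subject = str(msg.get("Subject", "")).strip()
    haystack = (subject + " " + text).lower()

    urls = sorted(set(URL_RE.findall(text)))
    # Link text that shows one host while the href points at another.
    mismatched_links = []
    for href, anchor in HREF_RE.findall(text):
        shown = re.sub(r"<[^>]+>", "", anchor).strip()
        if shown.startswith("http") and \
                urlparse(shown).netloc.lower() != urlparse(href).netloc.lower():
            mismatched_links.append((shown, href))

    indicators = {
        "from_domain": from_dom,
        "reply_to_mismatch": reply_dom != from_dom,
        "return_path_mismatch": return_dom != from_dom,
        "urls": urls,
        "mismatched_links": mismatched_links,
        "credential_lure": any(w in haystack for w in LURE_WORDS),
    }
    if from_dom in INTERNAL_CAMPAIGN_DOMAINS:
        verdict = "INTERNAL_TEST"   # counts for the contest, no incident
    elif mismatched_links or (indicators["credential_lure"] and (
            indicators["reply_to_mismatch"] or indicators["return_path_mismatch"] or urls)):
        verdict = "ESCALATE"        # likely real phish: contest entry plus IR
    else:
        verdict = "REVIEW"          # could be spam; the analyst decides
    # Same lure reported by several people collapses to one campaign fingerprint.
    fingerprint = hashlib.sha256(
        "|".join([from_dom, subject.lower(), *urls]).encode()).hexdigest()[:16]
    return {"verdict": verdict, "fingerprint": fingerprint, **indicators}


if __name__ == "__main__":
    for sample in (EXTERNAL_SAMPLE, INTERNAL_SAMPLE):
        print(triage(sample))
```

A report tagged INTERNAL_TEST still earns a contest entry but opens no incident; ESCALATE earns the entry and starts incident response; REVIEW goes to the analyst. The fingerprint lets the helpdesk recognise the same lure reported by many people, which matters when "each unique phishing report results in one entry" has to be adjudicated.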
Awards!
• Winners drawn from our “Phish Bowl” will win these phishy prizes!
• Monthly – Two winners drawn
– Each unique phishing report results in one entry
– Drawings are held first regular business day of month for preceding month
– Both monthly winners will receive $10 Java City gift cards
Awards!
• Quarterly – Two winners drawn
– First quarterly winner drawn will receive a $50 Bass Pro gift card
– Second quarterly winner drawn will receive a $50 Red Lobster gift card.
Awards!
• End of Year Grand Prize – One winner drawn
– $300 Amazon gift card
The Phish
The most important part
9 months of spreadsheets
January Phish
January Results
• 934 emails sent
• 322 usernames/passwords = 34%
• 103 reports = 11%
February Phish
February Results
• 567 emails sent
• 89 usernames/passwords = 16%
• 49 reports = 9%
March Phish
March Results
• 1095 emails sent
• 4 usernames/passwords = 0.4%
• 37 reports = 3%
March Results, cont.
• First real phish caught and reported!
April Phish
April Results
• 1159 emails sent
• Goal was to look for reporting only
• 261 reports = 23%
May/June Phish
May/June Results
• Both were external pentesting phishing attempts
• First attempt: 41 emails sent, 0 phished, 6 reports
• Second attempt: 59 emails sent, 1 phished (after the test time period)
ZOMG IR
May/June Results cont.
• 10:30 campaign begins
• 10:33 C-level dude forwarded email, and called
• 10:34 Regular user forwarded email
• 10:35 Regular user forwarded
• 10:41 I.T. dept was discussing null routing the IP address and blackholing the domain name
• 10:46 I.T. member forwarded the second version of the email
• 11:05 Director forwarded the email
• 11:20 Director forwarded the email
July Phish
July Results
• 511 emails sent
• 15 people clicked through
• 8 reports
August Phish
August Results
• 402 emails sent
• 31 reports
September Phish
September Results
• 2264 emails sent
• 17 reports
GRAPHS!!!!
[Chart: Hard Numbers, Jul-13 through Sep-14; series: Emails Sent, Phished, Reported; y-axis 0 to 1400]
GRAPHS!!!!
[Chart: %, Jul-13 through Sep-14; series: Phished %, Reported %; y-axis 0% to 40%]
What I’ve learned
• Bi-directional positive response
• Someone is always going to click
• No one exempt
• Getting the point across
What I would change
• More formalized process for the helpdesk/first line of defense
• More automation
• Add vishing/physical
• More measurements
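The deck's "more automation" and "more measurements" points, and the nine months of spreadsheets behind the charts, suggest the bookkeeping should be scripted. The block below is an added example, not code from the deck or its author: it takes the per-campaign numbers reported on the slides (copied in as constructed sample input, with None where a slide did not report a figure) and computes the phished and reported rates, the reports-per-phish ratio, and, from the May/June incident timeline, the minutes to first report. The July figure is click-throughs rather than captured credentials, as that slide states.

```python
"""Campaign metrics for an education-by-phishing program.

Added example, not from the original deck. The numbers are the ones reported
on the slides, copied in as constructed sample input; None means the slide did
not report that figure (e.g. a reporting-only round). The timeline entries are
taken from the May/June incident-response slide.
"""
import re

# (campaign, emails sent, credentials captured or clicks, reports)
CAMPAIGNS = [
    ("First", 50, 16, 4),
    ("Second", 250, 54, 4),
    ("January", 934, 322, 103),
    ("February", 567, 89, 49),
    ("March", 1095, 4, 37),
    ("April", 1159, None, 261),          # reporting-only round
    ("May (external pentest)", 41, 0, 6),
    ("June (external pentest)", 59, 1, None),
    ("July", 511, 15, 8),                # slide counts click-throughs, not creds
    ("August", 402, None, 31),
    ("September", 2264, None, 17),
]

TIMELINE = [  # May/June IR slide, HH:MM
    "10:30 campaign begins",
    "10:33 C-level forwarded email, and called",
    "10:34 Regular user forwarded email",
    "10:41 I.T. dept discussing null routing the IP and blackholing the domain",
]


def pct(part, whole):
    """Percentage rounded to one decimal; None when the input is unknown."""
    if part is None or not whole:
        return None
    return round(100.0 * part / whole, 1)


def summarize(campaigns=CAMPAIGNS):
    """One row per campaign with the rates the program tracked."""
    rows = []
    for name, sent, phished, reported in campaigns:
        if phished is None or reported is None:
            ratio = None
        else:
            # reports per successful phish: the number you want climbing
            ratio = reported / phished if phished else float("inf")
        rows.append({
            "campaign": name,
            "sent": sent,
            "phished_pct": pct(phished, sent),
            "reported_pct": pct(reported, sent),
            "reports_per_phish": ratio,
        })
    return rows


def minutes_to_first_report(timeline=TIMELINE):
    """Minutes from 'campaign begins' to the first forward or call."""
    def minute(line):
        m = re.match(r"(\d{1,2}):(\d{2})", line)
        return int(m.group(1)) * 60 + int(m.group(2))
    start = next(minute(line) for line in timeline if "begins" in line)
    first = next(minute(line) for line in timeline
                 if "forwarded" in line or "called" in line)
    return first - start


if __name__ == "__main__":
    for r in summarize():
        print(f"{r['campaign']:<26} sent={r['sent']:>5} "
              f"phished%={r['phished_pct']} reported%={r['reported_pct']} "
              f"reports/phish={r['reports_per_phish']}")
    print("minutes to first report:", minutes_to_first_report())
```

The slides truncate their percentages (322/934 shows as 34%); the script keeps one decimal so that a small-campaign result like March (4/1095) stays visible, and the reports-per-phish ratio shows the trend the program is actually after: reports overtaking clicks.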
Stuff
• Infosystir.blogspot.com
– Email Templates
– Training Modules
– Meme posters
– “You’ve Been Hacked” phish response
– Awards program
Other cool things
• https://www.trustedsec.com/march-2013/the-debate-on-security-education-and-awareness/
• http://ben0xa.com/security-awareness-education/
• http://www.csoonline.com/article/2134189/strategic-planning-erm/how-to-create-security-awareness-with-incentives.html
• http://www.irongeek.com/i.php?page=videos/derbycon2/2-2-7-benjamin-mauch-creating-a-powerful-user-defense-against-attackers
• Building an Information Security Awareness Program: Defending Against Social Engineering and Technical Threats – Bill Gardner & Valerie Thomas - http://amzn.com/0124199674
• Phishing Frenzy - http://www.phishingfrenzy.com/
Editor's Notes

We all know that the end user is the weakest link. With all the talk around how broken user education is, I'd like to offer my two cents on it. I'll be going over the education-by-phishing program I put into place in an enterprise environment. The metrics I tracked were:
1. users targeted
2. users successfully phished
3. phishes reported
I'll share what I did, learned, screwed up on, and would change. I'll also have all of my material for the program available for anyone to use.