Protecting Organizations from Phishing Scams, for RSA Webinar in Sep2010
Slides I used for an RSA Webinar in Sep 2010, presenting the results of our team's research on protecting people from phishing scams.

  • Image from BusinessWeek Apr 2008. San Jose, Calif.-based Cisco's annual security study found that spam is growing quickly — nearly 200 billion spam messages are now sent each day, double the volume in 2007 — and that targeted attacks are also rising sharply. More than 0.4% of all spam sent in September were targeted attacks, Cisco found. That might sound low, but since 90% of all e-mails sent worldwide are spam, this means 800 million messages a day are attempts at spear phishing. A year ago, targeted attacks with personalized messages were less than 0.1% of all spam.
  • Personalization, story-based agents, reflection
  • http://wombatsecurity.com/file_download/6/PhishGuru%20White%20Paper.pdf
  • http://wombatsecurity.com/file_download/8/Anti-Phishing%20Phil%20whitepaper.pdf

Presentation Transcript

  • Copyright © Wombat Security Technologies, Inc. 2008-2010
    Protecting Organizations from Phishing Scams
    - Jason Hong, PhD
    - Assoc. Prof, Carnegie Mellon University
    - CTO, Wombat Security Technologies
  • 300 million spear phishing emails are sent each day (Cisco 2008 Annual Security Report)
  • Phishing Attacks are Pervasive
    - Phishing is a social engineering attack
      - Tricks users into sharing sensitive information or installing malware
      - Used for identity theft, corporate espionage, and theft of national secrets
    - Circumvents today’s security measures
      - Targets the person behind the keyboard
      - Works around encryption, two-factor, firewalls
    - Password reuse exacerbates the problem: a security problem outside your perimeter can still affect you
  • How Bad is Phishing?
    - Estimated ~0.4% of Internet users per year fall for phishing attacks
    - Estimated $1B+ direct losses to consumers per year
      - Bank accounts, credit card fraud
      - Doesn’t include time wasted on recovery of funds, restoring computers, emotional uncertainty
    - Growth rate of phishing is high
      - Over 45k+ reported unique sites / month
      - Social networking sites now major targets
  • How Bad is Phishing?
    - Direct damage
      - Loss of sensitive customer data
      - Loss of intellectual property
      - Fraud
      - Attack on European carbon traders in early 2010, close to $5m stolen in targeted phishing attack
    - Indirect damage can be high too
      - Damage to reputation, lost sales, etc.
      - Response costs (call centers, recovery)
      - One bank estimated costs of $1M per phishing attack
  • Spear-Phishing Attacks Rising
    - Type #1 – Uses info about your organization
      - This attack uses public information
      - Not immediately obvious it is an attack
      - Could be sent to military personnel at a base
      - Our data suggests around 50% of people likely to fall for a good spear-phishing attack
    - Example message shown on the slide: “General Clark is retiring next week, click here to say whether you can attend his retirement party”
  • Spear-Phishing Attacks Rising
    - Type #2 – Uses info about you specifically
      - Might use information from social networking sites, corporate directories, or publicly available data
    - “Thousands of high-ranking executives across the country have been receiving e-mail messages this week that appear to be official subpoenas from the United States District Court in San Diego. Each message includes the executive’s name, company and phone number, and commands the recipient to appear before a grand jury in a civil case.” -- New York Times, Apr 16 2008
  • Protecting Your Users from Phish
    - Make it invisible
      - Email and web filters for your employees
      - Takedown providers for your customers
    - Better user interfaces
      - Better web browser interfaces
    - Train people
      - Most overlooked aspect of protection
      - More effective than people realize
  • Problems with Traditional Security Training
    - All-day training sessions
      - Major disruption to work, no chance to practice skills, not realistic because people aren’t attacked in a classroom
    - People don’t know they have a problem
      - Can’t go looking for the right information
    - Awareness campaigns don’t help
      - Telling people to watch out for phishing without teaching meaningful skills to detect attacks is useless
      - Can also raise false positives (basically, raises paranoia)
    - Traditional training is boring
  • Embedded Training
    - Use simulated phishing attacks to train people
    - Teach people in the context they would be attacked
    - If a person falls for a simulated phish, then show an intervention explaining what just happened
      - Creates a “teachable moment”
    - However, doing embedded training right is harder than it may seem
  • Doing Embedded Training Right: Coordinating with the Right Groups
    - US Dept of Justice sent hoax phishing email, but didn’t notify the entity they were impersonating
      - Wasted lots of time and energy shutting it down
      - Anxiety for many days about safety of retirement plans
    - One Air Force Base sent hoax phishing email about Transformers 3 wanting to recruit
      - Spread a fairly large Internet rumor about the movie
      - Wasted lots of time and energy addressing rumors
  • Doing Embedded Training Right: Psychological Costs
    - University of Indiana researchers sent hoax phishing email to students and staff
    - “Some subjects called the experiment unethical, inappropriate, illegal, unprofessional, fraudulent, self-serving, and/or useless.”
    - “They called for the researchers … to be fired, prosecuted, expelled, or otherwise reprimanded.”
    - “These reactions highlight that phishing not only has the potential monetary costs associated with identity theft, but also a significant psychological cost to victims.”
  • Embedded Training with PhishGuru
    - Key differences:
      - Offer people immediate feedback and benefit (training)
      - Do so in a fun, engaging, and memorable format
    - Key to effective training is learning science
      - Examines learning, retention, and transfer of skills
    - Example principles: learning by doing, immediate feedback, conceptual-procedural, personalization, story-based agents, reflection
  • Case Study #1
    - Canadian healthcare organization
    - Three-month embedded training campaign
    - 190 employees
    - Security assessment and effective training in context
  • Simulated Phishing Email
  • Case Study
  • Measurable Reduction in Falling for Phish

    Campaign     Viewed Email Only   %        Viewed Email and Clicked Link   %        Employees
    Campaign 1   20                  10.53%   35                              18.42%   190
    Campaign 2   37                  19.47%   23                              12.11%   190
    Campaign 3   7                   3.70%    10                              5.29%    189

  • (Bar chart of the same data: employees per campaign, Campaign 1 to Campaign 3, two series “Viewed Email Only” and “Viewed Email and Clicked Link”, axis 0 to 40)
  • Case Study 2
    - Tested with over 500 people over a month
    - 1 simulated phish at beginning of month, testing done at end of month
    - About 50% reduction in falling for phish
    - 68 out of 85 surveyed said they recommend continuing doing this sort of training in the future
    - “I really liked the idea of sending [organization] fake phishing emails and then saying to them, essentially, HEY! You could've just gotten scammed! You should be more careful -- here's how....”
  • Micro-Games for Cyber Security
    - Training doesn’t have to be boring
    - Training doesn’t have to take long either
      - Micro game format, play for a short time
    - Two-thirds of Americans played a video game in the past six months
      - Not just young people: average game player is 35 years old; 25% of people over 50 play games
      - Not just males: 40% are women (casual games)
  • Case Study 3
    - Tested Anti-Phishing Phil micro game with ~4500 people
    - Huge improvement by novices in identifying phishing URLs
    - Also dramatically lowered false positives
  • False negatives for users who played Anti-Phishing Phil (“game condition”). False negatives are situations where people incorrectly label a phishing site as legitimate. Novices saw the greatest reduction in false negatives, and retained what they had learned.
  • False positives for users who played the Anti-Phishing Phil game. False positives are situations where people incorrectly label a legitimate site as phishing. Again, novices saw the greatest improvement in reducing false positives, and retained what they had learned.
  • Summary
    - Phishing scams on the rise
    - Spear-phishing attacks are highly targeted phishing attacks
    - People are very susceptible to well-crafted phish
    - Today’s training can be boring and ineffective
    - Embedded training and micro games are an effective alternative
  • Thank you! Thanks, PhishGuru. Where can I learn more?
    - Find more at wombatsecurity.com
    - Anti-Phishing Phil white paper: Cyber Security Training Game Teaches People to Avoid Phishing Attacks
    - PhishGuru white paper: An Empirical Evaluation of PhishGuru Training