Using Measured Security Awareness To Combat Phishing Attacks

This presentation discusses how to detect phishing and provides some background on using a measured security awareness service as a continuing education tool. It gives examples of how phishing can be used constructively, giving end users real-life experience in dealing with phishing and spear phishing attacks.




Usage Rights

© All Rights Reserved


    Presentation Transcript

    • Measured Security Awareness Service Presented by Nicholas Davis, CISSP, CISA
    • Overview
      • Phishing background
      • Threat to IT on campus
      • Phishing education
      • Tricks employed
      • Sample phishing emails unique to UW-Madison
      • Spotting the phish after the click
      • How measured security awareness works
      • Conducting a campaign in your department
      • Q&A session
      1/10/2014 UNIVERSITY OF WISCONSIN 2
    • Phishing Defined: Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication, usually email.
    • Famous Nigerian Phish (sample email shown on the slide; image not in transcript)
    • Why Phishing Is Such a Threat: UW-Madison's IT infrastructure is designed to protect campus computing assets with many technical controls. That pushes attackers toward alternate routes, and they often choose to exploit the human factor.
    • Your Password Is the Key to the Kingdom: If an attacker can persuade you to give them your password, they can use it to bypass the controls put in place to protect sensitive systems.
    • UW-Madison’s Proprietary Research Interests Phishers: Consider the value of UW-Madison’s intellectual property.
    • I Am Too Smart to Fall For a Trick Like Phishing: Most large organizations see a phishing participation (click) rate of around 10%. The rate rises when the population becomes the target of spear phishing, which is phishing email crafted specifically for its recipient.
    • Phishing Relies Upon Social Engineering: the practice of deceiving someone, either in person, over the phone, or using a computer, with the express intent of breaching some level of security, personal or professional. Social engineering techniques are con games performed by con artists. The targets of social engineering may never realize they have been victimized.
    • Tricks Used By Expert Phishers
      • Socially aware: mining information about the target from publicly available sources, such as Facebook, property records, or even CCAP (Wisconsin Circuit Court Access)
      • Context aware: referring to an activity you are likely to engage in, such as receiving a UPS package
    • Specific Examples of Complex Phishing Attempts. Baiting: placing a USB flash drive or CD, with malware on it, in a public place.
    • Specific Examples of Complex Phishing Attempts. QR Code Curiosity: encoding a link to a malicious site in a QR code, on a printout posted to a community bulletin board.
    • Specific Examples of Complex Phishing Attempts. Out of Office, Out of Control: taking advantage of an autoresponder, leveraging the specific knowledge it leaks to exploit co-workers.
    • What Would Happen If You Received This Email? (two sample emails shown on slides 14 and 15; images not in transcript)
    • Tips To Spot Social Engineering Within a Phishing Attempt
      • Asks you to verify a sensitive piece of information
      • A sense of urgency is implied in the message
      • An overt or implied threat may be present
      • Flattery is used to get you to drop your guard
      • Organizational knowledge is used, and sometimes overused
      • A bribe or reward for your “help” may be offered
    • Have You Ever Been Successfully Phished?
    • Spotting the Phish After the Click
      • Website address looks odd or incorrect
      • An IP address shows in the address bar instead of a host name
      • Multiple pop-ups appear on top of the legitimate website window
      • Website contains spelling or grammar errors
      • No SSL lock is present on what should be a secure site (the lock only means the connection is encrypted; a phishing site can obtain a valid certificate too, so its presence alone proves nothing)
    • Can You Spot the Issue Here? (screenshot shown on the slide; image not in transcript)
    • Combat Phishing Attempts
      • Never give away personal information, especially your username and password
      • Don’t let curiosity get the best of you
      • Look for the tell-tale signs we have discussed today
      • There are no situations which justify exceptions
      • If something sounds too good to be true…
    • Measured Security Awareness: Learning Through Doing
      • Studies demonstrate that people tend to forget formal education over time
      • The best way to learn and remember is through experience
      • Measured security awareness is realistic training within a safe, controlled and blame-free environment
    • UW-Madison’s Measured Security Awareness Program
      • The Division of Information Technology (DoIT) has purchased a vendor solution which enables us to conduct measured security awareness campaigns
      • The system is safe
      • The system does NOT collect personal information such as who clicked on links; information is only reported in aggregate
      • DoIT has been internally phishing about 850 of its own staff for over a year
    • Results So Far, at DoIT
      • At first, people were apprehensive
      • The first phishes were easy
      • As people got accustomed to it, attitudes became more accepting
      • After a year, most people are enjoying the challenge
      • Most importantly, many fewer people are falling for the phish
    • This Proposal Smells Phishy
      • Over the next six months, you will be presented with 12 phishing attacks
      • Some will be easy to detect, others will be more sophisticated and difficult to detect
      • We may even go on a Whaling Expedition! Do you know what that is? (whaling: phishing aimed at senior executives)
      • Participation rate will be collected (in aggregate) and summarized in a report
    • Q&A Session: Are you ready for a phishing expedition? Nicholas Davis
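A worked check for the "Spotting the Phish After the Click" indicators above (odd-looking address, IP address in the address bar, no HTTPS), added here as an example; it is not code from the presentation or from UW-Madison's program. It goes slightly beyond the slide's list by also flagging two related tells: visible link text that names a different site than the real target, and punycode (`xn--`) host labels used for look-alike domains. The trusted domain `wisc.edu` and the sample message are assumptions constructed for illustration.

```python
"""Heuristic inspection of the links in a suspected phishing email.

Added example, not the presentation's or UW-Madison's code. It pulls every
<a href> out of an HTML message body and reports, per link, the indicators
the slides list plus text/target mismatch and punycode hosts. The trusted
domain and the sample message below are constructed for illustration.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domain the recipient expects campus links to use.
TRUSTED_DOMAINS = {"wisc.edu"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    # Crude "last two labels" rule (login.wisc.edu -> wisc.edu); a real tool
    # would consult the public suffix list to handle names such as co.uk.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def inspect_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the list of indicators found for one link (empty means nothing odd)."""
    findings = []
    url = urlsplit(href)
    host = url.hostname or ""
    if not host:
        return ["no host in link"]
    if url.scheme != "https":
        findings.append("not https")
    if is_ip_literal(host):
        findings.append("ip literal host")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode host")
    domain = registrable_domain(host)
    # Brand name appears in the host but the registrable domain is not the
    # trusted one, e.g. wisc.edu.account-verify.example or wisc-login.example.
    for t in trusted:
        if t.split(".")[0] in host and domain not in trusted:
            findings.append(f"look-alike of {t}")
            break
    # Visible text that reads like a site name but differs from the real target.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registrable_domain(m.group(1)) != domain:
        findings.append(f"text says {m.group(1)} but link goes to {host}")
    return findings


def inspect_message(html, trusted=TRUSTED_DOMAINS):
    """Map every link in the message body to its list of indicators."""
    return [(href, inspect_link(href, text, trusted)) for href, text in extract_links(html)]


# Constructed sample message: three phishy links and one legitimate one.
SAMPLE_EMAIL = """
<p>Your NetID mailbox is over quota. Verify within 24 hours or lose access:</p>
<a href="http://192.0.2.10/wisc/login">https://login.wisc.edu</a><br>
<a href="http://wisc.edu.account-verify.example/netid">Verify account</a><br>
<a href="https://www.xn--wisc-8ta.edu/login">wisc.edu portal</a><br>
<a href="https://kb.wisc.edu/page.php?id=1">Help desk</a>
"""

if __name__ == "__main__":
    for href, findings in inspect_message(SAMPLE_EMAIL):
        print(f"{href}\n    {', '.join(findings) or 'no indicators'}")
```

Run on the sample, the first three links each produce at least one indicator (the IP-literal link also shows the classic mismatch between what the text claims and where the link goes), while the `kb.wisc.edu` link produces none. The checks are deliberately heuristic: a clean result does not prove a link is safe, and the registrable-domain rule is too crude for production use without a public suffix list.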