UW School of Medicine: Social Engineering and Phishing Awareness

An IT Security presentation I created for faculty and staff of the UW-Madison School of Medicine, about how to recognize and defend against the threats of complex Phishing and Social Engineering, to protect sensitive digital information.
Uploaded as Microsoft PowerPoint. Usage rights: © All Rights Reserved.
Presentation Transcript

    • Page 1: Phishing and Social Engineering Awareness (Free Powerpoint Templates)
        • Nicholas Davis, CISA, CISSP, Security Architect, UW-Madison Division of Information Technology, 9-26-2013
    • Page 2: Introduction
        • Background
        • Phishing and Social Engineering: history, types, examples
        • Detecting Fraudulent Email
        • Defending Against Phishing Attacks
        • Measured Phishing Awareness at DoIT: samples and participation rates
        • Question and Answer Session
    • Page 3: Social Engineering
        • The art of manipulating people into performing actions or divulging confidential information
        • It is typically trickery or deception for the purpose of information gathering, fraud, or computer system access
    • Page 4: Phishing
        • Deception
        • Email
        • Websites
        • Facebook status updates
        • Tweets
        • Phishing, in the context of the healthcare working environment, is extremely dangerous
    • Page 5: Phishing in 1995
        • Target: AOL users
        • Account passwords = free online time
        • Threat level: low
        • Techniques: similar names, such as www.ao1.com (with the digit one) for www.aol.com (with a lower-case L)
    • Page 6: Phishing in 2001
        • Target: eBay and major banks
        • Credit card numbers and account numbers = money
        • Threat level: medium
        • Techniques: the same as in 1995
    • Page 7: Phishing in 2007
        • Targets: PayPal, banks, eBay
        • Purpose: to steal bank accounts
        • Threat level: high
        • Techniques: browser vulnerabilities, link obfuscation
    • Page 8: Phishing in 2013
        • Identity information
        • Personal harm
        • Blackmail
    • Page 9: Looking in the Mirror
        • Which types of sensitive information do you have access to?
        • What about others who share the computer network with you?
        • Think about the implications of that data being stolen and exploited!
    • Page 10: What Phishing Looks Like
        • As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows.
        • They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites.
    • Page 11: Techniques for Phishing
        • Employ visual elements from the target site
        • Host-name ("DNS") tricks:
            • www.ebay.com.kr (the brand is only a subdomain of a different registered domain)
            • www.ebay.com@192.168.0.5 (everything before the "@" is a user name; the browser actually connects to 192.168.0.5)
            • www.gooogle.com (look-alike misspelling)
        • Unicode attacks (look-alike characters from other alphabets in the host name)
        • JavaScript attacks
        • Spoofed SSL lock / certificates
            • Phishers can acquire certificates for domains they own
            • Certificate authorities make mistakes
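The host-name tricks on Page 11 can be caught mechanically before anyone clicks, because each one leaves a trace in the URL text itself. The following is an added example, not code from the presentation or from UW-Madison DoIT: a small Python checker that reports which trick a URL uses. The trusted-domain list and the sample URLs are made up for illustration, and the "registrable" part of a host is approximated by its last two labels instead of a Public Suffix List lookup.

```python
"""Flag the host-name tricks from Page 11 in a URL string (added example).

Works on the URL text alone, no network access. TRUSTED_DOMAINS is a
hypothetical list for the organisation; the "registrable" part of a host
is approximated by its last two labels instead of the Public Suffix List.
"""
from difflib import SequenceMatcher
from ipaddress import ip_address
from urllib.parse import urlsplit

TRUSTED_DOMAINS = ("ebay.com", "google.com", "paypal.com", "microsoft.com")


def _is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def _under(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def analyse_url(url):
    """Return the host a browser would really contact and the tricks found."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")
    labels = host.split(".")
    findings = []

    # www.ebay.com@192.168.0.5: text before '@' is a user name, not the host.
    if parts.username is not None:
        findings.append(f"userinfo '{parts.username}' hides the real host {host}")

    if _is_ip(host):
        findings.append("host is a raw IP address")

    # Unicode attack: non-ASCII letters, or a punycode (xn--) label.
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        findings.append("internationalised host name (possible look-alike characters)")

    for domain in TRUSTED_DOMAINS:
        if _under(host, domain):
            continue  # genuinely the trusted site or one of its subdomains
        brand = domain.split(".")[0]
        # www.ebay.com.kr, www.verify-microsoft.com: brand name present but
        # the host is not under the brand's own domain.
        if any(brand in label for label in labels):
            findings.append(f"mentions '{brand}' but is not under {domain}")
        # www.gooogle.com: near-miss spelling of the registrable part.
        tail = ".".join(labels[-2:])
        ratio = SequenceMatcher(None, tail, domain).ratio()
        if tail != domain and ratio >= 0.85:
            findings.append(f"'{tail}' resembles {domain} (similarity {ratio:.2f})")

    return {"host": host, "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for sample in ("www.ebay.com", "www.ebay.com.kr", "www.ebay.com@192.168.0.5",
                   "www.gooogle.com", "www.verify-microsoft.com"):
        result = analyse_url(sample)
        print(sample, "->", result["host"], result["findings"])
```

The checker deliberately reports the host after the "@" rather than the one a reader sees, which is the whole point of that trick; a mail gateway or link-rewriting proxy would apply the same parsing before deciding whether to let the click through.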
    • Page 12: Social Engineering Techniques
        • Socially aware attacks: mine social relationships from public data, so the phishing email appears to arrive from someone known to the victim
        • Use the spoofed identity of a trusted organization to gain trust
        • Urge victims to update or validate their account
        • Threaten to terminate the account if the victim does not reply
        • Use a gift or bonus as bait
        • Security promises
    • Page 13: Remember These Social Engineering Techniques
        • Often employed in phishing to seem more real or urgent, or to lower your guard
        • Threats: "Do this or else!"
        • Authority: "I have the authority to ask this"
        • Promises: "If you do this, you will get $$$"
        • Praise: "You deserve this"
    • Page 14: Other Phishing Techniques (the same list as on Page 12)
    • Page 15: Let's Talk About Facebook
        • So important, it gets its own slide!
        • Essentially unauthenticated (discussion)
        • Three friends and you're out! (discussion)
        • Privacy settings mean nothing (discussion)
        • Treasure trove of identity information
        • Games as information harvesters
    • Page 16: Socially Aware
    • Page 17: Context Aware
        • "Your bid on eBay has won!"
        • "The books on your Amazon wish list are on sale!"
    • Page 18: Seems Suspicious
    • Page 19: Social Engineering Methods
        • 419 scam
        • Nigerian email
        • Spanish Prisoner
    • Page 20: Too Good to Be True
    • Page 21: Detecting Fraudulent Email
        • Information requested is inappropriate for the channel of communication: "Verify your account." Nobody should ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail.
        • Urgency and a potential penalty or loss are implied: "If you don't respond within 48 hours, your account will be closed."
    • Page 22: Detecting Fraudulent Email
        • "Dear Valued Customer." Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name.
    • Page 23: Detecting Fraudulent Email
        • "Click the link below to gain access to your account." This is an example of URL masking (hiding the real web address behind the link text).
        • URL alteration: www.micosoft.com, www.mircosoft.com, www.verify-microsoft.com
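The tells listed on Pages 21 to 23 (a request that does not belong in e-mail, implied urgency, a generic greeting, and link text that hides the real address) are all visible in the message source, so they can be scored automatically as well as by eye. The following is an added example, not code from the presentation or from DoIT: it parses a message with the Python standard library and reports each indicator it finds. Both sample messages, the trusted-domain list, the organisation-name list and the keyword patterns are constructed for illustration and would need tuning for a real mailbox.

```python
"""Score an e-mail for the fraud indicators on Pages 21-23 (added example).

Standard library only, no network. SAMPLE_PHISH, SAMPLE_LEGIT, the trusted
domains, organisation names and keyword patterns are all constructed for
illustration.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAINS = ("wisc.edu",)                  # hypothetical
ORG_NAMES = ("uw-madison", "wisc.edu", "doit")   # how the organisation names itself
GENERIC_GREETING = re.compile(r"\bdear\s+(valued\s+)?(customer|user|member|client)\b", re.I)
URGENCY = re.compile(r"\b(within\s+\d+\s+hours?|immediately|account will be (closed|suspended|terminated))\b", re.I)
SENSITIVE = re.compile(r"\b(passwords?|social security|login names?|credit card)\b", re.I)

SAMPLE_PHISH = """\
From: "UW-Madison IT Help Desk" <helpdesk@wisc-edu-support.com>
Reply-To: recovery@mail-verify.net
To: staff@wisc.edu
Subject: Action required: verify your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Valued Customer,</p>
<p>If you don't respond within 48 hours, your account will be closed.</p>
<p>Click <a href="http://www.verify-microsoft.com/login">https://netid.wisc.edu</a>
and confirm your password and Social Security number.</p></body></html>
"""

SAMPLE_LEGIT = """\
From: "UW-Madison IT Help Desk" <helpdesk@wisc.edu>
To: staff@wisc.edu
Subject: Scheduled maintenance
Content-Type: text/plain; charset="utf-8"

Hi Nicholas, the mail servers will be patched on Saturday night.
Details are posted at https://it.wisc.edu/news (no action needed).
"""


class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(text):
    """Lower-cased host of a URL or bare domain name; '' if there is none."""
    try:
        return (urlsplit(text if "://" in text else "http://" + text).hostname or "").lower()
    except ValueError:
        return ""


def analyse_message(raw):
    """Return the indicators found in an RFC 5322 message given as a string."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    name, addr = parseaddr(str(msg["From"] or ""))
    from_domain = addr.rpartition("@")[2].lower()
    # Display name claims the organisation but the address is somewhere else.
    if any(o in name.lower() for o in ORG_NAMES) and not any(
            from_domain == d or from_domain.endswith("." + d) for d in TRUSTED_DOMAINS):
        findings.append(f"display name '{name}' but sender domain is {from_domain}")

    reply_to = parseaddr(str(msg["Reply-To"] or ""))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        findings.append(f"replies are redirected to {reply_to}")

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    text = re.sub(r"<[^>]+>", " ", html)      # crude tag stripping for the regexes
    if GENERIC_GREETING.search(text):
        findings.append("generic greeting: bulk mail not addressed to you by name")
    if URGENCY.search(text):
        findings.append("urgency or threat of loss")
    if SENSITIVE.search(text):
        findings.append("asks for credentials or identity data by e-mail")

    # URL masking: the visible text is itself a URL or host name, but the
    # href goes to a different host.
    parser = _Links()
    parser.feed(html)
    for href, shown in parser.links:
        shown_host, real_host = _host(shown), _host(href)
        if "." in shown_host and shown_host != real_host:
            findings.append(f"link shows {shown_host} but points to {real_host}")

    return {"score": len(findings), "findings": findings}


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyse_message(raw))
```

The score is a count of independent tells rather than a probability; in practice one strong indicator such as a masked link is reason enough to hold the message, while the softer wording checks mainly raise the count on bulk campaigns of the "Dear Valued Customer" kind.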
    • Page 24: How to Defend Against Phishing Attacks
        • Never respond to an email asking for personal information
        • Always check that the site is secure (SSL lock), but remember that the lock only shows the connection is encrypted to whoever owns that domain; phishers can obtain certificates for domains they own, so check the domain name as well
        • Look for misspellings or errors in grammar
        • Never click on the link in the email; enter the web address manually
        • Keep your browser updated
        • Keep antivirus definitions updated
        • Use a firewall
        • When in doubt, ask your Network Administrator for their opinion
    • Page 25: A Note on Spear Phishing
        • Designed especially for you
        • Includes your name
        • May reference an environment or issue you are aware of and familiar with
        • Asks for special treatment, with justification for the request
    • Page 26: Don't Touch That QR Code
        • Curiosity is dangerous
    • Page 27: Other Techniques
        • An ocean of phishing techniques
        • Clone phishing (discussion)
        • Whaling (discussion)
        • Filter evasion (discussion)
        • Phone phishing (discussion)
        • Tabnabbing (discussion)
        • Evil twins (discussion)
    • Page 28: Social Engineering Trojans
    • Page 29: Baiting
        • "Hey, look! A free USB drive!"
        • "I wonder what is on this confidential CD which I found in the bathroom?"
        • These are vectors for malware!
        • They play on your curiosity or your desire to get something for nothing
        • Don't be a piggy!
    • Page 30: Out of Office, Out of Control
        • Using the Out of Office responder in a responsible manner
    • Page 31: Phishing Awareness at DoIT
        • DoIT staff undergo formal Security Awareness training every year
        • Reading is one thing, experiencing is another
        • We wanted some real measurements
        • Purchased a product which enabled us to run measured phishing campaigns
        • Eight campaigns over the past year, from simple to complex
    • Page 32: "Fidlety" (simple)
    • Page 33: "Liked-In" (a little harder)
    • Page 34: "Faceblock Friends" (tricky)
    • Page 35: A Coupon From "The Home Despot"
    • Page 36: A New Kitchen at Work
    • Page 37: Dr. Jekyll, or Mr. Hyde? The crown jewel!
    • Page 38: Results
        • The average industry end-user "participation rate" (the share of recipients who act on the test message) is 14%
        • Can you guess what our participation rate was?
        • The more familiar the subject matter, the more likely people are to let their guard down
    • Page 39: Summary
        • Technology does not provide all the answers
        • Think of phishing every time you open an email
        • Remember, Social Engineering happens everywhere, not just at St. Elsewhere
    • Page 40: Questions and Discussion
        • Nicholas Davis, ndavis1@wisc.edu, facebook.com/nicholas.a.davis