UW School of Medicine Social Engineering and Phishing Awareness
An IT Security presentation I created for faculty and staff of the UW-Madison, School of Medicine, about how to recognize and defend against the threats of complex Phishing and Social Engineering, to protect sensitive digital information.

Published in: Technology, Art & Photos

  1. Phishing and Social Engineering Awareness - Nicholas Davis, CISA, CISSP, Security Architect, UW-Madison, Division of Information Technology - 9-26-2013
  2. Introduction • Background • Phishing and Social Engineering • History • Types • Examples • Detecting Fraudulent Email • Defending Against Phishing Attacks • Measured Phishing Awareness at DoIT • Samples and Participation Rates • Question and Answer Session
  3. Social Engineering: The art of manipulating people into performing actions or divulging confidential information. It is typically trickery or deception for the purpose of information gathering, fraud, or computer system access.
  4. Phishing • Deception • Email • Websites • Facebook status updates • Tweets • Phishing, in the context of the healthcare working environment, is extremely dangerous
  5. Phishing 1995 • Target: AOL users • Account passwords = free online time • Threat level: low • Techniques: similar names, such as www.ao1.com for www.aol.com
  6. Phishing 2001 • Target: eBay and major banks • Credit card numbers and account numbers = money • Threat level: medium • Techniques: the same as in 1995
  7. Phishing 2007 • Targets: PayPal, banks, eBay • Purpose: to steal bank accounts • Threat level: high • Techniques: browser vulnerabilities, link obfuscation
  8. Phishing in 2013 • Identity information • Personal harm • Blackmail
  9. Looking in the Mirror • Which types of sensitive information do you have access to? • What about others who share the computer network with you? • Think about the implications of that data being stolen and exploited!
  10. What Phishing Looks Like • As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows. • They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites.
  11. Techniques for Phishing • Employ visual elements from the target site • DNS tricks: www.ebay.com.kr, www.ebay.com@, www.gooogle.com • Unicode attacks • JavaScript attacks • Spoofed SSL lock • Certificates: phishers can acquire certificates for domains they own, and certificate authorities make mistakes
  12. Social Engineering Techniques • Socially aware attacks: mine social relationships from public data, so the phishing email appears to arrive from someone known to the victim • Use the spoofed identity of a trusted organization to gain trust • Urge victims to update or validate their account • Threaten to terminate the account if the victim does not reply • Use a gift or bonus as bait • Security promises
  13. Remember These Social Engineering Techniques: often employed in phishing to seem more real or urgent, or to lower your guard • Threats – Do this or else! • Authority – I have the authority to ask this • Promises – If you do this, you will get $$$ • Praise – You deserve this
  14. Other Phishing Techniques • Socially aware attacks: mine social relationships from public data, so the phishing email appears to arrive from someone known to the victim • Use the spoofed identity of a trusted organization to gain trust • Urge victims to update or validate their account • Threaten to terminate the account if the victim does not reply • Use a gift or bonus as bait • Security promises
  15. Let's Talk About Facebook • So important, it gets its own slide! • Essentially unauthenticated – discussion • Three friends and you're out! – discussion • Privacy settings mean nothing – discussion • Treasure trove of identity information • Games as information harvesters
  16. Socially Aware
  17. Context Aware • "Your bid on eBay has won!" • "The books on your Amazon wish list are on sale!"
  18. Seems Suspicious
  19. Social Engineering Methods • 419 scam • Nigerian email • Spanish prisoner
  20. Too Good to Be True
  21. Detecting Fraudulent Email • The information requested is inappropriate for the channel of communication: "Verify your account." Nobody should ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail. • Urgency and a potential penalty or loss are implied: "If you don't respond within 48 hours, your account will be closed."
  22. Detecting Fraudulent Email • "Dear Valued Customer." Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name.
  23. Detecting Fraudulent Email • "Click the link below to gain access to your account." This is an example of URL masking (hiding the web address) • URL alteration: www.micosoft.com, www.mircosoft.com, www.verify-microsoft.com
  24. How to Defend Against Phishing Attacks • Never respond to an email asking for personal information • Always check the site to see if it is secure (SSL lock) • Look for misspellings or errors in grammar • Never click on the link in the email; enter the web address manually • Keep your browser updated • Keep antivirus definitions updated • Use a firewall • When in doubt, ask your network administrator for their opinion
  25. A Note on Spear Phishing • Designed especially for you • Includes your name • May reference an environment or issue you are aware of and familiar with • Asks for special treatment, with justification for the request
  26. Don't Touch That QR Code: Curiosity Is Dangerous
  27. Other Techniques: an ocean of phishing techniques • Clone phishing – discussion • Whaling – discussion • Filter evasion – discussion • Phone phishing – discussion • Tabnabbing – discussion • Evil twins – discussion
  28. Social Engineering Trojans
  29. Baiting • Hey, look! A free USB drive! • I wonder what is on this confidential CD which I found in the bathroom? • These are vectors for malware! • They play on your curiosity or your desire to get something for nothing • Don't be a piggy!
  30. Out of Office, Out of Control: using the Out of Office responder in a responsible manner
  31. Phishing Awareness at DoIT • DoIT staff undergo formal security awareness training every year • Reading is one thing, experiencing is another • We wanted some real measurements • Purchased a product which enabled us to run measured phishing campaigns • Eight campaigns over the past year, from simple to complex
  32. Fidlety – Simple
  33. Liked-In – A Little Harder
  34. Faceblock Friends – Tricky
  35. A Coupon from The Home Despot
  36. A New Kitchen at Work
  37. Dr. Jekyll – Or Mr. Hyde? The Crown Jewel!
  38. Results • Average industry end-user "participation rate" is 14% • Can you guess what our participation rate was? • The more familiar the subject matter, the more likely people are to let their guard down
  39. Summary • Technology does not provide all the answers • Think of phishing every time you open an email • Remember, social engineering happens everywhere, not just at St. Elsewhere
  40. Questions and Discussion • Nicholas Davis • ndavis1@wisc.edu • facebook.com/nicholas.a.davis
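An added example, not part of the presentation: a small Python checker for the URL tricks shown on slides 11 (www.ebay.com.kr, www.ebay.com@, www.gooogle.com, Unicode attacks) and 23 (www.micosoft.com, www.mircosoft.com, www.verify-microsoft.com), the kind of check an awareness tool or mail filter could run on a link before a user clicks it. The brand allow-list, the two-label approximation of the registrable domain, and the sample URLs are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Assumed allow-list: brand domains this organisation legitimately uses.
TRUSTED = {"aol.com", "ebay.com", "google.com", "microsoft.com"}
BRANDS = sorted(d.split(".")[0] for d in TRUSTED)


def levenshtein(a, b):
    """Edit distance: 'gooogle' vs 'google' is 1, 'mircosoft' vs 'microsoft' is 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def url_indicators(url):
    """Return the phishing indicators found in a URL; an empty list means none."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    hits = []
    # 'www.ebay.com@<host>' trick: everything before '@' is userinfo, not the host.
    if parts.username is not None:
        hits.append(f"userinfo '{parts.username}' hides the real host '{parts.hostname}'")
    host = (parts.hostname or "").rstrip(".")
    # Unicode/IDN lookalikes show up either as raw non-ASCII or as punycode labels.
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        hits.append("non-ASCII or punycode host (IDN lookalike)")
    labels = host.split(".")
    apex = ".".join(labels[-2:])  # naive registrable domain: no public-suffix list here
    if apex in TRUSTED:
        return hits
    sld = labels[-2] if len(labels) >= 2 else host
    subdomains = labels[:-2]
    for brand in BRANDS:
        if brand in subdomains:                                   # www.ebay.com.kr
            hits.append(f"brand '{brand}' used as a subdomain of '{apex}'")
        elif brand in sld and sld != brand:                       # www.verify-microsoft.com
            hits.append(f"brand '{brand}' embedded in look-alike domain '{sld}'")
        elif levenshtein(sld, brand) <= max(1, len(brand) // 4):  # www.micosoft.com
            hits.append(f"'{sld}' looks like a typo-squat of '{brand}'")
    return hits


if __name__ == "__main__":
    # Constructed samples; 203.0.113.5 is a documentation-only address.
    for sample in ("https://www.ebay.com/signin", "http://www.ebay.com@203.0.113.5/",
                   "www.ebay.com.kr", "www.gooogle.com", "www.verify-microsoft.com"):
        print(sample, "->", url_indicators(sample) or "no indicators")
```

A real deployment would replace the two-label apex guess with a public-suffix list and extend the allow-list to the organisation's actual partners.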