Protect Your Organization from
Phishing Threats
Andy Rappaport, Chief Architect
Tom Smit, Customer Experience Manager
Learn about various types of phishing attacks and how to protect your organization.
Agenda
• The Evolving Phishing Threat
• Attacker’s mentality - What CORE’s penetration testers tell us
• 5 minute Identity Harvest Challenge
• Best Practices – What You Can Do
• Organizational Preparedness with CORE Insight
Phishing is Not the Same as Spam
• Spam: Unwanted email (and possibly texts)
• Phishing: malicious email – social engineering attack
− Pretending to be from someone you trust
− Designed to look like legitimate email from a trusted source.
• Types of Phishing:
− Spear Phishing – Targets select individuals
− Clone Phishing – use previous emails to create legitimate appearances while changing the links in the email. Use existing trust.
− Long-lining – Mix of large volume of highly customized emails – intended to defeat filter-type defenses.
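Clone phishing keeps a legitimate message and swaps only the link targets, so the observable signal for a mail gateway or client add-in is a visible link text that names one host while the href points to another. The check below is an added example, not code from the Core Security deck; the email body, host names and anchor format are constructed.

```python
# Added example (not from the Core Security deck): clone phishing reuses a real message
# and swaps only the link targets, so text/href host mismatch is the signal to check.
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lowercase host of a URL; bare 'host/path' text is given a scheme first."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def find_mismatched_links(html):
    """Return (visible text, href) pairs whose URL-like text names a different host."""
    parser = LinkCollector()
    parser.feed(html)
    # Only text that looks like a URL (has a dot, no whitespace) is compared.
    return [(text, href) for href, text in parser.links
            if "." in text and not any(c.isspace() for c in text)
            and host_of(text) != host_of(href)]


# Constructed sample: a cloned bank notice with only the login link target swapped.
SAMPLE_EMAIL = """<p>Please update your account information.</p>
<a href="http://login-verify.example.net/acct">https://www.firstgenericbank.example/login</a>
<a href="https://www.firstgenericbank.example/help">Help centre</a>"""
```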
The Evolving Phishing Threat
• Frequency is declining [1] but sophistication is increasing
• Spearphishing effectiveness has significantly increased [2]
• $1.5 Billion – total losses from phishing in 2012 [3]
• Why? Lowered barriers to achieve online trust
− Decreased face-to-face contact: remote offices, outsource, partners, social nets
− Tech by-pass the human: Single-sign-on, federation, browsers save a password
− Mixed personas (personal & biz): BYOD.
Sources
1. Anti-phishing Working Group Attack Trend Reports: http://www.antiphishing.org/resources/apwg-reports/
2. http://threatpost.com/spear-phishing-remains-preferred-point-entry-targeted-persistent-attacks-113012
3. http://www.emc.com/collateral/fraud-report/rsa-online-fraud-report-012013.pdf
What CORE’s Pen. Testers Tell Us
• Social Engineering is the preferred attack vector.
• Users are easier: “We can always phish someone [in an engagement.] It’s just a matter of how hard we need to try.”
• Establish, escalate and leverage trust: “until you get someone [or something] you want”.
• Value of compromising an identity
− Email account: send email as them → leverage their trust network
− Browser or host: passwords → logon as them
Note the significance of trust in each statement.
What CORE’s Pen. Testers Tell Us – The Approach
• Establish trust with non-threatening message to small group.
− We have been experiencing some errors with the XYZZY system. Sorry for any inconvenience.
− We are scheduling an upgrade for the XYZZY system.
• … then send the Phish email
− Sorry. Please use this temporary XYZZY system <some link>
• Make it look right
− Use corporate branding / images. Duh.
• Personalize - if possible
− Title: Attendee list for your XYZZY conference keynote
o (A person’s future conference schedule might be easy to discover)
Try the 5 Minute Identity Harvest Challenge
• Pick an important corporate user – your company or another
• Search for just 5 minutes to get spear-phish info
• Pick a few places to look:
− Corporate site, news
− Financial: scheduled stock trades
− Search engine: blogs, conferences, speeches, planned travel
− Social: Linked-in (college – home-coming), Facebook (social, family)
− Physical Addresses: work, home, vacation
What could an attacker do with more time?
Phish Defenses – What You Can Do
• Defend - Technology deployments
 Blacklisting known phishing sites
 Spam filters
 Anti-virus software
• Educate - User awareness
− Regular 2-way communication. Make humans part of your sensor network.
− Share real-world examples
• Understand the risk - Establish Policy
− Ex: CSR or IT password reset – are they being helpful or insecure?
− Zip files through the firewall?
− Mixing personal and business.
• Test and measure your own exposure and risk
− Test your own defenses
− Hands-on employee assessments
Self-Phishing Best Practices
• Goal: Understand and lower phish risk
• Systematic testing
− Data-driven. Objective.
− Create an easily-repeatable process
− Not a one-time gotcha. (Hook-and-release)
• Test people and defenses/controls
• Different levels of sophistication
− E.g. obvious form letter; targeted message w/specific but publicly available information
(Cycle: Assess – Test – Improve)
Benefits of Self-Phishing
Data-driven Security - Goals-questions-metrics
• Goal: understand/measure own risk from phish exposure.
• Questions:
− Does the A/V on our IT ‘golden images’ detect spam/phish messages?
− Do our defenses provide useful clues to employees?
− Which of our users are susceptible to phishing?
− How much does our user awareness program reduce the risk?
• Metrics: Understanding effectiveness of your training
− Measure over time and identify areas to improve
− Approach: Mix baselines (Nigerian prince) with more focused (spearphish)
• Identify users and groups who need additional education
− Adequately trained? New hires? Admins? IT? Devs?
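The goals-questions-metrics loop above only pays off if campaign results are recorded per recipient and rolled up by group, by campaign sophistication and by quarter. The script below is an added example of that roll-up, not Core Insight’s reporting code; the result records, group names and 50 % training threshold are constructed.

```python
# Added example (not Core Insight code): metrics for a self-phishing programme.
# Each record is one recipient in one test campaign; all data here is constructed.
from collections import defaultdict

# (quarter, campaign type, user group, clicked link, submitted credentials)
RESULTS = [
    ("2013Q1", "baseline", "marketing", True, True),
    ("2013Q1", "baseline", "marketing", True, False),
    ("2013Q1", "baseline", "marketing", False, False),
    ("2013Q1", "spearphish", "executives", True, True),
    ("2013Q1", "spearphish", "executives", True, False),
    ("2013Q1", "baseline", "developers", False, False),
    ("2013Q1", "baseline", "developers", True, False),
    ("2013Q2", "baseline", "marketing", False, False),
    ("2013Q2", "baseline", "marketing", True, False),
    ("2013Q2", "baseline", "marketing", False, False),
    ("2013Q2", "spearphish", "executives", True, False),
    ("2013Q2", "spearphish", "executives", False, False),
    ("2013Q2", "baseline", "developers", False, False),
    ("2013Q2", "baseline", "developers", False, False),
]


def rates_by(results, key_index):
    """Map each value of one field to (click rate, credential-submission rate)."""
    sent, clicked, submitted = defaultdict(int), defaultdict(int), defaultdict(int)
    for rec in results:
        k = rec[key_index]
        sent[k] += 1
        clicked[k] += rec[3]      # bools add as 0/1
        submitted[k] += rec[4]
    return {k: (clicked[k] / sent[k], submitted[k] / sent[k]) for k in sent}


def quarterly_trend(results, group):
    """Per-quarter rates for one group, in quarter order: shows whether training worked."""
    subset = [r for r in results if r[2] == group]
    return sorted(rates_by(subset, 0).items())


def groups_needing_training(results, quarter, threshold=0.5):
    """Groups whose click rate in `quarter` is at or above the threshold (constructed cut-off)."""
    subset = [r for r in results if r[0] == quarter]
    return sorted(g for g, (click, _) in rates_by(subset, 2).items() if click >= threshold)
```

Comparing `rates_by(RESULTS, 1)` for "baseline" against "spearphish" gives the mixed-baseline view the deck recommends; `groups_needing_training` picks next quarter’s focus.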
CORE Insight
Insight Can Assess Over Time
Investments in training have proven productive. Ongoing evaluation is critical to minimizing risk. Next quarter’s focus can be clearly identified.
Insight Identifies Critical Areas
Identify current weaknesses in an organization. Campaigns focus on different users.
• Marketing
• Executives
• Contractors
• Web Developers
Focus limited resources on more critical activities
Insight Builds Focused Campaigns
• Clone Phishing
• Spear Phishing
• General Phishing
(Sample campaign message shown: From: First Generic Bank <accounts@firstgenericbank.com>, Subject: Please update your account information, Mar 12, 2013 3:23PM PST)
Reporting
Go to www.coresecurity.com/videos/protecting-yourorganization-phishing-threats to watch the recorded presentation.
For more information please contact Core Security at (617)399-6980 or info@coresecurity.com