Organizational Phishing Education
Nicholas Davis, CISA, CISSP
November 15, 2016
Organizational Phishing Education

Download to read offline

A general education presentation, created to teach employees of an organization about Phishing, what it is, how to recognize it, avoid becoming a phishing victim, how to recognize common social engineering techniques, and what to do if you think you have been phished.

1. Organizational Phishing Education
   Nicholas Davis, CISA, CISSP
   November 15, 2016
2. Overview
   • Phishing background
   • Threat to IT within universities
   • Phishing education
   • Tricks employed
   • Sample educational phishing emails sent
   • Spotting the phish, after the click
   • Q&A
3. Phishing Defined
   Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication, usually email.
4. Why Phishing Is Such a Threat
   • IT infrastructure is designed to protect the campus's computing assets with many technical controls
   • However, this pushes hackers to pursue access via alternate means, often choosing to exploit the human factor
5. Your Password Is the Key to the Kingdom
   If an attacker can persuade you to give them your password, they can evade all the controls put in place to protect sensitive systems.
6. Higher Education Proprietary Research Interests Phishers
   Consider the value of an organization’s intellectual property.
7. I Am Too Smart to Fall for a Trick Like Phishing
   Most large organizations have a phishing participation rate of around 10%. This rises when the population becomes the subject of spear phishing, which is phishing email designed specifically for the recipient.
8. Phishing Relies Upon Social Engineering
   The practice of deceiving someone, either in person, over the phone, or using a computer, with the express intent of breaching some level of security, either personal or professional. Social engineering techniques are considered con games performed by con artists. The targets of social engineering may never realize they have been victimized.
9. Tricks Used by Expert Phishers
   • Socially aware: mining information about the target from publicly available resources, such as Facebook, property records, or even CCAP
   • Context aware: making reference to an activity you are likely to engage in, such as an Amazon.com order or a UPS package receipt
10. Specific Examples of Complex Phishing Attempts
   • Baiting: placing a USB flash drive or CD, with malware on it, in a public place
11. Specific Examples of Complex Phishing Attempts
   • QR code curiosity: embedding malicious code within a QR code, on a printout posted to a community bulletin board
12. Specific Examples of Complex Phishing Attempts
   • Out of office, out of control: taking advantage of an autoresponder, leveraging specific knowledge to exploit co-workers
13. What Would Happen If You Received This Email? (sample email image)
14. What Would Happen If You Received This Email? (sample email image)
15. Tips to Spot Social Engineering Within a Phishing Attempt
   • Asks you to verify a sensitive piece of information
   • A sense of urgency is implied in the message
   • An overt or implied threat may be present
   • Flattery is used to get you to drop your guard
   • Organizational knowledge is used, and sometimes overused
   • A bribe or reward for your “help” may be offered
16. Spotting the Phish After the Click
   • Website address looks odd or incorrect
   • IP address shows in the address bar
   • Multiple pop-ups appear on top of the legitimate website window
   • Website contains spelling or grammar errors
   • No SSL lock is present on what should be a secure site
17. Can You Spot the Issue Here? (sample image)
18. How Can You Protect Yourself?
   • Try to remember that lurking behind every innocent-looking email could be a giant shark waiting to make its move. This is true whether it's work or personal email, so you must treat every email with a basic level of caution.
19. Protect Your Information
   • Do not send sensitive information such as bank details, social security number, etc. over email. If you really need to, make sure you know who you are sending it to and start a new email rather than replying to a thread. Check the email address carefully.
20. Check the Address
   • Be mindful of who is emailing you. Check email addresses for accuracy and look for signs of suspicious activity, for example an email that is not in the format you'd expect or a name that appears to be spelt incorrectly. Email addresses made up of seemingly random combinations of letters and numbers may also be suspicious.
21. Don’t Click on Links
   • Hover over links WITHOUT CLICKING: the destination will show in the bottom left of your screen and you can see whether it looks right. If in doubt, Google the address you need rather than clicking on a link.
22. Don’t Open Suspicious Attachments
   • Treat any attachment that you didn't request as highly suspect. Contact your organizational help desk if you're not sure whether it's safe and they will check it out for you.
23. If in Doubt, Contact Your Help Desk
   • If in doubt, email your organizational Help Desk. They will let you know whether something is safe to open or click on. It's better to be safe than sorry.
24. Combat Phishing Attempts
   • Never give away personal information, especially username and password
   • Don’t let curiosity get the best of you
   • Look for the tell-tale signs we have discussed today
   • There are no situations which justify exceptions
   • If something sounds too good to be true…
25. If You Think You Have Been Phished
   • This stuff isn't complicated, but it is incredibly easy to get caught out by a well-crafted phishing campaign. If you should accidentally succumb to a phishing attempt, please do not feel ashamed or fearful. It can happen to anyone, eventually.
   • In such a situation, the worst thing you can do is keep quiet. Instead, contact your organization’s Help Desk immediately. Your machine may have been infected with malware, or your user credentials may be compromised. The very best way to remedy such a situation is to contact the Help Desk.
26. If You Think You Have Been Phished
   • You should not be reprimanded or punished in any way when you come forward with information about potential phishing incidents. The Help Desk of your organization is there to assist and help triage the situation after a successful phish occurs.
27. Curiosity Killed the Cat! Lack of Curiosity Killed the Phish!
   Nicholas Davis, CISA, CISSP
   Chief Information Security Officer, University of Wisconsin System
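The deck's tells are things a person checks by eye: does the sender address look right, where does a link really point when you hover over it, is there an IP address or no HTTPS lock after the click, and does the wording push urgency, threats, flattery or a request to "verify" a password. The following script, an added example that is not part of the slide deck and not the author's or the University of Wisconsin's code, encodes those same checks so a help desk or mail-security team can run them over a reported message. It assumes a set of trusted organizational domains (TRUSTED_DOMAINS, here the placeholder example.edu), uses a deliberately naive "last two labels" notion of registered domain, and scores two constructed sample messages (one phish-like, one benign); the phrase patterns in TELLS are crude and would need tuning for real mail.

```python
"""Phishing-indicator checker for one email (added example, not from the deck).

Checks the sender address (slide 20), link text versus real destination,
IP-address hosts and missing HTTPS (slides 16 and 21), and the
social-engineering cues of slide 15. All domains, addresses and message
text below are constructed for illustration.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organization really sends mail and hosts sites from (assumed).
TRUSTED_DOMAINS = {"example.edu"}

# Slide 15 tells as crude phrase patterns (constructed; tune for real mail).
TELLS = {
    "asks to verify sensitive info":
        r"\b(verify|confirm|update)\b.{0,40}\b(password|account|ssn|social security)\b",
    "sense of urgency": r"\b(immediately|within 24 hours|urgent|right away|expire[sd]?)\b",
    "overt or implied threat": r"\b(suspend|suspended|terminated?|locked|disabled|legal action)\b",
    "bribe or reward offered": r"\b(reward|gift card|bonus|prize|refund)\b",
    "flattery": r"\b(valued|loyal|selected|exclusive)\b",
}

# Visible link text that itself looks like a URL or bare domain name.
_LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]|$)", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registered_domain(host):
    """Last two labels of a hostname; naive, but enough for the example."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def link_indicators(href, visible_text, trusted=TRUSTED_DOMAINS):
    """Tells for one link: what hovering would reveal, plus after-the-click signs."""
    found = []
    url = urlparse(href)
    host = url.hostname or ""
    if url.scheme != "https":
        found.append("no SSL lock (link is not https)")
    if _is_ip(host):
        found.append("IP address instead of a hostname")
    elif _registered_domain(host) not in trusted:
        found.append(f"destination domain {_registered_domain(host)} is not trusted")
    shown = _LOOKS_LIKE_URL.match(visible_text.strip())
    if shown and _registered_domain(shown.group(1)) != _registered_domain(host):
        found.append(f"link text shows {shown.group(1)} but points to {host}")
    return found


def sender_indicators(from_header, trusted=TRUSTED_DOMAINS):
    """Slide 20 tells: wrong domain, or a random-looking mix of letters and digits."""
    found = []
    m = re.search(r"<([^>]+)>", from_header)
    addr = (m.group(1) if m else from_header).strip().lower()
    local, _, domain = addr.partition("@")
    if _registered_domain(domain) not in trusted:
        found.append(f"sender domain {domain} is not trusted")
    digits = sum(c.isdigit() for c in local)
    if len(local) >= 8 and digits / len(local) > 0.3:
        found.append("sender address looks like random letters and numbers")
    return found


def social_engineering_indicators(text):
    """Slide 15 tells present in the message text, in TELLS order."""
    lower = text.lower()
    return [name for name, pattern in TELLS.items() if re.search(pattern, lower)]


def analyze(from_header, html_body):
    """Run every check; 'score' is the number of tells found, 0 meaning none."""
    collector = _LinkCollector()
    collector.feed(html_body)
    collector.close()
    text = re.sub(r"<[^>]+>", " ", html_body)
    report = {
        "sender": sender_indicators(from_header),
        "social_engineering": social_engineering_indicators(text),
        "links": {href: link_indicators(href, shown) for href, shown in collector.links},
    }
    report["score"] = (len(report["sender"]) + len(report["social_engineering"])
                       + sum(len(v) for v in report["links"].values()))
    return report


# Constructed sample messages (not real mail): one phish-like, one benign.
SAMPLE_FROM = "Example University Help Desk <hd48213a9@mail-example-edu.example>"
SAMPLE_BODY = (
    "<p>Dear valued colleague,</p>"
    "<p>Your mailbox will be suspended within 24 hours unless you verify your password.</p>"
    '<p><a href="http://203.0.113.10/login">https://portal.example.edu/login</a></p>'
)
CLEAN_FROM = "Jane Doe <jane.doe@example.edu>"
CLEAN_BODY = '<p>Thursday\'s agenda is on <a href="https://portal.example.edu/agenda">the portal</a>.</p>'

if __name__ == "__main__":
    print("sample:", analyze(SAMPLE_FROM, SAMPLE_BODY))
    print("clean:", analyze(CLEAN_FROM, CLEAN_BODY))
```

On the constructed phish-like message the report lists nine tells (an untrusted, random-looking sender; verify-your-password, urgency, threat and flattery wording; and a link that displays the organization's portal but points over plain HTTP to a bare IP address), while the benign message scores zero. The hover check is the one users cannot automate in their heads: comparing the visible link text against the real href is exactly what slide 21 asks them to do by hand.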
