Using Measured Security Awareness To Combat Phishing Attacks

This presentation discusses how to detect phishing and provides some background on using a measured security awareness service as a continuing education tool. It gives examples of how phishing can be used in a constructive manner, giving end users real-life experience in dealing with phishing and spear phishing attacks.

Published in: Technology, Business

  1. Measured Security Awareness Service
     Presented by Nicholas Davis, CISSP, CISA
  2. Overview
     - Phishing background
     - Threat to IT on campus
     - Phishing education
     - Tricks employed
     - Sample phishing emails unique to UW-Madison
     - Spotting the phish, after the click
     - How measured security awareness works
     - Conducting a campaign in your department
     - Q&A session
     1/10/2014 UNIVERSITY OF WISCONSIN 2
  3. Phishing Defined
     Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication, usually email.
  4. Famous Nigerian Phish
  5. Why Phishing Is Such a Threat
     - UW-Madison IT infrastructure is designed to protect the campus computing assets with many technical controls
     - However, this persuades hackers to pursue access via alternate means, often choosing to exploit the human factor
  6. Your Password Is the Key to the Kingdom
     If an attacker can persuade you to give them your password, they can evade all the controls put in place to protect sensitive systems
  7. UW-Madison’s Proprietary Research Interests Phishers
     Consider the value of UW-Madison’s intellectual property
  8. I Am Too Smart to Fall For a Trick Like Phishing
     - Most large organizations have a phishing participation rate of around 10%
     - This rises when the population becomes the subject of spear phishing, which is phishing email designed specifically for the recipient
  9. Phishing Relies Upon Social Engineering
     - The practice of deceiving someone, either in person, over the phone, or using a computer, with the express intent of breaching some level of security, either personal or professional
     - Social engineering techniques are considered con games, performed by con artists
     - The targets of social engineering may never realize they have been victimized
  10. Tricks Used By Expert Phishers
     - Socially aware: mining of information about the target from publicly available resources, such as Facebook, property records, or even CCAP
     - Context aware: make reference to an activity you are likely to engage in, such as, or UPS package receipt
  11. Specific Examples of Complex Phishing Attempts
     Baiting: placing a USB flash drive or CD, with malware on it, in a public place
  12. Specific Examples of Complex Phishing Attempts
     QR code curiosity: embedding malicious code within a QR code, on a printout posted to a community bulletin board
  13. Specific Examples of Complex Phishing Attempts
     Out of office, out of control: taking advantage of an autoresponder, leveraging specific knowledge to exploit co-workers
  14. What Would Happen If You Received This Email?
  15. What Would Happen If You Received This Email?
  16. Tips To Spot Social Engineering Within a Phishing Attempt
     - Asks you to verify a sensitive piece of information
     - A sense of urgency is implied in the message
     - An overt or implied threat may be present
     - Flattery is used to get you to drop your guard
     - Use, and sometimes overuse, of organizational knowledge is employed
     - A bribe or reward for your “help” may be offered
  17. Have You Ever Been Successfully Phished?
  18. Spotting the Phish After the Click
     - Website address looks odd or incorrect
     - IP address shows in address bar
     - Multiple pop-ups appear on top of legitimate website window
     - Website contains spelling or grammar errors
     - No SSL lock is present on what should be a secure site
  19. Can You Spot the Issue Here?
  20. Combat Phishing Attempts
     - Never give away personal information, especially username and password
     - Don’t let curiosity get the best of you
     - Look for the tell-tale signs we have discussed today
     - There are no situations which justify exceptions
     - If something sounds too good to be true…
  21. Measured Security Awareness: Learning Through Doing
     - Studies demonstrate that people tend to forget formal education over time
     - The best way to learn and remember is through experience
     - Measured security awareness is the ability to engage in realistic training within a safe, controlled and blame-free environment
  22. UW-Madison’s Measured Security Awareness Program
     - The Division of Information Technology has purchased a vendor solution which enables us to conduct measured security awareness campaigns
     - The system is safe
     - The system does NOT collect personal information such as who clicked on links, etc. Information is only reported in aggregate
     - DoIT has been internally phishing 850 internal staff for over a year
  23. Results So Far, at DoIT
     - At first, people were apprehensive
     - The beginning phishes were easy
     - After people got accustomed to it, attitudes became more accepting
     - After a year, most people are enjoying the challenge
     - Most importantly, many fewer people are falling for the phish
  24. This Proposal Smells Phishy
     - Over the next six months, you will be presented with 12 phishing attacks
     - Some will be easy to detect, others will be more sophisticated and difficult to detect
     - We may even go on a Whaling Expedition! Do you know what that is?
     - Participation rate will be collected (in aggregate) and summarized in a report
  25. Q&A Session
     Are you ready for a phishing expedition?
     Nicholas Davis
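As an added example (not part of the presentation or of UW-Madison's program), the after-the-click signs from slide 18 turned into a small Python check a user or help desk could run on a link; the campus domain example.edu and the sample links are constructed placeholders.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Assumption: the site the user expected to reach (constructed placeholder domain).
EXPECTED_DOMAIN = "example.edu"


def check_url(url: str, expected_domain: str = EXPECTED_DOMAIN) -> list:
    """Return the warning signs found in a clicked link (empty list if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    signs = []

    # Slide 18: "No SSL lock is present on what should be a secure site"
    if parts.scheme != "https":
        signs.append("not https")

    # Slide 18: "Website address looks odd or incorrect" - the user@host form
    # puts a trustworthy-looking name in front of the real host
    if parts.username is not None:
        signs.append("credentials before @ hide the real host")

    # Slide 18: "IP address shows in address bar"
    try:
        ip_address(host)
        signs.append("host is a raw IP address")
        return signs  # no domain name left to compare against
    except ValueError:
        pass

    # Slide 18: the registered domain is not the expected one, even though the
    # expected name may be embedded somewhere in the host to look familiar
    if host != expected_domain and not host.endswith("." + expected_domain):
        if expected_domain in host or expected_domain.replace(".", "-") in host:
            signs.append("expected domain appears inside a different host")
        else:
            signs.append("host is not under " + expected_domain)
    return signs


# Constructed sample links for a stand-alone run
SAMPLE_URLS = [
    "https://www.example.edu/login",
    "http://192.0.2.10/login",
    "https://example.edu.login-verify.example/",
    "https://www.example.edu@198.51.100.7/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", check_url(u) or "no warning signs")
```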