Protecting Organizations from Phishing Scams, for RSA Webinar in Sep 2010
1. Copyright © Wombat Security Technologies, Inc. 2008-2010
Jason Hong, PhD
Assoc. Prof, Carnegie Mellon University
CTO, Wombat Security Technologies
Protecting Organizations
from Phishing Scams
3.
300 million spear phishing
emails are sent each day
-Cisco 2008 Annual Security Report
4.
Phishing Attacks are Pervasive
Phishing is a social engineering attack
Tricks users into sharing sensitive information
or installing malware
Used for identity theft, corporate espionage,
and theft of national secrets
Circumvents today’s security measures
Targets the person behind the keyboard
Works around encryption, two-factor, firewalls
Password reuse exacerbates the problem: a security
problem outside your perimeter can still affect you
5.
How Bad is Phishing?
Estimated ~0.4% of Internet users per year
fall for phishing attacks
Estimated $1B+ direct losses to consumers per year
Bank accounts, credit card fraud
Doesn’t include time wasted on recovery of funds,
restoring computers, emotional uncertainty
Growth rate of phishing is high
Over 45k+ reported unique sites / month
Social networking sites now major targets
7.
How Bad is Phishing?
Direct damage
Loss of sensitive customer data
Loss of intellectual property
Fraud
Attack on European carbon traders in early 2010,
close to $5m stolen in targeted phishing attack
Indirect damage can be high too
Damage to reputation, lost sales, etc.
Response costs (call centers, recovery)
One bank estimated costs of $1M per phishing attack
8.
Spear-Phishing Attacks Rising
Type #1 – Uses info about your organization
This attack uses public information
Not immediately obvious it is an attack
Could be sent to military personnel at a base
Our data suggests around 50% of people are
likely to fall for a good spear-phishing attack
General Clark is retiring next week,
click here to say whether you can
attend his retirement party
9.
Spear-Phishing Attacks Rising
Type #2 – Uses info about you specifically
Might use information from social networking sites,
corporate directories, or publicly available data
Thousands of high-ranking executives across the
country have been receiving e-mail messages this
week that appear to be official subpoenas from the
United States District Court in San Diego. Each
message includes the executive’s name, company
and phone number, and commands the recipient to
appear before a grand jury in a civil case.
-- New York Times, Apr 16 2008
10.
Protecting Your Users from Phish
Make it invisible
Email and web filters for your employees
Takedown providers for your customers
Better user interfaces
Better web browser interfaces
Train people
Most overlooked aspect of protection
More effective than people realize
11.
Problems with Traditional Security Training
All-day training sessions
Major disruption to work, no chance to practice skills,
not realistic because people aren’t attacked in a classroom
People don’t know they have a problem
Can’t go looking for the right information
Awareness campaigns don’t help
Telling people to watch out for phishing without
teaching meaningful skills to detect attacks is useless
Can also raise false positives (basically, raises
paranoia)
Traditional training is boring
12.
Embedded Training
Use simulated phishing attacks to train people
Teach people in the context they would be attacked
If a person falls for simulated phish, then show
intervention as to what just happened
Creates a “teachable moment”
However, doing embedded training right is
harder than it may seem
13.
Doing Embedded Training Right
Coordinating with Right Groups
US Dept of Justice sent hoax phishing email, but
didn’t notify the entity they were impersonating
Wasted lots of time and energy shutting it down
Anxiety for many days about safety of retirement
plans
One Air Force Base sent hoax phishing email
about Transformers 3 wanting to recruit
Spread a fairly large Internet rumor about the movie
Wasted lots of time and energy addressing rumors
14.
Doing Embedded Training Right
Psychological Costs
University of Indiana researchers sent hoax
phishing email to students and staff
“Some subjects called the experiment unethical,
inappropriate, illegal, unprofessional, fraudulent,
self-serving, and/or useless.”
“They called for the researchers … to be fired,
prosecuted, expelled, or otherwise reprimanded.”
“These reactions highlight that phishing not only has the
potential monetary costs associated with identity theft,
but also a significant psychological cost to victims.”
15.
Embedded Training with PhishGuru
Key differences:
Offer people immediate feedback and benefit (training)
Do so in fun, engaging, and memorable format
Key to effective training is learning science
Examines learning, retention, and transfer of skills
Example principles
Learning by doing
Immediate feedback
Conceptual-procedural
Personalization
Story-based agents
Reflection
17.
Case Study #1
Canadian healthcare organization
Three-month embedded training campaign
190 employees
Security assessment and effective training in context
20.
Measurable Reduction in Falling for Phish
Campaign     Viewed Email Only   %        Viewed Email and Clicked Link   %        Employees
Campaign 1   20                  10.53%   35                              18.42%   190
Campaign 2   37                  19.47%   23                              12.11%   190
Campaign 3   7                   3.70%    10                              5.29%    189
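The table above is the kind of per-campaign summary an embedded-training tool produces. As an added example, not code from this deck or from the PhishGuru product, here is a small Python aggregator that builds those columns from a raw per-recipient event log. The event tuple format, the SAMPLE_EVENTS records and the SAMPLE_ROSTER sizes are constructed assumptions; the percentages are computed the same way as in the table, against the number of employees targeted rather than the number who opened the message.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CampaignStats:
    """Counts for one simulated-phishing campaign, in the shape of the table above."""
    employees: int
    viewed_only: int   # opened the simulated phish but did not click its link
    clicked: int       # clicked the link (the "fell for it" outcome)

    @property
    def viewed_only_pct(self) -> float:
        return round(100.0 * self.viewed_only / self.employees, 2)

    @property
    def clicked_pct(self) -> float:
        return round(100.0 * self.clicked / self.employees, 2)


# Constructed sample event log: (campaign, user id, action). An action is either
# "viewed" (the message was opened) or "clicked" (its training link was followed).
# These are invented records, not data from any real campaign.
SAMPLE_EVENTS = [
    (1, "u01", "viewed"), (1, "u01", "clicked"),
    (1, "u02", "viewed"),
    (1, "u03", "clicked"),                        # click recorded without a view event
    (1, "u04", "viewed"), (1, "u04", "viewed"),   # opened twice, counts once
    (2, "u01", "viewed"),
    (2, "u05", "viewed"), (2, "u05", "clicked"),
    (3, "u02", "viewed"),
]
# Constructed roster sizes per campaign (the denominator for the percentages).
SAMPLE_ROSTER = {1: 20, 2: 20, 3: 19}


def summarize(events, roster):
    """Aggregate raw events into per-campaign CampaignStats.

    Each user is counted at most once per campaign, and a user who clicked is
    counted under "clicked" only, so the two columns never double-count a person.
    """
    viewers = defaultdict(set)
    clickers = defaultdict(set)
    for campaign, user, action in events:
        if action == "clicked":
            clickers[campaign].add(user)
        elif action == "viewed":
            viewers[campaign].add(user)
        else:
            raise ValueError(f"unknown action {action!r}")
    stats = {}
    for campaign, employees in roster.items():
        clicked = clickers[campaign]
        viewed_only = viewers[campaign] - clicked   # clicking implies viewing
        stats[campaign] = CampaignStats(employees, len(viewed_only), len(clicked))
    return stats


def click_rate_reduction(stats, first, last):
    """Relative drop in click rate between two campaigns, in percent (positive = improvement)."""
    before = stats[first].clicked_pct
    after = stats[last].clicked_pct
    return round(100.0 * (before - after) / before, 1) if before else 0.0


if __name__ == "__main__":
    results = summarize(SAMPLE_EVENTS, SAMPLE_ROSTER)
    print("Campaign  ViewedOnly  %      Clicked  %      Employees")
    for campaign, s in sorted(results.items()):
        print(f"{campaign:<9} {s.viewed_only:<11} {s.viewed_only_pct:<6} "
              f"{s.clicked:<8} {s.clicked_pct:<6} {s.employees}")
    print("click-rate reduction, campaign 1 -> 3:", click_rate_reduction(results, 1, 3), "%")
```

Two design choices matter when reading numbers like these: a clicker is removed from the "viewed only" column so the two columns are disjoint, and the denominator is the whole roster, so people who never opened the message still count as not having fallen for it.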
21.
[Bar chart of the campaign data: Campaign 1 to Campaign 3 on the vertical axis, number of employees (0 to 40) on the horizontal axis, two series: "Viewed Email Only" and "Viewed Email and Clicked Link"]
22.
Case Study 2
Tested with over 500 people over a month
1 simulated phish at beginning of month,
testing done at end of month
About 50% reduction in falling for phish
68 out of 85 surveyed said they would recommend continuing
this sort of training in the future
“I really liked the idea of sending [organization] fake
phishing emails and then saying to them, essentially, HEY!
You could've just gotten scammed! You should
be more careful -- here's how....”
23.
Micro-Games for Cyber Security
Training doesn’t have to be boring
Training doesn’t have to take long either
Micro-game format: play for a short time
Two-thirds of Americans played
a video game in past six months
Not just young people
Average game player 35 years old
25% of people over 50 play games
Not just males
40% are women (casual games)
24.
Case Study 3
Tested Anti-Phishing Phil micro game with ~4500 people
Huge improvement by novices in identifying phishing URLs
Also dramatically lowered false positives
25.
False negatives for users who played Anti-Phishing Phil (“game condition”). False negatives are
situations where people incorrectly label a phishing site as legitimate. Novices saw the greatest
reduction in false negatives, and retained what they had learned.
26.
False positives for users who played the Anti-Phishing Phil game. False positives are situations
where people incorrectly label a legitimate site as phishing. Again, novices saw the greatest
improvement in reducing false positives, and retained what they had learned.
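The two captions above define the error metrics behind the Anti-Phishing Phil evaluation. As an added example, not the study's own analysis code or data, here is a Python scoring routine that computes false negative and false positive rates per group and phase from URL judgments, and reports the pre-to-post change for both error types together, since a training that only makes people more suspicious lowers false negatives while raising false positives. The judgment row format, the make_judgments helper and SAMPLE_JUDGMENTS are constructed assumptions.

```python
from collections import defaultdict

PHISH, LEGIT = "phishing", "legitimate"


def make_judgments(condition, phase, phish_shown, missed, legit_shown, flagged):
    """Build constructed judgment rows: (condition, phase, true_label, user_label).

    `missed` phishing sites are labelled legitimate (false negatives) and
    `flagged` legitimate sites are labelled phishing (false positives).
    """
    rows = []
    for i in range(phish_shown):
        rows.append((condition, phase, PHISH, LEGIT if i < missed else PHISH))
    for i in range(legit_shown):
        rows.append((condition, phase, LEGIT, PHISH if i < flagged else LEGIT))
    return rows


# Constructed sample: 5 phishing and 5 legitimate URLs judged before and after
# training by a "game" group and a "control" group. Invented numbers, not study data.
SAMPLE_JUDGMENTS = (
    make_judgments("game", "pre", 5, 3, 5, 2)
    + make_judgments("game", "post", 5, 1, 5, 1)
    + make_judgments("control", "pre", 5, 3, 5, 2)
    + make_judgments("control", "post", 5, 3, 5, 3)
)


def error_rates(judgments):
    """Return {(condition, phase): {"fn_rate": float, "fp_rate": float}}.

    fn_rate = phishing sites labelled legitimate / phishing sites shown
    fp_rate = legitimate sites labelled phishing / legitimate sites shown
    A rate is None when that class of site was never shown to the group.
    """
    tally = defaultdict(lambda: {"phish": 0, "fn": 0, "legit": 0, "fp": 0})
    for condition, phase, truth, given in judgments:
        t = tally[(condition, phase)]
        if truth == PHISH:
            t["phish"] += 1
            if given == LEGIT:
                t["fn"] += 1
        elif truth == LEGIT:
            t["legit"] += 1
            if given == PHISH:
                t["fp"] += 1
        else:
            raise ValueError(f"unknown true label {truth!r}")

    def rate(num, den):
        return round(num / den, 3) if den else None

    return {
        key: {"fn_rate": rate(t["fn"], t["phish"]), "fp_rate": rate(t["fp"], t["legit"])}
        for key, t in tally.items()
    }


def training_effect(rates, condition):
    """Change in (fn_rate, fp_rate) from pre to post for one condition.

    Negative numbers are improvements. A drop in fn_rate paired with a rise in
    fp_rate means people only became more suspicious, not better at telling
    phishing from legitimate sites.
    """
    pre, post = rates[(condition, "pre")], rates[(condition, "post")]
    return (round(post["fn_rate"] - pre["fn_rate"], 3),
            round(post["fp_rate"] - pre["fp_rate"], 3))


if __name__ == "__main__":
    rates = error_rates(SAMPLE_JUDGMENTS)
    for key in sorted(rates):
        print(key, rates[key])
    print("game:", training_effect(rates, "game"))
    print("control:", training_effect(rates, "control"))
```

In the constructed sample the game group improves on both metrics while the control group's false positive rate drifts upward, which is the pattern the two captions describe: the goal is fewer misses and fewer false alarms, not a shift from one to the other.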
27.
Summary
Phishing scams on the rise
Spear-phishing attacks are highly targeted phishing attacks
People are very susceptible to well-crafted phish
Today’s training can be boring and ineffective
Embedded training and micro games are an
effective alternative
28.
Thank you!
Thanks, PhishGuru.
Where can I learn
more?
Find more at
wombatsecurity.com
Anti-Phishing Phil white paper:
Cyber Security Training Game
Teaches People to Avoid Phishing
Attacks
PhishGuru white paper:
An Empirical Evaluation of
PhishGuru Training
Speaker notes

Image from BusinessWeek Apr 2008

San Jose, Calif.-based Cisco's annual security study found that spam is growing quickly — nearly 200 billion spam messages are now sent each day, double the volume in 2007 — and that targeted attacks are also rising sharply. More than 0.4% of all spam sent in September were targeted attacks, Cisco found. That might sound low, but since 90% of all e-mails sent worldwide are spam, this means 800 million messages a day are attempts at spear phishing. A year ago, targeted attacks with personalized messages were less than 0.1% of all spam.

http://wombatsecurity.com/file_download/6/PhishGuru%20White%20Paper.pdf
http://wombatsecurity.com/file_download/8/Anti-Phishing%20Phil%20whitepaper.pdf