Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010
DESCRIPTION
A webinar I gave in September 2010 about protecting organizations from phishing scams. This talk is based on our research at Carnegie Mellon University.
TRANSCRIPT
![Page 1: Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010](https://reader037.vdocuments.site/reader037/viewer/2022110115/54c793fa4a7959035f8b4582/html5/thumbnails/1.jpg)
Copyright © Wombat Security Technologies, Inc. 2008-2010
Jason Hong, PhD
Assoc. Prof, Carnegie Mellon University
CTO, Wombat Security Technologies
Protecting Organizations from Phishing Scams
![Page 2: Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010](https://reader037.vdocuments.site/reader037/viewer/2022110115/54c793fa4a7959035f8b4582/html5/thumbnails/2.jpg)
![Page 3: Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010](https://reader037.vdocuments.site/reader037/viewer/2022110115/54c793fa4a7959035f8b4582/html5/thumbnails/3.jpg)
300 million spear-phishing emails are sent each day
- Cisco 2008 Annual Security Report
![Page 4: Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010](https://reader037.vdocuments.site/reader037/viewer/2022110115/54c793fa4a7959035f8b4582/html5/thumbnails/4.jpg)
Phishing Attacks are Pervasive
Phishing is a social engineering attack
- Tricks users into sharing sensitive information or installing malware
- Used for identity theft, corporate espionage, and theft of national secrets
Circumvents today's security measures
- Targets the person behind the keyboard
- Works around encryption, two-factor authentication, and firewalls
- Password reuse exacerbates the problem: a security problem outside your perimeter (a breached third-party site where employees reused a password) can still affect you
![Page 5: Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010](https://reader037.vdocuments.site/reader037/viewer/2022110115/54c793fa4a7959035f8b4582/html5/thumbnails/5.jpg)
How Bad is Phishing?
- Estimated ~0.4% of Internet users per year fall for phishing attacks
- Estimated $1B+ direct losses to consumers per year
  - Bank accounts, credit card fraud
  - Doesn't include time wasted on recovery of funds, restoring computers, emotional uncertainty
- Growth rate of phishing is high
  - Over 45k reported unique phishing sites per month
  - Social networking sites now major targets
![Page 7: Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010](https://reader037.vdocuments.site/reader037/viewer/2022110115/54c793fa4a7959035f8b4582/html5/thumbnails/7.jpg)
How Bad is Phishing?
Direct damage
- Loss of sensitive customer data
- Loss of intellectual property
- Fraud
  - Attack on European carbon traders in early 2010: close to $5M stolen in a targeted phishing attack
Indirect damage can be high too
- Damage to reputation, lost sales, etc.
- Response costs (call centers, recovery)
  - One bank estimated costs of $1M per phishing attack
![Page 8: Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010](https://reader037.vdocuments.site/reader037/viewer/2022110115/54c793fa4a7959035f8b4582/html5/thumbnails/8.jpg)
Spear-Phishing Attacks Rising
Type #1 – Uses info about your organization
- This attack uses public information
- Not immediately obvious it is an attack
- Could be sent to military personnel at a base
- Our data suggests around 50% of people are likely to fall for a good spear-phishing attack
Example message: "General Clark is retiring next week, click here to say whether you can attend his retirement party"
![Page 9: Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010](https://reader037.vdocuments.site/reader037/viewer/2022110115/54c793fa4a7959035f8b4582/html5/thumbnails/9.jpg)
Spear-Phishing Attacks Rising
Type #2 – Uses info about you specifically
- Might use information from social networking sites, corporate directories, or publicly available data

> Thousands of high-ranking executives across the country have been receiving e-mail messages this week that appear to be official subpoenas from the United States District Court in San Diego. Each message includes the executive's name, company and phone number, and commands the recipient to appear before a grand jury in a civil case.
> -- New York Times, Apr 16, 2008
![Page 10: Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010](https://reader037.vdocuments.site/reader037/viewer/2022110115/54c793fa4a7959035f8b4582/html5/thumbnails/10.jpg)
Protecting Your Users from Phish
Make it invisible
- Email and web filters for your employees
- Takedown providers for your customers
Better user interfaces
- Better web browser interfaces
Train people
- Most overlooked aspect of protection
- More effective than people realize
![Page 11: Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010](https://reader037.vdocuments.site/reader037/viewer/2022110115/54c793fa4a7959035f8b4582/html5/thumbnails/11.jpg)
Problems with Traditional Security Training
All-day training sessions
- Major disruption to work, no chance to practice skills, not realistic because people aren't attacked in a classroom
People don't know they have a problem
- Can't go looking for the right information
Awareness campaigns don't help
- Telling people to watch out for phishing without teaching meaningful skills to detect attacks is useless
- Can also raise false positives (basically, raises paranoia)
Traditional training is boring
![Page 12: Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010](https://reader037.vdocuments.site/reader037/viewer/2022110115/54c793fa4a7959035f8b4582/html5/thumbnails/12.jpg)
Embedded Training
Use simulated phishing attacks to train people
- Teach people in the context in which they would be attacked
- If a person falls for a simulated phish, show an intervention explaining what just happened
- Creates a "teachable moment"
However, doing embedded training right is harder than it may seem
![Page 13: Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010](https://reader037.vdocuments.site/reader037/viewer/2022110115/54c793fa4a7959035f8b4582/html5/thumbnails/13.jpg)
Doing Embedded Training Right
Coordinating with the Right Groups
- US Dept of Justice sent a hoax phishing email, but didn't notify the entity they were impersonating
  - Wasted lots of time and energy shutting it down
  - Anxiety for many days about the safety of retirement plans
- One Air Force base sent a hoax phishing email about Transformers 3 wanting to recruit
  - Spread a fairly large Internet rumor about the movie
  - Wasted lots of time and energy addressing rumors
![Page 14: Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010](https://reader037.vdocuments.site/reader037/viewer/2022110115/54c793fa4a7959035f8b4582/html5/thumbnails/14.jpg)
Doing Embedded Training Right
Psychological Costs
- Indiana University researchers sent a hoax phishing email to students and staff
> "Some subjects called the experiment unethical, inappropriate, illegal, unprofessional, fraudulent, self-serving, and/or useless."
> "They called for the researchers … to be fired, prosecuted, expelled, or otherwise reprimanded."
> "These reactions highlight that phishing not only has the potential monetary costs associated with identity theft, but also a significant psychological cost to victims."
![Page 15: Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010](https://reader037.vdocuments.site/reader037/viewer/2022110115/54c793fa4a7959035f8b4582/html5/thumbnails/15.jpg)
Embedded Training with PhishGuru
Key differences:
- Offer people immediate feedback and benefit (training)
- Do so in a fun, engaging, and memorable format
Key to effective training is learning science
- Examines learning, retention, and transfer of skills
- Example principles: learning by doing, immediate feedback, conceptual-procedural, personalization, story-based agents, reflection
![Page 16: Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010](https://reader037.vdocuments.site/reader037/viewer/2022110115/54c793fa4a7959035f8b4582/html5/thumbnails/16.jpg)
![Page 17: Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010](https://reader037.vdocuments.site/reader037/viewer/2022110115/54c793fa4a7959035f8b4582/html5/thumbnails/17.jpg)
Case Study #1
- Canadian healthcare organization
- Three-month embedded training campaign
- 190 employees
- Security assessment and effective training in context
![Page 18: Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010](https://reader037.vdocuments.site/reader037/viewer/2022110115/54c793fa4a7959035f8b4582/html5/thumbnails/18.jpg)
Simulated Phishing Email
![Page 19: Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010](https://reader037.vdocuments.site/reader037/viewer/2022110115/54c793fa4a7959035f8b4582/html5/thumbnails/19.jpg)
Case Study
![Page 20: Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010](https://reader037.vdocuments.site/reader037/viewer/2022110115/54c793fa4a7959035f8b4582/html5/thumbnails/20.jpg)
Measurable Reduction in Falling for Phish

| Campaign | Viewed Email Only (count) | Viewed Email Only (% of employees) | Viewed Email and Clicked Link (count) | Viewed Email and Clicked Link (% of employees) | Employees |
|---|---|---|---|---|---|
| Campaign 1 | 20 | 10.53% | 35 | 18.42% | 190 |
| Campaign 2 | 37 | 19.47% | 23 | 12.11% | 190 |
| Campaign 3 | 7 | 3.70% | 10 | 5.29% | 189 |
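As an added example (not PhishGuru's reporting code), the following Python computes a per-campaign breakdown of the kind shown in the table from a constructed event log. The employee list, event names and log lines are assumptions made up for illustration. What it shows beyond the table is how the buckets have to be defined for the numbers to be comparable across campaigns: a click implies a view, so clickers are not also counted as "viewed only", a click recorded without a view (images blocked in the mail client) still counts as a click, and every rate is taken over all recipients rather than only those who opened the message.

```python
"""Per-campaign metrics for an embedded-training run, computed from a
constructed event log. Added example; not PhishGuru's own reporting code."""
from collections import defaultdict

# Constructed event log (assumption, not data from the study): campaign, employee, event.
# 'viewed' = opened the simulated phish; 'clicked' = followed its link, which is
# where the training intervention would be shown.
EVENT_LOG = """\
1,alice,viewed
1,alice,clicked
1,bob,viewed
1,carol,viewed
1,carol,clicked
1,dave,viewed
2,alice,viewed
2,bob,viewed
2,bob,clicked
2,carol,viewed
3,dave,viewed
3,erin,clicked
"""

# Everyone who received each campaign's message (assumption for the example).
EMPLOYEES = ["alice", "bob", "carol", "dave", "erin"]


def pct(count, total):
    """Percentage of recipients, rounded as on the slide (20 of 190 -> 10.53)."""
    return round(100.0 * count / total, 2) if total else 0.0


def parse_events(text):
    """-> {campaign: {employee: set of event names}}"""
    events = defaultdict(lambda: defaultdict(set))
    for line in text.strip().splitlines():
        campaign, who, what = line.split(",")
        events[int(campaign)][who].add(what)
    return events


def campaign_metrics(events, employees):
    """Split each campaign's recipients into mutually exclusive buckets:
    clicked (a view is implied, and a click without a view event still counts)
    > viewed_only > no action. Rates are over all recipients."""
    out = {}
    for campaign in sorted(events):
        per_user = events[campaign]
        clicked = sum(1 for e in employees if "clicked" in per_user.get(e, set()))
        viewed_only = sum(1 for e in employees if per_user.get(e, set()) == {"viewed"})
        n = len(employees)
        out[campaign] = {
            "employees": n,
            "viewed_only": viewed_only,
            "viewed_only_pct": pct(viewed_only, n),
            "clicked": clicked,
            "clicked_pct": pct(clicked, n),
        }
    return out


def relative_reduction(metrics, first, last, key="clicked_pct"):
    """Percent drop in a rate between two campaigns (the slides' 'about 50% reduction')."""
    a, b = metrics[first][key], metrics[last][key]
    return round(100.0 * (a - b) / a, 1) if a else 0.0


if __name__ == "__main__":
    m = campaign_metrics(parse_events(EVENT_LOG), EMPLOYEES)
    for c, row in m.items():
        print(f"Campaign {c}: viewed only {row['viewed_only']} ({row['viewed_only_pct']}%), "
              f"clicked {row['clicked']} ({row['clicked_pct']}%) of {row['employees']}")
    print("click-rate reduction campaign 1 -> 2:", relative_reduction(m, 1, 2), "%")
```

Because recipients who never opened the message are still in the denominator, a campaign whose lure was simply less attractive shows up as a lower "viewed only" rate, not as an improvement in click rate; compare the click rate, and keep the recipient list fixed across campaigns where you can.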
![Page 21: Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010](https://reader037.vdocuments.site/reader037/viewer/2022110115/54c793fa4a7959035f8b4582/html5/thumbnails/21.jpg)
Chart: horizontal bar chart of the counts in the table above, one pair of bars per campaign (Campaign 1, 2, 3), series "Viewed Email and Clicked Link" and "Viewed Email Only", x-axis 0 to 40.
![Page 22: Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010](https://reader037.vdocuments.site/reader037/viewer/2022110115/54c793fa4a7959035f8b4582/html5/thumbnails/22.jpg)
Case Study 2
- Tested with over 500 people over a month
- 1 simulated phish at the beginning of the month, testing done at the end of the month
- About 50% reduction in falling for phish
- 68 out of 85 surveyed said they recommend continuing this sort of training in the future
> "I really liked the idea of sending [organization] fake phishing emails and then saying to them, essentially, HEY! You could've just gotten scammed! You should be more careful -- here's how...."
![Page 23: Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010](https://reader037.vdocuments.site/reader037/viewer/2022110115/54c793fa4a7959035f8b4582/html5/thumbnails/23.jpg)
Micro-Games for Cyber Security
- Training doesn't have to be boring
- Training doesn't have to take long either
  - Micro-game format, play for a short time
- Two-thirds of Americans played a video game in the past six months
- Not just young people
  - Average game player is 35 years old
  - 25% of people over 50 play games
- Not just males
  - 40% are women (casual games)
![Page 24: Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010](https://reader037.vdocuments.site/reader037/viewer/2022110115/54c793fa4a7959035f8b4582/html5/thumbnails/24.jpg)
Case Study 3
- Tested the Anti-Phishing Phil micro game with ~4500 people
- Huge improvement by novices in identifying phishing URLs
- Also dramatically lowered false positives
![Page 25: Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010](https://reader037.vdocuments.site/reader037/viewer/2022110115/54c793fa4a7959035f8b4582/html5/thumbnails/25.jpg)
False negatives for users who played Anti-Phishing Phil (“game condition”). False negatives are situations where people incorrectly label a phishing site as legitimate. Novices saw the greatest reduction in false negatives, and retained what they had learned.
![Page 26: Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010](https://reader037.vdocuments.site/reader037/viewer/2022110115/54c793fa4a7959035f8b4582/html5/thumbnails/26.jpg)
False positives for users who played the Anti-Phishing Phil game. False positives are situations where people incorrectly label a legitimate site as phishing. Again, novices saw the greatest improvement in reducing false positives, and retained what they had learned.
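The skill Anti-Phishing Phil drills is reading the real domain out of a URL rather than reacting to a brand name that appears somewhere in it. As an added example, not the game's code or Wombat's, here is a small Python checker that applies those rules (bare IP hosts, userinfo before '@' that hides the real host, brand names outside the registrable domain, digit-for-letter look-alikes) and then scores itself on a constructed, labelled set of URLs using the false-negative and false-positive definitions given above. The brand allow-list and the sample URLs are assumptions made up for this example; the last sample is a legitimate page that merely mentions a brand in its path, and it shows how a crude "brand keyword anywhere" rule produces exactly the false positives the slides say training has to avoid.

```python
"""Heuristic phishing-URL check plus false-negative / false-positive scoring.
Added example; not Anti-Phishing Phil's code. Brand list and samples are constructed."""
from urllib.parse import urlsplit
import ipaddress

# Constructed allow-list (assumption): brand keyword -> registrable domains that belong to it.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "ebay": {"ebay.com"},
    "citibank": {"citibank.com", "citi.com"},
}

# Digit-for-letter substitutions commonly used to build look-alike domains.
LOOKALIKE_MAP = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def registrable_domain(host):
    """Last two labels of the host. Adequate for .com-style names; production code
    should consult the Public Suffix List so 'example.co.uk' is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url):
    """Return ('phish' | 'legit', reason). The order mirrors how the game teaches
    reading a URL: find the real host, then check whose domain it actually is."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return "phish", "no host in URL"
    if parts.username is not None:
        # http://paypal.com@evil.example/ : text before '@' is userinfo, not the host
        return "phish", "userinfo before '@' hides the real host " + host
    try:
        ipaddress.ip_address(host)
        return "phish", "host is a bare IP address"
    except ValueError:
        pass
    domain = registrable_domain(host)
    for brand, good_domains in BRAND_DOMAINS.items():
        if domain in good_domains:
            return "legit", f"domain {domain} belongs to {brand}"
    haystack = host + parts.path.lower()
    for brand, good_domains in BRAND_DOMAINS.items():
        if domain.translate(LOOKALIKE_MAP) in good_domains:
            return "phish", f"look-alike of {brand}: {domain}"
        if brand in haystack:
            # Brand keyword in a subdomain or path, but the registrable domain is someone else's
            return "phish", f"'{brand}' appears outside the real domain {domain}"
    return "legit", f"no known brand impersonated; real domain is {domain}"


def score(samples):
    """samples: iterable of (url, true_label). Counts false negatives (a phishing URL
    called legit) and false positives (a legitimate URL called phish), as defined
    on the slides."""
    counts = {"n": 0, "false_negatives": 0, "false_positives": 0}
    for url, truth in samples:
        counts["n"] += 1
        verdict, _ = classify(url)
        if truth == "phish" and verdict == "legit":
            counts["false_negatives"] += 1
        elif truth == "legit" and verdict == "phish":
            counts["false_positives"] += 1
    return counts


# Constructed, labelled sample set (assumption; not data from the study).
SAMPLES = [
    ("https://www.paypal.com/signin", "legit"),
    ("https://signin.ebay.com/ws/eBayISAPI.dll", "legit"),
    ("https://online.citi.com/US/login", "legit"),
    ("http://www.paypal.com.account-verify.example/login", "phish"),
    ("http://paypal.com@203.0.113.7/", "phish"),
    ("http://203.0.113.7/ebay/update.php", "phish"),
    ("http://www.paypa1.com/cgi-bin/webscr", "phish"),
    ("http://secure-citibank.example/", "phish"),
    ("https://www.example.org/paypal-fees-explained", "legit"),  # mentions a brand, is not phishing
]

if __name__ == "__main__":
    for url, truth in SAMPLES:
        verdict, why = classify(url)
        print(f"{'OK ' if verdict == truth else 'BAD'} {verdict:5} {url}  ({why})")
    print(score(SAMPLES))
```

Running it gives no false negatives and one false positive on the sample set, the blog page that mentions "paypal" in its path. That is the trade-off the slides measure from the human side: a rule (or a person) tuned only to catch phish raises alarms on legitimate pages, which is the "paranoia" the training is also meant to reduce.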
![Page 27: Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010](https://reader037.vdocuments.site/reader037/viewer/2022110115/54c793fa4a7959035f8b4582/html5/thumbnails/27.jpg)
Summary
- Phishing scams on the rise
- Spear-phishing attacks are highly targeted phishing attacks
- People are very susceptible to well-crafted phish
- Today's training can be boring and ineffective
- Embedded training and micro games are an effective alternative
![Page 28: Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010](https://reader037.vdocuments.site/reader037/viewer/2022110115/54c793fa4a7959035f8b4582/html5/thumbnails/28.jpg)
Thank you!
"Thanks, PhishGuru. Where can I learn more?"
Find more at wombatsecurity.com
- Anti-Phishing Phil white paper: Cyber Security Training Game Teaches People to Avoid Phishing Attacks
- PhishGuru white paper: An Empirical Evaluation of PhishGuru Training