Protecting Organizations from Phishing Scams, for RSA Webinar in Sep2010

Copyright © Wombat Security Technologies, Inc. 2008-2010
Jason Hong, PhD
Assoc. Prof, Carnegie Mellon University
CTO, Wombat Security Technologies
Protecting Organizations
from Phishing Scams

300 million spear phishing
emails are sent each day
-Cisco 2008 Annual Security Report

Phishing Attacks are Pervasive
Phishing is a social engineering attack
Tricks users into sharing sensitive information
or installing malware
Used for identity theft, corporate espionage,
and theft of national secrets
Circumvents today’s security measures
Targets the person behind the keyboard
Works around encryption, two-factor, firewalls
Password reuse exacerbates problem, security
problem outside your perimeter can still affect you

How Bad is Phishing?
Estimated ~0.4% of Internet users per year
fall for phishing attacks
Estimated $1B+ direct losses to consumers per year
Bank accounts, credit card fraud
Doesn’t include time wasted on recovery of funds,
restoring computers, emotional uncertainty
Growth rate of phishing is high
Over 45k+ reported unique sites / month
Social networking sites now major targets

Direct damage
Loss of sensitive customer data

Direct damage
Loss of sensitive customer data
Loss of intellectual property
Fraud
Attack on European carbon traders in early 2010,
close to $5m stolen in targeted phishing attack
Indirect damage can be high too
Damage to reputation, lost sales, etc
Response costs (call centers, recovery)
One bank estimated costs of $1M per phishing attack

Spear-Phishing Attacks Rising
Type #1 – Uses info about your organization
This attack uses public information
Not immediately obvious it is an attack
Could be sent to military personnel at a base
Our data suggests around 50% of people
likely to fall for a good spear-phishing attack
General Clark is retiring next week,
click here to say whether you can
attend his retirement party

Spear-Phishing Attacks Rising
Type #2 – Uses info about you specifically
Might use information from social networking sites,
corporate directories, or publicly available data
Thousands of high-ranking executives across the
country have been receiving e-mail messages this
week that appear to be official subpoenas from the
United States District Court in San Diego. Each
message includes the executive’s name, company
and phone number, and commands the recipient to
appear before a grand jury in a civil case.
-- New York Times Apr16 2008

Protecting Your Users from Phish
Make it invisible
Email and web filters for your employees
Takedown providers for your customers
Better user interfaces
Better web browser interfaces
Train people
Most overlooked aspect of protection
More effective than people realize

Problems with Traditional Security Training
All-day training sessions
Major disruption to work, no chance to practice skills,
not realistic b/c people aren’t attacked in a classroom
People don’t know they have a problem
Can’t go looking for the right information
Awareness campaigns don’t help
Telling people to watch out for phishing without
teaching meaningful skills to detect attacks is useless
Can also raise false positives (basically, raises
paranoia)
Traditional training is boring

Embedded Training
Use simulated phishing attacks to train people
Teach people in the context they would be attacked
If a person falls for simulated phish, then show
intervention as to what just happened
Creates a “teachable moment”
However, doing embedded training right is
harder than it may seem

Doing Embedded Training Right
Coordinating with Right Groups
US Dept of Justice sent hoax phishing email, but
didn’t notify the entity they were impersonating
Wasted lots of time and energy shutting it down
Anxiety for many days about safety of retirement
plans
One Air Force Base sent hoax phishing email
about Transformers 3 wanting to recruit
Spread a fairly large Internet rumor about the movie
Wasted lots of time and energy addressing rumors

Doing Embedded Training Right
Psychological Costs
University of Indiana researchers sent hoax
phishing email to students and staff
“Some subjects called the experiment unethical,
inappropriate, illegal, unprofessional, fraudulent,
self-serving, and/or useless.”
“They called for the researchers … to be fired,
prosecuted, expelled, or otherwise reprimanded.”
“These reactions highlight that phishing not only has the
potential monetary costs associated with identity theft,
but also a significant psychological cost to victims.”

Embedded Training with PhishGuru
Key differences:
Offer people immediate feedback and benefit (training)
Do so in fun, engaging, and memorable format
Key to effective training is learning science
Examines learning, retention, and transfer of skills
Example principles
Learning by doing
Immediate feedback
Conceptual-procedural
Personalization
Story-based agents
Reflection

Case Study #1
Canadian healthcare organization
Three-month embedded training campaign
190 employees
Security assessment and effective training in context

Simulated Phishing Email

Case Study

Measurable Reduction in Falling for Phish
Viewed
Email
Only %
Viewed
Email and
Clicked Link % Employees
Campaign 1 20 10.53% 35 18.42% 190
Campaign 2 37 19.47% 23 12.11% 190
Campaign 3 7 3.70% 10 5.29% 189

0 10 20 30 40
Campaign3
Campaign2
Campaign1
ViewedEmail and Clicked
Link
ViewedEmail Only

Case Study 2
Tested with over 500 people over a month
1 simulated phish at beginning of month,
testing done at end of month
About 50% reduction in falling for phish
68 out of 85 surveyed said they recommend continuing
doing this sort of training in the future
“I really liked the idea of sending [organization] fake
phishing emails and then saying to them, essentially, HEY!
You could've just gotten scammed! You should
be more careful -- here's how....”

Micro-Games for Cyber Security
Training doesn’t have to be boring
Training doesn’t have to take long either
Micro game format, play for short time
Two-thirds of Americans played
a video game in past six months
Not just young people
Average game player 35 years old
25% of people over 50 play games
Not just males
40% are women (casual games)

Case Study 3
Tested Anti-Phishing Phil micro game with ~4500 people
Huge improvement by novices in identifying phishing URLs
Also dramatically lowered false positives

False negatives for users who played Anti-Phishing Phil (“game condition”). False negatives are
situations where people incorrectly label a phishing site as legitimate. Novices saw the greatest
reduction in false negatives, and retained what they had learned.

False positives for users who played the Anti-Phishing Phil game. False positives are situations
where people incorrectly label a legitimate site as phishing. Again, novices saw the greatest
improvement in reducing false positives, and retained what they had learned.

Summary
Phishing scams on the rise
Spear-phishing are highly targeted phishing attacks
People are very susceptible to well-crafted phish
Today’s training can be boring and ineffective
Embedded training and micro games are an
effective alternative

Thank you!
Thanks, PhishGuru.
Where can I learn
more?
Find more at
wombatsecurity.com
Anti-Phishing Phil white paper:
Cyber Security Training Game
Teaches People to Avoid Phishing
Attacks
PhishGuru white paper:
An Empirical Evaluation of
PhishGuru Training

Protecting Organizations from Phishing Scams, for RSA Webinar in Sep2010

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Destacado

Destacado (7)

Similar a Protecting Organizations from Phishing Scams, for RSA Webinar in Sep2010

Similar a Protecting Organizations from Phishing Scams, for RSA Webinar in Sep2010 (20)

Último

Último (20)

Protecting Organizations from Phishing Scams, for RSA Webinar in Sep2010

Notas del editor