Organizational Phishing Education
Nicholas Davis, CISA, CISSP
November 15, 2016
Overview
• Phishing background
• Threat to IT within universities
• Phishing education
• Tricks employed
• Sample educational phishing emails sent
• Spotting the phish, after the click
• Q&A
05/02/2023 2
Phishing Defined
Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication, usually email.
Why Phishing Is Such a Threat
• IT infrastructure is designed to protect the campus's computing assets with many technical controls
• Because of this, attackers pursue access via alternate means, often choosing to exploit the human factor
Your Password Is the Key to the Kingdom
If an attacker can persuade you to give them your password, they can evade all the controls put in place to protect sensitive systems.
Higher Education Proprietary Research Interests Phishers
Consider the value of an organization’s intellectual property
I am Too Smart to Fall For a Trick Like Phishing
Most large organizations have a phishing participation rate of around 10%. This rises when the population becomes the subject of spear phishing, which is phishing email designed specifically for the recipient.
Phishing Relies Upon Social Engineering
The practice of deceiving someone, either in person, over the phone, or using a computer, with the express intent of breaching some level of security either personal or professional. Social engineering techniques are considered con games which are performed by con artists. The targets of social engineering may never realize they have been victimized.
Tricks Used By Expert Phishers
Socially Aware: Mining of information about the target from publicly available resources, such as Facebook, property records, or even CCAP
Context Aware: Making reference to an activity you are likely to engage in, such as Amazon.com or a UPS package receipt
Specific Examples of Complex Phishing Attempts
• Baiting: Placing a USB flash drive or CD, with malware on it, in a public place
• QR Code Curiosity: Embedding malicious code within a QR code, on a printout posted to a community bulletin board
• Out of Office, Out of Control: Taking advantage of an autoresponder, leveraging specific knowledge to exploit co-workers
What Would Happen If You Received This Email? (two sample phishing emails were shown as images on these slides)
Tips To Spot Social Engineering Within a Phishing Attempt
• Asks you to verify a sensitive piece of information
• A sense of urgency is implied in the message
• An overt or implied threat may be present
• Flattery is used to get you to drop your guard
• Use, and sometimes overuse, of organizational knowledge is employed
• A bribe or reward for your “help” may be offered
Spotting the Phish After the Click
• Website address looks odd or incorrect
• IP address shows in address bar
• Multiple pop-ups appear on top of legitimate website window
• Website contains spelling or grammar errors
• No SSL lock is present on what should be a secure site
Can You Spot the Issue Here? (screenshot shown as an image on this slide)
How Can You Protect Yourself?
• Try to remember that lurking behind every innocent-looking email could be a giant shark waiting to make its move. This is true whether it's work or personal email, so you must treat every email with a basic level of caution.
Protect Your Information
• Do not send sensitive information such as bank details, social security number, etc. over email. If you really need to, make sure you know who you are sending it to and start a new email rather than replying to a thread. Check the email address carefully.
Check the Address
• Be mindful of who is emailing you. Check email addresses for accuracy and look for signs of suspicious activity, for example if an email is not in the format you'd expect or a name appears to be spelt incorrectly. Email addresses made up of seemingly random combinations of letters and numbers may also be suspicious.
Don’t Click on Links
• Hover over links WITHOUT CLICKING — the destination will show in the bottom left of your screen and you can see whether it looks right. If in doubt, Google the address you need rather than clicking on a link.
Don’t Open Suspicious Attachments
• Treat any attachment that you didn't request as highly suspect. Contact your organizational help desk if you're not sure whether it's safe and they will check it out for you.
If In Doubt, Contact Your Help Desk
• If in doubt, email your organizational Help Desk. They will let you know whether something is safe to open or click on. It's better to be safe than sorry.
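The checks in "Spotting the Phish After the Click" and "Check the Address" above (hover to see the real destination, an IP address in the address bar, no SSL lock, a sender address on the wrong domain or made of random letters and numbers) can be written down as a small screening helper a help desk could run over a reported message. This is an added example, not part of the slides; link_warnings and sender_warnings are hypothetical names, and every address, link and domain in it is constructed.

```python
import re
from urllib.parse import urlparse

# Hypothetical helpers (link_warnings, sender_warnings); all inputs used below are constructed.
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def link_warnings(display_text: str, href: str) -> list:
    """Return the warning signs from the slides that apply to one hyperlink.

    display_text is what the email shows; href is where hovering says it really goes.
    """
    warnings = []
    dest = urlparse(href)
    host = (dest.hostname or "").lower()
    if dest.scheme != "https":
        warnings.append("no SSL lock: destination is not HTTPS")
    if IPV4_RE.match(host):
        warnings.append("IP address shows in the address bar")
    # If the visible text itself looks like a web address, compare it with the real target.
    shown = urlparse(display_text if "://" in display_text else "//" + display_text)
    shown_host = (shown.hostname or "").lower()
    if "." in shown_host and shown_host != host:
        warnings.append(f"link text says {shown_host} but destination is {host or href}")
    return warnings


def sender_warnings(from_addr: str, expected_domain: str) -> list:
    """Flag a From: address that is not on the expected domain or looks like random characters."""
    warnings = []
    local, _, domain = from_addr.lower().partition("@")
    if domain != expected_domain.lower():
        warnings.append(f"sender domain {domain!r} is not {expected_domain!r}")
    # Letters and digits interleaved several times with no separators reads as random,
    # while a normal handle with a trailing year (jsmith2024) is left alone.
    if len(local) >= 8 and len(re.findall(r"[a-z]\d|\d[a-z]", local)) >= 3 and not re.search(r"[._-]", local):
        warnings.append("sender address looks like random letters and numbers")
    return warnings


if __name__ == "__main__":
    # Constructed samples: a lookalike link pointing at a raw IP, and a random-looking sender.
    for w in link_warnings("www.amazon.com/orders", "http://198.51.100.7/login"):
        print("link:", w)
    for w in sender_warnings("x7k2p9qz4m@example.org", "university.example"):
        print("sender:", w)
```

These are the same visual cues a person applies by hovering and reading the address bar; they do not replace asking the Help Desk when in doubt.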
Combat Phishing Attempts
• Never give away personal information, especially username and password
• Don’t let curiosity get the best of you
• Look for the tell-tale signs we have discussed today
• There are no situations which justify exceptions
• If something sounds too good to be true…
If You Think You Have Been Phished
• This stuff isn't complicated, but it is incredibly easy to get caught out by a well-crafted phishing campaign. If you should accidentally succumb to a phishing attempt, please do not feel ashamed or fearful. It can happen to everyone, eventually.
• In such a situation, the worst thing you can do is keep quiet. Instead, contact your organization’s Help Desk immediately. Your machine may have been infected with malware, or your user credentials may be compromised. The very best way to remedy such a situation is to contact the Help Desk.
• You should not be reprimanded or punished in any way when you come forward with information about potential phishing incidents. The Help Desk of your organization is there to assist, and to help triage the situation after a successful phish occurs.
Curiosity Killed the Cat!
Lack of Curiosity Killed the Phish!
Nicholas Davis, CISA, CISSP
Chief Information Security Officer
University of Wisconsin System