Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010


Upload: jason-hong

Post on 27-Jan-2015


DESCRIPTION

A webinar I gave in September 2010 about protecting organizations from phishing scams. This talk is based on our research at Carnegie Mellon University.

TRANSCRIPT

Page 1: Protecting Organizations from Phishing Scams, RSA Webinar on Sep 2010

Copyright © Wombat Security Technologies, Inc. 2008-2010

Jason Hong, PhD
Assoc. Prof, Carnegie Mellon University

CTO, Wombat Security Technologies

Protecting Organizations from Phishing Scams

Page 2

Page 3

300 million spear phishing emails are sent each day
- Cisco 2008 Annual Security Report

Page 4

Phishing Attacks are Pervasive
- Phishing is a social engineering attack
  - Tricks users into sharing sensitive information or installing malware
  - Used for identity theft, corporate espionage, and theft of national secrets
- Circumvents today's security measures
  - Targets the person behind the keyboard
  - Works around encryption, two-factor, firewalls
  - Password reuse exacerbates the problem: a security problem outside your perimeter can still affect you

Page 5

How Bad is Phishing?
- Estimated ~0.4% of Internet users per year fall for phishing attacks
- Estimated $1B+ direct losses to consumers per year
  - Bank accounts, credit card fraud
  - Doesn't include time wasted on recovery of funds, restoring computers, emotional uncertainty
- Growth rate of phishing is high
  - Over 45k+ reported unique sites / month
  - Social networking sites now major targets

Page 6

How Bad is Phishing?
- Direct damage
  - Loss of sensitive customer data

Page 7

How Bad is Phishing?
- Direct damage
  - Loss of sensitive customer data
  - Loss of intellectual property
  - Fraud: attack on European carbon traders in early 2010, close to $5m stolen in a targeted phishing attack
- Indirect damage can be high too
  - Damage to reputation, lost sales, etc.
  - Response costs (call centers, recovery)
  - One bank estimated costs of $1M per phishing attack

Page 8

Spear-Phishing Attacks Rising
- Type #1: uses info about your organization
  - This attack uses public information
  - Not immediately obvious it is an attack
  - Could be sent to military personnel at a base
- Our data suggests around 50% of people are likely to fall for a good spear-phishing attack

Example message: "General Clark is retiring next week, click here to say whether you can attend his retirement party"

Page 9

Spear-Phishing Attacks Rising
- Type #2: uses info about you specifically
  - Might use information from social networking sites, corporate directories, or publicly available data

"Thousands of high-ranking executives across the country have been receiving e-mail messages this week that appear to be official subpoenas from the United States District Court in San Diego. Each message includes the executive's name, company and phone number, and commands the recipient to appear before a grand jury in a civil case."

-- New York Times, Apr 16, 2008

Page 10

Protecting Your Users from Phish
- Make it invisible
  - Email and web filters for your employees
  - Takedown providers for your customers
- Better user interfaces
  - Better web browser interfaces
- Train people
  - Most overlooked aspect of protection
  - More effective than people realize

Page 11

Problems with Traditional Security Training
- All-day training sessions
  - Major disruption to work, no chance to practice skills, not realistic because people aren't attacked in a classroom
- People don't know they have a problem
  - Can't go looking for the right information
- Awareness campaigns don't help
  - Telling people to watch out for phishing without teaching meaningful skills to detect attacks is useless
  - Can also raise false positives (basically, raises paranoia)
- Traditional training is boring

Page 12

Embedded Training
- Use simulated phishing attacks to train people
  - Teach people in the context in which they would be attacked
  - If a person falls for a simulated phish, then show an intervention explaining what just happened
  - Creates a "teachable moment"
- However, doing embedded training right is harder than it may seem

Page 13

Doing Embedded Training Right: Coordinating with the Right Groups
- US Dept of Justice sent a hoax phishing email, but didn't notify the entity they were impersonating
  - Wasted lots of time and energy shutting it down
  - Anxiety for many days about the safety of retirement plans
- One Air Force Base sent a hoax phishing email about Transformers 3 wanting to recruit
  - Spread a fairly large Internet rumor about the movie
  - Wasted lots of time and energy addressing rumors

Page 14

Doing Embedded Training Right: Psychological Costs
- University of Indiana researchers sent a hoax phishing email to students and staff

"Some subjects called the experiment unethical, inappropriate, illegal, unprofessional, fraudulent, self-serving, and/or useless."

"They called for the researchers ... to be fired, prosecuted, expelled, or otherwise reprimanded."

"These reactions highlight that phishing not only has the potential monetary costs associated with identity theft, but also a significant psychological cost to victims."

Page 15

Embedded Training with PhishGuru
- Key differences:
  - Offer people immediate feedback and benefit (training)
  - Do so in a fun, engaging, and memorable format
- Key to effective training is learning science
  - Examines learning, retention, and transfer of skills
- Example principles: learning by doing, immediate feedback, conceptual-procedural, personalization, story-based agents, reflection

Page 16

Page 17

Case Study #1
- Canadian healthcare organization
- Three-month embedded training campaign
- 190 employees
- Security assessment and effective training in context

Page 18

Simulated Phishing Email

Page 19

Case Study

Page 20

Measurable Reduction in Falling for Phish

Campaign     Viewed Email Only   %        Viewed Email and Clicked Link   %        Employees
Campaign 1   20                  10.53%   35                              18.42%   190
Campaign 2   37                  19.47%   23                              12.11%   190
Campaign 3   7                   3.70%    10                              5.29%    189
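The percentages in the table are per-campaign rates over the employees who received the simulated phish. The following is an added example, not code from the webinar or from PhishGuru, that recomputes those rates from the table's counts and derives the relative drop in click rate between campaigns, which is the number a defender trends across a training programme. The `Campaign` type and helper names are this example's own.

```python
"""Recompute the Case Study #1 campaign metrics from the slide's counts.

Added example (not from the webinar or Wombat/PhishGuru code). The counts
are the ones in the "Measurable Reduction in Falling for Phish" table;
the dataclass and helper names are this example's own.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Campaign:
    name: str
    viewed_only: int   # opened the simulated phish but did not click
    clicked: int       # opened it and clicked the link
    employees: int     # everyone who received the simulated phish


# Counts from the Case Study #1 table (190, 190 and 189 employees).
CASE_STUDY_1 = [
    Campaign("Campaign 1", viewed_only=20, clicked=35, employees=190),
    Campaign("Campaign 2", viewed_only=37, clicked=23, employees=190),
    Campaign("Campaign 3", viewed_only=7, clicked=10, employees=189),
]


def rate(count: int, total: int) -> float:
    """Percentage of recipients, rounded to two decimals like the slide."""
    return round(100.0 * count / total, 2)


def campaign_rates(c: Campaign) -> dict:
    """Per-campaign rates; 'no_action' is everyone who neither viewed nor clicked."""
    no_action = c.employees - c.viewed_only - c.clicked
    return {
        "campaign": c.name,
        "viewed_only_pct": rate(c.viewed_only, c.employees),
        "clicked_pct": rate(c.clicked, c.employees),
        "no_action_pct": rate(no_action, c.employees),
    }


def relative_reduction(first: Campaign, last: Campaign) -> float:
    """Percentage drop in click rate from one campaign to a later one."""
    before = first.clicked / first.employees
    after = last.clicked / last.employees
    return round(100.0 * (1.0 - after / before), 1)


if __name__ == "__main__":
    for c in CASE_STUDY_1:
        print(campaign_rates(c))
    print("click-rate reduction, campaign 1 to 3:",
          relative_reduction(CASE_STUDY_1[0], CASE_STUDY_1[-1]), "%")
```

The click rate is the metric to trend: viewing the simulated email without clicking is not a failure, so Campaign 2's higher "viewed only" count alongside its lower click rate is consistent with people recognising the phish after opening it.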

Page 21

[Bar chart of the Case Study #1 results: "Viewed Email Only" and "Viewed Email and Clicked Link" counts for Campaign 1, Campaign 2 and Campaign 3, on a 0-40 axis.]

Page 22

Case Study 2
- Tested with over 500 people over a month
- 1 simulated phish at the beginning of the month, testing done at the end of the month
- About 50% reduction in falling for phish
- 68 out of 85 surveyed said they recommend continuing this sort of training in the future

"I really liked the idea of sending [organization] fake phishing emails and then saying to them, essentially, HEY! You could've just gotten scammed! You should be more careful -- here's how...."

Page 23

Micro-Games for Cyber Security
- Training doesn't have to be boring
- Training doesn't have to take long either
  - Micro game format, play for a short time
- Two-thirds of Americans played a video game in the past six months
  - Not just young people: average game player is 35 years old; 25% of people over 50 play games
  - Not just males: 40% are women (casual games)

Page 24

Case Study 3
- Tested the Anti-Phishing Phil micro game with ~4500 people
- Huge improvement by novices in identifying phishing URLs
- Also dramatically lowered false positives

Page 25

False negatives for users who played Anti-Phishing Phil ("game condition"). False negatives are situations where people incorrectly label a phishing site as legitimate. Novices saw the greatest reduction in false negatives, and retained what they had learned.

Page 26

False positives for users who played the Anti-Phishing Phil game. False positives are situations where people incorrectly label a legitimate site as phishing. Again, novices saw the greatest improvement in reducing false positives, and retained what they had learned.
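Pages 25 and 26 define the two error rates the study reports, and page 11 explains why both matter: awareness campaigns that only say "watch out" can push people toward labelling everything as phishing. The following is an added example, not code from the webinar or from the Anti-Phishing Phil game, that scores a participant's URL judgments against ground truth using exactly those definitions and reports the pre-to-post change. The judgment data is constructed for illustration and the function names are this example's own.

```python
"""Score URL judgments by the false-negative / false-positive definitions on
pages 25-26 of the deck.

Added example, not code from the webinar or the Anti-Phishing Phil game. The
judgment lists below are constructed for illustration. Definitions used:
  false negative = a phishing site the person labelled legitimate
  false positive = a legitimate site the person labelled phishing
"""
from typing import Iterable, Tuple

# (true class, participant's label), each "phish" or "legit".
Judgment = Tuple[str, str]


def error_rates(judgments: Iterable[Judgment]) -> dict:
    """False-negative rate over phishing sites and false-positive rate over
    legitimate sites, for one set of answers."""
    fn = fp = phish = legit = 0
    for truth, label in judgments:
        if truth == "phish":
            phish += 1
            if label == "legit":
                fn += 1          # phish judged legitimate: the costly miss
        elif truth == "legit":
            legit += 1
            if label == "phish":
                fp += 1          # legitimate judged phish: the "paranoia" error
        else:
            raise ValueError(f"unknown class {truth!r}")
    return {
        "false_negative_rate": fn / phish if phish else 0.0,
        "false_positive_rate": fp / legit if legit else 0.0,
    }


def improvement(before: Iterable[Judgment], after: Iterable[Judgment]) -> dict:
    """Absolute drop in each rate from the pre-test to the post-test."""
    b, a = error_rates(before), error_rates(after)
    return {k: round(b[k] - a[k], 3) for k in b}


# Constructed pre/post answers for one novice over 10 sites (5 phish, 5 legit).
PRE = [("phish", "legit"), ("phish", "legit"), ("phish", "legit"), ("phish", "phish"), ("phish", "legit"),
       ("legit", "phish"), ("legit", "phish"), ("legit", "legit"), ("legit", "legit"), ("legit", "legit")]
POST = [("phish", "phish"), ("phish", "phish"), ("phish", "legit"), ("phish", "phish"), ("phish", "phish"),
        ("legit", "legit"), ("legit", "legit"), ("legit", "legit"), ("legit", "phish"), ("legit", "legit")]

if __name__ == "__main__":
    print("pre :", error_rates(PRE))
    print("post:", error_rates(POST))
    print("drop:", improvement(PRE, POST))
```

Reporting the two rates separately is the point: a training that cut false negatives by teaching people to distrust every link would show up here as a rising false-positive rate, which is the outcome page 11 warns about.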

Page 27

Summary
- Phishing scams on the rise
- Spear-phishing attacks are highly targeted phishing attacks
- People are very susceptible to well-crafted phish
- Today's training can be boring and ineffective
- Embedded training and micro games are an effective alternative

Page 28

Thank you!

"Thanks, PhishGuru. Where can I learn more?"

Find more at wombatsecurity.com

Anti-Phishing Phil white paper: Cyber Security Training Game Teaches People to Avoid Phishing Attacks

PhishGuru white paper: An Empirical Evaluation of PhishGuru Training