An IT Security presentation I created for faculty and staff of the UW-Madison, School of Medicine, about how to recognize and defend against the threats of complex Phishing and Social Engineering, to protect sensitive digital information.
UW School of Medicine Social Engineering and Phishing Awareness
1. Free Powerpoint Templates
Phishing and Social Engineering Awareness
Nicholas Davis, CISA, CISSP
Security Architect
UW-Madison, Division of Information Technology
9-26-2013
2. Introduction
• Background
• Phishing and Social Engineering
• History
• Types
• Examples
• Detecting Fraudulent Email
• Defending Against Phishing Attacks
• Measured Phishing Awareness at DoIT
• Samples and Participation Rates
• Question and Answer Session
3. Social Engineering
The art of manipulating people into performing actions or divulging confidential information.
It is typically trickery or deception for the purpose of information gathering, fraud, or computer system access.
4. Phishing
• Deception
• Email
• Websites
• Facebook status updates
• Tweets
• Phishing, in the context of the healthcare working environment, is extremely dangerous
5. Phishing 1995
• Target: AOL users
• Account passwords = free online time
• Threat level: low
• Techniques: similar names, such as www.ao1.com for www.aol.com
6. Phishing 2001
Target: eBay and major banks
Credit card numbers and account numbers = money
Threat level: medium
Techniques: same as in 1995
7. Phishing 2007
Targets: PayPal, banks, eBay
Purpose: to steal bank accounts
Threat level: high
Techniques: browser vulnerabilities, link obfuscation
9. Looking In the Mirror
• Which types of sensitive information do you have access to?
• What about others who share the computer network with you?
• Think about the implications associated with that data being stolen and exploited!
10. What Phishing Looks Like
• As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows.
• They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites.
11. Techniques For Phishing
• Employ visual elements from target site
• DNS Tricks:
  • www.ebay.com.kr
  • www.ebay.com@192.168.0.5
  • www.gooogle.com
• Unicode attacks
• JavaScript attacks
• Spoofed SSL lock certificates
  • Phishers can acquire certificates for domains they own
  • Certificate authorities make mistakes
12. Social Engineering Techniques
• Socially aware attacks
  • Mine social relationships from public data
  • Phishing email appears to arrive from someone known to the victim
• Use spoofed identity of trusted organization to gain trust
• Urge victims to update or validate their account
• Threaten to terminate the account if the victim does not reply
• Use gift or bonus as bait
• Security promises
13. Remember These Social Engineering Techniques
Often employed in phishing to make it seem more real or urgent, or to lower your guard of trust:
Threats – Do this or else!
Authority – I have the authority to ask this
Promises – If you do this, you will get $$$
Praise – You deserve this
14. Other Phishing Techniques
Socially aware attacks
  Mine social relationships from public data
  Phishing email appears to arrive from someone known to the victim
Use spoofed identity of trusted organization to gain trust
Urge victims to update or validate their account
Threaten to terminate the account if the victim does not reply
Use gift or bonus as bait
Security promises
15. Let’s Talk About Facebook
• So important, it gets its own slide!
• Essentially unauthenticated – discussion
• Three friends and you’re out! – discussion
• Privacy settings mean nothing – discussion
• Treasure trove of identity information
• Games as information harvesters
21. Detecting Fraudulent Email
Information requested is inappropriate for the channel of communication:
"Verify your account." Nobody should ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail.
Urgency and potential penalty or loss are implied:
"If you don't respond within 48 hours, your account will be closed."
22. Detecting Fraudulent Email
"Dear Valued Customer." Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name.
23. Detecting Fraudulent Email
"Click the link below to gain access to your account."
This is an example of URL masking (hiding the web address).
URL alteration:
www.micosoft.com
www.mircosoft.com
www.verify-microsoft.com
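The DNS tricks on slide 11 (www.ebay.com.kr, www.ebay.com@192.168.0.5, www.gooogle.com) and the altered spellings on this slide can be checked mechanically. The Python below is an added example and not part of the presentation; the trusted-domain list, the confusable-character map and the "last two labels" domain heuristic are assumptions made for the demonstration.

```python
"""Flag the link tricks from the slides: '@' masking, a brand buried in another domain,
and lookalike spellings. Added example; the trusted list and heuristics are assumptions."""
from typing import List
from urllib.parse import urlsplit

# Assumed list of brand domains the audience trusts (the sites the slides name).
TRUSTED = {"aol.com", "ebay.com", "google.com", "microsoft.com", "paypal.com"}
# Characters commonly swapped for look-alikes, e.g. www.ao1.com for www.aol.com.
CONFUSABLES = str.maketrans("105", "los")


def osa_distance(a: str, b: str) -> int:
    """Edits (insert, delete, substitute, swap adjacent) needed to turn a into b."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # 'mircosoft' -> 'microsoft'
    return d[len(a)][len(b)]


def check_url(url: str) -> List[str]:
    """Return the reasons a link looks fraudulent; an empty list means none were found."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.username is not None:
        # www.ebay.com@192.168.0.5: text before '@' is user info; the browser goes to the rest.
        reasons.append(f"text before '@' is not the host; the real host is {host}")
    if host.replace(".", "").isdigit():
        reasons.append("bare IP address instead of a domain name")
    # Simplification: last two labels = registered domain (real code uses the Public Suffix List).
    apex = ".".join(host.split(".")[-2:])
    if apex in TRUSTED:
        return reasons
    candidate = apex.translate(CONFUSABLES).split(".")[0]
    tokens = host.replace("-", ".").split(".")  # brand must be a whole label or hyphen part
    for brand in sorted(TRUSTED):
        name = brand.split(".")[0]
        if name in tokens:
            # www.ebay.com.kr, www.verify-microsoft.com: brand shown, different domain registered.
            reasons.append(f"contains '{name}' but the registered domain is '{apex}'")
        elif osa_distance(candidate, name) <= 1:
            reasons.append(f"'{apex}' is a lookalike of '{brand}'")
    return reasons
```

The edit-distance threshold of one catches the single-character slips on these slides; a looser threshold quickly produces false alarms on short brand names.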
24. How to Defend Against Phishing Attacks
• Never respond to an email asking for personal information
• Always check the site to see if it is secure (SSL lock)
• Look for misspellings or errors in grammar
• Never click on the link in the email. Enter the web address manually
• Keep your browser updated
• Keep antivirus definitions updated
• Use a firewall
• When in doubt, ask your Network Administrator for their opinion
25. A Note on Spear Phishing
• Designed especially for you
• Includes your name
• May reference an environment or issue you are aware of and familiar with
• Asks for special treatment, with justification for the request
29. Baiting
Hey, look! A free USB drive!
I wonder what is on this confidential CD which I found in the bathroom?
These are vectors for malware!
They play on your curiosity or desire to get something for nothing.
Don’t be a piggy!
30. Out of Office, Out of Control
Using the Out of Office responder in a responsible manner
31. Phishing Awareness at DoIT
DoIT staff undergo formal Security Awareness training every year
Reading is one thing, experiencing is another
We wanted some real measurements
Purchased a product which enabled us to run measured phishing campaigns
Eight campaigns over the past year, from simple to complex
38. Results
Average industry end user “participation rate” is 14%
Can you guess what our participation rate was?
The more familiar the subject matter, the more likely people are to let their guard down
39. Summary
Technology does not provide all the answers
Think of phishing every time you open an email
Remember, Social Engineering happens everywhere, not just at St. Elsewhere
40. Questions and Discussion
Nicholas Davis
ndavis1@wisc.edu
facebook.com/nicholas.a.davis