Slide 1: Jason Belford, September 28, 2017
Slide 2: These slides have been modified from the original presentation to remove information concerning the prevention of or response to cyber attacks, or information that describes a security system used to control access to or use of an automated data processing or telecommunications system.
Slide 3: Phishing Simulations: Why do we even want to discuss this?
Slide 4: Phishing Threat: Why do we even want to discuss this?
"The breach at Target Corp. that exposed credit card and personal data on more than 110 million consumers appears to have begun with a malware-laced phishing attack sent to employees at an HVAC firm that did business with the nationwide retailer, according to sources close to the investigation."
Slide 5: Phishing Simulations: What are we actually talking about?
Slide 6: Phishing Simulations: Benefits of doing this?
Goal: reduce the risk of a successful phish.
- Best way to reach the masses quickly
- Users become more "cautious"
- Hands-on training works better than theory
- Justifies 2-factor authentication
- Identifies "hot" spots
Slide 7: Phishing Simulations: Drawbacks of doing this?
- Could build distrust in an organization
- Results could be embarrassing
- Products could be expensive
- People could be embarrassed about being "tested"
- Resource intensive (includes help desks and security staff)
- Decrease in productivity
Slide 8: Phishing Simulation Best Practices: Goal: Training, only!
- Non-punitive (really!)
- Keep the results private
- Get permission (a get-out-of-jail-free card)
- Don't make it too tricky (psychology of success; double-barreling)
- Notify users ahead of time
Slide 9: Phishing Simulation Best Practices: Involve Communications
- Notify your helpdesk(s)
- Whitelist the IPs
- Pick good dates
- Use real messages
- Set your expectations (25, 15, 10, 5)
- Risk-based approach
Slide 10: Phishing Simulations: Some Options
- PhishLine
- PhishLabs
- Duo Insight
- PhishMe
- GoPhish
- PyPhish (Phish Slap)
- KnowBe4
- Metasploit
- Lots of others...
Slide 12: Phishing Simulations: The good, bad, & ugly

| Product | Pro | Con |
|---|---|---|
| Duo Insight | Free (for now) | Not customizable; training is limited |
| GoPhish | Free / open source | Interface is very difficult if you have more than 2,500 recipients; must provide scenarios, hardware, and training pages |
| PhishMe | Cloud service; lots of simulations and training. Can provide scenarios and training | Expensive ($1-$2 per user). Will not allow certain types of scenarios |
| PyPhish (formerly Phish Slap) | Made with an EDU focus; low cost | Must provide scenarios, hardware, and training pages |
Slide 13: Phishing Simulations: Interesting Observations
Heightened awareness (after notification):
- More reports
- Some folks entered credentials and then reported it
- Some folks closed their laptop immediately upon seeing "Ooops! You just fell for a phishing message"
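The best-practice slides ask for results that stay private while still identifying "hot" spots, and the observations slide notes users who entered credentials and then reported the message. The following is an added example, not code from the slides or from any product named here: it aggregates constructed campaign results per department, folds small departments into "other" so no individual is identifiable, and counts the submit-then-report case separately. Department names, the record fields and the click-rate threshold are assumptions for illustration.

```python
from collections import defaultdict
from typing import Optional, List, Dict

class Recipient:
    """One simulated recipient: department plus the minute (after send) at which
    each action happened, or None if it never happened. Constructed fields."""
    def __init__(self, dept: str, clicked: Optional[int] = None,
                 submitted: Optional[int] = None, reported: Optional[int] = None):
        self.dept, self.clicked, self.submitted, self.reported = dept, clicked, submitted, reported

# Constructed campaign results (no real users); department names are placeholders.
SAMPLE: List[Recipient] = [
    Recipient("Finance", clicked=3, submitted=4),
    Recipient("Finance", clicked=5, submitted=6, reported=9),  # entered credentials, then reported
    Recipient("Finance", reported=2),
    Recipient("Facilities", clicked=12),
    Recipient("Facilities", clicked=15, submitted=16),
    Recipient("Facilities"),
    Recipient("Library", reported=1),
    Recipient("Library", reported=4),
    Recipient("Library"),
    Recipient("Library", clicked=20),
]

def summarize(recipients: List[Recipient], min_group: int = 3) -> Dict[str, dict]:
    """Per-department counts and rates only; departments smaller than min_group are
    folded into 'other' so the report never exposes an identifiable individual."""
    size: Dict[str, int] = defaultdict(int)
    for r in recipients:
        size[r.dept] += 1
    groups: Dict[str, dict] = defaultdict(lambda: {
        "sent": 0, "clicked": 0, "submitted": 0, "reported": 0, "submitted_then_reported": 0})
    for r in recipients:
        g = groups[r.dept if size[r.dept] >= min_group else "other"]
        g["sent"] += 1
        g["clicked"] += r.clicked is not None
        g["submitted"] += r.submitted is not None
        g["reported"] += r.reported is not None
        # The "fell for it, then reported it" case counts as both a submission and a report.
        if r.submitted is not None and r.reported is not None and r.reported > r.submitted:
            g["submitted_then_reported"] += 1
    for g in groups.values():
        g["click_rate"] = round(100 * g["clicked"] / g["sent"], 1)
        g["report_rate"] = round(100 * g["reported"] / g["sent"], 1)
    return dict(groups)

def hot_spots(summary: Dict[str, dict], max_click_rate: float) -> List[str]:
    """Departments whose click rate exceeds the expectation set for this round."""
    return sorted(k for k, g in summary.items() if g["click_rate"] > max_click_rate)
```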
Slide 14: Phishing Simulations: back·draft (ˈbakdraft), noun
1. A current of air or water that flows backward down a chimney, pipe, etc.
2. A phenomenon in which a fire that has consumed all available oxygen suddenly explodes when more oxygen is made available, typically because a door or window has been opened.
Slide 15: Phishing Simulations: Higher Education: Sensitivity Issue? (The equivalent of a backdraft)
To:
From: Name of School
Date: October 10, 2015
Subject: Unknown Login
Your account was recently accessed from: Country: Spain, IP: X.X.14.65. If this was not you, please click here.
Slide 17: Phishing Simulations: Higher Education: Sensitivity Issue? (The equivalent of a backdraft)
To:
From: Name of School
Date: October 11, 2015
Subject: Unknown Login
Your account was recently accessed from: Country: Nigeria, IP: X.X.14.65. If this was not you, please click here.
Slide 18: Phishing Simulations: Higher Education: Sensitivity Issue? (The equivalent of a backdraft)
To:
From: Name of School
Date: October 11, 2015
Subject: Unknown Login
Your account was recently accessed from: Country: Nigeria, IP: X. If this was not you, please click here.
Response received: "The African American Student Union has members from Nigeria and we support these students. Your recent phishing message was offensive. This message relies on stereotypes of Nigeria and does not represent the entire country. We believe the Institute should write all students who received the message and apologize for your actions."
Slide 19: Phishing Simulations: Army: Communication Issues (The equivalent of a backdraft)
- An Army command wanted to test its staff
- Sent to a small group
- Subject: 401k account breach
- Lots of people shared it
- DOD, FBI, Border Protection, and Labor Dept. got involved
- Investigation took 3 weeks to find the source
Slide 20: Phishing Simulations: UVA Case Study
We have run multiple successful simulations. If you have specific questions or concerns about the simulations, please contact Jason Belford.
Slide 21: Questions?
"He who knows most, knows best how little he knows." -- Thomas Jefferson