1
Security Smackdown: End-User Awareness Programs vs. Technology Solutions
Justin Klein Keane, Christine Brisson
University of Pennsylvania School of Arts & Sciences
2
Analogies only work if they're accurate
Except in the case of car analogies, which always suck*
*Let's try to keep this discussion free of car analogies
4
Proven Technical Solutions
5
Security Luminaries agree:
● Bruce Schneier
● Dave Aitel, Immunity
● Richard Bejtlich, Mandiant
http://www.darkreading.com/blog/240151108/on-security-awareness-training.html
N.B.: Detractors of security awareness training have no financial stake in the correctness of their argument.
6
Gizmodo -- The 10 most popular passwords of 2012:
1. Password (Unchanged)
2. 123456 (Unchanged)
3. 12345678 (Unchanged)
4. abc123 (Up 1)
5. qwerty (Down 1)
6. monkey (Unchanged)
7. letmein (Up 1)
8. dragon (Up 2)
9. 111111 (Up 3)
10. baseball (Up 1)
What about Pa$$w0rd?
8
Simulated Phishing Campaigns
● New York State employees (2005)
  – 10,000 people
  – decline in response rate to fake phishing emails from 15% to 8% over two trials
● PhishMe at Emory (2012)
  – 40,000 people
  – decline in response rate to fake phishing emails from 13.7% overall to 8.1% over three trials
  – No overall decline in number of successful phishing attacks
● Operation Carronade (West Point, 2004)
  – 80% of cadets (small sample size, 400) clicked on the link; 90% of freshmen
  – “There is a culture at West Point that any e-mail with a "COL" (abbreviation for Colonel) salutation has an action to be executed. To a cadet, the action/request is to be executed regardless of its nature or rationale. The e-mail sought to exploit this culture.”
9
Phishing Education is Misguided
10
Careful where you Click
11
Be careful where you click?
12
Human Cognition is Exploitable
● https://online.citiban.k.com/US/JSO/signon
● https://online.C|T|BANK.COM/US/JSO/signon
● https://online.citibank.com/US/JSO/signon:/accounts/login@evil.com
● https://online.citibänk.com/US/JSO/signon
● https://online.citibaņk.com/US/JSO/signon
● https://online.citbank.com/US/JSO/signon
● http://bit.ly/JQ9RCh
● http://translate.google.com/#auto/en/https%3A%2F%2Fevil.com
Some tricks are invisible: http://www.symantec.com/connect/blogs/soft-hyphen-new-url-obfuscation-technique
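The lookalike URLs on this slide rely on a handful of mechanical tricks: userinfo before an '@', punctuation or accented letters standing in for ASCII letters, a dropped letter, invisible characters such as the soft hyphen, shorteners, and a real URL encoded inside another site's fragment. The checker below is an added example, not part of the talk: it reports the host the browser would actually contact and flags each trick; the one-brand allow-list (citibank.com), the shortener list and the 0.8 similarity threshold are assumptions chosen for the slide's examples.

```python
"""Added example (not from the talk): flag the URL lookalike tricks shown on the slide."""
import re
import unicodedata
from difflib import SequenceMatcher
from urllib.parse import urlsplit

TRUSTED = {"citibank.com"}                    # constructed allow-list of genuine domains
BRANDS = {d.split(".")[0] for d in TRUSTED}   # brand words to look for in other hosts
SHORTENERS = {"bit.ly"}                       # constructed list of link shorteners
INVISIBLE = {"\u00ad", "\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
SHAPES = str.maketrans({"|": "i", "!": "i", "1": "l", "0": "o", "$": "s", "3": "e"})


def plain(label: str) -> str:
    """Reduce a host label to ASCII letters for comparison: map letter-shaped
    punctuation (C|T|BANK) and strip accents (citibänk, citibaņk) via NFKD."""
    nfkd = unicodedata.normalize("NFKD", label.translate(SHAPES))
    return "".join(c for c in nfkd if not unicodedata.combining(c)).lower()


def inspect_url(url: str) -> dict:
    """Return the host the browser would actually contact plus warning strings."""
    warnings = []
    if any(ch in INVISIBLE for ch in url):
        warnings.append("invisible characters (e.g. soft hyphen) in URL")
        url = "".join(ch for ch in url if ch not in INVISIBLE)
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Anything before '@' in the authority is userinfo; the host is what follows it.
    if parts.username is not None:
        warnings.append("userinfo before '@' disguises the real host")
    elif "@" in url:
        warnings.append("'@' in URL: verify the host, not the text before it")
    if not host.isascii():
        warnings.append("non-ASCII characters in host (possible IDN homoglyph)")
    domain = ".".join(host.split(".")[-2:])   # crude registered domain (no PSL)
    if domain in SHORTENERS:
        warnings.append("link shortener hides the destination")
    if domain not in TRUSTED:
        for label in host.split("."):
            for brand in BRANDS:
                if SequenceMatcher(None, plain(label), brand).ratio() >= 0.8:
                    warnings.append(f"'{label}' resembles {brand} but host is {domain}")
    if re.search(r"%2f|%3a", parts.query + parts.fragment, re.I):
        warnings.append("encoded URL in query/fragment (redirect or proxy)")
    return {"host": host, "warnings": warnings}
```

Run it over the slide's URLs: the genuine https://online.citibank.com/US/JSO/signon comes back with no warnings, while every other entry produces at least one.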
13
Privacy/Sensitive data
14
Effective Training (Developers)
15
Effective Training (Users)
16
NCSAM Campaigns in SAS
Two main messages
● Information Security is an issue
● Know who to contact if you have questions
We chose themes based on pain points
● Data and privacy
● Be careful where you click
● Securing mobile devices
Different methods of outreach
● Posters
● Web site
● Events (shredding day)
● “Security and Donuts” -- school wide but locally-based
Shared material/ideas with other Penn schools/units
18
References
● West Point: http://www.educause.edu/ero/article/fostering-e-mail-security-awareness-west-point-carronade
● New York State phishing: “You Won’t Believe How Adorable This Kitty Is! Click for More!” by Geoffrey A. Fowler, Wall Street Journal, 3/27/2013.
● Emory University phishing: http://www.educause.edu/events/security-professionals-conference/phishing-ourselves-raise-awareness
● Top 10 Passwords: http://gizmodo.com/5954372/the-25-most-popular-passwords-of-2012
● Anti-Phishing Phil: "Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish" by Steve Sheng, Bryant Magnien, Ponnurangam Kumaraguru, Alessandro Acquisti, Lorrie Faith Cranor, Jason Hong, Elizabeth Nunge. Symposium On Usable Privacy and Security (SOUPS) 2007, July 18-20, 2007, Pittsburgh, PA, USA. Available at http://cups.cs.cmu.edu/soups/2007/proceedings/p88_sheng.pdf
● West Virginia University training effort: “Information Security Training - Lessons Learned Along the Trail” by Michael Cooper. SIGUCCS ’08, October 19-22, 2008, Portland, Oregon, USA.
● Arguments in favor of security training:
  – http://www.csoonline.com/article/705639/ten-commandments-for-effective-security-training
  – http://searchsecurity.techtarget.com/news/2240162630/Data-supports-need-for-awareness-training-despite-naysayers
19
References (cont.)
● Proven technical controls:
  – "Strategies to Mitigate Targeted Cyber Intrusion," Australian Defense Signals Directorate. http://www.dsd.gov.au/infosec/top-mitigations
  – "20 Critical Controls," Center for Strategic and International Studies. https://www.sans.org/critical-security-controls/guidelines.php
● Phishing resources:
  – https://crypto.stanford.edu/antiphishing/
  – https://www.mozilla.org/en-US/firefox/phishing-protection/
  – https://community.opendns.com/phishtank/
● Security training is a waste:
  – “On Security Awareness Training,” by Bruce Schneier. Dark Reading, http://www.darkreading.com/blog/240151108/on-security-awareness-training.html
  – “Why you shouldn't train employees for security awareness,” by Dave Aitel. CSO Online, http://www.csoonline.com/article/711412/why-you-shouldn-t-train-employees-for-security-awareness
  – “Security Awareness Training: A Waste of Time?” by Richard Bejtlich. TaoSecurity, http://taosecurity.blogspot.com/2005/11/security-awareness-training-waste-of.html
● Malware obfuscation techniques:
  – “Soft Hyphen – A New URL Obfuscation Technique,” by Samir Patil. Symantec Official Blog, http://www.symantec.com/connect/blogs/soft-hyphen-new-url-obfuscation-technique