HIPAA COW Healthcare IT Networking Group Co-Chairs. Scott Vaughan. Brad Candell. Sauk Prairie Healthcare. Group Health Cooperative of Eau Claire

Transcription

1 1 HIPAA COW Healthcare IT Networking Group Co-Chairs Scott Vaughan Sauk Prairie Healthcare Brad Candell Group Health Cooperative of Eau Claire 2 Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. - Wikipedia 3 1

2 Spear Phishing - Phishing attempts directed at specific individuals or companies have been termed spear phishing. This involves espionage to gather personal information about their target to increase their probability of success. Clone Phishing - A type of phishing attack whereby a legitimate, and previously delivered, containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical or cloned . The attachment or link within the is replaced with a malicious version and then sent from an address spoofed to appear to come from the original sender. It may claim to be a resend of the original or an updated version to the original. Whaling Phishing attacks that are directed specifically at senior executives and other high-profile targets within businesses. CEO CFO IT/Help Desk 4 Significant loss Financial Privileged Information / Trade Secrets Credentials Detection is often difficult with technologybased security measures. Limited education for the most susceptible attack vector (Employees). 5 A proactive, simulated phishing attack on some/all of your staff members that helps provide an analysis of the susceptibility of your staff. Detailed Analysis & Reporting Training Opportunities Technological Enhancements Process & Procedure Enhancements Human Resource Involvement 6 2

3 Vendor (Paid) Solutions Open Source Custom Built Manually 7 Installed/Hosted Platforms Trusted Expertise Support Minimal effort Speed of Implementation Integrated training modules 8 Installed/Hosted Platforms Great for Proof-of-Concept Cost (Free) Customizable with/without source code 9 3

4 As simple or as complex as you would like. Choice of the technology platform(s). Customized to meet any/all organizational needs. Integrated with internal applications. Active Directory Computer-based Training Security Suites 10 To Each Their Own 11 Working with Senior Leadership Technological Considerations Server(s) Firewall IDP/IPS Platform Selection Configuration Domain Name(s) End Point Message Choosing your victims 12 4

5 Risk of Phishing in your organization Cost/Benefit Analysis Advanced Notification The toll of tricking employees Outcome 13 Server(s) Internal or external Rate limiting Don t get blacklisted Firewall Intrusion Detection / Prevention 14 Organization Specific Technologies IT Staff Skills Acceptance of Open Source Software Licensing Cost & Effort Long Term Investment (Is it a one-time test?) Ownership (IT vs Compliance vs Security) Security Integrations 15 5

6 vs vs 16 Use proven templates that are likely to trick employees into completing the phish. 17 Consider making a custom template that applies only to your organization. 18 6

7 Time to think like a hacker.. Make the message as convincing as possible. Follow closely with known correspondence formats

8 Everyone Random Departments What truly matters is that you are able to keep track of a recipient between campaigns. 22 Letting key employees/departments know in advance Information Technology Human Resources Compliance Executives What type of phishing attack are you hoping to run? Credential theft? Running a malicious executable? harvesting? 23 GoPhish ( MIT Licensed by Jordan Wright Written in Go Supports Windows, Linux and OSX Source code available on GitHub Phishing Frenzy GNU General Public License Written in Ruby on Rails Supports any web server that also supports Ruby Source code available on GitHub 24 8

9 Identify and perform staff education opportunities. Identify areas to improve the reporting of suspicious messages. Enhance policies and procedures. Chronological analysis Fine tune future campaigns Human Resource involvement 25 PhishMe Wombat ThreatSim Phishing Box PhishLabs KnowBe4 BlackFin (Symantec) PhishLine 26 GoPhish Phishing Frenzy SpeedPhish Framework King Phisher Simple Phishing Toolkit (sptoolkit) LUCY (Community Version) 27 9

10 Anti-Phishing Working Group Phishing.org