Phishing Discussion. Pete Scheidt Lead Information Security Analyst California ISO

Size: px

Start display at page:

Download "Phishing Discussion. Pete Scheidt Lead Information Security Analyst California ISO"

Fay Cannon
5 years ago
Views:

1 Phishing Discussion Pete Scheidt Lead Information Security Analyst California ISO

2 2 Phish What is Phishing Types of Phish

3 3 Phish What is Phishing Attackers (Phishers) would (cast their nets) far and wide with techniques to encourage victims to part ways with their information.

4 4 Phish Types of Phish Spear phishing Whaling Anglerphishing Catphishing

5 5 Threat of Phish Number one threat delivery and communications vehicle 90+% of cyber attacks start with a phishing

6 6 Defending against the Phish People + Processes + Technology What is it comprised of? Frequency? Policy? Stick/Carrot? Training?

7 7 Defending against the Phish People + Processes Phishing and Awareness training sessions Listing of methods to help organize, discern, prioritize, and discard, potentially malicious messages. Newsletters, digital communications, and cyber news as it relates to security awareness and training. This allows employee s and contractors to stay up-to-date with the latest news and trends. Independent assessments of its security controls, processes, and protections, in an effort to calibrate, improve, and mature. Phishing campaign to reinforce Phishing and Awareness training. Real-time security training which covers phishing, security, and social engineering. Administrative Control for Disciplinary Guidelines to reinforce the Phishing and Awareness training program. Incentive reward bounty for users who comply with the Phishing and Awareness training program.

8 People + Processes A. Acceptable Use Policy B. Understand the difference between Spam/Junk/Bulk and Phishing. C. Report suspected Phishing s. D. Immediately report any suspicious activity takes place in the event of clicking on a URL or opening an attachment. E. Fundamental understanding of basic security controls.

9 9 Defending Against the Phish + Technical Controls Secure Gateways (SEG) URL Filtering Attachment Sandboxing Content Disarm and Reconstruction (CDR) 2-Factor Authentication Endpoint protections Anti-virus/malware protection, host-based firewalls, Next- Generation Antivirus (NGAV) and endpoint detection (e.g., CrowdStrike, Carbon Black, Barkly, etc)

Email Protection: Threat Types by Message Volume Over a 6 month

10 Protection: Threat Types by Message Volume Over a 6 month period we see a large difference in URL Threat vs. Attachment based threat.

11 11 Spear Phishing Against Industry What is Spear Phishing? Target attempt targeting a specific victim. This is achieved by acquiring personal details on the victim and then disguise themselves as a trustworthy friend or entity. What is Spear Phishing against Electric Industry? Targeted attempt to specific individuals in the electric industry by disguise themselves as a trustworthy business partner, often through the supply chain.

12 12 Industry Defending Against the Phish + Technical Collaborative Controls Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), Domain-Based Message Authentication, Reporting and Conformance (DMARC)

13 13 DMARC Binding Operational Directive set forth by DHS for all federal agencies. DMARC is an anti-spoofing tool that runs in the background. You can be sure that s that passed DMARC come from where they claim That location may STILL be hostile, but at least it s not faked

14 and Domain Protection: DMARC DMARC - Domain-based Message Authentication, Reporting, and Conformance (DMARC) relies upon both SPF and DKIM for the most robust solution for Authentication. As the threat landscape evolves from avoiding spam attacks to protection from phishing attacks, more organizations are relying on DMARC as a means to reduce vulnerability from abuse. DMARC provides what is commonly known as Identifier Alignment. Identifier Alignment forces the domains authenticated by SPF and DKIM to have a relationship to the "header From" domain - what the user sees in the From display name and what the mail server sees in the Envelope Sender (ormailfrom domain). Administrators can select either SPF, DKIM Verification, DKIM Signing, or DMARC as a means for authentication to satisfy the Organization's security policies. Benefits to adopting DMARC: Organizations can provide domain-specific feedback to message senders about the accuracy of authentication deployments. Organizations can take action against that fails authentication. senders have the ability to report what actions (Policy Enforcement) are taken when messages fail authentication checks.

Email and Domain Protection: DMARC in Action November 2017: The ISO adopts the DMARC framework to support Binding Operational Directive 18-01 set forth by DHS for all federal agencies.

15 and Domain Protection: DMARC in Action November 2017: The ISO adopts the DMARC framework to support Binding Operational Directive set forth by DHS for all federal agencies. December 2018: The ISO enables authentication on the mail gateways to observe inbound traffic. January 2018: The ISO creates an SPF record, DKIM key, and DMARC record to begin monitoring its domains. DMARC record is set to monitoring mode to baseline domain traffic. Monitoring mode allows the domain owner to observe domain activity on both consumer mail gateways business mail gateways, and internal mail gateways. During an 8 month period, the CAISO InfoSec team partnered with business units, 3-rd party service providers, and its business partners to remediate unauthorized traffic to align with DMARC. October 2018: The ISO moves its domain to a policy of quarantine. Consumer and Business gateways traffic Nov 2017-Jan 2019 for caiso.com

16 16

DMARC Continuing to enable trust between brand owners and receivers

DMARC Continuing to enable trust between brand owners and receivers February 2014 1 DMARC Defined DMARC stands for: Domain-based Message Authentication, Reporting & Conformance (pronounced dee-mark ) 2