IT Security: Protecting Ourselves From Phishing Attempts
Ray Copeland, Chief Information Officer (CIO)

Phishing Defined
The fraudulent practice of sending emails claiming to be from reputable people or companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
Source: Google
PROTECTING OURSELVES FROM PHISHING
Three Main Types of Phishing

Spear phishing
Phishing attempts directed at specific individuals or companies have been termed spear phishing. Attackers may gather personal information about their target to increase their probability of success. This technique is, by far, the most successful on the internet today, accounting for 91% of attacks.

Clone phishing
Clone phishing is a type of phishing attack whereby a legitimate, and previously delivered, email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical or cloned email. The attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender. It may claim to be a resend of the original or an updated version of the original. This technique could be used to pivot (indirectly) from a previously infected machine and gain a foothold on another machine, by exploiting the social trust associated with the inferred connection due to both parties receiving the original email.

Whaling
Several phishing attacks have been directed specifically at senior executives and other high-profile targets within businesses, and the term whaling has been coined for these kinds of attacks. In the case of whaling, the masquerading web page/email will take a more serious executive-level form. The content will be crafted to target an upper manager and the person's role in the company. The content of a whaling attack email is often written as a legal subpoena, customer complaint, or executive issue. Whaling scam emails are designed to masquerade as a critical business email, sent from a legitimate business authority. The content is meant to be tailored for upper management, and usually involves some kind of falsified company-wide concern.
Whaling phishermen have also forged official-looking FBI subpoena emails, and claimed that the manager needs to click a link and install special software to view the subpoena.
Source: Wikipedia
Ransomware
Other types of cyber attacks typically take more work to monetize (example: stealing credit cards).
With ransomware, victims tend to pay quickly (example: recent hospital attacks).
The ransom amount is low enough that it is often easier for victims to pay up than to struggle to recover the data by other means.
Locky and TeslaCrypt are two common varieties of ransomware; CryptoWall is becoming less popular.
Source: Maria Korolov, CSO
Information Technology Steps
Information Technology Steps
Secure Mail Server Environments
Use Advanced SPAM Filtering Software
Encrypt Email Messages
Advanced Firewalls
Multifactor Authentication
Cloud Based Email Services

Secure Email Servers
Secure email servers by patching
Ensure servers and email are backed up
Conduct periodic restores

Use Advanced SPAM Filtering Software
(Diagram: Spam Filter)
Encrypt Email Messages
Advanced Firewall
Use both a firewall device and desktop firewall software
Improved controls for accessing the network, data and other systems
Prevents browser hijacks
Filters and blocks known addresses of phishermen

Multifactor Authentication
Text verification
Cell phone call
Alternate email address

Cloud Based Email Services
Offers added protection without a heavy IT resource investment
End User Steps
Website Examples
Email Examples
End User Proactive Steps
"Like other areas in security we need to take a defense in depth approach to phishing. Technical controls such as Advanced Threat Protection from O365, where links and attachments are evaluated in a sandbox for malicious content, are helpful in catching a large portion of phishing attacks. Having a secure web gateway or web filter will also stop users from accessing malicious links, and an up-to-date antivirus solution will help block the execution of malicious attachments. Following secure configuration standards such as the CIS benchmarks will also decrease the likelihood of a successful malicious attack. Technical controls aside, the end user is ultimately the most critical control when combating phishing, so having an end user security awareness program is key."
Russ Forsythe, CISSP, Chief Information Security Officer, State of Ohio

End User Proactive Steps
Things to Consider
If it looks wrong, it probably is wrong
Check the email address carefully
Watch for impersonal introductions
Beware of threats and urgent deadlines
Don't fill in embedded forms
Be cautious about phone numbers and web links
End User Proactive Steps
If it looks wrong, it probably is wrong
Phishing often looks, well, fishy. Typos can be a sign that an email is dodgy (yes, The Guardian may be on thin ice with this point, but typos in an email from your bank really are a red flag), as are all-capitals in the email's subject and a few too many exclamation marks.

End User Proactive Steps
Check the email address carefully
If you often get emails from a particular company, they'll usually come from the same address; for example, the vast majority of my PayPal emails come from service@paypal.co.uk. Another address, especially one that looks strange, should raise suspicions.

End User Proactive Steps
Watch for impersonal introductions
Your bank, PayPal, Amazon, etc. know your name. A phisher sending out masses of emails doesn't. That's why real emails from these companies often address you by name. "Dear Customer" or variations on it may sound polite, but it's a definite warning sign, especially if the email is trying to get personal details from you.

End User Proactive Steps
Beware of threats and urgent deadlines
Sometimes a reputable company does need you to do something urgently; eBay was recently forced to ask its customers to change their passwords quickly after a cyber-attack, for example. But usually, threats and urgency are a sign of phishing: if you're being asked to do something to prevent your account being shut down, or within a tight deadline, it's cause for caution.

End User Proactive Steps
Don't fill in embedded forms
If an email comes with an embedded form for you to fill in personal details, financial data and/or login details, don't do it. Trustworthy companies will never ask you to do this in an email.

End User Proactive Steps
Be cautious about phone numbers and web links
If an email asks you to call a number to give your personal details over the phone, dig out some official correspondence from the company and use the number given there instead. And if you're asked to click on a link that looks legitimate, hover your mouse over it to see if you're actually being sent to a different site; don't click on it if so.
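As an added example (not part of the original deck), the following Python check automates two of the tips above: it compares the sender's domain with the one you expect (the paypal.co.uk address mentioned earlier) and flags links whose visible text names a different site than the one the href actually points to, which is what hovering over a link reveals. The sample message and the lookalike domain paypa1-secure.example are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real phish): lookalike sender domain, urgent subject, and a
# link whose visible text names the legitimate site while its href goes elsewhere.
SAMPLE_EMAIL = """\
From: "PayPal Service" <service@paypa1-secure.example>
Subject: URGENT: your account will be suspended!!!
Content-Type: text/html

<p>Dear Customer, verify at <a href="http://login.paypa1-secure.example/verify">www.paypal.co.uk</a></p>
"""

class _LinkCollector(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lowercased host of a URL or bare domain, with a leading 'www.' removed."""
    if "://" not in value:
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def phishing_indicators(raw_email, expected_domain):
    """Return indicator strings: sender domain mismatch, link text/target mismatch."""
    msg = message_from_string(raw_email)
    indicators = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    if sender_domain != expected_domain:
        indicators.append(f"sender domain {sender_domain!r} is not {expected_domain!r}")
    collector = _LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        # Only compare when the visible text itself looks like a domain or URL
        if re.search(r"[a-z0-9-]+\.[a-z]{2,}", text, re.I) and host_of(text) != host_of(href):
            indicators.append(f"link text {text!r} actually points to {host_of(href)!r}")
    return indicators
```

Running phishing_indicators(SAMPLE_EMAIL, "paypal.co.uk") reports both the wrong sender domain and the link whose text says www.paypal.co.uk but targets login.paypa1-secure.example.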
Organizational Steps
Organizational Steps
Creating Organizational Security Roles
Organizational Awareness Programs
Collaborating
Training

Security Roles
Enables an organization to have a dedicated focus on IT Security
Role can be part time or full time
Creating Media and Posting it Throughout Office
Collaborating
Partner with other counties
Work with County Data Centers
Plug into State Security entities and the SOS Office

Additional Information & Training
http://csrc.nist.gov/publications/nistpubs/800-45-version2/sp800-45v2.pdf
http://csrc.nist.gov/publications/drafts/800-188/sp800_188_draft2.pdf
https://www.us-cert.gov/publications/securing-your-web-browser
https://msisac.cisecurity.org/toolkit/images/3.pdf
https://msisac.cisecurity.org/toolkit/images/5.pdf
http://www.infosec.ohio.gov/resources/definitions.aspx#phishing
http://www.gcflearnfree.org/topics/
Q&A
THANK YOU!