Copyright © Wombat Security Technologies, Inc. 2008-2010
Jason Hong, PhD
Assoc. Prof, Carnegie Mellon University
CTO, Wombat Security Technologies
Protecting Organizations from Phishing Scams
300 million spear phishing emails are sent each day
-- Cisco 2008 Annual Security Report
Phishing Attacks are Pervasive
Phishing is a social engineering attack
Tricks users into sharing sensitive information or installing malware
Used for identity theft, corporate espionage, and theft of national secrets
Circumvents today's security measures
Targets the person behind the keyboard
Works around encryption, two-factor, firewalls
Password reuse exacerbates the problem: a security problem outside your perimeter can still affect you
How Bad is Phishing?
Estimated ~0.4% of Internet users per year fall for phishing attacks
Estimated $1B+ direct losses to consumers per year
Bank accounts, credit card fraud
Doesn't include time wasted on recovery of funds, restoring computers, emotional uncertainty
Growth rate of phishing is high
Over 45k+ reported unique sites / month
Social networking sites now major targets
How Bad is Phishing?
Direct damage
Loss of sensitive customer data
Loss of intellectual property
Fraud
Attack on European carbon traders in early 2010, close to $5m stolen in targeted phishing attack
Indirect damage can be high too
Damage to reputation, lost sales, etc
Response costs (call centers, recovery)
One bank estimated costs of $1M per phishing attack
Spear-Phishing Attacks Rising
Type #1 – Uses info about your organization
This attack uses public information
Not immediately obvious it is an attack
Could be sent to military personnel at a base
Our data suggests around 50% of people likely to fall for a good spear-phishing attack
Sample email text: "General Clark is retiring next week, click here to say whether you can attend his retirement party"
Spear-Phishing Attacks Rising
Type #2 – Uses info about you specifically
Might use information from social networking sites, corporate directories, or publicly available data
"Thousands of high-ranking executives across the country have been receiving e-mail messages this week that appear to be official subpoenas from the United States District Court in San Diego. Each message includes the executive's name, company and phone number, and commands the recipient to appear before a grand jury in a civil case."
-- New York Times, Apr 16 2008
Protecting Your Users from Phish
Make it invisible
Email and web filters for your employees
Takedown providers for your customers
Better user interfaces
Better web browser interfaces
Train people
Most overlooked aspect of protection
More effective than people realize
Problems with Traditional Security Training
All-day training sessions
Major disruption to work, no chance to practice skills, not realistic because people aren't attacked in a classroom
People don't know they have a problem
Can't go looking for the right information
Awareness campaigns don't help
Telling people to watch out for phishing without teaching meaningful skills to detect attacks is useless
Can also raise false positives (basically, raises paranoia)
Traditional training is boring
Embedded Training
Use simulated phishing attacks to train people
Teach people in the context they would be attacked
If a person falls for simulated phish, then show intervention as to what just happened
Creates a "teachable moment"
However, doing embedded training right is harder than it may seem
Doing Embedded Training Right
Coordinating with Right Groups
US Dept of Justice sent hoax phishing email, but didn't notify the entity they were impersonating
Wasted lots of time and energy shutting it down
Anxiety for many days about safety of retirement plans
One Air Force Base sent hoax phishing email about Transformers 3 wanting to recruit
Spread a fairly large Internet rumor about the movie
Wasted lots of time and energy addressing rumors
Doing Embedded Training Right
Psychological Costs
University of Indiana researchers sent hoax phishing email to students and staff
"Some subjects called the experiment unethical, inappropriate, illegal, unprofessional, fraudulent, self-serving, and/or useless."
"They called for the researchers … to be fired, prosecuted, expelled, or otherwise reprimanded."
"These reactions highlight that phishing not only has the potential monetary costs associated with identity theft, but also a significant psychological cost to victims."
Embedded Training with PhishGuru
Key differences:
Offer people immediate feedback and benefit (training)
Do so in fun, engaging, and memorable format
Key to effective training is learning science
Examines learning, retention, and transfer of skills
Example principles
Learning by doing
Immediate feedback
Conceptual-procedural
Personalization
Story-based agents
Reflection
Case Study #1
Canadian healthcare organization
Three-month embedded training campaign
190 employees
Security assessment and effective training in context
Simulated Phishing Email
Case Study
Measurable Reduction in Falling for Phish

               Viewed Email Only      Viewed Email and Clicked Link    Employees
Campaign 1     20    (10.53%)         35    (18.42%)                   190
Campaign 2     37    (19.47%)         23    (12.11%)                   190
Campaign 3      7     (3.70%)         10     (5.29%)                   189
[Bar chart: counts of "Viewed Email Only" and "Viewed Email and Clicked Link" for Campaigns 1, 2 and 3, axis 0 to 40]
Case Study 2
Tested with over 500 people over a month
1 simulated phish at beginning of month, testing done at end of month
About 50% reduction in falling for phish
68 out of 85 surveyed said they recommend continuing doing this sort of training in the future
"I really liked the idea of sending [organization] fake phishing emails and then saying to them, essentially, HEY! You could've just gotten scammed! You should be more careful -- here's how...."
Micro-Games for Cyber Security
Training doesn't have to be boring
Training doesn't have to take long either
Micro game format, play for short time
Two-thirds of Americans played a video game in past six months
Not just young people
Average game player 35 years old
25% of people over 50 play games
Not just males
40% are women (casual games)
Case Study 3
Tested Anti-Phishing Phil micro game with ~4500 people
Huge improvement by novices in identifying phishing URLs
Also dramatically lowered false positives
False negatives for users who played Anti-Phishing Phil (“game condition”). False negatives are situations where people incorrectly label a phishing site as legitimate. Novices saw the greatest reduction in false negatives, and retained what they had learned.
False positives for users who played the Anti-Phishing Phil game. False positives are situations where people incorrectly label a legitimate site as phishing. Again, novices saw the greatest improvement in reducing false positives, and retained what they had learned.
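As an added illustration, not part of the original deck or of Wombat's tooling, of how the Case Study #1 campaign table and the false-negative/false-positive results above are derived: the functions below aggregate constructed per-user events from a simulated-phishing campaign into "viewed only" and "clicked" rates (a user who clicks is never also counted as viewed-only), and compute error rates from constructed URL-labelling answers; the `pct` rounding reproduces the percentages in the campaign table.

```python
from collections import defaultdict

# Constructed sample events from two simulated-phishing campaigns (not Wombat data).
# Each tuple: (campaign, user_id, action); a user may appear more than once.
SAMPLE_EVENTS = [
    (1, "u01", "viewed"), (1, "u01", "clicked"),   # viewed then clicked -> counts as clicked
    (1, "u02", "viewed"),                          # viewed only
    (1, "u03", "viewed"), (1, "u03", "viewed"),    # duplicate views, still one viewed-only user
    (1, "u04", "clicked"),                         # click recorded without a separate view
    (2, "u01", "viewed"),
    (2, "u05", "clicked"),
]
SAMPLE_EMPLOYEES = {1: 10, 2: 10}   # employees targeted per campaign (constructed)

def pct(n, total):
    """Percentage of total, rounded to two decimals as in the campaign table."""
    return round(100.0 * n / total, 2)

def campaign_metrics(events, employees):
    """Per campaign: users who only viewed vs. users who clicked, as counts and % of employees."""
    clicked = defaultdict(set)
    viewed = defaultdict(set)
    for campaign, user, action in events:
        (clicked if action == "clicked" else viewed)[campaign].add(user)
    out = {}
    for campaign, total in employees.items():
        c = clicked[campaign]
        v = viewed[campaign] - c    # a user who clicked is not also "viewed only"
        out[campaign] = {"viewed_only": len(v), "viewed_only_pct": pct(len(v), total),
                         "clicked": len(c), "clicked_pct": pct(len(c), total)}
    return out

def click_reduction(metrics, first, last):
    """Relative drop in click rate between two campaigns (e.g. 0.5 for a 50% reduction)."""
    a, b = metrics[first]["clicked_pct"], metrics[last]["clicked_pct"]
    return round((a - b) / a, 2) if a else 0.0

def label_error_rates(labels):
    """False-negative and false-positive rates from (is_phish, user_said_phish) pairs."""
    fn = sum(1 for truth, said in labels if truth and not said)     # phish labelled legit
    fp = sum(1 for truth, said in labels if not truth and said)     # legit labelled phish
    phish = sum(1 for truth, _ in labels if truth)
    legit = len(labels) - phish
    return {"false_negative_rate": round(fn / phish, 2) if phish else 0.0,
            "false_positive_rate": round(fp / legit, 2) if legit else 0.0}
```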
Summary
Phishing scams on the rise
Spear-phishing attacks are highly targeted phishing attacks
People are very susceptible to well-crafted phish
Today's training can be boring and ineffective
Embedded training and micro games are an effective alternative
Thank you!
Thanks, PhishGuru. Where can I learn more?
Find more at wombatsecurity.com
Anti-Phishing Phil white paper: Cyber Security Training Game Teaches People to Avoid Phishing Attacks
PhishGuru white paper: An Empirical Evaluation of PhishGuru Training