KnowBe4
U R Phished! How you can protect you and your organization from social engineering scams
James R. McQuiggan, CISSP
Security Awareness Advocate
• Security Awareness Advocate, KnowBe4 Inc.
• Former Cyber Security Awareness Lead, Siemens Energy & Product Security Officer, Siemens Gamesa
• Professor, Valencia College
• President, (ISC)2 Central Florida Chapter
• Board of Trustees, Center for Cyber Safety & Education
• The world’s largest integrated Security Awareness Training and Simulated Phishing platform
• Based in Tampa Bay, Florida, founded in 2010
• CEO & employees are ex-antivirus, IT Security pros
• We help tens of thousands of organizations manage the ongoing problem of social engineering
• Winner of numerous industry awards
Enabling employees to make smarter security decisions every day
https://www.knowbe4.com/ncsam-resource-kit
• Cybersecurity Awareness Month training plan PDF
• Social Media: A Global Concern
• Infographics, awareness posters
• Cybersecurity awareness tip sheet
• All assets are printable and available digitally
• Bonus: access to free resources for you including our popular on-demand webinar and whitepaper
Happy National Cybersecurity Month!
91% of cyber espionage begins with phishing (Source: Trend Micro)
95% of all security incidents involve human error (Source: Security Intelligence)
• The phaonmneal pweor of the hmuan mnid, aoccdrnig to a rscheearch at Cmabrigde Uinervtisy, it deosn't mttaer in waht oredr the ltteers in a wrod are, the olny iprmoatnt tihng is taht the frist and lsat ltteer be in the rghit pclae.
• The rset can be a taotl mses and you can sitll raed it wouthit a porbelm.
• Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe. Amzanig huh?
• And I awlyas tghuhot slpeling was ipmorantt!
Perception vs. Reality
We started with this:
And ended with this:
These are two completely different sets of cards. And by rushing you through the process, you probably didn’t notice!
How did I identify and remove your card?
Thinking, Fast & Slow (Daniel Kahneman)
Graphic Source: https://readingraphics.com/book-summary-thinking-fast-and-slow/
What is an OODA Loop and how do I mess with it?
Observe
Orient
Decide
Act
“In order to win, we should operate at a faster tempo or rhythm than our adversaries—or, better yet, get inside [the] adversary's Observation-Orientation-Decision-Action time cycle or loop ... Such activity will make us appear ambiguous (unpredictable) thereby generate confusion and disorder among our adversaries—since our adversaries will be unable to generate mental images or pictures that agree with the menacing, as well as faster transient rhythm or patterns, they are competing against.”
-- John Boyd (creator of the OODA Loop)
Spies, Magicians, Pickpockets, Con-artists and Cybercriminals use techniques to bypass the OODA Loop
What is an OODA Loop and how do I mess with it?
Observe
Orient
Decide
Act
These are critical thinking steps, and all of them impact the final action.
The ideal situation for a cyber criminal is to hijack the OODA loop by creating a knee-jerk action that effectively bypasses the first three steps and results in the attacker’s intended Action.
• Check your links!
• Look for transposed letters or substituted symbols in website names:
• Micorsoft.com (transposed)
• G00GLE.com (similar letters)
• Bankofarnerica.com (combined r n -> m)
• wikipediа.org vs wikipedia.org (homograph)
Typo-squatting
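As an added defensive example (not from the original slides), the following Python check reduces a domain found in a link to an ASCII "skeleton" and compares it with a constructed list of protected brand domains, flagging the four look-alike tricks listed above: transposed letters, digit-for-letter substitution, rn standing in for m, and a Cyrillic homograph. The protected list and the confusable table are assumptions for this example, not part of any KnowBe4 product.

```python
import unicodedata

# Constructed list of brand domains to protect (an assumption for this example).
PROTECTED = ["microsoft.com", "google.com", "bankofamerica.com", "wikipedia.org"]

# ASCII look-alikes used in typo-squatting; both sides of every comparison are
# mapped through this table, so equal skeletons mean "visually equivalent".
CONFUSABLES = {"0": "o", "1": "l", "5": "s", "rn": "m", "vv": "w"}


def skeleton(domain):
    """Reduce a domain to a canonical ASCII form for look-alike comparison."""
    d = unicodedata.normalize("NFKD", domain.lower().rstrip("."))
    out = []
    for ch in d:
        if unicodedata.combining(ch):
            continue  # drop accents left over from NFKD ('e' + acute -> 'e')
        if ord(ch) < 128:
            out.append(ch)
            continue
        # Map other scripts by Unicode name: 'CYRILLIC SMALL LETTER A' -> 'a',
        # which is exactly how a homograph domain imitates its Latin target.
        last = unicodedata.name(ch, "").rsplit(" ", 1)[-1].lower()
        out.append(last if len(last) == 1 else "?")
    s = "".join(out)
    for look_alike, real in CONFUSABLES.items():
        s = s.replace(look_alike, real)
    return s

def is_adjacent_swap(a, b):
    """True when a and b differ only by one pair of neighbouring characters swapped."""
    if len(a) != len(b):
        return False
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])

def classify(domain):
    """Return (verdict, matched brand) for a domain taken from a link in an email."""
    raw = domain.lower().rstrip(".")
    if raw in PROTECTED:
        return ("legitimate", raw)
    sk = skeleton(raw)
    for brand in PROTECTED:
        if sk == skeleton(brand):
            kind = "homograph" if any(ord(c) > 127 for c in raw) else "confusable"
            return (kind, brand)
        if is_adjacent_swap(sk, skeleton(brand)):
            return ("transposed", brand)
    return ("unknown", None)
```

Feeding the slide's four examples through `classify` returns transposed, confusable, confusable and homograph respectively, while the genuine `microsoft.com` is reported as legitimate.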
The Effect Of Consistency
KnowBe4 Study (10/2019)
• 20 Million Phishing Security Tests (PSTs)
• 18K organizations
• Segmented by industry type and organization size
Generating Industry-Leading Results and ROI
• Reduced Malware Infections
• Reduced Data Loss
• Reduced Potential Cyber-theft
• Increased User Productivity
• Users Have Security Top of Mind
87% Average Improvement across all industries and sizes from baseline testing to one year or more of ongoing training and testing
Note: The initial Phish-Prone percentage is calculated on the basis of all users evaluated. These users had not received any training with the KnowBe4 platform prior to the evaluation. Subsequent time periods reflect Phish-Prone percentages for the subset of users who received training with the KnowBe4 platform.
Source: 2020 KnowBe4 Phishing by Industry Benchmarking Report
Red Flags
• Enable Editing
• Enable Macros
• DO YOU TRUST THE SOURCE?
• .XLSM file (contains macros)
• Emergency Contacts - ??
• Why macros for a list?
• Organization address book
• Who is it coming from?
• Expected vs unexpected
• Attachments / Links
• Mood / intent
• Too Good to be true?
RECAP - Phishing
• Social Engineering
• Phishing
• Guessing
• Brute Force, Dictionary, weak passwords
• Lookups
• Based on previous data breaches
• 2.2 billion records out there!
• Account Takeover (ATO)
• Recoveries
• Email security questions
Password Attacks
It reduces your risk because it can:
• Store credential information
• Generate strong passwords
• Alert you to compromised accounts
• Keep the passwords unique
• If possible, unique usernames too
• Store the security question responses
• With social media it’s easier to discover the answers
• Consider different / wrong answers
• Free vs Paid Options
Password Vault
• Have I Been Pwned
• https://haveibeenpwned.com
• Alerts you to data breaches
• If it happens, change your password even if it’s got MFA
• Change the password on other accounts that use the same password
• Password Exposure Test
• www.knowbe4.com/resources
Ways to Protect / Check your email
• Separate devices for work & personal use
• Consider using direct Ethernet connection
• Ensure wireless connection is secure (WPA2/WPA3)
• Keep systems and network devices up to date
• Use a VPN for protection & to interact with employer systems/data
• Use a VPN when outside of your home or work network (hotel, coffee shop wifi)
Work from home considerations
CYBERHYGIENE
Check your Links
Backup your data
Use secure WiFi & VPNs
Consider strong & unique passwords
Have a password vault for secure information
Avoid oversharing on social media
People working from home may be stressed and distracted, which makes them more vulnerable than ever to deception and cyberattack.
James R. McQuiggan, CISSP
Security Awareness Advocate
Email: [email protected]
@James_McQuiggan
LinkedIn: /in/jmcquiggan
Thank you for your attention
For more information visit blog.knowbe4.com
Questions?
Resources
• KnowBe4
  • Blog – https://blog.knowbe4.com
  • Social Engineering Red Flags – https://www.knowbe4.com/hubfs/Social-Engineering-Red-Flags.pdf
  • Rogue URLs – https://www.knowbe4.com/hubfs/Red%20Flags%20of%20Rogue%20URLs%20(3).pdf
  • Rogue URL webinar – https://blog.knowbe4.com/combatting-rogue-url-tricks-how-you-can-quickly-identify-and-investigate-the-latest-phishing-attacks
  • Phishing Benchmark Report – https://info.knowbe4.com/phishing-by-industry-benchmarking-report
  • KnowBe4 Homecourse Training (password: homecourse) – https://www.knowbe4.com/homecourse
• Identity Security Resources
  • Have I Been Pwned (email check) – https://haveibeenpwned.com
• Books
  • Transformational Security Awareness – https://www.amazon.com/dp/B07RDM1C2M/ref=cm_sw_r_tw_dp_x_4Kk9EbMRWGASX
  • A Data Driven Computer Defense – https://www.amazon.com/dp/1092500847/ref=cm_sw_r_tw_dp_x_gKk9EbYJTJBRZ
KnowBe4 Security Awareness Training
Baseline Testing
We provide baseline testing to assess the Phish-Prone™ percentage of your users through a free simulated phishing attack.
Train Your Users
The world's largest library of security awareness training content, including interactive modules, videos, games, posters and newsletters. Automated training campaigns with scheduled reminder emails.
Phish Your Users
Best-in-class, fully automated simulated phishing attacks, thousands of templates with unlimited usage, and community phishing templates.
See the Results
Enterprise-strength reporting, showing stats and graphs for both training and phishing, ready for management. Show the great ROI!