Best Practices for Avoiding Getting Speared Like a Phish

Size: px

Start display at page:

Download "Best Practices for Avoiding Getting Speared Like a Phish"

Randolph Erik Barrett
7 years ago
Views:

1 Best Practices for Avoiding Getting Speared Like a Phish Thoughts from in-house 2016 MRIS Erik M Feig General Counsel MRIS ACC NCR Small Law Department Initiative May, 2016 Erik.feig@mris.net

2 PANELISTS Erik Feig General Counsel MRIS Michael Dombrowski Cybersecurity Leader BDO Randy V. Sabett, J.D., CISSP Vice Chair, Privacy & Data Protection Practice Group Cooley LLP 2

3 PHISHING OVERVIEW 3

4 BUILD & MAINTAIN CYBERSECURITY Threats State sponsored PHISHING OVERVIEW: THREATS Organized crime Malware Phishing Insiders Targeted hacking Vulnerability 4

5 TYPES OF PHISHING 1. PHISHING 2. SPEAR PHISHING PHISHING OVERVIEW 3. CLONE PHISHING 4. WHALE PHISHING 5

6 SPEAR PHISHING is a targeted to an individual and looks like it comes from an individual or business that you know. Common target types: PHISHING OVERVIEW Victim Segmentation Personalization Sender Impersonation Zero-day vulnerabilities 6

7 SPEAR PHISHING GOALS Acquire PII Acquire Account Information PHISHING OVERVIEW Steal Money Install Malware 7

8 SPEAR PHISHING DESIGN Mining social networks (facebook, linkedin, etc..) PHISHING OVERVIEW Blogs Company website Malware 8

9 ANATOMY OF AN ATTACK PHISHING OVERVIEW 9

GONE PHISHIN PHISHING OVERVIEW In 2015, spear-phishing campaigns increased 55% 91% of cyber-attacks start with an e-mail of spear phishing origin 94% of targeted e-mails are trying to scam the

10 GONE PHISHIN PHISHING OVERVIEW In 2015, spear-phishing campaigns increased 55% 91% of cyber-attacks start with an of spear phishing origin 94% of targeted s are trying to scam the potential victims through malicious attachments while only 6% use links to trick them 2 out of every 1000 targets fall for spear phishing attacks 70% of spear phishing s get opened compared to 3% for normal phishing attacks 10

11 HOW TO PROTECT AND DETECT 11

12 HOW TO PROTECT & DETECT TRAINING & AWARENESS PHISHING FILTERS FOR BROWSERS PROTECT & DETECT CHECK LINKS BEFORE CLICKING VALIDATE WITH KNOWN SENDER VIA SEPARATE MONITORING SOLUTIONS 12

13 HOW TO DETECT VALIDATE BEFORE CLICKING / HOVER OVER THE LINK 13

14 VALIDATE PRIOR TO WIRING Spear phishing Tessa, HOW TO DETECT I need you to facilitate a wire transfer for a payment, let me know if you're available and i will forward the details for the payment. I'll wait for your . Thanks Mason 14

15 SAMPLE SOCIAL ENGINEERING REVIEW Work with Company to select and design a social engineering campaign Configure solution and build content (e.g., Company IT support site spoofing) PROTECT AND DETECT Perform campaign and track results Validate the information obtained via the Social Engineering campaign 15

16 Social Engineering Phishing Credentials Access 16

17 LEGAL HAS A role at each stage Preparing Responding Assessing Learning Improving 17

18 Enterprise Attention Costs and Insurance Understand the Threats and Tools Assess the Risks Privilege Communication Active Stakeholder Involvement is Key Asses the Potential Benefits Engage Staff, Management, and BOD Education and Training Policies and Procedures Assemble the Team Think Broadly! 18

19 Time To Compromise and Exfiltration 98.6% Verizon, 2016 Data Breach Investigation Report 19

20 Time to Compromise Vs. Time to Discovery Verizon, 2016 Data Breach Investigation Report 20

21 Complete set of timespans 2012 [82%] 85% [98.6%] 21

22 Recommendations What should the management team, board of directors, and security function be focused on when deploying a security program? 1. Create Governance Structure 2. Research Threats 3. Prioritize Information Assets 4. Perform a Risk Analysis 5. Create a Security Protection Plan Tied to a Technology Acquisition Strategy 6. Engage Third Parties Appropriately (legal, technical, procedural) 7. Request Regular Updates and Adjust Accordingly 8. Test the Response Plan 9. Maintain Appropriate Insurance Coverage 10. Provide Regular Cybersecurity Training for Employees, Vendors, and Other Third Parties 11. Stay informed learn, learn, learn (including RAND report from 1964) 22

23 Paul Baran On Distributed Communications RAND Corporation, 1964 [t]he present Memorandum is a consideration of the security aspects of a system of the type proposed, in which secrecy is of paramount importance [and where] we should fully anticipate the existence of "spies" within our ostensibly secure communications secrecy protection structure; hence our primary interest should be in raising the "price" of espied information to a level which becomes excessive. 23

24 Wrap Up Thoughts and Questions? 24

25 Thank You Erik Feig Randy V. Sabett, J.D., CISSP Michael Dombrowski

Conducting an Email Phishing Campaign

Conducting an Email Phishing Campaign WMISACA/Lansing IIA Joint Seminar May 26, 2016 William J. Papanikolas, CISA, CFSA Sparrow Health System Estimated cost of cybercrime to the world economy in 2015 was