SIMULATED ATTACKS. Evaluate Susceptibility Using PhishGuru, SmishGuru, and USBGuru MEASURE ASSESS

Transcription

1 SIMULATED ATTACKS Evaluate Susceptibility Using PhishGuru, SmishGuru, and USBGuru Technical safeguards like firewalls, antivirus software, and filters are critical for defending your infrastructure, but they cannot prevent one pervasive threat: user error. The simple truth is that successful social engineering attacks like those perpetrated through phishing s, malicious text messages, and infected USB drives hit their targets because users make poor decisions. Organizations that are strictly reactive only learn about their vulnerabilities during the aftermath of successful attacks. When you engage with Wombat, you gain the ability to be proactive. Our PhishGuru, SmishGuru, and USBGuru simulated attacks allow you to assess your levels and areas of susceptibility and begin to mitigate threats in a safe, controlled manner. Though our assessments can be used as standalone tools, we advise our customers to regard simulated attacks and training as two important but separate steps to effective security education. Our unique Continuous Training Methodology combines assessments with training, reinforcement, and data measurement to change employee behaviors and reduce risks to your organization. Customers who have used this approach have experienced up to a 90% reduction in successful phishing and malware attacks. ASSESS EDUCATE REINFORCE MEASURE

2 What Can You Do With Our Simulated Attacks? Get a sense of how your employees would respond to phishing and spear phishing s, malicious SMS/ text messages, and infected/unauthorized portable storage devices without exposing your network to an actual attack. Establish a baseline understanding of how vulnerable your organization could be to persistent and pervasive social engineering threats. Prime your employees for follow-up education. Our interactive training modules will help your staff recognize cyber security threats and react appropriately to keep data and systems safe. Analyze data gathered during assessments and education, and use that information to plan your future security awareness and training efforts. PhishGuru: Our Flagship Assessment Tool Is More Effective Than Ever Every day, new phishing s reach employee inboxes, and security offers play the waiting game: When will someone click and reply? When will someone download an infected attachment? When will someone enter credentials and give criminals access to our network and intellectual property? A software-as-a-service product, PhishGuru helps you get a step ahead of the hackers, allowing you to practice offense and defense. You ll help your employees recognize potentially dangerous behaviors, and they can put that knowledge to work to protect data and systems. As users learn to identify phishing s, our PhishAlarm alert tool allows them to participate in prevention efforts. Using this client add-on, users can report a suspected phishing with the click of a button. Employees who report a suspicious message are immediately rewarded with a thank you pop-up message or an that encourages this behavior in the future. PhishAlarm helps users draw on their knowledge and alert your security and incident response teams to suspected phishing s, which can help stop an attack in its tracks. What Can PhishGuru Do For You? Reveals vulnerabilities Our mock attacks help you evaluate your organization s susceptibility to general phishing s and sophisticated spear phishing messages. Simulates key attack scenarios Our customizable templates test three dangers commonly associated with phishing attacks: attachments, embedded links, and requests for personal data. Allows testing of multiple messages Topics in our library of PhishGuru templates include financial themes, social networking, seasonal messaging, IT prompts, and representations of recent attacks seen in the wild. You can also craft your own messages, which is helpful in assessing known issues. Supports randomized distribution Our Random Scheduling option spreads out and randomizes the distribution of s. This minimizes the impact on your servers and IT helpdesk during the assessment period. It also helps preserve the integrity of your reporting data by reducing the likelihood that employees will figure out and discuss the mock attacks. Provides just-in-time teaching Each employee who falls for a mock attack receives an explanation and brief, practical tips via our customizable Teachable Moments (see graphic). Links training to assessments With our exclusive Auto- Enrollment feature, you can automatically assign targeted training to any employee who falls for a mock attack. This administrative tool is about more than convenience; our studies have shown that when training is automatically linked, employees complete assignments sooner than those who receive manually scheduled assignments. Supports multiple languages Our PhishGuru templates and messages are available in 12 languages (and counting), which allows you to assess employees around the globe in their native languages. Tracks results and progress Our reports provide extensive analytics and data about employee responses to various attack scenarios. You ll also know whether employees fell for an attack through a mobile phone, a tablet, or a computer; the browsers they were using; and their locations when they fell for the attack.

3 The PhishGuru Assessment and Education Cycle SEND PHISHING ATTACK TEACHABLE MOMENT DELIVERED AUTO-ENROLLMENT REPEAT REPORTING IN-DEPTH TRAINING MODULES REPORTS SHOW RESULTS AND HELP YOU TAILOR ADDITIONAL EFFORTS

4 SmishGuru: Gauge Vulnerability on Mobile Phones Mobile devices allow on-the-go access to networks and communications and social engineering scams. Mobile threats are continuing to become more prevalent, and with business data and systems on the move, it s increasingly important to be able to rely on your employees to handle their devices appropriately. Our industry-leading SmishGuru simulated attack program allows you to send mock smishing messages to assess your organization s susceptibility to actual malicious SMS/text messages. It is a natural add-on to PhishGuru assessments and an ideal precursor to our interactive training modules that focus on mobile device and mobile app safety. What Can SmishGuru Do For You? Mitigates the risks your organization faces from careless responses to text messages. Provides multiple customizable text messages that are sent directly to your employees mobile phones. Delivers customizable Teachable Moments (see opposite page) that alert employees to what happened when they fall for a mock attack. They get your staff thinking about best practices and how to respond to future threats. USBGuru: Evaluate Use of Infected Devices Our USBGuru simulated attack tool allows you to test employees on a pervasive and dangerous threat vector: infected removable memory devices. Hackers have been known to plant infected devices and drives in common areas; even new USB drives have been manufactured to carry dangerous malware. Simply plugging in these devices can pose a threat, and seemingly innocent files can carry a payload that can cripple an entire network. USBGuru puts you in the scammers shoes without putting your organization at risk. Using our cloud-based interface, you can easily create a custom executable file that is embedded with a brief Teachable Moment. The file is then loaded onto USB devices that can be randomly placed throughout your organization just waiting to be plugged in. What Can USBGuru Do For You? Allows you to track the unique USB devices that are accessed during an assessment period. Gives you insights into which users accessed a planted device and how many times the device was used. Delivers practical tips via customizable Teachable Moments (see opposite page) when your employees interact with a planted USB device.

5 Assessments and Teachable Moments: An Effective Pairing At Wombat, we understand the impact mock attacks can have on your employees and we know that impact can trend in a positive or negative direction, depending on how the messages are delivered and how employees feel in the critical moments following the attacks. Our approach which pairs simulated attacks with just-in-time teaching via our customizable Teachable Moments sets the stage for our interactive training modules because it motivates and engages your employees. Our data has shown that employees who fall for a mock attack are up to 90% more likely to complete follow-up training. Our Teachable Moments deliver simple, constructive advice to employees who fall for a mock attack. In less than a minute, each Teachable Moment explains what happened, alerts employees to what they did wrong, and offers helpful, actionable tips about how to avoid future threats. You can choose from multiple messaging styles, and each message can be customized to identify alternate tips or communicate company policies and procedures. We offer up to four design options for each simulated attack: 1 2 Landing page This design mimics the look of a webbased landing page. You can select from multiple variations, including engaging animated options. This type of Teachable Moment is available for use with PhishGuru, SmishGuru, and USBGuru simulated attacks. Multi-panel illustration This style uses four illustrated panels, and users will see the mock attack message they clicked on prior to receiving the Teachable Moment. This design is available for use with PhishGuru and SmishGuru simulated attacks. Support for USBGuru is planned for a future release. 3 4 Create your own page with internal messaging Comic strip The comic strip design is tailored to represent the attack vector, and you can choose from scenarios that feature either male or female characters. This design is available for use with PhishGuru simulated attacks. Support for USBGuru is planned for a future release. Redirect to your message If you prefer not to use one of our designs, you can choose to route your employees to your own internal messaging. This option is supported on all our simulated attacks.

6 Why Wombat? Our award-winning Security Education Platform provides everything you need to deliver a complete, effective security awareness and training program. Research conducted by the Aberdeen Group has shown that our Continuous Training Methodology can help change behaviors of your end users and reduce risk and business impact by up to 60%. Our approach to security education is based on our Learning Science Principles, which facilitate longer knowledge retention and help create lasting behavior change. Comprehensive support services before, during, and after your program launch are included at no extra cost. Our methodology delivers a cohesive, consistent educational experience. Our training library includes 17 interactive modules in 13 languages and it s still growing. About Wombat and Our Continuous Training Methodology Wombat Security Technologies was born from research at the world-renowned Carnegie Mellon University where our co-founders are faculty members at the CMU School of Computer Science. In 2008, they led the largest national research project on combating phishing attacks with a goal to address the human element of cyber security and develop novel, more effective anti-phishing solutions. ASSESS EDUCATE These technologies and research provided the foundation for our product solutions as well as our Continuous Training Methodology. The methodology, comprised of a continuous cycle of assessment, education, reinforcement, and measurement, has been shown to deliver up to a 90% reduction in successful phishing attacks and malware infections. REINFORCE MEASURE Anti-Phishing Training Suite: Our Methodology in Action Reduce susceptibility and change behavior with our Anti-Phishing Training Suite, which combines PhishGuru assessments with five interactive training modules that are 10 to 15 minutes long: Security, Anti-Phishing Phyllis, Anti-Phishing Phil, URL Training, and Social Engineering. By pairing assessments and training, you can significantly increase the effectiveness of your security awareness and training program. Our interactive modules will help your users recognize the different facets of phishing attacks, identify malicious URLs, and spot (and avoid) common social engineering scams. Contact Us: wombatsecurity.com 00515SAB info@wombatsecurity.com Wombat Security Technologies, Inc. All rights reserved.