Presentation is loading. Please wait.

Presentation is loading. Please wait.

INFO SEC INSTITUTE Fort Gordon Cyber Security & Technology Day www.federalevents.com INFOSEC I N S T I T U T E PhishSim + AwareEd = ? Jonathan Lampe, CISSP.

Published byRose Long Modified over 9 years ago

Similar presentations

Presentation on theme: "INFO SEC INSTITUTE Fort Gordon Cyber Security & Technology Day www.federalevents.com INFOSEC I N S T I T U T E PhishSim + AwareEd = ? Jonathan Lampe, CISSP."— Presentation transcript:

1 INFO SEC INSTITUTE Fort Gordon Cyber Security & Technology Day www.federalevents.com INFOSEC I N S T I T U T E PhishSim + AwareEd = ? Jonathan Lampe, CISSP InfoSec Institute jonathan.lampe@infosecinstitute.com @infosecedu – securityiq.infosecinstitute.com The Future of Phishing Simulation and Security Awareness Education

2 INFOSEC I N S T I T U T E Fort Gordon Cyber Security & Technology Day www.federalevents.com What is Security Awareness Education? »Get everyone up to a specific level of knowledge »CBT (computer based training) Quizzes Games »Participation tracked or tested

3 INFOSEC I N S T I T U T E Fort Gordon Cyber Security & Technology Day www.federalevents.com What is Security Awareness Education? »Typical topics; NIST guidance and others exists NIST SP 800-16 (rev 1 draft 3): 4 levels of training on a continuum “all users” NIST SP 800-50: Understand and comply with agency security policies and procedures Be appropriately trained in the rules of behavior for the systems and applications to which they have access Keep software/ applications updated with security patches Proper password usage Data backup Proper antivirus protection Reporting any suspected incidents or violations of security policy Avoid social engineering attacks Deter the spread of spam or viruses and worms

4 INFOSEC I N S T I T U T E Fort Gordon Cyber Security & Technology Day www.federalevents.com Who is “everyone”? »Military, civilian, contractors (?) »Often defined by regulation »But education can be tailored for different groups

5 INFOSEC I N S T I T U T E Fort Gordon Cyber Security & Technology Day www.federalevents.com What is Phishing Simulation? »Phishing = tricking people to take action after receiving a message Clicking a link in an email or IM Opening attachments Replying to SMS texts with credentials

6 INFOSEC I N S T I T U T E Fort Gordon Cyber Security & Technology Day www.federalevents.com What is Phishing Simulation? »Simulated phishing messages are sent to end users »Messages are typically staggered across a time period “Send 3 in March”

7 INFOSEC I N S T I T U T E Fort Gordon Cyber Security & Technology Day www.federalevents.com What is Phishing Simulation? »If end users click a link, they are given a phishing education »Managers or IS may follow up with users who get phished Consequences?

8 INFOSEC I N S T I T U T E Fort Gordon Cyber Security & Technology Day www.federalevents.com What is Phishing Simulation? »Automated messages and training may also follow

9 INFOSEC I N S T I T U T E Fort Gordon Cyber Security & Technology Day www.federalevents.com What is Phishing Simulation? »Users can ignore the simulations or report them »Managers and IS can also follow up with the good users Rewards?

10 INFOSEC I N S T I T U T E Fort Gordon Cyber Security & Technology Day www.federalevents.com Why both? »Humans are still the weakest link Top three concerns are best addressed with TRAINING! Especially security awareness and phishing simulation!

11 INFOSEC I N S T I T U T E Fort Gordon Cyber Security & Technology Day www.federalevents.com If both are needed, where did “Phishing Simulation” specialist companies come from? »“Return on Investment” (ROI) ROI = Return (Value of Risk Reduction) / Investment (Cost of Campaign) ROI = (Return – Investment) / Investment

12 INFOSEC I N S T I T U T E Fort Gordon Cyber Security & Technology Day www.federalevents.com If both are needed, where did “Phishing Simulation” specialist companies come from? »“Return on Investment” (ROI) 30% change = 50% improvement (30/60) $338,000 annual loss due to phishing https://securityledger.com/2015/08/the-cost-of-phishing-more-than-you-think/ = $168,000 annual savings due to campaign (this is the “return”)

13 INFOSEC I N S T I T U T E Fort Gordon Cyber Security & Technology Day www.federalevents.com If both are needed, where did “Phishing Simulation” specialist companies come from? »“Return on Investment” (ROI) $50K cost for service (this is the “investment”) $168K annual savings due to campaign (this is the “return”) …equals 236% Return on Investment!

14 INFOSEC I N S T I T U T E Fort Gordon Cyber Security & Technology Day www.federalevents.com The Situation Three Years Ago »One budget, two providers Security Awareness CBT “We will train your users on general concepts. Then you can see you took what training they took and their scores on the tests.” Security Awareness CBT “We will train your users on general concepts. Then you can see you took what training they took and their scores on the tests.” Phishing Simulator “We will teach your users to stop falling for phishing messages. You can use our reports to prove it’s working (and show a positive ROI).” Phishing Simulator “We will teach your users to stop falling for phishing messages. You can use our reports to prove it’s working (and show a positive ROI).” Budget

15 INFOSEC I N S T I T U T E Fort Gordon Cyber Security & Technology Day www.federalevents.com The Situation Three Years Ago »Separate CBT and phishing simulator vendors SANS Institute ThreatSim PhishMe PhishLine InfoSec Institute Security Mentor (others)

16 INFOSEC I N S T I T U T E Fort Gordon Cyber Security & Technology Day www.federalevents.com The Situation Three Years Ago »Gartner publishes a guide that merges all vendors together »Specifies: Interactive CBT “Direct behavioral conditioning” (“anti-phishing”)

17 INFOSEC I N S T I T U T E Fort Gordon Cyber Security & Technology Day www.federalevents.com Security “Education” »Set of activities and objectives that: Elevate security competence Motivates employees to make security decisions for themselves »Includes “awareness” and “conditioning” CBT Phishing Gartner Magic Quadrant for Security Awareness Computer- Based Training (CBT) Vendors (October 2014)

18 INFOSEC I N S T I T U T E Fort Gordon Cyber Security & Technology Day www.federalevents.com Characteristics of CBT »Interactive Builds competence and knowledge retention »SCORM or via local or cloud-based LMS »Assessments of participation and completion »Customization of content Gartner Magic Quadrant for Security Awareness Computer- Based Training (CBT) Vendors (October 2014)

19 INFOSEC I N S T I T U T E Fort Gordon Cyber Security & Technology Day www.federalevents.com Characteristics of Anti-Phishing »Improve trainee resistance »Demonstrate reductions in successful attacks »Realistic Library of phishing templates based on actual phishing messages captured by clients Gartner Magic Quadrant for Security Awareness Computer- Based Training (CBT) Vendors (October 2014)

20 INFOSEC I N S T I T U T E Fort Gordon Cyber Security & Technology Day www.federalevents.com Developing Realistic Phishing »The “Phish.io” Experiment Free crowdsourcing cloud-based service Allowed anyone to try to phish up to 10 people -Google address book integration Rewards of more attempts and recognition

21 INFOSEC I N S T I T U T E Fort Gordon Cyber Security & Technology Day www.federalevents.com Developing Realistic Phishing »Phish.io allowed “Build Your Own Templates” Crowdsourced! -Management approval Tracked and displayed template effectiveness to all users

22 INFOSEC I N S T I T U T E Fort Gordon Cyber Security & Technology Day www.federalevents.com Developing Realistic Phishing »Phish.io Statistics Tracked open rate and phish rate across multiple templates Increased phish rate from 15% to 40%

23 INFOSEC I N S T I T U T E Fort Gordon Cyber Security & Technology Day www.federalevents.com Developing Realistic Phishing »Phish.io Surprise Almost all targets fled before the landing page loaded! -Training was NOT delivered Two innovations: -Simplified landing page -Email follow-ups

24 INFOSEC I N S T I T U T E Fort Gordon Cyber Security & Technology Day www.federalevents.com The Situation Now »Vendors provide both CBT and phishing simulation Partnerships have evolved into acquisitions New integrated offerings are emerging ThreatSim Wombat Security Tech PhishSim AwareEd Security Education Platform

25 INFOSEC I N S T I T U T E Fort Gordon Cyber Security & Technology Day www.federalevents.com The Situation Now »CBT libraries have to be redeveloped Video vs. Interactive Exercises New Threats: Mobile, Social Engineering New Video Expectations: -Tablet viewing, resizable -No more Flash players (iOS, security issues, etc.) -HD Quality

26 INFOSEC I N S T I T U T E Fort Gordon Cyber Security & Technology Day www.federalevents.com With Convergence Comes Expectations »Single interface to manage learners and reports Both Security Awareness and Phishing »“My after-phished education should be interactive” “And visible on my iPod. And in HD. Or small if I’m using a phone.” »“I should be able to customize everything” CBT branding, custom phishing messages, notifications, “landing page” learning experiences

27 INFOSEC I N S T I T U T E Fort Gordon Cyber Security & Technology Day www.federalevents.com Example: Interactive Training

28 INFOSEC I N S T I T U T E Fort Gordon Cyber Security & Technology Day www.federalevents.com Example: Customization

29 INFOSEC I N S T I T U T E Fort Gordon Cyber Security & Technology Day www.federalevents.com Example: Customization

30 INFOSEC I N S T I T U T E Fort Gordon Cyber Security & Technology Day www.federalevents.com Education “Campaigns” »A “Campaign” provides some education to some group E.g., “Cybersecurity basics for employees in purchasing” E.g., “Refresher course for all existing personnel” »Specific time-based activities (e.g., “campaign runs”) provide specific education to specific people E.g., “Malware, Intro to Phishing and Password Security to the 137 people in the X, Y and Z departments during Q1 2017.” »Integrated solutions provide configuration and reports on BOTH Also allow content and group membership to evolve over time Also allow synchronization of educational experiences (CBT and phishing)

31 INFOSEC I N S T I T U T E Fort Gordon Cyber Security & Technology Day www.federalevents.com Example: Campaigns

32 INFOSEC I N S T I T U T E Fort Gordon Cyber Security & Technology Day www.federalevents.com Future Security Education Governance »#1: “Am I in compliance?” »#2: “Was this a good use of our money?”

33 INFOSEC I N S T I T U T E Fort Gordon Cyber Security & Technology Day www.federalevents.com #1: Proving Compliance »Learners who took (often passed) interactive CBT »Learners who avoid phishing messages 78% Compliant 62% Compliant

34 INFOSEC I N S T I T U T E Fort Gordon Cyber Security & Technology Day www.federalevents.com #2: Proving Good Use of Money »Quantify cost of incidents due to phishing and untrained workforce »Apply to improvements and cost of solution $294K expected phishing loss + $224K expected untrained loss = $518K expected loss $160K expected phishing loss + $100K expected untrained loss = $260K expected loss $518K - $260K = $258K return vs. $75K investment …yields an ROI of 244%!

35 INFOSEC I N S T I T U T E Fort Gordon Cyber Security & Technology Day www.federalevents.com Takeaways »Phishing Simulation and Security Awareness CBT capabilities are now provided by one-stop “Security Education” vendors »Look for signs of successful integration to avoid wasting time and effort managing multiple solutions: Single interface to manage learners, reports and campaigns Phishing training is consistent throughout »Begin to look for governance reporting: Who’s in compliance? Am I getting decent bang for my buck?

Download ppt "INFO SEC INSTITUTE Fort Gordon Cyber Security & Technology Day www.federalevents.com INFOSEC I N S T I T U T E PhishSim + AwareEd = ? Jonathan Lampe, CISSP."

Similar presentations

Nishidh, CISSP. To comply with Sarbanes oxley and other legislations To comply with industry standards and business partner requirements To protect.

Nishidh, CISSP. To comply with Sarbanes oxley and other legislations To comply with industry standards and business partner requirements To protect.
Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.
How to protect yourself, your computer, and others on the internet

How to protect yourself, your computer, and others on the internet
BENEFITS OF SUCCESSFUL IT MODERNIZATION

BENEFITS OF SUCCESSFUL IT MODERNIZATION
The Most Critical Risk Control: Human Behavior Lynn Goodendorf Director, Information Security Atlanta ISACA Chapter Meeting June 20, 2014.

The Most Critical Risk Control: Human Behavior Lynn Goodendorf Director, Information Security Atlanta ISACA Chapter Meeting June 20, 2014.
DHS SECURITY INCIDENT REPORTING AND RESPONSE SECURITY INCIDENT REPORTING AND RESPONSE DHS managers, employees, and other authorized information users.

DHS SECURITY INCIDENT REPORTING AND RESPONSE SECURITY INCIDENT REPORTING AND RESPONSE DHS managers, employees, and other authorized information users.
Security Controls – What Works

Security Controls – What Works
Slide 1 Google Apps EDUCAUSE Live Jeff Keltner Business Development Manager June 19, 2007 Client Logo.

Slide 1 Google Apps EDUCAUSE Live Jeff Keltner Business Development Manager June 19, 2007 Client Logo.
Welcome to New Hire Orientation Information Security

Welcome to New Hire Orientation Information Security
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Small Business Security By Donatas Sumyla. Content Introduction Tools Symantec Corp. Company Overview Symantec.com Microsoft Company Overview Small Business.

Small Business Security By Donatas Sumyla. Content Introduction Tools Symantec Corp. Company Overview Symantec.com Microsoft Company Overview Small Business.
3.06 Understand the use of direct marketing to attract attention and to build brand.

3.06 Understand the use of direct marketing to attract attention and to build brand.
A – Promotion E-Mail Marketing PE: Understand the use of direct marketing to attract attention and to build brand. PI: Explain the nature of e-mail marketing.

A – Promotion Marketing PE: Understand the use of direct marketing to attract attention and to build brand. PI: Explain the nature of marketing.
A Guide to Getting Started

A Guide to Getting Started
3.06 Understand the use of direct marketing to attract attention and to build brand.

3.06 Understand the use of direct marketing to attract attention and to build brand.
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
First Community Bank www.fcbnm.com Prevx Safe Online Rollout & Best Practice Presentation.

First Community Bank Prevx Safe Online Rollout & Best Practice Presentation.
A First Course in Information Security

A First Course in Information Security
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.
Design of a cyber security awareness campaign for Internet Cafés users in rural areas WA Labuschagne, MM Eloff, N Veerasamy, L Leenen, M Mujinga CSIR /

Design of a cyber security awareness campaign for Internet Cafés users in rural areas WA Labuschagne, MM Eloff, N Veerasamy, L Leenen, M Mujinga CSIR /

Similar presentations

Ads by Google