INFOSEC INSTITUTE
Fort Gordon Cyber Security & Technology Day
www.federalevents.com

PhishSim + AwareEd = ?
The Future of Phishing Simulation and Security Awareness Education
Jonathan Lampe, CISSP, InfoSec Institute
jonathan.lampe@infosecinstitute.com
@infosecedu – securityiq.infosecinstitute.com
What is Security Awareness Education?
» Get everyone up to a specific level of knowledge
» CBT (computer based training)
  - Quizzes
  - Games
» Participation tracked or tested
What is Security Awareness Education?
» Typical topics; NIST guidance and others exist
  - NIST SP 800-16 (rev 1 draft 3): 4 levels of training on a continuum, “all users”
  - NIST SP 800-50:
    - Understand and comply with agency security policies and procedures
    - Be appropriately trained in the rules of behavior for the systems and applications to which they have access
    - Keep software/applications updated with security patches
    - Proper password usage
    - Data backup
    - Proper antivirus protection
    - Reporting any suspected incidents or violations of security policy
    - Avoid social engineering attacks
    - Deter the spread of spam or viruses and worms
Who is “everyone”?
» Military, civilian, contractors (?)
» Often defined by regulation
» But education can be tailored for different groups
What is Phishing Simulation?
» Phishing = tricking people into taking action after receiving a message
  - Clicking a link in an email or IM
  - Opening attachments
  - Replying to SMS texts with credentials
What is Phishing Simulation?
» Simulated phishing messages are sent to end users
» Messages are typically staggered across a time period (“Send 3 in March”)
What is Phishing Simulation?
» If end users click a link, they are given phishing education
» Managers or IS may follow up with users who get phished (Consequences?)
What is Phishing Simulation?
» Automated messages and training may also follow
What is Phishing Simulation?
» Users can ignore the simulations or report them
» Managers and IS can also follow up with the good users (Rewards?)
Why both?
» Humans are still the weakest link
  - Top three concerns are best addressed with TRAINING!
  - Especially security awareness and phishing simulation!
If both are needed, where did “Phishing Simulation” specialist companies come from?
» “Return on Investment” (ROI)
  - ROI = Return (Value of Risk Reduction) / Investment (Cost of Campaign)
  - ROI = (Return – Investment) / Investment
If both are needed, where did “Phishing Simulation” specialist companies come from?
» “Return on Investment” (ROI)
  - 30% change = 50% improvement (30/60)
  - $338,000 annual loss due to phishing (https://securityledger.com/2015/08/the-cost-of-phishing-more-than-you-think/)
  - = $168,000 annual savings due to campaign (this is the “return”)
If both are needed, where did “Phishing Simulation” specialist companies come from?
» “Return on Investment” (ROI)
  - $50K cost for service (this is the “investment”)
  - $168K annual savings due to campaign (this is the “return”)
  - …equals 236% Return on Investment!
The Situation Three Years Ago
» One budget, two providers
  - Security Awareness CBT: “We will train your users on general concepts. Then you can see what training they took and their scores on the tests.”
  - Phishing Simulator: “We will teach your users to stop falling for phishing messages. You can use our reports to prove it’s working (and show a positive ROI).”
The Situation Three Years Ago
» Separate CBT and phishing simulator vendors
  - SANS Institute
  - ThreatSim
  - PhishMe
  - PhishLine
  - InfoSec Institute
  - Security Mentor
  - (others)
The Situation Three Years Ago
» Gartner publishes a guide that merges all vendors together
» Specifies:
  - Interactive CBT
  - “Direct behavioral conditioning” (“anti-phishing”)
Security “Education”
» Set of activities and objectives that:
  - Elevate security competence
  - Motivate employees to make security decisions for themselves
» Includes “awareness” (CBT) and “conditioning” (phishing)
Source: Gartner Magic Quadrant for Security Awareness Computer-Based Training (CBT) Vendors (October 2014)
Characteristics of CBT
» Interactive
  - Builds competence and knowledge retention
» SCORM or via local or cloud-based LMS
» Assessments of participation and completion
» Customization of content
Source: Gartner Magic Quadrant for Security Awareness Computer-Based Training (CBT) Vendors (October 2014)
Characteristics of Anti-Phishing
» Improve trainee resistance
» Demonstrate reductions in successful attacks
» Realistic
  - Library of phishing templates based on actual phishing messages captured by clients
Source: Gartner Magic Quadrant for Security Awareness Computer-Based Training (CBT) Vendors (October 2014)
Developing Realistic Phishing
» The “Phish.io” Experiment
  - Free crowdsourcing cloud-based service
  - Allowed anyone to try to phish up to 10 people
    - Google address book integration
  - Rewards of more attempts and recognition
Developing Realistic Phishing
» Phish.io allowed “Build Your Own Templates”
  - Crowdsourced!
    - Management approval
  - Tracked and displayed template effectiveness to all users
Developing Realistic Phishing
» Phish.io Statistics
  - Tracked open rate and phish rate across multiple templates
  - Increased phish rate from 15% to 40%
Developing Realistic Phishing
» Phish.io Surprise
  - Almost all targets fled before the landing page loaded!
    - Training was NOT delivered
  - Two innovations:
    - Simplified landing page
    - Email follow-ups
The Situation Now
» Vendors provide both CBT and phishing simulation
  - Partnerships have evolved into acquisitions
  - New integrated offerings are emerging
  - (Diagram labels: ThreatSim, Wombat Security Tech; PhishSim, AwareEd, Security Education Platform)
The Situation Now
» CBT libraries have to be redeveloped
  - Video vs. Interactive Exercises
  - New Threats: Mobile, Social Engineering
  - New Video Expectations:
    - Tablet viewing, resizable
    - No more Flash players (iOS, security issues, etc.)
    - HD Quality
With Convergence Comes Expectations
» Single interface to manage learners and reports
  - Both Security Awareness and Phishing
» “My after-phished education should be interactive”
  - “And visible on my iPod. And in HD. Or small if I’m using a phone.”
» “I should be able to customize everything”
  - CBT branding, custom phishing messages, notifications, “landing page” learning experiences
Example: Interactive Training

Example: Customization (two slides)
INFOSEC I N S T I T U T E Fort Gordon Cyber Security & Technology Day www.federalevents.com Education “Campaigns” »A “Campaign” provides some education to some group E.g., “Cybersecurity basics for employees in purchasing” E.g., “Refresher course for all existing personnel” »Specific time-based activities (e.g., “campaign runs”) provide specific education to specific people E.g., “Malware, Intro to Phishing and Password Security to the 137 people in the X, Y and Z departments during Q1 2017.” »Integrated solutions provide configuration and reports on BOTH Also allow content and group membership to evolve over time Also allow synchronization of educational experiences (CBT and phishing)
Example: Campaigns
Future Security Education Governance
» #1: “Am I in compliance?”
» #2: “Was this a good use of our money?”
#1: Proving Compliance
» Learners who took (often passed) interactive CBT
» Learners who avoid phishing messages
(Chart labels: 78% Compliant, 62% Compliant)
#2: Proving Good Use of Money
» Quantify cost of incidents due to phishing and untrained workforce
» Apply to improvements and cost of solution
  - Before: $294K expected phishing loss + $224K expected untrained loss = $518K expected loss
  - After: $160K expected phishing loss + $100K expected untrained loss = $260K expected loss
  - $518K - $260K = $258K return vs. $75K investment
  - …yields an ROI of 244%!
Takeaways
» Phishing Simulation and Security Awareness CBT capabilities are now provided by one-stop “Security Education” vendors
» Look for signs of successful integration to avoid wasting time and effort managing multiple solutions:
  - Single interface to manage learners, reports and campaigns
  - Phishing training is consistent throughout
» Begin to look for governance reporting:
  - Who’s in compliance?
  - Am I getting decent bang for my buck?