No Phishing Beyond This Point

Transcript

1. No Phishing Beyond This Point HERE PHISHY PHISHY… Presented by

   Grant Boudreau

2. About Me • Information Technology System Specialist for Nova Scotia’s

   public education sector • 2009 Cape Breton University graduate - Bachelor of Technology Information in Network Management • OSCP, OSWP, Security+, OCSA, MCTS, Network+, Server+, A+ • Co-Host of the East Coast InfoSec Podcast (along with co-host Darryl MacLeod – AtlSecCon Board Member)

3. OffSec Rockstar? Not really…

4. The Five Stages of Data Loss Grief R.I.P. 1TB DRIVE

   (2012-2016) ALSO, SORRY FOR POTATO QUALITY PICS…

5. Stage One: Denial Source: Robot Chicken, Adult Swim

6. Stage Two: Anger Source: Robot Chicken, Adult Swim

7. Stage Three: Bargaining Source: Robot Chicken, Adult Swim

8. Stage Four: Depression Source: Robot Chicken, Adult Swim

9. Stage Five: Acceptance Source: Robot Chicken, Adult Swim

10. Phishing COME SAIL AWAY…

11. Phishing DEFINITION • A scam by which an e-mail user

    is duped into revealing personal or confidential information which the scammer can use illicitly source: https://www.merriam-webster.com/dictionary/phishing

12. Phishing DEFINITION • A scam by which an e-mail user

    is duped into revealing personal or confidential information which the scammer can use illicitly source: https://www.merriam-webster.com/dictionary/phishing • A scam by which an e-mail, SMS, or phone user is duped into revealing personal or confidential information which the scammer can use illicitly

13. Phishing Stats “…HOW ARE THEY ARMED?… IT IS OFTEN WITH

    PHISHING…” -2016 VERIZON DBRI REPORT

14. Phishing Stats Source: 2016 Verizon DBRI Report

15. Phishing Stats Source: 2016 Verizon DBRI Report

16. Phishing Stats Source: 2016 Verizon DBRI Report

17. Phishing Stats WHAT DOES THIS ALL MEAN? • “What we

    have here is a failure to communicate. Apparently, the communication between the criminal and the victim is much more effective than the communication between employees and security staff.” – 2016 Verizon DBRI Report

18. How to Fight Phishing PUT ‘EM UP

19. How to Fight Phishing • Define Security Priorities • Phishing

    Awareness Training • Hardware (Firewalls, Mail Gateways, etc.) • Software (AntiVirus, AntiMalware, etc.)

20. Security Priorities LET’S MAKE A LIST… AND BY MAKE, I

    MEAN GOOGLE IT…

21. Security Priorities (From Google’s Security Blog) SECURITY NON-EXPERTS 1) Use

    Antivirus 2) Use Strong Passwords 3) Change Passwords Frequently 4) Only Visit Websites They Know 5) Don’t Share Personal Information SECURITY EXPERTS 1) Install Software Updates 2) Use Unique Passwords 3) Use Two-Factor Authentication 4) Use Strong Passwords 5) Use a Password Manager https://security.googleblog.com/2015/07/new-research-comparing-how-security.html

22. Phishing Awareness Training EFFECTIVE OR NOT?

23. Phishing Awareness Training • Train staff on what to look

    for in emails • Do not open email attachments from unknown senders • Look for grammar and spelling errors • Check link destinations • Aggressive email content …but does it really work?

24. Phishing Awareness Training • End users need to buy into

    it • Spear phishing is much harder to detect, if done correctly DOES IT WORK?

25. Phishing Awareness Training • Make workplace pamphlets and posters for

    reminders ALTERNATIVE?

26. Hardware NEXT-GEN GOODNESS

27. Hardware • Next-Generation Firewalls • Block unrated sites • Block

    known malicious sites • Etc. • Mail Gateways • Scan emails for malicious attachments • Block known malicious domains • Etc. …but do they really work?

28. Hardware • Rules and filters can be easily bypassed •

    Known good sites can send malicious content via ads DO THEY WORK?

29. Hardware NOT AN ALTERNATIVE, BUT AN ADDED RESOURCE

30. Software BYTING THE HAND THAT FEEDS YOU

31. Software • Anti-Malware/Anti-Rootkit/Anti-*insert cyber awesomeness word here* • Blocks known

    malicious code • Can prevent ransomware from encrypting files • Etc. • Ensure software is up to date • Prevents known exploits from triggering • DOUBLEPULSAR… *mic drop* • Etc. …but does it really work?

32. Software • 0-Days • Patching is hard =( DOES IT

    WORK?

33. Software ALTERNATIVE…

34. Users & Hardware & Software OH MY…

35. Users & Hardware & Software

36. Users & Hardware & Software • Need to work in

    harmony with each other • Need to get along with each other • Need to… you get the point… DOES IT WORK? NEEDS TO WORK

37. Users & Hardware & Software • BACKUPS!!! IF ALL ELSE

    FAILS?

38. Users & Hardware & Software OR

39. How to Troll the Phishers

40. How to Troll the Phishers • A honeytoken is data

    or a computing resource that exists for the purpose of alerting you when someone accesses it. HONEYTOKENS (THANKS JSAVOIE FOR THIS TIP) Source: https://zeltser.com/honeytokens-canarytokens-setup/

41. How to Troll the Phishers • Ted Talk: This is

    what happens when you reply to spam email JAMES VEITCH (COMEDIAN AND WRITER)

42. Questions?

43. Thank you! Twitters: @gzboudreau @ecoastinfosec Websites: https://driftsec.ca https://eastcoastinfosec.ca