

SLIDE 1

End-User Security: A Cornerstone of Defense-in-Depth Cybersecurity Solutions

Jessie Pudelek, Kevin Hill
NLIT 2019

FERMILAB-SLIDES-19-037-CD This manuscript has been authored by Fermi Research Alliance, LLC under Contract No. DE-AC02-07CH11359 with the U.S. Department of Energy, Office of Science, Office of High Energy Physics

SLIDE 2

Speakers

  • Jessie Pudelek, Fermilab Cybersecurity Analyst
  • Contact: jpudelek@fnal.gov, 630-840-5464
  • Kevin Hill, Fermilab Cybersecurity Analyst
  • Contact: kevinh@fnal.gov, 630-840-2068

5/1/2019

SLIDE 3

Outline

  • Background on the importance of cybersecurity awareness as part of end-user security and defense-in-depth
  • Review of Fermilab’s upgraded cybersecurity awareness platform
  • Discussion on how Fermilab’s Cybersecurity Team is evaluating the effectiveness of the upgraded awareness platform

SLIDE 4

Statistics regarding the targeting of end-users

  • 98% of cyber attacks rely on social engineering
  • 91% of cyber attacks start with a phishing email
  • Credential compromise rose 70% in 2018 compared to 2017
  • Business Email Compromise (BEC) scams account for over $12 billion in losses
  • 15% of people successfully phished will be targeted at least one more time within the year

https://www.knowbe4.com/hubfs/PhishingandSocialEngineeringin2018.pdf
https://www.darkreading.com/endpoint/91--of-cyberattacks-start-with-a-phishing-email/d/d-id/1327704
https://www.proofpoint.com/us/security-awareness/post/latest-phishing-first-2019
https://retruster.com/blog/2019-phishing-and-email-fraud-statistics.html

SLIDE 5

Example: Alamogordo, New Mexico

  • July 2018
  • Procurement officer for city of Alamogordo received a legitimate-looking email from an agent representing the Cooperative Education Exchange (CES), a real co-op that the city works with
  • The email said that CES banking info needed to be changed to pay outstanding invoices
  • The only phishing indicator was an outdated version of the CES logo
  • The email was forwarded to the Finance Department, who paid the requested $250,000
  • Scam was discovered when the real CES inquired about a real payment that the city thought it had already paid
  • Two scams: Procurement officer and finance department

https://blog.knowbe4.com/250000-ceo-fraud-in-a-municipal-finance-department

SLIDE 6

Humans are an easy target

  • General attacker goals:
    – Monetary gain
    – Steal credentials
    – Run malicious code
    – Use computer as part of a botnet
  • Social engineering is the easiest way for attackers to achieve their goals
  • Social engineering is used because it works; humans still fall for these schemes

Until attackers stop targeting humans, the need for cybersecurity awareness remains.

SLIDE 7

Social engineering and Fermilab

  • June 2017: Fermilab Cybersecurity sent the first test phishing email to the lab community
  • Standard UPS package delivery scam
  • 2748 mailboxes received the message
  • 27% clicked on the ‘malicious’ link
  • 28 users reported the message

SLIDE 8

Cybersecurity Team addresses the problem

  • New security awareness website
    – Blog articles
    – Printable handouts
    – Video lessons
    – Suspicious Emails of the Week page
  • New branding
    – Logo and slogan
    – User-friendly contact information
  • Updated events
    – Cybersecurity Awareness Day
    – Cyber Sleuths Phishing Awareness Campaign
    – Outreach

SLIDE 9

Security Awareness Website

  • One central location for all cybersecurity awareness materials
  • Dynamic content
  • Materials include:
    – Articles
    – Suspicious Emails of the Week
    – Resources
    – Video series

securityawareness.fnal.gov

SLIDE 10

Resources – Suspicious emails of the week

  • Resource to highlight phishing emails that are circulating at the lab for that week
  • Contains a screenshot, short description, and date it was reported
  • Intended to help Fermilab community identify phishing emails
  • Secondary benefit: encourages reporting
  • Related resource: Legitimate emails page

SLIDE 11

Resources – Printable handouts

  • Available from the left-hand menu on securityawareness.fnal.gov
  • Contains PDF handouts with detailed information on how to identify phishing emails
  • PDFs can be saved and/or printed for future use

SLIDE 12

Resources – Video series

  • Multi-modal security awareness platform
  • Irwin’s Cybersecurity Corner is a quirky video series featuring Fermilab CISO Irwin Gaines
  • Covers many topics from IoT to phishing scams
  • https://www.youtube.com/watch?v=uTQT53hrWrU

SLIDE 13

New branding and slogan

  • Computer Security Team becomes Cybersecurity Team
  • New logo represents the partnership between the Cybersecurity Team (CST), lab management, and users to keep the lab cyber secure
  • New email address to simplify reporting
  • Slogan drives home this point: Cybersecurity is everyone’s responsibility!

SLIDE 14

New branding continued

Lock-shaped contact cards provide details on all cybersecurity awareness resources and contact information.

[Images: contact card, front and back]

SLIDE 15

Events – Cybersecurity Awareness Day

  • Yearly event with cybersecurity training and presentations
  • Theme: Cybersecurity Starts with You!
  • Updated materials
  • Collaboration for presentations
  • Cartoon Irwin selfie station and video series

SLIDE 16

Events – Cyber Sleuths

  • October DHS Cybersecurity Awareness Month
  • Sleuths = mascots of phishing awareness
  • Materials included:
    – Video lesson on phishing
    – Posters
    – Blog articles
    – Weekly tips

SLIDE 17

Events – Outreach

Goal: Consistently remind members of the Fermilab community that what they do matters and that they have an active role in cybersecurity.

  • Increased cyber training presentations to various groups in the lab community
  • Special training for summer students and interns
  • Participation in STEM outreach
  • Remedial phishing training

SLIDE 18

Evaluating new awareness program

  • Phishing assessment metrics dropped
    – 10/17 FedEx Tracking Email: 13% clickthrough rate
    – 07/18 UPS Notification Email: 13% clickthrough rate
  • Reporting metrics rose
    – 10/17 FedEx Tracking Email: 110 reports
    – 07/18 UPS Notification Email: 141 reports
  • People are engaged in cybersecurity awareness
    – Positive feedback on Irwin video series
    – Positive feedback on Cyber Sleuths

SLIDE 19

Evaluation continued

  • Phishing assessments based off real phishing reports and broken into categories to evaluate clickthrough trends
    – PayPal assessment: 1%
    – Facebook assessment: 6%
    – LinkedIn request assessment: 11%
  • Reporting increasing in general
    – Increased level of questions
    – Increased number of people asking for email reviews

SLIDE 20

Moving forward…awareness and training

  • Continued research on psychology of clicking
  • Continued investigation of phishing categories and targeted phishing groups
  • Continued outreach and education based on current events and results of phishing assessments
  • Continued education on all topics in cybersecurity to help people at work but also at home

SLIDE 21

Moving forward…technical improvements

  • Multi-modal security awareness platform extending to technical solutions
  • Training is important, but not the only way Fermilab is working to secure users
  • Enter the PhishAlarm button
    – Simplifies reporting for Outlook users and increases reporting
    – Performs automated analysis
    – Integrates into our security controls for automatic black-hole routing

SLIDE 22

Overview of Beholder

  • Beholder is a custom system at Fermilab to coordinate system scanning and blocking
    – Networking systems notify Beholder when new system is connected to network
    – New systems are scanned with multiple scanners
    – Scan results are analyzed for blockable vulnerabilities
    – Vulnerable systems are blocked, users are notified
    – User can fix issue and request access via Service Now tickets

SLIDE 23

Overview of Phish Reporting

  • Traditionally people manually forwarded suspected phish to cybersecurity
  • Cybersecurity primary would manually review and block as necessary
  • Report Phish Add-in adds button to report suspected phish in Outlook clients on Windows, Mac and Android

SLIDE 24

Phish Reports

Phish reports include useful information:

  • Phishing certainty
  • Domains that handled the emails
  • Links in the email

SLIDE 25

Analyzing Phish Reports

  • Traditionally the phishing reports have to be reviewed manually
  • Suspect URLs need to be blocked
  • Can we remove this delay?
  • Yes!

SLIDE 26

Integrating Phish Reports into Beholder

  • Phishing analysis reports are emailed to an account that filters via procmail
  • Procmail recognizes phishing analysis reports and hands the email to a Python script
  • Python script extracts hostnames in the phishing links
  • Hostnames are added to Beholder via HTTP API call

[Diagram: Listserv → Procmail → Python → Beholder]

SLIDE 27

Interpreting Imported URLs

  • Phishing reports list all links in the phish emails, not just suspected malicious links
    – Need to make sure we don’t block google.com, URL shorteners, OneDrive, etc.
  • Imported hostnames get tagged as potential phishing links in Beholder
  • Someone from Cybersecurity Team either blocks or whitelists the hostnames as necessary
  • Will automate process once the number of new whitelist entries drops
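
The hostname-extraction and allowlist step from slides 26 and 27, as an added example that is not Fermilab's script: it parses a report email, pulls hostnames from every link, and keeps only non-allowlisted hosts for analyst review. The report format, allowlist entries, tag name and record shape are assumptions; the Beholder HTTP API is not shown on the slides, so no call is made.

```python
import email
import re
from email import policy
from urllib.parse import urlsplit

# Assumed allowlist (examples only): domains that must never be blocked.
ALLOWLIST = {"google.com", "bit.ly", "onedrive.live.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def is_allowlisted(host, allowlist=ALLOWLIST):
    """True only for an allowlisted domain or a true subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in allowlist)

def extract_hostnames(raw_report):
    """Return unique, normalized hostnames for every link in the report body."""
    msg = email.message_from_string(raw_report, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    hosts = []
    for url in URL_RE.findall(text):
        try:
            host = urlsplit(url).hostname  # lowercased; userinfo and port dropped
        except ValueError:
            continue  # malformed URL: skip rather than guess
        host = host.rstrip(".") if host else None
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def triage(raw_report):
    """Records for analyst review; allowlisted hosts are never submitted."""
    return [{"hostname": h, "tag": "potential-phish"}  # hypothetical record shape
            for h in extract_hostnames(raw_report) if not is_allowlisted(h)]

# Constructed sample report; the real report format is not shown on the slides.
SAMPLE_REPORT = """\
From: phish-reports@example.org
Subject: Phishing analysis report
Content-Type: text/plain

Links in the email:
http://tracking.parcel-notice.example/track?id=1
https://www.google.com/maps
https://bit.ly/abc123
https://google.com.evil.example:8443/login
https://user@TRACKING.parcel-notice.example./x
"""

if __name__ == "__main__":
    for record in triage(SAMPLE_REPORT):
        print(record)
```

The allowlist check matches on a leading dot, so `google.com.evil.example` is still queued for review while `www.google.com` is dropped.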

SLIDE 28

Questions?