Cybersecurity Solutions Jessie Pudelek Kevin Hill This manuscript - PowerPoint PPT Presentation



  1. FERMILAB-SLIDES-19-037-CD
  End-User Security: A Cornerstone of Defense-in-Depth Cybersecurity Solutions
  Jessie Pudelek, Kevin Hill
  NLIT 2019
  This manuscript has been authored by Fermi Research Alliance, LLC under Contract No. DE-AC02-07CH11359 with the U.S. Department of Energy, Office of Science, Office of High Energy Physics.

  2. Speakers
  • Jessie Pudelek, Fermilab Cybersecurity Analyst
  • Kevin Hill, Fermilab Cybersecurity Analyst
  • Contact: kevinh@fnal.gov, jpudelek@fnal.gov; 630-840-2068, 630-840-5464
  Dated 5/1/2019

  3. Outline
  • Background on the importance of cybersecurity awareness as part of end-user security and defense-in-depth
  • Review of Fermilab’s upgraded cybersecurity awareness platform
  • Discussion of how Fermilab’s Cybersecurity Team is evaluating the effectiveness of the upgraded awareness platform

  4. Statistics regarding the targeting of end-users
  • 98% of cyber attacks rely on social engineering
  • 91% of cyber attacks start with a phishing email
  • Credential compromise rose 70% in 2018 compared to 2017
  • Business Email Compromise (BEC) scams account for over $12 billion in losses
  • 15% of people successfully phished will be targeted at least one more time within the year
  Sources:
  https://www.knowbe4.com/hubfs/PhishingandSocialEngineeringin2018.pdf
  https://www.darkreading.com/endpoint/91--of-cyberattacks-start-with-a-phishing-email/d/d-id/1327704
  https://www.proofpoint.com/us/security-awareness/post/latest-phishing-first-2019
  https://retruster.com/blog/2019-phishing-and-email-fraud-statistics.html

  5. Example: Alamogordo, New Mexico
  • July 2018
  • The procurement officer for the city of Alamogordo received a legitimate-looking email from an agent representing the Cooperative Education Exchange (CES), a real co-op that the city works with
  • The email said that CES banking info needed to be changed to pay outstanding invoices
  • The only phishing indicator was an outdated version of the CES logo
  • The email was forwarded to the Finance Department, who paid the requested $250,000
  • The scam was discovered when the real CES inquired about a real payment that the city thought it had already paid
  • Two scams: procurement officer and finance department
  https://blog.knowbe4.com/250000-ceo-fraud-in-a-municipal-finance-department

  6. Humans are an easy target
  • General attacker goals:
    – Monetary gain
    – Steal credentials
    – Run malicious code
    – Use the computer as part of a botnet
  • Social engineering is the easiest way for attackers to achieve their goals
  • Social engineering is used because it works; humans still fall for these schemes
  Until attackers stop targeting humans, the need for cybersecurity awareness remains.

  7. Social engineering and Fermilab
  • June 2017: Fermilab Cybersecurity sent the first test phishing email to the lab community
  • Standard UPS package delivery scam
  • 2748 mailboxes received the message
  • 27% clicked on the ‘malicious’ link
  • 28 users reported the message

  8. Cybersecurity Team addresses the problem
  • New security awareness website
    – Blog articles
    – Printable handouts
    – Video lessons
    – Suspicious Emails of the Week page
  • New branding
    – Logo and slogan
    – User-friendly contact information
  • Updated events
    – Cybersecurity Awareness Day
    – Cyber Sleuths Phishing Awareness Campaign
    – Outreach

  9. Security Awareness Website
  • One central location for all cybersecurity awareness materials
  • Dynamic content
  • Materials include:
    – Articles
    – Suspicious Emails of the Week
    – Resources
    – Video series
  securityawareness.fnal.gov

  10. Resources – Suspicious emails of the week
  • Resource to highlight phishing emails that are circulating at the lab that week
  • Contains a screenshot, a short description, and the date it was reported
  • Intended to help the Fermilab community identify phishing emails
  • Secondary benefit: encourages reporting
  • Related resource: Legitimate emails page

  11. Resources – Printable handouts
  • Available from the left-hand menu on securityawareness.fnal.gov
  • Contains PDF handouts with detailed information on how to identify phishing emails
  • PDFs can be saved and/or printed for future use

  12. Resources – Video series
  • Multi-modal security awareness platform
  • Irwin’s Cybersecurity Corner is a quirky video series featuring Fermilab CISO Irwin Gaines
  • Covers many topics, from IoT to phishing scams
  • https://www.youtube.com/watch?v=uTQT53hrWrU

  13. New branding and slogan
  • Computer Security Team becomes Cybersecurity Team
  • New logo represents the partnership between the Cybersecurity Team (CST), lab management, and users to keep the lab cyber secure
  • New email address to simplify reporting
  • Slogan drives home this point: Cybersecurity is everyone’s responsibility!

  14. New branding continued
  Lock-shaped contact cards provide details on all cybersecurity awareness resources and contact information.
  (Images: card front and back)

  15. Events – Cybersecurity Awareness Day
  • Yearly event with cybersecurity training and presentations
  • Theme: Cybersecurity Starts with You!
  • Updated materials
  • Collaboration for presentations
  • Cartoon Irwin selfie station and video series

  16. Events – Cyber Sleuths
  • October: DHS Cybersecurity Awareness Month
  • Sleuths = mascots of phishing awareness
  • Materials included:
    – Video lesson on phishing
    – Posters
    – Blog articles
    – Weekly tips

  17. Events – Outreach
  Goal: Consistently remind members of the Fermilab community that what they do matters, and that they have an active role in cybersecurity.
  • Increased cyber training presentations to various groups in the lab community
  • Special training for summer students and interns
  • Participation in STEM outreach
  • Remedial phishing training

  18. Evaluating the new awareness program
  • Phishing assessment metrics dropped
    – 10/17 FedEx Tracking Email: 13% clickthrough rate
    – 07/18 UPS Notification Email: 13% clickthrough rate
  • Reporting metrics rose
    – 10/17 FedEx Tracking Email: 110 reports
    – 07/18 UPS Notification Email: 141 reports
  • People are engaged in cybersecurity awareness
    – Positive feedback on the Irwin video series
    – Positive feedback on Cyber Sleuths

  19. Evaluation continued
  • Phishing assessments are based on real phishing reports and broken into categories to evaluate clickthrough trends
    – PayPal assessment: 1%
    – Facebook assessment: 6%
    – LinkedIn request assessment: 11%
  • Reporting increasing in general
    – Increased level of questions
    – Increased number of people asking for email reviews

  20. Moving forward…awareness and training
  • Continued research on the psychology of clicking
  • Continued investigation of phishing categories and targeted phishing groups
  • Continued outreach and education based on current events and results of phishing assessments
  • Continued education on all topics in cybersecurity to help people at work but also at home

  21. Moving forward…technical improvements
  • Multi-modal security awareness platform extending to technical solutions
  • Training is important, but not the only way Fermilab is working to secure users
  • Enter the PhishAlarm button
    – Simplifies reporting for Outlook users and increases reporting
    – Performs automated analysis
    – Integrates into our security controls for automatic black-hole routing

  22. Overview of Beholder
  • Beholder is a custom system at Fermilab to coordinate system scanning and blocking
    – Networking systems notify Beholder when a new system is connected to the network
    – New systems are scanned with multiple scanners
    – Scan results are analyzed for blockable vulnerabilities
    – Vulnerable systems are blocked, and users are notified
    – Users can fix the issue and request access via ServiceNow tickets

  23. Overview of Phish Reporting
  • Traditionally, people manually forwarded suspected phish to cybersecurity
  • The cybersecurity primary would manually review and block as necessary
  • The Report Phish add-in adds a button to report suspected phish in Outlook clients on Windows, Mac and Android

  24. Phish Reports
  Phish reports include useful information:
  • Phishing certainty
  • Domains that handled the email
  • Links in the email

  25. Analyzing Phish Reports
  • Traditionally, the phishing reports have to be reviewed manually
  • Suspect URLs need to be blocked
  • Can we remove this delay?
  • Yes!

  26. Integrating Phish Reports into Beholder
  • Phishing analysis reports are emailed to an account that filters via procmail
  • Procmail recognizes phishing analysis reports and hands the email to a Python script
  • The Python script extracts the hostnames in the phishing links
  • Hostnames are added to Beholder via an HTTP API call
  (Diagram: Listserv → Procmail → Python → Beholder)

  27. Interpreting Imported URLs
  • Phishing reports list all links in the phish emails, not just suspected malicious links
    – Need to make sure we don’t block google.com, URL shorteners, OneDrive, etc.
  • Imported hostnames get tagged as potential phishing links in Beholder
  • Someone from the Cybersecurity Team either blocks or whitelists the hostnames as necessary
  • The process will be automated once the number of new whitelist entries drops
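Slides 26 and 27 describe the procmail → Python → Beholder step and the whitelist problem it creates. The block below is an added example, not Fermilab's script or Beholder's API: it parses a constructed phishing-analysis report, extracts the hostnames from its links, and tags each one for the analyst decision the slide describes. The report layout, the tag names, the whitelist contents and the HTTP payload fields are all assumptions.

```python
"""Added example (not Fermilab's code): parse a constructed phish-analysis
report, pull the hostnames out of its links, and tag each for review."""
import email, re
from urllib.parse import urlparse

# Constructed sample report; the "Links in the email:" layout is an assumption.
SAMPLE_REPORT = """\
From: phish-analysis@example.test
Subject: Phishing analysis report: 'Your mailbox is full'
Content-Type: text/plain

Phishing certainty: High
Links in the email:
  https://login-verify.example.invalid/owa/?user=abc
  http://bit.ly/3xyz123
  https://onedrive.live.com/redir?resid=123
  https://www.google.com/
"""
# Hosts that appear in nearly every message and must never be black-holed.
WHITELIST = {"www.google.com", "google.com", "onedrive.live.com"}
# Blocking a URL shortener would block everything behind it: hold for review.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def is_phish_report(msg) -> bool:
    """The procmail-style recognition rule, here matched on the Subject."""
    return (msg.get("Subject") or "").startswith("Phishing analysis report")

def extract_hostnames(text: str) -> list[str]:
    """Unique hostnames from every URL in the text, in order of appearance."""
    seen: list[str] = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host and host not in seen:
            seen.append(host)
    return seen

def classify(host: str) -> str:
    """Tag attached when the host is handed to Beholder (tag names assumed)."""
    if host in WHITELIST:
        return "whitelist"
    if host in SHORTENERS:
        return "needs-review"
    return "potential-phish"

def beholder_payload(raw_report: str) -> list[dict]:
    """Records a script would POST to Beholder's HTTP API (fields assumed)."""
    msg = email.message_from_string(raw_report)
    if not is_phish_report(msg):
        return []
    return [{"hostname": h, "tag": classify(h)} for h in extract_hostnames(msg.get_payload())]
```

Only hosts tagged `potential-phish` are candidates for blocking; the other two tags reproduce the manual whitelist step from slide 27 so that a report containing a Google or OneDrive link never black-holes those hosts.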

  28. Questions?
