Friday, April 28, 2017

Live Phishing Education Slides

This template (or one like it created by you and your team!) can be used as the landing page users are automatically redirected to after clicking during a live phishing campaign, as well as for normal classroom instruction.

You’ve Been Hacked!

But it’s OK...and it was only a quiz (the real test is from an attacker). (Click the arrows for more info!)

What Just Happened, and Why?

Did you know: real attackers are making these same attempts all the time against our network?

We’d rather help ourselves become stronger before the attackers can help themselves to our patients’ data. No matter how many technical hurdles the information security team puts in place, the best defense is always an alert member of the team (you!).

Classroom is theory—treating that first patient wasn’t. It’s better to practice when it’s safe. 

Social Engineering 101(0101)

Computers are black and white, on or off; humans aren’t, so unfortunately we present a better target to attackers:

RSA (security company) hacked in 2011 via email

HBGary (security company) hacked 2011 via reused passwords, email

Google/Adobe—hacked via targeted email and a browser exploit, Operation Aurora, disclosed 2010

So It’s OK That You Were Exploited (This Time)

If people who work for computer technology companies—some of which specialize in security—fall for attacks, it’s to be expected that you would fall for similar attacks as well.

We get better with practice; this is an opportunity for that practice.

No Blame, No Shame, Just...

You work for a healthcare organization where listening and trusting people is a priority! That’s good!

...but social engineering plays on your good nature and trust by building rapport (“I love our patients, too!”), making a request (“Password, please!”), and often faking urgency (“The CEO/CIO/CNO all want this done now!”).

A Few Strategies for Next Time

If you aren’t expecting an email from someone (even if you know them), don’t click the links or open the attachment.

If you think it might be work-related, check with the sender through a channel you already trust (a phone call, or a new email to the address in the directory) rather than replying; a reply to a spoofed message goes straight to the attacker.

If a website is asking for personal information (like your password), and you don’t recognize the site, call the IT helpdesk.

Because There Will Be a Next Time

If the site looks correct, make sure that it is a secure site (https:// in the URL bar, look for the lock) and that the address is really ours. The lock only means the connection is encrypted; attackers can get HTTPS for a lookalike site just as easily as we can, so a lock on the wrong domain is still a phishing page.

If Something Feels Funny

You just logged in, and you went immediately back to the login page.

The site doesn’t use HTTPS but requests a password.

You received an email from someone you don’t know or about a package you didn’t send.

A document that claims to have payroll information in it.

A greeting card as an attachment.

If Something Looks Funny

You open an attachment and you get a weird error, or the document doesn’t contain what it said it would.

You are prompted to turn on macros or install a driver update, or a new version of Flash player.

The website looks like ours, but the website address (URL) in the address bar looks different.

You find a USB thumb drive or a CD/DVD lying around.
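The two address checks above (is the address really ours, and does the lock actually prove anything) can be made mechanical. The script below is an added example written for this page, not part of the original slides; it assumes a hypothetical trusted domain, example-hospital.org, and the sample links it checks are constructed for illustration. It flags plain http, a trusted name used as a decoy in front of "@", punycode (lookalike-character) hosts, hosts that only contain our name as a prefix (example-hospital.org.evil.net), and email links whose visible text shows one host while the underlying link goes to another.

```python
"""Flag links whose destination does not match a trusted domain.

Added example for the phishing slides; not from the original page.
Assumes a hypothetical trusted domain (example-hospital.org) and uses
constructed sample links.
"""
import re
from urllib.parse import urlsplit

# Hypothetical: the organisation's own registrable domain(s).
TRUSTED_DOMAINS = {"example-hospital.org"}

# Link text that looks like a URL (no spaces, has a dot and a TLD).
URL_LIKE = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)


def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    """True only if host is a trusted domain or a proper subdomain of one.

    'portal.example-hospital.org'   -> True
    'example-hospital.org.evil.net' -> False (our name is only a prefix of a
    different registrable domain, a common phishing trick)
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def check_link(url, trusted=TRUSTED_DOMAINS):
    """Return a list of warnings for a URL; an empty list means it looked fine."""
    warnings = []
    parts = urlsplit(url)
    host = parts.hostname or ""

    if parts.scheme != "https":
        # Slide caveat: plain http means the password travels in the clear.
        warnings.append("not HTTPS")
    if parts.username is not None:
        # https://example-hospital.org@evil.net/ really goes to evil.net:
        # everything before '@' is userinfo, not the host.
        warnings.append("userinfo before '@' hides the real host")
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_host = host
    if ascii_host != host or any(lbl.startswith("xn--") for lbl in ascii_host.split(".")):
        # Internationalised name: may render as a lookalike of our domain.
        warnings.append("punycode (lookalike characters) host")
    if not is_trusted_host(host, trusted):
        # HTTPS alone proves nothing about *who* runs the site.
        warnings.append(f"host {host!r} is not ours")
    return warnings


def check_email_link(shown_text, href, trusted=TRUSTED_DOMAINS):
    """Check a mail link: the text the user sees versus where the href goes."""
    warnings = check_link(href, trusted)
    real_host = urlsplit(href).hostname
    if URL_LIKE.match(shown_text.strip()):
        t = shown_text.strip()
        shown_host = urlsplit(t if "://" in t else "//" + t).hostname
        if shown_host and real_host and shown_host != real_host:
            warnings.append(f"text shows {shown_host!r} but link goes to {real_host!r}")
    return warnings


def review_samples():
    """Run the checks over constructed sample links and return the findings."""
    samples = {  # constructed for illustration
        "ok": ("portal.example-hospital.org", "https://portal.example-hospital.org/login"),
        "no_https": ("Reset your password", "http://portal.example-hospital.org/login"),
        "prefix_trick": ("Reset your password", "https://example-hospital.org.evil.net/login"),
        "at_trick": ("Reset your password", "https://example-hospital.org@evil.net/login"),
        "punycode": ("Reset your password", "https://xn--exmple-hospital-4nb.org/login"),
        "text_mismatch": ("portal.example-hospital.org/reset", "https://evil.net/reset"),
    }
    return {name: check_email_link(text, href) for name, (text, href) in samples.items()}


if __name__ == "__main__":
    for name, warns in review_samples().items():
        print(f"{name}: {warns or 'looks fine'}")
```

The host check deliberately compares the whole registrable domain rather than searching for "example-hospital" anywhere in the address; substring matching is exactly what the prefix and "@" tricks exploit.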

If Something Sounds Funny

You get a call from “IT” and they ask for your username and password, or say they are working on a problem you have not reported.

A call from a new vendor who wants to know who our current vendor for xyz is (so they can call back and pose as being from that company).

A request from the “fire marshal” to look at the extension cords under your computer desk (a real inspection would be arranged through facilities).

Feels, Looks, or Sounds Funny—Call the IT Helpdesk

If it is something normal, they can help you.

If it is not, they’ll escalate the issue so we can take swift, appropriate action and warn other users.

What If I Already Clicked the Link, or Opened the Attachment?

No blame, no shame, but please—CALL NOW!

The sooner your IT team knows, the sooner they can help you and keep the issue from going any further.

What If I Didn’t Click the Link or Attachment?

If you think it looks suspicious, better safe than sorry.

Your IT team still needs to know about the possible threat to our patients’ protected health information (PHI).

Other users might not be as discerning.

The attacker might come back with something better next time.

Your IT Team Is Here for You!

Would you like a one-on-one session to talk about any of this information?

Do you lead a team who could benefit from this material?

If so, please contact the helpdesk at x1111 and let us know!

Phishing Program Rules

Some explanation and rules of the phishing program will help your users get excited and involved in the rewards program.

Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.

The IT team would like to present a new contest called “Something Smells Phishy!”

We’ll be putting on our hacker hats and trying to get you to fall for our security tests. While we won’t be trying to gather your credit card details, there are currently real hackers out in the world trying to get every bit of information they can.

They are the real bad guys and the whole point behind this campaign. Expect to see more training and key points to remember:

Don’t click links in emails.

Don’t open attachments that you aren’t expecting.

Never give your username/password to anyone.

If it smells phishy REPORT IT!

All of this is a training exercise and the more you learn, the safer we all are and the more chances you have to win some awesome prizes! Each time you report a legitimate phishing attempt (either from us or a real attacker) your name gets entered into the phish bowl for the following prizes!

Things that should be reported:

Suspicious emails trying to get your information (usernames, passwords, what software we use, banking info, etc).

Suspicious emails with attachments that you didn’t expect.

People attempting to access your computer that you haven’t authorized.
