
• Joint work with
  ─ Freya Gassmann, University of Saarland, Germany
  ─ Robert Landwirth, FAU of Erlangen-Nuremberg, Germany
• Acknowledgments for data gathering and analysis
  ─ Nadina Hintz, Andreas Luder, Anna Girard, Gaston Pugliese

• Studied math (Russia) & computer science (Germany)
• PhD in computer science (2008), Germany
  ─ Access control protocols for wireless sensor networks
• Researcher at FAU, Germany
  ─ Friedrich-Alexander-Universität Erlangen-Nürnberg
• Human Factors in Security & Privacy Group
  ─ Group leader

Introduction

Agenda

• Spear phishing studies
  ─ Design & ethics
  ─ Study 1 → pitfalls & lessons learnt
  ─ Study 2 → recommendations
• Role of security awareness
• Challenges in patching human vulnerabilities

Technical vs. Human Vulnerabilities

• Technical vulnerabilities
  ─ Found → patch / redesign / accept risk
• Human vulnerabilities
  ─ Know how to exploit
  ─ Do we know how to patch?
• Is security awareness THE solution?

Spear Phishing

• Academic research: >1000 papers since 2004
• Phishing as a service (PhaaS)
  ─ KnowBe4, PhishMe, Wombat Security, many others
  ─ Pentesting the humans

What don't we know yet?

Research Questions

• Email vs. Facebook
  ─ Difference in clicking rates?
• Reasons for clicking and not clicking?
  ─ Why can some people protect themselves better than their peers?
  ─ Would knowing this provide useful information for defenders?

Study Idea

• Simulated attack
  ─ Send spear phishing messages with a link
  ─ Senders: non-existing persons
  ─ Recruit university students for participating in the study
• Email / Facebook
• Measure clicking behavior
• Ask them in a follow-up survey why they clicked / did not click

Message

Hey <receiver's first name>, here are the pictures from the last week: http://<IP address>/photocloud/page.php?h=<USERID>

Please do not share them with people who have not been there :-) See you next time!
<first name of the sender>

access denied

Ethics: Recruitment

  ─ Don't experiment with people without their consent!
  ─ Participants recruited for a survey about "online behavior"
• Not informed beforehand about the real purpose of the study
  ─ Incentive: win 10x 10 EUR online shopping voucher
  ─ Time: August/September 2013

Ethics: Connecting Behavior with Survey

send message with individual link → wait till "enough" people clicked → send survey with individual link

Survey should be anonymous → validity of the answers

Final Design

send message with individual link → wait 3 weeks → send anonymous survey; ask: clicked or not?

Study 1: Clicked

• email: 56% (89/158)
• Facebook: 38% (90/240)

Statistically significant difference

Study 1: Survey

Answered survey: 85% (339 out of 398)

• really clicked: 45% (179/398)
• reported that clicked: 20% (68/339)

Study 2: Design Changes

On January 7th, 2014: Hey, the New Year party was great! here are the pictures: http://<IP address>/photocloud/page.php?h=<USERID>

send message with individual link → if clicked → wait 24h; if did not click → wait 7 days → send different survey links via email and on Facebook; ask: clicked or not?

Study 2: Clicked

• email: 42.5% (119/280)
• Facebook: 20% (194/975)

Statistically significant difference

Addressing by Name

Important via email, but not on Facebook?

Disclaimer: Study 1 ≠ Study 2!!!! Different messages

• Study 1: email 56%
• Study 2: email 42.5%
• Study 1: Facebook 38%
• Study 2: Facebook 20%

Statistically significant / Not significant

Both Studies: Factors Not Statistically Correlated to Clicking

• Gender of sender
• Gender of receiver
• Friend request on Facebook
• Amount of information on sender's Facebook profile

Study 1 vs. Study 2: Survey Reliability

• Study 1: actually clicked 45%
• Study 1: reported that clicked 20%
• Study 2: actually clicked 25%
• Study 2: reported that clicked 16%


Study 2: Email vs. Facebook Survey Reliability

[Chart: Email actually clicked / Email reported that clicked / Facebook actually clicked / Facebook reported that clicked; values shown: 42.5%, 20%, 18%, 15.5%]

• Email: ok
• Facebook: ???
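The click-rate comparisons on the "Study 1: Clicked" and "Study 2: Clicked" slides (89/158 vs 90/240, 119/280 vs 194/975) and the Study 1 survey reliability figures (179/398 actually clicked vs 68/339 reported) can be checked from the counts alone. The following Python is an added example written for this page, not code from the talk or its authors. It assumes a Pearson chi-square test on a 2x2 table without continuity correction (the slides do not say which test was used), a significance threshold of alpha = 0.01 chosen here, and a survival function computed with math.erfc so that no SciPy is needed. Study 2 reported-click counts are not on the slides, so only Study 1 reliability is computed.

```python
import math

# Counts as printed on the slides: (clicked, messages sent) per channel.
STUDY1 = {"email": (89, 158), "facebook": (90, 240)}
STUDY2 = {"email": (119, 280), "facebook": (194, 975)}

# Study 1 survey figures from the slides: 179 of 398 recipients actually
# clicked; 68 of the 339 survey respondents reported having clicked.
STUDY1_ACTUAL = (179, 398)
STUDY1_REPORTED = (68, 339)


def click_rate(clicked, sent):
    """Fraction of recipients who clicked the link."""
    return clicked / sent


def chi_square_2x2(group_a, group_b):
    """Pearson chi-square test of independence for two (clicked, sent)
    groups, i.e. a 2x2 table channel x {clicked, not clicked}.
    Returns (chi2, p) for 1 degree of freedom, no continuity correction
    (assumption: the slides do not state the test that was used)."""
    clicked_a, sent_a = group_a
    clicked_b, sent_b = group_b
    n = sent_a + sent_b
    col_totals = (clicked_a + clicked_b, n - clicked_a - clicked_b)
    rows = (
        (sent_a, (clicked_a, sent_a - clicked_a)),
        (sent_b, (clicked_b, sent_b - clicked_b)),
    )
    chi2 = 0.0
    for row_total, observed_row in rows:
        for col_total, observed in zip(col_totals, observed_row):
            expected = row_total * col_total / n
            chi2 += (observed - expected) ** 2 / expected
    # Survival function of the chi-square distribution with 1 df:
    # P(X > x) = erfc(sqrt(x / 2)).
    p_value = math.erfc(math.sqrt(chi2 / 2))
    return chi2, p_value


def compare_channels(study, alpha=0.01):
    """Compare email against Facebook click rates for one study."""
    chi2, p_value = chi_square_2x2(study["email"], study["facebook"])
    return {
        "email_rate": click_rate(*study["email"]),
        "facebook_rate": click_rate(*study["facebook"]),
        "chi2": chi2,
        "p": p_value,
        "significant": p_value < alpha,  # alpha is this example's choice
    }


def survey_reliability(actual, reported):
    """Gap between logged clicks and self-reported clicks.
    actual   = (clicked, sent) from the link logs,
    reported = (said they clicked, survey respondents)."""
    actual_rate = click_rate(*actual)
    reported_rate = click_rate(*reported)
    return {
        "actual_rate": actual_rate,
        "reported_rate": reported_rate,
        # difference in percentage points between log data and self-report
        "gap_points": 100 * (actual_rate - reported_rate),
        # share of the real click rate that the self-reports account for
        "recovered": reported_rate / actual_rate,
    }


if __name__ == "__main__":
    for name, study in (("Study 1", STUDY1), ("Study 2", STUDY2)):
        r = compare_channels(study)
        print(f"{name}: email {r['email_rate']:.1%} vs Facebook "
              f"{r['facebook_rate']:.1%}, chi2={r['chi2']:.1f}, "
              f"p={r['p']:.2g}, significant={r['significant']}")
    s = survey_reliability(STUDY1_ACTUAL, STUDY1_REPORTED)
    print(f"Study 1 survey: actual {s['actual_rate']:.0%}, reported "
          f"{s['reported_rate']:.0%}, gap {s['gap_points']:.0f} points, "
          f"self-reports recover {s['recovered']:.0%} of the real rate")
```

Both within-study differences come out far below alpha, matching the "statistically significant difference" labels, and the Study 1 survey recovers less than half of the logged click rate, which is the reliability problem the slides flag. The cross-study comparison (Study 1 vs Study 2) is deliberately left out, since the slides stress that the two studies used different messages.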

Reasons for Clicking: Results

• Curiosity: 34%

"Curiosity"

• "I was curious"
• "I wanted to see what is there"
• "Out of interest"
• "I wanted to find out more about the pictures"
• "I did not know the sender, but wanted to see who is on the pictures"

Reasons for Clicking: Results (some people reported multiple reasons)

• Curiosity: 34%
• Fits my New Year party: 27%
• Investigation: 17%
• Known sender: 16%
• Trust into technical context: 11%

"Trust Into Technical Context"

• "My computer blocks access if there is a virus problem"
• "I knew, if this was something dangerous, my Kaspersky would protect me"
• "I use Firefox and Mac OS, so I'm not afraid of the viruses"
• "I used Tor Bundle"
• "After I googled, photocloud seemed to be a clean website"
• "I googled the email address […] I found nothing"
• "IP came from the university"
• "I consider the webmail of the university to be safe"

Reasons for Clicking: Results (some people reported multiple reasons)

• Curiosity: 34%
• Fits my New Year party: 27%
• Investigation: 17%
• Known sender: 16%
• Trust into system: 11%
• Really pictures of me? 7%

Reasons for Non-Clicking (some people reported multiple reasons)

• Unknown sender: 51%
• Virus/Spam/Phishing/Scam/Fake: 44%
• Does not fit my New Year celebration: 36%
• Does not fit my way of life: 12%
• Investigation: 6%
  ─ FB profile: 2%

Did Not Click Because Of Privacy (6%)

• "It (the message) seemed to be private"
• "I thought the message was genuine and wanted to protect privacy"
• "It said: please don't click if you don't know me"
• "The message was not for me"
• "I did not see any reason to look up private pictures of a stranger who obviously made a mistake"

Factors Not Statistically Correlated with Reported Clicking

• IT security knowledge (self-assessed)
• Knowledge that email sender can be spoofed
• Knowledge that links can be dangerous

Attitude towards Participation in the Study (-3 = very negative, 3 = very positive)

[Chart: percentage of non-clickers and clickers for each attitude score from -3 to 3; bar values not recoverable]

Should Such Studies be Conducted in The Future?

• yes: 85%
• no: 2%
• not sure: 13%

Limitations

• Study 1 ≠ Study 2
  ─ Only tentative comparisons across two studies!
• Validity of the reasons
  ─ Cannot look into people's heads at the moment of clicking
• "reported clickers" ≠ "real clickers"

Lesson 1: Targeting

• Curiosity / Interest
  ─ 78% knew that links can be dangerous
• Context
  ─ Known sender
    • 82% knew that sender can be spoofed
  ─ Plausibility: situation & expectations
    • Facebook: do people notice that they clicked?

Lesson 2: Requirements on Users

• Be suspicious:
  ─ Even if you know the sender
  ─ Even if the message fits your current situation
  ─ Even if the message fits your work and life practices
• Be suspicious of everything!

Deception Mode

Let me introduce…

• Highly trained special agent
• A lot of people want to kill him
• (Almost) any person in his life can be a traitor
• Has to be in deception mode in every life situation
• Does his job excellently
• Does not exist

Want Your Employees to Be Aware of Spear Phishing?

• Want them to be in James Bond mode every time they read a message?
• Add this to job descriptions
• Make sure to pay them adequately

(accounting, sales, human resources, customer support, public relations)

Being Security Aware: Personal Adventures

Personal Example 1: Curiosity / Interest (anonymized)

From: john.smith@turner.com
To: zinaida.benenson@fau.de
Subject: CNN request -- about your upcoming Black Hat talk

Zinaida,

John at CNN here. I'm the news network's cybersecurity reporter. Here's a link to my work, in case you're not familiar with it.

I saw the description of your upcoming Black Hat talk. Your topic looks fantastic!

Can we get an exclusive look at your research and write the first news story about it?

Cheers,

John Smith
john.smith@CNN.com

Personal Example 2: Context (anonymized)

From: Journal of Experiments (EXPE) exp@editorial-expe.com
To: zinaida.benenson@fau.de
Subject: Invitation to Peer Review EXPE-M-35-00737

Dear Dr. Benenson,
In view of your expertise […]
[…]
If you would like to review this paper, please click this link: http://expe.editorial-expe.com/l.asp?i=35189&l=GKXKMQ
If you do not wish to review this paper, please click this link: http://expe.editorial-expe.com/l.asp?i=87665&l=6HN7KK
Best regards,
Editor <name I've never heard of>


First Click, Then Notice: Messages to Helpdesk

D. Caputo et al. "Going spear phishing: Exploring embedded training and awareness." IEEE Security & Privacy Magazine, 2014

• "I clicked on it inadvertently without thinking and exited Explorer without reading the link."
• "I just opened this. Then followed link like an idiot. Then killed the process using Task Manager. Please advise as what to do."
• "I can't believe I actually clicked on the link! Let me know if there's something I need to do to ensure my laptop isn't infected, or if this is just a prank."

Personal Example 3: An Attachment (anonymized)

From: setup@company-I'm-dealing-with.com
To: zinaid.benenson@fau.de
Subject: Message ID: 23519-0297: FRT-92362. Work item Number: CMPVDM24062016157789020297
Attachment: attach/15072016/29375.docx

Hi,
Please see request details below. Please provide the required information by replying to this email.
Query Reason: Banking details
Work item Number: CMPVDM24062016157789020297
Created Date: 15-Jul-2016
Name: Zinaida Benenson
Comments: Dear Sir/Madam In order for us to complete the setup of your account within our system, we need your bank account details to which settlement of your invoices should be made. Please complete the attached form in full and return to us, ensuring it has been signed by an authorized signatory.

Lesson 3: Pentesting & Patching Humans

• What are the reasons for ineffectiveness of an awareness training?
  ─ Curiosity/interest → natural & creative human traits
  ─ "This message fits my current situation" / "I know the sender" → useful decisional heuristics
• What price do users pay for an effective awareness training?
  ─ James Bond mode
  ─ False positives? Work slowdown?
  ─ Breakdown of social relationships? Atmosphere of distrust?
  ─ Embarrassment? Shame? Anger?

Feasible User Involvement?

• Report suspicious messages?
  ─ Be prepared to get "amateur security"! (Bruce Schneier about "If you see something, say something")
• Reliable indicators for switching into "James Bond mode"
  ─ False positives destroy trust into the indicator
  ─ Digitally sign messages
    • Non-experts misinterpret meaning / don't notice
    • Can be social engineered into accepting an invalid signature
• Stop sending "phishy" legitimate messages
• Expect mistakes

Key Takeaways

• Spear phishing: what defense is feasible and beneficial for humans?
  ─ People won't and can't abstain from decisional heuristics
  ─ Don't require permanent James Bond mode
• Pentesting and patching humans is tricky
  ─ What do you want people to do?
  ─ Think about consequences for people & for company
  ─ Always ask consent
• Talk to the users
  ─ Automated observation and measurement are not enough
  ─ Ask directly about their experiences, opinions, work practices

Thank you! Questions?

Please complete the Speaker Feedback Surveys

Zinaida Benenson
zinaida.benenson@fau.de

Research & evidence needed! If your company is interested, please talk to me