Welcome! System Source Webinar Using KnowBe4 for Phishing and Training to Fight Back Against the Hackers April 8, 2020 Michelle Robinson, Learning Center Director, [email protected] , 410.771.5544 x4388 Maury Weinstein, President and Co-Founder, [email protected] x4319


Welcome! System Source Webinar

Using KnowBe4 for Phishing and Training to Fight Back Against the Hackers

April 8, 2020

Michelle Robinson, Learning Center Director, [email protected], 410.771.5544 x4388

Maury Weinstein, President and Co-Founder, [email protected] x4319


We Hope You are Enjoying Your Pizza!!

If you haven’t received your pizza, then contact Mike Jones: [email protected]


During the Webinar…

Audio – In presentation mode until end

Control Panel

View webinar in full screen mode

In Chat – Tell us what you hope to learn today?

Feel free to submit written questions

Open Q & A at the end using questions section

Evaluation just after webinar finish


Agenda

• Your security agenda

• Top Breach Patterns

• When phishing prevention fails

• Best practices for implementing an end-user security awareness program

• Our data supporting end-user security training and phishing

• Finding your security comfort level

• KnowBe4 demonstration


Your Security Agenda

1. Following regulatory or other external direction

   A. most standards treat all requirements equally

2. Seeking research driven direction to optimize security

   A. maximize security at lowest cost

   B. no “one size fits all” approach

   C. preventing under-, over- and useless spending


Top Breach Patterns We Can Learn From

Web Applications: Web app was path of the attack

Errors: Unintentional action directly compromising asset

Misuse: Unapproved or malicious use of resources

Privilege abuse

For fun, curiosity or financial gain


Web Application Attacks

• Code exploit

• >50% cloud email server access

• Thwarting authentication process with stolen credentials

• Minimize information or credentials on web server

• 2FA to slow intruders

• Patch CMS and plug-ins consistently


Breach Trends vs. 2013


$ Stolen by Breach Type


2019 Verizon Report Findings

Good news - Phish rates going down!


[Chart: Training Impact on Phish Prone Staff, 52 person sample. Y-axis: Phish Prone %, from -5% to 30%. Annotations: "Training implemented for those failing" and "New hires - untrained".]


Payroll Fraud

Result: Four figure loss

Hi,

I recently switched to a new financial institution and I need your quick assistance to update my paycheck direct deposit details.

Thanks,

X


Yeah…it won’t happen to me. That is what I said until I got a text from one of our ee’s on Friday night. She had texted me earlier around 5pm inquiring about her direct deposit. I promptly texted her back to check her new account…..she texted me back two hours later and told me that there was no new account!

It was so obvious as I looked back on the bogus email that I got in her name….all of the signs were there. I had been warned by you….I have been warning our payroll folks….but yet it happened to me…..why?

My day is nothing but rushing through emails to check them off like a McDonald’s worker fulfilling the orders that pop up on their screens.

This ee is our retired X officer….she only works for us part time and I only pay her once per month. I hardly ever see her or talk to her. Her personal situation is in flux since her husband is dying and on hospice care. It seemed to make sense to me that she may change her banking info considering her husband’s situation. … so how would someone know that she was one of those who I processed payroll? It turns out that the original email was sent to our payroll person and she fell for it and responded that I did the payroll for her and gave the fraudster my contact info.

So anyway, I was anxious to be hyper responsive to our ee….I like her a lot and feel for her personal situation. I emailed her back that I could call her and get the details asap. The criminal responded with the details of the account and a bogus check…in retrospect signs of fraud were there too.

Anyway….a $x,xxx lesson and a blow to my self-esteem.

Feel free to share this with other clients…but no names.

X


Improvement for Payroll Fraud

External email tags | RDP port check | 2FA | Mobile device management

External vulnerability scan | Backup checking | Disk encryption | Dedicated backup server

Email filtering | IMAP/POP removal | Email encryption | Internal vulnerability scan

Entrance/Exit process | Anti-virus management | Firewall review | Penetration testing

Compliance reporting | Self-service passwords | Conditional access | Secure workstation image

AD Scan | Risky login alerts | Intrusion protection | Password protection

DNS filtering | Patch management | Data loss prevention | Service account ad hoc login removal

Security metrics | Phishing test with training | Single sign-on | DDOS protection

Next gen passwords | Disappear from Business Social Media | Enhanced financial controls | Email compromise recovery

In Research: Yubikey | Next gen anti-virus


Our Implementation Approach

• Baseline Testing

  • Simulated phishing attack assesses starting Phish-Prone %

• Train Your Users

  • Large library of security awareness training including interactive modules, videos, games, posters and newsletter. Training includes scheduled reminders

• Phish Your Users

  • Automated simulated phishing attacks, hundreds of templates with unlimited usage and community phishing templates.

• See Results

  • Management reporting - stats and graphs for training and phishing


Best Practices for Implementation

• Use Smart Groups so staff with multiple phishing failures receive more training

• Phish weekly over a 2-3 day period with moderate to high level campaign difficulty to not be too obvious

• Phish HR, accounting and other at-risk roles along with standard campaign

• AD integration for easy user additions and controlled portal access

• Initial phishing campaign for a baseline to assess progress

• Use Kevin Mitnick’s 30 min Security Awareness training for all users with additional 15 min training for users with phishing failure.

• Vishing is an extra level of security awareness (requires DID?)

• Management reporting for training accountability and risk assessment


System Source and KnowBe4

• Partnering for training and phishing tests

• Most popular Security Awareness Training and Phishing platform

• Training using Kevin Mitnick’s 30+ years in dark side hacking

• We’ve helped 5,503 6,559 people purchase and deploy KnowBe4!

• Gartner Peer Insights ranks KnowBe4 at top for:

• Product capabilities

• Willingness to recommend


Gartner Magic Quadrant for Security Awareness Computer-Based Training 2019


Subscription Price and Benefits

Silver Level

• Admin Management Console

• Unlimited Phishing Security Tests

• Automated Security Awareness Program

• Training Access Level I

• Automated Training Campaigns

• Crypto-Ransom Guarantee

• Phish Alert Button

• Active Directory Integration

• Phishing Reply Tracking

• Security ‘Hints & Tips’

Gold Level

• Training Access Level II

• Monthly Email Exposure Check

• Vishing Security Test (voice mail)

Platinum Level

• “Automated Human Pentesting”

• USB Drive Test

• Vulnerable Browser Plugin Detection

• Social Engineering Indicators

Diamond Level

• Training Access Level III

| Seats (Per Year) | Corporate | Education/Non-Profit |
|---|---|---|
| 25-50 | $17.00-$29.50 | $15.30-$26.55 |
| 51-100 | $15.00-$26.50 | $13.50-$23.85 |
| 101-500 | $11.00-$20.50 | $9.90-$18.45 |
| 501-1000 | $10.00-$19.00 | $9.00-$17.10 |

Optional Setup Fee is $20/person to maximum of $1000


Kindly complete the survey sent after this webinar.

We will use your feedback to help us improve.

THANK YOU!