Análisis de riesgos - Universidad Siglo 21

The purpose of this proposed study is to focus on whether the treatment impacts the vulnerability to being successfully phished. Age and length of employment (confounded with gender) are taken into consideration as potentially impacting the likelihood of being successfully phished. However, there are still more interesting questions to raise surrounding this topic which can be addressed in other future studies. These include:

Are women in the financial sector more susceptible to phishing than men? Are financial employees in the age range of 30-39 more vulnerable to phishing

than other ages?

Which departments are truly most vulnerable to phishing and why? How can these departments be better secured against this attack vector?

Which positions are most vulnerable to phishing and why? How can these positions be better secured against this attack vector?

Does length of employment really impact the level of vulnerability an employee has to phishing and social engineering? Is this related to the number of times an employee has taken the security training course?

There are many more questions related to this topic and all deserve investigation. This paper explained the importance of research into social engineering, phishing, and effective defense techniques. Humans have been shown to be the

weakest link in need of understanding, education, training, and securing. The research done here should benefit future research into this realm of security and help future researchers in the design process of phishing experiments.

REFERENCES

[1] D. P. Twitchell, "Social Engineering and its Countermeasures," in Handbook of

Research on Social and Organizational Liabilities in Information Security, Idea Group Inc, 2008, pp. 228-242.

[2] M. Allen, "Social Engineering: A Means to Violate a Computer System," SANS Institute, 2007.

[3] Harl, "The Psychology of Social Engineering," in Access All Areas III, 1997.

[4] K. Mitnick and W. L. Simon, The Art of Deception: Controlling the Human Element of Security, Indianapolis, Indiana: Wiley Publishing Inc., 2002.

[5] S. Granger, "Social Engineering Reloaded," 2 November 2010. [Online]. Available: http://www.symantec.com/connect/articles/social-engineering-reloaded.

[6] S. Granger, "Social Engineering Fundamentals, Part I: Hacker Tactics," 18 December 2001. [Online]. Available: http://www.securityfocus.com/infocus/1527. [7] K. D. Mitnick and W. L. Simon, The Art of Intrusion: The Real Stories Behind the

Exploits of Hackers, Intruders & Deceivers, Indianapolis, IN: Wiley Publishing, Inc., 2006.

[8] J. Baker and B. Lee, "The Impact of Social Engineering Attacks on Organizations: A Differentiated Study," Florida Atlantic University, Boca Raton, FL, 2005.

[9] S. Granger, "Social Engineering Fundamentals, Part II: Combat Strategies," 9 January 2002. [Online]. Available: http://www.securityfocus.com/infocus/1533. [10] C. E. Lively, Jr., "Psychological Based Social Engineering," SANS Institute, 2003. [11] M. Jackobsson and S. Myers, Phishing and Countermeasures: Understanding the

Increasing Problem of Electronic Identity Theft, Hoboken, New Jersey: John Wiley & Sons, Inc, 2007.

[12] A. Emigh, "Online Identity Theft: Phishing Technology, Chokepoints and Countermeasures," Infosec Technology Transition Council, 2005.

[13] M. Badra, S. El-Sawda and I. Hajjeh, "Phishing Attacks and Solutions," in

MobiMedia '07, Nafpaktos, Greece, 2007.

[14] L. James, Phishing Exposed, Rockland, MA: Syngress Publishing, Inc., 2005. [15] B. Schneier, Secrets & Lies: Digitial Security in a Networked World, Indianapolis,

Indiana: Wiley Publishing, Inc., 2004.

[16] D. P. Twitchell, "Social Engineering in Information Assurance Curricula," in

InfoSecCD Conference 06, Kennesaw, Georgia, 2006.

[17] J. Hiner, "Change your company's culture to combat social engineering attacks," 30 May 2002. [Online]. Available: http://www.techrepublic.com/article/change- your-companys-culture-to-combat-social-engineering-attacks/1047991.

[18] M. A. Sasse, S. Brostoff and D. Weirich, "Transforming the 'weakest link' - a human/computer interaction approach to usable and effective security," BT

Technol, vol. 19, no. 3, July 2001.

[19] W. Arthurs, "A Proactive Defence to Social Engineering," SANS Institute, 2001. [20] I. Flechais, J. Riegelsberger and M. A. Sasse, "Divide and Conquer: The role of trust

and assurance in the design of secure socio-technical systems," in New Security

Paradigms Workshop '05, Lake Arrowhead, CA, 2005.

[21] L. Laribee, "Development of Methodical Social Engineering Taxonomy Project," Naval Postgraduate School, Monterey, California, 2006.

[22] N. J. Evans, "Information technology social engineering: an academic definition and study of social," Iowa State University, Ames, Iowa, 2009.

[23] P. Finn and M. Jakobsson, "Designing and Conducting Phishing Experiments," IEEE Technology and Society Magazine, Special Issue on Usability and Security,

66 2007.

[24] The National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research, "The Belmont Report: Ethical Principles and Guidelines for the Protection of Human Subjects of Research," U.S. Department of Health, Education, and Welfare.

[25] M. Jakobsson and J. Ratkiewicz, "Designing Ethical Phishing Experiments: A study of (ROT13) rOnl query features," in International World Wide Web (WWW)

Conference, Edinburgh, Scotland, 2006.

[26] R. Dhamija, J. D. Tygar and M. Hearst, "Why Phishing Works," in CHI-2006:

Conference on Human Factors in Computing Systems, Montreal, Canada, 2006. [27] M. Jackobsson, "The Human Factor in Phishing," Indiana University at

Bloomington, Bloomington, Indiana, 2007.

[28] E. Kirda and C. Kruegel, "Protecting Users Against Phishing Attacks with AntiPhish," Technical University of Vienna, Vienna, Austria.

[29] Anti-Phishing Working Group, "Phishing Activity Trends Report 2nd Quarter 2012," Anti-Phishing Working Group, 2012.

[30] JPMorgan Chase & Co, "Fraudulent E-mail Examples," 2009. [Online]. Available: http://www.social-engineer.org/wiki/archives/Phishing/Phishing-Chase.html. [31] Wachovia Corporation, "Phishing Examples," 2009. [Online]. Available:

http://www.social-engineer.org/wiki/archives/Phishing/Phishing-Wachovia.html. [32] R. Dragani, "Big US Banks Under Active Attack, Napolitano Warns," 1 November

2012. [Online]. Available: http://www.ecommercetimes.com/story/76533.html. [Accessed 4 November 2012].

[33] T. UcedaVelez, "Phishing for Banks: A Timely Analysis on Identity Theft & Fraud in the Financial Sector," SANS Institute, Atlanta, Georgia, 2004.

[34] T. Armerding, "Cybercriminals shift focus to bank employees," 20 September 2012. [Online]. Available: http://www.csoonline.com/article/716685/cybercriminals- shift-focus-to-bank-employees. [Accessed 15 October 2012].

[35] W. G. Zikmund, B. J. Babin, J. C. Carr and M. Griffin, Business Research Methods, 8th ed., Mason, Ohio: South-Western Cengage Learning, 2010.

[36] J. E. Dunn, "Too Many People Reuse Logins, Study Finds," PC World, 7 February 2010. [Online]. Available: http://www.pcworld.com/article/188763/ too_many_people_reuse_logins_study_finds.html. [Accessed 28 October 2012]. [37] T. Samson, "Study finds high rate of password reuse among users," InfoWorld, 10

February 2011. [Online]. Available: http://www.infoworld.com/t/data- security/study-finds-high-rate-password-reuse-among-users-188. [Accessed 28 October 2012].

[38] C. Williams, N. Campbell and G. Chan, "Phishing – Methods," 17 April 2010. [Online]. Available: http://phishyfraud.wordpress.com/2010/04/17/phishing- methods/. [Accessed 24 11 2012].

[39] H. Metcalf and H. Rolfe, "Employment and earnings in the finance sector: A gender analysis," National Institute of Economic and Social Research.

[40] S. Sheng, M. Holbrook, P. Kumaraguru, L. Cranor and J. Downs, "Who Falls for Phish? A Demographic Analysis of Phishing Susceptability and Effectiveness of Interventions," in CHI 2010, Atlanta, Georgia, 2010.

[41] S. Boslaugh and D. P. A. Watters, Statistics in a Nutshell, O'Reilly Media, 2012. [42] T. F. Jaeger, "Categorical Data Anlysis: Away from ANOVAs (transformation or not)

and towards Logit Mixed Models," Journal of Memory and Language, vol. 59, no. 4, pp. 434-446, 2008.

[43] Institutional Review Board, "Eastern Washington University Policy and Procedures for the Protection of Human Subjects in Research".

68 [44] I. Mann, Hacking the Human, Gower, 2008.

[45] A. Dolan, "Social Engineering," SANS Institute, 2004.

[46] D. B. Bailey, "Age Classifications: When Considering the Age of Users, How Old is "Old"?," August 2002. [Online]. Available: http://webusability.com/article_age_classifications_8_2002.htm. [Accessed 8 July 2009].

[47] K. Poulsen, "Mitnick to Lawmakers: People, Phones are the Weakest Links," 2 March 2000. [Online]. Available: http://www.politechbot.com/p-00969.html. [Accessed 11 July 2009].

[48] D. A. Dillman, J. D. Smyth and L. M. Christian, Internet, Mail, and Mixed-Mode Surveys: The Tailored Design Method, 3rd ed., Hoboken, New Jersey: John Wiley & Sons, Inc., 2009.

[49] S. Presser, J. M. Rothgeb, M. P. Couper, J. T. Lessler, E. Martin, J. Martin and E. Singer, Methods for Testing and Evaluating Survey Questionnaires, Hoboken, New Jersey: John Wiley & Sons, Inc., 2004.

[50] D. T. Campbell and J. C. Stanley, Experimental and Quasi-Experimental Designs for Research, Wadsworth Publishing, 1963.

[51] T. Turner, "Social Engineering - Can Organizations Win the Battle?," East Carolina University, Greenville, NC, 2005.

Social Engineering and Information Security Training Slides

Training Questions

Multiple choice and true/false questions. Answers are highlighted in red.

1. What is considered by some to be the greatest security risk to any company? a. Viruses

b. Social Engineering

c. Spam

2. Social engineering bypasses all security efforts put forth by the IT and security departments via _____________.

a. Breaking encryption

b. Cracking through the network firewalls

c. The employees

3. What can be at risk if social engineer gains access to your company’s network or to your specific computer?

a. Work documents stored on your work computer or on the network b. Personal documents stored on your work computer

c. Personal email access via your work computer

d. All of the above

4. What do you call an email that tries to trick you into scams by pretending to be a legitimate business that you may have an account with?

a. Phishing

b. Cracking c. Virus d. Encryption

5. Social engineering affects you outside of work.

a. True

b. False

6. The size of a company matters when a social engineer chooses a target. a. True

b. False

7. Only obvious criminals could be social engineers, not someone I know and work with on a regular basis.

a. True

b. False

8. An ex-employee could potentially turn into a social engineer.

a. True

b. False

9. What is the weakest link in security?

a. Physical security (e.g. cameras, locks, guards) b. Technological security (e.g. firewalls, encryption)

10. What do you call the social engineering technique where the attacker pretends to be someone they are not or invents a scenario to engage the target victim in?

a. Phishing

b. Pretexting

c. Dumpster diving d. Sniffing

11. What should you do if you receive a phishing text message (SMiShing)? a. Call the number provided in the message

b. Reply to the message via text message

c. Notify the helpdesk immediately and do not reply to the message

12. When typing in your password on a keyboard, you should make sure no one sees what you type; even if that means covering your hand as you type or asking someone to look away.

a. True

b. False

13. Information can come in the following forms: a. Print

b. Hand-written c. Digital d. Spoken

e. All of the above

14. ___________________ are rules for the organization to help secure it, its employees, and its assets.

a. Security policies

b. Rules of engagement c. Protective measures

15. You should always be aware of your surroundings, who is near by that could see what you are working on or hear what you are talking about.

a. True

b. False

16. When a visitor comes to your branch, you should:

a. Welcome them openly and let them in wherever they say they need to go b. Have them sign-in, and then show them where they say they need to go

c. Verify their identity and that they are expected, have them sign-in, then allow them togo where they need to

17. Is there ever a reason to not follow the Branch Visitation Procedures laid out in the Branch Security Manual when a visitor comes to your branch?

a. Yes

b. No

18. All passwords must follow Sterling’s strong password policy.

a. True

b. False

19. If you were going on vacation and your boss asked you for your password while you were gone, just in case… should you give it to them?

a. Yes

20. You should lock your computer if you are going to walk away from your desk for _________.

a. Any amount of time, even for just a few minutes

b. More than 5 minutes c. More than 15 minutes

d. You do not need to lock your computer if you walk away from your desk 21. After finishing a transaction with a customer, you should always immediately

clear your computer screen.

a. True

b. False

22. Where should paper documents containing confidential or sensitive information be kept when you are not at your desk?

a. Out in the open, on top of your desk b. In an unlocked desk drawer

c. In a locked desk drawer or filing cabinet

23. Paper documents should be disposed by using ______________. a. The garbage cans

b. A personal shredder

First Phishing Trial: Sample Phishing Email

From:

National Banking Research

[email protected] Subject:

National Bank Association Research

Body:

Dear Sterling Savings Bank Employee,

We at the National Bank Association are conducting a research study on bank cultures at small to medium sized banks. The goal of this research is to learn

how bank employees enjoy working in their bank, what makes it enjoyable or not enjoyable, what qualities in peers and management are considered beneficial to a positive work environment. We hope to use the results of this study to improve the bank culture of not only our member banks but all banks.

By helping us with this research we will be entering you into a drawing to win a 32GB Samsung Galaxy Tab. Five participants will be chosen to win.

Click the link below to participate:

https://www.nationalbankassociation.org/Research/

Thank you for your help! You are helping make your workplace and the workplace of other bank employees like you better.

Sincerely, Scott Johnstone

Director of Human Resources National Bank Association

Second Phishing Trial: Sample Phishing Email

From:

Grapevine Watchdog Specials [email protected]

Body:

Dear Bank Employee,

As part of The Bank’s launch of social media services, a scan of posted content regarding The Bank and its employees has been conducted. Potentially offensive and/or objectionable content associated with your name has been identified. Please use the link below to enroll so that you may review the content and decide what steps need be taken to protect the reputation of The Bank and yourself.

Act now before it’s too late and click the link below!

http://www.grapevinewatchdog.com/Specials/TheBank.aspx?i={employeeTrackingID} Sincerely,

Third Phishing Trial: Sample Phishing Email

From:

[email protected]

Subject:

Notice from IT: Important Security Update for Outlook

Body:

All Bank Employees:

URGENT: The Microsoft Outlook Security April 2012 Patch is required to be performed no later than April 27, 2012 by 5pm or all of your email could be lost due to possible virus attacks from this security vulnerability.

sterlingsavings.com/OutlookSecurityUpdate.aspx Thank you,

Michael Garrison

First Phishing Trial: User Interface

FIGURE 10: FIRST PHISHING TRIAL HOOK FIGURE 9: FIRST PHISHING TRIAL HOME PAGE

Second Phishing Trial: User Interface

FIGURE 14: SECOND PHISHING TRIAL SIGN UP PAGE FIGURE 13: SECOND PHISHING TRIAL HOOK

FIGURE 11: FIRST PHISHING TRIAL ACCOUNT CREATION PAGE FIGURE 12: FIRST PHISHING TRIAL LOGON PAGE

Third Phishing Trial

FIGURE 15 FIGURE

Phishing Trial: User Interface

15: THIRD PHISHING TRIAL ERROR MESSAGE FIGURE 16: THIRD PHISHING TRIAL HOOK

FIGURE

FIGURE 17: THIRD PHISHING TRIAL THANK YOU

VITA

Name: Rebecca Long

Place of Birth: Tacoma, Washington

Graduate Schools Attended:

Eastern Washington University

Undergraduate Schools Attended:

Spokane Community College Eastern Washington University

Degrees Awarded: _{Bachelor of Arts in Computer Science, 2006,}

Eastern Washington University

Associate of Arts in Liberal Arts, 2004, Spokane Community College

Associate of Applied Science in Web Development, 2002, Spokane Community College

Honors, Awards, and Memberships:

Agile and Lean Spokane Member, 2012 - Current Systers Member, 2012 - Current

devChix Member, 2012 - Current

Spokane Geek Girls Co-Founder, Spokane, Washington, 2011 – Current

Grace Hopper Conference Hopper, Portland, Oregon, 2011 ACM Professional Member, 2009 - 2010

CRA-W Grad Cohort Workshop, San Francisco, California, 2009

CRA-W Grad Cohort Workshop, Seattle, Washington, 2008 Graduate Service Appointment as Computer Literacy

Instructor, Computer Science Department Eastern Washington University,

2006 - 2008

Google Workshop for Women Engineers, Mountain View, California, 2006

ACM Student Member, 2003 - 2009

Professional Experience:

Software Quality Assurance Engineer, STCU, Liberty Lake, Washington, 2012 – Current

Senior Software Quality Assurance Engineer, NextIT Corp., Spokane, Washington, 2007 - 2012

Spokane, Washington, 2009

Adjunct Instructor, Spokane Community College, Spokane, Washington, 2008 - 2009

Web Developer, AgWebSites,

Spokane, Washington, 2002 - 2004

Publications: _{Tutorial: Usable Security Policies + User Training:}

The Best Method to Counter Social Engineering Attacks, The International Workshop on Infrastructure Assurance, Morioka, Iwate, Japan, 2010

Presentations: _{“Using Phishing to Test Social Engineering Awareness of}

Financial Employees,” Grace Hopper Celebration of Women in Computing

Portland, Oregon, November 2011

“What It Is Like In The Workforce - Things To Know Before You Graduate,” Eastern Washington University ACM Club Meeting,

Cheney, Washington, October 2010

“Social Engineering Awareness in a Financial Institution,” Eastern Washington University - Iwate Prefecture University Workshop, Cheney, Washington, 2010

“Social Engineering Training in a Financial Institution,” Fourth IFIP WG 11.11 International Conference on Trust Management, Morioka, Iwate, Japan, 2010

“Effectiveness of Social Engineering Training in a Financial Institution,” Eastern Washington University Computer Science Department Curriculum Committee, Cheney, Washington, October 2009

“Human Factors and Social Engineering,” CSCD 500

Graduate Student Colloquium, Eastern Washington University Computer Science Department, Cheney, Washington, Fall 2009

“Effectiveness of Social Engineering Training in a Financial Institution,” Eastern Washington University - Iwate Prefecture University Workshop, Spokane, Washington, 2009

“Research into Social Engineering Defenses,” CRA-W Grad Cohort Workshop, San Francisco, California, 2009

“Social Engineering Research Proposal,” Eastern Washington University - Iwate Prefecture University Workshop, Cheney, Washington, 2008

In document Universidad Siglo 21 (página 44-54)