Discussion
Operations Security
For Personal Use of (ISC)2 Seminar Attendee Only.
Contents May Not Be Copied or Otherwise Distributed Under Any Circumstances
© Copyright 2012 – 2013 (ISC)², Inc. All Rights Reserved.
© (ISC)2 ® 2010, All Rights Reserved
CISSP-ISSEP® Bootcamp Seminar v10
Technical Management
Email Security
Know how Email works:
Simple Mail Transfer Protocol (SMTP)
Transmission Control Protocol (TCP)
Post Office Protocol (POP)
Internet Message Access Protocol (IMAP)
Email Security
Simple Mail Transfer Protocol (SMTP)
Simple Mail Transfer Protocol (SMTP) is an Internet standard for electronic mail (email) transmission.
Although proprietary systems (such as Microsoft Exchange and IBM Notes) and webmail systems (such as Outlook.com, Gmail and Yahoo! Mail) use their own non-standard protocols to access mailbox accounts on their own mail servers, all use SMTP when sending or receiving email from outside their own systems.
SMTP Example
Post Office Protocol (POP)
POP allows a user to “pop” email off an email server and download it to a local device
POP generally deletes the email from the server after download
POP is an older way of processing mail
Internet Message Access Protocol (IMAP)
IMAP allows users to store their email on remote servers. This two-way protocol also allows the user to synchronize their email among multiple devices, which is extremely important today, when most people have at least two devices - their laptop and smartphone.
Email Security
“Spoof Email:” To alter the name in the “from” field.
“Phishing Email:” Act of sending spoofed email messages that pretend to originate from a source that the user trusts and has a previous relationship with.
Types of Phishing Emails
Generic Phishing
Aimed at general public or all users of a particular company
Spear Phishing
Aimed specifically at high-level corporate users whose credentials could be used for high-level attacks. Typically appears to come from a user that you think you know.
Whale Phishing
Aimed at wealthier individuals. Because of their relative wealth, if such a user becomes the victim of a phishing attack he can be considered a “big phish,” or, alternately, a whale.
Spam and Phishing Mitigation Techniques
Educate the End User
Implement some type of security awareness training that teaches users how to recognize spam and phishing messages and what to do when they receive one
Work with upper management to require the training at all levels, especially at hire
Personalize Emails
Make a habit of personalizing emails instead of starting with a generic “Hello:” salutation. This reinforces the end users’ instincts when they receive a generic message.
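A defender-side check that makes the “altered From field” definition and the personalization advice concrete. This is an added example, not part of the seminar material: it parses a constructed message with Python’s standard email module and flags a From field that disagrees with Return-Path or Reply-To, a display name that carries a different domain than the real address, and the generic greeting the slide above warns about. All domains and addresses are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (hypothetical domains): a trusted-looking display
# name over mismatched sender fields, plus a generic greeting.
SAMPLE_SPOOF = """\
Return-Path: <bounce@mailer.example.net>
From: "Acme Bank Support" <support@acme-bank.example.com>
Reply-To: <helpdesk@acme-bank-secure.example.org>
To: <jane@corp.example>
Subject: Urgent: verify your account

Hello:
Please confirm your account details at the link below.
"""

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' when absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def check_headers(raw):
    """List indicators that the visible From field may not reflect the real
    sender. Empty list = nothing stood out. A mismatch is a prompt to verify
    out of band, not proof: bulk mailers often use a separate Return-Path."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg["From"])
    # Envelope sender and reply address should normally share the From domain.
    for field in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[field])
        if dom and dom != from_dom:
            findings.append(f"{field} domain {dom} differs from From domain {from_dom}")
    # A display name that itself looks like an address from another domain.
    name, _ = parseaddr(msg["From"] or "")
    shown = re.search(r"@([\w.-]+)", name)
    if shown and shown.group(1).lower() != from_dom:
        findings.append(f"display name shows {shown.group(1)} but address is {from_dom}")
    # Legitimate senders personalize; a generic salutation is a weak signal.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if re.match(r"\s*(hello|dear (customer|user|member))\s*[:,]", body, re.I):
        findings.append("generic greeting instead of a personalized one")
    return findings

if __name__ == "__main__":
    for finding in check_headers(SAMPLE_SPOOF):
        print("-", finding)
```

Each finding is a reason to contact the supposed sender through a known channel rather than to act on the message; none of them alone proves spoofing.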
Spam and Phishing Mitigation Techniques
Authenticate
Include partial data (name, partial account number, partial address, etc.) in the email so the user can confirm their information
Do not break PII rules
Use digital email signatures
Implement Spam Controls
Employ a spam firewall device to check all email before entering your mail system
Purchase a subscription service to keep the settings up to date
Include, modify, and maintain spam controls at the end user’s device level
Spam and Phishing Mitigation Techniques
Beware of Communications
Look for secure web pages (https://....)
Double check the site before entering information
Don’t provide personal information over an incoming phone call
Do not click on links, download files or open attachments in emails from unknown senders
Hover over the link to confirm its identity
Never email personal or financial information, even if you are close with the recipient
You don’t know who is between you and the end user
Spam and Phishing Mitigation Techniques
Beware of PII
If a web page or email asks for lots of PII, beware of that situation
Contact the supposed sender
Check your online accounts and bank statements regularly
End users need to know that their financial information may be at risk if they do not follow these rules
Corporations should also keep a close eye on finances
This Week
Review for Midterm
Case Assignment due Wednesday