Then we'll get launched here. Go for it. Welcome, everyone, to session number six of Become a Cyber Security Ninja: Gone Phishing. Today we're going to be talking about phishing, social engineering, and ransomware. Thank you so much to those of you who have come today. I am Joshua Peske. I am, of course, here with Ben Gardner, and we are going to get under way with today's session on social engineering. By the way, we're now officially halfway through our ninja plan. So if you have attended all five of these sessions, you are officially half a ninja. Congratulations on that. Next week, I've just updated the title. Sorry, not next week, in two weeks. It's not going to be "Digital Privacy." Well, it is digital privacy, but the title will be "A Little Privacy, Please." That will be April 18th, and we will have a guest for that one; you'll see that in the emails that will come out. I, of course, am Joshua Peske, the Vice President of Technology Strategy for Roundtable Technology. Roundtable Technology provides services to nonprofits and small businesses all around the country, really, but predominantly in New York City and in Maine, and that just has to do with the history of our organization. Our learning objectives today: what social engineering is and how it works; how phishing works (phishing is a subtype of social engineering); the different types of phishing that can be used; ransomware; a checklist of best practices for how to protect yourself and your organization from all of these different things, as we always have with each of these sessions; and resources for further learning. And without further ado, we're going to get into our first poll. So, Ben, on these ones, wait until we see the website, leave it up for 10 seconds, and then we'll launch the poll, okay? I'll let you know when to launch on these. Here we go. So here's how this is going to work. We're going to have four of these throughout the webinar today.
We're going to play a little game. This is the first webinar where we have a nice game for everybody. It's called Phish or Not a Phish. I'm going to show you a website. I'm going to leave it up for about 10 seconds, and then we're going to shoot you a poll and we're going to ask you to say phish or not a phish. Just a quick note: you'll notice a little watermark that says PhishTank across the side of some of them. That is not indicative of whether in fact it is a phish or not. That's just where I pulled some of these images from, so please ignore that. And without further ado, let's take a look at our first website. We're going to leave this up for about 10 seconds, and then I will have Ben launch the poll. So everybody take a look at this website. Decide whether you think this American Airlines website is a legitimate website or whether this is a phish. And then go ahead and launch that first poll for me. Everybody go ahead and pick: is that a phish or is that not a phish? Let's see what people think. We've got about 60% voted; other folks are still thinking. I'll give everybody a few more seconds and see if anybody else wants to respond. All right, let's go ahead and close that poll and show the results for me. So 56% of people think that's a phish and 44% say not a phish, that's a legitimate website. Go ahead and close that up then, and let's take a look here. That was in fact a phish; that was a fraudulent website. Why was that a fraudulent website? Part of the goal today, as I was talking with Ben because we were here early, is this: I do this training a couple of times a week at this point because of all the different projects I'm doing, and by the end of this little session today, I'm hoping that people will be able to get this with 100% accuracy. So no pressure, everybody, but that's my goal: that no one will get fooled by the next one. And another thing to point out is, if you got fooled, please don't feel bad. Everybody gets fooled.
This is why these phishing attacks keep working and working and working and working. Everybody can be fooled. The CEO of a cybersecurity company that is also a government contractor was phished into providing the W-2s for about 200 employees within the last two weeks. The CEO of a cybersecurity firm. So anybody can be fooled. Two things to look at here. One, it's a login page, and we would like a login page generally to be secure, meaning we'd have HTTPS in front of it. The fact that it doesn't have that here means it's not a secure login. That's something to look out for. The other thing is the URL. If you read the website address from right to left instead of from left to right and look at where the last ".com" is, that's the actual website you're at. So the website you're at is not aa.com. It's airlines a-a-m-e-b-e-r.com. For those people who know what they're looking for, this is a fairly easy one to spot because of that misspelling of the domain name. But if you don't know what you're looking for, obviously that doesn't help you at all. So those are two things to really look out for here, and with that we will move on. Let's talk about social engineering. Phishing is a form of social engineering. Social engineering has been around literally for thousands of years: this way of exploiting the human instinct to help. That's one of the things that's so upsetting but also so effective about social engineering, that it manipulates our instinct to help other people. And it is a tremendous threat to organizations. Social engineering is perhaps the biggest threat to the cybersecurity of organizations. Every major breach that I can easily bring to mind, including the DNC breach that impacted the election, traced back to phishing and/or social engineering. It is by far the biggest way that your organization's information is going to be compromised.
How social engineering works is that someone gets in touch with you in some way and tries to get you to do something. I want everybody to be on the lookout for these different characteristics of a social engineering attack, and as these start to mount up and accumulate, you should become more and more suspicious that something fishy is going on. So let's start with initiation. You don't initiate this thing; this thing comes to you. You get an email, you get a phone call, someone walks into your office: someone else initiates the interaction. You don't walk into the Verizon store and say, "I'd like help with my iPhone." A Verizon representative shows up at your office and says, "I'd like to help you with your iPhone," right? That's a big difference in how that happened. So, initiation. The second thing, and this is a big one, is urgency. This needs to be resolved right now. The easiest example, because it works so well for all of these, is the IRS phone call. I don't know if anybody's been either victimized or attempted to be victimized by one of these, but it's a fairly common thing at this point where you'll get a phone call from someone who is, big air quotes, "from the IRS." They will say something like, "You are in arrears on your tax payments over the last three or four years and you're subject to prosecution for tax evasion. If you're willing to pay this $1,100 fine by credit card right now, then we can get this cleared up for you. If you refuse to do this, then you will be prosecuted and may be subject to fines in the tens of thousands of dollars or even jail time." Sounds really scary. What they're doing: they initiated, they called. They're giving me urgency: you have to do it right now. They're giving you fear: if you don't do this, something really bad will happen to you. They're giving you authority: we are the IRS. And they want money from you; they're trying to get money out of you. All of those things added up should be screaming really loud and clear.
This is almost certainly a scam or a social engineer. Someone is trying to work me. Other things that can trigger that are requests for information that are not appropriate, especially over the phone, especially from someone you don't know. This is something Roundtable certainly struggles with, or works to defend ourselves against. We have thousands of people, and any one of them could call and say, "I need the credentials for this particular account," or "I need this reset." Our staff have to be trained regularly to verify these requests and make sure that they're appropriately responding to them. And again, the W-2 scam: if someone emails and says, "I need the W-2s for all your employees," well, those W-2s contain all sorts of sensitive information about those employees. So that's a request that needs to be verified. The most basic defense against social engineering is the simple act of verification. Independently verify where this request is coming from through some other channel, a means of your own. That's the best advice I can give you. If anyone has any questions, by the way, go ahead and throw them into the questions box. I'm happy to try to address them either over the course of the webinar or later. But with that, I do want to move on. We're going to take our next Phish or Not a Phish. Everybody gets a chance here. Here's another site. Go ahead and take a look at this. We'll leave this up for about 10 seconds and let everybody get a nice, hard look at it. I'd like people to decide whether they think this is a phish or whether this is a legitimate website, and I'll see how everybody does on this. We'll leave it up for just a couple more seconds. Ben, can you go ahead and launch the poll for me? All right, so everybody tell me: this ConEd website, is this a phish or is this not a phish? Let everybody vote; give it a few more seconds. See if anybody else wants to squeeze a vote in. All right, Ben, go ahead and show us the results.
92% of our respondents believe that this is a legitimate website and only 8% believe it is a phish. Ben, go ahead and close that up, and let's take a look. That is not a phish. And if anyone wonders why I have a picture of a whale there, I guess you just have to look it up. The whale's a mammal, not a fish. I keep trying to find a good picture for "not a phish." Hopefully people find that one somewhat amusing. But that was a legitimate website; that was the actual ConEd website. So let's talk a little bit about phishing. This cartoon, for those of you who are into meta humor, is funny on a variety of levels. Anyway, the person who wants to go get a fishing license, the fish, got phished by the people and got arrested for that. It's kind of a meta joke. Hopefully someone out there thinks that's funny. Phishing is the attempt to acquire sensitive information, or get money, or things like that, usually via email. But I want to be really clear, and I'm seeing this in all sorts of ways: phishing attacks can come in via all sorts of means. I'm seeing them happen via Skype. I'm seeing them happen via chat. I'm seeing them happen via text. People have probably received texts that try to get you to click on some link, try to get you to take some action. Any communications channel, especially if it's digital but not exclusively, is a potential vector for someone to try and phish you. That takes us back to this idea of social engineering and being aware of how it's going to work. Again, that idea that someone is going to initiate something with you and try to get you to take some action quickly. The bigger danger is just clicking on links, especially if you are vulnerable in other ways, meaning you're on unpatched systems or with unpatched software. Even just clicking on a malicious link from a phishing email can result in bad things happening, and that's what we're going to talk about a little bit as we move on.
This is an example of what's known as a spear phish. A more general phish is where someone has emailed thousands of people and tries to get them to click on a link or put in some credentials or take some action. A spear phish is where there's a little bit of research, or smarter software, being used to generate a specific email to a specific person from another specific person, using information that can be known about those parties. So if I can go on to Roundtable's website and see that Evan is the president and that Ben is in charge of finance, because his title is Sales and Finance Administrator, then I can craft a spoofed email from Evan the president to Ben who's in charge of finance and try to get Ben to wire out some money, if Ben does not follow our verification or we don't have our controls in there. Yeah, sorry, Ben, what is your title? I'm so sorry. Sorry, I'm just being pedantic. Sales and finance admin, right? Sales and Finance Administrator, yeah. I just said, in the middle of the webinar, I can pull it up: my Sales and Finance Administrator. So I could go on the website and find that out. Sorry, Ben. But if I can craft that email and Ben doesn't follow this idea of verification, which is to pick up the phone and call Evan, and he knows what Evan sounds like, so that's a nice easy verification, then that's a potential exploit. So that's an example of a spear phish. There are lots of other ways that that can happen. Let me back up. If you're a small organization where everybody knows what everybody sounds like over the phone, or you all work in the same office and you can walk in and say hi to somebody, then the verification is really easy. You just pick up the phone, you talk to the person. If you're a many-hundreds- or thousands-person organization where you might not know what the person sounds like, that can become a little bit harder.
However, let's say we're a thousand-person organization and Ben gets an email from Evan. He can still pick up the phone and call Evan. That is an independent verification happening over a different channel. He got an email, but then he places a phone call himself. Now what the attackers would have to do to still exploit him would be to reroute that phone call to someone who isn't Evan, hope that Ben doesn't actually know what Evan sounds like, and then have whoever answers the phone verify the transaction. That's a much higher bar for an attacker to clear. So even if you didn't know what Evan sounds like, that verification step, especially through a different channel, not just emailing back and saying, "Hey Evan, did you really mean for me to do this?" but calling him or texting him or using some different channel, is a really good way to try to verify that. Our third Phish or Not a Phish. This one's a little bit different. We're going to look at an email message. So here is an email message from IT at Roundtable Technology about a password reset. I'm going to give everybody a few seconds to look at this, and then we're going to pop up our Phish or Not a Phish quiz. Go ahead and throw that up there and let's see what people think. Do you think this is a legitimate email or is this a phish? We've got a bunch of votes in here, but they're still coming in. Give it just a few more seconds; see if everybody wants to get a vote in. Don't be afraid, there's no consequence for being wrong here. We're all among friends. I'm not going to give everybody a report card on this. Okay, let's go ahead and show the results then. Wow, we got a very even mathematical breakdown here. So 75% believe it's a phish and a quarter of us believe that was a legitimate email. Take a look. That was a phish; that was a phishing email. Why was that a phishing email?
I created this little GIF so we can watch this. I don't know how well this is going to show up on people's screens, but as you watch the mouse move through these different things, you'll see that IT@roundtabletechnology.com is a legitimate email address, but it happens to not be an actual email address that we use; that's new. The sense of urgency would be the big red flag for me: "Change your Office 365 password immediately." That "immediately" gets that spidey sense tingling. The "Dear user" would be another big red flag, in that they didn't even know my first name. Most good phishing attacks will at least have mail-merge capability and will use your first name, but sometimes they won't. And then, whenever there are links in emails like this, you always want to hover over them and take a good hard look at the URL it's sending you to and see if it in fact seems legitimate. But your best bet when you get an email like this would be to just not even click it at all, just throw it in the trash, and then go on your own to your Office 365 website, log in, and see if there are any administrative messages or anything there that would suggest that you need to change your password. That would be the best way to do it. Or just contact your IT administrator and say, "Hey, I got this, is this legitimate on any level?" And with that, we're going to talk a little bit about ransomware. What this is, this little ad you're looking at: I was going to play a little bit of the video, but I decided to spare everybody the horrors of it. It's about five minutes; if anyone wants it, I can give you a link to it. I think you can Google "Philadelphia ransomware," and there's an actual YouTube video that you can go find and watch that is an ad for ransomware.
Meaning, if you wanted to, and I want to be very clear, in case anybody would think otherwise, I'm not suggesting that I want to slip into this, but if anyone wanted to start a ransomware business and go and start infecting folks with ransomware and extorting money from them, this is an ad to go and purchase the software that would allow you to do that. It's about a five-minute walkthrough of how the software works. It shows a map of all the places where the ransomware attacks are running, how much money is coming in, how much time is left in each of the ransomware attacks, and things like that. It's pretty horrifying in the sense that that's now being sold; people have gotten into the business not only of ransomware itself, but of selling the software that allows anyone to start their own ransomware business. From everything that I've read, and every cybersecurity person I know, ransomware was over a billion-dollar business in 2016. It is expected to grow substantially in 2017. This is a massive, massive industry. "Josh, it's not an exception, it's fundraising." Now, I think it's illegal, yeah, I think it's illegal. I think it's good, right, I think it starts it, yeah. All right, okay. What does it look like when you get ransomware? This is one example, which is a very, very common one, called CryptoLocker. Ransomware can cause all sorts of different panics for people, and essentially, in its most basic form, here's what happens. I have a computer and I have files on that computer, and I open up a link, and I am not patched for that particular malware, that ransomware exploit that's there. The ransomware runs, the exploit runs on my computer, and it goes and locks up all the files on my computer. All my family photos, all my Word documents, my letters to grandma, my email, everything like that is all encrypted and nothing works. And I just see this message.
This message says, until you pay in Bitcoin. Some of the advanced ones actually give you, because they assume that a person might not know how to pay in Bitcoin, a very helpful walkthrough. A lot of the ransomware, I don't even know what to call them, companies actually have support lines where you can go and get help on how to get your Bitcoin account set up, how to transfer money to them via Bitcoin, and then how to use the key that they gave you to decrypt your files. Again, big business, and so all the things that come around that kind of big business. And they give you that very, very scary-looking time range, because this is how long you have left. After that, either it will get more expensive to get your data unlocked or you won't be able to unlock it anymore. It is obviously horrifying if you've never been through it, and if you don't have really good backups of your data, it can be potentially very devastating to you. If this happens on a network, the extent of the damage will depend on who gets hit with the ransomware and the level of access they have, both to the network in general, in terms of privileges to install software and things of that nature, and then of course also to the files that they have access to, and on the level of sophistication of that particular ransomware. It can range anywhere from encrypting just the files in that person's user folder or on their own computer, which wouldn't be too bad, all the way up to encrypting literally everything on the whole network if the network is pretty open and the person has a lot of access. If you're an organization, that can obviously be very, very devastating to you. And again, even if you have backups, this can be very disruptive, because your access to your files is disrupted until such time as you can restore from backups and, of course, clear the ransomware infection.
There is a new site called nomoreransom.org, and they have some resources that can help you decrypt. They actually provide decryption tools that you can use to decrypt your data, and they continuously update them to try to stay ahead of the malware people. They're trying to disrupt the malware business by providing these tools so that people don't have to pay, because if people stop paying because they can decrypt it for free, then it ceases to be a good business model and it will stop happening as much. Obviously prevention is better, but if you do wind up, either personally or as an organization, suffering a ransomware attack, this is a not-bad place to go take a look and see if you can get some help decrypting those files. Key success factors around this. One, and if we go back a little bit, training your folks. There are, and I have links to a few of them later, some services that will allow you to phish your own staff. The one that I'm most familiar with is KnowBe4, and the GIF that I showed here is from KnowBe4. So this is a sample message that they let you phish your staff with. If anyone wants to try this, they do offer a free trial that actually lets you phish your staff.
It does require a bit of technical awareness, because you have to whitelist, but you can actually periodically phish your own staff, and if they fall for the phish, you both collect data about what percentage of your staff are getting fooled, or are clicking on links, or are providing credentials through these emails, and you can also route the staff into appropriate training resources so that they are less likely to fall for similar kinds of phishing attacks in the future. And simply the fact that staff know that they are being phished by their own organization will obviously have an impact on their awareness and mindfulness about clicking on things. That helps by itself, whether or not the training is even effective; just the fact that staff know they're getting phished is certainly going to increase the likelihood that they'll not fall for something. So, training your folks, and obviously providing a link to this webinar, which is just half an hour and free, is something you can certainly do. Having really good backups, preferably cloud-based backups. CrashPlan PRO is a place that I always tell people to go, because they have unlimited backups for $10 a month. It's a very small price to pay. Their backups are absolutely protected from ransomware. Just make sure you keep the administrative passwords for your CrashPlan account different from any credentials that are connected to your network accounts, and your CrashPlan backups will be safe. That's true of any backup system; any good backup system that you use, especially if it's cloud-based, is going to give you good protection against ransomware. Other best practices are things that we've talked about in previous webinars. You could certainly look at our Basic Network Security session, which was session number two. Lots there about patch management and keeping your network safe, account hygiene, and general network security and access control.
What we mean by account hygiene is not having a whole bunch of accounts that are no longer active within the organization. We saw one organization get ransomware due to two different problems here. One is that they had some open ports on their firewall that they didn't need to have anymore; they were a legacy leftover from when they used to remote in to a particular application. And then they also had some old accounts, one of which was an administrative account, that were no longer used. One of those had a weak password, and basically the attacker brute-forced the weak password for one of those administrative accounts, was then able to log into the network, and simply installed the ransomware themselves. So no one in their organization fell for a phishing email, and they were actually not doing too badly on patch management, but because they missed that account hygiene and the network security of closing unneeded ports, they were able to be compromised. That's a fairly rare thing. I haven't heard of too many instances of that, but I do know at least one client that it happened to, exactly that way. And then of course access controls: people not having access to any more information than they need to have access to. Our last one, our last Phish or Not a Phish. I'm hoping for a hundred percent. We haven't gotten a hundred percent on any of these, so this is one I'm hoping we get. Everybody take a look at this website; we'll leave this up just for a few seconds. Hopefully by this time everybody's pretty confident about their choice on this one. Ben, go ahead and launch it. I'd like everybody to tell me: is this a phish or is this not a phish? We'll leave that open a few seconds. Let me know whether you think this is a legitimate website or whether this is a fraudulent website. Ben, let's go ahead and show the results.
So, the very first one, and I always enjoy this, and this is very self-serving because obviously I'm the one training: the first one that we did, the American Airlines one, is ranked as a slightly easier one to identify than this Twitter one that we showed just now. But when we showed the American Airlines one at the beginning of the webinar today, we were about 50-50, if memory serves; I think it was 56 and 44. So almost half of the folks got fooled. And now this one, which is slightly more difficult according to that test, we got a hundred percent of people identifying it. That shows you that this is not incredibly difficult stuff, or that I'm just the most spectacular teacher that's ever been, but we could say both are true. This is stuff that you can understand, right? You can learn some basic things to help you identify these and not get fooled by them. So great job, everybody. Thank you for that, Ben. Let's go ahead and close that up. And that was a phish. All right, so some of the phish testing services that I talked about: KnowBe4. The little screenshot I showed you of the Office 365 email was straight from KnowBe4's training, so thank you, KnowBe4, for providing that. PhishMe is another one, Wombat Security. There's also SANS; they have a project called Secure the Human and they offer some phish training there. In terms of pricing, these things are not massively expensive. And by the way, we can actually resell KnowBe4, so if anybody's interested in working with that and would like to work with Roundtable on it, we would be happy to sell that to you, but I'm trying to keep these webinars from being super sales-y. I will say that one thing, though. They typically are, depending on the level of service you want, between $20 and $50 per person per year. So not massively expensive services, and some of them can get all the way down to even like $5 per person per year. And there's a limited amount that you can do for free, but it is quite limited.
I also provide a link to some additional ransomware resources. "The Executive Guide to Ransomware" just came out a couple of weeks ago. It's a very nice overview of ransomware if anyone wants something that they can share with their executives, or a decent quick read for themselves. And then of course the link to No More Ransom. Our next session will be "A Little Privacy, Please." We're going to be talking about digital privacy: using VPNs, restricting how much metadata you share with the world, social sharing and things of that nature, and just how to keep a little bit more privacy. That'll be on April 18th at the same time, 2 p.m., and that'll be our next ninja session. With that, we'll open it up for questions. If anyone has any questions, by all means please pop them in. Let's see; I just realized I didn't even have the questions pane open the whole time, so let me take a look here. All right. Someone asked, "Sweet, I'm a half ninja, is there a belting ceremony?" So, for the 10th session, which is all the way out on, I think, May 31st if memory serves, the whole session is going to be a test. We're going to be launching little questions, giving you answers to choose from, and everyone who aces the test will get an official Roundtable cybersecurity ninja certificate, and you will also get a choice of a few different security prizes. We'll offer people YubiKeys; I think we're going to offer a Canary security system; we have a whole list of things I'll mention then. So yes, you will get an actual certificate. You will have to ace that last test, and it's not going to be easy. I won't make it crazy hard, but it won't be easy. Other questions, let me see. "Do you suggest people pay the ransom? Do the bad guys keep their word and release the data?"
This is the number one question around ransomware, and the best thing I can say is that you want to do everything you can to avoid paying the ransom. Obviously, by paying the ransom you have no idea who you're giving money to, right? You could literally be giving money to people who are supporting terrorist organizations; more likely you're just giving money to criminals, your basic run-of-the-mill criminals. But you're funding additional crime, and you're obviously encouraging them to continue this business model by paying that ransom, and that's something we prefer not to do. On the other hand, if they're going to charge you a thousand dollars and the data's worth $10,000 to you, and you didn't have good backups, and you can't decrypt it with the tools from No More Ransom, and you really have no other recourse, I'm not going to tell you not to pay it. You have to make that decision yourself. That's probably the best answer I can give to that question. It is a very common question. If anyone's concerned about whether you're going to wind up on some watch list for funding terrorist activities by paying the ransom, I have not heard of any instance of that happening. The last I checked on the FBI website, they discouraged people from paying ransoms but did not say it was illegal to do so, and that's basically where that's at. If anyone knows anything more up to date on that, by all means please update me, but that is my answer on it. Any other questions? Otherwise I think we will wrap it up today. Finished right on time, a nice little half an hour. All right, we'll hopefully see everybody back in two weeks. Thank you, Ben, thank you everybody else, and we'll see you back in two weeks.
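The checks Josh walks through in the two quiz post-mortems (read the hostname right to left to find the site you are really on, expect HTTPS on a login page, look for a generic greeting and urgency language, and hover over links to compare the displayed text with the real target) can be written down as a small triage script. The code below is an added example for this transcript; it is not code from the webinar, from KnowBe4, or from Roundtable Technology. The brand list, the "mailboxes we actually use" list, the two-label domain rule, and every sample URL and email are constructed for illustration. It goes slightly beyond the talk by also flagging a sender that is on your own domain but is not a mailbox you use, which is the tell in the Office 365 sample.

```python
"""Heuristic phish-or-not-a-phish checks for login URLs and password-reset emails.

Added example for this transcript; not the webinar's, KnowBe4's or Roundtable's code.
All lists and sample inputs are constructed (assumption) for illustration.
"""
import re
from urllib.parse import urlparse

# Assumption: brand -> registrable domain. A real deployment would use the
# public-suffix list and a maintained brand list instead of this stub.
BRAND_DOMAINS = {"aa.com": "American Airlines", "coned.com": "ConEd"}

URGENCY_PHRASES = ("immediately", "right now", "within 24 hours", "will be suspended", "urgent")
GENERIC_GREETINGS = ("dear user", "dear customer", "dear member", "dear account holder")

# Display text that looks like a URL, so it can be compared with the real href
URL_LIKE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


def registrable_domain(host: str) -> str:
    """Read the hostname right to left: the last two labels are the site you are
    really on (assumption: no multi-label public suffixes such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def url_findings(url: str, expected_domain: str = "") -> list:
    """Red flags for a login URL; an empty list means none of these checks fired."""
    findings = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    actual = registrable_domain(host)
    if parsed.scheme != "https":
        findings.append("login page is not served over HTTPS")
    if expected_domain and actual != expected_domain.lower():
        findings.append(f"you are on {actual}, not {expected_domain}")
    # A real brand domain buried in the hostname or path of some other domain
    haystack = host + parsed.path.lower()
    for brand_domain, brand in BRAND_DOMAINS.items():
        if actual != brand_domain and brand_domain in haystack:
            findings.append(f"'{brand_domain}' ({brand}) appears inside a URL on {actual}")
    return findings


def email_findings(sender: str, body: str, links, known_mailboxes, my_domain: str,
                   expected_link_domains) -> list:
    """Red flags for a password-reset style email.

    links: (displayed_text, href) pairs, i.e. what hovering over each link shows.
    known_mailboxes: addresses on my_domain that actually send mail.
    expected_link_domains: registrable domains a legitimate link may point to."""
    findings = []
    sender = sender.lower()
    sender_domain = sender.split("@")[-1]
    if sender_domain != my_domain.lower():
        findings.append(f"sender domain {sender_domain} is not {my_domain}")
    elif sender not in {m.lower() for m in known_mailboxes}:
        findings.append(f"{sender} is on our domain but is not a mailbox we use")
    text = body.lower()
    if any(g in text for g in GENERIC_GREETINGS):
        findings.append("generic greeting instead of your name")
    if any(p in text for p in URGENCY_PHRASES):
        findings.append("urgency language")
    allowed = {d.lower() for d in expected_link_domains}
    for shown, href in links:
        target = registrable_domain(urlparse(href).hostname or "")
        if target not in allowed:
            findings.append(f"link goes to {target}, which is not an expected domain")
        m = URL_LIKE.match(shown.strip())
        if m and registrable_domain(m.group(1)) != target:
            findings.append(f"displayed link {shown.strip()} hides real target {target}")
    return findings


def verdict(findings) -> str:
    return "phish" if findings else "not a phish"


if __name__ == "__main__":
    # Constructed samples modelled on the webinar's quiz items
    for url, expect in [("http://www.aa.com.airlines-login.net/login", "aa.com"),
                        ("https://www.coned.com/en/login", "coned.com")]:
        print(url, "->", verdict(url_findings(url, expect)), url_findings(url, expect))
    f = email_findings("IT@roundtabletechnology.com",
                       "Dear user, change your Office 365 password immediately.",
                       [("portal.office.com", "https://login.office365-reset.net/x")],
                       {"helpdesk@roundtabletechnology.com"}, "roundtabletechnology.com",
                       {"roundtabletechnology.com", "office.com", "microsoftonline.com"})
    print(verdict(f), f)
```

The script only encodes the tells from the talk; a clean result is not proof an email is legitimate, and the advice to verify over a second channel (call the sender, or go to the portal yourself) still applies.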