MasterCard
Cybersecurity
Skills: Technical Security Awareness, Problem Solving, Design Thinking, Communication, Security Awareness Training, Data Analysis, Data Presentation, Strategy
Background information
You are an analyst in our Security Awareness Team.
Our Chief Security Officer (CSO) relies on our team to help our staff learn how to identify and report security threats to Mastercard.
One of the most common threats organizations face today is phishing. So, what is phishing?
Phishing is the act of pretending to be someone or something else in order to obtain information; in most cases the target is a password.
Attackers may send links or attachments designed to infect the recipient's system with malicious software or lure them into providing financial information, system credentials or other sensitive data.
Successful phishing attempts can cost companies like Mastercard millions of dollars and put our employees at risk. So it’s very important that we keep the business and our staff safe from harm.
At Mastercard, one of the ways we mitigate phishing threats is by educating our people about the risks and how to identify them. An effective way to build awareness is through phishing simulation campaigns:
We test our staff every month by sending a fake phishing email that is made to look like something a bad actor would send.
We use the results of the simulated test to help us design and implement future training.
Background information
As a member of the cyber security division, your team must handle this incident and the team lead has assigned the issue to you. Below is the timeline of events:
The phishing simulation designed in the first task was run last week. So, what’s next?
We’ve used some tools to analyze the results and we can see the failure rate of each department - it is clear that some teams appear more likely to fall for a phishing email than others.
Now that we have these results, we need to:
identify which areas of the business need more awareness about phishing, and
design and implement the appropriate training for those teams to lower our risk of an attack.
This table helps you to identify which teams appear to be more likely to fall for a phishing email than others.
| Team | Email open rate | Email click-through rate | Phishing success rate |
|---|---|---|---|
| IT | 80% | 2% | 0% |
| HR | 100% | 85% | 75% |
| Card Services | 60% | 50% | 10% |
| Reception | 40% | 10% | 0% |
| Engineering | 70% | 4% | 1% |
| Marketing | 65% | 40% | 38% |
| R&D | 50% | 5% | 2% |
| Overall average | 66% | 28% | 18% |
As a cybersecurity generalist at CommBank, it's important to have a basic understanding of penetration testing. Penetration testing is a way to check the security of computer systems and networks by simulating an attack. This helps identify weaknesses in the system and evaluate the effectiveness of security measures. By doing this regularly, organisations can find and fix potential security problems before attackers can exploit them.
In this task, you will be completing the “Basic” web challenge from HackThisSite.org, which is an online platform that provides a safe and legal environment for students like you to improve their cyber security skills through a variety of challenges.
The challenge is divided into 11 levels that range from easy to difficult. The purpose of this challenge is to test your skills and knowledge in identifying vulnerabilities and exploiting them. By completing this challenge, you will gain a better understanding of how to identify and exploit vulnerabilities in web applications. You will also learn how to apply this knowledge to real-world scenarios, which will help you improve your penetration testing skills. How exciting! Look at it like a game that helps you learn about web security.
After completing the challenge, you will need to create a pentest report detailing what you found and learnt, and give recommendations for how to better secure the web application. A penetration testing report is like a summary of the results of a security test. It shows any weaknesses or problems that were found during the test and suggests ways to fix them. This report is important because it helps organisations understand where they need to improve their security and how to do it. It also helps them comply with laws and regulations related to security. In simple terms, a pentest report is like a report card for a company's security and helps them pass security inspections. By having a good security posture, organisations can prevent data breaches, protect sensitive information, and maintain compliance with regulations and industry standards.
Task 1
Design a phishing email simulation
Recreate and improve the obvious fake email to make it more believable. Remember the end goal is to encourage the user to click on the link.
To create a ‘good’ phishing email, you should:
Add some context at the beginning - make it relevant to a Mastercard employee
Mask the hyperlink within text
Use correct spelling and grammar
Add points of legitimacy
Once you've submitted your email, we'll show you an example of a good phishing email.
Here is the obvious fake:
From: mastercardsIT@gmail.com
To: employee@email.com
Subject: URGENT! Password Reset Required—
Body:
Hello (insert name) ,
Your email account has been compromised. immediate action is required to reset your password!
Click here to reset your password in the next hour or your account will be locked: [https://en.wikipedia.org/wiki/Phishing](https://en.wikipedia.org/wiki/Phishing)
Regards,Mastercard IT
REPLY
From: IT-support@mаstercаrd.com
To: [employee@email.com]
Subject: Immediate Action Required: Security Alert - Password Reset
Dear [Employee Name],
We have detected unusual activity on your account linked to your corporate email. As part of our ongoing efforts to protect Mastercard employees from unauthorized access and phishing attempts, we are implementing a mandatory security review.
To ensure the security of your account, please reset your password by following the secure link below. This action is required to maintain uninterrupted access to your work tools and prevent any unauthorized login attempts.
For your security, the password reset must be completed within the next 24 hours. Failure to act may result in temporary suspension of your account access for further investigation.
Reset Your Password Now (malicious link)
If you believe this message was sent in error or if you encounter any issues, please contact IT support immediately via our secure internal platform.
Thank you for your attention to this urgent matter.
Best regards,
Mastercard IT Security Team
Mastercard Inc.
Phone: +1 800-123-4567
Support Portal: Mastercard Employee Support (malicious link)
[MasterCard logo]
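The two senders shown above illustrate the red flags an awareness team wants staff (and mail filters) to catch: a free-mail address carrying the brand name in the obvious fake, and a Cyrillic-homoglyph lookalike of the corporate domain in the reply. As an added example, not part of the course material, the check below surfaces both; the PROTECTED_DOMAINS, FREE_MAIL and CONFUSABLES tables are constructed assumptions and deliberately not exhaustive.

```python
"""Flag sender red flags in a From: address (added example, not course material)."""
import unicodedata

# Constructed assumption: domains the organisation owns and wants protected.
PROTECTED_DOMAINS = {"mastercard.com"}
# Constructed assumption: free-mail providers corporate IT would never send from.
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
# Cyrillic letters that render like Latin ones; deliberately not exhaustive.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i"}


def skeleton(domain: str) -> str:
    """Fold lookalike characters to their Latin twins so domains can be compared."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain.lower())


def sender_flags(address: str) -> list[str]:
    """Return the red flags found in a From: address; an empty list means none."""
    flags = []
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        return ["malformed address"]
    domain = domain.lower()
    if domain in FREE_MAIL:
        flags.append("free-mail provider used for an internal IT notice")
    if not domain.isascii():
        # Mixed scripts inside one domain are the classic homoglyph tell.
        scripts = sorted({unicodedata.name(ch).split()[0] for ch in domain if ch.isalpha()})
        try:
            ace = domain.encode("idna").decode("ascii")  # what the mail server really sees
        except UnicodeError:
            ace = "n/a"
        flags.append(f"non-ASCII domain, scripts={scripts}, punycode={ace}")
    folded = skeleton(domain)
    if domain not in PROTECTED_DOMAINS and folded in PROTECTED_DOMAINS:
        flags.append(f"lookalike of protected domain {folded}")
    for brand in PROTECTED_DOMAINS:
        name = brand.split(".")[0]
        if name in local.lower() and domain not in PROTECTED_DOMAINS:
            flags.append(f"brand name '{name}' in mailbox but domain is {domain}")
    return flags


if __name__ == "__main__":
    # Constructed samples matching the two senders shown on this page plus a clean one.
    for addr in ("mastercardsIT@gmail.com", "IT-support@m\u0430sterc\u0430rd.com",
                 "it-support@mastercard.com"):
        print(addr, "->", sender_flags(addr) or ["no flags"])
```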
Task 2
Interpret phishing simulation results
Which teams performed poorly in the phishing simulation?
HR and Marketing teams
Create a short presentation (3-5 slides) providing some awareness and training materials for the two teams that appear to be most susceptible
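An added example, not from the course: the simulation table loaded into Python to confirm the overall-average row, rank teams by phishing success rate against that average, and show the per-stage conversion that explains why Card Services, despite a 50% click rate, submitted credentials far less often than HR or Marketing. The numbers are copied from the table above; the threshold choice (overall average) is an assumption.

```python
"""Rank teams from the phishing simulation results (added example, not course material)."""
from statistics import mean

# Copied from the results table: (team, open %, click-through %, phishing success %).
RESULTS = [
    ("IT", 80, 2, 0), ("HR", 100, 85, 75), ("Card Services", 60, 50, 10),
    ("Reception", 40, 10, 0), ("Engineering", 70, 4, 1),
    ("Marketing", 65, 40, 38), ("R&D", 50, 5, 2),
]


def overall_average(results=RESULTS) -> tuple[int, int, int]:
    """Unweighted mean of each column, rounded the way the table shows it."""
    return tuple(round(mean(row[i] for row in results)) for i in (1, 2, 3))


def funnel(results=RESULTS) -> dict[str, dict[str, int]]:
    """Per-team conversion between stages: openers who clicked, clickers who submitted."""
    out = {}
    for team, opened, clicked, success in results:
        out[team] = {
            "click_given_open": round(100 * clicked / opened) if opened else 0,
            "submit_given_click": round(100 * success / clicked) if clicked else 0,
        }
    return out


def teams_needing_training(results=RESULTS, threshold=None) -> list[str]:
    """Teams whose phishing success rate exceeds the threshold, worst first.

    Assumption: the threshold defaults to the overall-average success rate.
    """
    if threshold is None:
        threshold = overall_average(results)[2]
    above = [(team, s) for team, _, _, s in results if s > threshold]
    return [team for team, _ in sorted(above, key=lambda t: -t[1])]


if __name__ == "__main__":
    print("overall average (open, click, success):", overall_average())
    print("teams above average:", teams_needing_training())
    for team, stages in funnel().items():
        print(f"{team:14} click|open={stages['click_given_open']:3}%"
              f"  submit|click={stages['submit_given_click']:3}%")
```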