Educause Security Discussion mailing list archives
Re: phishing irony
From: Zach Jansen <zjanse20 () CALVIN EDU>
Date: Fri, 13 Feb 2009 11:42:06 -0500
We did this a few months ago in an attempt to reach a broader group of people in our anti-phishing education efforts. Like most of you we've put up posters, sent emails both direct and broadcast, etc. in an attempt to educate folks about the need to keep their institutional passwords to themselves. The only education method I found relatively (and measurably) effective was emailing people who had fallen for attacks. Most people didn't fall for an attack twice after I pointed out to them what they had done. Nicely, of course.

Sending out a fake phishing attack was a natural next step in educating folks about phishing, as we could educate those likely to fall for attacks before the attackers did. We did it as part of Cyber Security Awareness Month after sending out the usual forms of education about phishing and password sharing, just to make sure everyone had a chance to be educated on their own before we sent out the email.

The hardest part of the whole exercise was getting buy-in. What made it easier to get buy-in was pointing out that there was nothing in the exercise that wasn't already being done to our users on a regular basis by phishers. What we did was very similar to the phishing emails educational institutions have been getting for the last year or so. The fake phishing email itself was pretty easy to set up. I used a non-edu domain to set up a web page which looked like one of our login pages and sent an email to our users "from" an entity on our campus (forged, just like the phishing emails we've been getting). The email contained a good sampling of the kinds of grammatical and spelling errors frequently seen in phishing emails. The web page redirected to an educational page explaining what had happened, and had a nice graphic from our anti-phishing training and a summary of what the signs were that the email was a phishing attack.
We kept statistics of the number of people who responded and were able to develop some demographic data as well, which was very interesting. We made no effort to single out any of the "victims" for further education; we figured the web page would be enough and didn't want to rub in the victim feeling. I think that's important.

The issue of trust with respect to this exercise has been discussed quite a bit, with those choosing not to implement this kind of exercise generally stating that they chose not to because they were afraid of losing trust with their users. Statements such as "IT will never ask you for your password" are thrown around. However, I suggest that statement is not true. "IT SHOULD never ask you for your password" is more correct, and "You should never share your password" is correct. Training efforts should be training our staff/students/faculty on how to react appropriately to situations that may arise in the real world. In an ideal world nobody (not even IT attempting a legitimate support function) will ever ask for someone else's password; in reality it happens all the time. We chose to train people here on how to react to real world situations, such as someone asking for their password.

That said, you have to evaluate for your own institution whether this is an effective exercise. Maybe your faculty/staff/students will be so deeply offended it will prevent you from being effective in other areas. There may be cultural reasons for that, but we didn't run into that here. Having done the exercise I can understand not wanting to do it at another institution. It may not be appropriate or necessary there. However, I have been pleased with the results here and hope it will be proven an effective method for training on phishing. I can't say whether this has improved phishing education here as I don't have any hard data to show improvement.
These appear to be relevant companies selling this kind of training as a service, though I don't have experience with the companies; the Wombat Security folks appear to be a spin-off from the Anti-Phishing Phil group.

http://www.phishme.com/
http://wombatsecurity.com

Zach

--
Zach Jansen
Information Security Officer
Calvin College
Phone: 616.526.6776
Fax: 616.526.8550
On 2/12/2009 at 10:45 AM, in message <012501c98d28$e345a3d0$a9d0eb70$@com>,
Ozzie Paez <ozpaez () SPRYNET COM> wrote:
One of the more useful and interesting approaches to awareness and training that I have seen involved a company that would come into the organization and create a fake web site that looked similar to the real one. They would then send out phishing messages to the 'target' population and track the response. When someone used the fake link to log on, they would get a message telling them in a nice, funny, serious (pick your style) way that they 'got phished'; the message would explain the implications, policies and provide a training link. The statistics from the program would then be provided to the client so that they could track how well their users were doing in avoiding phishing attacks. While I could not independently verify it, they claimed that the approach improved the effectiveness of security training in this area by over 85%. Anyway, this sounds like a fairly simple and low cost method to assess how well users are doing avoiding phishing attacks and for measuring training performance. My guess is that it could also be done in-house without much effort.

Ozzie Paez
SSE/CISSP
SAIC
303-332-5363
Email/IM: jesse.thompson () doit wisc edu
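The landing page in Zach's exercise summarised the signs that gave the email away: a sender forged to look like a campus entity and a login link hosted on a non-edu domain. The script below, added here as an example and not code from either post, turns those two signs into a small triage check a helpdesk or mail admin could run over a reported message. The institution domain (`example.edu`), the sample message, and the heuristics themselves are constructed for illustration; the envelope-versus-From comparison is only a rough tell, and SPF/DKIM/DMARC are the checks that actually settle sender authenticity.

```python
"""Flag the tell-tale signs the awareness landing page explained: a From
header forged to look institutional while the envelope sender is not, a
login link whose host is outside the institution, and visible link text
that disagrees with the real href.  Added example, not code from the
original posts; domain, sample message and heuristics are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed institution domain (constructed for the example; substitute your own).
INSTITUTION_DOMAIN = "example.edu"

# Constructed sample message: claims to come from campus IT, but the
# envelope sender and the link target live elsewhere, and the visible
# link text shows an institutional URL that the href does not go to.
SAMPLE_EML = """\
Return-Path: <bounce@mail-sender-42.example.net>
From: "Campus IT Helpdesk" <helpdesk@example.edu>
To: student@example.edu
Subject: Urgent: Verify You're Account
Content-Type: text/html; charset=us-ascii

<p>Dear user, you're mailbox quota has been exceeded. Click
<a href="http://example-edu-login.example.net/webmail">https://webmail.example.edu/login</a>
to verify you're account within 24 hours or it will be deactivated.</p>
"""

# Captures (href, visible text) for each anchor in an HTML body.
LINK_RE = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(header_value):
    """Lower-cased domain part of the address in a From/Return-Path header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def is_institutional(host):
    """True if host is the institution domain or a subdomain of it."""
    host = (host or "").lower()
    return host == INSTITUTION_DOMAIN or host.endswith("." + INSTITUTION_DOMAIN)


def analyze(raw_message):
    """Return a dict of phishing indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    if isinstance(body, list):  # multipart: inspect the first part only
        body = body[0].get_payload()

    from_domain = domain_of(msg.get("From"))
    return_path_domain = domain_of(msg.get("Return-Path"))

    findings = {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        # Institutional-looking From with a non-institutional envelope sender.
        # Heuristic only: legitimate bulk mailers can trip this too, and
        # SPF/DKIM/DMARC are the authoritative checks.
        "sender_mismatch": is_institutional(from_domain)
        and not is_institutional(return_path_domain),
        "external_links": [],        # hrefs hosted outside the institution
        "mismatched_link_text": [],  # (shown URL, real href) pairs that differ
    }

    for href, text in LINK_RE.findall(body):
        href_host = urlparse(href).hostname
        if not is_institutional(href_host):
            findings["external_links"].append(href)
        shown = text.strip()
        if shown.lower().startswith(("http://", "https://")):
            if urlparse(shown).hostname != href_host:
                findings["mismatched_link_text"].append((shown, href))

    findings["suspicious"] = bool(
        findings["sender_mismatch"]
        or findings["external_links"]
        or findings["mismatched_link_text"]
    )
    return findings


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Run as-is it reports the constructed message as suspicious on all three counts. The same `analyze` function is what the educational landing page could quote back to a "victim": which of the visible clues they could have checked before clicking.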