Educause Security Discussion mailing list archives

Re: Faculty Acceptance of Security Awareness Education?


From: Matthew Wollenweber <mjw () CYBERWART COM>
Date: Tue, 1 Dec 2009 12:41:05 -0500

On Tue, Dec 1, 2009 at 11:06 AM, Ken Connelly <Ken.Connelly () uni edu> wrote:

Steve Romig wrote:
On Nov 30, 2009, at 12:07 PM, Matthew Wollenweber wrote:
I'm friends with the phishme guys and the metrics they have are 25%
of people fall for unsophisticated attacks and 75% fall for
sophisticated attacks.

If that's true, then wow.

Does anyone know of any actual studies about response rates to
phishing attacks and effectiveness of training (or for social
engineering attacks in general)?  I've got a friend in the consulting
business who does phishing attacks for the banking industry, and he
claims a 7% pre-training response rate for semi-sophisticated attacks
(some effort made to make the phish look credible - attaching names of
actual bank execs, using the bank's name in the email, no
spelling/grammar mistakes, etc.)

7% is a far cry from even 25%, let alone 75%.  I've heard other
numbers from other people, and I don't have any grounds to disbelieve
any of them (and they could all be true in their own contexts, anyway).

--- Steve
Don't forget, the "phishme" guys help their cause by using the highest
possible numbers they can justify - it helps them make a case that their
services are needed.  It's the same theory behind why end-user personal
firewalls are so incredibly noisy - to make the user constantly aware
that the software is very active and worth the cost.  After all,
wouldn't you be happy that it stopped an "attack" (single packet) on
port 23423?  Even though there's no daemon listening to that port?


You're making an assumption there. The "phishme" guys might have a potential
motive to use higher stats to justify their service, but unless you have
other data you shouldn't claim their stats are being tweaked. Measuring
phishing success is difficult and there are lots of ways to do it - most of
which someone can argue about. There are a few things that I think we could
all agree on though:

Trojans, delivered via phishing (which I include fake av, fake flash,
*cough* fake codecs) account for a huge portion of incidents. Also, (in my
data) there is little correlation between patch level and incidents. If you
look back historically, incidents have been tied to patch level because
systems were compromised by an exploit targeting an unpatched
vulnerability. If that's not the case anymore there are few remaining
possibilities. One is that everyone is getting owned by 0day over and over
without detecting it -- which is unlikely en masse. The more you use an
exploit the more likely it is to get known. Or we go back to the users
clicking things. My IDS indicates they're doing that a lot.

Phishing is successful and a huge problem that needs to be addressed.




--
- Ken
=================================================================
Ken Connelly             Associate Director, Security and Systems
ITS Network Services                  University of Northern Iowa
email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373




--
Matthew Wollenweber
mjw () cyberwart com
240-753-0281
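The disagreement above over 7% versus 25% or 75% largely comes down to what gets counted. The script below is an added illustration, not code from any poster or from the phishme product: it takes one constructed event log from a hypothetical phishing simulation and computes the "success rate" under several definitions that real platforms use (raw click events versus unique clickers, denominator of sent versus delivered versus opened, clicks versus credential submission). All names, actions and counts are made up for the example.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed event log from one hypothetical simulated-phishing campaign.
# Not real data; shaped like the per-recipient events a simulation
# platform would export. Each tuple is (recipient, action).
EVENTS: List[Tuple[str, str]] = [
    ("alice", "delivered"), ("alice", "opened"), ("alice", "clicked"),
    ("alice", "clicked"), ("alice", "submitted"),            # clicked twice, then entered credentials
    ("bob", "delivered"), ("bob", "opened"), ("bob", "reported"),
    ("carol", "delivered"), ("carol", "clicked"), ("carol", "clicked"),  # no "opened": tracking pixel blocked
    ("dave", "delivered"),
    ("erin", "delivered"), ("erin", "opened"), ("erin", "clicked"), ("erin", "reported"),
    ("frank", "bounced"),                                     # targeted but never delivered
    ("grace", "delivered"), ("grace", "opened"),
]


def by_recipient(events: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Collapse raw events into {recipient: set of actions taken}."""
    actions: Dict[str, Set[str]] = defaultdict(set)
    for who, what in events:
        actions[who].add(what)
    return actions


def count_events(events: List[Tuple[str, str]], action: str) -> int:
    """Number of raw events of a given kind (a repeat click counts twice)."""
    return sum(1 for _, a in events if a == action)


def count_recipients(events: List[Tuple[str, str]], action: str) -> int:
    """Number of distinct people who performed the action at least once."""
    return sum(1 for acts in by_recipient(events).values() if action in acts)


def rate(events: List[Tuple[str, str]], numerator: str, denominator: str,
         unique: bool = True) -> float:
    """Fraction of the `denominator` population that performed `numerator`.

    denominator: "sent" (every targeted address, bounces included),
                 "delivered", or "opened".
    unique=True counts people; unique=False counts raw events, which
    inflates the figure whenever one person clicks more than once.
    """
    if denominator == "sent":
        denom = len(by_recipient(events))
    else:
        denom = count_recipients(events, denominator)
    num = count_recipients(events, numerator) if unique else count_events(events, numerator)
    return num / denom if denom else 0.0


def report(events: List[Tuple[str, str]]) -> Dict[str, float]:
    """The same campaign's 'success rate' under several common definitions."""
    return {
        "raw clicks / sent": rate(events, "clicked", "sent", unique=False),
        "unique clickers / delivered": rate(events, "clicked", "delivered"),
        "unique clickers / opened": rate(events, "clicked", "opened"),
        "credential submitters / delivered": rate(events, "submitted", "delivered"),
        "reporters / delivered": rate(events, "reported", "delivered"),
    }


if __name__ == "__main__":
    for name, value in report(EVENTS).items():
        print(f"{name:36s} {value:6.1%}")
```

On this one constructed campaign the headline figure ranges from about 17% (people who actually entered credentials, over delivered mail) to 75% (unique clickers over people who registered an "open"). The "opened" denominator is the least trustworthy: open tracking depends on remote images loading, so a recipient who clicks with images blocked (carol here) counts in the numerator but not the denominator. When comparing vendor or consultant numbers, ask which numerator, which denominator, and whether repeat clicks were deduplicated before treating the figures as contradictory.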