Educause Security Discussion mailing list archives
Re: attempts sending fake phishing messages to students and/or employees
From: Sam Hooker <samuel.hooker () UVM EDU>
Date: Wed, 9 Jun 2010 17:04:01 -0400
On 20100607 23:26 , Dave Kovarik wrote:
> Those that are "hooked" by it won't take kindly to having taken the bait - and some of these will be outspoken faculty members.

That concern looms large here, too. You could, I suppose, exclude faculty from your target population. (Warning: opinion piece, free of supporting data beyond my career experience.)

To the larger issue, though: It's admittedly difficult to consider willingly endangering whatever goodwill exists, given that the archetypal relationship between clients and IT staff has been strained by the imposition of what are (rightly?) felt to be cumbersome and draconian security measures. That said, I feel like backlash from active probes like "phishing expeditions" can be managed with a combination of prep and tactful, personalized follow-up. By "prep", I mean garnering the express support of top management, and then clearing and coordinating probe activities well in advance with HR and management in target departments.

What about recruiting someone nontechnical to be available for help with the follow-up? This could help make the point that yours is a serious undertaking with implications beyond just IT (and not a puerile attempt by IT staff to demean and embarrass users). Also, to translate. ;-)

Could your phishing expeditions be announced to all users beforehand? The infosec equivalent of a pop quiz? The mere mention might have a positive effect on users' vigilance. (That effect may be unquantifiable, but I'll take what I can get.)

Anyway, unless we suss the resistance to actively testing our user populations for susceptibility to phishing (which as a concept currently enjoys some modicum of recognition among users and management), it seems unlikely that *any* sort of social engineering will gain acceptance as part of institutional vulnerability assessment or penetration testing. And that would be a shame, since it means failing to methodically assess what appears to be a significant portion of many institutions' attack surfaces.

Cheers,

-st(long-winded)h

--
Sam Hooker | samuel.hooker () uvm edu
Systems Architecture and Administration
Enterprise Technology Services
The University of Vermont

> I think your efforts would be better spent on continuing education of your user community and resolving the incidents that occur as a result of actual phishing incidents.
>
> Dave Kovarik
> Northwestern University
> 847-467-5930
>
> On 6/7/10 7:59 PM, Valdis Kletnieks wrote:
>> On Mon, 07 Jun 2010 15:41:18 PDT, "Miller, Don C." said:
>>> Has anyone attempted, or thought about, sending fake phishing messages to your students and/or employees?
>> If your message is "We will never ask you for your password", this is a *really* bad idea because it confuses your users and shoots your credibility. We usually just wait for a real phish to get reported, then block the address outbound and trap any attempts to reach it. Anybody who tries it gets targeted for re-education.
Attachment:
signature.asc
Description: OpenPGP digital signature