Educause Security Discussion mailing list archives

Re: attempts sending fake phishing messages to students and/or employees


From: Sam Hooker <samuel.hooker () UVM EDU>
Date: Wed, 9 Jun 2010 17:04:01 -0400


On 20100607 23:26 , Dave Kovarik wrote:
Those that are "hooked" by it won't take kindly to having taken
the bait - and some of these will be outspoken faculty members.

That concern looms large here, too. You could, I suppose, exclude
faculty from your target population.

(Warning: opinion piece, free of supporting data beyond my career
experience.)

To the larger issue, though: It's admittedly difficult to consider
willingly endangering whatever goodwill exists, given that the
archetypal relationship between clients and IT staff has been strained
by the imposition of what are (rightly?) felt to be cumbersome and
draconian security measures. That said, I feel like backlash from active
probes like "phishing expeditions" can be managed with a combination of
prep and tactful, personalized follow-up.

By "prep", I mean garnering the express support of top management, and
then clearing and coordinating probe activities well in advance with HR
and management in target departments.

What about recruiting someone nontechnical to be available for help with
the follow-up? This could help make the point that yours is a serious
undertaking with implications beyond just IT (and not a puerile attempt
by IT staff to demean and embarrass users). Also, to translate. ;-)

Could your phishing expeditions be announced to all users beforehand?
The infosec equivalent of a pop quiz? The mere mention might have a
positive effect on users' vigilance. (That effect may be unquantifiable,
but I'll take what I can get.)

Anyway, unless we suss the resistance to actively testing our user
populations for susceptibility to phishing (which as a concept currently
enjoys some modicum of recognition among users and management), it seems
unlikely that *any* sort of social engineering will gain acceptance as
part of institutional vulnerability assessment or penetration testing.
And that would be a shame, since it means failing to methodically assess
what appears to be a significant portion of many institutions' attack
surfaces.


Cheers,

-st(long-winded)h

-- 
Sam Hooker | samuel.hooker () uvm edu
Systems Architecture and Administration
Enterprise Technology Services
The University of Vermont


I think your efforts would be better spent on continuing education of
your user community and resolving the incidents that occur as a result
of actual phishing incidents.

Dave Kovarik
Northwestern University
847-467-5930

On 6/7/10 7:59 PM, Valdis Kletnieks wrote:
On Mon, 07 Jun 2010 15:41:18 PDT, "Miller, Don C." said:

Has anyone attempted, or thought about, sending fake phishing messages
to your students and/or employees?

If your message is "We will never ask you for your password", this is a
*really* bad idea because it confuses your users and shoots your
credibility.

We usually just wait for a real phish to get reported, then block the
address outbound and trap any attempts to reach it. Anybody who tries it
gets targeted for re-education.


