Educause Security Discussion mailing list archives
Re: attempts sending fake phishing messages to students and/or employees
From: Dave Kovarik <david-kovarik () NORTHWESTERN EDU>
Date: Thu, 10 Jun 2010 08:21:32 -0500
I'm a firm believer in testing all aspects of controls, especially where people (near simultaneously the strongest and weakest link in the security chain) are involved, but I believe Sam Hooker identified the key component in the words "garnering the express support of top management"...

With one exception, I have yet to have top-level management agree in practice that phishing one's own community was a good idea. The exception was when I was operating as a consultant and charged with testing security of the client - if it went badly from a PR view, the client management could lay it off on the consultant (which they did).

- Dave Kovarik, Northwestern University

On 6/9/10 4:04 PM, Sam Hooker wrote:
> On 20100607 23:26, Dave Kovarik wrote:
>> Those that are "hooked" by it won't take kindly to having taken the bait - and some of these will be outspoken faculty members.
>
> That concern looms large here, too. You could, I suppose, exclude faculty from your target population.
>
> (Warning: opinion piece, free of supporting data beyond my career experience.)
>
> To the larger issue, though: It's admittedly difficult to consider willingly endangering whatever goodwill exists, given that the archetypal relationship between clients and IT staff has been strained by the imposition of what are (rightly?) felt to be cumbersome and draconian security measures. That said, I feel like backlash from active probes like "phishing expeditions" can be managed with a combination of prep and tactful, personalized follow-up. By "prep", I mean garnering the express support of top management, and then clearing and coordinating probe activities well in advance with HR and management in target departments.
>
> What about recruiting someone nontechnical to be available for help with the follow-up? This could help make the point that yours is a serious undertaking with implications beyond just IT (and not a puerile attempt by IT staff to demean and embarrass users). Also, to translate. ;-)
>
> Could your phishing expeditions be announced to all users beforehand? The infosec equivalent of a pop quiz? The mere mention might have a positive effect on users' vigilance. (That effect may be unquantifiable, but I'll take what I can get.)
>
> Anyway, unless we suss the resistance to actively testing our user populations for susceptibility to phishing (which as a concept currently enjoys some modicum of recognition among users and management), it seems unlikely that *any* sort of social engineering will gain acceptance as part of institutional vulnerability assessment or penetration testing. And that would be a shame, since it means failing to methodically assess what appears to be a significant portion of many institutions' attack surfaces.
>
> Cheers,
>
> -st(long-winded)h