Re: attempts sending fake phishing messages to students and/or employees

[Dave Kovarik <david-kovarik () NORTHWESTERN EDU>]

I'm a firm believer in testing all aspects of controls especially where
people (near simultaneously the strongest and weakest link in security 
chain)
are involved but I believe Sam Hooker identified the key component
in the words "garnering the express support of top management"...
With one exception, I have yet to have top level management
agree in practice that phishing one's own community was a good idea.
The exception was when I was operating as a consultant and charged
with testing security of the client - if it went badly from a PR view,
the client management could lay it off on the consultant (which they did).
- Dave Kovarik, Northwestern University

On 6/9/10 4:04 PM, Sam Hooker wrote:
> On 20100607 23:26 , Dave Kovarik wrote:
>    
> > Those that are "hooked" by it won't take kindly to having taken
> > the bait - and some of these will be outspoken faculty members.
> >      
> That concern looms large here, too. You could, I suppose, exclude
> faculty from your target population.
>
> (Warning: opinion piece, free of supporting data beyond my career
> experience.)
>
> To the larger issue, though: It's admittedly difficult to consider
> willingly endangering whatever goodwill exists, given that the
> archetypal relationship between clients and IT staff has been strained
> by the imposition of what are (rightly?) felt to be cumbersome and
> draconian security measures. That said, I feel like backlash from active
> probes like "phishing expeditions" can be managed with a combination of
> prep and tactful, personalized follow-up.
>
> By "prep", I mean garnering the express support of top management, and
> then clearing and coordinating probe activities well in advance with HR
> and management in target departments.
>
> What about recruiting someone nontechnical to be available for help with
> the follow-up? This could help make the point that yours is a serious
> undertaking with implications beyond just IT (and not a puerile attempt
> by IT staff to demean and embarrass users). Also, to translate. ;-)
>
> Could your phishing expeditions be announced to all users beforehand?
> The infosec equivalent of a pop quiz? The mere mention might have a
> positive effect on users' vigilance. (That effect may be unquantifiable,
> but I'll take what I can get.)
>
> Anyway, unless we suss the resistance to actively testing our user
> populations for susceptibility to phishing (which as a concept currently
> enjoys some modicum of recognition among users and management), it seems
> unlikely that *any* sort of social engineering will gain acceptance as
> part of institutional vulnerability assessment or penetration testing.
> And that would be a shame, since it means failing to methodically assess
> what appears to be a significant portion of many institutions' attack
> surfaces.
>
>
> Cheers,
>
> -st(long-winded)h
>
>