Educause Security Discussion mailing list archives

Re: attempts sending fake phishing messages to students and/or employees


From: Ben Woelk <fbwis () RIT EDU>
Date: Fri, 11 Jun 2010 09:40:50 -0400

I agree that the fallout is not worth a marginal increase in awareness due to the phishing exercise.

I think the key here is understanding the goals of the phishing exercise. If it's to reduce the phishing success rate, 
there are other awareness methods. You're not going to reach a 100% phish "resistance" rate.

What numbers are you seeing falling for targeted phishing? What resistance levels are you hoping to achieve?

We increased our phishing awareness efforts because of a string of phishing attempts over a two month period, one of 
which had around 25 users fall for the phish. Even with increased efforts, we always see 4-6 victims. That's a very 
small percentage of our 18K users.


Ben Woelk '07
Co-chair, Awareness and Training Working Group
EDUCAUSE/Internet2 Higher Education Information Security Council

Policy and Awareness Analyst
Information Security Office
Rochester Institute of Technology
Ross 10-A204
151 Lomb Memorial Drive
Rochester, New York 14623 
585.475.4122
585.475.7920 fax
ben.woelk () rit edu
http://security.rit.edu/dsd.html 
 
Become a fan of RIT Information Security at http://rit.facebook.com/profile.php?id=6017464645
 
Follow us on Twitter: http://twitter.com/RIT_InfoSec

Follow my Infosec Communicator blog at http://benwoelk.wordpress.com

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Davis, Thomas R
Sent: Friday, June 11, 2010 8:10 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] attempts sending fake phishing messages to students and/or employees

On Jun 10, 2010, at 9:21 AM, Dave Kovarik wrote:

> With one exception, I have yet to have top level management
> agree in practice that phishing one's own community was a good idea.

Agreed. I can understand the "research" benefits of conducting fake phishing. However, on the "operational" side of 
the house, the benefits are minimal and the political fallout great. The real question is, even if you do conduct a 
fake phishing run against your users, what will you do with the results? Do better awareness training? If so, why not 
focus on the awareness training instead of fake phishing?

Based on real phishing success rates, I'm pretty certain the fake phishing run will be successful too. So, why do it? 
There *might* be a couple of legitimate reasons, but none IMHO outweigh the damaged goodwill that others have mentioned.

-- 
Tom Davis, CISSP, CISM
Chief Security Officer
Public Safety and Institutional Assurance
Indiana University
https://informationsecurity.iu.edu/Tom_Davis
