Educause Security Discussion mailing list archives
Re: Phishing your users
From: Brad Judy <brad.judy () CU EDU>
Date: Wed, 18 Feb 2015 15:16:12 +0000
Take a look at the presentation that Derek Spransy did at SPC on the work we did at Emory: http://www.educause.edu/events/security-professionals-conference/phishing-ourselves-raise-awareness

Below is the text of a message I sent in reply to a similar post to this list on 9-5-14.

I've written and spoken on this topic several times, and I'll do a quick recap here. It is absolutely possible to take this approach without negative response. We did it at Emory across tens of thousands of users without problem and we're doing a similar process here at U Colorado right now. Here are some of the key points (overlapping with what others have said) and I will try to rank them in rough order of importance in my mind.

* Such a process is an alternative to traditional awareness that (from my experience) is far more effective. We work in higher education and exploring the most effective learning techniques is a core of our business. As a wise person once said: if your behavior hasn't changed, you haven't actually learned anything. We are engaged in learning with the goal of behavioral change. This process both provides effective learning to that goal and measures to that goal.

* The process *must* be non-punitive. Falling for a phishing message has no negative impact on one's job and no information will be provided to departments that includes specific names or is detailed enough to infer names. We only provided aggregate stats on groups of at least 20 people. We rejected all requests to provide specific names.

* The community is fully informed of the process that will occur before it happens. Someone once asked me "aren't you afraid it will skew the results?" This isn't a research paper, this is learning. If the heads-up messages are enough to prevent someone from responding to phishing, then you've already won.

* The leadership of the institution (in its various forms from VPs to chancellors to committees) would have a chance to hear about the process, ask questions, express concerns and have issues addressed before proceeding. You can call it "management buy-in" if you'd like.

* The educational landing page (for those who fell for a phish) provides contextual information that is actionable. It cites the items in the specific messages sent out that would be the easiest indicators of a fake email.

* The process would use content based on real-world phishing of a moderate level. The goal is not to come up with something good enough to fool everyone, the goal is to educate a reasonable person to recognize a typical phish. I have said many times that I don't expect anyone to catch an advanced social engineering attack. Some of the most aware people can be fooled by a sophisticated, targeted attack.

* We would continuously evaluate the process as it went for everything from results towards goal to process improvement to community feedback. If the process did not demonstrate measurable improvement in phishing response rates, it would be discontinued.

* We would analyze the results across demographic data to look for any hot-spots that might need additional training. Was there a department, job class, student major, etc. that demonstrated a notably higher than average phishing response rate? Were there other trends to investigate?

* We worked with the help desks to inform them about the process and monitor their workloads during the message runs. We throttled the sending of messages to ensure that they were not totally overloaded at any one time.

* Each run used four or more different messages to both provide variety and allow us to test for response rate differences between various popular phishing message themes. We also tested for differences between phishing messages that were totally generic (did not mention the institution name at all) and those that contained basic targeting (institution mentioned in a couple places).

You can see an SPC presentation from Emory on the effort (including charts about response rates and improvements) here: http://www.educause.edu/sites/default/files/library/presentations/SEC12/SESS07/Educause%2BSEC12%2BPhishme%2BPresentation.pptx

At the end of the day, the Emory project demonstrated success at reducing response rates while receiving essentially zero negative feedback across quarterly runs with 40,000 users. Our current work at CU has gone through a sampling process to establish a baseline response rate that will next go through some process improvement work and then follow-up phishing awareness work.

Please let me know if you have any specific questions.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Fowler, Becky Thurmond
Sent: Wednesday, February 18, 2015 7:59 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Phishing your users

We've tossed around the idea of phishing our users (as an awareness/education activity) for the past few years. I'm ready to make another push to upper management to move forward with this project but I was wondering if anyone had any war stories (good or bad) to share before I make my pitch. Thanks!

Becky Thurmond Fowler
Manager, Security Assessments & Incident Response
Division of IT - Information Security & Access Management
University of Missouri-Columbia
becky () missouri edu<mailto:becky () missouri edu>
573.882.5182
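As an added illustration (not code from Brad's message or from the Emory/CU programs) of the reporting rules described above: response rates are aggregated only over groups of at least 20 people, the run's message themes and generic-vs-targeted variants are compared, and demographic hot-spots are flagged for follow-up training. The department labels, theme names and sample population are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

MIN_GROUP = 20   # never report a group smaller than this (the message's rule)
# Constructed theme labels for the four message variants used in one run
THEMES = ("password-expiry", "mailbox-quota", "payroll-update", "shared-document")


@dataclass(frozen=True)
class Recipient:
    user_id: str      # used only to keep records distinct; never reported
    department: str
    theme: str        # which of the run's message variants this user received
    targeted: bool    # institution named in the message vs. fully generic
    responded: bool   # user ended up on the educational landing page


def group_rates(recipients, key):
    """Response rate per group, suppressing groups below MIN_GROUP so that no
    department or job class small enough to identify individuals is exposed."""
    totals = defaultdict(lambda: [0, 0])          # group -> [sent, responded]
    for r in recipients:
        totals[key(r)][0] += 1
        totals[key(r)][1] += int(r.responded)
    return {g: (sent, resp / sent) for g, (sent, resp) in totals.items()
            if sent >= MIN_GROUP}


def hot_spots(recipients, key, factor=1.5):
    """Reportable groups whose rate is at least `factor` x the overall rate:
    candidates for additional awareness work rather than for naming anyone."""
    overall = sum(r.responded for r in recipients) / len(recipients)
    return sorted(g for g, (_, rate) in group_rates(recipients, key).items()
                  if rate >= factor * overall)


def constructed_sample():
    """Constructed population (not real data): department -> (headcount, responders)."""
    spec = {"Library": (40, 16), "Physics": (40, 4), "Provost": (8, 2)}
    return [Recipient(f"{dept}-{i}", dept, THEMES[i % 4], i % 2 == 0, i < responders)
            for dept, (n, responders) in spec.items() for i in range(n)]


if __name__ == "__main__":
    recs = constructed_sample()
    for name, key in (("department", lambda r: r.department),
                      ("theme", lambda r: r.theme),
                      ("targeted", lambda r: r.targeted)):
        print(name, group_rates(recs, key))   # "Provost" (8 people) is suppressed
    print("hot spots:", hot_spots(recs, lambda r: r.department))
```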