Educause Security Discussion mailing list archives
Re: Repeat offenders during phishing campaign
From: "Vest, Shawn E" <svest () IU EDU>
Date: Sun, 26 Mar 2017 14:04:18 +0000
Hello,

Thanks for the post, and all who commented. Based on the feedback, there will always be a percentage of individuals falling victim to a phishing scam/training.

Are any of you measuring the effectiveness of the endpoint controls for the repeat offenders once the phishing scam delivers the payload? Example of controls below:

- What user context did the payload run under?
- Was there application white-listing?
- AV agent installed, running and up-to-date
- Patch status
- Do you limit or disable macro support

Some of the above items could limit the results of the attack, and may be more effective at protecting the individual from themselves. I am just curious if others are tracking results if the payload succeeds? If you find gaps, how do you communicate them to endpoint owners, or IT professionals?

-S

________________________________
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () listserv educause edu> on behalf of Brad Judy <brad.judy () CU EDU>
Sent: Tuesday, March 21, 2017 6:34 PM
To: SECURITY () listserv educause edu
Subject: Re: [SECURITY] Repeat offenders during phishing campaign

Small plug – for those going to Educause SPC, there will be a panel session of four of us talking about our experiences with self-phishing from different institutional perspectives.

My personal take on repeat offenders is that some different educational approach is needed (since the first one didn't work). That could be in-person follow-up, or it could be that you create a separate campaign for offenders that lands them on a different style of educational content than the first pass. Or, you simply change the type of content for everyone between campaigns (i.e. text content one time, video the next, etc.). We can't expect different results from repeating the same process, but I think there are many different options on how to change it up for repeat offenders.

Brad Judy
Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO 80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu

From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Steven Alexander <steven.alexander () KCCD EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, March 21, 2017 at 3:19 PM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Repeat offenders during phishing campaign

Monthly. The idea is to provide continuous reinforcement and help users learn. If you only do it 1-2 times a year, they aren't getting that.

Steven Alexander
Director of IT Security
Kern Community College District

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Urrea, Nick
Sent: Tuesday, March 21, 2017 1:51 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Repeat offenders during phishing campaign

How often would the group suggest a phishing campaign be run? Annual, Bi-Annual?

---
Nicholas Urrea
UC Hastings College of the Law
Director of Information and Network Security

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of James Valente
Sent: Tuesday, March 21, 2017 1:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Repeat offenders during phishing campaign

We've only run a very small number of simulated phishing attacks but none have captured credentials thus far, so in the past we haven't considered them compromised because we've lacked the tracking to do so. Because of this, the only users I've considered compromised have been "actual" compromises or leaked credentials. I'm prepping for a phishing exercise using GoPhish soon and I'll be capturing usernames for better reporting and follow-up.

The procedure I've got in place for a compromised account is immediately disabling it in AD once it's confirmed, and then cleaning up any queued messages within our Barracuda and Exchange, since it's likely to impact mail flow for other users and increases the chance we'll get placed on a blacklist, which is a pain to deal with. Unfortunately, in the case of repeat offenders I don't think the inconvenience of getting locked out and having to call to regain access serves as a deterrent. Often the users just deny they fell for a phish and it's not worth the argument to provide all of the evidence/IoCs showing that is most likely the case. I've just started to send training material on phishing AND good password practices (avoiding PW reuse, regular changes, strong passwords/passphrases), so they can get the benefit of the doubt while also avoiding them picking Trustno2 after being phished with the password Trustno1.

--James

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Frank Barton
Sent: Tuesday, 21 March, 2017 16:35
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Repeat offenders during phishing campaign

James (et al.),

When a user falls for a [simulated] phish, do you consider their account to be compromised? Our procedure for a compromised account is to immediately lock it down until we have gone through our set of cleaning checks. This can take some time, and, if an account is compromised outside of normal hours, we typically lock it out, and then clean the next day. If this matches your process (at least generally), do you find that the time during which they are locked out is a deterrent?

Frank

On Tue, Mar 21, 2017 at 4:20 PM, James Valente <jvalente () salemstate edu> wrote:

I've inquired about forcing users to attend education training but we're not allowed to mandate any training like this, especially for faculty. However, we are allowed to request they attend training. I sent out a bunch of emails to repeat offenders last week with training material, and a little note hoping the guilt of the workload created by them falling for a phish (because they only see the inconvenience of having a password reset, not cleaning up a mess at 11:30pm on a Saturday night) encourages them to check the material and be more cautious in the future.

--James

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Rob Milman
Sent: Tuesday, 21 March, 2017 15:53
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Repeat offenders during phishing campaign

Thanks Ben,

I have 17 repeat offenders so far (pretty low since we are phishing all our staff). We are using SANS STH Phishing, which does train the clickers on what they should have looked for in the message. The repeat offenders have technically had that training at least twice, and some may have had my more in-depth awareness training if I've hit their school/department in the last year.

Rob

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ben Woelk
Sent: Tuesday, March 21, 2017 1:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Repeat offenders during phishing campaign

Rob,

Define "small number!" That's going to impact what you can do. Are the offenders automatically forwarded to learning content about phishing or otherwise notified they've taken the bait?

Ben Woelk '07 CISSP
ISO Program Manager
Information Security Office
Rochester Institute of Technology
ROS 10-A204
151 Lomb Memorial Drive
Rochester, New York 14623
585.475.4122
585.475.7920 fax
ben.woelk () rit edu
http://www.rit.edu/security/
Become a fan of RIT Information Security at http://rit.facebook.com/RITInfosec
Follow us on Twitter: http://twitter.com/RIT_InfoSec

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Rob Milman
Sent: Tuesday, March 21, 2017 12:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Repeat offenders during phishing campaign

Hi everyone,

We have been running a phishing campaign since last fall. There have been a small number of repeat offenders, which our vendor has identified as high-risk individuals. Have any of you dealt with this situation and developed a process that you'd like to share?

Thanks,
Rob

Rob Milman
Security & Compliance Analyst
Information Systems
Southern Alberta Institute of Technology
EH Crandell Building, GA 214
1301 – 16 Avenue NW, Calgary AB, T2M 0L4
(Office) 403.774.5401
(Cell) 403.606.3173
rob.milman () sait ca

--
Frank Barton ACMT
IT Systems Administrator
Husson University
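Three threads of the discussion above can be tied together in one report: Rob's repeat offenders across campaigns, James's plan to capture usernames with GoPhish so that submitted credentials can be treated as compromised, and Shawn's question about whether the endpoint controls around those users would have contained a payload. The Python below is an added example, not code from the thread or from GoPhish. It uses the status strings GoPhish assigns to a target ("Email Sent", "Email Opened", "Clicked Link", "Submitted Data") verbatim, but the campaign records and the endpoint-posture table are constructed sample data, and the posture field names (admin_user, app_whitelisting, av_current, patched, macros_blocked) are assumptions standing in for whatever your inventory actually exports.

```python
"""Tally repeat offenders across simulated-phishing campaigns and report
endpoint-control gaps for them.

The campaign records mimic the per-target results GoPhish stores (its
status strings are used verbatim); everything else is constructed sample
data for this example.
"""
from collections import defaultdict

# GoPhish's target status values, ordered by how far the user went.
SEVERITY = {"Email Sent": 0, "Email Opened": 1, "Clicked Link": 2, "Submitted Data": 3}
FELL_FOR_IT = SEVERITY["Clicked Link"]  # clicking or worse counts as a fail

# Constructed sample: three campaigns, four targets each.
SAMPLE_CAMPAIGNS = [
    {"id": 1, "name": "2016-10 payroll notice", "results": [
        {"email": "alice@example.edu", "status": "Clicked Link"},
        {"email": "bob@example.edu", "status": "Email Opened"},
        {"email": "carol@example.edu", "status": "Submitted Data"},
        {"email": "dave@example.edu", "status": "Email Sent"}]},
    {"id": 2, "name": "2017-01 mailbox quota", "results": [
        {"email": "alice@example.edu", "status": "Submitted Data"},
        {"email": "bob@example.edu", "status": "Email Opened"},
        {"email": "carol@example.edu", "status": "Clicked Link"},
        {"email": "dave@example.edu", "status": "Clicked Link"}]},
    {"id": 3, "name": "2017-03 shared document", "results": [
        {"email": "alice@example.edu", "status": "Email Sent"},
        {"email": "bob@example.edu", "status": "Clicked Link"},
        {"email": "carol@example.edu", "status": "Submitted Data"},
        {"email": "dave@example.edu", "status": "Email Opened"}]},
]

# Constructed endpoint posture per user; the field names are assumptions,
# not any product's schema. True means the control is in place.
SAMPLE_POSTURE = {
    "alice@example.edu": {"admin_user": False, "app_whitelisting": True,
                          "av_current": True, "patched": False, "macros_blocked": True},
    "carol@example.edu": {"admin_user": True, "app_whitelisting": False,
                          "av_current": True, "patched": True, "macros_blocked": False},
}


def tally(campaigns):
    """Per-user lists of the campaigns in which they clicked, and in which
    they submitted data. Unknown status strings are skipped, not fatal."""
    per_user = defaultdict(lambda: {"clicked_in": [], "submitted_in": []})
    for camp in campaigns:
        for r in camp["results"]:
            sev = SEVERITY.get(r["status"], -1)
            if sev < FELL_FOR_IT:
                continue
            e = per_user[r["email"]]
            e["clicked_in"].append(camp["id"])
            if sev == SEVERITY["Submitted Data"]:
                e["submitted_in"].append(camp["id"])
    return dict(per_user)


def repeat_offenders(campaigns, threshold=2):
    """Users who took the bait in at least `threshold` distinct campaigns."""
    return sorted(u for u, e in tally(campaigns).items()
                  if len(set(e["clicked_in"])) >= threshold)


def credential_resets(campaigns):
    """Users who submitted data in the most recent campaign: treat those
    credentials as exposed and queue the account for a reset."""
    latest = max(campaigns, key=lambda c: c["id"])
    return sorted(r["email"] for r in latest["results"]
                  if r["status"] == "Submitted Data")


def click_rate(campaign):
    """Fraction of a campaign's targets who at least clicked."""
    res = campaign["results"]
    if not res:
        return 0.0
    return sum(SEVERITY.get(r["status"], -1) >= FELL_FOR_IT for r in res) / len(res)


def control_gaps(offenders, posture):
    """For each repeat offender, the controls that would not have contained
    a payload: running as admin, or any protective control missing. Users
    with no posture record are reported as 'no inventory data'."""
    gaps = {}
    for user in offenders:
        p = posture.get(user)
        if p is None:
            gaps[user] = ["no inventory data"]
            continue
        missing = [k for k, ok in p.items() if k != "admin_user" and not ok]
        if p.get("admin_user"):
            missing.insert(0, "admin_user")
        gaps[user] = missing
    return gaps


if __name__ == "__main__":
    for c in SAMPLE_CAMPAIGNS:
        print(f"{c['name']}: {click_rate(c):.0%} took the bait")
    offenders = repeat_offenders(SAMPLE_CAMPAIGNS)
    print("repeat offenders:", offenders)
    print("reset credentials for:", credential_resets(SAMPLE_CAMPAIGNS))
    for user, missing in control_gaps(offenders, SAMPLE_POSTURE).items():
        print(f"{user}: {', '.join(missing) or 'all controls in place'}")
```

The threshold of two campaigns and the choice to count a click (not only a submitted form) as a fail are policy decisions to set per institution; the "no inventory data" case is there because a repeat offender whose machine is unknown to the inventory is itself the kind of gap Shawn asks about communicating to endpoint owners.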