BreachExchange mailing list archives

If You Fall for a Phishing Scam, Should You Lose Your Security Clearance?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 22 Sep 2015 19:52:20 -0600

http://www.nextgov.com/cybersecurity/2015/09/if-you-fall-phishing-scam-should-you-lose-your-security-clearance/121427/

If you fall for a phishing email, should you have your ability to handle
sensitive government information revoked?

At least one federal chief information security officer is concerned about
how frequently even senior-level federal employees fall for the bogus
emails and is considering get-tough solutions.

Paul Beckman, the Department of Homeland Security’s chief information
security officer, said he sends his own emails designed to mimic phishing
attempts to staff members to see who falls for the scam.

“These are emails that look blatantly to be coming from outside of DHS --
to any security practitioner, they're blatant,” he said during a panel
discussion on CISO priorities at the Billington Cybersecurity Summit in
Washington on Sept. 17. “But to these general users” -- including senior
managers and other VIPs -- “you'd be surprised at how often I catch these
guys.”

Employees who fail the test -- by clicking on potentially unsafe links and
inputting usernames and passwords -- are forced to undergo mandatory online
security training.

But Beckman said a small number of employees continue to fall for the fake
scams -- even in the second or third round of phishing tests.

“There are no repercussions to bad behavior,” he said. “There's no punitive
damage, so to speak. There's really nothing to incentivize these people to
be aware, to be diligent.”

Beckman said he wants to start discussions with DHS’ chief security officer
-- who’s responsible for overall personnel security -- about incorporating
employees’ susceptibility to phishing in broader evaluations of their
fitness to handle sensitive information.

“Someone who fails every single phishing campaign in the world should not
be holding a TS SCI with the federal government,” he said, using the
government acronym to describe a top-secret security clearance. “You have
clearly demonstrated that you are not responsible enough to responsibly
handle that information.”

Beckman said such discussions are still in their infancy. And not all CISOs
are on board with the tough approach he advocates.

Rod Turk, the Commerce Department’s CISO, said he also runs phishing tests
on his employees, but he said he views it as solely a training exercise.

More broadly, federal CISOs are concerned about the increasing
sophistication of phishing campaigns against high-level federal personnel.

They worry the recent massive breach of background-investigation files at
the Office of Personnel Management -- hackers stole data on 22 million
federal employees and contractors -- could be used to craft even more
convincing phishing attempts.

“One of the things they're going to do with [that information], you can bet
your bottom dollar, is coming up with insidious anti-phishing campaigns
that look very tailored and very personal to these people,” Beckman said.
“Every bit of my personal information is in an attacker's hands right now.
They could probably craft my email that even I would be susceptible to,
because they know everything about me virtually.”

Turk agreed, calling the stolen data “a goldmine for phishing
expeditions.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
