Educause Security Discussion mailing list archives

Re: Differentiating Between Real and Phishing Emails to Staff and Students


From: Ozzie Paez <ozpaez () SPRYNET COM>
Date: Wed, 14 May 2008 09:46:06 -0600

Sarah - Good points - as always -

I ran into an interesting approach that might be useful, particularly in a
university environment.  There is a company that, as part of its training
and auditing services, specializes in setting up fake sites and sending
phishing e-mails for end users to log on.  The fake sites look just like
their company's site, except for a number of clues that hint of potential
problems.  They send out their phishing e-mails routinely and/or on a
pre-planned basis.  They then measure the response and provide direct
feedback to those who fell for the scam, plus overall feedback to the
population at large.  No actual username-passwords or any other info is kept
on their servers.  They indicated that within a few months of deploying the
system, the success rates for their phishing attempts dropped by well over
50%.

If structured as a kind of fun training with actual results meaningful to
the population in question, it seems like it would be very helpful as both
an awareness and training tool.  It would also be great for an organization
to know just how susceptible they are, over time, to such attacks.  Right
now, we have many anecdotes, but limited actual performance numbers.  It
would also allow specific phishing designs to be tested in terms of banners,
language, etc., along with some understanding of the most affected groups.
As an example, I remember years ago how people whose mastery of English was
growing but still a work in progress could get confused by messages that
looked 'official'.  So, if a university has many foreign students, it would
be good to know if they are being targeted and if they need more specific
assistance in detecting fraudulent messages.

By the way, the approach I saw ensured that the target population was
advised that the 'game is on' before it began; so there is no attempt at
pure trickery.  Trust is a valuable commodity and playing games of gotcha is
a good way to waste it.  Obviously, it is critical to only try methods that
do not have legal ramifications and these guys seemed to know how to do it.
In fact they did their presentation at several events sponsored by the Feds.
If anyone is interested, let me know and I will dig out their contact info.

Ozzie Paez
SSE/CISSP
SAIC
303-332-5363
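As an added illustration (not code from the vendor Ozzie describes, nor from anyone on the list), here is how the measurement side of such a program can be scored once the simulation platform exports per-recipient outcomes. Campaign labels, group names and outcome counts are constructed; a real export would replace them. Records carry only a group label and three yes/no outcomes, in keeping with the point that no usernames or passwords are retained.

```python
"""Score phishing-simulation results by campaign and population group.

Constructed example: campaign labels, group names and counts are invented.
Each record holds a group label and outcomes only; no credentials are kept.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    """One recipient's outcome in one simulated campaign (no identity, no secrets)."""
    campaign: str    # e.g. "2008-03" (constructed label)
    group: str       # population segment such as "staff" or "intl_students"
    delivered: bool  # False for bounces; excluded from every rate
    clicked: bool    # followed the link to the look-alike site
    submitted: bool  # typed something into the fake login form


def _outcomes(campaign: str, group: str, delivered: int,
              clicked: int, submitted: int) -> List[Event]:
    """Expand aggregate counts into individual records (constructed sample data)."""
    assert delivered >= clicked >= submitted >= 0
    return [Event(campaign, group, True, i < clicked, i < submitted)
            for i in range(delivered)]


# Constructed sample: two campaigns, two groups, plus one bounced message.
SAMPLE: List[Event] = (
    _outcomes("2008-03", "staff", 4, 2, 1)
    + _outcomes("2008-03", "intl_students", 4, 3, 3)
    + _outcomes("2008-05", "staff", 4, 1, 0)
    + _outcomes("2008-05", "intl_students", 4, 2, 1)
    + [Event("2008-05", "staff", False, False, False)]
)

Key = Tuple[str, str]  # (campaign, group)


def rates(events: List[Event]) -> Dict[Key, Dict[str, float]]:
    """Click and submit rates among delivered messages, per (campaign, group)."""
    delivered = defaultdict(int)
    clicked = defaultdict(int)
    submitted = defaultdict(int)
    for e in events:
        if not e.delivered:
            continue
        if e.submitted and not e.clicked:
            raise ValueError("inconsistent record: submitted without clicking")
        key = (e.campaign, e.group)
        delivered[key] += 1
        clicked[key] += int(e.clicked)
        submitted[key] += int(e.submitted)
    return {
        key: {
            "delivered": delivered[key],
            "click_rate": clicked[key] / delivered[key],
            "submit_rate": submitted[key] / delivered[key],
        }
        for key in delivered
    }


def most_affected(events: List[Event], campaign: str) -> Optional[Tuple[str, float]]:
    """Group with the highest submit rate in one campaign (the one needing help first)."""
    rows = [(g, r["submit_rate"]) for (c, g), r in rates(events).items() if c == campaign]
    return max(rows, key=lambda gr: gr[1]) if rows else None


def trend(events: List[Event], group: str) -> List[Tuple[str, float]]:
    """Submit rate for one group, ordered by campaign label."""
    return sorted((c, r["submit_rate"]) for (c, g), r in rates(events).items() if g == group)


def relative_drop(events: List[Event], group: str) -> Optional[float]:
    """Fractional fall in submit rate from first to latest campaign; None if undefined."""
    t = trend(events, group)
    if len(t) < 2 or t[0][1] == 0:
        return None
    return (t[0][1] - t[-1][1]) / t[0][1]


if __name__ == "__main__":
    for key, r in sorted(rates(SAMPLE).items()):
        print(key, r)
    print("most affected in 2008-03:", most_affected(SAMPLE, "2008-03"))
    for g in ("staff", "intl_students"):
        print(g, "trend:", trend(SAMPLE, g), "drop:", relative_drop(SAMPLE, g))
```

The submit rate, not the click rate, is the number to report back to a group: clicking a link in a test proves little, while entering a credential on the look-alike page is exactly the behaviour the training exists to change. Comparing `relative_drop` per group across campaigns gives the "over time" view Ozzie mentions, and `most_affected` points at the population that needs more specific assistance.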



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU]On Behalf Of Sarah Stevens
Sent: Tuesday, May 13, 2008 9:52 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Differentiating Between Real and Phishing Emails to
Staff and Students


Tim,

I hope you are doing well.  The last time that I heard from you, I believe
that you were developing some policies and procedures for IT Security.  :-)

I find the following statement interesting:

As the frequency of targeted phishing scams increases, I continue to get more
queries by staff and students questioning if the very emails I send to staff
and students are valid or a scam.

What types of email are you sending out?  Are you actually requesting
something of the student?  A true phishing attack would include a link in
the email such as "Click here to change your password", or "Respond to this
email with your password."

An email from IT Security might say "If you feel that the integrity of your
password could have been jeopardized, please contact IT Security
immediately.  Remember that the IT Security department will never make a
direct request for your password."

Most password reset systems send the new password to the user via email, and
then demand an immediate password change upon initial login to the system.
However, some password reset systems send the user to a link and the user
must log in via the link to access the system.  I would say that the former
is a better system, but if you have the type of system that uses a link, a
compensating control would be the training that you provide to the user
indicating that they should always call IT Security immediately if they
receive an unsolicited password reset email link.

Digital signatures are not usually helpful in the University users'
environment, as they are not commonly validated by students and staff.

With that being said, I agree with Mike.  Your best defense is a good
offense, and training your users on possible phishing schemes is paramount
to any successful information security awareness program.  I also agree that
the training methods used to train users must vary in order to continue to
capture your user community's attention.  Your IT Security Department should
also be accessible to your user community.  Encourage open communication
between IT Security and your users by setting up lunch and learns, contests,
etc. to build the enthusiasm of the IT Security Department.  (Building off
of one of Mike's suggestions below, IT Security could hold a contest and
award a prize for finding the latest informational notice released by IT
Security on campus.)

Hope this helps!


Sarah E Stevens, CISSP
President
Stevens Technologies, Inc.
(704) 625-8842 x500

"Security solutions for your organization."



  _____

From: The EDUCAUSE Security Constituent Group Listserv on behalf of Mike
Waller
Sent: Tue 5/13/2008 11:08 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Differentiating Between Real and Phishing Emails to
Staff and Students


We wrestled with this at my last job, which was at a medical research
institution. On the one hand, we wanted to educate and increase the
awareness of the many scams out there, but we didn't want to push our campus
audience into tuning out.

I think the best thing you can do is to vary your delivery method and focus
on those areas that have some novelty -- either a new type of scam, a new
delivery method or something new in the world of social engineering. If
you're doing that, you're probably going to see your best results. Too many
emails build up a certain fatigue and will cause your emails to wind up as
part of that vast hiss of email white noise users ignore. Focus on varying
the delivery methods. In addition to email, use alerts on various campus
websites, mention the scams in meetings/training, use posters, etc. There
are a lot of ways to get the word out.

Mike


On Tue, May 13, 2008 at 1:04 AM, Tim Lane <tlane () scu edu au> wrote:


Hi All,

I regularly send out emails to staff and students advising on phishing
scams, general security alerts, password changes etc.  As the frequency of
targeted phishing scams increases, I continue to get more queries by staff
and students questioning if the very emails I send to staff and students are
valid or a scam.

I would be interested in knowing how other institutions are providing
increasing assurance to staff and students that emails from their IT or
Security section are valid.

Examples might include disclaimers, digital signatures or encryption etc,
but if this is an area you have looked at and addressed could you please
advise.

Thanks,

Tim


Tim Lane
Information Security Manager
IT&TS
Southern Cross University
Ph (02) 6620 3530
Mobile 0418 248 571




