Educause Security Discussion mailing list archives
Re: Faculty Acceptance of Security Awareness Education?
From: Matthew Wollenweber <mjw () CYBERWART COM>
Date: Tue, 1 Dec 2009 12:50:24 -0500
Valdis,

We seldom sent out 100 emails, but I mean we'd get X percent shells back - so say we sent 20 emails out, we might get 8 callbacks. These were generally targeted and customized to avoid AV signatures. Also, my stats are averaged by job, meaning that a job with 20 emails sent counts as much as a job with 100 emails sent. I can't provide the raw data or methodology as I no longer have it and it would contain customer and proprietary data. I can't recall ever not getting some success at organizations with at least 1000 people.

Phishme's success rate may be higher given that they don't have a payload. For their metrics, I believe the user only needs to click a link and be forwarded to their educational presentations. In my case, success was a callback. So the user had to click and the background magic had to occur.

On Tue, Dec 1, 2009 at 12:39 PM, Valdis Kletnieks <Valdis.Kletnieks () vt edu> wrote:

> On Tue, 01 Dec 2009 12:29:02 EST, Matthew Wollenweber said:
>
> > While I was doing pen testing, our phishing service tended to have a 40-60% success rate for unsophisticated targeted attacks.
>
> At this point, I think we need to make sure we're all on the same page. Do we mean 60% success that "60% of the time, we got back *A* credential that allowed us to continue", or "we send 100 copies of the phish, and get back 60 credentials"? I suspect that may explain why some groups are reporting 75% success and others are reporting 7%...

-- Matthew Wollenweber mjw () cyberwart com 240-753-0281