Educause Security Discussion mailing list archives

Re: Faculty Acceptance of Security Awareness Education?
From: Matthew Wollenweber <mjw () CYBERWART COM>
Date: Tue, 1 Dec 2009 12:50:24 -0500

Vladis,

We seldom sent out 100 emails, but I mean we'd get X percent shells back,
so say we sent 20 emails out we might get 8 callbacks. These were generally
targeted and customized to avoid AV signatures. Also my stats are averaged
by job, meaning that a job with 20 emails sent counts as much as a job with
100 emails sent. I can't provide the raw data or methodology as I no longer
have it and it would contain customer and proprietary data. I can't recall
ever not getting some success at organizations with at least 1000 people.

Phishme's success rate may be higher given that they don't have a payload.
For their metrics, I believe the user only needs to click a link and be
forwarded to their educational presentations. In my case, success was a
callback, so the user had to click and the background magic had to occur.


On Tue, Dec 1, 2009 at 12:39 PM, Valdis Kletnieks
<Valdis.Kletnieks () vt edu> wrote:

On Tue, 01 Dec 2009 12:29:02 EST, Matthew Wollenweber said:

While I was doing pen testing, our phishing service tended to have a
40-60% success rate for unsophisticated targeted attacks.

At this point, I think we need to make sure we're all on the same page.

Do we mean 60% success that "60% of the time, we got back *A* credential
that allowed us to continue", or "we send 100 copies of the phish, and
get back 60 credentials"?

I suspect that may explain why some groups are reporting 75% success and
others are reporting 7%...
--
Matthew Wollenweber
mjw () cyberwart com
240-753-0281
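The thread turns on what "success rate" actually measures: Valdis asks whether 60% means "60% of the time we got back at least one credential" or "60 credentials back per 100 emails", and Matthew adds that his figures are averaged per job, so a 20-email job weighs as much as a 100-email job. The following added example (not code from either poster; the job tallies are constructed and the function names are my own) computes those three readings over the same small data set, so a program running phishing simulations can see why one definition reports 75% while another reports about 20%.

```python
"""Three ways to summarise phishing-simulation results.

Constructed sample data: (job name, emails sent, callbacks/credentials received).
These numbers are illustrative, not figures from the thread.
"""

JOBS = [
    ("job-a", 20, 8),    # small job, 40% callback rate
    ("job-b", 100, 7),   # large job, 7% callback rate
    ("job-c", 50, 25),   # medium job, 50% callback rate
    ("job-d", 30, 0),    # job with no callbacks at all
]


def per_job_rates(jobs):
    """Callback rate of each job on its own: callbacks / emails sent."""
    return [(name, callbacks / sent) for name, sent, callbacks in jobs]


def mean_of_job_rates(jobs):
    """Matthew's reading: average the per-job rates, so every job has equal weight
    regardless of how many emails it sent."""
    rates = [rate for _, rate in per_job_rates(jobs)]
    return sum(rates) / len(rates)


def pooled_rate(jobs):
    """Valdis's second reading: total callbacks over total emails, so large jobs
    dominate the figure."""
    total_sent = sum(sent for _, sent, _ in jobs)
    total_callbacks = sum(callbacks for _, _, callbacks in jobs)
    return total_callbacks / total_sent


def fraction_of_jobs_with_any_success(jobs):
    """Valdis's first reading: share of jobs in which at least one callback
    (one usable credential) came back."""
    successful = sum(1 for _, _, callbacks in jobs if callbacks > 0)
    return successful / len(jobs)


def summarise(jobs):
    """Return all three metrics side by side for a report."""
    return {
        "per_job": dict(per_job_rates(jobs)),
        "mean_of_job_rates": mean_of_job_rates(jobs),
        "pooled_rate": pooled_rate(jobs),
        "jobs_with_any_success": fraction_of_jobs_with_any_success(jobs),
    }


if __name__ == "__main__":
    for key, value in summarise(JOBS).items():
        print(f"{key}: {value}")
```

On this constructed data the same four jobs yield 75% (jobs with at least one callback), about 24% (mean of per-job rates) and 20% (pooled), while the single largest job alone sits at 7%. When comparing an awareness programme's numbers with a vendor's or a pentester's, record which of these definitions is in use alongside the figure itself.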