Educause Security Discussion mailing list archives

Re: Response to phishing e-mails


From: Brandon Hume <Brandon.Hume () DAL CA>
Date: Wed, 29 Oct 2014 19:45:41 -0300

On 29/10/2014 5:07 PM, Nick Semenkovich wrote:
> For the users who get phished, the question shouldn't be "How can we
> make our users better?" but instead -- "How can *we* be better?"

Why not both? We're talking about .edu... fundamentally, people are supposed to be learning. As you said, there's a steady stream of users coming in, and whacking them all in the head is both tiring and useless. But by that same token, there's a steady stream of people leaving out the other side, and you want them to be able to take care of themselves.

It's absolutely unfair to the user to punish them for a first offence when they've been given no idea what to watch out for, I completely agree. But when you're dealing with second or third offences, or "lol, who cares" attitudes, the situation becomes a little fuzzier. I really don't consider it any different from coursework... if the student shows up but the professor doesn't, they can (and should!) raise hell at the exam. But if the student doesn't even show up to class, we do in fact punish them... we punish them by withholding their degree; we punish them monetarily by making them take the course over.

> - How is it that our users can secure their Twitter accounts with
> two-factor, but not their access to our e-mail systems, HR, and
> payroll? (That arguably borders on negligence in more regulated
> fields, like banking and healthcare.)

Totally agree, especially in the age of ubiquitous mobile devices. I think part of the problem is cost, though. Remember that IT budgets are getting squeezed and squeezed hard... it can be hard to get someone to loosen the purse strings to implement something to protect people from the consequences of doing something they should never have done in the first place.

> - Why is it even *possible* that having just a single user's (probably
> weak) password can result in high levels of access (VPN connectivity,
> spam/phishing mail sent, payroll changes, educational FERPA-protected
> records, etc.)?

To a certain extent because a) users will recycle passwords, and b) hoops placed between services result in users setting up backdoors for themselves (and when you shut down those backdoors, they get even more resentful and feel more entitled to even *more* backdoors...) Even the two-man rule seems too much for too many people. We live in an age where Cisco deliberately puts backdoors in their products (to short-circuit support calls) and developers create software that needs Domain Admin to function because they can't be bothered to figure out ACLs.

> - Why do we allow a user, who's been connecting to Webmail from the
> US, to suddenly authenticate to POP from China or EC2 and send 10,000
> messages to domains we've never sent mail to before?

This is a good point, but what mechanisms use this level of Bayesian analysis? Educational institutions in particular will have researchers travelling far and wide, and it only takes one high-placed researcher getting shut down when he tries to email his class list to cause angry phone calls and the demand to "turn the bloody thing off".

Essentially this entire discussion is rooted in the classical conflict: what people need to do versus what they want to do. And as a species we're terrible at sorting that out without positive and negative stimulus.

I think thanking users for spotting and reporting phishing emails is a good positive stimulus... you want the user to feel like a hero for not falling for it and alerting you. Only speaking for myself, there's nothing more satisfying than running into a "mere user" who is actively contemptuous of the latest phishing email. I can understand why heavily taxed IT departments with a lot of users might shy from that, though... you can feel like you're spending more time thanking the users than dealing with the spam!
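As an added illustration, not part of Nick's or Brandon's messages, here is the kind of per-user session scoring Nick's "Webmail from the US, then POP from China or EC2 sending 10,000 messages to new domains" question implies, written in Python over constructed sample data. The field names, the point weights, the "cloud" network label and the block/alert thresholds are all assumptions for the example. It also exercises the case Brandon raises: a travelling researcher who mails a known class list from a new country picks up one weak signal and is allowed through, while the compromised-account pattern stacks several signals and is blocked.

```python
"""Rule-based scoring of a mail session against a user's own history.

Constructed example. HISTORY is hypothetical, not real log data, and the
weights/thresholds below are assumptions chosen to illustrate the idea.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed history: (user, country, network type, auth protocol,
# {recipient domain: messages sent}) per past session.
HISTORY = [
    ("alice", "US", "campus", "webmail", {"dal.ca": 40, "gmail.com": 5}),
    ("alice", "US", "residential", "webmail", {"dal.ca": 30}),
    ("alice", "US", "residential", "imap", {"dal.ca": 12, "gmail.com": 2}),
    ("bob", "US", "campus", "webmail", {"dal.ca": 20}),
    ("bob", "CA", "campus", "webmail", {"dal.ca": 15, "mcgill.ca": 3}),
]


@dataclass
class Baseline:
    """What a user has done before: where from, how, and to whom."""
    countries: Counter = field(default_factory=Counter)
    protocols: Counter = field(default_factory=Counter)
    domains: Counter = field(default_factory=Counter)
    sessions: int = 0


def build_baselines(history):
    baselines = defaultdict(Baseline)
    for user, country, _network, protocol, domains in history:
        b = baselines[user]
        b.countries[country] += 1
        b.protocols[protocol] += 1
        b.domains.update(domains)
        b.sessions += 1
    return baselines


def score_session(baseline, country, network, protocol, domains):
    """Return (score, reasons). Each independent anomaly adds points; a
    single anomaly (e.g. travel) is deliberately not enough to block."""
    score, reasons = 0, []
    if country not in baseline.countries:
        score += 2
        reasons.append(f"first login from {country}")
    if network == "cloud":  # assumption: end users never originate from IaaS ranges
        score += 2
        reasons.append("source address is in a cloud-provider range")
    if protocol not in baseline.protocols:
        score += 1
        reasons.append(f"first use of {protocol}")
    sent = sum(domains.values())
    typical = sum(baseline.domains.values()) / max(baseline.sessions, 1)
    if sent > 10 * typical:
        score += 2
        reasons.append(f"{sent} messages vs ~{typical:.0f} in a typical session")
    if sent:
        to_new = sum(n for d, n in domains.items() if d not in baseline.domains)
        if to_new / sent > 0.5:
            score += 2
            reasons.append("majority of recipients at never-before-seen domains")
    return score, reasons


def evaluate(baselines, user, country, network, protocol, domains):
    """Map the score to an action. Thresholds are assumptions."""
    score, reasons = score_session(baselines[user], country, network, protocol, domains)
    if score >= 5:
        action = "block"     # cut the session and page the help desk
    elif score >= 3:
        action = "alert"     # let it through, but have a human look
    else:
        action = "allow"
    return action, score, reasons


BASELINES = build_baselines(HISTORY)

if __name__ == "__main__":
    # Compromised account: new country, EC2-style source, POP, bulk mail to new domains.
    print(evaluate(BASELINES, "alice", "CN", "cloud", "pop",
                   {"example.net": 6000, "example.org": 4000}))
    # Travelling researcher: new country only, mailing the usual class list.
    print(evaluate(BASELINES, "alice", "DE", "residential", "webmail", {"dal.ca": 60}))
```

The point of scoring rather than hard-blocking on any one signal is exactly Brandon's objection: travel alone is common in a university and earns two points, which is below the block line, while the phishing-compromise pattern accumulates nine.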

