Educause Security Discussion mailing list archives

Re: Repeat offenders during phishing campaign

From: Frank Barton <bartonf () HUSSON EDU>
Date: Tue, 21 Mar 2017 16:34:43 -0400

James, (et.al.) When a user falls for a [simulated] phish, do you consider
their account to be compromised? our procedure for a compromised account is
to immediately lock it down until we have gone through our set of cleaning
checks. This can take some time, and, if an account is compromised outside
of normal hours, we typically lock it out, and then clean the next day.

If this matches your process (at least generally) do you find that the time
during which they are locked out is a deterrent?

Frank

On Tue, Mar 21, 2017 at 4:20 PM, James Valente <jvalente () salemstate edu>
wrote:

I’ve inquired about forcing users to attend education training but we’re
not allowed to mandate any training like this, especially for faculty.



However, we are allowed to request they attend training. I sent out a
bunch of emails to repeat offenders last week with training material, and a
little note hoping the guilt of the workload created by them falling for a
phish (because they only  see the inconvenience of having a password reset,
not cleaning up a mess at 11:30pm on a Saturday night) encourages them to
check the material and be more cautious in the future.



--James



*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Rob Milman
*Sent:* Tuesday, 21 March, 2017 15:53

*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Repeat offenders during phishing campaign



Thanks Ben,



I have 17 repeat offenders so far(pretty low since we are phishing all our
staff). We are using SANS STH Phishing that does train the clickers on what
they should have looked for in the message. The repeat offenders have
technically had that training at least twice and some may have had my more
in depth awareness training if I’ve hit their school/department in the last
year.



Rob



*From:* The EDUCAUSE Security Constituent Group Listserv [
mailto:SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>] *On
Behalf Of *Ben Woelk
*Sent:* Tuesday, March 21, 2017 1:42 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Repeat offenders during phishing campaign



Rob,

Define “small number!” That’s going to impact what you can do.

Are the offenders automatically forwarded to learning content about
phishing or otherwise notified they’ve taken the bait?



Ben Woelk '07 CISSP

ISO Program Manager

Information Security Office

Rochester Institute of Technology

ROS 10-A204

151 Lomb Memorial Drive

Rochester, New York 14623

585.475.4122 <(585)%20475-4122>

585.475.7920 <(585)%20475-7920> fax

ben.woelk () rit edu

http://www.rit.edu/security/



*Become a fan of RIT Information Security at *
*http://rit.facebook.com/RITInfosec*
<http://rit.facebook.com/profile.php?id=6017464645>



*Follow us on Twitter: http://twitter.com/RIT_InfoSec
<http://twitter.com/RIT_InfoSec>*



*CONFIDENTIALITY NOTE*:  The information transmitted, including
attachments, is intended only for the person(s) or entity to which it is
addressed and may contain confidential and/or privileged material.  Any
review, retransmission, dissemination or other use of, or taking of any
action in reliance upon this information by persons or entities other than
the intended recipient is prohibited.  If you received this in error,
please contact the sender and destroy any copies of this information.







*From:* The EDUCAUSE Security Constituent Group Listserv [
mailto:SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>] *On
Behalf Of *Rob Milman
*Sent:* Tuesday, March 21, 2017 12:30 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] Repeat offenders during phishing campaign



Hi everyone,



We have been running a phishing campaign since last fall. There have been
a small number of repeat offenders, which our vendor has identified as
high-risk individuals. Have any of you dealt with this situation and
developed a process that you’d like to share?



Thanks,



Rob



[image: cid:image004.png@01D18F19.9217E950]

*Rob Milman*

Security & Compliance Analyst

Information Systems



Southern Alberta Institute of Technology

EH Crandell Building, GA 214

1301 – 16 Avenue NW, Calgary AB, T2M 0L4



(Office) 403.774.5401 <(403)%20774-5401>  (Cell) 403.606.3173
<(403)%20606-3173>

*rob.milman () sait ca <rob.milman () sait ca>*




-- 
Frank Barton
ACMT
IT Systems Administrator
Husson University

Current thread:

Repeat offenders during phishing campaign Rob Milman (Mar 21)
- Re: Repeat offenders during phishing campaign Barton, Robert W. (Mar 21)
- Re: Repeat offenders during phishing campaign Greg Williams (Mar 21)
  - Re: Repeat offenders during phishing campaign McCrary, Barbara (Mar 21)
- Re: Repeat offenders during phishing campaign Ben Woelk (Mar 21)
  - Re: Repeat offenders during phishing campaign Rob Milman (Mar 21)
    - Re: Repeat offenders during phishing campaign James Valente (Mar 21)
    - Re: Repeat offenders during phishing campaign Frank Barton (Mar 21)
    - Re: Repeat offenders during phishing campaign James Valente (Mar 21)
    - Re: Repeat offenders during phishing campaign Urrea, Nick (Mar 21)
    - Re: Repeat offenders during phishing campaign Steven Alexander (Mar 21)
    - Re: Repeat offenders during phishing campaign Brad Judy (Mar 21)
    - Re: Repeat offenders during phishing campaign Vest, Shawn E (Mar 26)