Educause Security Discussion mailing list archives

Re: Repeat offenders during phishing campaign

From: James Valente <jvalente () SALEMSTATE EDU>
Date: Tue, 21 Mar 2017 20:42:28 +0000

We’ve only ran a very small number of simulated phishing attacks but none have captured credentials thusfar, so in the  
past we haven’t considered them compromised because we’ve lacked the tracking to do so. Because of this, the only users 
I’ve considered compromised have been “actual” compromises or leaked credentials.

 

I’m prepping for a phishing exercise using GoPhish soon and I’ll be capturing usernames for better reporting and 
followup. 

 

The procedure I’ve got in place for a compromised account is immediately disabling it in AD once it’s confirmed, and 
then cleaning up any queued messages within our Barracuda and exchange since it’s likely to impact mailflow for other 
users and increases the chance we’ll get placed on a blacklist, which is a pain to deal with. 

 

Unfortunately, in the case of repeat offenders I don’t think the inconvenience of getting locked out and having to call 
to regain access serves as a deterrent. Often the users just deny they fell for a phish and it’s not worth the argument 
to provide all of the evidence/IoC showing that is most likely the case.

 

I’ve just started to send training material on phishing AND good password practices (avoiding PW reuse, regular 
changes, strong passwords/passphrases), so they can get the benefit of the doubt while also avoiding them picking 
Trustno2 after being phished with the password Trustno1. 

 

--James

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Frank 
Barton
Sent: Tuesday, 21 March, 2017 16:35
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Repeat offenders during phishing campaign

 

James, (et.al <http://et.al> .) When a user falls for a [simulated] phish, do you consider their account to be 
compromised? our procedure for a compromised account is to immediately lock it down until we have gone through our set 
of cleaning checks. This can take some time, and, if an account is compromised outside of normal hours, we typically 
lock it out, and then clean the next day.

 

If this matches your process (at least generally) do you find that the time during which they are locked out is a 
deterrent?

 

Frank

 

On Tue, Mar 21, 2017 at 4:20 PM, James Valente <jvalente () salemstate edu <mailto:jvalente () salemstate edu> > wrote:

I’ve inquired about forcing users to attend education training but we’re not allowed to mandate any training like this, 
especially for faculty.

 

However, we are allowed to request they attend training. I sent out a bunch of emails to repeat offenders last week 
with training material, and a little note hoping the guilt of the workload created by them falling for a phish (because 
they only  see the inconvenience of having a password reset, not cleaning up a mess at 11:30pm on a Saturday night) 
encourages them to check the material and be more cautious in the future.

 

--James

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () 
LISTSERV EDUCAUSE EDU> ] On Behalf Of Rob Milman
Sent: Tuesday, 21 March, 2017 15:53


To: SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU> 
Subject: Re: [SECURITY] Repeat offenders during phishing campaign

 

Thanks Ben,

 

I have 17 repeat offenders so far(pretty low since we are phishing all our staff). We are using SANS STH Phishing that 
does train the clickers on what they should have looked for in the message. The repeat offenders have technically had 
that training at least twice and some may have had my more in depth awareness training if I’ve hit their 
school/department in the last year.

 

Rob

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ben Woelk
Sent: Tuesday, March 21, 2017 1:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU> 
Subject: Re: [SECURITY] Repeat offenders during phishing campaign

 

Rob,

Define “small number!” That’s going to impact what you can do.

Are the offenders automatically forwarded to learning content about phishing or otherwise notified they’ve taken the 
bait?

 

Ben Woelk '07 CISSP

ISO Program Manager

Information Security Office

Rochester Institute of Technology

ROS 10-A204

151 Lomb Memorial Drive

Rochester, New York 14623 

585.475.4122 <tel:(585)%20475-4122> 

585.475.7920 <tel:(585)%20475-7920>  fax

ben.woelk () rit edu <mailto:ben.woelk () rit edu> 

http://www.rit.edu/security/

 

Become a fan of RIT Information Security at  <http://rit.facebook.com/profile.php?id=6017464645> 
http://rit.facebook.com/RITInfosec

 

Follow us on Twitter: http://twitter.com/RIT_InfoSec

 

CONFIDENTIALITY NOTE:  The information transmitted, including attachments, is intended only for the person(s) or entity 
to which it is addressed and may contain confidential and/or privileged material.  Any review, retransmission, 
dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other 
than the intended recipient is prohibited.  If you received this in error, please contact the sender and destroy any 
copies of this information. 

 

 

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Rob 
Milman
Sent: Tuesday, March 21, 2017 12:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU> 
Subject: [SECURITY] Repeat offenders during phishing campaign

 

Hi everyone,

 

We have been running a phishing campaign since last fall. There have been a small number of repeat offenders, which our 
vendor has identified as high-risk individuals. Have any of you dealt with this situation and developed a process that 
you’d like to share?

 

Thanks,

 

Rob

 




Rob Milman

Security & Compliance Analyst

Information Systems

 

Southern Alberta Institute of Technology

EH Crandell Building, GA 214

1301 – 16 Avenue NW, Calgary AB, T2M 0L4

 

(Office) 403.774.5401 <tel:(403)%20774-5401>   (Cell) 403.606.3173 <tel:(403)%20606-3173> 

rob.milman () sait ca <mailto:rob.milman () sait ca> 

 

 





 

-- 

Frank Barton

ACMT

IT Systems Administrator

Husson University

Attachment: smime.p7s
Description:

Current thread:

Repeat offenders during phishing campaign Rob Milman (Mar 21)
- Re: Repeat offenders during phishing campaign Barton, Robert W. (Mar 21)
- Re: Repeat offenders during phishing campaign Greg Williams (Mar 21)
  - Re: Repeat offenders during phishing campaign McCrary, Barbara (Mar 21)
- Re: Repeat offenders during phishing campaign Ben Woelk (Mar 21)
  - Re: Repeat offenders during phishing campaign Rob Milman (Mar 21)
    - Re: Repeat offenders during phishing campaign James Valente (Mar 21)
    - Re: Repeat offenders during phishing campaign Frank Barton (Mar 21)
    - Re: Repeat offenders during phishing campaign James Valente (Mar 21)
    - Re: Repeat offenders during phishing campaign Urrea, Nick (Mar 21)
    - Re: Repeat offenders during phishing campaign Steven Alexander (Mar 21)
    - Re: Repeat offenders during phishing campaign Brad Judy (Mar 21)
    - Re: Repeat offenders during phishing campaign Vest, Shawn E (Mar 26)