Educause Security Discussion mailing list archives
Re: [External] Re: [SECURITY] Initial Phishing Simulation - Do you tell them first?
From: "Gregg, Christopher S." <csgregg () STTHOMAS EDU>
Date: Thu, 13 Jun 2019 15:12:21 +0000
We started down the path of phish testing, and then dropped it in favor of working on more pressing/effective activities such as our campus-wide MFA solution and creating a process for users to report real phishing or suspicious messages. In our initial phish testing though we definitely alerted the targeted groups and ramped up the tests as we went. Test 1 was an easy one to spot and we told them exactly when it was coming. Test 2 was a little trickier and they knew it was coming within a small timeframe. Test 3 was trickier yet, and they just knew it was coming at some point in the current month.

I think it comes down to your end goals. Not telling your users will give you a more accurate and scientific baseline to possibly measure how well your awareness program is working. However, if your overall goal is to reduce compromised accounts via phishing (and related scams) by educating your community to be effective phishing spotters/hunters, I would recommend including the community as fully as possible all along the way. I don't think you want to risk potentially shaming or angering parts of the community in order to have better comparison data. In the end we have been able to use data on real phishing attacks and account compromises to show that our various methods (awareness efforts + MFA + better response processes + better filtering) seem to be working.

Thanks,
Chris

Chris Gregg
Associate Vice President of Information Security & Risk Management, CISO
Information Technology Services (ITS)
csgregg () stthomas edu
p 1 (651) 962-6265
University of St. Thomas | https://www.stthomas.edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Valerie Vogel
Sent: Thursday, June 13, 2019 9:44 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [External] Re: [SECURITY] Initial Phishing Simulation - Do you tell them first?

In addition to Dr. Jessica Barker's article on positively influencing behavior (thank you for sharing that resource, Henk!), I wanted to share this blog by Brad Judy about Phishing Your Users: https://er.educause.edu/blogs/2016/4/phishing-your-users. It offers 10 key points to consider when implementing a phishing assessment program.

Thank you,
Valerie

Valerie Vogel
Senior Manager, Cybersecurity Program
EDUCAUSE
Uncommon Thinking for the Common Good
direct: 202.331.5374 | Follow HEISC on LinkedIn <https://www.linkedin.com/showcase/higher-education-information-security-council-heisc-/> | twitter: @HEISCouncil | vvogel () educause edu

From: Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Sonder, Henk E." <hsonder () RIC EDU>
Reply-To: Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thursday, June 13, 2019 at 5:26 AM
To: Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Initial Phishing Simulation - Do you tell them first?

Dave,

Although I cannot speak with authority, as I do not have my own data to back this up, I am a proponent of making an announcement in general terms. We are still toying with the idea of phishing simulation as part of an awareness campaign, but I would announce (by email) that we will be doing phishing simulations during the upcoming semesters and that all or part of the community may be included in these simulations. I would provide them with background information on what to look out for in order to identify phishing emails (fake or real).

What is your goal of a simulation and what are your metrics? More so, what is the culture at the Maricopa Community Colleges that leads to the outcomes you are looking for? The first simulation will still be your baseline, whether you announce or not; it all comes down to defining the metrics you are measuring.

My goal is to raise alertness and awareness. If I tell them they can expect a phishing simulation, they start looking for that phishing email. However, that means that they have to inspect every other suspicious email and make a judgement of risk. You need the same skills to identify the fake phish as you need to identify the real phish. I prefer the 'Gamify' approach to the 'Gotcha!' one. I would not only measure the number of people clicking on a phishing link, but also the number who report the phish.

Before hearing Jessica Barker's SPC2018 keynote <https://events.educause.edu/special-topic-events/webinar/2018/encore-selections-from-the-educause-security-professionals-conference-2018/agenda/keynote-cybersecurity-awareness-is-dead-long-live-cybersecurity-awareness> I believed in the 'surprise simulation'. I no longer believe that is the most effective approach, in particular given the openness of a higher education institution. I prefer empowering them (give them the tools to report a phish).

On a side note, when I announce a phishing simulation campaign via email here at Rhode Island College, the simulation will still surprise the majority of faculty/staff.

Read Jessica Barker, The Human Nature Of Cybersecurity <https://er.educause.edu/articles/2019/5/the-human-nature-of-cybersecurity>

Like you, I am interested to hear from those who have a number of simulation campaigns under their belt.

Henk E. Sonder
Director Information Security
Rhode Island College
600 Mount Pleasant Ave
Providence, RI 02908
Office: 401-456-9577
Email: hsonder () ric edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of David Eilken
Sent: Wednesday, June 12, 2019 9:52 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Initial Phishing Simulation - Do you tell them first?

All,

I have seen some threads on phishing in the past, but have a very specific question. When you started your phishing campaign/program, did you notify your staff/faculty that the simulations were coming (and not to worry about getting in trouble for failing)? I know KnowBe4 suggests not informing the population prior to doing a baseline. I've heard some pretty bad horror stories about the faculty not being too happy about getting a test phishing email sprung on them out of the blue. I personally don't see a huge upside to not letting them know what the broader campaign is about and how it supports the infosec program. I would be surprised if it skewed the results much. We already send out notifications when a real campaign is active.

Appreciate your input. Hope you're enjoying the summer.

Best,
Dave

--
DAVID EILKEN
MARICOPA COMMUNITY COLLEGES
Information Security Officer | ITS
2411 West 14th Street, Tempe, AZ 85281
david.eilken () domail maricopa edu
https://www.maricopa.edu/
O: 480-784-0637
LinkedIn <https://linkedin.com/school/maricopa-community-colleges> | Twitter <https://twitter.com/mcccd> | Facebook <https://www.facebook.com/maricopa.edu>
Current thread:
- Initial Phishing Simulation - Do you tell them first? David Eilken (Jun 12)
- Re: Initial Phishing Simulation - Do you tell them first? Scott Stoops (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Dennis Bolton (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Sonder, Henk E. (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Valerie Vogel (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Jason Fried (Jun 13)
- Re: [External] Re: [SECURITY] Initial Phishing Simulation - Do you tell them first? Gregg, Christopher S. (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Brad Judy (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Rob Milman (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Valerie Vogel (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Scott Stoops (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Ken Connelly (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Neal O'Farrell (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Hart, Michael (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Neal O'Farrell (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Watkins, Jameson (Jun 18)
- Re: Initial Phishing Simulation - Do you tell them first? Brian Basgen (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Hart, Michael (Jun 13)