Re: A user granted with admin rights failed a phishing test

["Smith, Jason" <Jason_Smith () BSMCON EDU>]

The idea of fostering an open relationship with users is an important one, but at the end of the day a user who falls 
for a phish today (real or test) has signaled they present significantly more risk than your other users who avoided 
it.  Hopefully additional training will help that person, but attackers iterate new attack methods much faster than we 
can train them (or even detect them).

With all the tools out there for a support desk to quickly and easily grant a user temporary admin access in the 
increasingly rare situations where they would even need it – I would immediately pull the plug on admin rights for the 
test victim.  With power comes responsibility.

This question/conversation is a good reminder that all schools should have all staff & faculty on 2-factor for all 
remote access because some of them will get successfully phished (not a test) at some point.  It’s inevitable.


Jason E. Smith, MS PMP CPHIMS CSM
Director of IT, Bon Secours Memorial College
8550 Magellan Parkway #1100, Richmond, VA 23227
[cid:image001.png@01D6B6A4.9BD30D00]

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ken Munro
Sent: Monday, November 9, 2020 2:15 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] A user granted with admin rights failed a phishing test

Hi.

I also think that punitive measures should not be taken. Our cybersecurity training platform automatically notifies the 
user they click on a phishing link, and assigns them a contemplative survey asking questions about why they clicked it. 
We also have the option to assign them a remedial phishing module, which I do for staff but not faculty.

We say that no one will be reprimanded for clicking on simulated phishing links. We do not require our staff and 
faculty take cybersecurity training, so if they think they are going to be reprimanded due to opting into the training, 
fewer people will sign up for it.

You want people to report security incidents (real ones especially), not be afraid to report them, hide them. If you 
punish clickers, they may try to hide the fact that they were really phished. You might be decreasing your security by 
taking a punitive approach.

Cheers.

Ken Munro
________________________________________
Ken Munro
Security Compliance and Training Specialist
Information Technology and Services
Mount Saint Vincent University
166 Bedford Highway
Halifax, NS B3M 2J6
(902) 457-6150
ken.munro () msvu ca<mailto:ken.munro () msvu ca>

Confidentiality Notice: This email may be private and confidential. If you have received this e-mail by mistake, please 
immediately notify the sender by e-mail or telephone, delete it from your system, and do not copy or distribute it.

Phishing Warning: IT&S does not request passwords or other personal information via email. Messages requesting such 
information are phishing attempts and should be deleted.




From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Jerry Tylutki
Sent: Monday, November 9, 2020 3:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] A user granted with admin rights failed a phishing test

I disagree that any punitive action should be taken. Phishing tests are in their nature deceptive and attempt to trap 
the individual; revoking access, potentially impacting the responsibilities of that person, is not the path I would 
take. Phishing campaigns are one part of a larger security education and training program. Raise awareness. Increase 
education.

I am open and communicative when preparing to send out a phishing email -- I want the end users to expect it and be on 
the lookout for a phishing message. Nothing makes me more satisfied then when I get an actual phishing message 
forwarded to me with a "you can't trick me" type message.

-------
Jerry Tylutki
Information Security Officer
Hamilton College
(315) 859-4289 -- office

*****The contents of this email are CONFIDENTIAL. If you have received this email by mistake, please notify the sender 
and delete the email and its contents.*****


On Mon, Nov 9, 2020 at 12:28 PM Apollo Dalamar <apollodalamar () gmail com<mailto:apollodalamar () gmail com>> wrote:
G'day Jared,

I would most certainly revoke Admin Rights until the individual can pass some of the assessments associated with the 
Cyber Security Training.
Allude the individual that there would be some form of auditing / supervision for a graceful period. In the interim, 
monitor appropriate audit logs for a graceful period to make sure the individual is adhering to protocols.
Additionally, have the individual sign some form of legal binding paperwork with the understanding and acknowledging 
that the individual is obligated to operate within protocols and anything otherwise would result in some form of 
disciplinary action, with the prospect of work dismal.

Cheers,
Pete


On Mon, Nov 9, 2020 at 10:48 AM Jared Evans <jared.evans () gallaudet edu<mailto:jared.evans () gallaudet edu>> wrote:
Hello,

I would ask about what actions are typically taken when a user who has been granted admin rights (limited to few 
workstations within their workspace) failed a phishing test with the user giving out the user credentials.

Additional cybersecurity training is a given but are the admin rights temporarily revoked until the training is 
completed?

--
[https://drive.google.com/a/gallaudet.edu/uc?id=0B06ctamGLs2hSzVkWTREblhkS0E&export=download]
Jared Evans
Information Security Officer
Gallaudet Technology Services
Gallaudet University
jared.evans () gallaudet edu<mailto:jared.evans () gallaudet edu>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community