PING: William Pelgrin

A mock phishing exercise against 10,000 state employees conducted by the director of New York's Office of Cyber Security and Critical Infrastructure Coordination provided a measure of user awareness.

Filtering "crud" like malicious code from New York's government agencies was never an overbearing problem for William Pelgrin's security teams at the state's Office of Cyber Security and Critical Infrastructure Coordination. Pelgrin, director of the CSCIC, manages to stay ahead of hackers by recognizing changes in their methodologies and being proactive about defenses, especially user awareness. The escalation of targeted phishing attacks caught his attention a year ago. His response was a pair of phishing exercises organized by his office against 10,000 state employees. Despite the risk of users losing trust in the security group, Pelgrin says the exercises were successful in testing employees' willingness to give up personally identifiable information to a supposedly trusted source. Pelgrin expresses satisfaction with the results, but recognizes areas for improvement and promises more in the future.

How this exercise works

  • Advisory partnership with SANS and Anti-Phishing Working Group
  • AT&T routed messages from a network outside the state's, lending credibility to the mock exercise
  • Cooperation with state agency commissioners; all agree to participate
  • Keeping those in the know to a minimum

Scenario

  • An informational e-mail message on phishing is sent from CSCIC's No. 2 security officer to five state agencies in sequence
  • Two weeks later, phase 1 is launched to 10,000 state employees
  • First exercise comes from, which is not the office's naming convention (the only clue this was a scam)
  • Message, featuring a CSCIC banner, prompts users to link to a site where they can check password strength
  • If a user clicked on the password form, they failed the exercise. A tutorial followed explaining this was an exercise and the perils of phishing scams. An informational video and quiz were also included.
  • If a user deleted the e-mail, they got a congratulatory message. If a user cut and pasted the URL into another browser, a congratulatory page appeared
  • A month later, a second exercise is conducted against five state agencies simultaneously
  • Message informs users of a potential cyber event causing Internet connectivity issues. Users are prompted to follow a link to a Web page where they are asked for their user name, password, e-mail address and phone number, and whether they had experienced connectivity problems in the last 72 hours.
  • Users are taken to a survey depending on the answer they provide.

Results

Phase 1:

  • 17 percent followed the link to the password-checker site
  • 15 percent tried to interact with the password checker
  • 3 percent cut and pasted the URL into a browser

Phase 2:

  • 14 percent followed the link
  • 8 percent interacted with the form
  • 5 percent cut and pasted the URL into a browser
  • 40% improvement from phase 1 to phase 2

    Why combine cybersecurity and critical infrastructure protection in your office?

    Pelgrin: [Governor Pataki] is a visionary in this area. He blessed the concept of creating a unique office focusing on cyber-preparedness and being as resilient as we could be in New York state. We are made up of individuals on the cyber side and from geographic information systems and critical infrastructure coordination. We take our assets, depict them geographically and relate them to incidents. We can see the two converging; if the event is cyber, we can see what potential physical consequences there may be.

    We want the office to stay small. This is about collaboration, not about mandates or control. We want to be a role model for partnerships.

    What is the reporting structure and information sharing like between your groups?

    Pelgrin: All state agencies have an information security officer. We work collaboratively with them, creating a joint security policy. I'm a big believer this has to be about building relationships on the private side as well.

    There are eight committees: health, financial, agricultural, telecommunications, education and public safety among them. It's a real collaborative effort. We meet monthly by phone and share information about risk and vulnerabilities. We also have major player meetings where all major utilities are invited to a conference call.

    Every year, we take a hindsight view to see if we're providing a value-add. One of my guiding principles is that we do no harm to the private sector. We've got enough structure and processes in place that we can tap in and get information as appropriate. We don't want to see everything. They respond favorably to that. Trust has been building, it's not a right, it's something we earn.

    Why the mock phishing exercises? Was there a problem?

    Pelgrin: We tend to do a good job filtering out the crud. However, the concern of hackers moving from phishing to spear phishing where the apparent sender is a real trusted source, forced us to say 'Let's get ahead of it before it becomes a problem.' We wanted to use this as an opportunity to forestall that from becoming an issue.

    What did you do with those who failed?

    Pelgrin: Part of this is a tactile approach to learning. Repetition is very important; it's true with kids that the only way to teach is through repetition.

    This is not the only event; it's part of our standard awareness program. We are asking agencies to deal with phishing in their annual awareness training as well. We are also providing this template to anyone willing to use it. All states in the union have got it. One other state is in the process of doing a similar exercise.

    We did start to change some of the culture where no one in one department saw this as an exercise but as an illegitimate phishing scam. Everyone in the department was told to just delete it. That's what this is all about, changing the culture.

    This is not about 'I got you.' If it's about blame, we all lose. You learn about the past to make the future better.

    Aren't you concerned state employees will lose trust with legitimate e-mail messages coming from your office?

    Pelgrin: We debated that at length. Here's why I did this and why I concluded it was the right thing to do. It came from the agency ISO, a trusted source. What better way to say if I get something from the ISO and he wants personal information, I still have to say no. That's the biggest clue: an ISO will not ask for personal information.

    There's no negative impact that they can't trust e-mail. It gave them time to pause and think that no matter who it is, they should not lower their security standards. There are ways to handle this securely. If you get one of these e-mail messages, even if it's from a trusted source, end the session, phone that person and talk to them about it then go back and deal with the information they may or may not need.

    About the author
    Michael S. Mimoso is Senior Editor of Information Security magazine.

    This was first published in March 2006
