
PING: William Pelgrin

01 Mar 2006 | By Michael S. Mimoso, Senior Editor


Filtering "crud" like malicious code from New York's government agencies was never an overbearing problem for William Pelgrin's security teams at the state's Office of Cyber Security and Critical Infrastructure Coordination. Pelgrin, director of the CSCIC, manages to stay ahead of hackers by recognizing changes in their methodologies and being proactive about defenses, especially user awareness. The escalation of targeted phishing attacks caught his attention a year ago. His response was a pair of phishing exercises organized by his office against 10,000 state employees. Despite the risk of users losing trust in the security group, Pelgrin says the exercises were successful in testing employees' willingness to give up personally identifiable information to a supposedly trusted source. Pelgrin expresses satisfaction with the results, but recognizes areas for improvement and promises more in the future.

How this exercise works

Logistics
  • Advisory partnership with SANS and Anti-Phishing Working Group
  • AT&T routed messages from a network outside the state's, lending credibility to the mock exercise
  • Cooperation with state agency commissioners; all agree to participate
  • Keeping those in the know to a minimum

Scenario
  • An informational e-mail message on phishing is sent from CSCIC's No. 2 security officer to five state agencies in sequence
  • Two weeks later, phase 1 is launched to 10,000 state employees
  • First exercise comes from ISO@CSCIC.org, which is not the office's naming convention (the only clue this was a scam)
  • Message, featuring a CSCIC banner, prompts users to link to a site where they can check password strength
  • If a user clicked on the password form, they failed the exercise. A tutorial followed explaining that this was an exercise and the perils of phishing scams. An informational video and quiz were also included.
  • If a user deleted the e-mail, they got a congratulatory message. If a user cut and pasted the URL into another browser, a congratulatory page appeared.
  • A month later, a second exercise is conducted to five state agencies simultaneously
  • Message informs users of a potential cyber event causing Internet connectivity issues. Users are prompted to follow a link to a Web page where they are asked their user name, password, e-mail address, phone number and whether they had experienced connectivity problems in the last 72 hours.
  • Users are taken to a survey depending on the answer they provide.

Results

Phase 1:
  • 17 percent followed the link to the password-checker site
  • 15 percent tried to interact with the password checker
  • 3 percent cut and pasted the URL into a browser

Phase 2:
  • 14 percent followed the link
  • 8 percent interacted with the form
  • 5 percent cut and pasted the URL into a browser
  • 40 percent improvement from phase 1 to phase 2

Why combine cybersecurity and critical infrastructure protection in your office?

Pelgrin: [Governor Pataki] is a visionary in this area. He blessed the concept of creating a unique office focusing on cyber-preparedness and being as resilient as we could be in New York state. We are made up of individuals on the cyber side and from geographic information systems and critical infrastructure coordination. We take our assets, depict them geographically and relate them to incidents. We can see the two converging; if the event is cyber, we can see what potential physical consequences there may be.

We want the office to stay small. This is about collaboration, not about mandates or control. We want to be a role model for partnerships.

What is the reporting structure and information sharing like between your groups?

Pelgrin: All state agencies have an information security officer. We work collaboratively with them, creating a joint security policy. I'm a big believer this has to be about building relationships on the private side as well.

There are eight committees: health, financial, agricultural, telecommunications, education and public safety among them. It's a real collaborative effort. We meet monthly by phone and share information about risk and vulnerabilities. We also have major player meetings where all major utilities are invited to a conference call.

Every year, we take a hindsight view to see if we're providing a value-add. One of my guiding principles is that we do no harm to the private sector. We've got enough structure and processes in place that we can tap in and get information as appropriate. We don't want to see everything. They respond favorably to that. Trust has been building; it's not a right, it's something we earn.

Why the mock phishing exercises? Was there a problem?

Pelgrin: We tend to do a good job filtering out the crud. However, the concern of hackers moving from phishing to spear phishing, where the apparent sender is a real trusted source, forced us to say, 'Let's get ahead of it before it becomes a problem.' We wanted to use this as an opportunity to forestall that from becoming an issue.

What did you do with those who failed?

Pelgrin: Part of this is a tactile approach to learning. Repetition is very important; it's true with kids that the only way to teach is through repetition.

This is not the only event; it's part of our standard awareness program. We are asking agencies to deal with phishing in their annual awareness training as well. We are also providing this template to anyone willing to use it. All states in the union have got it. One other state is in the process of doing a similar exercise.

We did start to change some of the culture where no one in one department saw this as an exercise but as an illegitimate phishing scam. Everyone in the department was told to just delete it. That's what this is all about, changing the culture.

This is not about 'I got you.' If it's about blame, we all lose. You learn about the past to make the future better.

Aren't you concerned state employees will lose trust in legitimate e-mail messages coming from your office?

Pelgrin: We debated that at length. Here's why I did this and why I concluded it was the right thing to do. It came from the agency ISO, a trusted source. What better way to say if I get something from the ISO and he wants personal information, I still have to say no. That's the biggest clue: an ISO will not ask for personal information.

There's no negative impact that they can't trust e-mail. It gave them time to pause and think that no matter who it is, they should not lower their security standards. There are ways to handle this securely. If you get one of these e-mail messages, even if it's from a trusted source, end the session, phone that person and talk to them about it, then go back and deal with the information they may or may not need.

About the author
Michael S. Mimoso is Senior Editor of Information Security magazine.
