This article can also be found in the Premium Editorial Download "Information Security magazine: Captive to SOX compliance? A compliance guide for managers."
Download it now to read this article plus other related content.
|Phishing For Awareness|
Below is the methodology of the mock phishing exercises conducted last year by New York's CSCIC.
Spear-phishing scams won't find any targets among New York's state government agencies if William Pelgrin, director of New York's Office of Cyber Security and Critical Infrastructure Coordination, has anything to say about it. A pair of mock phishing exercises against state agencies ruffled a few feathers, but raised awareness.
Why the mock phishing exercises? Was there a problem? We were concerned about hackers who were moving from phishing to spear phishing, where the apparent sender is a real trusted source. This forced us to say "Let's get ahead of it before becomes a problem."
What did you do with those who failed? If it's about blame, we all lose. Those who failed the exercises viewed a tutorial and video on the perils of phishing and were quizzed. Names of those who failed were not forwarded to a commissioner.
This is not the only event; it's part of our standard awareness program. We are asking agencies to deal with phishing in their annual awareness training as well. We did start to change some of the culture; that's what this is all about.
Aren't you concerned that state employees will lose trust in legitimate e-mails coming from your office? We debated that at length. There's no negative impact that they can't trust e-mail. It gave them time to pause and think that no matter who it is, they should not lower their security standards. There are ways to handle this securely. If you get one of these e-mails--even if it's from a trusted source--end the session, phone that person and talk to them about it, then go back and deal with the information they may or may not need.
Read the complete interview at searchsecurity.com/ismag.
This was first published in March 2006