Ping: William Pelgrin - Information Security Magazine

@exb

Phishing For Awareness

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.
Below is the methodology of the mock phishing exercises conducted last year by New York's CSCIC.

Logistics

  • Advisory partnerships formed with SANS and Anti-Phishing Working Group.
  • AT&T routed messages from an outside network.
Scenario
  • Phase 1 launched to 10,000 state employees from iso@cscic.org--not the CSCIC naming convention (the only clue that it was a scam).
  • The message prompted users to link to a password checker; clicking in the form denoted failure.
  • A month later, Phase 2 launched, and users were led to a link where they were asked to enter personal information.
  • Surveys, tutorials and quizzes were offered depending on the user action taken.
Results
Phase 1:
  • 17% followed the link to the password-checker site.
  • 15% tried to interact with the password checker.
  • 3% cut and pasted the URL into a browser.
Phase 2:
  • 14% followed the link.
  • 8% interacted with the form.
  • 5% cut and pasted the URL into a browser.
There was a 40 percent improvement from Phase 1 to Phase 2.

@exe

Spear-phishing scams won't find any targets among New York's state government agencies if William Pelgrin, director of New York's Office of Cyber Security and Critical Infrastructure Coordination, has anything to say about it. A pair of mock phishing exercises against state agencies ruffled a few feathers, but raised awareness.

Why the mock phishing exercises? Was there a problem? We were concerned about hackers who were moving from phishing to spear phishing, where the apparent sender is a real trusted source. This forced us to say "Let's get ahead of it before becomes a problem."

What did you do with those who failed? If it's about blame, we all lose. Those who failed the exercises viewed a tutorial and video on the perils of phishing and were quizzed. Names of those who failed were not forwarded to a commissioner.

This is not the only event; it's part of our standard awareness program. We are asking agencies to deal with phishing in their annual awareness training as well. We did start to change some of the culture; that's what this is all about.

Aren't you concerned that state employees will lose trust in legitimate e-mails coming from your office? We debated that at length. There's no negative impact that they can't trust e-mail. It gave them time to pause and think that no matter who it is, they should not lower their security standards. There are ways to handle this securely. If you get one of these e-mails--even if it's from a trusted source--end the session, phone that person and talk to them about it, then go back and deal with the information they may or may not need.

Read the complete interview at searchsecurity.com/ismag.

This was first published in March 2006