Home > Information Security Magazine > Columns > Ping
EMAIL THIS LICENSING & REPRINTS
Information Security Magazine

  CURRENT ISSUE  
  FEATURES  
  COLUMNS  
  HOT PICK & PRODUCT REVIEWS  
  ARCHIVES  
  SUBSCRIBE/RENEW  
  

Ping
by Michael S. Mimoso
Issue: Mar 2006
printer-friendly
licensing & reprints

Phishing For Awareness
Below is the methodology of the mock phishing exercises conducted last year by New York's CSCIC.

Logistics

  • Advisory partnerships formed with SANS and Anti-Phishing Working Group.
  • AT&T routed messages from an outside network.
Scenario
  • Phase 1 launched to 10,000 state employees from iso@cscic.org--not the CSCIC naming convention (the only clue that it was a scam).
  • The message prompted users to link to a password checker; clicking in the form denoted failure.
  • A month later, Phase 2 launched, and users were led to a link where they were asked to enter personal information.
  • Surveys, tutorials and quizzes were offered depending on the user action taken.
Results
Phase 1:
  • 17% followed the link to the password-checker site.
  • 15% tried to interact with the password checker.
  • 3% cut and pasted the URL into a browser.
Phase 2:
  • 14% followed the link.
  • 8% interacted with the form.
  • 5% cut and pasted the URL into a browser.
There was a 40 percent improvement from Phase 1 to Phase 2.

Spear-phishing scams won't find any targets among New York's state government agencies if William Pelgrin, director of New York's Office of Cyber Security and Critical Infrastructure Coordination, has anything to say about it. A pair of mock phishing exercises against state agencies ruffled a few feathers, but raised awareness.

Why the mock phishing exercises? Was there a problem? We were concerned about hackers who were moving from phishing to spear phishing, where the apparent sender is a real trusted source. This forced us to say "Let's get ahead of it before becomes a problem."

What did you do with those who failed? If it's about blame, we all lose. Those who failed the exercises viewed a tutorial and video on the perils of phishing and were quizzed. Names of those who failed were not forwarded to a commissioner.

This is not the only event; it's part of our standard awareness program. We are asking agencies to deal with phishing in their annual awareness training as well. We did start to change some of the culture; that's what this is all about.

Aren't you concerned that state employees will lose trust in legitimate e-mails coming from your office? We debated that at length. There's no negative impact that they can't trust e-mail. It gave them time to pause and think that no matter who it is, they should not lower their security standards. There are ways to handle this securely. If you get one of these e-mails--even if it's from a trusted source--end the session, phone that person and talk to them about it, then go back and deal with the information they may or may not need.

Read the complete interview at searchsecurity.com/ismag.





TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineWebcastsWhite PapersLearningAdviceTopicsEventsAbout Us
SEARCH :     Advanced Search | Site Index Powered by: Search Powered by Google

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map




All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts