Security Testing
The link in the email message should initiate the termination process.
Network security for the US State of Michigan has been rated as "moderately sufficient" in an audit of its Department of Technology, Management, and Budget (DTMB). Michigan's DTMB, according to auditor Doug Ringler this month, got some things right but has a number of deficiencies in its IT security practices that need to be …
ORLY? I regularly get phishing tests, I also get random emails from some of the various cobbled together systems that constitute every large corporate network telling me I need to relogin, that my password has or will expire, that my first-born has been kidnapped by HR etc. etc. All expecting me to take action IMMEDIATELY, none of them explained to me in advance, none with permanent DNS addresses or IP addresses, so it's not apparent that they're not rubbish.
I've been routinely told by the helpdesk to ignore certificate alerts, that it's okay that an internal site is not SSL because apparently it can only be accessed on the VPN (who knew?), and that the IT security hotline has been demobilised as the people who manned it were made redundant in the last round of rightsizings.
That only a fifth entered their credentials is nothing short of a miracle.
yoganmahew, I fully agree.
first-born has been kidnapped by HR
I used to work in a place where this probably could have happened. This being in the mid-noughties, among other things they also tried to dump sub-prime securities products onto employees after the clients started to be suspicious and refused to buy that crap. So, the company was sitting on a steaming pile of dung and wanted to sell it to its staff. Abducting close ones, blackmailing into submission - wouldn't have surprised me.
Got an auto-phish test email at a previous employer. No one except people who "should" know this address had it. So no vendors, friends, logins for anything outside etc. had this particular work email address. His alias would not have been simple to derive. He is a pretty savvy guy, so he thought it should be OK, mainly due to the fact that barely anyone outside of the organisation had his email address. It even looked OK to me when he showed me. It was clearly a very well devised robotest.
He clicks the link and gets some robo-response telling him he was a bad man etc and it triggered off some mandatory security awareness training he had to do in 28 days or risk being told off etc.
From then on, he ignored all attachments from everyone, never clicked on a single link, even when the source was almost infallible. When queried his response was simple, "Got the nastygram last time I did something like this, don't want another". Never got an argument from me.
My point - careful with what you want these tests to achieve.
If it was me I wouldn't even open email and would demand that all future work requests are delivered in person by a company director accompanied by corporate legal counsel.
I need to ensure that all instructions by somebody who appears to be my supervisor (pending DNA tests) are approved by shareholders.
Beware internal messages. After all, during an audit we had found unprotected e-mail servers. And the next thing I know is that someone (no, it wasn't me, honestly... anyway it's a long time since and I can't remember any of this) sent e-mails apparently from the CEO to some people making them aware of their wide-open SMTP servers hanging out in the network.
careful with what you want these tests to achieve.
Funny thing, I get excited when I see new phish. I phish them out and put them in a VM just to see what it does. Most of the time, it dies. But if it was able to swim, then it becomes something really cool!
Totally related.
https://www.xkcd.com/350/
Sounds like what happened to me at my last employ. I could TELL the message was from Security ("from" address was clean), and I honestly thought they wanted information. The link was to an INTERNAL server with /phish.html -- thought they would just explain what was going on, so I clicked and got the "your username has been logged" message. I didn't fall for an internal phish again, but not quite as dramatically as Mayday's peer.
(And like most of the employees at the place and time, we ran Lotus Notes with a preview pane, so we all SAW it; the only option was to click the link.)
A fair test would have come from outside (or at least appeared that way) with a link that also went outside. THOSE are the red flags they train(ed) us to look for, so THAT'S what they should use to test us lusers.
We had a phishing test apparently from a helpdesk worker who was in fact non-existent. Result? A small number of calls to the helpdesk, who were not made aware of the test, asking to speak to him.
I understand this does not normally happen. Maybe the correct English and readily-available but business-specific terms in the email were the reason.
Wetware is the hard part of InfoSec. It just is.
You have to consider phishing delivered by personal communication as well.
That's why we introduced "Simon says" to confirm an instruction is genuine.
People think it's stressful being an air traffic controller - but these little games make it fun
Some of the places I've known, 20% sounds pretty good to me.
I do remember one client where the manager instructed staff that they had to click on every attachment, just to see what it was, in case it was important. One of the many cases where our "that's not a good idea" lectures had no effect until it got to the "we told you so - and here's a fat invoice to clean up your mess" stage.
At the moment there is no appetite to address this.
Appetite is beside the point, though a concerted push to roll out S/MIME would make forgeries a bit less rampant. (Phishers would have a smaller set of the more-plausible forgeable accounts to choose from, along with non-reputable and compromised accounts. It would not be a huge improvement.)
Mostly this is a difficult problem to solve. People are not good at being continuously vigilant. Sometimes even people who are well-aware of the risks make mistakes.
I just went through our corporate mandatory security refresher course, where I was told that behaviors that increase the chance of being phished include "multitasking" and "being distracted". Well, there you go: simply never be distracted, and you'll be fine! As advice, this is impressively useless.
And the same is true of all "blame the user" approaches, like the various nasty suggestions about phishing victims in the comments here. Snark isn't helping. User education is unlikely to help much more than it already has; in the typical organization most people have heard the message. Better tools help somewhat, but when it's cheap to mount a phishing attack against a thousand employees, and fairly cheap to mount a decent spearphishing attack against a dozen, the asymmetrical advantage is very good for the attacker.
Also the organisation now knows what problems it has and is under pressure to fix them. This is better than a company which is blissfully ignorant.
Yes, we can point and laugh at some of the details in the report, but that's my point - they are in a report, so the senior management can be held accountable for a change, so things will happen. Let's turn that around on the UK organisations: how many of us are confident in our local councils, Whitehall etc. having all this done?
How many think senior management in those places can/will ever be held to account for the failings when there is an incident?
So I pressed it to see how it worked and an email got reported immediately, with no information or dialog box confirming anything. The number of false positives they get must be astronomical, at least at the start of rolling out. Then after that you only get false positives from the ones who meant to hit the button next to it on the toolbar.
Sometimes the cure is worse than the disease.
32 per cent opened the phishing message, 25 per cent clicked on the link in the message, and 19 per cent entered credentials. I think the more important numbers would be 1600 people for sure saw the email; of those 1250 clicked the link and 950 entered credentials. My grade would be 78 per cent for sure failed and 59 per cent failed badly. Also probably somewhere in the neighborhood of 68 per cent potentially don't read their emails.
Those of us who are penetration testers aren't shocked by the number of individuals who fall victim to phishing. With moderate training, a 20% rate is right at the norm for a medium-complexity phishing email.
Depending on how the mail is formatted, you can get a much higher rate.
Don't judge too harshly. At work, it's quite likely I can send you a phishing email you'd click on or whose attachment you'd open. If I catch you at a very busy time, and get everything in the mail just right to entice you or to fortuitously provide information you're working on... you'd fall victim.
It's about the complexity of the phishing email. Shockingly, you find those aged 20-30 will fall victim in higher numbers than those over 30 or even those over 50 years of age.
Younger individuals are easier to catch with a phishing email which is "mistakenly" sent to them and contains an attachment with what appears to be confidential information. The younger you are, the more likely you will give in to your curiosity over security.