Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
How I Would Hack Your Network (If I Woke Up Evil)
Newest First  |  Oldest First  |  Threaded View
Page 1 / 3   >   >>
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
7/31/2017 | 2:28:06 PM
Re: %
I love that idea, Joe, of forcing completion of a 5-minute InfoSec training :-)  I've worked at orgs before where you essentially worked within a locked down piece of software with no access to anything else, but freeing up the desktop with the illusion of freedom presents lots of "teachable moment" opportunities for getting training compliance up-to-snuff quickly!
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
7/18/2017 | 1:33:31 PM
Re: Phishing emails (responding to Joe's comment)
@Peter: Wow. Awesome insights. Thanks for trying this and sharing!

I guess you'd really need an A/B grouping while testing frequency. Group A gets subject line A, Group B gets subject line B. Then that would give you a better idea on if it was more the frequency or the subject line.

But this is cool info to go on. I think people are on to the "pretending to be your bank" scam...but the HR stuff has been pretty hot among scammers lately because it's new (and, also, I suspect, because it's about something interesting enough to be worth an email open but not so jarringly enticing that it's automatically suspicious). 
Petar Zivovic
50%
50%
Petar Zivovic,
User Rank: Apprentice
7/14/2017 | 5:30:27 PM
Re: Phishing emails (responding to Joe's comment)
I did exactly one a week for May, then did only one for June.

Result: Frequency seems to have little to no effect. Content has a big effect.

Examples: testing "Outlook password change required" and "Mint Financial Access" got few or no clicks.

But I got over two dozen clicks on "HR Notification re:Vacation policy change".

"Mint" was the one sent a month after the weekly tests were done.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
3/17/2017 | 11:53:36 AM
Re: Phishing emails (responding to Joe's comment)
@Petar: Fascinating.  I wonder what would happen if you upped the frequency (say, once a week) for a month or so, and then dropped back down to "normal" levels.
Petar Zivovic
50%
50%
Petar Zivovic,
User Rank: Apprentice
3/16/2017 | 12:29:55 PM
Re: Phishing emails (responding to Joe's comment)
The service we use allows for a number of templates, sender domains, subjects, etc. Given the wide variety of testing, I would lean towards the 16% being an accurate measure of susceptibility within the company as of that point in time. Note: I am seeing actual phishing emails being submitted for analysis using our phish tool on a daily basis, along with the usual spam and unwanted email, so at least some people are in fact paying attention.

"It's the difference between not slowing down on the highway as a matter of safety vs. slowing down on the highway because you think there's a speed trap ahead." This is a very good point. The number did go up when I missed a month of testing, so people apparently let down their guard. Seems to me that is just part of human nature for some people - they won't discipline themselves unless someone else is watching them. That being said, it's still way better than the initial baseline test.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
3/16/2017 | 11:25:40 AM
Re: Phishing emails (responding to Joe's comment)
@Petar: Does the 16% refer to overall phishing susceptibility, or susceptibility to the fake phishing email itself?

How much of this do you think is potentially attributed to people "learning" what's a "fake" phishing email?

For instance, I wonder to what extent people are thinking, "Oh, that's that wily IT department again.  I don't want to have to do another 5-minute training" (or whatever), vs. "Oh, I shouldn't click on that because it might be bad"?

It's the difference between not slowing down on the highway as a matter of safety vs. slowing down on the highway because you think there's a speed trap ahead.
Petar Zivovic
50%
50%
Petar Zivovic,
User Rank: Apprentice
2/28/2017 | 2:00:30 PM
Re: Phishing emails (responding to Joe's comment)
Re: sending fake phishing emails to train: Exactly right. It's effective when done on an ongoing basis (at least once a month.) I have seen the susceptibility rate fall to below 1% and stay there, which I consider phenomenal - until I forgot to do it one month. Then next month, it went up to 16%.

As Jefferson said, the Price of Freedom is Eternal Vigilance.
Kumzy
50%
50%
Kumzy,
User Rank: Apprentice
2/19/2017 | 8:04:34 AM
Re: %
That is a very great idea. My organization did the same thing about last week IT security sent out an e-mail that webcams had been installed in tbe breakroom refrigerators to forestal people stealing other peoples lunches a link was then provided to view the cam when you click on this link it takes you to a log in page which asks for your log in credentials, needless to say rumor started going round among staff about the webcams and people were curious about the issue so some clicked on the link and supplied their credentials and a message popped up that they have just willingly given up their credentials for a phising attack.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/2/2017 | 4:07:24 AM
Re: AV vs. DDOD or social engineering
I wouldn't go so far as to say that antivirus = outdated -- at least as a sole lines of defense.

Maintaining up-to-date antivirus is like locking your door.  Sure, there are more exciting and terrible things that can happen to bypass antivirus, but if you're not even doing that, then that's pretty lax.
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
1/31/2017 | 1:00:42 PM
Re: %
@Dr.T: Perhaps the thinking was "Well, the link says not to click, but it's clearly from my own organization, so it can't be *truly* bad."

The better way to do this is to send fake phishing emails (without letting the users know what they are), and then those who click are brought to a page where they are alerted that they fell for a phishing scam -- and their computer is locked up until they complete a 5-minute InfoSec training so they don't fall for it again.  This technique has been shown to reduce successful email phishing attacks by up to 75%.
Page 1 / 3   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Data Breaches Affect the Enterprise
Data breaches continue to cause negative outcomes for companies worldwide. However, many organizations report that major impacts have declined significantly compared with a year ago, suggesting that many have gotten better at containing breach fallout. Download Dark Reading's Report "How Data Breaches Affect the Enterprise" to delve more into this timely topic.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-4020
PUBLISHED: 2021-11-27
janus-gateway is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-23654
PUBLISHED: 2021-11-26
This affects all versions of package html-to-csv. When there is a formula embedded in a HTML page, it gets accepted without any validation and the same would be pushed while converting it into a CSV file. Through this a malicious actor can embed or generate a malicious link or execute commands via C...
CVE-2021-43785
PUBLISHED: 2021-11-26
@joeattardi/emoji-button is a Vanilla JavaScript emoji picker component. In affected versions there are two vectors for XSS attacks: a URL for a custom emoji, and an i18n string. In both of these cases, a value can be crafted such that it can insert a `script` tag into the page and execute malicious...
CVE-2021-43776
PUBLISHED: 2021-11-26
Backstage is an open platform for building developer portals. In affected versions the auth-backend plugin allows a malicious actor to trick another user into visiting a vulnerable URL that executes an XSS attack. This attack can potentially allow the attacker to exfiltrate access tokens or other se...
CVE-2021-41243
PUBLISHED: 2021-11-26
There is a Potential Zip Slip Vulnerability and OS Command Injection Vulnerability on the management system of baserCMS. Users with permissions to upload files may upload crafted zip files which may execute arbitrary commands on the host operating system. This is a vulnerability that needs to be add...