Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
How I Would Hack Your Network (If I Woke Up Evil)
Newest First  |  Oldest First  |  Threaded View
Page 1 / 3   >   >>
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
7/31/2017 | 2:28:06 PM
Re: %
I love that idea, Joe, of forcing completion of a 5-minute InfoSec training :-)  I've worked at orgs before where you essentially worked within a locked down piece of software with no access to anything else, but freeing up the desktop with the illusion of freedom presents lots of "teachable moment" opportunities for getting training compliance up-to-snuff quickly!
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
7/18/2017 | 1:33:31 PM
Re: Phishing emails (responding to Joe's comment)
@Peter: Wow. Awesome insights. Thanks for trying this and sharing!

I guess you'd really need an A/B grouping while testing frequency. Group A gets subject line A, Group B gets subject line B. Then that would give you a better idea on if it was more the frequency or the subject line.

But this is cool info to go on. I think people are on to the "pretending to be your bank" scam...but the HR stuff has been pretty hot among scammers lately because it's new (and, also, I suspect, because it's about something interesting enough to be worth an email open but not so jarringly enticing that it's automatically suspicious). 
Petar Zivovic
50%
50%
Petar Zivovic,
User Rank: Apprentice
7/14/2017 | 5:30:27 PM
Re: Phishing emails (responding to Joe's comment)
I did exactly one a week for May, then did only one for June.

Result: Frequency seems to have little to no effect. Content has a big effect.

Examples: testing "Outlook password change required" and "Mint Financial Access" got few or no clicks.

But I got over two dozen clicks on "HR Notification re:Vacation policy change".

"Mint" was the one sent a month after the weekly tests were done.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
3/17/2017 | 11:53:36 AM
Re: Phishing emails (responding to Joe's comment)
@Petar: Fascinating.  I wonder what would happen if you upped the frequency (say, once a week) for a month or so, and then dropped back down to "normal" levels.
Petar Zivovic
50%
50%
Petar Zivovic,
User Rank: Apprentice
3/16/2017 | 12:29:55 PM
Re: Phishing emails (responding to Joe's comment)
The service we use allows for a number of templates, sender domains, subjects, etc. Given the wide variety of testing, I would lean towards the 16% being an accurate measure of susceptibility within the company as of that point in time. Note: I am seeing actual phishing emails being submitted for analysis using our phish tool on a daily basis, along with the usual spam and unwanted email, so at least some people are in fact paying attention.

"It's the difference between not slowing down on the highway as a matter of safety vs. slowing down on the highway because you think there's a speed trap ahead." This is a very good point. The number did go up when I missed a month of testing, so people apparently let down their guard. Seems to me that is just part of human nature for some people - they won't discipline themselves unless someone else is watching them. That being said, it's still way better than the initial baseline test.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
3/16/2017 | 11:25:40 AM
Re: Phishing emails (responding to Joe's comment)
@Petar: Does the 16% refer to overall phishing susceptibility, or susceptibility to the fake phishing email itself?

How much of this do you think is potentially attributed to people "learning" what's a "fake" phishing email?

For instance, I wonder to what extent people are thinking, "Oh, that's that wily IT department again.  I don't want to have to do another 5-minute training" (or whatever), vs. "Oh, I shouldn't click on that because it might be bad"?

It's the difference between not slowing down on the highway as a matter of safety vs. slowing down on the highway because you think there's a speed trap ahead.
Petar Zivovic
50%
50%
Petar Zivovic,
User Rank: Apprentice
2/28/2017 | 2:00:30 PM
Re: Phishing emails (responding to Joe's comment)
Re: sending fake phishing emails to train: Exactly right. It's effective when done on an ongoing basis (at least once a month.) I have seen the susceptibility rate fall to below 1% and stay there, which I consider phenomenal - until I forgot to do it one month. Then next month, it went up to 16%.

As Jefferson said, the Price of Freedom is Eternal Vigilance.
Kumzy
50%
50%
Kumzy,
User Rank: Apprentice
2/19/2017 | 8:04:34 AM
Re: %
That is a very great idea. My organization did the same thing about last week IT security sent out an e-mail that webcams had been installed in tbe breakroom refrigerators to forestal people stealing other peoples lunches a link was then provided to view the cam when you click on this link it takes you to a log in page which asks for your log in credentials, needless to say rumor started going round among staff about the webcams and people were curious about the issue so some clicked on the link and supplied their credentials and a message popped up that they have just willingly given up their credentials for a phising attack.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/2/2017 | 4:07:24 AM
Re: AV vs. DDOD or social engineering
I wouldn't go so far as to say that antivirus = outdated -- at least as a sole lines of defense.

Maintaining up-to-date antivirus is like locking your door.  Sure, there are more exciting and terrible things that can happen to bypass antivirus, but if you're not even doing that, then that's pretty lax.
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
1/31/2017 | 1:00:42 PM
Re: %
@Dr.T: Perhaps the thinking was "Well, the link says not to click, but it's clearly from my own organization, so it can't be *truly* bad."

The better way to do this is to send fake phishing emails (without letting the users know what they are), and then those who click are brought to a page where they are alerted that they fell for a phishing scam -- and their computer is locked up until they complete a 5-minute InfoSec training so they don't fall for it again.  This technique has been shown to reduce successful email phishing attacks by up to 75%.
Page 1 / 3   >   >>


Commentary
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
Edge-DRsplash-10-edge-articles
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
News
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-34390
PUBLISHED: 2021-06-22
Trusty TLK contains a vulnerability in the NVIDIA TLK kernel function where a lack of checks allows the exploitation of an integer overflow on the size parameter of the tz_map_shared_mem function.
CVE-2021-34391
PUBLISHED: 2021-06-22
Trusty TLK contains a vulnerability in the NVIDIA TLK kernel�s tz_handle_trusted_app_smc function where a lack of integer overflow checks on the req_off and param_ofs variables leads to memory corruption of critical kernel structures.
CVE-2021-34392
PUBLISHED: 2021-06-22
Trusty TLK contains a vulnerability in the NVIDIA TLK kernel where an integer overflow in the tz_map_shared_mem function can bypass boundary checks, which might lead to denial of service.
CVE-2021-34393
PUBLISHED: 2021-06-22
Trusty contains a vulnerability in TSEC TA which deserializes the incoming messages even though the TSEC TA does not expose any command. This vulnerability might allow an attacker to exploit the deserializer to impact code execution, causing information disclosure.
CVE-2021-34394
PUBLISHED: 2021-06-22
Trusty contains a vulnerability in all TAs whose deserializer does not reject messages with multiple occurrences of the same parameter. The deserialization of untrusted data might allow an attacker to exploit the deserializer to impact code execution.