Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
How I Would Hack Your Network (If I Woke Up Evil)
Newest First  |  Oldest First  |  Threaded View
Page 1 / 3   >   >>
RetiredUser
RetiredUser,
 User Rank: Ninja
7/31/2017 | 2:28:06 PM
Re: %
I love that idea, Joe, of forcing completion of a 5-minute InfoSec training :-)  I've worked at orgs before where you essentially worked within a locked down piece of software with no access to anything else, but freeing up the desktop with the illusion of freedom presents lots of "teachable moment" opportunities for getting training compliance up-to-snuff quickly!
Joe Stanganelli
Joe Stanganelli,
 User Rank: Ninja
7/18/2017 | 1:33:31 PM
Re: Phishing emails (responding to Joe's comment)
@Peter: Wow. Awesome insights. Thanks for trying this and sharing!

I guess you'd really need an A/B grouping while testing frequency. Group A gets subject line A, Group B gets subject line B. Then that would give you a better idea on if it was more the frequency or the subject line.

But this is cool info to go on. I think people are on to the "pretending to be your bank" scam...but the HR stuff has been pretty hot among scammers lately because it's new (and, also, I suspect, because it's about something interesting enough to be worth an email open but not so jarringly enticing that it's automatically suspicious). 
Petar Zivovic
Petar Zivovic,
 User Rank: Apprentice
7/14/2017 | 5:30:27 PM
Re: Phishing emails (responding to Joe's comment)
I did exactly one a week for May, then did only one for June.

Result: Frequency seems to have little to no effect. Content has a big effect.

Examples: testing "Outlook password change required" and "Mint Financial Access" got few or no clicks.

But I got over two dozen clicks on "HR Notification re:Vacation policy change".

"Mint" was the one sent a month after the weekly tests were done.
Joe Stanganelli
Joe Stanganelli,
 User Rank: Ninja
3/17/2017 | 11:53:36 AM
Re: Phishing emails (responding to Joe's comment)
@Petar: Fascinating.  I wonder what would happen if you upped the frequency (say, once a week) for a month or so, and then dropped back down to "normal" levels.
Petar Zivovic
Petar Zivovic,
 User Rank: Apprentice
3/16/2017 | 12:29:55 PM
Re: Phishing emails (responding to Joe's comment)
The service we use allows for a number of templates, sender domains, subjects, etc. Given the wide variety of testing, I would lean towards the 16% being an accurate measure of susceptibility within the company as of that point in time. Note: I am seeing actual phishing emails being submitted for analysis using our phish tool on a daily basis, along with the usual spam and unwanted email, so at least some people are in fact paying attention.

"It's the difference between not slowing down on the highway as a matter of safety vs. slowing down on the highway because you think there's a speed trap ahead." This is a very good point. The number did go up when I missed a month of testing, so people apparently let down their guard. Seems to me that is just part of human nature for some people - they won't discipline themselves unless someone else is watching them. That being said, it's still way better than the initial baseline test.
Joe Stanganelli
Joe Stanganelli,
 User Rank: Ninja
3/16/2017 | 11:25:40 AM
Re: Phishing emails (responding to Joe's comment)
@Petar: Does the 16% refer to overall phishing susceptibility, or susceptibility to the fake phishing email itself?

How much of this do you think is potentially attributed to people "learning" what's a "fake" phishing email?

For instance, I wonder to what extent people are thinking, "Oh, that's that wily IT department again.  I don't want to have to do another 5-minute training" (or whatever), vs. "Oh, I shouldn't click on that because it might be bad"?

It's the difference between not slowing down on the highway as a matter of safety vs. slowing down on the highway because you think there's a speed trap ahead.
Petar Zivovic
Petar Zivovic,
 User Rank: Apprentice
2/28/2017 | 2:00:30 PM
Re: Phishing emails (responding to Joe's comment)
Re: sending fake phishing emails to train: Exactly right. It's effective when done on an ongoing basis (at least once a month.) I have seen the susceptibility rate fall to below 1% and stay there, which I consider phenomenal - until I forgot to do it one month. Then next month, it went up to 16%.

As Jefferson said, the Price of Freedom is Eternal Vigilance.
Kumzy
Kumzy,
 User Rank: Apprentice
2/19/2017 | 8:04:34 AM
Re: %
That is a very great idea. My organization did the same thing about last week IT security sent out an e-mail that webcams had been installed in tbe breakroom refrigerators to forestal people stealing other peoples lunches a link was then provided to view the cam when you click on this link it takes you to a log in page which asks for your log in credentials, needless to say rumor started going round among staff about the webcams and people were curious about the issue so some clicked on the link and supplied their credentials and a message popped up that they have just willingly given up their credentials for a phising attack.
Joe Stanganelli
Joe Stanganelli,
 User Rank: Ninja
2/2/2017 | 4:07:24 AM
Re: AV vs. DDOD or social engineering
I wouldn't go so far as to say that antivirus = outdated -- at least as a sole lines of defense.

Maintaining up-to-date antivirus is like locking your door.  Sure, there are more exciting and terrible things that can happen to bypass antivirus, but if you're not even doing that, then that's pretty lax.
Joe Stanganelli
Joe Stanganelli,
 User Rank: Ninja
1/31/2017 | 1:00:42 PM
Re: %
@Dr.T: Perhaps the thinking was "Well, the link says not to click, but it's clearly from my own organization, so it can't be *truly* bad."

The better way to do this is to send fake phishing emails (without letting the users know what they are), and then those who click are brought to a page where they are alerted that they fell for a phishing scam -- and their computer is locked up until they complete a 5-minute InfoSec training so they don't fall for it again.  This technique has been shown to reduce successful email phishing attacks by up to 75%.
Page 1 / 3   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-33196
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
CVE-2023-33185
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
CVE-2023-33187
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
CVE-2023-33194
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
CVE-2023-2879
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file