Educause Security Discussion mailing list archives
Re: Repeat offenders during phishing campaign
From: James Valente <jvalente () SALEMSTATE EDU>
Date: Tue, 21 Mar 2017 20:42:28 +0000
We’ve only ran a very small number of simulated phishing attacks but none have captured credentials thusfar, so in the past we haven’t considered them compromised because we’ve lacked the tracking to do so. Because of this, the only users I’ve considered compromised have been “actual” compromises or leaked credentials. I’m prepping for a phishing exercise using GoPhish soon and I’ll be capturing usernames for better reporting and followup. The procedure I’ve got in place for a compromised account is immediately disabling it in AD once it’s confirmed, and then cleaning up any queued messages within our Barracuda and exchange since it’s likely to impact mailflow for other users and increases the chance we’ll get placed on a blacklist, which is a pain to deal with. Unfortunately, in the case of repeat offenders I don’t think the inconvenience of getting locked out and having to call to regain access serves as a deterrent. Often the users just deny they fell for a phish and it’s not worth the argument to provide all of the evidence/IoC showing that is most likely the case. I’ve just started to send training material on phishing AND good password practices (avoiding PW reuse, regular changes, strong passwords/passphrases), so they can get the benefit of the doubt while also avoiding them picking Trustno2 after being phished with the password Trustno1. --James From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Frank Barton Sent: Tuesday, 21 March, 2017 16:35 To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Repeat offenders during phishing campaign James, (et.al <http://et.al> .) When a user falls for a [simulated] phish, do you consider their account to be compromised? our procedure for a compromised account is to immediately lock it down until we have gone through our set of cleaning checks. This can take some time, and, if an account is compromised outside of normal hours, we typically lock it out, and then clean the next day. If this matches your process (at least generally) do you find that the time during which they are locked out is a deterrent? Frank On Tue, Mar 21, 2017 at 4:20 PM, James Valente <jvalente () salemstate edu <mailto:jvalente () salemstate edu> > wrote: I’ve inquired about forcing users to attend education training but we’re not allowed to mandate any training like this, especially for faculty. However, we are allowed to request they attend training. I sent out a bunch of emails to repeat offenders last week with training material, and a little note hoping the guilt of the workload created by them falling for a phish (because they only see the inconvenience of having a password reset, not cleaning up a mess at 11:30pm on a Saturday night) encourages them to check the material and be more cautious in the future. --James From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU> ] On Behalf Of Rob Milman Sent: Tuesday, 21 March, 2017 15:53 To: SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] Repeat offenders during phishing campaign Thanks Ben, I have 17 repeat offenders so far(pretty low since we are phishing all our staff). We are using SANS STH Phishing that does train the clickers on what they should have looked for in the message. The repeat offenders have technically had that training at least twice and some may have had my more in depth awareness training if I’ve hit their school/department in the last year. Rob From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ben Woelk Sent: Tuesday, March 21, 2017 1:42 PM To: SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] Repeat offenders during phishing campaign Rob, Define “small number!” That’s going to impact what you can do. Are the offenders automatically forwarded to learning content about phishing or otherwise notified they’ve taken the bait? Ben Woelk '07 CISSP ISO Program Manager Information Security Office Rochester Institute of Technology ROS 10-A204 151 Lomb Memorial Drive Rochester, New York 14623 585.475.4122 <tel:(585)%20475-4122> 585.475.7920 <tel:(585)%20475-7920> fax ben.woelk () rit edu <mailto:ben.woelk () rit edu> http://www.rit.edu/security/ Become a fan of RIT Information Security at <http://rit.facebook.com/profile.php?id=6017464645> http://rit.facebook.com/RITInfosec Follow us on Twitter: http://twitter.com/RIT_InfoSec CONFIDENTIALITY NOTE: The information transmitted, including attachments, is intended only for the person(s) or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and destroy any copies of this information. From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Rob Milman Sent: Tuesday, March 21, 2017 12:30 PM To: SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: [SECURITY] Repeat offenders during phishing campaign Hi everyone, We have been running a phishing campaign since last fall. There have been a small number of repeat offenders, which our vendor has identified as high-risk individuals. Have any of you dealt with this situation and developed a process that you’d like to share? Thanks, Rob Rob Milman Security & Compliance Analyst Information Systems Southern Alberta Institute of Technology EH Crandell Building, GA 214 1301 – 16 Avenue NW, Calgary AB, T2M 0L4 (Office) 403.774.5401 <tel:(403)%20774-5401> (Cell) 403.606.3173 <tel:(403)%20606-3173> rob.milman () sait ca <mailto:rob.milman () sait ca> -- Frank Barton ACMT IT Systems Administrator Husson University
Attachment:
smime.p7s
Description:
Current thread:
- Repeat offenders during phishing campaign Rob Milman (Mar 21)
- Re: Repeat offenders during phishing campaign Barton, Robert W. (Mar 21)
- Re: Repeat offenders during phishing campaign Greg Williams (Mar 21)
- Re: Repeat offenders during phishing campaign McCrary, Barbara (Mar 21)
- Re: Repeat offenders during phishing campaign Ben Woelk (Mar 21)
- Re: Repeat offenders during phishing campaign Rob Milman (Mar 21)
- Re: Repeat offenders during phishing campaign James Valente (Mar 21)
- Re: Repeat offenders during phishing campaign Frank Barton (Mar 21)
- Re: Repeat offenders during phishing campaign James Valente (Mar 21)
- Re: Repeat offenders during phishing campaign Urrea, Nick (Mar 21)
- Re: Repeat offenders during phishing campaign Steven Alexander (Mar 21)
- Re: Repeat offenders during phishing campaign Brad Judy (Mar 21)
- Re: Repeat offenders during phishing campaign Vest, Shawn E (Mar 26)
- Re: Repeat offenders during phishing campaign Rob Milman (Mar 21)