Information Security News mailing list archives

Gone phishing: Army uses Thrift Savings Plan in fake e-mail to test cybersecurity awareness


From: InfoSec News <alerts () infosecnews org>
Date: Mon, 17 Mar 2014 07:29:19 +0000 (UTC)

http://www.washingtonpost.com/politics/gone-phishing-army-uses-thrift-savings-plan-in-fake-email-to-test-cybersecurity-awareness/2014/03/13/8ad01b84-a9f3-11e3-b61e-8051b8b52d06_story.html

By Lisa Rein and Eric Yoder
The Washington Post
March 13, 2014

An ominous e-mail message landed in the inboxes of a small group of U.S. Army employees last month, warning of a security breach in their federal retirement plans and urging them to log in and check their accounts.

The e-mail was a fake -- a classic spear phishing expedition looking for unwitting victims willing to share their personal financial information.

But the perpetrator was not a criminal hacker. It was an Army combat commander, acting on his own authority to test whether anyone on his staff would fall for the trick. In the process of sussing out internal vulnerabilities, though, the commander sowed panic across the government: Employees forwarded the e-mail to thousands of friends and colleagues at the Defense Department, the FBI, Customs and Border Protection, the Labor Department and other agencies.

Even the Pentagon’s Chief Information Office, which oversees computer networks across the military, was unaware of the phony e-mail.

The embarrassing play, a security awareness test of the sort that’s become increasingly common practice at private companies and federal agencies, tested the limits of how far the government should go with quality control to protect against cyberthreats. Testing security by toying with federal employees’ nest eggs? In hindsight, all agree that should be off-limits.

[...]
