top | item 45530849


Calamitous | 4 months ago

The only anti-phishing program I've ever seen that was even a little effective was at one company I worked at, where there was an ongoing phishing test.

Users were randomly selected to get the test, and each phish was hand-crafted to trick people specifically at our company (but using only publicly available information). Anonymized results were posted quarterly, divided by department.

I only got fooled once, but man, it felt so bad to see Engineering show up on the dashboard with one hit that quarter.

(Sales was usually at the top of the list, which makes sense, since they interface with a lot of folks outside the org)


tptacek | 4 months ago

These are exactly the kind of campaigns that studies show not to be effective (or even paradoxically ineffective). "Effective" doesn't mean "manages to successfully phish" (you'll always eventually be successful); it means reducing the likelihood that concerted attacks will be successful.

The actual response to phishing is to use authentication mechanisms that resist phishing.
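As an added illustration of what "authentication mechanisms that resist phishing" means in practice (example code, not from the thread or any named project): a WebAuthn relying party checks the origin the browser recorded and the hash of the RP ID before it trusts an assertion, so a credential exercised on a lookalike site cannot be replayed against the real one. The RP ID `example.com`, the helper names and the constructed sample values are assumptions; signature verification over the assertion is omitted to keep the block self-contained.

```python
import base64
import hashlib
import json
import secrets
from typing import Tuple

# Constructed relying-party settings (assumptions for this example).
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"

def new_challenge() -> bytes:
    # Fresh per-login challenge; the RP stores it server-side for the session.
    return secrets.token_bytes(32)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def build_client_data(challenge: bytes, origin: str) -> bytes:
    # The browser, not the user, writes clientDataJSON; "origin" is the page
    # the user is actually on, so a lookalike domain yields a different value.
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()

def build_authenticator_data(rp_id: str) -> bytes:
    # rpIdHash (32 bytes) || flags (UP=0x01, UV=0x04) || signCount (4 bytes)
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"

def verify_assertion(client_data: bytes, auth_data: bytes,
                     issued_challenge: bytes) -> Tuple[bool, str]:
    # Returns (accepted, reason). Real RPs additionally verify the signature
    # over authData || SHA-256(clientDataJSON) with the registered public key.
    try:
        cd = json.loads(client_data)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if cd.get("challenge") != b64url(issued_challenge):
        return False, "challenge mismatch (stale or replayed)"
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"
```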

bee_rider | 4 months ago

Although, why limit it to publicly available information? Security is an onion. If somebody gets access to internal documentation, HR lists, etc, the organization should still be resistant to their phishes.

thewebguyd | 4 months ago

> If somebody gets access to internal documentation, HR lists, etc,

It's hard to be resistant to phishing at that point and you have bigger problems.

What if Susan in HR falls victim to token theft (let's say conditional access/MDM policies don't catch it or aren't configured, which many businesses don't bother with). Her email account is now pwned, and the company gets an email from her, it passes all verification checks because it's actually from her account.

It's still phishing, but the users have no way to know that. They don't know Susan just got compromised and the email they got from her isn't real. If this is a human attacker and not just bots, they can really target the attack based on the info in her inbox/past emails and anything else she has access to.

So there's no way for the organization to be resistant at that point until IT/security can see the account compromise and stop it. Ideally, it's real-time and there's an SOC ready to respond. In practice, most companies don't invest that much into security, or they are too small and don't have the budget for a huge security operation like that.

It's a really hard problem to solve.

serial_dev | 4 months ago

I'm assuming it's the "easy" mode and they still have many successful phishing attempts, so it didn't make sense to go to the next level if the company still fails at the easy level.