Blog

Blog
12 Oct 2012

Phishing Assessments - A Simple, Anonymous and Free Approach

4 comments Posted by lspitzner
Filed under Security Awareness, Security Metrics, Social Engineering

Phishing assessments are a powerful way to not only measure the awareness of an organization, but to reinforce key learning objectives. Nothing is more powerful then when people click on a link and then get instant feedback they just fell victim to a test, and then learn more about what phishing is and how they could have detected this was an attack. There are now a number of commercial and open source tools out there to help you run your own phishing assessment, which are listed as part of the STH Phishing Assessment Planning Kit. However today I wanted to cover a simpler approach to awareness assessments, one that has the advantage of being both anonymous and free.

Last week I was teaching the SANS MGT 433 course on building high-impact awareness programs. One student brought up a challenge they had with awareness assessments, both legal and unions were blocking the assessments as they could violate employees' privacy. They did not want management to know the names of who fell victim, nor did they want peoples' career impacted. One of the solutions we discussed is using a URL shortener for your awareness program, such as http://goo.gl. The idea is when creating your phishing email, you use a shortened link in the email (click on image to see what I'm talking about). There are some advantages here.

  1. URL shorteners track and report how many people clicked on the link. They are pretty intelligent on how they do the tracking. So if you click on the link ten times from the same computer, it only counts as one unique hit. As such, the results are pretty accurate.
  2. If your organization is concerned about privacy issues, then this approach addresses those issues as you cannot track who the victims were, only the number. Privacy / anonymity is protected.
  3. You can't beat the price, its free.
  4. If you do use a URL shortener, make sure you use one that protects the privacy of the results, you do not want the URL history publicly available.
Obviously there are disadvantages. For example, you will not be able to track who clicked on the link, or even which department. In addition professional phishing software often provides more in-depth details, such as OS/Email/Browser version of every victim, and perhaps if they have any vulnerabilities. Finally you do not have more advanced attack options, such as tracking open attachments. However, even with all these limitations in mind, if you need a solution that is simple, anonymous, and/or free I recommend you consider this option.

Permalink | Comments RSS Feed - Post a comment | Trackback URL

4 Comments

Posted October 15, 2012 at 2:20 PM | Permalink | Reply
Mike Saurbaugh

I think this makes sense and I agree with the ability to track on a low to no budget. One other consideration if privacy is not a concern, is to populate the URL into the URL/proxy filter within the organization. This would identify the department/user based on the unique URL. Many filtering solutions allow for custom entries, which could be used for statistics as well as a custom message about clicking the URL (ie. this is malicious or are you sure you wish to continue).

Anyway, just a thought but depends on the organization.

Posted October 15, 2012 at 2:22 PM | Permalink | Reply
lspitzner

Great idea Mike, I never thought of this approach!

lance

Posted October 16, 2012 at 8:13 PM | Permalink | Reply
Kel Mohror

The short-sightedness of "both legal and unions were blocking the assessments as they could violate employees' privacy. They did not want management to know the names of who fell victim" illustrates the lack of common sense. If someone is repeatedly getting "hooked by phishing," how can that security hole be "plugged" if the perpetrator remains anonymous? Data security is "trumped" by "job security"? That is stupid.

Posted October 25, 2012 at 8:58 AM | Permalink | Reply
Jeff LoSapio

Kel -- you are correct in calling out the short-sightedness of ignoring the risk of repeat offenders. Unfortunately what Lance describes is reality. I've spoken to a couple of large Federal agencies that had the same issue with their unions. Crazy when you think of the level of phishing attacks against US government agencies.

This is why getting buy-in early from senior management and stakeholders is critical to the success of a phishing assessment and training program.

Fortunately, there are many more enlightened govt agencies that see the value in this type of testing and training.

Post a Comment






* Indicates a required field.

RSS

Search Blog:

Categories

Recent Posts

MGT433 Course

Learn how to build, maintain and measure high-impact awareness programs at SANS two day course MGT433.
 

Latest Blog Posts

Guest Post - Go Beyond ‘Check-the-Box’ Compliance

May 13, 2013 - 1:13 PM

Editor's Note:This guest blog post is from John Andrew at Honeywell. How do we persuade folks who are resistant to ‘Security Awareness’ efforts? Great question! I was fortunate to pick up a rare last minute opening - to go on a 3 day backpacking & camping trip at Cumberland Island National Forest on the coast of Georgia. The backcountry orientation by the National Forest Service was great.  One of the first things they brought to our attention was an old ‘Smokey  [...] More

A New OUCH!

May 09, 2013 - 2:21 PM

Earlier this week we released the latest edition of the OUCH! security awareness newsletter, "Passwords / Passphrases".  We explain in simple terms how you can create strong passwords using passhrases, and some simple steps to using the [...] More

Request Free Trial
Contact Us
(301) 654-SANS(7267)
Mon - Fri | 9am-8pm EST/EDT
info@securingthehuman.org