I worked for a defense contractor that had a 3 strikes policy for security violations. Failing the phishing emails was a strike. Other breaches of security policy (like getting caught letting someone tailgate you in) could be strikes too. You got fired at 3. Nobody thought this was unreasonable. Part of your job when you work in defense or finance is giving a sufficient number of fucks about things that people in other industries don't have to give many fucks about, like security. If you don't care enough about security that you click on obvious phishing emails then you're not doing your job. Don't do your job and get fired.
They also did have a reporting system. Presumably you wouldn't get a strike if you clicked and reported. People who reported "legitimate" phishing attempts were rewarded. Spear phishing is a totally different game and nobody in their right mind would fail people for clicking on a (well crafted) spear phishing email.
I actually like the idea of having consequences for allowing tailgating, assuming the company cares about it. Maybe not firing, at least right away, or if you get tricked/someone sneaks in behind you, but put some teeth in the policy and actually enforce it.
If the company just says "don't do it" there is still social pressure to be polite and not slam the door in someone's face. But if there are consequences that everyone knows about then no one is going to begrudge you if you tell them they have to swipe their own way in.
Heck, put up signs that say "allowing tailgating is a serious offense" so that visitors are aware as well.
You can wave any object at the sensor. Maybe an unauthorized tag will yield a different beep or make the light flash a different color. Maybe the person in front of you will be in a position to see the light on the reader, maybe they'll notice, and maybe they'll consider it odd. Getting that far, and then actually deciding to challenge you or report it, is a vanishingly small chance.
There is no point in badging an unlocked door, or in expecting people to do so. You have to actually close it between entries. This is a physically and socially ridiculous thing to do with traditional doors; if it's what you want, you need a turnstile.
The whole idea of 'challenging tailgating' falls apart because someone walking in after you is not performing a strange act.
You would have to actively close the door _on_ people, including your colleagues, which goes against social norms to such an extreme extent that it's just not happening.
If, as a company, you actually care about tailgating, there is no "challenge" aspect. There's a barrier that lets one person through at a time at most, and you remove any and all social aspects to it.
Right, which is why you need a more secure system of entry. I've worked in finance and defense. Finance used turnstiles, defense used some light in person security.
We have passcarded doors and then inside we have gates like many subway stations do that are timed only long enough for one person to pass through.
So I can hold the door open for someone on the way in—especially if they have their badge out— but there's nothing I can do about those giant plexi gates once inside. They have to swipe.
The German U-Bahn has a brilliant solution to this. No turnstiles or gates, you're just expected to have a ticket. The penalty for getting caught without a ticket is considered sufficiently high to make "Schwarzfahren" statistically more expensive.
While I agree that the solution is brilliant (and obvious), I'd like to note that freeriding (Schwarzfahren) is not statistically more expensive in monetary terms (the fine is not that large, controls are not that frequent and tickets are not that cheap).
The social stigma, unpredictability and inconvenience of having to pay the fine is a big part of it (not having a ticket is just stressful). Another part is that you don't need to prevent freeriding, nor recoup all the lost ticket sales. You just need enough of a nudge to keep most people honest most of the time.
Indeed. The city I live in has this random-fare-inspection system, and considered turnstiles. The study's result was surprising: the additional fare from mandatory inspections was much lower than the capital and ops cost. Of course, this depends on an overwhelming majority of people being honest.
Obviously "not having too many unauthorized riders" is a very different objective from "only allowing authorized access and refusing all else".
But I don't think that will work for corporate building security, where a single attacker could cause a large amount of damage, not just losing a ticket fare.
"Screw 'em hard enough for breaking the rules and they'll follow the rules out of fear" is generally not considered to be a good model for organizational policy.
For public transport it makes perfect sense. You don't care about people getting on for free, you care about ticket profits falling because of people getting on for free. If the fine is high enough that they totally cover all the lost profit from people not paying the you are doing well.
I feel you've made a huge blanket statement here. Militaries are one organisation where the rules have really sharp teeth and it works well enough. In fact, military organisations have had strong selection pressure applied to them over the past few thousand years and heavy-handed punishments are the norm.
The City does not want to be sued by the estate of someone cut in half by a turnstile gate. This limits the available force and material strength.
The specifications for those gates almost certainly include a requirement that they allow a sufficiently determined person through without breaking themselves, and probably sound an audible alert.
True for turnstiles that open and close. New York's full-height subway gates are just metal revolving doors that only revolve enough for one person per card.
BART gates are entry and exit, but require card entry on both entry and exit (there are separate emergency exits which set off alarms). So it's not possible to trick them to open, though their current configuration does make it easy to jump over.
I haven't been on BART in a few years, but I remember many stations having a wheelchair entrance that anyone could go through if security wasn't watching.
Some revolving door systems (not the ones you mean, probably) actually improve a lot on the classic turnstiles or gates.
They allow one authorized person to pass from one side through but sensors on both sides can easily detect if another person is trying to piggy back from the other side of the door. And there's no way over or around them. In higher security environments where unauthorized persons getting on the other side of the door is already an unacceptable risk they can also allow security personnel to trap someone in the door (rotate only 90 degrees).
And as far as usability and efficiency goes, they can allow traffic both ways at the same time (as long as both people are authorized).
It might be easier to try detection (and embarrassing alarms) instead of physical prevention. For example, floor sensors could detect when multiple sets of feet are enter on the same activation.
Granted, they might not know the difference between one person and a handcart versus two people where one is in a wheelchair, but I doubt many would-be infiltrators would draw attention to themselves that way.
I know for a fact that people will ignore it and set off the alarm anyway even with a large sign covering the entire top half of the door. Then the alarm goes off so often that all the bystanders ignore it too, so there really is no point.
The company has a one strike policy for letting someone use your badge, or letting someone tailgate.
They also have people who go out and try to tailgate, and say they left their badge on the other side of the door and ask if you can badge them in, or let them borrow your badge to get theirs. If you help, they walk in and get security and HR and you're done.
In my building, we have a similar tailgating policy, and its quite strict. A sign states that it's a federal offense and that police will be contacted.
At first I thought it was weird, but since being here I've noticed more and more unmarked and federal police vehicles parked downstairs, and several offices/floors that are unlabeled and used mainly by those guys.
I'm guessing there's some kind of diplomatic etc services that go on here which not everyone's privy to.
Are you prepared to pay your employees a significant premium for the requirement that they engage in fisticuffs with random strangers who may try to tailgate into the building?
Tailgating is a problem for your physical security staff, not your run of the mill white collar employee.
> Are you prepared to pay your employees a significant premium for the requirement that they engage in fisticuffs with random strangers who may try to tailgate into the building?
I have zero experience with this, but I imagine the policy would be "Don't enter the building if someone is too close behind you."
If you don't feel comfortable asking for space (fine!), turn around, go back to your car, and call building security as necessary.
The policy at our building is that, if you don't feel comfortable, let the person follow you in, but let security know.
We have the advantage that all entrances end up going through a central area, and we have ample camera coverage, such that security can reliably find people who tailgated if they are informed.
Tailgating is actually a very frequent and problematic occurrence for us, sometimes by people who will be aggressive, and this has seemed like the safest solution for us.
Good point. My brother was radiated into his condo building in D.C. one night. They robbed the office after he went up to his condo. He didn't feel safe refusing then entry, and knew this was a risk of letting them in.
After the incident, he was contacted by the building management, who asked him what happened and warned him not to do it again.
This seems like a reasonable policy since many people would not have thought in advance what to do if a potentially threatening person tries to tailgate.
Tailgating is a problem when you must keep a log of employee entries (and possibly exits).
If you’re just trying to ensure only employees are on-site, tailgating is less of an issue (unless somebody got fired but their colleagues were never told).
That’s not true. My workplace has employee only entrances where even visitor/temporary badges don’t work. No one is standing guard and they tell everyone to not allow tailgating.
That's the point. I was in the infantry, am 6'2, and a guy. I don't have a problem with challenging folks who are tailgating. That is not the case for everyone. Do you expect disabled folks to challenge tailgaters? What about physically small people? Setting aside the office dynamics around discrimination issues, how many people actually have the confidence to challenge an unknown person who is tailgating, knowing that there are practically no repercussions for allowing it, versus the fallout of alienating coworkers, potentially senior folks who might react negatively?
It's one thing to say "don't let people tailgate", it's quite another to actually enforce a policy that says that unless you provide proper physical security onsite. During security awareness training I always stress that people know who to notify onsite as well as telling them that they can choose to challenge them directly if they encounter someone tailgating.
We expect tiny people making minimum wage to ask thieves to pay for the cheese they’re shoplifting. This seems pretty minor by comparison.
I wouldn’t expect any physical force to be used. If asking politely doesn’t work, call security. If they threaten you into letting them in, comply, then call security.
> We expect tiny people making minimum wage to ask thieves to pay for the cheese they’re shoplifting.
We don't actually. All sane employers have them record and report the incident and not engage, because petty shoplifting isn't worth somebody getting shot and it's built into the margins anyway. If the store is big enough, they may have "loss prevention", who are people who are very much not tiny and will verbally engage the shoplifter and pretend to be scary, but they are also not allowed to engage physically, because again, it's not worth somebody getting shot, and liability is going to be a nightmare even if they were stealing.
I’ve heard of policies that cashiers are not to chase, let alone fight, but never that they’re not even supposed to ask someone to pay. Is that really true?
It might vary by chain, but everywhere I'm familiar with you're not supposed to accuse people of stealing, which has the same effect, perhaps for different reasons.
But you can report that it happened, taking silent note of their details, demeanor,direction, description. Nobody is challenging little Stacey from accounting to take on an intruder barehanded.
You are getting really hung up on a very tiny edge case. No reasonable manager would punish you for being physically overpowered. That doesn't mean you should encourage people to ignore the security policy.
99.99% of the time, saying to the tailgater "you need to swipe" is enough. If you do work somewhere where people are physically trying to break in often, then you ought to have real security personnel.
It's not about being punished for being physically overpowered - it's about being a five foot 3 intern and having someone 6'1 250 lbs, in a suit and in a hurry, behind you, tailgating.
The implications are enough to make it a shitty situation for such a person have to turn around and say "sorry person that looks c-suite, you can't come in with me."
This triggered a memory from my second "real" job.
We had a secure building with glass entry turnstyles. In my second week, a suited important-looking person was standing behind the gates at 8:20AM (we started at 8:30AM). It was busy and everyone was ignoring him (that seemed odd).
The suited guy picked me from the line of drones going through the turnstyles and asked if he could jump in behind me (he didn't even mention if he worked for the company).
I was still doing the HR training program stuff (the general wear deodorant, don't plug in flash drives from outside, don't ask for teamviewer, etc stuff) and the last thing we did the day before was end on the tailgating policy.
I told the suited guy that I couldn't let him in due to company policy. He smiled and said "all good" and went back to the corner.
He ended up being the head of logistics. Apparently, he liked to scope out the new hires and "test" their compliance. He tried this with 5 or 6 of the new hires and only managed to get let in once. The lady that let him in wasn't fired, but she did get a warning.
Rules are rules in Australia, even if you are a 20-times Grand Slam champion and one of the most recognizable people on the planet.
Roger Federer found that out this week when he was blocked access to a locker room at the Australian Open by a security guard who took his job very seriously.
A video circulating Twitter on Saturday showed the Swiss double defending champion stalled at the entrance for lacking his tournament accreditation.
I’ve had it done to me when I was hired and they explained we don’t allow tailgating here. Even though they know explicitly who I am, they are my bosses boss, I still need to swipe my badge on every locked door.
I’ve done it to VP level and I’d do it to my CIO too. I’d be that guy who badged the CIO but I try to take basic security and company policy seriously. I’d like an intern who is professional enough to “challenge” someone. Not sure I would’ve at that time.
There’s no need to confront anybody. Just notify security immediately if you see someone go through a security gate without swiping their access card, or if they tailgate you.
It's also a very tiny edge case that someone is trying to gain improper or unlawful entry to a workplace. It's not my job to put myself at risk in order to stop an intruder. It's not my job to play policy police with my co-workers, either.
My employer recognizes this and uses mantraps to physically prevent tailgating at unguarded entries.
You don’t have to put yourself at any risk, but if you work in a secure facility, you are usually explicitly required by contract to “play policy police”. That is, report any security violation like someone jumping the turnstile, or not having a badge.
Then why bother? If most of the time, asking is enough, then why bother at all? Because occasionally a bad actor wants in, I don't want to have to confront a bad actor.
The only response that’s reliable across doors, sites, and institutions is the door actually unlocking, which you may or may not be able to discern when already opened. Do you know the beep and light pattern by heart for valid credential vs. recognized but unauthorized credential vs. bus pass at every door you use? Each one in my office is a bit different, my apartment is something else entirely, in college they were uniform within buildings but different across buildings.
Electric mortise locks and strikes will click, though sometimes they are held in unlocked state for a few seconds so you won’t hear a second click, or the second click might be reverting to locked state. Depends on hardware and configuration, and maybe a what the person in front is doing with the handle, and when/whether the exit sensor trips. Different things on the door can make clicking sounds, they’re a bit different from each other, but pretty close. Magnetic locks, forget it. Sliding doors, forget it.
I’m an engineer interested in security, I pay close attention to these systems, I’ve run their cabling and installed their admin panels, and I doubt I could tell even if I were actively paying attention.
I do not agree. This should also be implemented in financial institutions and any company that has access to overly sensitive information, especially that which you can not easily change or that would put your family at risk of harm.
I would add in my proposal that if a percentage of employees under a director fall for it, the director gets let go. If a number of directors are let go, the C-Level is let go and so on.
Like the sibling comment, I think it all should depend on the roles of the people as well. You need strict access controls in place to ensure that access rights are well defined such as no/read-only access for certain data in certain environments, physical access control, etc. Someone who does client-facing retail at a financial institution should not have access to production data. As such, them getting phished won't have the same impact as senior developer with production read access.
I completely agree. If the company has performed proper compartmentalization of access and clearly documented who has access to what and it isn't just pencil-whipping, but you can prove the access is really compartmentalized, then the risk is reduced.
I mention the pencil whipping because I have seen financial institutions put on a really good show, but under the covers they are not doing proper management of ssh key trusts, ssh multiplexing, port forwarding, sudo or network access or encryption keys and they know which engineers to put in front of the auditors.
In practice there's often a way to escalate privilege. Defense in depth requires that one be good at each layer. Being good against phishing attacks is important even when the victim has apparently-inconsequential access.
At a financial institution I worked for, they had a separate entrance with separate badges and alarms for the really sensitive stuff.
I only entered that area once, as I was a low-level programmer.
It was also the only company where I never ever made a query on the production server :) (I worked for another financial institution on a more senior role and I did have scary access to the production DB).
I agree that a very strict version of this is too draconian for most workplaces, but depending on the person's role and how many times they've failed a phish test I think it's reasonable to have consequences. For positions where getting phished would be disastrous, something along the lines of a warning or training after the first and second strikes then firing after the third doesn't strike me as exceptionally draconian.
Seagate had all of its employees W2s phished because someone in HR messed up badly. If you have access to PII or other confidential information, phishing is a big deal.
That’s the problem with HR: the same role deals with lots of outside emails and lots of employee data.
They have to compromise between security and keeping it easy for people to apply.
The more companies that have complicated application portals, the fewer applicants they’ll have. Particularly from occasional job-seekers that already have other jobs.
> b) Does the phishing test service detect if the link is accessed via a sandboxed env?
In any company likely to be doing phishing testing internally, there are two kinds of people who might try this. One is the infosec group, which isn't going to do this because they're running the test. The other is engineers who think they're clever and are equipped to fsck around with things.
The former are professionals. The latter are dangerous and not actually an exception. The frequency with which their confidence is justified approaches zero and in the vast majority of shops simply not worth the time it takes to contemplate.
I wouldn't classify the majority of "Blue teams" I've worked with as professional. I'm currently dealing with a new Infosec group at my company that thinks the CEH is a high quality cert, that doesn't understand how open relays can be a problem, and believe that everything Qualys spits out is the word of God. I feel sorry for the CSO we just hired, but he's not much better, and a classic example of why "CSO" often stands for Chief Sacrificial Officer.
Good lord, you make it sound like dealing with highly radioactive plutonium. This is a site called hacker news, if you're a web developer and you can't figure out how to pull an html page without executing the scripts involved (a TRIVIAL thing to do) you shouldn't have a job. And honestly if your network is so insecure that someone running a wget on a domain poses a risk then your network has almost assuredly already been hacked.
> Good lord, you make it sound like dealing with highly radioactive plutonium.
That sounds about right. Your average developer dealing with malware is roughly as safe and sane as playing pool with 6-kilo balls of pu-239. Especially since a lot of places, developers are trusted with things like access to production from their workstations.
> This is a site called hacker news, if you're a web developer and you can't figure out how to pull an html page without executing the scripts involved (a TRIVIAL thing to do) you shouldn't have a job.
You know what's interesting? Even if you can do that, you've already made a mistake and leaked information. You've demonstrated for an attacker deliverability, who is curious and amateurish enough to think they can handle it (but hasn't thought it through), and some useful information about how they believe they are protecting themselves. Fetching a malicious server's HTML safely isn't as easy as might be readily supposed - both curl and wget (https://www.cvedetails.com/vulnerability-list/vendor_id-72/p...) have suffered remote exploits in the past. Those are almost certainly the tools a random dev would reach for and they cannot be assumed to be safe. The odds that said random dev is equipped to set up a sandbox to do so reasonably safely are not great, and the odds of them doing so much smaller.
Curiosity isn't a bad thing. It's a wonderful and powerful trait that has driven humanity relentlessly forward through the ages. Unfortunately, it can also be used against people. Being curious when playing with fire can be dangerous. Especially if you just think the fire is pretty and haven't figured out that it burns yet.
This site may be called hacker news, but it's not full of the kind of hacker that congregates at DEFCON and understands the House of Prime. It's full of the other kind.
Deliverability is pretty trivial to prove, and if they knew enough to get something in your inbox they probably already knew enough to be confident of that anyway. With regard to wget: 15 vulnerability’s in the last 20 years for such a highly used peace of software doesn’t scare me that much, and I can easily run it from a sandboxed container or vm since I’m using those all the time anyway. And if I don’t want to confirm deliverability, since I’m a web developer and I have a brain, I realise they probably included a unique token to know I’m the one that clicked the link, so I’ll leave that token off the request.
Look the problem with this kind of attitude is people take security less seriously when security experts go overboard. It’s classic boy who cried wolf. If you want people to take security seriously it starts with honest conversations where you treat people like adults and don’t immediately go to hyperbole.
OK. How should we - I - go about this differently?
Adults are perfectly capable of believing that their expertise extends further than it actually does and taking risks they do not fully understand or appreciate. I see it daily in the developers I work with. I have worked with more than one developer brimming with confidence in their ability to tackle areas beyond their expertise, who will try to engineer on-the-fly around any shortcomings pointed out in their approach (this is unrealistic, in real attacks adversaries don't give you friendly feedback iteratively).
I'm plenty willing to listen and take on board feedback here. What attitude should I take? How do I convince responsible adults, in a constructive and serious way, that they are not equipped to entertain their curiosity in this arena and should not try? How should I communicate to you, and to hundreds of developers at once, this message without going overboard or crying wolf?
It's one thing to play with malware and phishing at home, on your own hardware, on your own network, and with your own data. That's all your own risk to assume as you like. It's quite another to do so with company hardware, network, and data. That's not your risk to run and not your risk decisions to make. If you can advise me on how to communicate this to engineers who honestly and earnestly believe in their ability to safely handle things well beyond their expertise, I am absolutely all ears.
It would start by taking an honest assessment of what the other person actually knows before you make blanket statements about what they don't know. I mean, don't get me wrong I'm not personally insulted, but in my case you have zero idea what my actual expertise is but you're already telling me that retrieving link is beyond what I can safely handle -- and you literally have no idea what my experience is. (I used to work in security!) Part of my job as a developer is security, I need to know attack vectors people use, so that sites I build aren't vulnerable, and besides that, I'm not some criminal mastermind but you don't even know if when I was younger I had fun hacking people and creating mischief. Point being, you can't come at people with this blanket statement of "you have no idea what you're dealing with!" because YOU don't know what they know. If you do that you're going to lose their empathy and attention before you even communicate what you want to communicate.
Here's what you can do: tell them what can go wrong, with specifics, and don't make assumptions about them. Be realistic about what the likely consequences are and what the worst case is.
If we wanted perfect security we'd never connect machines to the internet and superglue the usb ports shut. But in a realistic world, the level of security we choose is measure against how much risk we're willing to take. Lets say my risk profile is this: I don't work for the NSA and I'm not important enough that someone is going to try a unique zero day exploit on me. But it would be trivial to figure out my work email based on my linked in and my name, so I don't really care about them discovering deliver-ability. If the phishing attempt is bad, I'll probably spot it immediately and not bother to even open the email, but if it's good I'll probably at least investigate because I'll want to know if it was a legitimate email. Chances are, they're just trying to convince me to type my password into a web form (and assuming I use the same password everywhere). Of course, chances are also that, just based on my past experiences, about 90% of phishing attempts come from corporate security departments anyway. If someone really has a very clever zero day exploit of wget then they'll get access to a container with little sensitive data that I rebuild about a hundred times a day.
Yes it's not my hardware, but on the other hand, my company has entrusted me with local admin to get my work done and use of the internet. That's the risk profile they're comfortable with, and sometimes I get external emails and need to figure out if they are legit or not, and I don't work for a giant company with a huge security department so sometimes I need to take a glance to see if it's a legit email or not.
That's an excellent and highly empathetic approach!
My only issue with what you've described is that I cannot scale it. When I have hundreds of developers to educate, sitting down with each of them and spending hours hashing out what they do and don't know and educating them over the gaps can at times become somewhat time-consuming.
How do I deal with hundreds of developers, the vast majority of whom have no significant background in security, many of whom earnestly and honestly believe that their understanding of web development protects them? How do I collectively treat them like adults and not lose their empathy or attention in a scalable way? A highly individualized approach isn't workable in this context.
>Does the phishing test service detect if the link is accessed via a sandboxed env?
Does it really matter? I used to play these games with my org's absurdly obvious phishing trainers, but the truth is it's not my job to determine whether an apparent phishing email is genuine or not. If you know that getting phished is a fireable offense, then just don't access the links, obvious fake or not.
I forward all emails that are not directly from people in the company to the trash.
I also forward anything with the word "phishing", "test", "audit", and our our IT and security department.
The other strategy I have is simply not checking email.
This is so useful, while others are taking security test, and failing phishing link test. I am in the clear.
What test? I did not get the email.
You clicked what? Humm, I did not get that email.
Man you got a virus -- I run Linux and access my email via Emacs/Mu4e -- also I did not get that email.
The env it was accessed in shouldn't matter too much. Simply clicking on a link is a fairly small risk. Not zero risk but unlikely to be an issue. The real issue is when the link you clicked on asks you for a password and you type it in. You should only fail the test for giving a password.
* That their attack was delivered successfully to inboxes.
* What email addresses are live.
* Who is curious enough that they will investigate.
* Who believes they understand and can handle the risks.
These are not small things for an attacker to learn. Further, in a world where drive-by browser attacks are real, it's worth thinking very carefully if clicking a link in a phishing email should be regarded as essentially harmless.
If tailgating is that big of a deal, especially for the defense industry, then they need to install man traps at the entrances. Make tailgating physically impossible. It's unreasonable to expect, say, a smaller female employee to stop a larger male who she only realizes is tailgating her after she's already swiped her badge. If physical employee is that important, install physical security or have guards. Plenty of important facilities have both.
I don't think any company's policy requires every employee to physically stop the tailgater. It would be enough that she e.g. alert security to the situation.
Not immediate, but they have been tipped off by the employee who made the call, as you noted, so they can review the most recent video from just a few minutes ago for the specific corridor where that employee was tailgated.
I had to take a security training class because I failed to report a phishing attempt. Didn’t click the link and likely ignored the email altogether. My boss was confused why they contacted him. I don’t work there anymore.
I work at a financial company and we have a similar policy around phishing email. Embarrassingly, I failed this once and then created an email rule which filters out the fake Phish. No idea if it gets real Phish.
...and now we see why such policies are bad, and it's even covered in the article: while people falling for phishing are bad, what's even worse is when they fall for it and don't report. Creating a culture where the security is the enemy is _not_ good.
I mean, sure, if it's 20 times, we're getting into outrageous territory and you have reasons to suspect employee is trolling you. But other than that, the reality is that your employees _will_ get phished eventually. Reduce the risk and work on reducing the harm caused when it happens, instead of antagonising your workforce.
Edit: also, if you could just "filter out" the test means that the tests were about as good as most corporate "compliance" training is. Just as the firings, it feels designed more to coddle the C-levels than actually achieve anything.
I also incidentally found an easy a filter for these. I found once that our proxy auto config has 10 misspelled domain names. Those are all used for the Phishing Tests.
This can be equalized by having a perk or bonus on reporting phishing attacks to IT. Anything from casual Friday (for offices that are not relaxed wear) to a Starbucks card or whatever. IMHO the act of timely reporting the click on a phishing email should negate the email click penalty. The idea is make the wanted behavior pleasurable and the unwanted ones painful.
> This can be equalized by having a perk or bonus on reporting phishing attacks to IT.
...there is no way you can equalise "you're going to lose your job" with anything less than "we're going to give you enough money that you won't really need the job anymore."
And with a Starbucks card or casual Friday? I'm not even sure if you're being serious, because that sounds like a joke.
I was trying to make the case that you can give perks for natural reporting to IT (passive and active) + ensure that a user that has acted on a phishing email that reports it in a timely manor is treated as a non-fail (at least at some level).
Both of these things together leave a system in place where:
users are highly penalized for failing a phish test (or real life phishing attempts)
User's that fail the test (or real phishing attempt), but follow it with a timely notice have less pain.
Users that notify on apparent phishing attempts get small rewards.
> Embarrassingly, I failed this once and then created an email rule which filters out the fake Phish.
how did it get you, if you don't mind sharing? It seems if someone who works in IT (guessing you do) and is very careful fails it, this is an impossibly high standard to meet.
I recently failed a suspicious email / phishing test for the first time, and I am also one of those people who never thought it would happen to me...
The email was a newsletter I didn't care about, and the unsubscribe link was (fake) malicious. That one impressed me because it preyed on what is now a pure reflex to click the unsubscribe link.
From this and other comments in this thread it seems you have failed these phishing tests as soon as you click a link. Is the assumption here that you are completely pwned as soon as you visit an url controlled by an attacker? I can't imagine myself compromising company data/funds via a website where I ended up through a newsletter unsubscribe link so this seems quite unfair on the part of the phish-testers.
That's exactly how my organization does it as well. I had to go to an incredibly asinine training because I clicked on a fake phishing link after verifying that the domain was owned by a computer security company that sold phishing prevention services. The link just went to a static "you could have been phished" page and a few weeks later I got an email telling me that I had to got to a phishing awareness training. There was no attempt at all to actually collect any credentials from me.
This is exactly the case. If you click on a link in the fake phishing email you've failed the test. It does not require you to install anything, open an attachment, etc.
If you think visiting a webpage in Chrome, or any other browser, even inside a VM, is totally safe, especially against a nation-state level actor, I have some bad news for you.
You would literally have to never click on any link that isn't 100% under your own control in that case. Yes 0-days exist, but if I'm in an environment where that level of security is necessary, why do I even have access to a web browser?
If you think that just clicking a link is so dangerous that it needs to be a firing offense, then you should probably lock down the computers so that the browsers cannot view anything besides approved domains.
From the original article which that page links to [0]:
The breach centered around a hacker getting hold of a Microsoft customer support worker’s login credentials; from there, the hacker could dive into the content of any non-corporate Outlook, Hotmail, or MSN account
This is a security concern for any mail that an administrator can read, although it isn't at the same level as being compromised just through parsing an email.
If you are in a high enough position that nation states are burning zero day exploits to launch targeted attacks against you, there should probably be a security professional filtering your email. (This is also a situation where disabling Javascript would be very reasonable.)
For the remaining 99.999% of the population, I really don't think opening a web page in an up-to-date browser is cause for concern. Certainly if that browser is also in a VM. People have more pressing concerns in their lives.
Did the link take you to a site that auto-ran malware? Or did it take you to some kind of page that said "login to unsubscribe"?
The latter is why password managers can be so valuable. I never type my passwords in so if my auto-fill doesn't activate I immediately become suspicious.
If it's the former, it seems like your company must be using an insecure browser or the site was running some kind of 0-day? I never think twice about clicking links.
When my organization does these, the link just goes to a static page that says "you could have been phished". The fact that in fact no serious attempt at phishing has yet taken place and that my work machine is far too insecure if they're worried about browser 0-days seems totally lost on them.
It's a valid comment, but if you're in a position where you are worried about 0-days from random web browsing then you should be using the internet on a fully segregated machine.
If Firefox or Chrome has an RCE + privilege escalation in it that can be triggered just from browsing to a page then, congrats, you got me.
The recent CPU-level vulnerabilities have exploits that can run in the browser. See https://www.zdnet.com/article/intel-cpus-impacted-by-new-zom... for pointers to video evidence. They're not zero-day attacks once they're made public, just the same as Meltdown and Spectre. Go download the PoC code, switch calc.exe to something useful, and phish away.
https://news.ycombinator.com/item?id=20028108 from earlier this week shows that just loading a page can lead to network information disclosure or other compromise / attack vectors. It's not a zero-day, it's a feature.
I don't think background noise of broad, low-effort phishing emails can be directly compared to a more focused attack. If you work somewhere with interesting data the odds of a good phishing attack leading to an exploit could be much higher because you're being specifically targeted and they're not going to send the message until they have a current exploit ready (probably hoping to get it in before your IT department's change window, too).
> If someone had a working browser exploit, wouldn't they just deliver it to their targets via an ad network?
I've heard more people at enterprises using ad blockers for security so I wouldn't rule that out but in general this is hitting that the broad vs. targeted distinction I mentioned: each time you use an exploit you're risking discovery, which will lead to it being patched & AV signatures going out. Using an ad network increases the number of people who are not your target getting the payload, not to mention any scanning the network does, and since ad networks require payment there's another trail pointing back to you which might not otherwise be the case if you are hosting things on compromised servers.
I'm sure this [reporting spam rather than unsubscribing] happens all the time but it's sort of obnoxious if the email is legit and, especially, if it's a list you requested to get put on at some point.
If you got my email address from a third party, then I do not want to be marketed to.
If you got my email address because I applied for a job, then I do not want to be marketed to.
If you got my email address because I signed up for a service, then I do not want to be marketed to.
If you got my email address because I purchased something, then I do not want to be marketed to.
If you got my email address because someone else "legitimately" entered my email address into your field, then I do not want to be marketed to.
In short: your definition of "legit" likely does not meet my definition of legit. The only email that I deem to be legit is an email that:
1) is @from a domain name that I recognize (walk like a junk, talk like a junk, it's junk)
2) is @from the same domain name as the correspondent (no third party bulk email or proxies; eg mailchimp et al)
3) does not have a no-reply@ as the reply-to address (I must be able to talk to a human)
4) does not hyperlink to third party domains (from@domain must match hyperlinked domain text)
Any legitimate email outside of those parameters are specially treated with liberal amounts of filtering.
Your attitude doesn't account for the possibility that since you do business with somebody, you need or want to receive some of their emails.
This is the nature of any relationship. You can't be ruthless in eliminating aspects you don't like, if you don't want to end it entirely because it's net positive.
> Your attitude doesn't account for the possibility that since you do business with somebody, you need or want to receive some of their emails.
You are incorrect and interpreting my comments very narrowly.
Doing specific business with somebody should not give that somebody carte blanch to use my email address for whatever reason they wish. I absolutely can be ruthless in eliminating aspects I don't like and if businesses don't like that: tough shit. My world doesn't revolve around your business. If that means that the business relationship ends right there, then I'm better off for it.
And, assuming there are clear and reasonable ways to inform them that you don't wish further communications (as there should be with any professional marketing), you should take that route. Otherwise anything is fair game. But I attended an event and got a follow-up email? Calling that spam is mostly being an asshole.
Why is obtaining a follow-up email from an event impervious to being spam? Attending an event is not consent for marketing. Marking spam as spam is not being an asshole.
I know it sucks when an IP gets burned, but when you're acting in good faith it's a rarity - or has been in my experience.
One of the reasons you'll pry Evolution from my cold dead hands is Right Click -> Create Filter -> @domain.co.uk and done.
I have filters for almost everything, my boss goes into one folder and gets set one color, automated notifications from my internal system another (green if everything is OK, orange if there is something I really need to look at).
What I really* want is a desktop client that exposes a nice clean Python (or similar) API so I can automate even further - I mean Python has everything I want if I want to do that from the CLI/cron but having it built in would be really nice.
Nearly all of them are tech companies trying to sell me stuff because I once bought something from them, tried their service or briefly thought about it.
As I’m the head techie (by dint of been the only techie) , I’d be the one purchasing from them in the first place.
I find a filter that sends everything to Marketing/Hardware and marks as read fairer than flagging them as spam.
If you filter out all the people telling me they’ll be out the office, birthday announcements etc, all the vendors trying to sell me stuff and all the automated stuff (which I do automatically), I get less than 5 emails a day (I put my boss on Trello, it’s just better for what we need) which I check once at 11 and at 10 to 5.
I’m ruthless about my time since I’m the only programmer.
The unsubscribe link is more effective at stopping unwanted emails.
I automatically unsubscribe people who mark email as spam but lots of marketers dont do that so you will still receive emails.
Most legitimate companies will respect the unsubscribe links as that is required by law and they invested more infrastructure around that functionality.
I wouldn't click on links from phishing attempts or emails from sketchy services I never signed up. Anything semi-legit is better handled through the unsubscribe link first.
Heh, you could make a phishing attempt that looks like a really bad phishing attempt, and inside of it have a link that says "CLICK HERE TO REPORT SUSPECTED PHISHING ATTEMPT TO IT"
I nearly fell for a real fishing link once recently, due to changes that have been made by our IT department.
Firstly all external senders have the mail reformatted with a red bar at the top and some text, and secondly all hyperlinks are forced through a proxy, which makes it effectively impossible to know what the URL is from the email.
I'd received a (rare to my work account) fishing email and I was about to click on a link in there just before I started thinking. I'd been trained to trust emails with the red bar, as most external mail I get is trustworthy, and I reflexively check links before I click them but this was just another going through the proxy.
I'm not sure how much these changes help less technical users, but it made me less secure.
That's just it, I simply wasn't being careful. Everyone gets distracted sometimes. I don't remember it in detail, but it was a fairly standard phishing email from a fake domain and I clicked a link. Not only am I in IT, my department is somewhat security related.
I guy I worked with fell for one when he was selling his car online, he got an email from an interested buyer (car thief) the linked to a very good replication of the site he was selling it on. The car thief turns up and scouts the location but the give away was that he showed little interest in the car, at which point he went back and checked the email to discover the phishing.
Even trained intelligent people have momentary lapses of concentration. Imagine opening a link from email on your phone then looking away for a second while it loads, but then the address bar has disappeared and you've missed the ssl indicator.
> It seems if someone who works in IT and is very careful fails it, this is an impossibly high standard to meet.
It's the same reason you automate things. People make mistakes. It's not about messing up once. It's about always being absolutely positively sure that you aren't making a mistake.
If you've ever clicked on a link from an email, you are vulnerable.
I think it's reasonable, but there should also be reasonable common-sense support for these policies.
"No tailgating" can be supported through decent vetted entrances and exits.
"No phishing" could have mailserver and mail client support to properly flag the origin of emails and/or enforce "no remote loading" or "restrict html" or "check attachments" sorts of things
Say what you want about air travel security but the TSA has figured some stuff out. For all of the behind the scenes employees, working in what’s known as the SIDA (security identification display are), there are protocols that must be followed. Most are what seems like security common sense but to really drive the point home there are stiff financial penalties for not following them. Typically the employer will pick up the bill but ring up a couple of them and you better start looking for a new job because you’re definitely going to get fired.
I think some kind of strike system is completely reasonable and if you’re working on sensitive information or systems then phishing most definitely needs to count as a strike.
It is absolutely unreasonable to get fired by putting your life in danger to stop trailgaters.
There are essentially three types of tailgaters, people who belong there, tourists, and nefarious across.
People who belong there are just getting lazy, but it is OK. Tourists you can stop (these are people who might be guests, or are just curious) but these people aren't bad people, and most lonely wing do any harm. Then there are the nefarioys types, the criminals... The ones who are there for a bad reason, and I'm supposed to stop them?
I like the three strikes rule. Sometimes it just slips through.
I got caught by a phishing link once because I had just gotten off the phone with a co-worker John and got an email 5 minutes later that said "hey James, it's John". Didn't even think twice about clicking it.
They also did have a reporting system. Presumably you wouldn't get a strike if you clicked and reported. People who reported "legitimate" phishing attempts were rewarded. Spear phishing is a totally different game and nobody in their right mind would fail people for clicking on a (well crafted) spear phishing email.