Slashdot Mirror
1 in 3 Michigan Workers Tested Opened A Password-Phishing Email (go.com)
An anonymous reader quotes the AP:
Michigan auditors who conducted a fake "phishing" attack on 5,000 randomly selected state employees said Friday that nearly one-third opened the email, a quarter clicked on the link and almost one-fifth entered their user ID and password. The covert operation was done as part of an audit that uncovered weaknesses in the state government's computer network, including that not all workers are required to participate in cybersecurity awareness training... Auditors made 14 findings, including five that are "material" -- the most serious. They range from inadequate management of firewalls to insufficient processes to confirm if only authorized devices are connected to the network. "Unauthorized devices may not meet the state's requirements, increasing the risk of compromise or infection of the network," the audit said.
the email system never verified the URL nor where the email was from
so your email system is so poor you have to rely on the end user not to click on a link ?
simply block / rewrite URL's that have not been verified
only accept mail from domains that have been verified and claim the email is from them
(for example that have DNSSEC and DANE setup correctly as gov address's have this and can therefore prove that they sent the email)
simple basics that are not the end users fault
... and I dealt with it during my career. I'm a retired IT.
I held seminars, talked to employees one-on-one, and damned if we didn't still get hit.
It was a law firm and the staff never fell for phishing.
My problem was the fucking lawyers, especially the managing partner!
That bastard would click on anything.
He got a goddam email that said his UPS package wasn't going anywhere unless he looked at the invoice and corrected the address.
I asked him if he sent anything via UPS and he said, no.
I asked him if he remembered signing an exclusive with FedEx that I negotiated and he did.
I asked him if he, personally, ever sent a package anywhere or if he let his staff do that -- he said staff.
He did that shit over and over again.
--
I'm waiting for AI to step in; predict the outcome of clicking on a link and forbidding forward progress until an IT person concurs.
It little behooves the best of us to comment on the rest of us.
The 20% is the important statistic and that's scary enough already; no need for ABC News to embellish the story.
I've been a part of aggressive, well crafted phishing tests in Silicon Valley companies. Some of those tests were secret enough that only 3 people were aware of the test in advance... and the results were terrifying. Thanks to HTML abuse, forged headers and very good copy, I've seen 70% of storied security teams fall for the phishing attempt, going as far as to enter their 2fa values for AWS. In a real world situation, just one person falling for it would have been a problem.
In practice, what I have learned is that against a sophisticated opponent, any security system that relies on just usernames, passwords, and simple 2fa might as well not exist. The bare minimum is unique usernames and passwords just to double check that the right human is on the other side, attached to client certificates that are unique to each machine, and strong mechanisms to make sure that nobody generates user + certificate pairs for new computers without big flashing signs popping up. Anything weaker is just relying on being an uninteresting target, which is not a good thing to rely on.
I have found that when the security team sends out "phishing" emails about once a month, that helps. Opening the link takes the employee to a page reminding them about phishing. If instead they click the "report" button in Outlook, they get a happy message. It changes behavior after a few months.