What is the common perception on running 'blind' phishing tests on employees? Wouldn't you be better off running tests against your IT team to see if they can pick up indicators of compromise or if their tech controls can pick up phishing emails, and for your employees run awareness campaigns and training?
# ? Jun 11, 2024 00:05

Defenestrategy posted: What is the common perception on running 'blind' phishing tests on employees? Wouldn't you be better off running tests against your IT team to see if they can pick up indicators of compromise or if their tech controls can pick up phishing emails, and for your employees run awareness campaigns and training?

They're completely worthless and just piss people off. Anyone can get phished.
You'd think they would have known better after seeing all the bad press Tribune Publishing got just a few months ago when they did exactly the same thing. https://www.washingtonpost.com/opinions/2020/09/23/tribune-publishing-apologizes-fake-bonus-offer-phishing-simulation-email/
Defenestrategy posted: What is the common perception on running 'blind' phishing tests on employees? Wouldn't you be better off running tests against your IT team to see if they can pick up indicators of compromise or if their tech controls can pick up phishing emails, and for your employees run awareness campaigns and training?

I've gotten blind tested all the time, but I'm in tech and it's super obvious when I look at the headers and it's blatantly knowbe4 or some other overpriced service. That being said, as lovely as this situation is, GoDaddy has been the cause of numerous, NUMEROUS social engineering domain hijackings or similar, and their staff very seriously needs to be much much better trained.

Impotence fucked around with this message at 21:21 on Dec 24, 2020

Perhaps, but you don't train your staff by being assholes to them.
Biowarfare posted: I've gotten blind tested all the time, but I'm in tech and it's super obvious when I look at the headers and it's blatantly knowbe4 or some other overpriced service.

GoDaddy is a trash fire of a hosting provider in general. It's abysmal top to bottom. I'm guessing it's not a training problem.
Holy poo poo this pisses me off. It's loving evil, cruel, offensive, and squanders all the work being done by people to make cybersecurity more accessible, equitable, and approachable.
Biowarfare posted: I've gotten blind tested all the time, but I'm in tech and it's super obvious when I look at the headers and it's blatantly knowbe4 or some other overpriced service.

Having just bought knowbe4, I didn't consider it overpriced. You're not really paying for the testing service, you're paying for all the training modules and they're fairly high quality.
Wait, I'm pretty sure they did this exact same stupid stunt last year. I hope the company craters.
The Fool posted: Having just bought knowbe4, I didn't consider it overpriced. You're not really paying for the testing service, you're paying for all the training modules and they're fairly high quality.

Can your employees click through until the end and mash the "yes I understand" button, or does it force them to run it on a laptop off to the side with the sound off and occasionally reach over to click "next" when that slide is done?
I actually know someone that works at GoDaddy in their infosec department. Guess who I am hitting up!
Defenestrategy posted: What is the common perception on running 'blind' phishing tests on employees? Wouldn't you be better off running tests against your IT team to see if they can pick up indicators of compromise or if their tech controls can pick up phishing emails, and for your employees run awareness campaigns and training?

CLAM DOWN posted: Holy poo poo this pisses me off. It's loving evil, cruel, offensive, and squanders all the work being done by people to make cybersecurity more accessible, equitable, and approachable.

evil_bunnY posted: Letting something phish-y through to your employees is 100% an IT failure.

While I agree in theory, in practice it is impossible to have a 100% block rate, so you need to supplement filters with training, and phishing tests are a part of that training.
evil_bunnY posted: Letting something phish-y through to your employees is 100% an IT failure.

Considering how nothing stops all phishing attacks from getting through to the end user's inbox, I don't see how this is an IT failure. Whatever org you are in isn't immune either, unless you don't allow external email in.
Volmarias posted: Can your employees click through until the end and mash the "yes I understand" button, or does it force them to run it on a laptop off to the side with the sound off and occasionally reach over to click "next" when that slide is done?

It has a little mini quiz at the end; if you wanted to click through and answer 3-5 questions, you could be done in a little over a minute. But the trainings are not designed for people like you that already have a grasp of the concepts and could answer those questions blind.
evil_bunnY posted: Letting something phish-y through to your employees is 100% an IT failure.

How do you prevent a gmail.com message, or another compromised domain/email infrastructure, that just says "hey can you please reach out to this number, it's urgent, thanks"? Do you just run a tight allow list?
When has Godaddy not been a burning dumpster fire?
The Fool posted: It has a little mini quiz at the end; if you wanted to click through and answer 3-5 questions, you could be done in a little over a minute.

My point is that the people these trainings ARE for aren't going to pay attention to them, because for them they'll just be another CYA training thingy that they have to do. They'll click through and answer the quiz as often as they need to so that it goes away. You can't force the people who need this the most to actually learn it, and the ones who would be willing to learn you could probably just give an informal 5 minute class to.
Volmarias posted: My point is that the people these trainings ARE for aren't going to pay attention to them, because for them they'll just be another CYA training thingy that they have to do. They'll click through and answer the quiz as often as they need to so that it goes away. You can't force the people who need this the most to actually learn it, and the ones who would be willing to learn you could probably just give an informal 5 minute class to.

I just had to pass a pre-employment "spot the phishing email" training/quiz thing made up of real examples that were sent to the company. Seems like a decent idea.
CommieGIR posted: When has Godaddy not been a burning dumpster fire?

And yet somehow better than Network Solutions?
Sickening posted: I actually know someone that works at GoDaddy in their infosec department. Guess who I am hitting up!

I suspect that you won't be well compensated at GoDaddy. Just a hunch.
Weird question, messing around with my newly set up VirtualBox lab. I did an arpspoof just to see what would happen, and I noticed that my Windows machine, when I ran a tracert, seems to "know" that something is wrong, as the IP address of the attacker machine shows up even though the victim machine thinks the router's MAC address is the Kali Linux machine's MAC. If it's this easy to detect, why is that feature not automated? Would automating that create a whole bunch of networking issues?

```
Tracing route to dns.google [8.8.8.8]
over a maximum of 30 hops:

  1     *        *       <1 ms  10.0.2.15
  2    <1 ms    <1 ms    <1 ms  10.0.2.1
```

Butter Activities fucked around with this message at 21:52 on Dec 25, 2020
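As an added example (not the poster's code, and not any real tool's), here is what an automated version of that check looks like: an arpwatch-style comparison of two ARP-table snapshots that flags the gateway's MAC changing and one MAC answering for several IPs, the two things an arpspoof run leaves behind. The function names, the `arp -a` lines and the MACs are constructed to mirror the lab addresses above.

```javascript
// Added example, not the poster's code: an arpwatch-style check that automates what
// the tracert above revealed. Two ARP-table snapshots are compared; the gateway's MAC
// changing, or one MAC answering for several IPs, is the signature of an arpspoof run.

// Parse Windows `arp -a` output ("10.0.2.1   52-54-00-12-35-00   dynamic") into
// a Map of ip -> mac. Only dynamic entries count: static multicast entries
// (224.x.x.x -> 01-00-5e-...) legitimately share MACs and would be false positives.
function parseArpTable(text) {
  const table = new Map();
  const re = /^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(\w+)/i;
  for (const line of text.split('\n')) {
    const m = re.exec(line);
    if (m && m[3].toLowerCase() === 'dynamic') table.set(m[1], m[2].toLowerCase().replace(/-/g, ':'));
  }
  return table;
}

// Compare a trusted baseline against the current table and return alert strings.
function detectArpSpoof(baseline, current, gatewayIp) {
  const alerts = [];
  const before = baseline.get(gatewayIp), after = current.get(gatewayIp);
  if (before && after && before !== after) alerts.push(`gateway ${gatewayIp} MAC changed ${before} -> ${after}`);
  // Invert the table: the attacker's NIC now answers for its own IP and the gateway's.
  const byMac = new Map();
  for (const [ip, mac] of current) byMac.set(mac, [...(byMac.get(mac) ?? []), ip]);
  for (const [mac, ips] of byMac) if (ips.length > 1) alerts.push(`MAC ${mac} claims ${ips.join(', ')}`);
  return alerts;
}

// Constructed snapshots mirroring the lab above; the MACs are made up.
const BASELINE = `
Interface: 10.0.2.15 --- 0x6
  Internet Address      Physical Address      Type
  10.0.2.1              52-54-00-12-35-00     dynamic
  10.0.2.4              08-00-27-1a-2b-3c     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
`;
const POISONED = BASELINE.replace('52-54-00-12-35-00', '08-00-27-1a-2b-3c');  // gateway now = Kali's MAC

// Run the detector over a clean pair and over the poisoned pair.
function demo() {
  return {
    clean: detectArpSpoof(parseArpTable(BASELINE), parseArpTable(BASELINE), '10.0.2.1'),
    spoofed: detectArpSpoof(parseArpTable(BASELINE), parseArpTable(POISONED), '10.0.2.1'),
  };
}
```

The production equivalents are arpwatch on a host, Dynamic ARP Inspection on a managed switch, or a static ARP entry for the gateway; hosts don't block on this by default because IP-to-MAC bindings also change legitimately (replaced hardware, DHCP handing an address to a different machine), so a host can only warn.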
BonHair posted: Now, now, it could be worse. You could be at a company with three distinct IT departments, whose systems are interconnected, but are at best completely ignoring each other. And, hypothetically, responsibilities would be clear as mud. Also outsourcing with lovely contracts and no follow-up.

Sears?
Potato Salad posted: Sears?

Nope, and I'm not gonna tell you where it is either, because it's frankly beyond embarrassing. It's in Europe though. Half the problem is Operational Technology/OT, which in theory is completely separated from IT, but in practice, you guess where the user accounts are. If you guessed "the IT AD", that would be correct, but also we have two ADs that operate in mostly the same environments.
https://twitter.com/0xAmit/status/1344729790843121664
There's so much more to this that isn't being shared with the wider public.
Yeah, this is very, very bad. There's probably crazy amounts of stuff locked behind clearances that we won't learn about for decades.
What's the consensus on the Web Cryptography API for storing low-risk information with end-to-end encryption? I'm writing a tool that will store W-9 information and let the user distribute a link to people to automatically create a filled-out W9 with the business's information. I'd like to have zero knowledge of the information sent by the user, even though the information itself isn't necessarily confidential (EINs are public information, but a user could submit an SSN I guess?) I was thinking of doing something like Firefox Send's E2E implementation, but crypto is not my specialty.
Ynglaur posted: Yeah, this is very, very bad. There's probably crazy amounts of stuff locked behind clearances that we won't learn about for decades.

And not nearly as much fun as VENONA.
https://www.bankinfosecurity.com/dc-rioters-open-capitols-doors-to-potential-cyberthreats-a-15715

In the wake of yesterday's riots
Yeah I was flabbergasted when I saw some photo yesterday of a staffer’s unlocked desktop with Outlook open. In my mind I’m trying to think about what a playbook scenario that would be from a defender perspective. I need to amend our security training I guess. “Leaving your desk to print? Use the bathroom? Flee a riot? Did you remember to lock your computer?”
Or implement some kind of proximity device. If you're not there, not touching or your smart card isn't inserted then the computer auto locks. When I worked in a high security area we would just be fired if we left our computer unlocked 3 times.
Martytoof posted: Yeah I was flabbergasted when I saw some photo yesterday of a staffer's unlocked desktop with Outlook open.

Have remote kill switches for your desktop computers in case of rioting and evacuation?
droll posted: Or implement some kind of proximity device. If you're not there, not touching or your smart card isn't inserted then the computer auto locks.

I got learned real quick when a supervisor emailed herself grounds to fire me even with my autolock set to 1 minute. She was pretty slick.
droll posted: Or implement some kind of proximity device. If you're not there, not touching or your smart card isn't inserted then the computer auto locks.

Yeah, this. Basically all DoD systems are set up to require a token card inserted and as soon as it's removed the system locks--it was surprising to see that Congress's systems are not set up similarly. And then I remembered that the specific system that was photographed as being unlocked belonged to the Speaker of the House, who probably gets to play the same "just do what I say" game that many other powerful figures do. Trump's kids have been repeatedly cited for using personal email accounts for government business. CEOs and C-suite employees everywhere are often poster children for "yes I know security is important but I want my (computer|phone|whatever) to be exempt from the restrictions because having to deal with (VPN|2FA|password rotation|whatever) is bothersome and I'll fire you if you don't do what I say." Etc.

But yeah, those IT teams are gonna be putting in a ton of overtime to re-image every system in there. And good luck trying to sweep the entire Capitol for rogue devices that might have been shoved somewhere.
droll posted: Or implement some kind of proximity device. If you're not there, not touching or your smart card isn't inserted then the computer auto locks.

They use CAC cards for that. It looks like in the panic, a few people forgot to pull the card from their machine.
DrDork posted: Yeah, this. Basically all DoD systems are set up to require a token card inserted and as soon as it's removed the system locks--it was surprising to see that Congress's systems are not set up similarly.

It was one of her staffer's workstations in her office.
I was under the impression Government used CAC for everything and you'd have to remove it prior to leaving. Shocked that isn't true.
They also clearly have no policy against wireless keyboards and mice on computers facilitating discussion of state secrets.
It's probably true that the stuff given to staffers is not the same as the things the congresspeople have access to. The federal government has lots of disparate networks, and depending on how congressional staffers are classified as employees, those might not have had any sensitive info on them. I know my state government has an entire separate org to deal with the legislature's stuff.