|
What is the common perception on running 'blind' phishing tests on employee's? Wouldnt you be better off running tests against your IT team to see if they can pick up indicators of compromise or if their tech controls can pick up phishing emails and for your employees run awareness campaigns and training?
|
#
?
Dec 24, 2020 20:59
|
|
|
|
| # ? May 19, 2024 19:37 |
|
|
Defenestrategy posted:What is the common perception on running 'blind' phishing tests on employee's? Wouldnt you be better off running tests against your IT team to see if they can pick up indicators of compromise or if their tech controls can pick up phishing emails and for your employees run awareness campaigns and training? They're completely worthless and just piss people off. Anyone can get phished.
|
|
#
?
Dec 24, 2020 21:11
|
|
|
You'd think they would have known better after seeing all the bad press Tribune Publishing got just a few months ago when they did exactly the same thing. https://www.washingtonpost.com/opinions/2020/09/23/tribune-publishing-apologizes-fake-bonus-offer-phishing-simulation-email/
|
|
#
?
Dec 24, 2020 21:13
|
|
|
Defenestrategy posted:What is the common perception on running 'blind' phishing tests on employee's? Wouldnt you be better off running tests against your IT team to see if they can pick up indicators of compromise or if their tech controls can pick up phishing emails and for your employees run awareness campaigns and training? I've gotten blind tested all the time, but I'm in tech and it's super obvious when I look at the headers and it's blatantly knowbe4 or some other overpriced service That being said, as lovely as this situation is, Godaddy has been the cause of numerous, NUMEROUS social engineering domain hijackings or similar, and their staff very seriously needs to be much much better trained. Impotence fucked around with this message at 21:21 on Dec 24, 2020 |
|
#
?
Dec 24, 2020 21:19
|
|
|
Perhaps, but you don't train your staff by being assholes to them.
|
|
#
?
Dec 24, 2020 21:26
|
|
|
Biowarfare posted:I've gotten blind tested all the time, but I'm in tech and it's super obvious when I look at the headers and it's blatantly knowbe4 or some other overpriced service GoDaddy is a trash fire of a hosting provider in general. It's abysmal top to bottom. I'm guessing it's not a training problem
|
|
#
?
Dec 24, 2020 21:35
|
|
|
Holy poo poo this pisses me off. It's loving evil, cruel, offensive, and squanders all the work being done by people to make cybersecurity more accessible, equitable, and approachable.
|
|
#
?
Dec 24, 2020 21:38
|
|
|
Biowarfare posted:I've gotten blind tested all the time, but I'm in tech and it's super obvious when I look at the headers and it's blatantly knowbe4 or some other overpriced service Having just bought knowbe4, I didn’t consider it overpriced. You’re not really paying for the testing service, you’re paying for all the training modules and they’re fairly high quality.
|
|
#
?
Dec 24, 2020 21:43
|
|
|
Wait I’m pretty sure they did this exact same stupid stunt last year. I hope the company craters
|
|
#
?
Dec 24, 2020 22:27
|
|
|
The Fool posted:Having just bought knowbe4, I didn’t consider it overpriced. You’re not really paying for the testing service, you’re paying for all the training modules and they’re fairly high quality. Can your employees click through until the end and mash the "yes I understand" button, or does it force them to run it on a laptop off to the side with the sound off and occasionally reach over to click "next" when that slide is done?
|
|
#
?
Dec 24, 2020 22:33
|
|
|
I actually know someone that work at go daddy in their infosec department. Guess who i am hitting up!
|
|
#
?
Dec 24, 2020 22:41
|
|
|
Defenestrategy posted:What is the common perception on running 'blind' phishing tests on employee's? Wouldnt you be better off running tests against your IT team to see if they can pick up indicators of compromise or if their tech controls can pick up phishing emails and for your employees run awareness campaigns and training? CLAM DOWN posted:Holy poo poo this pisses me off. It's loving evil, cruel, offensive, and squanders all the work being done by people to make cybersecurity more accessible, equitable, and approachable. 
|
|
#
?
Dec 25, 2020 01:27
|
|
|
evil_bunnY posted:Letting something phish-y through to your employees is 100% an IT failure. While I agree on theory, in practice it is impossible to have a 100% block rate so you need to supplement filters with training, and phishing tests are a part of that training.
|
|
#
?
Dec 25, 2020 01:33
|
|
|
evil_bunnY posted:Letting something phish-y through to your employees is 100% an IT failure. Considering how nothing stops all phishing attacks from getting through to the end users inbox, I don't see how this is an IT failure. Whatever org you are in isn't immune either unless you don't don't allow external email in.
|
|
#
?
Dec 25, 2020 01:35
|
|
|
Volmarias posted:Can your employees click through until the end and mash the "yes I understand" button, or does it force them to run it on a laptop off to the side with the sound off and occasionally reach over to click "next" when that slide is done? It has a little mini quiz at the end if you wanted to click through and answer 3-5 questions you could be done in a little over a minute. But the trainings are not designed for people like you that already have a grasp of the concepts and could answer those questions blind.
|
|
#
?
Dec 25, 2020 01:35
|
|
|
evil_bunnY posted:Letting something phish-y through to your employees is 100% an IT failure How do you prevent a gmail.com message or another compromised domain/email infrastructure that just says "hey can you please reach out to this number its urgent thanks" ? Do you just run a tight allow list?
|
|
#
?
Dec 25, 2020 01:40
|
|
|
When has Godaddy not been a burning dumpster fire?
|
|
#
?
Dec 25, 2020 01:42
|
|
|
The Fool posted:It has a little mini quiz at the end if you wanted to click through and answer 3-5 questions you could be done in a little over a minute. My point is that the people these trainings ARE for aren't going to pay attention to them, because for them they'll just be another CYA training thingy that they have to do. They'll click through and answer the quiz as often as they need to so that it goes away. You can't force the people who need this the most to actually learn it, and the ones who would be willing to learn you could probably just give an informal 5 minutes class to.
|
|
#
?
Dec 25, 2020 01:50
|
|
|
Volmarias posted:My point is that the people these trainings ARE for aren't going to pay attention to them, because for them they'll just be another CYA training thingy that they have to do. They'll click through and answer the quiz as often as they need to so that it goes away. You can't force the people who need this the most to actually learn it, and the ones who would be willing to learn you could probably just give an informal 5 minutes class to. I just had to pass a pre-employment "spot the phishing email" training/quiz thing made up of real examples that were sent to the company. Seems like a decent idea
|
|
#
?
Dec 25, 2020 03:36
|
|
|
CommieGIR posted:When has Godaddy not been a burning dumpster fire? And yet somehow better than network solutions?
|
|
#
?
Dec 25, 2020 05:03
|
|
|
Sickening posted:I actually know someone that work at go daddy in their infosec department. Guess who i am hitting up! I suspect that you won't be well compensated at GoDaddy. Just a hunch.
|
|
#
?
Dec 25, 2020 09:19
|
|
|
Weird question messing around with my newly setup virtualbox lab. I did an arpspoof just to see what would happen, and I noticed that my windows machine when I ran a tracert seems to "know" that something is wrong, as the IP address of the attacker machine shows up even though the victim machine thinks the router's mac address is the kali linux machine's mac. If it's this easy to detect, why is that feature not automated? Would automating that create a whole bunch of networking issues? Tracing route to dns.google [8.8.8.8] over a maximum of 30 hops: 1 * * <1 ms 10.0.2.15 2 <1 ms <1 ms <1 ms 10.0.2.1 Butter Activities fucked around with this message at 21:52 on Dec 25, 2020 |
|
#
?
Dec 25, 2020 09:24
|
|
|
BonHair posted:Now, now, it could be worse. You could be at a company with three distinct IT departments, whose systems are interconnected, but are at best completely ignoring each other. And, hypothetically, responsibilities would be clear as mud. Also outsourcing with lovely contracts and no follow-up. Sears?
|
|
#
?
Dec 31, 2020 09:04
|
|
|
Potato Salad posted:Sears? Nope, and I'm not gonna tell you where it is either, because it's frankly beyond embarrassing. It's in Europe though. Half the problem is Operational Technology/OT, which in theory is completely separated from IT, but in practice, you guess where the user accounts are. If you guessed "the IT AD", that would be correct, but also we have two ADs, that operate in mostly the same environments.
|
|
#
?
Dec 31, 2020 12:19
|
|
|
https://twitter.com/0xAmit/status/1344729790843121664
|
|
#
?
Dec 31, 2020 20:40
|
|
|
There's so much more to this that isn't being shared with the wider public.
|
|
#
?
Dec 31, 2020 22:48
|
|
|
Yeah, this is very, very bad. There's probably crazy amounts of stuff locked behind clearances that we won't learn about for decades.
|
|
#
?
Jan 1, 2021 01:00
|
|
|
What's the consensus on the Web Cryptography API for storing low-risk information with end-to-end encryption? I'm writing a tool that will store W-9 information and let the user distribute a link to people to automatically create a filled-out W9 with the business's information. I'd like to have zero knowledge of the information sent by the user, even though the information itself isn't necessarily confidential (EINs are public information, but a user could submit an SSN I guess?) I was thinking of doing something like Firefox Send's E2E implementation, but crypto is not my specialty.
|
|
#
?
Jan 4, 2021 01:00
|
|
|
Ynglaur posted:Yeah, this is very, very bad. There's probably crazy amounts of stuff locked behind clearances that we won't learn about for decades. And not nearly as much fun as VENONA.
|
|
#
?
Jan 4, 2021 03:01
|
|
|
https://www.bankinfosecurity.com/dc-rioters-open-capitols-doors-to-potential-cyberthreats-a-15715 In the wake of yesterday's riots
|
|
|
#
?
Jan 7, 2021 18:17
|
|
|
Yeah I was flabbergasted when I saw some photo yesterday of a staffer’s unlocked desktop with Outlook open. In my mind I’m trying to think about what a playbook scenario that would be from a defender perspective. I need to amend our security training I guess. “Leaving your desk to print? Use the bathroom? Flee a riot? Did you remember to lock your computer?”
|
|
#
?
Jan 7, 2021 18:24
|
|
|
Or implement some kind of proximity device. If you're not there, not touching or your smart card isn't inserted then the computer auto locks. When I worked in a high security area we would just be fired if we left our computer unlocked 3 times.
|
|
#
?
Jan 7, 2021 18:30
|
|
|
Martytoof posted:Yeah I was flabbergasted when I saw some photo yesterday of a staffer’s unlocked desktop with Outlook open. Have remote kill switches for your desktop computers in case of rioting and evacuation?
|
|
#
?
Jan 7, 2021 18:31
|
|
|
droll posted:Or implement some kind of proximity device. If you're not there, not touching or your smart card isn't inserted then the computer auto locks. I got learned real quick when a supervisor emailed herself grounds to fire me even with my autolock set to 1 minute. She was pretty slick.
|
|
#
?
Jan 7, 2021 18:46
|
|
|
droll posted:Or implement some kind of proximity device. If you're not there, not touching or your smart card isn't inserted then the computer auto locks. Yeah, this. Basically all DoD systems are set up to require a token card inserted and as soon as it's removed the system locks--it was surprising to see that Congress's systems are not set up similarly. And then I remembered that the specific system that was photographed as being unlocked belonged to the Speaker of the House, who probably gets to play the same "just do what I say" game that many other powerful figures do. Trump's kids have been repeatedly cited for using personal email accounts for government business. CEOs and C-suite employees everywhere are often poster children for "yes I know security is important but I want my (computer|phone|whatever) to be exempt from the restrictions because having to deal with (VPN|2FA|password rotation|whatever) is bothersome and I'll fire you if you don't do what I say." Etc. But yeah, those IT teams are gonna be putting in a ton of overtime to re-image every system in there. And good luck trying to sweep the entire Capital for rogue devices that might have been shoved somewhere.
|
|
#
?
Jan 7, 2021 18:50
|
|
|
droll posted:Or implement some kind of proximity device. If you're not there, not touching or your smart card isn't inserted then the computer auto locks. They use CAC cards for that. It looks like in the panic, a few people forgot to pull the card from their machine.
|
|
#
?
Jan 7, 2021 18:50
|
|
|
DrDork posted:Yeah, this. Basically all DoD systems are set up to require a token card inserted and as soon as it's removed the system locks--it was surprising to see that Congress's systems are not set up similarly. It was one of her staffer's workstations in her office.
|
|
#
?
Jan 7, 2021 18:51
|
|
|
I was under the impression Government used CAC for everything and you'd have to remove it prior to leaving. Shocked that isn't true.
|
|
#
?
Jan 7, 2021 21:59
|
|
|
They also clearly have no policy against wireless keyboards and mice on computers facilitating discussion of state secrets.
|
|
#
?
Jan 7, 2021 22:07
|
|
|
|
| # ? May 19, 2024 19:37 |
|
|
It's probably true that the stuff given to staffers is not the same things the congresspeople have access to. Federal government has lots of disparate networks and depending on how congressional staffers are classified as employees those might not have had any sensitive info on them. I know my state government has an entire separate org to deal with legislatures stuff.
|
|
|
#
?
Jan 7, 2021 22:08
|
|
