Security questionnaires and wikis are all well and good: they tick the auditors' boxes and teach those who already have a vague comprehension of security an extra thing or two… but they fail at reinforcing their teachings. To most they are yet another painful administration exercise that you unwillingly undertake on a regular basis. They are completed, yet people still consistently fall for the same tricks. So, is there any way to begin reinforcing the basic principles that we are forever trying to shove down the throats of staff?
Well… yes. You could hack your entire company and then rub it in their faces. Although, that might not go down so well with the HR department – making it a career limiting exercise. But, there is definitely a balance that can be achieved.
I’ve developed a framework that allows for the automated distribution of phishing campaigns, and accurate, non-offensive measurement of victim responses. The framework consists of two main components:
- Campaign Manager: Produce unique links for a list of defined email addresses, embedding them into an HTML template to send via email to each address. Access is controlled via Forms Authentication and IIS IP and Domain Restrictions.
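The core of the Campaign Manager described above is a per-recipient unique link: an unguessable token is issued for each address, embedded in the HTML template, and later resolved back to the recipient when the link is clicked. The following is an added illustration of that mechanism in Python; it is not the author's framework (which sits behind Forms Authentication on IIS) and it does not send mail. The recipient list, lure domain, sender address and template are constructed placeholders.

```python
import secrets
from string import Template
from email.message import EmailMessage

# Constructed sample recipient list (placeholder addresses, not real data).
RECIPIENTS = [
    "alice@example.invalid",
    "bob@example.invalid",
    "carol@example.invalid",
]

# Hypothetical lure domain; the post registered a relevantly named real domain.
LURE_BASE_URL = "https://invoices.example.invalid/view"

# Hypothetical HTML template; $link is filled with the recipient's unique URL.
HTML_TEMPLATE = Template(
    "<html><body><p>Your invoice is ready.</p>"
    '<p><a href="$link">View invoice</a></p></body></html>'
)


def build_campaign(recipients, base_url=LURE_BASE_URL, template=HTML_TEMPLATE):
    """Return (token_map, messages).

    token_map maps each token to the recipient it was issued to, so a click can
    be attributed later without placing the address itself in the URL.
    messages are EmailMessage objects ready to hand to an SMTP client.
    """
    token_map = {}
    messages = []
    for addr in recipients:
        # 128 random bits: the link cannot be guessed or enumerated by a scanner.
        token = secrets.token_urlsafe(16)
        token_map[token] = addr
        link = f"{base_url}?t={token}"

        msg = EmailMessage()
        msg["To"] = addr
        msg["From"] = "accounts@invoices.example.invalid"  # hypothetical sender
        msg["Subject"] = "Invoice ready for review"
        msg.set_content("Your invoice is ready. Open this mail in an HTML client.")
        msg.add_alternative(template.substitute(link=link), subtype="html")
        messages.append(msg)
    return token_map, messages


def record_click(token_map, results, token):
    """Resolve a clicked token to its recipient and count the click.

    Returns the recipient address, or None for an unknown token (a mangled
    link or someone probing URLs). Only the fact of the click is stored; no
    credentials or form data are collected, which keeps the measurement
    non-offensive.
    """
    addr = token_map.get(token)
    if addr is None:
        return None
    results[addr] = results.get(addr, 0) + 1
    return addr


def summarise(recipients, results):
    """Campaign-level numbers: how many recipients clicked at least once."""
    clicked = sum(1 for a in recipients if results.get(a, 0) > 0)
    rate = clicked / len(recipients) if recipients else 0.0
    return {"sent": len(recipients), "clicked": clicked, "click_rate": rate}


if __name__ == "__main__":
    tokens, mails = build_campaign(RECIPIENTS)
    clicks = {}
    # Simulate one recipient opening their link twice and one bogus request.
    bob_token = next(t for t, a in tokens.items() if a == "bob@example.invalid")
    record_click(tokens, clicks, bob_token)
    record_click(tokens, clicks, bob_token)
    record_click(tokens, clicks, "not-a-real-token")
    print(summarise(RECIPIENTS, clicks))
```

The token, not the address, is what travels in the URL, so a recipient who forwards the lure to a colleague is still attributed to the original token, and a guessed or truncated link simply resolves to nothing. Whether repeat clicks are counted once or each time is a reporting choice; the summary above counts a recipient once regardless.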
To make this as effective as possible a legitimate company name was used and a relevantly named domain was registered to provide some credibility. A rule was also created on our mail server to catch any outgoing mail to that domain, so that replies from staff to the lure could be reviewed.
I sent the campaign out at 08:30 on a Monday morning, a time when people are likely reading through the many emails that arrived over the weekend, meaning they are perhaps more careless and vulnerable. At 13:00 a follow-up email was sent to all staff informing them of the test, its results and their implications.
Whilst I cannot share the exact results of this specific exercise, it's fair to say there's plenty of room for improvement. However, feedback from participants has been extremely positive. Most did not know how easily malware could be delivered to them, which is exactly what I wanted not only to illustrate, but to develop a natural behavioural defence against.