New York raises the bar
By Lynn Haber, Network World, 04/27/2009

New York State is extremely concerned about phishing in general, and more specifically about spear phishing: highly targeted phishing attacks designed to penetrate organizations, government agencies and groups.
Beginning in 2005, the state Office of Cyber Security and Critical Infrastructure Coordination (NYS-CSCIC), along with the Anti-Phishing Working Group, AT&T and the SANS Institute, ran its first antiphishing pilot project.
The goal was to raise employee awareness of the danger of phishing scams and to provide employees with information to help protect themselves and the agency. The project was also designed to gain a better understanding of the effectiveness of security training.
The first exercise was conducted with 10,000 end users who were unaware of the project. The first step was to distribute an informational bulletin alerting users to the perils of phishing and providing steps to take if they encounter malicious activity.
Next came the mock phishing exercise itself: the group was sent an e-mail that appeared to come from a legitimate source, the agency’s Information Security Office, and contained a link to a mock NYS-CSCIC Web site that recipients were instructed to visit to check the security of their password.
Anyone who clicked on the link and attempted to type in their password failed the test. Of the recipients, 17% followed the link and 15% went on to interact with the fake password form.
Those who passed the test received a congratulatory message; those who were duped were directed to a tutorial on how to recognize phishing scams.
Another mock phishing exercise was conducted on the same employee audience two months later. The goal was to assess whether they had learned anything from the first exercise. This time, employees were sent an e-mail that appeared to come from the agency’s Help Desk with a subject line that read “Internet Connection Problems.”
The e-mail informed users of Internet connection outages because of a suspected cybersecurity event, and contained a link to a dummy NYS-CSCIC Web site where they were asked to assist the agency by answering some questions about connectivity issues.
Those who followed the link and attempted to answer the questions were notified that they had fallen prey to the exercise and were given a feedback survey to explain their actions. This time 14% followed the link, but only 8% attempted to input information.
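Both exercises reduce to the same bookkeeping: each recipient gets a unique link, the fake landing page records who opened it and who posted the form, and the results split into “followed the link” and “entered data” rates plus a list of who is routed to the tutorial. The script below is an added example of that scoring, not code from the NYS-CSCIC project or Network World. It assumes a hypothetical landing-page log format (`<timestamp> visit|submit token=<token>`) and a per-recipient token scheme; the recipient names, tokens and log lines are constructed for the demo. Two design points a practitioner would want: the form handler records only the fact of a submission and never the password or answers typed, and tokens are unguessable so a curious user cannot trigger a “click” on a colleague’s behalf (a genuinely forwarded link is still attributed to the original recipient, a known limitation of this design).

```python
import re
import secrets
from collections import Counter

# Hypothetical log line written by the fake landing page (assumed format):
#   <ISO timestamp> <visit|submit> token=<per-recipient token>
# The 'submit' handler logs only that a post happened; the body is discarded.
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>visit|submit)\s+token=(?P<token>[\w-]+)$")


def issue_tokens(recipients):
    """Map a fresh, unguessable token to each recipient.

    The token is what attributes a click without asking for a name;
    secrets.token_urlsafe keeps it unguessable so nobody can enumerate
    or forge other people's links.
    """
    return {secrets.token_urlsafe(16): r for r in recipients}


def parse_events(lines):
    """Yield (kind, token) pairs, skipping lines that do not match the format."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("token")


def classify(recipients, tokens, log_lines):
    """Return {recipient: 'passed' | 'clicked' | 'submitted'}.

    'submitted' outranks 'clicked' regardless of event order, and a token
    the exercise never issued is ignored rather than guessed at (it may be
    a scanner, a typo, or someone probing the site).
    """
    outcome = {r: "passed" for r in recipients}
    for kind, token in parse_events(log_lines):
        who = tokens.get(token)
        if who is None:
            continue
        if kind == "submit":
            outcome[who] = "submitted"
        elif outcome[who] == "passed":
            outcome[who] = "clicked"
    return outcome


def summarize(outcome):
    """Counts plus the two rates the exercise reports: followed the link
    (clicked or submitted) and entered data into the form (submitted)."""
    n = len(outcome)
    c = Counter(outcome.values())
    followed = c["clicked"] + c["submitted"]
    return {
        "recipients": n,
        "passed": c["passed"],
        "clicked_only": c["clicked"],
        "submitted": c["submitted"],
        "followed_link_pct": round(100 * followed / n, 1),
        "entered_data_pct": round(100 * c["submitted"] / n, 1),
    }


def follow_up(outcome):
    """Who gets the congratulatory message and who is sent to the tutorial."""
    return {
        "congratulate": sorted(r for r, o in outcome.items() if o == "passed"),
        "tutorial": sorted(r for r, o in outcome.items() if o != "passed"),
    }


# Constructed demo data: 20 recipients with fixed tokens so the run is reproducible.
RECIPIENTS = [f"user{i:02d}" for i in range(1, 21)]
TOKENS = {f"tok-{r}": r for r in RECIPIENTS}  # a real run would use issue_tokens(RECIPIENTS)
SAMPLE_LOG = """
2009-03-02T09:14:01 visit token=tok-user03
2009-03-02T09:14:40 submit token=tok-user03
2009-03-02T09:20:12 visit token=tok-user07
2009-03-02T09:31:55 visit token=tok-user11
2009-03-02T09:32:10 submit token=tok-user11
2009-03-02T10:02:03 visit token=tok-user11
2009-03-02T10:45:00 visit token=tok-nobody
2009-03-02T11:00:00 GET /favicon.ico
2009-03-02T11:17:29 submit token=tok-user15
""".strip().splitlines()

if __name__ == "__main__":
    result = classify(RECIPIENTS, TOKENS, SAMPLE_LOG)
    print(summarize(result))   # 4 of 20 followed the link, 3 of 20 entered data
    print(follow_up(result))
```

For the second exercise the same code applies unchanged: the connectivity questionnaire is just another form whose handler logs a `submit` event and discards the answers.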
