If I was a hacker…err cracker…

  1. I would be very busy the week of Christmas, while IT security staff is probably operating at 20% normal strength. Not only is it the weakness in numbers, but also the holiday mood.  How many of you are actually working full days? IDS logs – thats probably the last thing on your mind now that you have Guitar Hero III in the breakroom.
  2. I would get busy if I heard that a company was being acquired. From my experience, most companies put a freeze on all discretionary spending from the time a deal is announced untill it closes. Unfortunately, security is often thrown into that discretionary spending budget, making it easy on the bad guys for several months!
  3. If I really wanted to spend Christmas with my family, I would just come back another time and phish employees…that works irrespective of season.

Wishing you all a very Happy New Year! Stay safe.

-Rohyt

Carnegie Mellon Findings Second PhishMe Concept

Carnegie Mellon researchers presented a paper at the Anti-Phishing Work Group’s E-Crime Researchers Summit in October 2007. The results of the study indicated the following:

  • Users learned more effectively when the training materials were presented after they fell for a phishing attack (embedded training), rather than when the training materials were simply emailed
  • Users also retained more knowledge and transfered more knowledge about how to avoid phishing attacks when trained with embedded training

These are the underlying principles of PhishMe.com – Phish n’ Educate. PhishMe.com will facilitate the execution of mock phishing attacks against employees. Those that fall “victim” will be presented appropriate training materials.

-Rohyt