CoSN Community

Phishing Education and Prevention

  • 1.  Phishing Education and Prevention

    Posted 09-30-2018 19:26
    Good evening everyone,

    In light of October being National Cybersecurity Awareness Month, I thought I would check in to see what others are doing around education and prevention with the increased presence of phishing campaigns targeting schools.

    I am sure that your district is not different than ours and you have experienced a significant uptick of phishing attacks.  Other than the normal things we can do from a technology standpoint, we have really been hammering home that there is no technology system that can safeguard against human decision making.  We have had user accounts become compromised and we have rushed to remediate these actions; however, if the end user does not report suspicious activity to us, sometimes the damage is already done.

    As far as education, we have been looking at various resources like KnowBe4, CoFense, and a few others. I am curious to hear what others have looked at and are using?

    Secondly, and possibly more importantly, what other security measures are others using as countermeasures or prevention to safeguard their end-users and districts?  I am curious to find out what others have found to be effective and cost conscious.

    Thank you and I look forward to your responses.

    ------------------------------
    Coby Culbertson
    Director of Technology
    Dubuque Community Schools
    Dubuque IA
    (563) 552-3049
    ------------------------------


  • 2.  RE: Phishing Education and Prevention

    Posted 10-01-2018 08:35
    Coby,

    We have used KnowBe4 and are currently deploying Wombat.  I believe both products are very good but decided to switch to Wombat for cost and feature differences.  There was definitely a change in our staff's approach to e-mail after the first campaign.  Not only did the analytics from KnowBe4 show an improvement, the end user dialog regarding phishing and other threats increased.  These types of programs are well worth the investment.  We did receive some serious nasty grams from some people.  However, we did involve our collective bargaining leaders prior to starting the campaign and received their support. They were instrumental in dealing with their unhappy members.

    We are also looking at our entire security portfolio--from Firewalls to end-user devices.  I don't expect our solutions will be 100 percent foolproof, but doing due diligence is important.  One area that I have been taking a good hard look at is what we have in the cloud.  Gartner calls it Cloud Access Security Brokering and after looking at some preliminary data, it is an area needing close scrutiny.  With the ease of sharing data through cloud services, I am concerned about where our data is, who has access, and where it is being shared.

    At a recent CIO Forum in Pittsburgh, they discussed risk.  Of course many of the people there were focused on financial risk.  Schools certainly have financial risk, but we have huge brand risk.  All I need is to have an IEP end up in a cloud service and be shared with the world.

    ------------------------------
    Vince Humes
    Director Innovative Technology Solutions
    Northwest Tri-County Intermediate Unit #5
    Edinboro PA
    (814) 734-8390
    ------------------------------



  • 3.  RE: Phishing Education and Prevention

    Posted 10-01-2018 09:26
    We use the free version of phishme.com. It is nice that teachers can see what attempts look like and get education if they click through. We get reports of who has clicked through and, if there was a login presented, if the user typed in any login information, which makes for great follow-up.

    ------------------------------
    Chris Stammerman
    Director of Technology
    Saydel Community School District
    Des Moines IA
    (515) 264-0866
    ------------------------------



  • 4.  RE: Phishing Education and Prevention

    Posted 10-01-2018 10:30
    I highly recommend a concept called Defense in Depth.  In addition to what you'd find in a Wikipedia article, this idea means that you have several vendors at several layers.

    For example, at the technical level you could have an email filter for phishing and attachment malware scanning, a web filter that checks for malware, something running on the local PC checking for malicious activity, keep your PCs on internal-only IPs, use OS-level packet filtering (often incorrectly called a "firewall") on your servers, use a firewall and DMZ in your network topology design, and an Intrusion Detection System (IDS) at your Internet gateway.  Each layer makes things more complicated for the intruder to break in and more likely that an automated system will report a suspicious action.

    Also, when possible, have intelligent event notifications.  This will enable people to respond on the day of the event and later when (and if) they check the logs.  An IDS with this feature is really useful.  Another great example of this approach is https://haveibeenpwned.com/DomainSearch.  It's free, simple, and will alert you of potential password leaks.

    Lastly, as you pointed out, the so-called "human firewall" is important.  Personally, I think getting your staff to understand the impact beyond "yet another annoying regulation" is the key.  I tell my coworkers to call whenever they think something is even remotely suspicious.  I then mimic answering my desk phone over and over while saying, "I'd rather do this over-and-over again for 20 minutes:  '[acting out a phone call] Hello?  Yes, we know and you shouldn't click on that.  Thanks for checking.' instead of spending the next two or three days cleaning up a break-in."  This gives some perspective, so they realize that they're not being a burden by asking a question.  I also made sure my I.T. team knew that any such calls must be treated with respect and gratitude -- under no circumstance should this question be treated as a waste of time.  Otherwise people will think, "I don't want to bother them or be seen as dumb."

    One security expert I spoke to said that she advises I.T. workers to tell their coworkers that something as simple as clicking on a bad attachment could mean that they have to work an all-night shift.  She said that showing staff how a small action on their part could seriously impact someone they know tends to put things in a new light and makes them more receptive.

    I hope those somewhat random thoughts help.

    ------------------------------
    Jaime Kikpole
    Director of Technology and Innovations
    Cairo-Durham CSD
    Cairo NY
    (518) 622-8543 (59500)
    ------------------------------



  • 5.  RE: Phishing Education and Prevention

    Posted 10-01-2018 14:17
    Campaigns that have arrived in our District requested the purchase of iTunes gift cards, requested user credentials and asked for a number of other security-related items. IPSD is using PhishingBox (http://www.phishingbox.com) as our phishing education tool, as well as campaign management. This tool provides phishing simulation e-mails and, if clicked on, associated awareness training. We piloted the tool with small groups and received positive feedback about their experiences, including reaching a 100% success rate in not clicking on or providing information to a phishing campaign.


    We deliver a simulation phishing e-mail to our staff inboxes each month. The simulation e-mails look like a service, provider or e-mail that our users may normally receive, but use the tactics commonly found in phishing e-mails. These simulation e-mails are non-punitive, educational and structured to be informative. We encourage our staff to treat them as they would any other phishing e-mail by forwarding them to our spam email account and deleting the e-mail.

    With 91% of all cybersecurity incidents starting from an e-mail, phishing e-mails are becoming more aggressive and making it difficult to determine a legitimate e-mail. Because of this, we also implemented a "caution" message at the top of e-mails originating from outside of our District. 



    ------------------------------
    Adam

    Adam Smeets, CETL | Chief Technology Officer
    Indian Prairie School District | 780 Shoreline Drive | Aurora, IL 60504
    email: adam_smeets@ipsd.org | website: http://www.ipsd.org
    ------------------------------
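
The "caution" message on outside e-mail described in post 5 can be sketched as a mail-gateway step. This is an added example, not part of any post and not any vendor's code: the domain `district.example`, the banner wording, and the names `add_banner`, `claims_internal` and `constructed_sample` are assumptions, and `from_internet` stands for the gateway's own knowledge of the inbound path.

```python
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAINS = {"district.example"}  # assumption: placeholder domain
CAUTION = "CAUTION: This e-mail originated from outside the District."
SPOOF = "WARNING: External e-mail that uses a District sender address."

def claims_internal(msg):
    """True when the From header names one of our own domains."""
    addr = parseaddr(str(msg.get("From", "")))[1]
    domain = addr.rpartition("@")[2].lower()
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)

def add_banner(msg, from_internet):
    """Prepend a banner to each text part of mail that arrived from outside.

    from_internet is the gateway's own knowledge of the inbound path; the
    From header is not trusted for that decision because it can be forged.
    Returns the banner applied, or None for internal mail."""
    if not from_internet:
        return None
    banner = SPOOF if claims_internal(msg) else CAUTION
    for part in msg.walk():
        subtype = part.get_content_subtype()
        if (part.get_content_maintype() != "text" or subtype not in ("plain", "html")
                or part.get_content_disposition() == "attachment"):
            continue  # leave attachments and non-text parts untouched
        prefix = f"<p><b>{banner}</b></p>\n" if subtype == "html" else banner + "\n\n"
        body = part.get_content()
        if not body.startswith(prefix):  # idempotent: never stack banners
            part.set_content(prefix + body, subtype=subtype)
    return banner

def constructed_sample(sender):
    """Constructed test message with plain and HTML alternatives."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "teacher@district.example"
    msg["Subject"] = "Quick favor"
    msg.set_content("Are you available? I need gift cards.\n")
    msg.add_alternative("<p>Are you available? I need gift cards.</p>\n", subtype="html")
    return msg

if __name__ == "__main__":
    m = constructed_sample('"Superintendent" <boss@district.example>')
    print(add_banner(m, from_internet=True))
    print(m.get_body(("plain",)).get_content())
```

Mail that arrives from outside while claiming a District sender gets the stronger banner, which is the case a check based on the From header alone would leave unmarked.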