2022-09-30

Fishy coffee


Image from Pixabay

“You're the one who writes those blogs about security, aren't you?” asked a colleague who came to our lunch table. “I need advice from a security officer.” “You're lucky,” I replied with a wide arm gesture, “there's a whole table full of security officers here!”

Earlier that day I had already received an email from someone else about the same matter. Both colleagues had received an email: there was a survey about the coffee in the office. Please complete before the end of the week, fifty coffee packages will be raffled among the first five hundred participants. Click on this link! If you did, you were taken to a page where you were prompted to enter your username and password. Then you proceeded to the survey. Only then did they realize that there was something suspicious going on.

Since I'm writing about it here, you probably already understood halfway through the previous paragraph that this was a typical case of phishing. The special thing about this phish, however, was that we all had it in our mailbox: it was a test, commissioned by the ministry.

Many organizations send phishing tests to their employees, on the one hand to test how alert people are, and on the other hand to make them aware of the dangers lurking ahead of us. It is better for them to fail a test than to fall for a real phishing email, is the underlying idea. Hopefully they don't fall for it the next time, in the event of a real attack.

A few facts about this test. The e-mail was sent to about 30,000 employees, spread over two days. Of these, quite a lot clicked on the link and a significant number of them also entered their password. That is a lot of people, and if a real attacker had been after login details, they would have harvested quite a few passwords. But if this had been a real attack, no one would have clicked at all – the attack would have been contained by our technical measures. For example because such a volume of incoming e-mails from a single address is suspicious in itself. Or because the link you had to click pointed to an untrusted domain. For this test, gates were deliberately opened that are normally closed.
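The two technical measures mentioned above, a single sender reaching an unusual number of mailboxes and a link pointing at a domain outside the organization, are the kind of checks a mail gateway applies before a message ever reaches an inbox. The following is an added example, not the ministry's tooling and not part of the original post. It assumes a hypothetical mail-log format (one record per delivery with sender, recipient, timestamp and the link URLs found in the body), a constructed allowlist of trusted domains, and constructed sample records; the thresholds are illustrative.

```python
"""Added example (not from the original post): two gateway-style checks over
constructed mail-log records.

Assumptions (hypothetical, not the ministry's actual tooling):
  - each record is a dict with sender, recipient, timestamp (seconds) and the
    link URLs found in the body;
  - a sender that reaches more than MAX_RECIPIENTS_PER_WINDOW distinct
    recipients within WINDOW_SECONDS is flagged as a mass mailing;
  - any link whose host is not an allowlisted domain (or a subdomain of one)
    is flagged as untrusted.
"""
from collections import defaultdict
from urllib.parse import urlparse

WINDOW_SECONDS = 3600
MAX_RECIPIENTS_PER_WINDOW = 50
TRUSTED_DOMAINS = {"intranet.example.gov", "hr.example.gov"}  # constructed allowlist


def host_is_trusted(url, trusted=TRUSTED_DOMAINS):
    """True if the URL's host is an allowlisted domain or a subdomain of one.

    The dot-prefixed suffix check is what keeps a lookalike such as
    intranet.example.gov.evil.example from passing as trusted."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def untrusted_links(message, trusted=TRUSTED_DOMAINS):
    """Return the links in a message that point outside the allowlist."""
    return [u for u in message["links"] if not host_is_trusted(u, trusted)]


def mass_senders(messages, window=WINDOW_SECONDS, limit=MAX_RECIPIENTS_PER_WINDOW):
    """Return senders that reached more than `limit` distinct recipients
    inside any sliding window of `window` seconds."""
    by_sender = defaultdict(list)
    for m in messages:
        by_sender[m["sender"]].append((m["timestamp"], m["recipient"]))
    flagged = set()
    for sender, events in by_sender.items():
        events.sort()
        start = 0
        in_window = {}  # recipient -> number of deliveries inside the window
        for ts, rcpt in events:
            in_window[rcpt] = in_window.get(rcpt, 0) + 1
            # drop deliveries older than the window start
            while events[start][0] < ts - window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > limit:
                flagged.add(sender)
                break
    return flagged


def triage(messages, trusted=TRUSTED_DOMAINS, window=WINDOW_SECONDS,
           limit=MAX_RECIPIENTS_PER_WINDOW):
    """Attach a list of reasons to every message; an empty list means clean."""
    bulk = mass_senders(messages, window, limit)
    verdicts = []
    for m in messages:
        reasons = []
        if m["sender"] in bulk:
            reasons.append("mass mailing from one sender")
        bad = untrusted_links(m, trusted)
        if bad:
            reasons.append("link to untrusted domain: " + ", ".join(bad))
        verdicts.append((m["sender"], m["recipient"], reasons))
    return verdicts


def sample_messages():
    """Constructed sample: a burst of 60 survey mails from one external sender
    (all within five minutes) plus one legitimate intranet announcement."""
    msgs = [
        {"sender": "survey@coffee-survey.example",
         "recipient": f"user{i}@example.gov",
         "timestamp": 1_000_000 + i * 5,
         "links": ["https://coffee-survey.example/login"]}
        for i in range(60)
    ]
    msgs.append({"sender": "facilities@example.gov",
                 "recipient": "user0@example.gov",
                 "timestamp": 1_000_500,
                 "links": ["https://intranet.example.gov/news/coffee"]})
    return msgs


if __name__ == "__main__":
    for sender, rcpt, reasons in triage(sample_messages())[:1] + triage(sample_messages())[-1:]:
        print(sender, "->", rcpt, ":", reasons or "clean")
```

Both checks are deliberately simple: the burst detector only looks at distinct recipients per sender, so a real gateway would combine it with sender reputation and authentication results, and the allowlist approach only works for links that are expected to stay inside the organization. The point the post makes still holds: either check on its own would have stopped this mail before anyone saw a login page.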

What could a criminal have done with such a fat catch? Well, basically nothing at all! Our security has several layers and this example illustrates nicely why this is necessary. That is not a reason to loosen any layer. Vigilance remains important.

Organizing a test like this is less simple than it looks. For example, I heard that it took some persuasion not to have the entered passwords saved in a file. Some saw this as a great opportunity to investigate how many employees use weak passwords. They did not realize at first that storing all those passwords would itself pose a threat to our security. Furthermore, the privacy of employees has to be honoured: the hired agency will only report at department level, and those departments are anonymized.

At the end of the second day of the campaign, it was revealed via the intranet that this was a test. At the moment there are 69 comments under that article and, to my surprise, there is not one angry reaction. In fact, people are enthusiastic – terms like "fun", "eye-opener" and "top action" have been used. People who failed the test come forward, and I think it's great that they feel they can do that in our organization. There was also someone who regretted that his manager had warned the team, because now he doesn't know whether he would have fallen for it. But as far as I'm concerned, hats off to this manager, who has understood that security goes further than his own laptop.

October has been Europe's cybersecurity month for ten years now. In that month we ask for extra attention for this important topic. We do this with all kinds of internal activities, but all kinds of initiatives are also taking place outside our organization. This month, the Security (b)logs are aligned with the internal program.


And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.
