The idea is great, don't get me wrong. I'm just not a fan of being asked to flat out tell them a lie. I'm more afraid of the backlash from some of the users being all "You lied to me" and shit. Users are stupid like that.
While I agree that being insensitive is an issue, so is being oversensitive.
My boss initiated a phishing test this morning from IT@domain.gov saying that a password reset was required and to click a link. I'm cool with that. What I think is a bit sketchy is that his response to everyone's email has been "We did not send that." The white lie could end up pissing some people off, including the executive staff (of whom only one was aware that we were doing that). Saying "This is a bogus email. Please delete" would have been much better. I'm just not a big fan of blatantly lying about it.
I mean isn't that part of the test though?
I can see his point on not wanting to come clean about it. Does the link get logged and then the users who click it get training?
That actually sounds like a great idea if I worked in a bigger place but I know who'd fail it and who wouldn't here.
lwt1973:
Two things that had me shaking my head this morning:
1) I told a user how to remove people from a shared spreadsheet after unsharing it, if those people are no longer connected, as it'll make the spreadsheet smaller and speed up opening it. I did this because about once every two weeks I need to do this. I thought it would save me some work. I get a call that the user removed people still on the spreadsheet (he never unshared it) and now people are getting a "they are no longer connected to the file" error. Moral of that: if you teach a person how to fish, they will poke their eye out with the pole.
2) We need to repair a piece of equipment outside that had an IP address assigned to it. The equipment's software needed to be completely wiped and reinstalled with new software, which an outside firm was going to do. They install the equipment and software, come in here, and ask what the IP address was. We give it to them and they try to log into it. No connection. They mess around with some settings and such and still can't connect to it. Finally, they ask if that's the correct IP address. We check the sheet and say yes it is, can you double check on the equipment? Their response: "You didn't assign the IP to the software?" Ours: "You just installed the software, how could we assign it?"
Theirs: "Hmm, I'll have to look up how to do that."
"He's sulking in his tent like Achilles! It's the Iliad?...from Homer?! READ A BOOK!!" -Handy
Outright lying to people sucks, but yeah, it can be part of the job. Heck, lying about a test phishing email is a pretty small white lie. I wish that's all I ever had to lie about.
Being in a department that by its nature has access to privileged/sensitive information means that it is just part of life for us.
MAC-based static IP via DHCP is the way to go!
not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
RandomHajile:
Man, I've wanted to do that for years. And have it ultimately redirect to a web page that logs their exact username.
But if someone asked about it, I'd probably be more likely to respond, "Thank you for asking rather than just blindly clicking on the link. I will give you more details at a later time." Because you better believe I'm going to keep statistics about how many people asked about it and how many people blindly clicked on it.
Yeah, but if you let the cat out of the bag too soon the watercooler talk spins up and you don't catch as many people who would ultimately need to be trained.
You're not there to be anyone's friend. You're there to protect them and their computer systems.
Mostly just huntin' monsters.
XBL:Phenyhelm - 3DS:Phenyhelm
lwt1973:
I had to explain to them about DHCP as they were confused about it.
Well, like someone else said, I know the people who will click on it vs. the people who will ask, and would tailor my email depending on the individual.
I said that. I feel it only really applies to my small office environment.
In the stated test I would want it to be 100% identical and I would want it to be denied for a period of time. Otherwise why even bother running the experiment? You're trying to get data on who is and isn't an attack vector in your organization so you can train the ones who are.
Any specialized treatment of any users in that scenario runs the risk of contaminating the experiment.
We ran into some people being upset that we hadn't sent a company-wide email about it. Someone actually took it upon themselves to do so and has apparently gotten pissy when one person (non-IT) said "You should just let IT do the IT stuff." She basically just ruined the last half of the project because of that email, so it's done the same damage as the watercooler talk.
Another interesting thing that we've discovered through this is that apparently people just run around like chickens with their heads cut off instead of talking to us about it.
...aaaand I almost sent an email to a user named Denis that started with "Hey Penis." Glad I saw that. I'm also not sure why I accidentally hit the P instead of the D, considering they are on the opposite sides of the keyboard.
See? Don't be mad at your Boss.
They just provided you with a Friday full of mirth and entertainment.
Because you were letting your true feelings stream forth.
Yeah, you pulled a real boner there.
Not sure how you mistyped that. Seems like a hard mistake to make.
Hey, I was coming clean
maybe you're just gripping and yanking the keyboard too hard.....
Yeah, that's a good point. And honestly, I'd probably just not respond to emails until I'm done. But in any case, I've found that people who ask questions are not the people who will actually click on links. We've got around 750 employees, but only around 100 of them actually use it regularly. And then I can count about 10 who regularly do dumb stuff.
Actually, I kinda feel like this needs to be three (or more) different phases:
1. Fake an email to look like it came from "IT" to reset your password
2. Shocking news headline (We had one a few years back that multiple people clicked on that was a spoofed CNN.com email that said "Obama in campaign bus crash, feared dead." I don't know if you guys heard, but Obama's still alive.)
3. Some local bank "reset your password"-type email
And roll it out 10 users at a time here or there so the talk doesn't get too loud. Also, yeah, now I'm on board with just straight-up lying to their faces. My supervisor's supervisor would totally be okay with us doing that if we had the time to work on it.
If you were to do these spam drills, like every month or two, you could foster a culture of people being legitimately wary of emails like that.
See, nobody really gives a shit if the company's at risk. They don't think they're going to get fired because how often does it really happen; that somebody lets in a virus and is caught and fired.
But you're not making them scared of viruses, you're making them scared of those jerks in IT dragging them into a boring security training.
Think of it, the old hands telling the newbies "oh yeah you gotta watch out for spam emails, half the time they're from IT and they'll get ya."
People would actually care!
life's a game that you're bound to lose / like using a hammer to pound in screws
fuck up once and you break your thumb / if you're happy at all then you're god damn dumb
that's right we're on a fucked up cruise / God is dead but at least we have booze
bad things happen, no one knows why / the sun burns out and everyone dies
So I'm sitting on the floor of one of our datacenters.
It's a raised floor, and the section I'm sitting in is all open grills instead of solid tiles.
I'm changing the drive sled for a replacement drive on a machine. Tiny screws, don't even have a proper screwdriver, just my multitool.
Didn't drop a single screw. :cool:
Apothe0sis:
I just have the problem of being an incredible klutz. My mantra is "Yes, of course that just happened. Why would that not have happened?" I'm the type that would drop the screw, look around for it while still holding a part in place, nail my head on the rack, and then the part comes off that I was holding in place with enough skill to then lose the other screw. I'm that talented.
Have you ever read a book where a wizard didn't lie?
This is a clickable link to my Steam Profile.
Hit 2-5 random people in different departments every other day.
Keep track of who is clicking the links, then after the month, give training to the people who fucked up.
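Added example, not from anyone in the thread: a small Python tally for the kind of test described here and in the earlier posts about keeping statistics on who asked versus who clicked and rolling the mail out ten users at a time. It reads constructed send/click/report events, gives each user exactly one outcome, prints the rates, builds the training list, and produces a reproducible batch schedule; the log format and event names are assumptions.

```python
"""Tally a phishing-awareness test: per-user outcome, rates, training list, batches."""
from collections import Counter
import random

# Constructed sample events (not real data): "<timestamp> <event> <user>", as the
# mail tool and the landing page might record them. Event names are assumptions:
#   sent     - test mail delivered to the user
#   clicked  - user hit the landing page
#   reported - user asked IT about the mail instead of (or after) clicking
SAMPLE_LOG = """\
2014-03-07T09:00 sent alice
2014-03-07T09:00 sent bob
2014-03-07T09:00 sent carol
2014-03-07T09:00 sent dave
2014-03-07T09:04 clicked bob
2014-03-07T09:06 reported alice
2014-03-07T09:10 clicked dave
2014-03-07T09:12 reported dave
"""


def parse_events(text):
    """Split the log into (timestamp, event, user) tuples, skipping blank lines."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]


def outcomes(events):
    """One outcome per user who received the mail.

    A user who clicked counts as 'clicked' even if they reported it afterwards
    (the link was already followed); 'reported' means asked IT without clicking;
    'ignored' means neither, which a single test cannot distinguish from 'deleted'.
    """
    buckets = {"sent": set(), "clicked": set(), "reported": set()}
    for _, kind, user in events:
        if kind not in buckets:
            raise ValueError(f"unknown event type: {kind!r}")
        buckets[kind].add(user)
    result = {}
    for user in buckets["sent"]:
        if user in buckets["clicked"]:
            result[user] = "clicked"
        elif user in buckets["reported"]:
            result[user] = "reported"
        else:
            result[user] = "ignored"
    return result


def summary(result):
    """Count and whole-percent rate for each outcome, e.g. {'clicked': (2, 50), ...}."""
    counts = Counter(result.values())
    total = len(result) or 1
    return {k: (counts[k], round(100 * counts[k] / total))
            for k in ("clicked", "reported", "ignored")}


def training_list(result):
    """Users to schedule for training: everyone who followed the link."""
    return sorted(u for u, r in result.items() if r == "clicked")


def rollout_batches(users, batch_size=10, seed=0):
    """Shuffle once with a fixed seed (reproducible), then cut into batches so the
    mail goes to a few users at a time and every user is hit exactly once."""
    order = list(users)
    random.Random(seed).shuffle(order)
    return [order[i:i + batch_size] for i in range(0, len(order), batch_size)]


if __name__ == "__main__":
    res = outcomes(parse_events(SAMPLE_LOG))
    print(summary(res))            # {'clicked': (2, 50), 'reported': (1, 25), 'ignored': (1, 25)}
    print(training_list(res))      # ['bob', 'dave']
    print(rollout_batches([f"user{i:02d}" for i in range(25)]))
```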
okay, I think that I may have taken it too far
The lovely day icon was custom made for this conversation.
Anyway, figured my fellow tech nerds would enjoy this.
We were literally talking about keyloggers and Bluetooth earlier today. This is on a whole different level, of course, but... man.
I am the worst at keeping them safe.
My philosophy is, the laptop will still work and we've saved the user from having to carry extraneous weight.
I think I'm going to just start using PowerShell for even the most mundane tasks this week, just to add some challenge and learn a thing.