Keeping Information Security Simple – You’re smart and getting smarter, but…

Letter from the CISO, Vol 2 Issue 5

Washington University Community:

Everyone loves to hear how smart they are! Right?

I don’t know anyone who doesn’t like hearing how they are “smart,” “bright,” “clever,” “hard-working,” “correct,” and best of all, “you’re right; I was wrong.”

Today I have good news, better news, bad news, and more good news.

The Good News

Over the past five months, my office has sent monthly phishing simulations to all WashU faculty and staff. In June, the “phish-prone” score for all WashU faculty and staff was 12.4%. Compared to our industry average of 18.8%, that’s pretty good.

The Better News

As of September, our phish-prone score had decreased to 9.1%, while the industry average remained unchanged, so that’s even better.

The Bad News

The bad guys never rest and are always trying new ways to grab our attention, hijack our amygdala, subvert our rational thinking, and socially engineer us into doing things against our best interests.

Over the past six months, as we’ve implemented more and better defenses against malicious links and attachments in email messages and changed the way we use DUO 2-Factor Authentication, the malicious actors have rapidly adapted, trying to circumvent our new defenses and sometimes succeeding.

For example, when we disabled DUO Passcodes, they convinced a small number of us to accept DUO “pushes” by presenting fairly (if not entirely) believable situations.

Furthermore, when we implemented “smart email links,” they sent shortcut URLs and asked us to cut and paste them. This strategy is pretty clever, as it plays upon a common theme in legitimate emails, wherein senders sometimes encourage you to “cut and paste the link below if you don’t like clicking on buttons.”

An Important Aside

I attended a work event on an outdoor patio during the first relaxation of COVID-19 restrictions, where I was given a name tag reading “Chris ‘Don’t click that link’ Shull.” Everyone, myself included, thought this was quite clever and funny.

Except it captures the core problem we are facing: Links are designed to be clicked on! Moreover, you’re being asked to somehow, magically, figure out which ones are safe and which are not!

While this is often difficult, there are clues that a message has malicious intent. As we’ve pointed out in previous articles about “Social Engineering Red Flags” and in short videos like “Phish Alert Button: When You Report, We Get Stronger,” there are lots of indicators if you slow down just a little. Slowing down and turning a critical eye toward a message will give you a chance to notice the hints foretelling danger.

The More Good News

Over the coming months, we will continue testing you with an array of new phishing email messages, including more difficult ones. Most are based on real-world examples that cybersecurity experts have identified in the wild, targeting WashU or other companies and institutions.

We are also preparing to offer, and sometimes require, short training videos, games, and activities in our system. We’re working with representatives from key areas across the university to choose valuable training that gets straight to the essential information in ten minutes or less.

We know that while we have an exceptionally intelligent community here at the university, we are all also very busy. Thanks to the KnowBe4 system, we have hundreds of training materials to pick from, many of which are quite entertaining.

Bonus Good News

We’ve been encouraging everyone to please, please, please use the Phish Alert Button (PAB) in Outlook to report phishing messages, and many of you have responded positively. In September, we broke our single-day phish-reporting record when many in our community received a malicious message that sneaked by our normal defenses.

The great work you did in reporting these messages was invaluable! With your help, the InfoSec team was able to quarantine and eliminate the offensive messages and block similar attacks in the future.

Bottom Line:

It’s great to have smart, adaptable, and diligent users. My office will do everything we can to ensure that you have the information and experience you need to avoid becoming the victim of the next phishing scam, which will undoubtedly land in our mailboxes soon.

Thank you for reading and being smart parts of the University’s Information Security team!

Good luck, and be careful out there!

-Chris Shull, CISO