Re: testing my users' temptation to open a well crafted email
From: sponge (yosponge_at_yahoo.com)
Date: 03/26/04
Date: 25 Mar 2004 22:58:35 -0800
On Thu, 25 Mar 2004 01:43:08 GMT, "jb" <jbarbett@hotmail.com> wrote:
>Hi. I was curious if anyone has ever, "Tested" their users' temptation to
>open a well crafted email. What I would like to do is send a message from
>an external mail address that tempts them to click on a link or open an
>attachment. Once the attachment or link is selected, they are sent to an
>internal website that says something like, "You have selected a link or
>attachment that could be harmful to your system, please call the helpdesk at
>......" Or it could end by saying, "...You did not cause any harm today but
>in the future, please follow these guidelines...".
>After a few days, I can run a Websense report to see who selected the link
>and follow up with them. Please let me know if this sounds workable and
>what ways this could be delivered.
>Thanks,
>JB

I do this. Many companies do this. You'd be surprised how many people
breach policy this way. It is one of the most effective security and
policy-enforcement tools there is. Obviously, you have to be careful
not to infringe on anybody's copyrights (*cough*Microsoft*cough) and
make sure your own company policy allows for this. Rather than issue a
warning on the website itself, which may tip off users to "an email
going around", I'd use the latter course of action you suggest.
I'd just craft an HTML-ized email, using one of the many MS-Update
kinds as a model, with something to the effect of a "Security
Warning", with some real-sounding security address being used as the
sender's. To be fair to the users, either set up a site with a domain
not tied to the company on a host outside the company, or at least
make sure to masquerade the domain so users don't think it's a company
website and think that it's safe to click on. This would be unfair to
them and generate false positives.
Sponge
Sponge's Secure Solutions
www.geocities.com/yosponge
My new email: yosponge2 att yahoo dott com