Wednesday, May 30, 2012

PhishGuru


Businesses can use PhishGuru (from $10 per user for a 25-person annual license; volume discounts apply), a software-as-a-service offering from Wombat Security Technologies, to train their employees to recognize malicious emails that arrive in their inbox. Malicious emails with booby-trapped attachments or links to suspicious websites flood user inboxes daily. While businesses are investing in spam filters and advanced scanning tools to prevent these messages from showing up in the inbox in the first place, it's also important that regular users be alert and recognize the malicious few that still make it through. After all, just one user opening a loaded Word document can compromise the entire company.

Security experts emphasize the importance of user awareness training, but they also acknowledge that the common classroom style of telling users what they shouldn't do is not very effective. This is where PhishGuru's simulations make a difference. The service sends out mail specially crafted to mimic the kind of malicious messages employees are likely to see on a daily basis. If the employee falls for the trick and clicks on the link or opens the attachment, the service displays a message explaining that it wasn't a legitimate message and identifies the suspicious elements that should have given away that the message was a phishing attack. Wombat meets the security needs of a small business by offering relevant phishing simulations on an affordable and easy-to-use platform, making PhishGuru our Editors' Choice in antiphishing products.

While employees are getting real-time training, administrators can also monitor the overall performance and test effectiveness from the campaign management portal. This way, the administrator can identify the people who are learning and not learning and also identify which types of malicious emails users may need additional training to recognize.

Pricing is on a per-user basis and gives businesses an annual subscription to send out as many campaigns as desired throughout the year. While a 25-user license would start at about $10 per user, per year, the price would scale down as more users are added, according to Wombat Security.

Finding a Phishing Hole
I didn't realize just how hard it would be to set up the pool of users to participate in the test. Businesses planning on running PhishGuru will need to work very closely with IT before attempting the project. It is not something that can be done on the fly, especially if there are spam filters and other email security products already in place.

My original plan was to pull together a list of my PCMag Labs colleagues to test the service (and their phish smarts!). Wombat said I would need to whitelist the domain that would be sending the simulated messages within Postini, which we use for our mail security. It turns out our in-house setup uses a lot of custom rules along with Postini's filters, so setting up this test would have required our IT team to manually tweak settings on each account being tested.

Our IT head honcho had some post-test concerns, as well. What if the people in the test forgot the simulation was finished and clicked on a "real" malicious message, thinking it was one of the PhishGuru tests? IT would have to deal with the cleanup.

Wombat assured me that it was possible to test across multiple domains, so we toyed with the idea of using personal email addresses, like the ones on Gmail, Hotmail, and Yahoo! Mail. However, I was concerned the test messages may get trapped by the spam filters on various Webmail services.

In the end, I wound up setting up a basic mail server by installing Postfix on an Amazon EC2 instance and created ten user accounts.

Baiting the Hook
The simulations are called "campaigns" in the PhishGuru world and are created using an online management portal. A new customer signs up for PhishGuru online or by contacting Wombat directly. The company currently offers a free simulation campaign, which is one email template sent to a group of users for one day. For the purpose of this review, I worked with Wombat to set up multiple campaigns over the space of one week.

After I received my account information, I logged into the management portal at phishguru.com and had the option to "Create New Campaign." At this point, I could create my test pool by uploading a comma-delimited file containing names, email addresses, and the name of the department for each test account. PhishGuru automatically created groups based on the email address, allowing me to keep track of results by group. An administrator could tell, for example, if the HR group was doing better or worse than Marketing in detecting phishing mail.

I went through the five-step process, deciding the users who should receive the phishing emails, selecting the type of email I would like to use, picking an email template and customizing it, choosing and customizing the training material to display, and scheduling when the messages will be sent. Once the campaign is created, a "test" message is sent to the administrator's account to verify it looks correct. I clicked on a confirmation link in the test mail to verify the test message.
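The review describes uploading a comma-delimited file of names, email addresses, and departments, and then reading results by group to see which departments, and which kinds of lure, need more training. The following is an added example, not code from the review or from Wombat; it assumes a hypothetical per-user results export with the same columns as the upload file plus a template name and a clicked flag (PhishGuru's actual export format is not described on the page), and shows how an administrator could compute click rates per department and per email template from such a file.

```python
import csv
import io
from collections import defaultdict

# Constructed sample results file. The column layout is an assumption: it
# mirrors the upload file described in the review (name, email, department)
# plus the template used and whether the user clicked the simulated lure.
SAMPLE_RESULTS = """name,email,department,template,clicked
Alice Adams,alice@example.test,HR,package-delivery,yes
Bob Brown,bob@example.test,HR,password-reset,no
Carol Clark,carol@example.test,Marketing,package-delivery,yes
Dan Davis,dan@example.test,Marketing,password-reset,yes
Eve Evans,eve@example.test,Marketing,package-delivery,no
Frank Foster,frank@example.test,IT,password-reset,no
"""


def load_results(text):
    """Parse the comma-delimited results export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def click_rate_by_group(rows, group_key="department"):
    """Return {group: (clicked, total, rate)} keyed by any column, so the
    same function reports by department or by email template."""
    counts = defaultdict(lambda: [0, 0])  # group -> [clicked, total]
    for row in rows:
        clicked = row["clicked"].strip().lower() in ("yes", "y", "true", "1")
        counts[row[group_key]][1] += 1
        if clicked:
            counts[row[group_key]][0] += 1
    return {g: (c, t, c / t) for g, (c, t) in counts.items()}


def groups_needing_training(rates, threshold=0.5):
    """Groups whose click rate meets or exceeds the threshold, worst first."""
    flagged = [g for g, (_, _, r) in rates.items() if r >= threshold]
    return sorted(flagged, key=lambda g: rates[g][2], reverse=True)


if __name__ == "__main__":
    rows = load_results(SAMPLE_RESULTS)
    for key in ("department", "template"):
        rates = click_rate_by_group(rows, key)
        for g, (c, t, r) in sorted(rates.items()):
            print(f"{key} {g}: {c}/{t} clicked ({r:.0%})")
        print(f"{key}s needing follow-up training:", groups_needing_training(rates))
```

Grouping by template answers the second question the review raises (which types of malicious email users fail to recognize), while grouping by department answers the first (which people are learning). The threshold is a tunable assumption; a real programme would compare each group against the organisation's baseline from earlier campaigns rather than a fixed cut-off.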

