Friday, December 29, 2006

Government uses "phishing" techniques to test information security

Internet abuse in the workplace has been a concern for a long time.

Now the federal government is going to phish their own employees to determine if they will "click" on malicious links.

Wade-Hahn Chan of FCW.com reports:

Phishing is a technique of tricking or coercing users into giving up personal information, revealing log-in names and passwords or visiting malware or virus-infected Web sites. The government-sanctioned attacks will be designed to test how well federal workers adhere to their organization's e-mail security policies.


FCW.com article, here.

Most stories about phishing concentrate on attacks aimed at personal information, which is later used in financial crimes. While this type of phishing is bad enough, spear phishing targets an organization's information.

Given the number of data breaches - both in the private and public sector - the concern that employees might be compromising large amounts of information is very real. If anyone wants to see a long list of these breaches (courtesy of the Privacy Rights Clearinghouse) compiled over the past couple of years, you can do so by clicking here.

No matter how much security you use to protect a system, most of it proves worthless if a person with access compromises it.

And although most stories about phishing emphasize the impact on identity theft and financial crimes, espionage is a valid concern as well.

This might be a very effective tool to raise "employee awareness" on "information security."

1 comment:

Tor said...

Why the government needs to do this study is beyond me. The answer is very obvious to me that just about anyone will click on a link in an email. My wife and I have some friends who keep getting in a panic about phishing emails they receive, thinking their accounts are in jeopardy. They panic, despite our assurances that any authentic account warnings will be apparent when they log onto their accounts.