Phishing



W3WN
05-16-2017, 12:20 PM
Back in February, we had mandatory training for all users in the building, about what to do about suspicious emails, attachments, and anything else that could constitute a Phishing attempt.

So, yesterday afternoon, one of our users gets an unexpected "view information in spreadsheet" email, allegedly from a client.

E-mail address is not the client's. Not even close.
The e-mail recipient is not her, nor that of the account exec.
There is no Excel spreadsheet attached. There is a PDF that tells the reader to go to a portal site and create a login.

Classic signs. Almost exactly what we covered in the class. So what does she do? In order:

Opened the email
Opened the PDF
Followed the link
Entered her company email address on the site, and created a password (which she swears she has never used anywhere else)
Attached the suspicious email & attachment to our file management system
Forwards the email, with attachment, to the account exec
Forwards the email back to the original sender, which verifies it's a legit email address
Forwards the email to the client, at his actual email address, and asks if he really sent this.
Finally, opens a Help Desk ticket to let us know.

I was on my way home when this happened, so I immediately replied to her via email DON'T OPEN THE EMAIL UNTIL FURTHER NOTICE. Her reply? "Oh, he changes his email all the time." followed by "Maybe it's his father's email"

KB3ERQ, who was still "on duty", took over at that point and went to talk with her. She denied she did anything wrong, and insisted that we had to help her open the "spreadsheet". Only after the actual client replied to her, 3 hours later, saying "my email was hacked, don't open anything" would she admit that maybe, just maybe, something wasn't quite right.

(They had a long and somewhat unpleasant conversation, which I'm skipping over. To put it bluntly, we can't figure out if she's stupid, stubborn, or trying to cover her anatomy -- or some combination thereof)

*sigh*

No, I'm not allowed to shoot her.

We are going to sit down and have a word with our boss, followed by the three of us having a word with the company Compliance Officer who ran the seminar, and then a word with the user's supervisors. HR might have to get involved as well. Suffice to say that she won't be happy with us afterwards. I THINK we dodged a bullet -- this time. We won't get so lucky the next time, though.

[ No, I can't summarily fire her. Or I would have. ]

KJ3N
05-16-2017, 12:33 PM
(... To put it bluntly, we can't figure out if she's stupid, stubborn, or trying to cover her anatomy -- or some combination thereof)

To paraphrase from one of my favorite movies: "Woman, you don't know whether you've been shot, fucked, powder-burned or snake-bit."

N8YX
05-16-2017, 04:54 PM
In some circles, the first strike is a mandatory write up and suspension if A) You've taken said security training, and B) Your actions caused your employer to experience significant loss, damage to brand or both.

In certain other (tighter) circles, it wasn't a game of baseball. Strike 2 involved you being escorted to the parking lot via the HR office by me and one or more of my contemporaries (when I worked Operations).

This kind of scenario belongs as a set of questions in the interview process, as an idiot screen.

W2NAP
05-16-2017, 06:00 PM
what a mess

W3WN
05-17-2017, 09:42 AM
In some circles, the first strike is a mandatory write up and suspension if A) You've taken said security training, and B) Your actions caused your employer to experience significant loss, damage to brand or both.

In certain other (tighter) circles, it wasn't a game of baseball. Strike 2 involved you being escorted to the parking lot via the HR office by me and one or more of my contemporaries (when I worked Operations).

This kind of scenario belongs as a set of questions in the interview process, as an idiot screen.
Ah, yup.

Unfortunately, I don't believe (Middle) Management will take this type of thing seriously until someone gets hosed. And we've had some close scares before, but nothing... yet. They are not grasping that just because we keep dodging bullets doesn't mean we will always be able to do so.

The owners do take it seriously, but when it comes to things like this person's actions, they may not hear about it from middle management until it is too late.

IT takes it VERY seriously. And our boss is dealing with this. Suffice to say that the excuse of "oh, she's been here many years and is set in her ways" is NOT an acceptable answer -- to us.

N8YX
05-17-2017, 09:54 AM
...
IT takes it VERY seriously. And our boss is dealing with this. Suffice to say that the excuse of "oh, she's been here many years and is set in her ways" is NOT an acceptable answer -- to us.

Your firm may need to implement detective and preventative controls if the owners aren't willing to take the heavy-handed approach. IDS/IPS and DLP technologies are a good starting point, but what you'll need to be truly effective in that space is behavior-based detection, coupled with white-listing of permitted actions and resources.

In a nutshell: If Suzie is attempting to use her domain credentials outside of her work domain (i.e., registering a profile on an external URL) that action is blocked and an alert sent to Operations. Products in this space are available in inline, endpoint and hybrid configurations. If your staff is permitted to take their laptops home with them, I strongly recommend the use of comprehensive endpoint protection, controlled by a central management server (with no way for users to defeat it).
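
An added example, not part of this thread and not any vendor's product code, of the detective control described in the post above: flag a POST that carries a company identity to a host outside the sanctioned set, and treat it as a block when a password field travels with it. The company domain `corp.example`, the allowlist of sanctioned login hosts, and the proxy log format (one line per request, URL-decoded form body in the last field) are all assumptions; real proxy or DLP products log differently and would need their own parser.

```python
"""Detect company credentials being submitted to non-sanctioned sites.

Added example, not code from the thread or any vendor product. The log
format, company domain and allowlist below are assumptions.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

COMPANY_DOMAIN = "corp.example"          # assumption: the firm's mail / AD domain
SANCTIONED_HOSTS = {                     # assumption: external hosts where company logins belong
    "login.microsoftonline.com",
}
IDENTITY_FIELDS = {"username", "user", "email", "login"}
SECRET_FIELDS = {"password", "passwd", "pass"}

# Assumed proxy log format: "<ts> <user> <method> <url> <status> <urlencoded-body|->"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


@dataclass
class Alert:
    user: str
    host: str
    field: str
    action: str  # "block" (identity + secret leaving) or "alert" (identity only)


def is_internal_host(host: str) -> bool:
    """Company-owned hosts and the explicit allowlist are not external."""
    if host == COMPANY_DOMAIN or host.endswith("." + COMPANY_DOMAIN):
        return True
    return host in SANCTIONED_HOSTS


def is_company_identity(value: str) -> bool:
    return value.lower().endswith("@" + COMPANY_DOMAIN)


def inspect_line(line: str):
    """Return an Alert if this request sends a company identity to an external host."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _ts, user, method, url, _status, body = m.groups()
    if method != "POST" or body == "-":
        return None
    host = (urlsplit(url).hostname or "").lower()
    if is_internal_host(host):
        return None
    fields = parse_qs(body, keep_blank_values=True)
    has_secret = any(name.lower() in SECRET_FIELDS for name in fields)
    for name, values in fields.items():
        if name.lower() in IDENTITY_FIELDS and any(is_company_identity(v) for v in values):
            return Alert(user, host, name, "block" if has_secret else "alert")
    return None


def scan_log(text: str):
    """Run inspect_line over every line and keep the hits."""
    return [a for a in (inspect_line(l) for l in text.splitlines()) if a is not None]


# Constructed sample lines mirroring the scenario in the thread; passwords are placeholders.
SAMPLE_LOG = """\
2017-05-15T14:02:11Z suzie POST https://login.corp.example/auth 302 username=suzie%40corp.example&password=REDACTED
2017-05-15T14:05:40Z suzie GET https://docs-portal-share.example.net/view.php?id=1 200 -
2017-05-15T14:06:03Z suzie POST https://docs-portal-share.example.net/register.php 200 email=suzie%40corp.example&password=Winter2017%21
2017-05-15T14:09:55Z bob POST https://login.microsoftonline.com/common/oauth2 302 login=bob%40corp.example&passwd=REDACTED
2017-05-15T14:12:30Z carol POST https://shop.example.org/newsletter 200 email=carol%40gmail.com
"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert.action.upper()}: {alert.user} sent {alert.field} to {alert.host}")
```

On the sample, only the registration on the "portal" site is flagged, and as a block because the password went with the address; a newsletter sign-up with a company address alone would surface as an alert for Operations rather than a block. An inline product makes the same decision before the request leaves the network; an endpoint agent makes it in the browser, which is why the post recommends the endpoint form for laptops that go home.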

K4PIH
05-17-2017, 10:01 AM
Was her last name Podesta?

W3WN
05-17-2017, 10:25 AM
Your firm may need to implement detective and preventative controls if the owners aren't willing to take the heavy-handed approach. IDS/IPS and DLP technologies are a good starting point, but what you'll need to be truly effective in that space is behavior-based detection, coupled with white-listing of permitted actions and resources.

In a nutshell: If Suzie is attempting to use her domain credentials outside of her work domain (i.e., registering a profile on an external URL) that action is blocked and an alert sent to Operations. Products in this space are available in inline, endpoint and hybrid configurations. If your staff is permitted to take their laptops home with them, I strongly recommend the use of comprehensive endpoint protection, controlled by a central management server (with no way for users to defeat it).
I hear you.

A recommendation to that effect was already made. I do not know where it stands at the moment.

W3WN
05-17-2017, 10:27 AM
Was her last name Podesta?
No, but it ought to be "Putz"

In all fairness, there've been about 20, 25 or so of these types of phishing emails that we've been made aware of in the last few weeks. I'm sure there have been more... most of our more savvy users simply nuke them to begin with and don't bother to tell us.

But, as we all know, it just takes one, just one, stubborn idgit...

KG4CGC
05-17-2017, 10:52 AM
Has HR started an investigation into her past action(s) regarding her disregard for the security and reputation of the company?

W3WN
05-17-2017, 11:08 AM
Has HR started an investigation into her past action(s) regarding her disregard for the security and reputation of the company?
I would not be privy to such action, at least not at this time, due to company policies regarding confidentiality. Nor would I need to be; Ben might be called in, since he actually talked with her.

KG4CGC
05-17-2017, 11:29 AM
In the past, you may have heard me refer to a company VP (VP over manufacturing) at the last "big manufacturing facility" I worked at as a "professional finger pointer." When I was let go for gross insubordination (no details, just gross insubordination) I was told that I wasn't a good fit for a company that I was already with for 13 years before she and her cronies got there.
A year after that incident the company was sold and the new company, part of a world wide collection of facilities, moved this vice president to customer service. I mean she was literally the customer service person answering the phone at a desk in the foyer. You could call it some kind of Karmic justice etc because for the last several years she believed that she was at the top of the heap.
The new company looked at her past actions within the company and realized that she didn't even pass the minimum requirements to hold a VP position, much less possess the decision-making qualities they expected out of a person in her position. Can we say, pettiness?

I don't know if this story really relates. Sometimes I just like to watch myself type.

N8YX
05-17-2017, 12:23 PM
... realized that she didn't even pass the minimum requirements to hold a VP position, much less possess the decision-making qualities they expected out of a person in her position. Can we say, pettiness?

The term you're looking for is "cronyism". That, and possibly what she had on a few people.

W3WN
05-17-2017, 12:30 PM
Well, the paraphrased word from above is...

The official decision is that despite the poor judgement shown, there was no "incident" since nothing actually happened. (I know, but that's the way Management is looking at it)

Because of the poor judgement and the technical (personally, I think not so "technical") violation of security procedures, the user will be undergoing re-education, err, retraining. There will be a severe warning.

Yes, she will be approached, and informed of her transgression in an even firmer tone of voice, adding "or else".

... do I think it's enough? Knowing the user? Nope. She's going to sit there, agree with everything, and forget every word the moment Ben is done. She is of the mindset that she does things her way and that's all there is to it.

However, I'm not unaware that considering her age, management is concerned about unintended consequences. In other words, if they summarily fire her, or severely discipline her, she is the type to go crying "discrimination!", make a lot of noise, and create a lot of bad press. Never mind the bad press etc. we'd get if we actually did get hacked through her actions.

Feh. Well, it's out of my hands at the moment anyway.

N8YX
05-17-2017, 05:06 PM
The important thing here is to get a record of her actions on file with your HR department, complete with punitive measures and corrective plans.

If it can be proven - that in spite of such direction and mandate - she continues to knowingly and willingly flout your company's Information Protection Policy (assuming you have one) it won't matter if her name is Methuselah when the issue of termination comes up.

Here's where the detective and preventive technical controls I mentioned earlier can be of great benefit: All the proof you need regarding an evidentiary trail is in the logs.

W3WN
05-17-2017, 08:37 PM
Without going into the gory and boring details, suffice to say that HR is aware, and the documentation is in order.

KG4CGC
05-17-2017, 08:54 PM
The term you're looking for is "cronyism". That, and possibly what she had on a few people.

Well yes, there was cronyism. She was the ex-side-piece of one of the other VPs and an ex-sister-in-law of the CEO.
Her decisions were oft based on us floor people being the scum of the Earth.

N8YX
05-18-2017, 08:13 AM
Well yes, there was cronyism. She was the ex-side-piece of one of the other VPs and an ex-sister-in-law of the CEO.

Quoting Ron's post above yours as relates to a past situation:

Without going into the gory and boring details, suffice to say that HR is aware...
...and in this case, their lead investigator was one of my teammates, who - along with me - watched said Side Piece derail more than a few promising careers due to personal bias.

The thing about cronies, protectionism, affairs with the boss(es) and so forth is that these things too are subject to discovery, and once Counsel gets hold of such information it doesn't matter who you are...you're outta there.

KD8TUT
05-19-2017, 01:45 PM
Ah, yup.

Unfortunately, I don't believe (Middle) Management will take this type of thing seriously until someone gets hosed. And we've had some close scares before, but nothing... yet. They are not grasping that just because we keep dodging bullets doesn't mean we will always be able to do so.

The owners do take it seriously, but when it comes to things like this person's actions, they may not hear about it from middle management until it is too late.

IT takes it VERY seriously. And our boss is dealing with this. Suffice to say that the excuse of "oh, she's been here many years and is set in her ways" is NOT an acceptable answer -- to us.

We've got a sysadmin who is hanging some Windows servers out on the net without being patched for WannaCry. I noticed it and bounced it up the chain loudly.

Monday when I come in and the SANs are encrypted, I expect a promotion... right after he is exited from the building.

N8YX
05-19-2017, 01:47 PM
We've got a sysadmin who is hanging some Windows servers out on the net without being patched for WannaCry. I noticed it and bounced it up the chain loudly.

Monday when I come in and the SANs are encrypted, I expect a promotion... right after he is exited from the building.
Exposing SMB/CIFS through a firewall without benefit of a VPN and inline IDS/IPS ought to be grounds for termination itself.
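
An added example, not from the thread: the check a practitioner would run from outside the perimeter to find the condition the two posts above describe, SMB (TCP 139/445) answering on Internet-facing addresses. It parses nmap grepable (`-oG`) output; the embedded scan result is constructed (RFC 5737 test addresses, made-up hostnames), and a real run would be `nmap -p 139,445 -oG scan.txt <your public ranges>` from a host on the far side of the firewall.

```python
"""Flag Internet-reachable SMB from nmap grepable (-oG) output.

Added example, not code from the thread. The scan text below is constructed.
"""
import re

SMB_PORTS = {139, 445}  # NetBIOS session and direct-hosted SMB; WannaCry spreads over 445

# Grepable "Ports:" entries look like port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//")
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*)$")

# Constructed sample in nmap -oG format; fields are tab-separated as nmap writes them.
SAMPLE_SCAN = """\
# Nmap 7.40 scan initiated as: nmap -p 139,445,3389 -oG - 203.0.113.0/29
Host: 203.0.113.1 ()\tStatus: Up
Host: 203.0.113.1 ()\tPorts: 139/filtered/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///, 3389/closed/tcp//ms-wbt-server///\tIgnored State: filtered (0)
Host: 203.0.113.2 (files.example.net)\tStatus: Up
Host: 203.0.113.2 (files.example.net)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///
Host: 203.0.113.3 ()\tStatus: Up
Host: 203.0.113.3 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///
# Nmap done at ... -- 8 IP addresses (3 hosts up) scanned
"""


def parse_grepable(text: str):
    """Return {ip: {tcp_port: state}} from the Ports: lines of a -oG file."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comments and "Status: Up" lines carry no port data
        ip, _name, ports = m.groups()
        ports = ports.split("\t")[0]  # drop a trailing "Ignored State: ..." field
        for port, state, proto, _service in PORT_RE.findall(ports):
            if proto == "tcp":
                hosts.setdefault(ip, {})[int(port)] = state
    return hosts


def exposed_smb(text: str):
    """Addresses where any SMB port is open (not filtered or closed) from the scanner's vantage point."""
    return sorted(
        ip for ip, ports in parse_grepable(text).items()
        if any(ports.get(p) == "open" for p in SMB_PORTS)
    )


if __name__ == "__main__":
    for ip in exposed_smb(SAMPLE_SCAN):
        print(f"SMB reachable from the Internet: {ip}")
```

"Filtered" means the firewall dropped the probe, which is what every Internet-facing address should show for 139 and 445; "open" from outside means the firewall is passing the port through, regardless of patch level. Anything that lands in the exposed list needs the port closed at the edge first and the MS17-010 patch status checked second; a VPN in front of the share is the only sanctioned way for that traffic to come in.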

KD8TUT
05-19-2017, 04:21 PM
Exposing SMB/CIFS through a firewall without benefit of a VPN and inline IDS/IPS ought to be grounds for termination itself.

I'm new at the company... give me time to fix everything :)

K7SGJ
05-23-2017, 09:53 AM
It's hard to understand some people's actions, especially after signing off on a class specifically dealing with the action. People can be just plain fucking stupid. We used to have that training every single year, with refreshers every so often.

On another note, I'm waiting to hear back on winning 43 million dollars in a South African lottery. Boy, what luck. I was so surprised when I received that lucky email. I'm already loading up my credit card accounts getting all the stuff I've always wanted but could not afford. I gave them all the numbers to all my accounts to make sure they can verify my identity and deposit the money in the right account. I'll just pay all the cards off when the deposit posts. Of course, I'll drive my new red Ferrari to the bank to do all this. Man, the Gods have shirley smiled on me. Who Gnu? Maybe I'll set up a round the world ham operator cruise for all you guys. What a blast it will be. Radios, Girls, Guys, Putting up long wires, Beams, and a boat load of all kings of erections, Food, Girls, Guys, Drink, Girls, Guys, Fishing, Girls, Guys, Water Skiing, and of course, Girls and Guys. Everyone is sure to have a hoot.