Source URL: https://www.schellman.com/blog/penetration-testing/phishing-tests-what-your-provider-should-be-telling-you
Source: CSA
Title: Phishing Tests: Key Questions to Ask
AI Summary and Description: Yes
**Summary:** The text provides valuable insights into the considerations organizations must evaluate when engaging third-party providers for phishing assessments. It highlights best practices that enhance the effectiveness of these assessments, emphasizing the evolving nature of phishing threats, particularly the role of advanced AI technologies. This guidance is highly relevant for cybersecurity professionals focused on improving organizational resilience against phishing attacks.
**Detailed Description:**
The article discusses the necessity of elevating the rigor of phishing assessments, moving beyond traditional checkbox methods to more strategic and insightful approaches. Key highlights include:
– **Understanding Security Controls:** Phishing assessments should primarily evaluate user response, rather than the efficacy of existing security controls. If security controls are to be tested, a red team assessment may be more appropriate.
– **Campaign Preparation:** Organizations should allowlist specific phishing exercise campaigns to ensure they are not blocked by security systems. This preparation aids in achieving authentic results.
– **Use of Advanced Language Models:** The text points out the evolution in phishing attacks, where AI-generated emails can present professionally crafted messages, making it crucial to avoid obvious “tells” in phishing exercises.
– **Sensitive Topics Limitation:** Organizations are advised to define sensitive topics that should not be included in phishing scenarios to prevent unnecessary anxiety among employees.
– **Targeted Campaigns:** The text encourages organizations to consider if the phishing campaign will be broad or targeted, suggesting that specific departments may have increased susceptibility based on prior experiences.
– **Defining Failures:** Compliance-driven parameters for what constitutes a failure during an assessment must be established, such as clicking a link or entering credentials.
– **Training Expectations:** Organizations must clarify if they require subsequent training after the phishing assessment and discuss training needs with the provider.
– **Provider Assessment Questions:** Key questions to vet third-party providers include:
  – A demo of the campaign email prior to launch.
  – Confirmation of whether user credentials will be captured during the exercise.
  – Whether the provider uses technology that retrieves user sessions, and how that data is handled.
  – How incidents will be handled if a third-party system flags the campaign.
– **Cybersecurity Strengthening:** Overall, the text emphasizes the importance of phishing assessments in bolstering an organization’s cybersecurity posture, advocating for thorough preparation and the right inquiries to gain maximum value from these engagements.
By addressing these points, professionals in security and compliance can better tailor their phishing assessments, ensuring relevance and efficiency in their defenses against the ever-evolving landscape of cyber threats.