Iranian military spear-phish of State Department employees detected first by Facebook

Status
Not open for further replies.

andrewb610

Ars Tribunus Angusticlavius
6,129
Uxorious said (http://meincmagazine.com/civis/viewtopic.php?p=30191123#p30191123):
Given that US Government employment is an exam/school-based system as opposed to "at-will" in the private sector, would it be reasonable for the government to create a security school and "red-team" style ongoing validation program that would bar employee access to systems if they succumb to phishing attacks?

Given the increasing technological nature of government business, these attacks will only become more damaging in the future, so up-front investments in technological defense systems and personnel would be cheaper in the long run than relying on an annual review of a Power Point presentation on computer security.

Having been through hands-on anti-phishing training, I found it useful even for people working in software development to be on the receiving end of real exploits that we read about but don't often see as a result of our personal security habits and the skill of our security admins in protecting our corporate systems.
The problem I see is that the mandatory government IA training in all areas is terrible. It becomes to most employees just another process of getting a PDF certificate so that you don't get a wag of the finger from your supervisor. The mentality behind the need for training, then the training itself has to change before any progress will really be made. Unfortunately, it took incidents like this to push a mentality change.
 