Thanks, Helen, for seconding the idea of video education — and for the scripts!   

ETS has purchased a couple of dozen modules that we hope to make available shortly (we have 5,000 seats).   The Securing the Human series consists of short videos and optional quizzes, plus supplemental material like posters, covering information security, safe computing, and compliance.  There's a list of topics at: 

   http://www.securingthehuman.org/services/demo-training-lab

The target audiences for this education are not set in stone at this point; suggestions are welcome.  Current thinking is that new students would need to view a few key modules and pass the corresponding quizzes.  Perhaps people with responsibilities for certain categories of data would be offered the appropriate compliance-related modules.  Someone whose account is compromised though phishing might need to partake of the phishing module. And so on.  

We're working with SANS to support federated identity so that people can participate using their Net-IDs, and I expect that to be ready shortly.   In the mean time, I'm able to create accounts for anyone who'd like to give it a spin.  

Helen's note described education we would develop here at UVM, and that's a great idea.  We're always challenged to find time for that development, but where I'd like to be, eventually, is to have a combination of locally developed material and professionally done purchased (or free) curriculum.  

-Dean W. 

On Nov 5, 2012, at 7:37 PM, Helen Read wrote:

> Video education is a great idea. What is the holdup on not doing it right away? The script practically writes itself.
> 
> "Have you ever received an email that looks like this?" [Show them a phish.]
> "This is a scam. It goes to a site that's not on the UVM server, and here's how you can tell." Show them how to hover over the URL and explain what to look for.
> 
> "You should never click on a link like that. It will take you to an Evil Form designed to capture your UVM NetID and password." Then click on the bad link anyway and show them what a phony form looks like.
> 
> "UVM will never ask you to enter your credentials on a non-UVM site. Never. If you get an email asking you to do so, it's a scam. Delete it."
> 
> "If you think it's a scam, it probably it is. Delete the email." [Andrew's thing about "What's the worst that can happen if you delete it and it turns out it was real" could go here too.]
> 
> And then go through what to do if you make a mistake and fall for it, complete with someone acting out the part: "Oh, no, I just entered my NetID and password on this form and now I think it might be fake!!!" "I'd better change my password right away." [and show them where and how]
> 
> Helen Read
> Senior Lecturer
> Dept. of Mathematics & Statistics
> University of Vermont
> 
> On 11/5/2012 9:41 AM, Dean Williams wrote:
>> On Nov 5, 2012, at 9:05 AM, Andrew Hendrickson wrote:
>> 
>>> I believe that identifying the page as "non UVM" will be the issue in these cases.  Many of our users do not look at URLs and do not understand what the URL means.
>> Yes, that's a challenge.  One message contained an explicit URL, but "weblogin.uvm.edu" was part of it.  The other message had "Click Here".  So we have to teach people to (1) hover their cursors over links to see what they really are, and (2) recognize the server part of a URL.   In sessions I've taught, I've been pleasantly surprised that in a group of 6-12 people, at least one or two people know these techniques — but that, of course, leaves plenty of people who don't.
>> 
>> Perhaps more encouraging, many people, even those who don't know how to check out a link in email, can still smell a phish, and know to ignore or delete without fully analyzing it.
>> 
>> I think the other step we as IT professionals could teach our students, faculty, and staff, is to change one's password immediately upon having a suspicion that one has just fallen for a phish.  When I ask what to do in that situation, lots of people will say, "contact you", but then we talk about the best first step being to change one's password and shut out the criminals before they can use and abuse one's account.
>> 
>> The fact that UVM has 2500+ new email users every fall certainly works to phishers' advantage.  We need to educate this group early on (and we need more safe computing instruction in K-12!).  We're getting closer to being able to "offer" video-based education in this area, and I see incoming students, faculty, and staff as the primary audience.
>> 
>> Does anyone have successful educational strategies they could share?
>> 
>> -Dean
>> 
>>> 
>>> On Nov 5, 2012, at 9:01 AM, Dean Williams <[log in to unmask]> wrote:
>>> 
>>>> Good morning, all.
>>>> 
>>>> ETS has published an alert for two phishing scams reported over the weekend.
>>>> 
>>>>   http://www.uvm.edu/it/?Page=news&storyID=14741&category=ets
>>>> 
>>>> Both include links to the same Romanian phishing web site, and both appear to come from uvm.edu email addresses.  One addresses people with their [log in to unmask] email addresses, and one includes a nice graphic for "The University of Vermont."  Although those tactics can be convincing, I think the best advice for our non-IT students and colleagues is that UVM will never ask anyone to enter his or her Net-ID and password on a non-UVM web page.
>>>> 
>>>> Thanks to those who reported these phish to us.  Fortunately, the phishing site seems to be down at the moment.
>>>> 
>>>> -Dean Williams
>>> Andrew Hendrickson
>>> CAS IT Administrator
>>> UVM, College of Arts & Sciences
>>> 438 College Street #206
>>> Burlington, VT
>>> 05405
>>> 
>>> 802-656-7971
>>> 802-656-4529 (fax)
>>> 
>>> [log in to unmask]
>>> 
>>> To submit a request for service please use:
>>> http://footprints.uvm.edu/ashelp.html