REVIEW: SocialPET Lures End Users into Exposing Security Ignorance
SocialPET is a SaaS application that tests end users' ability to recognize dangerous e-mails by sending them fake phishing messages and reporting on what they do with them. The app is useful for pointing out security weak links, but it is currently pretty bare-bones.
When it comes to securing a company's infrastructure, there are many different problems to deal with, from unpatched servers to poorly secured networking hardware to security applications that don't address all potential threats. But probably the biggest problem is the company's employees. Despite training and common awareness of viruses, worms, spam and phishing e-mails after years and years of horror stories, some people will continue to trust anyone who sends them an e-mail, obliviously clicking on every attachment and link that comes their way.
Getting started with SocialPET was simple. Once signed up for the service, I simply logged in with my browser and began entering the names and e-mail addresses of users I wanted to test. I could also select a fake e-mail address that the message would appear to come from (for example, itperson@yourcompanyname.com).

The next step was to choose the type of test I wanted to conduct. SocialPET includes templates for sending users to a fake offsite e-mail or a fake patch site, and will generate an e-mail message (complete with standard phishing mail misspellings and bad grammar). It was a simple matter to edit these templates. Among the Website pages that SocialPET can send users to are fake Microsoft Outlook and Novell Groupware Web mail logins, a fake Symantec anti-virus download, a Microsoft patch page and Google Apps. Once I had all my parameters set, I simply hit Run Job and sent the phishing e-mails to my victims, er, test employees.

The user can ignore the phishing e-mail (smart user), click through in an attempt to get to the Website (not-so-smart user), or click through and attempt to carry out an action such as downloading a patch or entering a company username and password (ignorant user). If a user clicks to download or enters a login and password, the page simply refreshes, which may lead some users to continue trying other usernames and passwords. But the page isn't just refreshing; it is also sending information back to SocialPET on users' actions.

The reports that SocialPET generates are fairly basic. A graph displays a letter grade for the performance of the subjects in your test. The report also tells you how your organization's users performed compared with users at other organizations that have conducted similar testing. A more detailed technical report shows the test sent, the e-mails sent to each subject and what each subject did (clicked through, downloaded or entered credentials).
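As an added example (not SocialPET's code or data format), here is how a technical report of this kind can be aggregated from the events a landing page sends back: the worst outcome per tested user, plus the per-user count of credential submissions that the review later asks for. The event format, the outcome names and the letter-grade thresholds are assumptions for illustration.

```python
from collections import Counter

# Severity order of the outcomes described in the review:
# ignoring the mail < clicking through < downloading < entering credentials.
SEVERITY = {"ignored": 0, "clicked": 1, "downloaded": 2, "entered_credentials": 3}

# Constructed sample events (hypothetical format): one (user, action) row per
# action the landing page reported. Users who ignored the mail produce no rows.
SAMPLE_EVENTS = [
    ("alice@example.com", "clicked"),
    ("bob@example.com", "clicked"),
    ("bob@example.com", "entered_credentials"),
    ("bob@example.com", "entered_credentials"),   # second password try after refresh
    ("carol@example.com", "clicked"),
    ("carol@example.com", "downloaded"),
]
TESTED_USERS = ["alice@example.com", "bob@example.com",
                "carol@example.com", "dave@example.com"]


def summarize(events, users):
    """Return {user: (worst_outcome, credential_attempts)} for every tested user,
    including users with no events, who count as having ignored the mail."""
    worst = {u: "ignored" for u in users}
    attempts = Counter()
    for user, action in events:
        if user not in worst:
            continue  # event for an address outside this test run; ignore it
        if SEVERITY[action] > SEVERITY[worst[user]]:
            worst[user] = action
        if action == "entered_credentials":
            attempts[user] += 1
    return {u: (worst[u], attempts[u]) for u in users}


def letter_grade(summary):
    """Assumed grading scale (not the product's): grade the share of users
    who ignored the phishing mail outright."""
    safe = sum(1 for outcome, _ in summary.values() if outcome == "ignored")
    ratio = safe / len(summary)
    for threshold, grade in ((0.9, "A"), (0.75, "B"), (0.5, "C"), (0.25, "D")):
        if ratio >= threshold:
            return grade
    return "F"


if __name__ == "__main__":
    report = summarize(SAMPLE_EVENTS, TESTED_USERS)
    for user, (outcome, tries) in report.items():
        print(f"{user:20} {outcome:20} credential attempts: {tries}")
    print("grade:", letter_grade(report))
```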
There is also an option to generate a PDF report that includes both the graphs and the technical report.

That's pretty much all there is to SocialPET, at least right now. Like many other SaaS applications, while SocialPET is open for use and is charging customers, it is still considered a beta. The "beta" label is appropriate, as the application could be much better. For example, the link site in SocialPET phishing e-mails is always the same root site, and there is currently no way to choose a different domain name. In addition, the reports could use more detail, such as how many times a user entered usernames and passwords and even which ones they entered. (So you could determine, for example, whether users exposed every single one of their company usernames and passwords.) But SocialPET is still useful for finding out which of your employees could become a threat to your corporate security infrastructure.

A free trial of SocialPET provides all core features but allows tests of only 10 users or fewer and doesn't save historical reports. An enterprise subscription that lets you test an unlimited number of users and provides historical reporting is priced at $99 per month. For more information on SocialPET and to check out the trial, go to www.jetmetric.com.

Chief Technology Analyst Jim Rapoza can be reached at jrapoza@eweek.com.