SocialPET is a SAAS application that tests end users' ability to discern dangerous e-mails by sending fake phishing messages and reporting on users' actions. The app is useful for pointing to security weak links, but it is currently pretty bare-boned.
When it comes to securing a company's infrastructure, there are many
different problems to deal with, from unpatched servers to poorly secured
networking hardware to security applications that don't address all potential
But probably the biggest problem is the company's employees. Despite
training and common awareness of viruses, worms, spam and phishing e-mails
after years and years of horror stories, there are some people who will
continue to trust anyone who sends them an e-mail, obliviously clicking on
every attachment and link that comes their way.
In a column I wrote several years ago, I called these people "security
idiots" and opined that it might not be a bad idea to shame them into finally
learning how to practice good Internet security. At the time, several companies
wrote to me about systems they had put in place to send fake virus and phishing
e-mails to their own employees to identify the idiots, er, I mean employees, in
need of further training.
I thought this was a good idea and that it wouldn't be too hard to do, by
either setting up a fake Website or using e-mail scripts. But now it's even
easier to test your own employees to find the security weak links.
A new SAAS (software as a service) product from Jetmetric, a security tools
vendor spun off from Redspin, lets administrators, in just a few short steps,
send fake phishing e-mails to selected employees to determine which ones know
enough to ignore the messages and which don't, posing a threat to company
The product, called SocialPET (Policy Evaluation Tool), allowed me to send
out a number of different security tests and view reports on the results of
Getting started with SocialPET was simple. Once signed up for the service, I
simply logged in with my browser and began entering the names and e-mail
addresses of users I wanted to test. I could also select a fake e-mail address
that the message would appear to come from (for example, email@example.com
The next step was to choose the type of test I wanted to conduct. SocialPET
includes templates for sending users to a fake offsite e-mail or a fake patch
site, and will generate an e-mail message (complete with standard phishing mail
misspellings and bad grammar). It was a simple matter to edit these templates.
Among the Website pages that SocialPET can send users to are fake Microsoft
Outlook and Novell Groupware Web mail logins, a fake Symantec anti-virus
download, a Microsoft patch page and Google Apps.
Once I had all my parameters set, I simply hit Run Job and sent the phishing
e-mails to my victims, er, test employees.
The user can ignore the phishing e-mail (smart user), click through in an
attempt to get to the Website (not-so-smart user), or click through and attempt
to carry out an action such as downloading a patch or entering a company username
and password (ignorant user).
If a user clicks to download or enters a login and password, the page simply
refreshes, which may lead some users to continue trying other usernames and
passwords. But the page isn't just refreshing; it is also sending information
back to SocialPET on users' actions.
The reports that SocialPET generates are fairly basic. A graph displays a
letter grade for the performance of the subjects in your test. The report also
tells you how your organization's users performed compared with users at other
organizations that have conducted similar testing.
A more detailed technical report shows the test sent, the e-mails sent to
each subject and what each subject did (clicked through, downloaded or entered
credentials). There is also an option to generate a PDF report that includes
both the graphs and the technical report.
That's pretty much all there is to SocialPET, at least right now. Like many
other SAAS applications, while SocialPET is open for use and is charging
customers, it is still considered a beta.
The "beta" label is appropriate, as the application could be much
For example, the link site in SocialPET phishing e-mails is always the same
root site, and there is currently no way to choose a different domain name. In
addition, the reports could use more detail, such as how many times a user
entered usernames and passwords and even which ones they entered. (So you could
determine, for example, whether users exposed every single one of their company
usernames and passwords.)
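As an added illustration (not SocialPET's code), here is how a phishing-test event log could be rolled up into the per-subject report the review describes, including the credential-attempt count and the usernames submitted that the review says the product's reports lack. The subjects, events, and letter-grade thresholds are all constructed assumptions for the example.

```python
# Added example, not SocialPET's own code: roll up a constructed event log from a
# phishing-awareness test into a per-subject report and an overall letter grade.

# How far each action takes a user into the simulated phish (assumed ranking;
# "downloaded" and "entered_credentials" are both the review's "ignorant user").
OUTCOME_RANK = {"ignored": 0, "clicked": 1, "downloaded": 2, "entered_credentials": 2}

# Constructed sample data: who was tested and what the tracking page recorded.
CONSTRUCTED_SUBJECTS = ["alice", "bob", "carol", "dave"]
CONSTRUCTED_EVENTS = [
    {"user": "bob", "action": "clicked"},
    {"user": "carol", "action": "clicked"},
    {"user": "carol", "action": "entered_credentials", "username": "carol"},
    {"user": "carol", "action": "entered_credentials", "username": "carol.admin"},
    {"user": "dave", "action": "clicked"},
    {"user": "dave", "action": "downloaded"},
]

def summarize(subjects, events):
    """Return each subject's worst outcome, credential-attempt count and usernames tried."""
    report = {u: {"outcome": "ignored", "credential_attempts": 0, "usernames": []}
              for u in subjects}
    for ev in events:
        entry = report.get(ev["user"])
        if entry is None:          # event for someone not in this test: skip it
            continue
        if OUTCOME_RANK[ev["action"]] > OUTCOME_RANK[entry["outcome"]]:
            entry["outcome"] = ev["action"]
        if ev["action"] == "entered_credentials":
            entry["credential_attempts"] += 1
            entry["usernames"].append(ev.get("username", "<unknown>"))
    return report

def letter_grade(report):
    """Assumed grading scale: percentage of subjects who ignored the phishing mail."""
    safe = sum(1 for e in report.values() if e["outcome"] == "ignored")
    pct = 100 * safe / len(report)
    for threshold, grade in ((90, "A"), (75, "B"), (50, "C"), (25, "D")):
        if pct >= threshold:
            return grade
    return "F"

if __name__ == "__main__":
    rep = summarize(CONSTRUCTED_SUBJECTS, CONSTRUCTED_EVENTS)
    for user, e in rep.items():
        print(f"{user:8} {e['outcome']:20} attempts={e['credential_attempts']} {e['usernames']}")
    print("Organization grade:", letter_grade(rep))
```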
But SocialPET is still useful for finding out which of your employees could
become a threat to your corporate security infrastructure.
A free trial of SocialPET provides all core features but allows tests of
only 10 users or fewer and doesn't save historical reports. An enterprise
subscription that lets you test an unlimited number of users and provides
historical reporting is priced at $99 per month.
For more information on SocialPET and to check out the trial, go to www.jetmetric.com
Chief Technology Analyst Jim Rapoza can be reached at firstname.lastname@example.org.