Educause Security Discussion mailing list archives
Re: SOP for Managing Phishing/Ransomware Attempts
From: Frank Barton <bartonf () HUSSON EDU>
Date: Thu, 11 Aug 2016 09:30:53 -0400
Steven, you make a very good point about the pulling of messages. We have used that ability a total of 3 times here, all for malicious (in a technical, not in a personal sense) content. Who in your organization makes the final call as to if a message can be pulled?

We're a fairly small school, and a GAFE School, and we use GAM in those cases where we do pull a message - even so, it can take over 90 minutes for a full pass to happen to pull a message. This is "okay" when we are talking about a single message that we can identify easily (say a single MessageID sent to a large number of people). When we have to check for multiple MessageIDs, it takes substantially longer to check all of the mailboxes.

When we do run a pull, I live in fear of casting my net too wide, and pulling messages that should not have been pulled. What tool(s) do you use for pulling messages, and how do you filter the messages to make sure you only hit those messages that you want to hit, while still hitting all of them?

We also have outbound spam filtering, which has detected a number of account compromises - though I have noticed this being less effective as time goes on (more compromised accounts are sending out a lower quantity of "higher" quality spam/phishing messages that don't get caught).

Thank You
Frank

On Thu, Aug 11, 2016 at 1:46 AM, Steven Alexander <steven.alexander () kccd edu> wrote:
I'm new to my role so I don't know if we've had objections in the past, but we do pull phishing/malicious emails from our users' inboxes. Once we've identified that the content is dangerous, the safest option is to remove it. Simply alerting people that the content is dangerous might reduce click rates substantially, but it won't reduce them to zero. I'd rather have to defend the decision to pull than deal with a breach or a ransomware infection.

I think the best approach is to be up front and set clear ground rules for when this capability can be used. If it's only used to pull emails with malicious attachments and phishing links, there shouldn't be many objections. If it's used to stifle a discussion, even once, it will be hard to regain the trust of your faculty and other users.

Steven Alexander
Director of IT Security
Kern Community College District

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [ SECURITY () LISTSERV EDUCAUSE EDU] on behalf of James Valente [ jvalente () SALEMSTATE EDU]
Sent: Wednesday, August 10, 2016 3:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts

<snip>

Also, RE: Removing malicious messages. I know this has come up in other discussions amongst schools and a few people have mentioned that there have been members of the faculty who get very upset if messages are deleted. We haven't tried to pull or delete messages here, however.

Thanks,
James Valente
Associate Director of Information Security
Salem State University
--
Frank Barton ACMT
IT Systems Administrator
Husson University