Educause Security Discussion mailing list archives

Re: SOP for Managing Phishing/Ransomware Attempts


From: Frank Barton <bartonf () HUSSON EDU>
Date: Thu, 11 Aug 2016 09:30:53 -0400

Steven, you make a very good point about pulling messages. We
have used that ability a total of 3 times here, all for malicious (in a
technical, not in a personal sense) content. Who in your organization makes
the final call as to whether a message can be pulled?
We're a fairly small school, and a GAFE school, and we use GAM in those
cases where we do pull a message. Even so, it can take over 90 minutes for
a full pass to happen to pull a message. This is "okay" when we are talking
about a single message that we can identify easily (say a single MessageID
sent to a large number of people). When we have to check for multiple
MessageIDs, it takes substantially longer to check all of the mailboxes.
When we do run a pull, I live in fear of casting my net too wide and
pulling messages that should not have been pulled. What tool(s) do you use
for pulling messages, and how do you filter the messages to make sure you
only hit those messages that you want to hit, while still hitting all of
them?

We also have outbound spam filtering, which has detected a number of
account compromises - though I have noticed this being less effective as
time goes on (more compromised accounts are sending out a lower quantity of
a "higher" quality spam/phishing messages that don't get caught)

Thank you
Frank

On Thu, Aug 11, 2016 at 1:46 AM, Steven Alexander <steven.alexander () kccd edu> wrote:

I'm new to my role so I don't know if we've had objections in the past,
but we do pull phishing/malicious emails from our users' inboxes.  Once
we've identified that the content is dangerous, the safest option is to
remove it.  Simply alerting people that the content is dangerous might
reduce click rates substantially, but it won't reduce them to zero.  I'd
rather have to defend the decision to pull than deal with a breach or a
ransomware infection.

I think the best approach is to be up front and set clear ground rules for
when this capability can be used.  If it's only used to pull emails with
malicious attachments and phishing links, there shouldn't be many
objections.  If it's used to stifle a discussion, even once, it will be
hard to regain the trust of your faculty and other users.

Steven Alexander
Director of IT Security
Kern Community College District

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [
SECURITY () LISTSERV EDUCAUSE EDU] on behalf of James Valente [
jvalente () SALEMSTATE EDU]
Sent: Wednesday, August 10, 2016 3:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts

<snip>

Also, RE: Removing malicious messages. I know this has come up in other
discussions amongst schools and a few people have mentioned that there have
been members of the faculty who get very upset if messages are deleted. We
haven't tried to pull or delete messages here, however.

Thanks,
James Valente
Associate Director of Information Security
Salem State University




-- 
Frank Barton
ACMT
IT Systems Administrator
Husson University
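Added example (not code from the thread or from Husson/KCCD): one way to do the
GAM pull Frank describes so that the query cannot hit anything but the known
message, and so that several MessageIDs are handled in a single pass rather
than one pass per ID. It assumes GAM (https://github.com/jay0lee/GAM) is
installed and authorised for the domain, that the command forms
`gam all users print messages query ...` and
`gam all users delete messages query ... max_to_delete N doit` are available
in your GAM version (check `gam help`), that the print form emits CSV with a
header row, and that an expected recipient count is known from the mail
gateway log or the message headers. The Message-IDs in the usage line are
constructed.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: one-pass purge of known phishing
# messages from every mailbox with GAM.  Assumes GAM is installed and
# authorised for the domain and that the print/delete command forms used
# below match your GAM version (verify with `gam help`).

# Build one Gmail search query that matches only the listed RFC 822
# Message-IDs.  rfc822msgid: is an exact-match operator, so the query cannot
# sweep in unrelated mail, and OR-ing the IDs means one pass over all
# mailboxes instead of one pass per ID.
build_query() {
    local q="" id
    for id in "$@"; do
        id=${id#<}; id=${id%>}            # accept IDs with or without <...>
        if [ -z "$q" ]; then
            q="rfc822msgid:$id"
        else
            q="$q OR rfc822msgid:$id"
        fi
    done
    printf '%s' "$q"
}

# Guardrail for the destructive pass: refuse when the preview found no hits
# or more hits than the mail could plausibly have reached (hits is the total
# across the domain, expected is the recipient count from the gateway/headers).
within_expected() {   # usage: within_expected <hits> <expected_total>
    [ "$1" -gt 0 ] && [ "$1" -le "$2" ]
}

# Preview, check, then delete.  Nothing is deleted without `doit`.
purge_message() {     # usage: purge_message <expected_recipients> <message-id>...
    local expected=$1; shift
    local ids=$#
    local query; query=$(build_query "$@")
    echo "query: $query"
    # Preview pass (assumption: CSV with a header row, one row per hit).
    local hits
    hits=$(gam all users print messages query "$query" | tail -n +2 | wc -l)
    echo "preview found $hits message(s)"
    if ! within_expected "$hits" "$((expected * ids))"; then
        echo "refusing to delete: $hits hits is outside 1..$((expected * ids))" >&2
        return 1
    fi
    # max_to_delete caps deletions per mailbox; a mailbox normally holds at
    # most one copy of each Message-ID, so the cap is the number of IDs purged.
    gam all users delete messages query "$query" max_to_delete "$ids" doit
}

# Run as: ./purge-phish.sh purge 350 '<a1b2c3@phish.example>' '<d4e5f6@phish.example>'
# Running the file with no arguments only defines the functions.
if [ "${1:-}" = "purge" ]; then
    shift
    purge_message "$@"
fi
```

The preview pass is the part that answers the "casting my net too wide" worry:
review the listed hits (sender, subject, recipients) before adding `doit`, and
keep the expected-count check so a typo in the Message-ID list, or a query
that accidentally widens to a subject or sender match, stops the run instead
of emptying mailboxes.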