Educause Security Discussion mailing list archives

Re: SOP for Managing Phishing/Ransomware Attempts


From: "Hollis, Michael" <Michael.Hollis () UNTHSC EDU>
Date: Wed, 17 Aug 2016 12:51:15 +0000

Count me in, too.

Thanks,
Mike

Michael Hollis
Information Security Analyst/Senior Systems Analyst
ITS, Product Development and Engineering,
University of North Texas Health Science Center
Fort Worth, TX



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SECURITY 
automatic digest system
Sent: Tuesday, August 16, 2016 11:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: SECURITY Digest - 16 Aug 2016 (#2016-129)

There are 2 messages totalling 2161 lines in this issue.

Topics of the day:

  1. SECURITY Digest - 16 Aug 2016 - Special issue (#2016-127)
  2. SOP for Managing Phishing/Ransomware Attempts

----------------------------------------------------------------------

Date:    Wed, 17 Aug 2016 02:07:37 +0000
From:    Marty Leidner <marty () MAIL ROCKEFELLER EDU>
Subject: Re: SECURITY Digest - 16 Aug 2016 - Special issue (#2016-127)

Count me in

CISO
The Rockefeller University
Marty

On Aug 16, 2016, at 3:58 PM, Tallman, Dean <DTallman () WLU EDU> wrote:

Please count me in.

Dean Tallman
Chief Information Security Officer
Washington and Lee University
301 Davis Hall
Lexington, VA 24450
T: (540) 458-8089



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv 
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SECURITY 
automatic digest system
Sent: Tuesday, August 16, 2016 3:38 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: SECURITY Digest - 16 Aug 2016 - Special issue (#2016-127)

There are 2 messages totalling 20793 lines in this issue.

Topics in this special issue:

 1. SOP for Managing Phishing/Ransomware Attempts (2)

----------------------------------------------------------------------

Date:    Tue, 16 Aug 2016 19:34:39 +0000
From:    David D Grisham <DGrisham () SALUD UNM EDU>
Subject: Re: SOP for Managing Phishing/Ransomware Attempts

Please count me in.
Cheers.-grish
David Grisham
David Grisham, PhD, CISM, CRISC, CHS III
Manager, IT Security, UNM Hospitals, UNM Health Science Center
505.272.5657
Dgrisham () salud UNM edu



From: The EDUCAUSE Security Constituent Group Listserv 
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bertone, John
Sent: Tuesday, August 16, 2016 1:17 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts

Keith,

I would be interested .

Thanks,

John

John Bertone
Director of Network Operations
Bunker Hill Community College
250 Rutherford Ave
Boston, MA 02129
Email: jbertone () bhcc mass edu
Phone: 617-228-3460
Mobile: 617-959-4366

From: The EDUCAUSE Security Constituent Group Listserv 
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Keith Hartranft
Sent: Tuesday, August 16, 2016 1:22 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts

Hi all,

I've been asked by some folks to share our flow processes for anti-phishing and please know I'm happy to do so. If 
there is sufficient interest I'd also be happy to arrange a Webcast of some sort to do a walk through of the process.

Thanks,

Keith

On Sat, Aug 13, 2016 at 12:11 PM, Joel Anderson <joela () umn edu> wrote:
FWIW, I describe a lot of what we've been doing in a SANS paper, including using "honeypeeps" to identify phisher's 
source IP addresses.  We also maintain a blog (phishing.it.umn.edu) to highlight phishing campaigns and post advisories.

Reducing the Catch: Fighting Spear-Phishing in a Large Organization 
https://www.sans.org/reading-room/whitepapers/forensics/reducing-catch-fighting-spear-phishing-large-organization-35547

On Thu, Aug 11, 2016 at 8:39 AM, Keith Hartranft <kkh288 () lehigh edu> wrote:
Hello all,

We do have a somewhat formalized process for Phishing emails and it has been flowcharted. I'd be happy to share these 
with RI folks and we've talked about (Doug help please?) a central place/wiki for that.

I will say the process is specific to how our systems are structured but I think there are some things that all 
organizations might find useful in our process.

A few things to note:

 *   We have not "pulled" phishing emails from mailboxes. We do however note particularly good ones, note who has 
     "opened" them, and watch for suspicious logons from those users with our SIEM dashes. Particularly good phishes we 
     also "seed" with peep accounts and then monitor those locations more closely.
 *   We run our own DNS block (Malwaredomains) which helps mitigate on campus access. You may get that feed as well 
     ..... in a variety of ways. We also report to Google Safebrowsing, Phishtank, Symantec, ThreatStream via HiTrust .... 
     which gets links into Browser and many AV Browser/reputation blocks VERY quickly.
 *   We use GMail content filters to protect many users from common phishes that would have gotten through in the 
     past. We react with new rules when new "more inventive?" phishes occur. I think this has had significant impact on 
     phish reduction ...... but with the semester about to begin, we'll see for certain.
 *   We post phishes to our Help pages and warnings. If the phish is particularly good or generates a high level of 
     calls or response .... we send a campus notification. (As we had last year with a "Terror Threat Email") It should be 
     noted that a second round of "Terror Threat" attempts was almost totally mitigated by the content compliance filters.
 *   We do some limited data mining via Vault for new phishes that miss the content compliance net and respond 
     accordingly.
 *   We notify senders of possible account compromise if in the edu or gov spaces. We sometimes notify hosts if they 
     are particularly responsive (Formcrafts you can 404 the site by reporting).

I think those are the highlights. Any questions ...... fire away!

Thanks,

Keith

On Thu, Aug 11, 2016 at 1:46 AM, Steven Alexander <steven.alexander () kccd edu> wrote:
I'm new to my role so I don't know if we've had objections in the past, but we do pull phishing/malicious emails from 
our users' inboxes.  Once we've identified that the content is dangerous, the safest option is to remove it.  Simply 
alerting people that the content is dangerous might reduce click rates substantially, but it won't reduce them to 
zero.  I'd rather have to defend the decision to pull than deal with a breach or a ransomware infection.

I think the best approach is to be up front and set clear ground rules for when this capability can be used.  If it's 
only used to pull emails with malicious attachments and phishing links, there shouldn't be many objections.  If it's 
used to stifle a discussion, even once, it will be hard to regain the trust of your faculty and other users.

Steven Alexander
Director of IT Security
Kern Community College District

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of James Valente 
[jvalente () SALEMSTATE EDU]
Sent: Wednesday, August 10, 2016 3:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts

<snip>

Also, RE: Removing malicious messages. I know this has come up in other discussions amongst schools and a few people 
have mentioned that there have been members of the faculty who get very upset if messages are deleted. We haven't 
tried to pull or delete messages here, however.

Thanks,
James Valente
Associate Director of Information Security
Salem State University



--
Keith K Hartranft, CISSP, CISM, PCI-DSS ISA & PCIP
Chief Information Security Officer
Lehigh University
610-758-3994



--
  ---------------------------------------------------
  joel anderson * joela () umn edu *  @joelpetera
  -->  612-625-7389  --> pager: 612-648-6823
  Security Analyst
  University Information Security - University of Minnesota
  http://it.umn.edu/practices-information-security-policy

"Email is the thermal exhaust port on the Death Star
of IT infrastructure." - me





--
Keith K Hartranft, CISSP, CISM, PCI-DSS ISA & PCIP
Chief Information Security Officer
Lehigh University
610-758-3994

------------------------------
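
The first two bullets of Keith's Aug 11 message (note who "opened" a good phish and watch those users' logons in the SIEM; "seed" the phish with peep accounts and monitor them) and Joel's "honeypeeps" describe one detection pattern. The Python below is an added example written for this archive page; it is not code from Lehigh, Minnesota or any list member. Everything it consumes is constructed so it runs offline: the key=value auth-log format, the user names, the RFC 5737 source addresses, the 10.20.0.0/16 "campus" range, the rule names and the incident fields are all assumptions for the illustration. Honey-account credentials exist only on the phish site, so any logon with them is treated as the phisher; that source IP is then pivoted across every other account seen from it, and users known to have opened the phish are flagged on a successful off-campus logon from a geo they never used before the phish arrived.

```python
"""Added example: correlate a phish incident with auth logs. All data is constructed."""
from __future__ import annotations

import ipaddress
import re
from collections import namedtuple
from datetime import datetime, timezone

# Constructed auth log in a hypothetical key=value format. 10.20.0.0/16 plays the
# campus network; RFC 5737 addresses play off-campus sources.
SAMPLE_AUTH_LOG = """\
2016-08-10T09:02:11Z user=alice src=10.20.30.41 geo=US result=success
2016-08-10T09:15:42Z user=bob src=10.20.31.12 geo=US result=success
2016-08-10T18:40:03Z user=dave src=10.20.33.8 geo=US result=success
2016-08-12T03:17:09Z user=alice src=203.0.113.77 geo=NG result=success
2016-08-12T03:19:51Z user=alice src=203.0.113.77 geo=NG result=success
2016-08-12T03:22:30Z user=peep-07 src=203.0.113.77 geo=NG result=failure
2016-08-12T03:23:05Z user=peep-07 src=203.0.113.77 geo=NG result=success
2016-08-12T03:40:00Z user=dave src=203.0.113.77 geo=NG result=success
2016-08-12T06:05:00Z user=bob src=192.0.2.15 geo=RU result=success
2016-08-12T08:00:00Z user=carol src=10.20.32.5 geo=US result=success
2016-08-13T14:00:00Z user=bob src=198.51.100.9 geo=US result=success
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
                     r"geo=(?P<geo>\S+) result=(?P<result>\S+)$")

Logon = namedtuple("Logon", "ts user src geo success")
Alert = namedtuple("Alert", "rule user src first_seen")
# seen_at: when the phish was first observed; opened_by: users the mail logs show
# opened it; honey_accounts: decoy accounts whose credentials were typed into the
# phish site; campus_nets: ip_network objects treated as on-campus.
PhishIncident = namedtuple("PhishIncident", "seen_at opened_by honey_accounts campus_nets")


def parse_auth_log(text: str) -> list:
    """Parse key=value lines; a line in another format is skipped, not fatal."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            out.append(Logon(ts, m["user"], m["src"], m["geo"], m["result"] == "success"))
    return out


def on_campus(src: str, nets) -> bool:
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparseable source is treated as off-campus
    return any(ip in net for net in nets)


def baseline_geos(logons, before: datetime) -> dict:
    """Geos each user logged in from (successfully) before the phish arrived."""
    base = {}
    for ev in logons:
        if ev.success and ev.ts < before:
            base.setdefault(ev.user, set()).add(ev.geo)
    return base


def correlate(logons, incident: PhishIncident):
    """Return (alerts sorted by first occurrence, phisher source IPs)."""
    logons = sorted(logons, key=lambda ev: ev.ts)
    base = baseline_geos(logons, incident.seen_at)
    alerts = {}  # keyed on (rule, user, src) so repeats collapse into one alert
    phisher_ips = set()

    def fire(rule, ev):
        alerts.setdefault((rule, ev.user, ev.src), Alert(rule, ev.user, ev.src, ev.ts))

    # Pass 1: honey accounts. Their credentials exist only on the phish site, so
    # any attempt, failed or not, is the phisher and yields a source IP.
    for ev in logons:
        if ev.user in incident.honey_accounts:
            fire("honey-account-logon", ev)
            phisher_ips.add(ev.src)
    # Pass 2: real accounts after the phish appeared. Honey IPs apply to the whole
    # window, so a harvested account used before the honey logon still hits.
    for ev in logons:
        if not ev.success or ev.ts < incident.seen_at or ev.user in incident.honey_accounts:
            continue
        if ev.src in phisher_ips:
            fire("logon-from-phisher-ip", ev)
        elif (ev.user in incident.opened_by and not on_campus(ev.src, incident.campus_nets)
              and ev.geo not in base.get(ev.user, set())):
            fire("exposed-user-new-geo", ev)
    return sorted(alerts.values(), key=lambda a: a.first_seen), phisher_ips


def run_demo():
    """Correlate the constructed log against a constructed incident."""
    incident = PhishIncident(
        seen_at=datetime(2016, 8, 11, 8, 30, tzinfo=timezone.utc),
        opened_by=frozenset({"alice", "bob"}),
        honey_accounts=frozenset({"peep-07"}),
        campus_nets=(ipaddress.ip_network("10.20.0.0/16"),),
    )
    return correlate(parse_auth_log(SAMPLE_AUTH_LOG), incident)


if __name__ == "__main__":
    found, ips = run_demo()
    for a in found:
        print(f"{a.first_seen:%Y-%m-%d %H:%M}  {a.rule:23} {a.user:8} {a.src}")
    print("phisher IPs to block and report:", sorted(ips))
```

Run as a script it prints four alerts and the single phisher IP. The IP set is what you would push into the DNS or border block and into the reporting step Keith describes; the `logon-from-phisher-ip` hit on an account that was never on the "opened" list (dave in the sample) is the important one, since that user was phished without showing up in the mail logs. Bob's later logon from a new off-campus address but a geo he had used before is deliberately left unflagged to keep the rule from paging on ordinary travel.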

Date:    Tue, 16 Aug 2016 15:37:41 -0400
From:    Keith Hartranft <kkh288 () LEHIGH EDU>
Subject: Re: SOP for Managing Phishing/Ransomware Attempts

Hello David,

Attached are the anti-phishing flow processes you requested. They may need
some explanation for the steps to be most effective and I'm working to
arrange a Zoomcast or meeting of some sort to do just that. I'll let you
know when that is arranged.

Thanks,

Keith

-- 

*Keith K Hartranft, CISSP, CISM, PCI-DSS ISA & PCIP*
*Chief Information Security Officer*

*Lehigh University610-758-3994*

------------------------------

End of SECURITY Digest - 16 Aug 2016 - Special issue (#2016-127)
****************************************************************

------------------------------

Date:    Tue, 16 Aug 2016 22:34:38 -0400
From:    Alexandre Adao <alexandre.adao () MORGAN EDU>
Subject: Re: SOP for Managing Phishing/Ransomware Attempts

I am interested.
Thanks,

--Alex Adao


On Tue, Aug 16, 2016 at 9:56 PM, Amir Akbari <aa3840 () tc columbia edu> wrote:

The Infosec team at teachers college is interested too.  Please count us
in.

Thanks,
Amir




Amir Akbari
Chief Information Security Officer
525 West 120th Street, Box 43
New York, N.Y. 10027
T. 212.678.3920
E. amir.akbari () tc columbia edu <husain () tc columbia edu>

On Aug 16, 2016, at 9:49 PM, Rob Cherveny <Rob.Cherveny () UNG EDU> wrote:

UNG is in.

--
Rob Cherveny, PMP
Director, Information Security
University of North Georgia

On Aug 16, 2016, at 18:02, Kyle Kniffin <kyle () POLK EDU> wrote:

Please add myself as well.


Thanks,

Kyle Kniffin
Network Engineer
Polk State College
999 Ave. H. NE
Winter Haven, FL 33881
(863) 298-6840


________________________________
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Taylor Randle 
<TRandle () PARKER EDU>
Sent: Tuesday, August 16, 2016 5:51 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts


Interested as well. Thanks!





Taylor Randle
IT Security Manager


2540 Walnut Hill Lane, Dallas, TX 75229
T: 214.902.2439 | F: 214.902.2431
trandle () parker edu
www.parker.edu | www.parkerseminars.com



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU]
On Behalf Of Miguel Angel Gonzalez de la Torre
Sent: Tuesday, August 16, 2016 4:47 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts



Count me in… and thanks for sharing…



Ing. Miguel Angel González de la Torre, MCC

Director of Information Security
Information Technology Office

Contact me on Skype for Business <sip:mglez () itesm mx>

Tel.: 52 (81) 8158 2000, ext. 2936. Fax: 81 81582287
Intercampus link: 80-689-2936.



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU]
On Behalf Of Jeff Choo
Sent: Tuesday, 16 August 2016 4:18 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts



Me too!  Thanks!





Jeff Choo - Director, Information Technology | Information Security Officer

William James College

One Wells Avenue, Newton, MA 02459

Helpdesk: 617-327-6777 x1600

Direct: 617-564-9344

Email: jeff_choo () williamjames edu







From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU]
On Behalf Of Theresa Semmens
Sent: Tuesday, August 16, 2016 5:11 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts



Count NDSU in please.



Theresa Semmens, CISA

NDSU Chief Information Security Officer

Director, Records Management

Office: 210D Quentin Burdick Building

Mail: NDSU Dept 4500

PO Box 6050

Fargo, ND 58108-6050

P: 701-231-5870

F: 701-231-8541

E: Theresa.Semmens () ndsu edu

www.ndsu.edu/its/security



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU]
On Behalf Of Andy Morgan
Sent: Tuesday, August 16, 2016 2:39 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] SOP for Managing Phishing/Ransomware Attempts



Count me in



From: The EDUCAUSE Security Constituent Group Listserv [
mailto:SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>]
On Behalf Of David D Grisham.
Sent: August 16, 2016 3:35 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU
<SECURITY () LISTSERV EDUCAUSE EDU>>
Subject: Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts



Please count me in.

Cheers.-grish

David Grisham

David Grisham, PhD, CISM, CRISC,  CHS III

Manager, ITSecurity, UNM Hospitals, UNM Health Science Center

505.272.5657

Dgrisham () salud UNM edu<mailto:Dgrisham () salud UNM edu
<Dgrisham () salud UNM edu>>







From: The EDUCAUSE Security Constituent Group Listserv [
mailto:SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>]
On Behalf Of Bertone, John
Sent: Tuesday, August 16, 2016 1:17 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU
<SECURITY () LISTSERV EDUCAUSE EDU>>
Subject: Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts



Keith,



I would be interested .



Thanks,



John



John Bertone

Director of Network Operations

Bunker Hill Community College

250 Rutherford Ave

Boston, MA 02129

Email: jbertone () bhcc mass edu

Phone: 617-228-3460

Mobile: 617-959-4366



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Keith Hartranft
Sent: Tuesday, August 16, 2016 1:22 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts



Hi all,



I've been asked by some folks to share our flow processes for
anti-phishing and please know I'm happy to do so. If there is sufficient
interest I'd also be happy to arrange a Webcast of some sort to do a walk
through of the process.



Thanks,



Keith



On Sat, Aug 13, 2016 at 12:11 PM, Joel Anderson <joela () umn edu> wrote:

FWIW, I describe a lot of what we've been doing in a SANS paper, including
using "honeypeeps" to identify phishers' source IP addresses.  We also
maintain a blog (phishing.it.umn.edu) to highlight phishing
campaigns and post advisories.



Reducing the Catch: Fighting Spear-Phishing in a Large Organization

https://www.sans.org/reading-room/whitepapers/forensics/reducing-catch-fighting-spear-phishing-large-organization-35547




On Thu, Aug 11, 2016 at 8:39 AM, Keith Hartranft <kkh288 () lehigh edu> wrote:

Hello all,



We do have a somewhat formalized process for Phishing emails and it has
been flowcharted. I'd be happy to share these with RI folks and we've
talked about (Doug help please?) a central place/wiki for that.



I will say the process is specific to how our systems are structured but I
think there are some things that all organizations might find useful in our
process.



A few things to note:



*   We have not "pulled" phishing emails from mailboxes. We do however
note particularly good ones, note who has "opened" them, and watch for
suspicious logons from those users with our SIEM dashes. Particularly good
phishes we also "seed" with peep accounts and then monitor those locations
more closely.
*   We run our own DNS block (Malwaredomains) which helps mitigate on-campus
access. You may get that feed as well ..... in a variety of ways. We
also report to Google Safebrowsing, Phishtank, Symantec, ThreatStream via
HiTrust .... which gets links into browser and many AV browser/reputation
blocks VERY quickly.
*   We use GMail content filters to protect many users from common phishes
that would have gotten through in the past. We react with new rules when
new "more inventive?" phishes occur. I think this has had significant
impact on phish reduction ...... but with the semester about to begin,
we'll see for certain.
*   We post phishes to our Help pages and warnings. If the phish is
particularly good or generates a high level of calls or response .... we send
a campus notification. (As we had last year with a "Terror Threat Email".)
It should be noted that a second round of "Terror Threat" attempts was
almost totally mitigated by the content compliance filters.
*   We do some limited data mining via Vault for new phishes that miss the
content compliance net and respond accordingly.
*   We notify senders of possible account compromise if in the edu or gov
spaces. We sometimes notify hosts if they are particularly responsive
(Formcrafts: you can 404 the site by reporting).

I think those are the highlights. Any questions ...... fire away!



Thanks,



Keith



On Thu, Aug 11, 2016 at 1:46 AM, Steven Alexander <steven.alexander () kccd edu> wrote:

I'm new to my role so I don't know if we've had objections in the past,
but we do pull phishing/malicious emails from our users' inboxes.  Once
we've identified that the content is dangerous, the safest option is to
remove it.  Simply alerting people that the content is dangerous might
reduce click rates substantially, but it won't reduce them to zero.  I'd
rather have to defend the decision to pull than deal with a breach or a
ransomware infection.

I think the best approach is to be up front and set clear ground rules for
when this capability can be used.  If it's only used to pull emails with
malicious attachments and phishing links, there shouldn't be many
objections.  If it's used to stifle a discussion, even once, it will be
hard to regain the trust of your faculty and other users.

Steven Alexander
Director of IT Security
Kern Community College District

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of James Valente [jvalente () SALEMSTATE EDU]
Sent: Wednesday, August 10, 2016 3:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts

<snip>

Also, RE: Removing malicious messages. I know this has come up in other
discussions amongst schools and a few people have mentioned that there have
been members of the faculty who get very upset if messages are deleted. We
haven't tried to pull or delete messages here, however.

Thanks,
James Valente
Associate Director of Information Security
Salem State University





--

Keith K Hartranft, CISSP, CISM, PCI-DSS ISA & PCIP

Chief Information Security Officer

Lehigh University
610-758-3994
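Two of the monitoring ideas above, Keith Hartranft's "note who opened the phish and watch those users' logons in the SIEM" plus seeding the phish with decoy "peep" accounts, and Joel Anderson's "honeypeeps" for learning the phisher's source IPs, can be joined into one small correlation. The following is an added example written for this archive, not code from any poster or institution in the thread; the logon record format, user names, IPs and baseline are all constructed.

```python
from typing import Dict, List, Set

# Constructed sample data (not from any poster): accounts seen opening the
# phish, and the decoy "peep"/"honeypeep" accounts seeded into its form.
PHISH_OPENERS: Set[str] = {"alice", "bob"}
PEEP_ACCOUNTS: Set[str] = {"peep01"}

# Constructed baseline: source IPs each user logged on from before the phish.
BASELINE: Dict[str, Set[str]] = {
    "alice": {"10.1.2.3"}, "bob": {"10.1.2.4"}, "carol": {"10.1.2.5"},
}

# Constructed logon records in an assumed "<ts> <user> <src_ip> <result>" form.
LOGONS: List[str] = [
    "2016-08-11T09:00:00 alice 10.1.2.3 success",
    "2016-08-11T09:05:00 alice 203.0.113.7 success",
    "2016-08-11T09:06:00 carol 198.51.100.9 success",
    "2016-08-11T09:07:00 peep01 203.0.113.7 success",
    "2016-08-11T09:08:00 bob 10.1.2.4 failure",
]

def parse_logon(line: str) -> Dict[str, str]:
    ts, user, ip, result = line.split()
    return {"ts": ts, "user": user, "ip": ip, "result": result}

def suspicious_logons(lines: List[str], openers: Set[str], peeps: Set[str],
                      baseline: Dict[str, Set[str]]) -> List[Dict[str, str]]:
    """Flag any use of a decoy account, then any phish opener logging on
    from an IP that touched a decoy account or that is new for that user."""
    events = [parse_logon(line) for line in lines]
    decoy_ips = {e["ip"] for e in events if e["user"] in peeps}
    alerts = []
    for ev in events:
        if ev["user"] in peeps:
            reason = "decoy account used"
        elif ev["user"] in openers and ev["ip"] in decoy_ips:
            reason = "opener logon from decoy-linked IP"
        elif ev["user"] in openers and ev["ip"] not in baseline.get(ev["user"], set()):
            reason = "opener logon from unseen IP"
        else:
            continue  # users who did not open the phish are left alone
        alerts.append({**ev, "reason": reason})
    return alerts

def phisher_source_ips(alerts: List[Dict[str, str]]) -> Set[str]:
    """IPs that logged on to decoy accounts: candidates to block and report."""
    return {a["ip"] for a in alerts if a["reason"] == "decoy account used"}
```

Running `suspicious_logons(LOGONS, PHISH_OPENERS, PEEP_ACCOUNTS, BASELINE)` on the constructed data flags alice's logon from the IP that also hit the decoy account, and the decoy logon itself, while carol's new-IP logon is ignored because she never opened the phish.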





--

--
 ---------------------------------------------------
 joel anderson * joela () umn edu *  @joelpetera

 -->  612-625-7389  --> pager: 612-648-6823

 Security Analyst

University Information Security - University of Minnesota

http://it.umn.edu/practices-information-security-policy



"Email is the thermal exhaust port on the Death Star

of IT infrastructure." - me










--

Keith K Hartranft, CISSP, CISM, PCI-DSS ISA & PCIP

Chief Information Security Officer

Lehigh University
610-758-3994

This message may contain confidential information intended only for the
individual named. If you received this message by mistake, please let the
sender know by e-mail reply and delete it from your system. If you are not
the intended recipient you are hereby notified that disclosing, copying,
distributing or taking any action in reliance on the contents of this
information is strictly prohibited.

________________________________

Please Note: Due to Florida's very broad public records law, most written
communications to or from College employees regarding College business are
public records, available to the public and media upon request. Therefore,
this email communication may be subject to public disclosure.

Save a tree - Think before you print this email





-- 
=============================================
Alexandre Magno Adão
Director of Information Security
Morgan State University (CGW 300k)
Office of  Information Technology (OIT)
443-443-885-4415 Office
443-803-3154 Cell
<http://www.morgan.edu>

------------------------------

End of SECURITY Digest - 16 Aug 2016 (#2016-129)
************************************************
