Educause Security Discussion mailing list archives

Re: SOP for Managing Phishing/Ransomware Attempts


From: James Farr <jfarr () UTICA EDU>
Date: Wed, 17 Aug 2016 11:20:28 -0400

I would like an invitation also.



James Farr

Information Security Officer

Utica College

jfarr () utica edu

315-223-2386





*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Aiken Jr, Julian H
*Sent:* Tuesday, August 16, 2016 5:26 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts



Keith,



I would like to be invited as well.




*Julian H Aiken, Jr*
Executive Director of IT Services

*ECPI University* | 5555 Greenwich Road | Virginia Beach, VA 23462
(Phone) 757-490-9090 x55303 | jaiken () ecpi edu | www.ecpi.edu

*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Jeff Choo
*Sent:* Tuesday, August 16, 2016 5:18 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts



Me too!  Thanks!





*Jeff Choo - Director, Information Technology | Information Security
Officer*

William James College

One Wells Avenue, Newton, MA 02459

Helpdesk: 617-327-6777 x1600

Direct: 617-564-9344

Email: jeff_choo () williamjames edu







*From:* The EDUCAUSE Security Constituent Group Listserv [
mailto:SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>] *On
Behalf Of *Theresa Semmens
*Sent:* Tuesday, August 16, 2016 5:11 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts



Count NDSU in please.



Theresa Semmens, CISA

NDSU Chief Information Security Officer

Director, Records Management

Office: 210D Quentin Burdick Building

Mail: NDSU Dept 4500

PO Box 6050

Fargo, ND 58108-6050

P: 701-231-5870

F: 701-231-8541

E: Theresa.Semmens () ndsu edu

www.ndsu.edu/its/security



*From:* The EDUCAUSE Security Constituent Group Listserv [
mailto:SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>] *On
Behalf Of *Andy Morgan
*Sent:* Tuesday, August 16, 2016 2:39 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] SOP for Managing Phishing/Ransomware Attempts



Count me in



*From:* The EDUCAUSE Security Constituent Group Listserv [
mailto:SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>] *On
Behalf Of *David D Grisham.
*Sent:* August 16, 2016 3:35 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts



Please count me in.

Cheers. -grish

*David Grisham*

David Grisham, PhD, CISM, CRISC, CHS III

Manager, IT Security, UNM Hospitals, UNM Health Science Center

505.272.5657

Dgrisham () salud UNM edu







*From:* The EDUCAUSE Security Constituent Group Listserv [
mailto:SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>] *On
Behalf Of *Bertone, John
*Sent:* Tuesday, August 16, 2016 1:17 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts



Keith,



I would be interested.



Thanks,



John



John Bertone

Director of Network Operations

Bunker Hill Community College

250 Rutherford Ave

Boston, MA 02129

Email: jbertone () bhcc mass edu

Phone: 617-228-3460

Mobile: 617-959-4366



*From:* The EDUCAUSE Security Constituent Group Listserv [
mailto:SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>] *On
Behalf Of *Keith Hartranft
*Sent:* Tuesday, August 16, 2016 1:22 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts



Hi all,



I've been asked by some folks to share our flow processes for anti-phishing
and please know I'm happy to do so. If there is sufficient interest I'd
also be happy to arrange a Webcast of some sort to do a walk through of the
process.



Thanks,



Keith



On Sat, Aug 13, 2016 at 12:11 PM, Joel Anderson <joela () umn edu> wrote:

FWIW, I describe a lot of what we've been doing in a SANS paper, including
using "honeypeeps" to identify phisher's source IP addresses.  We also
maintain a blog (phishing.it.umn.edu) to highlight phishing campaigns and
post advisories.



*Reducing the Catch: Fighting Spear-Phishing in a Large Organization*

https://www.sans.org/reading-room/whitepapers/forensics/reducing-catch-fighting-spear-phishing-large-organization-35547



On Thu, Aug 11, 2016 at 8:39 AM, Keith Hartranft <kkh288 () lehigh edu> wrote:

Hello all,



We do have a somewhat formalized process for Phishing emails and it has
been flowcharted. I'd be happy to share these with RI folks and we've
talked about (Doug help please?) a central place/wiki for that.



I will say the process is specific to how our systems are structured but I
think there are some things that all organizations might find useful in our
process.



A few things to note:



- We have not "pulled" phishing emails from mailboxes. We do, however, note particularly good ones, note who has "opened" them, and watch for suspicious logons from those users with our SIEM dashes. Particularly good phishes we also "seed" with peep accounts and then monitor those locations more closely.
- We run our own DNS block (Malwaredomains) which helps mitigate on-campus access. You may get that feed as well ..... in a variety of ways. We also report to Google Safebrowsing, Phishtank, Symantec, ThreatStream via HiTrust .... which gets links into Browser and many AV Browser/reputation blocks VERY quickly.
- We use GMail content filters to protect many users from common phishes that would have gotten through in the past. We react with new rules when new "more inventive?" phishes occur. I think this has had significant impact on phish reduction ...... but with the semester about to begin, we'll see for certain.
- We post phishes to our Help pages and warnings. If the phish is particularly good or generates a high level of calls or response .... we send a campus notification. (As we had last year with a "Terror Threat Email") It should be noted that a second round of "Terror Threat" attempts was almost totally mitigated by the content compliance filters.
- We do some limited data mining via Vault for new phishes that miss the content compliance net and respond accordingly.
- We notify senders of possible account compromise if in the edu or gov spaces. We sometimes notify hosts if they are particularly responsive (Formcrafts you can 404 the site by reporting).

I think those are the highlights. Any questions ...... fire away!



Thanks,



Keith



On Thu, Aug 11, 2016 at 1:46 AM, Steven Alexander <steven.alexander () kccd edu>
wrote:

I'm new to my role so I don't know if we've had objections in the past, but
we do pull phishing/malicious emails from our users' inboxes.  Once we've
identified that the content is dangerous, the safest option is to remove
it.  Simply alerting people that the content is dangerous might reduce
click rates substantially, but it won't reduce them to zero.  I'd rather
have to defend the decision to pull than deal with a breach or a ransomware
infection.

I think the best approach is to be up front and set clear ground rules for when
this capability can be used.  If it's only used to pull emails with
malicious attachments and phishing links, there shouldn't be many
objections.  If it's used to stifle a discussion, even once, it will be
hard to regain the trust of your faculty and other users.

Steven Alexander
Director of IT Security
Kern Community College District

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [
SECURITY () LISTSERV EDUCAUSE EDU] on behalf of James Valente [
jvalente () SALEMSTATE EDU]
Sent: Wednesday, August 10, 2016 3:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts

<snip>


Also, RE: Removing malicious messages. I know this has come up in other
discussions amongst schools and a few people have mentioned that there have
been members of the faculty who get very upset if messages are deleted. We
haven't tried to pull or delete messages here, however.

Thanks,
James Valente
Associate Director of Information Security
Salem State University





-- 

*Keith K Hartranft, CISSP, CISM, PCI-DSS ISA & PCIP*

*Chief Information Security Officer*


*Lehigh University | 610-758-3994*





-- 

--
   ---------------------------------------------------
   joel anderson * joela () umn edu *  @joelpetera

   -->  612-625-7389  --> pager: 612-648-6823

   Security Analyst

  University Information Security - University of Minnesota

   http://it.umn.edu/practices-information-security-policy



"Email is the thermal exhaust port on the Death Star

 of IT infrastructure." - me










-- 

*Keith K Hartranft, CISSP, CISM, PCI-DSS ISA & PCIP*

*Chief Information Security Officer*


*Lehigh University | 610-758-3994*

This message may contain confidential information intended only for the
individual named. If you received this message by mistake, please let the
sender know by e-mail reply and delete it from your system. If you are not
the intended recipient you are hereby notified that disclosing, copying,
distributing or taking any action in reliance on the contents of this
information is strictly prohibited.
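Keith Hartranft's bullet list above describes watching SIEM logons from users who "opened" a reported phish and seeding good phishes with "peep" accounts. The following is an added illustration of that detection logic, not code from Lehigh, Minnesota, or anyone on this thread; the user names, IP addresses, baseline networks and logon events are all constructed sample data, and the 72-hour watch window is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample data (assumption, not from the thread): the time the
# phish was reported, users whose mail logs show they opened it, the seed
# ("peep") accounts planted in the phisher's form, and each real user's
# baseline of known source network prefixes.
PHISH_OPENED_AT = datetime(2016, 8, 11, 9, 0)
OPENED_BY = {"alice", "bob"}
SEED_ACCOUNTS = {"peep01", "peep02"}
BASELINE_NETS = {"alice": {"10.1.", "198.51.100."}, "bob": {"10.2."}}
WATCH_WINDOW = timedelta(hours=72)  # assumed watch period after the phish

# Constructed SIEM logon events: (timestamp, user, source_ip, result)
LOGONS = [
    (datetime(2016, 8, 11, 9, 30), "alice", "10.1.4.7", "success"),
    (datetime(2016, 8, 11, 13, 5), "alice", "203.0.113.9", "success"),
    (datetime(2016, 8, 11, 14, 0), "bob", "10.2.0.3", "success"),
    (datetime(2016, 8, 12, 2, 10), "peep01", "203.0.113.9", "success"),
    (datetime(2016, 8, 15, 8, 0), "alice", "203.0.113.44", "success"),
    (datetime(2016, 8, 11, 15, 0), "carol", "203.0.113.9", "success"),
]

def in_baseline(user, ip):
    """True if the source IP falls in one of the user's known networks."""
    return any(ip.startswith(p) for p in BASELINE_NETS.get(user, set()))

def flag_logons(logons, opened_at=PHISH_OPENED_AT, opened_by=OPENED_BY,
                seeds=SEED_ACCOUNTS):
    """Return (reason, user, ip, timestamp) tuples worth an analyst's look."""
    alerts, seed_ips = [], set()
    for ts, user, ip, result in logons:
        if result != "success":
            continue
        if user in seeds:
            # A seed account has no legitimate owner: any logon is suspect,
            # and the source IP becomes a "location to monitor more closely".
            alerts.append(("SEED_ACCOUNT_LOGON", user, ip, ts))
            seed_ips.add(ip)
        elif (user in opened_by and opened_at <= ts <= opened_at + WATCH_WINDOW
              and not in_baseline(user, ip)):
            # Phish opener logging on from a network never seen for them.
            alerts.append(("OPENER_NEW_SOURCE", user, ip, ts))
    # Second pass: any real user logging on from an IP that touched a seed
    # account, whether or not they were a known opener.
    for ts, user, ip, result in logons:
        if result == "success" and user not in seeds and ip in seed_ips:
            alerts.append(("SHARED_WITH_SEED_IP", user, ip, ts))
    return alerts
```

On the sample data this flags alice's off-baseline logon, the peep01 logon, and both alice and carol for sharing the IP that touched the seed account, while bob's on-campus logon and alice's logon after the window are left alone.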

