Educause Security Discussion mailing list archives

Re: The Slate breakin


From: Ruth Ginzberg <rginzberg () UWSA EDU>
Date: Fri, 8 Mar 2019 19:15:40 +0000

Providing all users with a password manager might also be a relatively effective strategy.  Or even letting users know 
that a BYO-PasswordManager would be allowed under the institutional policies they need to follow.  I think many end 
users don’t know anything about password managers, wouldn’t know how to choose one even if they did know about them, 
aren’t sure whether they are more or less of a security risk than not having one, and wouldn’t know whether using a 
password manager would or wouldn’t violate their university I.T. policies even if they did know they wanted one and 
know how to select it.


Ruth Ginzberg
608-890-3961

From: The EDUCAUSE Security Community Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Nicholas 
Garigliano
Sent: Friday, March 08, 2019 1:05 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] The Slate breakin

If you have Active Directory, then you already are using SSO and have been since it was implemented.

Not using SSO, whether it is AD or some other solution, makes Identity Management a nightmare (been there).  Accounts 
never get cleaned up or deactivated.  Provisioning and deprovisioning is also problematic, especially if applications' 
authorization schemes are not tied to a central user repository.  And the Auditors will not be happy.

And the users just use the same credentials for all accounts anyway, as mentioned before.  Make them use unique 
usernames (if possible) and they write them all down on sticky notes next to the PC or taped to the laptop and then use 
the same password.

Education is key, with extra focus given to Executives (e.g., Deans, VP Finance, etc.) as well as System Admins.  Spam 
filtering and monitoring access obviously are key as well.

Nick Garigliano CISSP, GCIH
Network Security Engineer
Enterprise & Network Solutions
Nazareth College
585 389-2109


On Fri, Mar 8, 2019 at 1:32 PM Jon Miner <000000c6eeb80cc9-dmarc-request () listserv educause 
edu<mailto:000000c6eeb80cc9-dmarc-request () listserv educause edu>> wrote:
Unfortunately, odds are the person would use the same username and password for both accounts anyway.

jon
________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Mahmud Rahman 
<mrahman () MILLS EDU>
Sent: Friday, March 8, 2019 12:11
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] The Slate breakin

I'm assuming most folks in this group have read this morning's news. We received the alert from Slate yesterday that 
something had happened, but details were few.

https://www.insidehighered.com/admissions/article/2019/03/08/three-private-colleges-have-admissions-files-hacked

http://fortune.com/2019/03/08/college-applicant-ransomware-hack/

I've seen some blame directed at password reset systems. But it appears that the source of the breach was compromised 
accounts in admissions staff, gained through phishing. The more our colleges go to Single Sign On for everything, the 
greater the risk from compromised accounts. SSO provides convenience but escalates the risk. It would appear now that 
universal SSO has to be combined with universal multi-factor authentication systems. I wonder, though, about universal 
SSO since the keys now open way more doors into the kingdom.

Other than education about phishing, what are other schools doing today? I imagine that the attacks will get more 
targeted and more ingenious.

-Mahmud



Mahmud Rahman MFA '04
Director of Systems and Banner Services, ITS
Mills College, Oakland CA
(510)430-2257
mrahman () mills edu
