Educause Security Discussion mailing list archives

Re: [EXT]: Re: [SECURITY] [EXTERNAL][SECURITY] Public Facing Faculty listings


From: Michael Young <Michael.Young () RIT EDU>
Date: Mon, 9 Dec 2019 17:16:50 +0000


We’re in the same boat.

We saw a definite uptick after our marketing directory went live. Prior to that, I had a short list of ten high profile 
individuals that were being spoofed. After the directory went live, it spread to any manager on campus.

We now have a rule that identifies any email from a short list of sources (@gmail.com, etc.) containing certain 
specific words or phrase combinations in subject/body/sending address. Actions range from annotation to policy 
quarantine based on likelihood of false positive match.

Michael Young
Sr. Infrastructure Engineer
Rochester Institute of Technology
o: (585) 475-6031 | Michael.Young () rit edu
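The rule Michael describes (mail from a short list of free-webmail sources, matched on words or phrase combinations in the subject, body and sending address, with the action scaled to the likelihood of a false positive) can be sketched as a small scoring filter. The following is an added example written for this archive page; it is not RIT's rule, nor any gateway's configuration. The watched-source list, the phrase weights, the thresholds and the directory of protected names are all constructed assumptions, and a real deployment would read the message fields from the mail gateway rather than from dicts.

```python
import re
from email.utils import parseaddr

# Sender domains the rule is scoped to: the free-webmail sources the thread
# mentions (@gmail.com, etc.). Mail from any other domain is not examined by
# this rule at all, which is what keeps internal mail out of the false positives.
WATCHED_SOURCES = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}

# Phrase combinations typical of the "Are you available?" gift-card scam.
# The weights are an assumption for this example, not values from the thread.
PHRASES = [
    (re.compile(r"\bare you (available|on campus|there|free)\b", re.I), 2),
    (re.compile(r"\bgift ?cards?\b", re.I), 3),
    (re.compile(r"\b(quick|urgent) (task|favou?r|request)\b", re.I), 2),
    (re.compile(r"\bin a meeting\b", re.I), 1),
    (re.compile(r"\basap\b", re.I), 1),
]

ANNOTATE_THRESHOLD = 2    # deliver with a warning banner
QUARANTINE_THRESHOLD = 6  # hold for review

# Constructed directory of protected people: lower-cased display name -> real address.
DIRECTORY = {
    "jane doe": "jane.doe@example.edu",
    "john smith": "john.smith@example.edu",
}


def classify(msg, directory=DIRECTORY):
    """Return {'action', 'score', 'reasons'} for one message.

    msg is a dict with 'from', 'subject' and 'body' (constructed for this example).
    """
    display, addr = parseaddr(msg["from"])
    localpart, _, domain = addr.rpartition("@")
    domain = domain.lower()

    if domain not in WATCHED_SOURCES:
        return {"action": "deliver", "score": 0, "reasons": []}

    score, reasons = 1, [f"sender domain {domain} is on the watched list"]

    # Display-name impersonation: a directory name on a free-webmail address.
    if display.strip().lower() in directory:
        score += 3
        reasons.append(f"display name '{display}' matches a directory entry")

    # Sending-address impersonation: a directory surname embedded in the local part.
    for name in directory:
        surname = name.split()[-1]
        if surname in localpart.lower():
            score += 2
            reasons.append(f"local part '{localpart}' contains surname '{surname}'")
            break

    # Phrase combinations in subject and body.
    text = f"{msg['subject']}\n{msg['body']}"
    for pattern, weight in PHRASES:
        if pattern.search(text):
            score += weight
            reasons.append(f"phrase /{pattern.pattern}/")

    if score >= QUARANTINE_THRESHOLD:
        action = "quarantine"
    elif score >= ANNOTATE_THRESHOLD:
        action = "annotate"
    else:
        action = "deliver"
    return {"action": action, "score": score, "reasons": reasons}


# Constructed sample messages, not real mail.
SAMPLES = [
    {"from": '"Jane Doe" <jane.doe.provost@gmail.com>',
     "subject": "Are you available?",
     "body": "I'm in a meeting and can't talk. I need you to pick up gift cards ASAP."},
    {"from": "Alumni Relations <alumni.volunteer@gmail.com>",
     "subject": "Are you available Friday?",
     "body": "Could you confirm the reunion schedule for the volunteers?"},
    {"from": '"Jane Doe" <jane.doe@example.edu>',
     "subject": "Are you available?",
     "body": "Gift cards for the student awards are in my office, no rush."},
]

if __name__ == "__main__":
    for m in SAMPLES:
        r = classify(m)
        print(f"{r['action']:10} score={r['score']:2}  from={m['from']}")
        for reason in r["reasons"]:
            print("    -", reason)
```

The first sample is quarantined (free-webmail sender, impersonated display name and surname, plus four scam phrases), the second only gets an annotation (a free-webmail sender using one common phrase), and the third, which contains the same phrases but comes from the institution's own domain, is never examined because the rule is scoped to the watched sources. Weak signals such as the surname substring test will hit legitimate mail (short surnames like "lee" appear in many local parts), so they should only ever raise the score towards annotation, not quarantine on their own.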


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Barton, Robert W.
Sent: Monday, December 9, 2019 10:36 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [EXT]: Re: [SECURITY] [EXTERNAL][SECURITY] Public Facing Faculty listings

For those that have two locations for email (for example, fac/staff on O365 & students on Google), what do you do?  
We’ve tried a few things and been limited in options.  As a side note, our DNS sink has stopped those that send URLs.  
Direct requests still happen all the time.

Robert W. Barton
Executive Director of Information Security and Policy
Lewis University
One University Parkway
Romeoville, IL  60446-2200
815-836-5663

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Howard, Christopher
Sent: Monday, December 9, 2019 9:28 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [EXT]: Re: [SECURITY] [EXTERNAL][SECURITY] Public Facing Faculty listings

Something I mentioned to our web people before was perhaps they could put a conditional into the code that if the user 
was visiting from a campus IP address, show the email/phone info, but otherwise don't. They still haven't done that so 
our info is out there, too.  I wish they would do something like this as the phishing attempts are getting worse.

-Christopher


On Mon, 2019-12-09 at 15:14 +0000, Gregg, Christopher S. wrote:

We’re in a similar boat.  Faculty information on departmental pages is seen as part of the marketing for the 
university.  That is a good point though that perhaps e-mail addresses could be omitted and still accomplish the same 
goals.

We’re using some of the built in anti-impersonation rules within Office365 as well as custom rules to block certain 
patterns we are seeing.  That has reduced the number of “Are you there?” scams, or at least the ones we need to deal 
with.  User awareness is getting out there compared to a year ago so the scams that get through are more of an 
annoyance than a threat at this point.  Finding some wood to knock on right now…

Chris


Chris Gregg
Associate Vice President of Information Security & Risk Management, CISO
Innovation & Technology Services (ITS)
csgregg () stthomas edu
p 1 (651) 962-6265
University of St. Thomas | stthomas.edu





From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Stromer, Wade
Sent: Monday, December 9, 2019 9:09 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [EXTERNAL][SECURITY] Public Facing Faculty listings

We are in the same boat as you, George.  From what I've heard, it's an uphill battle that we've been fighting for quite 
some years now.  We have seen a pretty significant increase of impersonation email attacks in the last year or so and I 
blame it on having too much of our employee information out there on our public website also. It's very easy to find 
out what department, what title, and who their supervisor is and their email address.

These attacks are the typical "Are you on campus?" or "Are you available?" and the goal is to get the tricked employee 
to send pictures of gift cards to the perpetrator. The 'supervisor' is always in a meeting and can't talk on the phone 
and they need it done 'ASAP as possible' 🙂

We have some email securities in place that catch impersonation email attacks and those securities are helping us 
thwart some of these particular attacks.

Removing our employee/staff/faculty information from the public eyes is not an option but 'scrubbing' the information 
should be an option.  We know we can't stop end users from publishing their credentials/positions/titles to the public 
- this is where end user training becomes critical and pertinent.

Hopefully some others have been in this situation and can shed some light on what they have done to overcome the 
sharing of too much user info on their institution's public sites.

-Wade
________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of George J. Silowash <gsilowas () NORWICH EDU>
Sent: Monday, December 9, 2019 6:33 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [EXTERNAL][SECURITY] Public Facing Faculty listings


We have recently seen an uptick in phishing attacks utilizing faculty information published on our website. The 
malicious actors are able to identify department heads and their subordinates. The malicious actors then use this 
information to target a department head’s subordinates utilizing “legitimate” Gmail accounts posing as the department 
head to send phishing emails.

I have proposed removing individual contact information on the website and use contact forms, a department email 
account, along with several other methods to make it more difficult for the bad actors. I have been met with a great 
deal of resistance.

Have you seen this problem? What are you doing to mitigate the risk (beyond training)? Does your website list faculty 
information? Are faculty required to have their information posted and/or can they opt out? Does your site take any 
steps to make it more difficult or costly (i.e., using CAPTCHAs to obtain information)? I am looking for options to help 
balance leadership's desire to have public facing directory information with that of risks to individuals and the 
institution.

Any thoughts on this would be helpful.

V/R,
George
----------------------------------------------------------------
George J. Silowash, MSIA, CISSP-ISSMP, CCFP, GCFE, GCFA
Chief Information Security Officer
Norwich University
158 Harmon Drive
Northfield VT 05663
http://www.norwich.edu
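Two of the mitigations raised in this thread can be combined in the directory page itself: Christopher Howard's suggestion of a conditional that shows email and phone only to campus IP addresses, and George's proposal of contact forms in place of individual addresses for everyone else. The following is an added example written for this archive page, not code from any of the institutions in the thread. The campus and proxy address ranges, the directory entry and the `/contact` URL are constructed assumptions; the part worth copying is the handling of `X-Forwarded-For`, which is attacker-controlled unless the request arrived through a proxy you run.

```python
import ipaddress

# Constructed ranges for this example (documentation prefixes, not a real campus).
CAMPUS_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:100::/48")]
# Reverse proxies / load balancers in front of the web server whose
# X-Forwarded-For header we are willing to believe.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24",)]


def client_ip(remote_addr, x_forwarded_for=None):
    """Work out the address the request really came from.

    X-Forwarded-For is honoured only when the TCP peer is one of our own
    proxies; from any other peer the header is attacker-supplied and would let
    an off-campus scraper claim a campus address just by sending it. With a
    single proxy layer, the right-most entry is the one that proxy appended.
    """
    peer = ipaddress.ip_address(remote_addr)
    if x_forwarded_for and any(peer in net for net in TRUSTED_PROXIES):
        hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
        try:
            return ipaddress.ip_address(hops[-1])
        except (ValueError, IndexError):
            return peer
    return peer


def on_campus(ip):
    return any(ip in net for net in CAMPUS_NETS)


def render_entry(entry, remote_addr, x_forwarded_for=None):
    """Return the directory fields to publish for one request.

    Name, title and department are always shown (the marketing need); email
    and phone only to campus clients; everyone else gets a link to a contact
    form that relays mail without exposing the address.
    """
    shown = {k: entry[k] for k in ("name", "title", "department")}
    if on_campus(client_ip(remote_addr, x_forwarded_for)):
        shown["email"] = entry["email"]
        shown["phone"] = entry["phone"]
    else:
        shown["contact_url"] = f"/contact?person={entry['id']}"
    return shown


# Constructed sample entry.
ENTRY = {"id": "jdoe", "name": "Jane Doe", "title": "Department Chair",
         "department": "Biology", "email": "jane.doe@example.edu", "phone": "555-0100"}

if __name__ == "__main__":
    cases = [
        ("campus client", "192.0.2.15", None),
        ("off-campus client", "203.0.113.9", None),
        ("off-campus client forging X-Forwarded-For", "203.0.113.9", "192.0.2.15"),
        ("campus client via trusted proxy", "198.51.100.4", "192.0.2.15"),
        ("off-campus client via trusted proxy", "198.51.100.4", "203.0.113.9"),
    ]
    for label, peer, xff in cases:
        print(f"{label}: {render_entry(ENTRY, peer, xff)}")
```

Three caveats apply in practice. Faculty on the VPN will see the full listing, and so will anyone who gets onto campus Wi-Fi, so this raises the cost of scraping rather than preventing it. The campus rendering must not be served from a shared cache or CDN to off-campus visitors (mark it private or no-store). And the contact form becomes the new target, since it relays mail to the person, so it needs the rate limiting or CAPTCHA George asks about.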

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community
