Educause Security Discussion mailing list archives
Re: [External] [SECURITY] Flagging external emails and exceptions
From: "Gregg, Christopher S." <csgregg () STTHOMAS EDU>
Date: Thu, 1 Oct 2020 01:24:46 +0000
Hi Beth, We mark external messages from senders not in our SPF record with [External] in the subject line for employees. We don't apply the tags for students since the main issue we were trying to solve were spoofed sender attacks which primarily targeted employees. The only exception we are making is for Office365 notifications because at the time we were trying to push adoption. Even that has burned us a couple of times when scammers compromised other O365 tenants since Microsoft uses the same address for all notifications. For the most part our strategy hasn't caused too many issues or complaints. Two services that sometimes cause questions or concerns are e-mails from Qualtrics and from Instructure (Canvas). We contemplated a different tag for trusted external service providers but that got complicated pretty quickly and we decided against it. We do have a lot of anecdotal feedback that the [External] tag is helping people spot suspicious messages, and it seems to be a good compromise between doing nothing and some of the more invasive header warning options. Thanks, Chris Chris Gregg Associate Vice President of Information Security & Risk Management, CISO Innovation & Technology Services (ITS) csgregg () stthomas edu<mailto:csgregg () stthomas edu> p 1 (651) 962-6265 University of St. Thomas | stthomas.edu<https://www.stthomas.edu/> From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Beth Albertson Sent: Wednesday, September 30, 2020 7:01 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [External] [SECURITY] Flagging external emails and exceptions Colleagues, We are thinking of flagging emails coming in external from our O365 tenant with either a red header at the top of each email or adding something like <EXTERNAL> to the subject line. I wanted to ask other schools that are doing this whether they are adding exceptions for external organizations that are trusted. For example, we use Jira, and I thought we could add this to an exception list. Some have argued that maintaining such a list could be cumbersome and could potentially confuse users because some external emails would be flagged and others would not. Does anyone have experience or thoughts on this matter? Sincerely, Beth Albertson, CISSP(r), PMP(r) Director of Information Security Western Washington University beth.albertson () wwu edu<mailto:beth.albertson () wwu edu> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Ccsgregg%40STTHOMAS.EDU%7C9a3683dd652848518edf08d8659d17d5%7Ca081ff79318c45ec95f338ebc2801472%7C1%7C0%7C637371072686033832&sdata=rCaY17zsXESmW%2BtD8sfgC8%2FgI0tyPUau1Yhcq6ljArI%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- Flagging external emails and exceptions Beth Albertson (Sep 30)
- Re: Flagging external emails and exceptions Blake Brown (Sep 30)
- Re: Flagging external emails and exceptions Bandy, John (Sep 30)
- Re: [External] [SECURITY] Flagging external emails and exceptions Gregg, Christopher S. (Sep 30)
- Re: Flagging external emails and exceptions Blake Brown (Sep 30)