Educause Security Discussion mailing list archives
Re: DNS checking
From: "Menne, Michael S" <michael.menne () MNSU EDU>
Date: Thu, 21 Jan 2021 20:44:01 +0000
We use a combination of Microsoft Office 365 ATP and Cisco Umbrella.

Office 365 ATP does a URL re-write to go through a Microsoft Sandbox. On Microsoft mail clients (Outlook), it will still show the original URL. On non-Microsoft clients, it will show the undecipherable re-written URL. The original URL is embedded in there and can be somewhat deciphered, but not by the average user.

Cisco Umbrella is a DNS layer filtering that protects against not only URLs contained in emails, but any DNS based communication. Umbrella has two options. Option 1 is a simple DNS forward from your DNS server to theirs. With this, all requests appear to come from the DNS server that forwarded the request and only for users that are using those DNS servers. Option 2 is an Active Directory integrated mobile client. This option allows the client to be mobile and still be protected. It also allows easier identification of problematic devices.

Neither solution is perfect. It’s still a struggle to contain things, but I can’t imagine what it would be without these tools.

Michael Menne, CISSP
Chief Information Security Officer
IT Solutions Information Security
Minnesota State University, Mankato
Phone: (507) 389-5705
Cell: (507) 405-0717
https://mankato.mnsu.edu/cyberaware
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Nathan Phillips <nathanphillips () ACHS EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thursday, January 21, 2021 at 2:22 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] DNS checking

Regarding DNS checking as an alternative to re-writing URLs (I’m starting this as a new thread/subject, but this springs from the URL re-writing thread).

I’ve been looking at Cloudflare’s WARP product, which supposedly can offer some protection. Curious if anyone else has looked at it? It’s really consumer based and aimed more at privacy issues, but does offer a “malware” protection setting.

With everyone working from home, I would love to have some additional protection (while it may seem late in the game, I’m clear that we will likely have a substantial portion of staff wanting to continue to work from home after the pandemic ends). All our work from home staff are using institution computers that we manage with MDM, and we have endpoint protection on all, so we have the ability to push out a solution like this fairly easily.

I’ve been testing WARP for a few months, and I sometimes have to turn it off—ironically, I had to do that when trying to sign into Educause, though I think a recent update to WARP has fixed that issue. It may require too much configuration to work at the enterprise level, but it’s free!

-Nathan

--------------------------------------------------------
Nathan Phillips, CIO (he/him)
American College of Healthcare Sciences
Portland, Oregon
--------------------------------------------------------

On Jan 21, 2021, at 10:55 AM, Brian Epstein <bepstein () IAS EDU> wrote:

Hi Ravi,

We investigated URL re-writing tools a number of years ago. We also teach our folks to hover over links and try to determine if they are malicious or not.
Another worry was for signed emails. Changing the URLs will break the signature. I would check with your vendor to see if they have a setting that allows you to address this concern. Maybe they can not re-write emails that are signed (although, signing an email isn't that hard, so does it help)?

As opposed to re-writing anything in the email, we chose to go the route of a DNS checking system. Cisco Umbrella (formerly OpenDNS) gives us this ability without having to re-write the URLs.

This is definitely not a full protection, either, and also has its own issues. For example, anyone who checks their email off campus needs to be connected to our VPN to get this protection. Umbrella offers an agent for client devices that aren't on our network, but we try to avoid requiring agents. We could also limit email connectivity from our campus IPs, but that would probably create an unwanted burden on our clients.

We found that DNS checking was better received by our clients than URL re-writing. I would say that this is highly dependent upon the culture of your school and expectations of your faculty and staff.

All the best,
Brian

--
Brian Epstein <bepstein () ias edu>
+1 609-734-8179
Manager, Network and Security, CISO
Institute for Advanced Study
Key fingerprint = A6F3 9F5A 26C5 5847 79ED C34C C0E5 244A 55CA 2B78

----- Original Message -----
From: "Ravi Kotecha" <kotechar () BRANDEIS EDU>
To: "The EDUCAUSE Security Community Group Listserv" <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Tuesday, January 19, 2021 6:13:05 PM
Subject: [SECURITY] URL re-writing in emails

Greetings,

I'm curious about your experiences using tools that rewrite URLs in emails.
We have Proofpoint's suite and one of the features rewrites URLs in emails with an https://urldefense.com/ prefix and clicking the link will pass through Proofpoint's servers.

One piece of feedback we received in a pilot was that we had been teaching folks to hover over URLs to determine the destination before clicking links. With re-writing, all links are changed for external sites so that advice is no longer reliable.

I'm interested in experiences others have had using this feature. For example:

- Have you received negative feedback? If so, how have you addressed it?
- How have you augmented awareness training?
- Are there any success stories you wish to share?

Thanks in advance,
Ravi Kotecha
kotechar () brandeis edu

--
Ravi Kotecha '10, M.S. '14, M.S. '20
Privacy & Information Security Analyst
Information Technology Services
Submit a security request: security () brandeis edu
Report phishing: phishing () brandeis edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
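The thread notes that the original URL is still embedded in a Safe Links re-written link but is hard for an average user to read. The following Python sketch is an added example, not part of any poster's message, that recovers the destination a user would have seen on hover. It assumes the `?url=` query layout of `*.safelinks.protection.outlook.com` links as they appeared in this archive; the function names and sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Regional hosts (nam02., eur01., ...) all end with this suffix.
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed samples (not taken from real mail).
SAMPLE = ("https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2F"
          "www.example.edu%2Flogin%3Fnext%3D%252Fhome&data=04%7C01%7Cuser%40"
          "example.edu&sdata=CONSTRUCTED&reserved=0")
NESTED = ("https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2F"
          "eur01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F"
          "%252Fportal.example.org%252F%26data%3Dx&data=y")
# Host only *contains* the Safe Links name; it must not be unwrapped.
LOOKALIKE = ("https://safelinks.protection.outlook.com.example.net/"
             "?url=https%3A%2F%2Fwww.example.edu%2F")


def unwrap_safelink(url, max_depth=5):
    """Return the original destination of a Safe Links URL.

    Links that were wrapped more than once (forwarded mail) are unwrapped
    layer by layer; any other URL is returned unchanged.
    """
    for _ in range(max_depth):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if not host.endswith(SAFELINKS_SUFFIX):
            break
        # parse_qs percent-decodes exactly once, so encoding that belongs
        # to the destination itself (e.g. %2F inside its query) survives.
        target = parse_qs(parts.query).get("url", [""])[0]
        if not target.lower().startswith(("http://", "https://")):
            break
        url = target
    return url


def hover_view(body):
    """List (destination host, destination URL) for every link in a body."""
    results = []
    for raw in URL_RE.findall(body):
        dest = unwrap_safelink(raw.rstrip(".,)"))
        results.append((urlsplit(dest).hostname, dest))
    return results
```

Run over a message body, `hover_view` gives awareness-training or help-desk staff the host a recipient would have checked before re-writing was enabled.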