Educause Security Discussion mailing list archives

Re: DNS checking


From: "Menne, Michael S" <michael.menne () MNSU EDU>
Date: Thu, 21 Jan 2021 20:44:01 +0000

We use a combination of Microsoft Office 365 ATP and Cisco Umbrella.

Office 365 ATP does a URL re-write to go through a Microsoft Sandbox.  On Microsoft mail clients (Outlook), it will 
still show the original URL.  On non-Microsoft clients, it will show the undecipherable re-written URL. The original 
URL is embedded in there and can be somewhat deciphered, but not by the average user.

Cisco Umbrella is DNS-layer filtering that protects against not only URLs contained in emails, but any DNS-based 
communication.  Umbrella has two options. Option 1 is a simple DNS forward from your DNS server to theirs.  With this, 
all requests appear to come from the DNS server that forwarded the request and only for users that are using those DNS 
servers. Option 2 is an Active Directory integrated mobile client.  This option allows the client to be mobile and still 
be protected. It also allows easier identification of problematic devices.

Neither solution is perfect. It’s still a struggle to contain things, but I can’t imagine what it would be without 
these tools.


Michael Menne, CISSP
Chief Information Security Officer
IT Solutions Information Security
Minnesota State University, Mankato
Phone:  (507) 389-5705
Cell: (507) 405-0717
https://mankato.mnsu.edu/cyberaware




From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Nathan Phillips 
<nathanphillips () ACHS EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thursday, January 21, 2021 at 2:22 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] DNS checking

Regarding DNS checking as an alternative to re-writing URLs (I’m starting this as a new thread/subject, but this 
springs from the URL re-writing thread).

I’ve been looking at Cloudflare’s WARP product, which supposedly can offer some protection.

Curious if anyone else has looked at it?

It’s really consumer based and aimed more at privacy issues, but does offer a “malware” protection setting.  With 
everyone working from home, I would love to have some additional protection (while it may seem late in the game, I’m 
clear that we will likely have a substantial portion of staff wanting to continue to work from home after the pandemic 
ends). All our work from home staff are using institution computers that we manage with MDM, and we have endpoint 
protection on all, so we have the ability to push out a solution like this fairly easily.

I’ve been testing WARP for a few months, and I sometimes have to turn it off—ironically, I had to do that when trying 
to sign into Educause, though I think a recent update to WARP has fixed that issue. It may require too much 
configuration to work at the enterprise level, but it’s free!

-Nathan

--------------------------------------------------------
Nathan Phillips, CIO (he/him)
American College of Healthcare Sciences
Portland, Oregon
--------------------------------------------------------


On Jan 21, 2021, at 10:55 AM, Brian Epstein <bepstein () IAS EDU> wrote:

Hi Ravi,

We investigated URL re-writing tools a number of years ago.  We also teach our folks to hover over links and try to 
determine if they are malicious or not.  Another worry was for signed emails.  Changing the URLs will break the 
signature.  I would check with your vendor to see if they have a setting that allows you to address this concern.  
Maybe they can not re-write emails that are signed (although, signing an email isn't that hard, so does it help)?

As opposed to re-writing anything in the email, we chose to go the route of a DNS checking system.  Cisco Umbrella 
(formerly OpenDNS) gives us this ability without having to re-write the URLs.  This is definitely not a full 
protection, either, and also has its own issues.  For example, anyone who checks their email off campus needs to be 
connected to our VPN to get this protection.  Umbrella offers an agent for client devices that aren't on our network, 
but we try to avoid requiring agents.  We could also limit email connectivity from our campus IPs, but that would 
probably create an unwanted burden on our clients.

We found that DNS checking was better received by our clients than URL re-writing.  I would say that this is highly 
dependent upon the culture of your school and expectations of your faculty and staff.

All the best,
Brian

--
Brian Epstein <bepstein () ias edu>                     +1 609-734-8179
Manager, Network and Security, CISO     Institute for Advanced Study
Key fingerprint = A6F3 9F5A 26C5 5847 79ED  C34C C0E5 244A 55CA 2B78

----- Original Message -----
From: "Ravi Kotecha" <kotechar () BRANDEIS EDU>
To: "The EDUCAUSE Security Community Group Listserv" <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Tuesday, January 19, 2021 6:13:05 PM
Subject: [SECURITY] URL re-writing in emails

Greetings,

I'm curious about your experiences using tools that rewrite URLs in emails.
We have Proofpoint's suite and one of the features rewrites URLs in emails
with an https://urldefense.com/ prefix and clicking the link will pass
through Proofpoint's servers.

One piece of feedback we received in a pilot was that we had been teaching
folks to hover over URLs to determine the destination before clicking
links. With re-writing, all links are changed for external sites so that
advice is no longer reliable.

I'm interested in experiences others have had using this feature. For
example:
- Have you received negative feedback? If so, how have you addressed it?
- How have you augmented awareness training?
- Are there any success stories you wish to share?

Thanks in advance,
Ravi Kotecha
kotechar () brandeis edu
--
Ravi Kotecha '10, M.S. '14, M.S. '20
Privacy & Information Security Analyst
Information Technology Services
Submit a security request: security () brandeis edu
Report phishing: phishing () brandeis edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
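
Added example, not part of any message in this thread: a short Python helper that recovers the original destination from an Office 365 ATP Safe Links rewritten URL, which carries it percent-encoded in the `url` query parameter. The sample link is constructed (placeholder `data` and `sdata` values), and the function names and the depth limit are assumptions of this example.

```python
from urllib.parse import urlsplit, parse_qs

# Regional wrapper hosts look like nam02.safelinks.protection.outlook.com
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"
MAX_DEPTH = 5  # assumption: a forwarded message may be rewritten more than once

# Constructed sample; data/sdata are placeholders, not real tracking values.
SAMPLE = (
    "https://nam02.safelinks.protection.outlook.com/"
    "?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity"
    "&data=04%7C01%7Cuser%40example.edu%7C0"
    "&sdata=PLACEHOLDER&reserved=0"
)


def is_safelinks(url: str) -> bool:
    """True only when the host really ends with the Safe Links suffix."""
    host = (urlsplit(url).hostname or "").lower()
    return host.endswith(SAFELINKS_SUFFIX)


def unwrap_safelinks(url: str) -> str:
    """Return the original URL, peeling nested Safe Links wrappers."""
    for _ in range(MAX_DEPTH):
        if not is_safelinks(url):
            break
        # parse_qs percent-decodes the value for us
        inner = parse_qs(urlsplit(url).query).get("url")
        if not inner:
            break  # wrapper without a url parameter: leave it untouched
        url = inner[0]
    return url


def destination_host(url: str) -> str:
    """Host a user would land on, i.e. what hovering used to reveal."""
    return (urlsplit(unwrap_safelinks(url)).hostname or "").lower()


if __name__ == "__main__":
    print(unwrap_safelinks(SAMPLE))
    print(destination_host(SAMPLE))
```

A URL whose host merely contains the Safe Links name as a prefix of some other domain is returned unchanged, so a lookalike wrapper is not treated as trusted.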


