Educause Security Discussion mailing list archives

Re: [Possible Spam] Re: [SECURITY] Mitigating Phishing Attacks


From: Justin Bennett <jbennett () MSJC EDU>
Date: Fri, 16 Nov 2012 06:36:50 -0800

Good morning,

 

Some of the tactics we have deployed at our institution are the following:

 

1.       Education - Communicating with the users is crucial to keep them informed of what potential threats are out 
there and what kind of business impacts occur when accounts are compromised. SPAM is the least of the worries; data 
breaches are the bigger concern.

2.       Attack surface - By default, all users must request remote access prior to getting web or mobile access. This 
limits our attack surface, as not all staff need those remote capabilities.

3.       Policy and Procedure - A policy for password complexity, history, expiration, and absolutely no sharing of 
passwords is crucial. Our support staff are only allowed to reset users' account passwords and set them to expire. It 
may take longer for the user password reset process, but it ingrains a "no sharing of passwords" policy in the 
organization and hopefully sets off red flags when users are asked to "reset" their password.

4.       Spam Protection - Maintaining a SPAM firewall dramatically increases your visibility of incoming messages and 
the ability to create custom content filtering rules.

 

Hope this helps; my apologies if my reply is in any way redundant. I've just joined Educause's listserv.

 

Justin Bennett

Supervisor of Network Technology
Information Technology
jbennett () msjc edu

 

Mt. San Jacinto College
Phone 951-639-5090
http://www.msjc.edu

 

Save a Tree - Please don't print this unless you really need to.

 

Security Notice: MSJC Information Technology Staff will never ask for your password. Keep your passwords private to 
protect yourself and the security of our network.

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bateman, 
Darrell
Sent: Friday, November 16, 2012 6:22 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [Possible Spam] Re: [SECURITY] Mitigating Phishing Attacks
Importance: Low

 

We use similar procedures in our Service Desk as some of the others here who have commented. Additionally, we do the 
following:

 

1.       Insert a warning message in red at the top of incoming emails that have certain keywords used to collect login 
credentials. Users get an NDR if they try to reply to an email that has the warning message inserted, unless they first 
remove the warning text. This used to be fairly effective, but now spammers use URLs and entice users to click on 
them, rendering this control less effective.

2.       We use outbound spam filtering to block much of the spam that results from compromised accounts.

3.       We have a procedure for repeat “victims” of phishing attacks.

 

We have considered requiring 2nd factor authentication for OWA, required when a user logs in from a new computer and/or 
IP address. The 2nd factor would be the user’s secret question or a code sent to the user’s mobile phone. This would be 
a large undertaking to implement, but it would have other security benefits. I welcome any comments from this group on 
the effectiveness of this proposed strategy.

 

Also, if anyone out there has a network-based DLP solution in place, does it effectively detect and block entry of 
local user credentials to a foreign host?

 

--------------------------------------

Darrell Bateman

Assistant Vice President for IT and ISO

Office of the Chief Information Officer

Information Technology Division

Texas Tech University
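The banner-and-NDR control described in item 1 of the message above, as an added illustration (example code written for this archive, not Texas Tech's or any list member's own): an inbound hook that prepends a warning banner to mail containing credential-harvesting keywords, and an outbound hook that returns an NDR when a user replies without removing that banner. It uses only Python's standard `email` package; the keyword list, the header name `X-Credential-Phish-Warning` and the sample messages are constructed assumptions.

```python
# Added example (not Texas Tech's or any list member's code): a gateway-style
# content filter that prepends a red-flag banner to inbound mail containing
# credential-harvesting keywords, plus the outbound check that returns an NDR
# when a user replies without removing that banner. Standard library only;
# keywords, header name and sample messages are constructed for illustration.
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from typing import List, Optional, Tuple

# Constructed keyword list; the original post does not say which keywords it uses.
CREDENTIAL_KEYWORDS = (
    "verify your account",
    "confirm your password",
    "username and password",
    "webmail account",
    "mailbox quota",
)

# The first line of the banner doubles as the marker the outbound check looks for.
WARNING_MARKER = "*** WARNING: this message appears to ask for your login credentials ***"
WARNING_BANNER = (
    WARNING_MARKER + "\n"
    "IT staff will never ask for your password. Do not reply with it.\n"
    "A reply that still contains this warning will be returned undelivered.\n"
)
WARNING_HEADER = "X-Credential-Phish-Warning"  # machine-readable marker (assumed name)


def plain_text_body(msg: EmailMessage) -> str:
    """Return the text/plain body, or "" for messages without one (e.g. HTML only)."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def body_of(raw: str) -> str:
    """Plain-text body of a raw RFC 822 message string."""
    return plain_text_body(message_from_string(raw, policy=default))


def matched_keywords(msg: EmailMessage) -> List[str]:
    """Keywords found in the subject or plain-text body, case-insensitively."""
    text = (str(msg.get("Subject", "")) + "\n" + plain_text_body(msg)).lower()
    return [kw for kw in CREDENTIAL_KEYWORDS if kw in text]


def tag_inbound(raw: str) -> Tuple[str, List[str]]:
    """Inbound hook: if the message matches, prepend the banner and add the header.
    Non-matching messages pass through unchanged."""
    msg = message_from_string(raw, policy=default)
    hits = matched_keywords(msg)
    if not hits:
        return raw, hits
    msg[WARNING_HEADER] = ", ".join(hits)
    part = msg.get_body(preferencelist=("plain",))
    if part is not None:
        # set_content() replaces the part's payload and Content-* headers in place.
        part.set_content(WARNING_BANNER + "\n" + part.get_content())
    return msg.as_string(), hits


def outbound_ndr_reason(raw: str) -> Optional[str]:
    """Outbound hook: a reply that still quotes the banner is answering a flagged
    credential request, so return the NDR status text; otherwise None."""
    if WARNING_MARKER in body_of(raw):
        return "550 5.7.1 Reply to a message flagged as a credential-phishing attempt was blocked"
    return None


def quoted_reply(raw: str, reply_text: str = "Here you go.") -> str:
    """Build the reply a mail client produces when the user hits Reply and leaves
    the quoted original (banner included) in place; exercises the outbound check."""
    original = message_from_string(raw, policy=default)
    quoted = "\n".join("> " + line for line in plain_text_body(original).splitlines())
    reply = EmailMessage(policy=default)
    reply["From"] = str(original.get("To", ""))
    reply["To"] = str(original.get("From", ""))
    reply["Subject"] = "Re: " + str(original.get("Subject", ""))
    reply.set_content(reply_text + "\n\n" + quoted + "\n")
    return reply.as_string()


# Constructed sample messages.
PHISH_SAMPLE = (
    "From: IT Helpdesk <helpdesk@example.net>\n"
    "To: staff@example.edu\n"
    "Subject: Your webmail account will be suspended\n"
    "\n"
    "Please confirm your password by replying with your username and password.\n"
)
BENIGN_SAMPLE = (
    "From: colleague@example.edu\n"
    "To: staff@example.edu\n"
    "Subject: Lunch on Friday\n"
    "\n"
    "See you at noon.\n"
)

if __name__ == "__main__":
    tagged, hits = tag_inbound(PHISH_SAMPLE)
    print("flagged on:", hits)
    print(tagged)
    print("NDR for careless reply:", outbound_ndr_reason(quoted_reply(tagged)))
    print("NDR for benign reply:", outbound_ndr_reason(quoted_reply(BENIGN_SAMPLE)))
```

The outbound check only fires when the reply still carries the banner text, which is exactly why the post calls the control "less effective" against URL-based phishing: a message that merely links to a fake logon page need not contain any of the keywords, and a user who clicks the link never sends a reply for the outbound hook to inspect.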

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Christopher Jones
Sent: Wednesday, November 14, 2012 2:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Mitigating Phishing Attacks

 


 

We have experienced a number of targeted phishing attacks recently.  Because the most recent phish led its victims to 
provide their network credentials via a realistic looking OWA logon page, we took the following steps to deal with some 
resultant compromised accounts:

 

·         immediately reset the passwords for the affected accounts, 

·         restarted the IIS service to stop any active webmail sessions

·         alerted the user community

 

 

It got me to wondering how other institutions deal with similar situations where user accounts have been compromised. 
If anyone would care to share, I would be interested in how you have handled similar situations. It would be useful to 
know your top 3 strategies for preventing and mitigating such occurrences. Thanks.

 

 

Christopher Jones

IT Security Analyst

University of the Fraser Valley

Christopher.Jones () ufv ca

 

 

