Educause Security Discussion mailing list archives

Re: Mitigating Phishing Attacks


From: Oscar Knight <knightod () APPSTATE EDU>
Date: Tue, 4 Dec 2012 15:11:12 -0500

Hello All,

I initially was a fan of the 'no links' course of action.  Though I never
really pushed the idea, I did suggest it to our IT group.  I got strange
looks and was called names that I can't mention here.  And in the end
I more or less agree.  But is there another viable way to point our
users in the right direction?

I just entered "password" on a dozen edu sites.  They all gave me
results that would be appropriate if I were a user in search of
info regarding my password and/or account.

Is it too much to ask the user to enter a search string on the
institution's home page?  For those that manage their own search
appliance, you can even create your own search string/results.

Example: For more information on changing your password please search
"password" on the Baylor/COD/Appstate website.

Do I still deserve to be called those names? :)  Is anyone doing this
as a regular practice?

I firmly believe that every time an institution sends a mass
communication and users click the link and it all works then trust is
built in that communication method.  Do this a lot and you get a lot of
trust.

odk


On 12/4/2012 1:31 PM, Tonkin, Derek K wrote:
My initial thought is that it may be more dangerous to teach users that copying and pasting URLs into their browser is 
safe than to continue to send links.  We have a ban on links in emails regarding user accounts.  It is a pain and I 
doubt the degree to which users grasp the concept of us not sending them links when EVERYONE else does.  I think 
awareness training including an address to send suspicious emails to plus being quick to block both the URL and the 
sender of phishing messages you do discover is the most effective method.

Derek Tonkin
Information Security Analyst
Baylor University
ITS - Security

"Conlee, Keith" <conlee () COD EDU> wrote:

Sorry for the delay, but I am playing catch up.  We also have experienced an increase of phishing attacks and a couple 
users have taken the hook causing us to get blacklisted, etc. and the clean-up that follows.

In this last phishing attack the sender masqueraded as the "System Administrator" by either spoofing the sender's address, or sending from a previously 
compromised email account and signing as "System Administrator."  It was the old phishing scam warning the user "Your mailbox has exceeded the storage 
limit."  As the IT department we have told our users that we (IT) will never send them an unsolicited email asking them for any sensitive input (e.g. ID and password, 
etc.).  We (IT) are thinking of making a new policy decision that we will not send out any "active" links in email that will take the user to a webpage and ask for 
their sensitive data (e.g., ID and password).  Instead we will provide a description of the webpage they need to go to (e.g. Employee Portal) and provide an 
"inactive" text link and instruct them to cut and paste (or type) the text into the address bar of their browser (for convenience).  It is MOST convenient to just 
provide the link, but since links can be spoofed and take you elsewhere, an inactive text link that can either be cut-and-pasted or typed into a browser location 
bar provides some convenience and we think is safer.  The only way we can go wrong is if our College website gets 
hacked.  ANY THOUGHTS - Good or Bad?

Thanks for any responses.

Keith Conlee, JD, CISSP, CISA, CBCP
Chief Security Officer, IT
College of DuPage
425 Fawell Blvd.
Glen Ellyn, IL 60137-6599

Ph. - 630.942.3055
Fax. - 630.790.0325


--
NOTE: ASU ITS will NEVER ask you for your password in an email!
Oscar D. Knight                           knightod at appstate dot edu
ITS                                                Voice: 828-262-6946
Appalachian State University, Boone, NC 28608        FAX: 828-262-2236
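
The point Keith raises above, that a link's visible text can say one thing while its href takes you elsewhere, is the one part of this thread that lends itself to an automated check, for example in a mail gateway rule or a triage script run over messages users forward to an abuse address. The following is an added example written for this page, not code from any of the posters or their institutions. It parses an HTML message body, collects every anchor, and flags (a) anchors whose visible text looks like a URL but whose href resolves to a different host and (b) anchors whose destination lies outside an assumed list of institutional domains. The sample message, the trusted-domain list and all hostnames (example.edu, example.net, example.org) are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently being read, or None
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, visible))
            self._href = None


# Visible text a reader would take for a web address: a scheme, "www.", or a bare domain.
_URLISH = re.compile(r"^(?:https?://|www\.)|^[\w-]+(?:\.[\w-]+)+(?:/|$)", re.IGNORECASE)


def _host(s):
    """Lower-cased hostname of a URL or bare domain; '' if nothing parses."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def _is_trusted(host, trusted_domains):
    """True if host equals or is a subdomain of any trusted domain."""
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def find_spoofed_links(html_body, trusted_domains):
    """Return a list of suspicious anchors, each with the reasons it was flagged.

    Check 1: the visible text looks like a URL but names a different host than
             the href (the link is "spoofed" in the sense used in the thread).
    Check 2: the real destination is outside the institution's trusted domains.
    """
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        href_host = _host(href)
        reasons = []
        if _URLISH.match(text) and _host(text) != href_host:
            reasons.append("visible text %r does not match destination host %r"
                           % (text, href_host))
        if not _is_trusted(href_host, trusted_domains):
            reasons.append("destination host %r is outside trusted domains" % href_host)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample modelled on the "mailbox has exceeded the storage limit"
# lure quoted in the thread; all hosts are reserved example domains.
SAMPLE_EMAIL_HTML = """
<p>Dear user, your mailbox has exceeded the storage limit.</p>
<p>Verify now: <a href="http://example-mail-reset.example.net/login">https://mail.example.edu/quota</a></p>
<p>Or <a href="https://update-acct.example.org/">click here</a> to update.</p>
<p>Help: <a href="https://www.example.edu/password">www.example.edu/password</a></p>
"""

# Assumed institutional domain list (hypothetical).
TRUSTED_DOMAINS = ("example.edu",)

if __name__ == "__main__":
    for finding in find_spoofed_links(SAMPLE_EMAIL_HTML, TRUSTED_DOMAINS):
        print(finding["href"], "shown as", repr(finding["text"]))
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against the sample, the first anchor is flagged on both checks (the text shows a mail.example.edu address, the href goes to example.net), the "click here" anchor is flagged only as an external destination, and the help link passes because its text and href agree and the host sits under example.edu. The mismatch check is an approximation of what a reader sees versus where the browser goes; it says nothing about whether the destination page is itself malicious, which is why the thread's advice to block discovered phishing URLs and senders quickly still applies.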
