Educause Security Discussion mailing list archives

Re: Oxford and Google Apps


From: Richard Biever <richard.biever () DUKE EDU>
Date: Tue, 19 Feb 2013 12:47:44 +0000

+1 to Drew's comments.  While we have made an effort to block phishing/spam messages to our community, and we do have 
technical controls to help us identify compromised accounts as a result of the activity, we still see the occasional 
attack get through.  Given that students and faculty/staff spend time off-campus checking their mail from home and 
while on the road, we have found that education has been the best help in mitigating the issue.  Every time we do an 
information session or attend a departmental meeting to discuss security we take the opportunity to explain how to look 
at a potentially fraudulent mail message or website, and reiterate that if it looks "phishy", don't click the link.  :)

Cheers,
Richard

On Feb 19, 2013, at 7:26 AM, Drew Perry <aperry () MURRAYSTATE EDU> wrote:


Interesting. I understand they feel it necessary in light of recent attacks. However, they are only able to block 
access from within their own campus resources. Off-campus users can still access Google Docs, and potentially respond 
to phishing attempts. To me, it seems like a knee-jerk reaction whose legitimate effects may be less than fully 
positive. And may in fact be worse, since limiting access from on-campus could provide a false sense of security to IT 
staff.
Instead of a half-successful technical response, effort should be placed on Information Security Awareness. Teach your 
users to identify phishing attempts themselves and not respond. Now, I fully understand how daunting a task that is, 
but it's the only way to truly protect your user base. Technical protections have their place, definitely. But user 
education is the best defense against phishing attacks.

Sent from my phone.

Drew Perry
Security Analyst
Murray State University
(270) 809-4414
aperry () murraystate edu

On Feb 19, 2013 6:11 AM, "Tracy Mitrano" <tbm3 () cornell edu> wrote:
Thoughts on this matter among the experts?  http://blogs.oucs.ox.ac.uk/oxcert/2013/02/18/google-blocks/

--------------------------------------------
Richard Biever, CISSP
Chief Information Security Officer
Duke University
Office: 919-684-8121
Cell: 919-886-9627
Email: richard.biever () duke edu

Please remember that Duke will never ask for your password or information about your account in an email.




