Educause Security Discussion mailing list archives
Re: Response to phishing e-mails
From: Paul Chauvet <chauvetp () NEWPALTZ EDU>
Date: Thu, 30 Oct 2014 10:29:48 -0400
Hi Nick, I appreciate the response.

Our remaining phishing issues are extremely rare compared to what we once had. It used to be 5-6 people a month falling for phishing scams; now it's down to not that many in 2014 all together. Our training program has led to a large drop in malware issues on client PCs as well.

Aside from two-factor (which we will have eventually), we already have in place many of the features you've had. I won't go into specifics, but most important services are only accessible via Campus IPs (or via VPN for some users). Doing that with email will never really be a viable option. We do have notices and alerts for 'abnormal' IP connections to our SMTP server. Faculty/staff who frequently travel to other countries do get whitelisted for these issues. The impact of a phished email account has been reduced.

What we haven't done is implement DMARC and SPF hard fails. DMARC has its own problems, especially with regards to mailing lists. In my opinion it is a solution that causes more problems than it fixes. SPF hardfail causes similar issues in my opinion. The phishing attempts we do receive (that get through) aren't spoofing our domain.

Just to clarify though - the two people who were reprimanded fell for three simulated phishing attacks as well as two or three actual phishing scams (not just simulations). One of those two users who eventually did receive an official reprimand didn't just stop falling for scams but became a proactive reporter of phishing emails. We made sure that even that reprimand was not done in a vacuum. It was done in concert with in-person discussions letting the individual know that we are there to assist them - not just to warn and run away. The other user is not proactive about reporting, but has also been far better about not falling for these issues (simulated or otherwise). Punishment is the absolute last quiver in the arrow - not the first one we fire by any means.

I've studied the psychological aspects of security and we've included a lot of positive reinforcement with regards to security, which we favor, but reprimand/punishment isn't, though, something that can be completely ignored as an option.

Paul Chauvet
Information Security Officer
State University of New York at New Paltz
Phone: (845) 257-3828
chauvetp () newpaltz edu

----- Original Message -----
We've only had two egregious repeat offenders. Each of these users responded to three simulated phishing exercises and two or three actual phishing scams. For these two users we've had to have an official letter to their supervisor, Dean, and HR notifying them that continued issues may result in suspension or revocation of computer access. We don't like to have to get to that point, but sometimes it is necessary. Thankfully - that has worked well. They have not fallen for any additional phishing scams/simulations in the last year and a half. It has turned one of the two users into an excellent reporter of phishing messages. Sometimes you are forced to take a more forceful approach to impress upon them that there are potential consequences to the individual (and not just the college).

Paul Chauvet
Information Security Officer
State University of New York at New Paltz
The larger issue is whether to treat security as a problem with your users, or a problem with what you've set up for them.
When it's treated as a problem with your users, it's a never ending stream of new students & staff, one-off punishments, etc. -- and it's too easy to put the problem on others.
For the users who get phished, the question shouldn't be "How can we make our users better?" but instead -- "How can *we* be better?"
Why not ask:
- How is it that our users can secure their Twitter accounts with two-factor, but not their access to our e-mail systems, HR, and payroll? (That arguably borders on negligence in more regulated fields, like banking and healthcare.)
- Why is it even *possible* that having just a single user's (probably weak) password can result in high levels of access (VPN connectivity, spam/phishing mail sent, payroll changes, educational FERPA-protected records, etc.)?
- Why do we allow a user, who's been connecting to Webmail from the US, to suddenly authenticate to POP from China or EC2 and send 10,000 messages to domains we've never sent mail to before?
Punishing the two users who responded to simulated phishing improved a *tiny* aspect of those two users' security, but it doesn't address the larger problem (and you probably left them feeling like IT was an adversary, and not a friend).
- What if instead, you just required their accounts use two-factor? (Looks like you're using Jasig's CAS -- have you tried Chris Hyzer/UPenn's Open Two Factor?)
- What if you scoped important services (HR / payroll, registrar, etc.) to campus IPs only?
- What if you set SPF hardfail, published a _domainkey policy, and established a basic DMARC policy? (A bunch of servers in China are sending mail as @newpaltz.edu -- how many of those do you think are phishing attacks?)
I don't mean to pick on New Paltz by any means -- you at least have a sane SPF policy. A number of people discussing phishing in this thread don't even publish SPF records (!!!), and show huge volumes of spam/phishing impersonating their domains from lack of DMARC / sane SPF, etc.
- Nick
--
Nick Semenkovich
Laboratory of Dr. Jeffrey I. Gordon
Medical Scientist Training Program
School of Medicine
Washington University in St. Louis
https://nick.semenkovich.com/
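The SPF hard-fail, `_domainkey` and DMARC policy questions that both sides of this exchange raise, as an added example that is not from any of the posters: a small Python checker that grades what a domain has actually published, distinguishing "record exists" from "record enforces anything". Every domain and TXT record below is constructed for the example (none is New Paltz's real DNS data), and `lookup_txt()` is a stand-in for a real resolver query.

```python
"""Grade a domain's published SPF / DKIM / DMARC posture from its DNS TXT records.

The DNS data below is CONSTRUCTED for this example (hypothetical domains);
swap lookup_txt() for a real resolver (e.g. dnspython) to check a live domain.
"""
import re
from typing import Dict, List, Optional

SAMPLE_TXT: Dict[str, List[str]] = {
    # SPF present but soft-fail, and no DMARC at all: spoofed mail is tagged, never rejected.
    "softfail.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example ~all"],
    # Reporting-only DMARC: receivers send aggregate reports but enforce nothing.
    "monitored.example": ["v=spf1 include:_spf.mailer.example -all"],
    "_dmarc.monitored.example": ["v=DMARC1; p=none; rua=mailto:reports@monitored.example"],
    # Hardened: SPF hard-fail, a DKIM key under _domainkey, DMARC p=reject.
    "hardened.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_dmarc.hardened.example": [
        "v=DMARC1; p=reject; sp=quarantine; pct=100; rua=mailto:dmarc@hardened.example"
    ],
    # Public key truncated; a real record carries the full base64 RSA key in p=.
    "sel1._domainkey.hardened.example": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"],
}


def lookup_txt(name: str, table: Dict[str, List[str]] = SAMPLE_TXT) -> List[str]:
    """Stand-in for a DNS TXT query against the constructed table above."""
    return table.get(name.lower(), [])


def spf_all_qualifier(records: List[str]) -> Optional[str]:
    """Qualifier on the SPF 'all' mechanism: '-' hard fail, '~' soft fail,
    '?' neutral, '+' pass. None means no SPF record is published at all."""
    for rec in records:
        tokens = rec.split()
        if not tokens or tokens[0].lower() != "v=spf1":
            continue
        for tok in tokens[1:]:
            m = re.fullmatch(r"([+\-~?]?)all", tok, re.IGNORECASE)
            if m:
                return m.group(1) or "+"  # RFC 7208: a bare 'all' means '+all'
        return "?"  # no 'all' term: senders matching nothing get a neutral result
    return None


def parse_dmarc(records: List[str]) -> Optional[Dict[str, str]]:
    """Split a 'v=DMARC1; tag=value; ...' record into a tag dictionary."""
    for rec in records:
        if not rec.strip().lower().startswith("v=dmarc1"):
            continue
        tags: Dict[str, str] = {}
        for part in rec.split(";"):
            if "=" in part:
                key, value = part.split("=", 1)
                tags[key.strip().lower()] = value.strip()
        return tags
    return None


def dkim_key_published(domain: str, selector: str, lookup=lookup_txt) -> bool:
    """True if <selector>._domainkey.<domain> carries a DKIM public key record."""
    return any(r.strip().lower().startswith("v=dkim1") and "p=" in r
               for r in lookup(f"{selector}._domainkey.{domain}"))


def assess(domain: str, selectors=(), lookup=lookup_txt) -> Dict[str, object]:
    """Summarise how much anti-spoofing protection the published records actually give."""
    spf_q = spf_all_qualifier(lookup(domain))
    dmarc = parse_dmarc(lookup(f"_dmarc.{domain}"))
    dkim = any(dkim_key_published(domain, s, lookup) for s in selectors)
    findings: List[str] = []

    if spf_q is None:
        findings.append("no SPF record: receivers cannot tell your mail servers from anyone else's")
    elif spf_q in ("+", "?"):
        findings.append(f"SPF ends in '{spf_q}all': unknown senders are not penalised")
    elif spf_q == "~":
        findings.append("SPF soft-fail (~all): spoofed mail is only tagged unless DMARC enforces")

    policy = None
    pct = 100
    if dmarc is None:
        findings.append("no DMARC record: SPF/DKIM results are never tied to the visible From: domain")
    else:
        policy = dmarc.get("p", "none").lower()
        pct = int(dmarc.get("pct", "100"))
        if policy == "none":
            findings.append("DMARC p=none: reports are collected but nothing is enforced")
        if pct < 100:
            findings.append(f"DMARC pct={pct}: only part of the failing mail is acted on")
        if "rua" not in dmarc:
            findings.append("no rua= address: you will never see who is sending as your domain")
    if selectors and not dkim:
        findings.append("no DKIM key found under the given selector(s)")

    enforcing = policy in ("quarantine", "reject") and pct == 100
    return {"spf_all": spf_q, "dmarc_p": policy, "dkim": dkim,
            "enforcing": enforcing, "findings": findings}


if __name__ == "__main__":
    for name, sels in (("softfail.example", ()), ("monitored.example", ()),
                       ("hardened.example", ("sel1",))):
        result = assess(name, sels)
        print(f"{name}: enforcing={result['enforcing']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The `monitored.example` case is the usual middle step between the two positions in this thread: publishing `p=none` with an `rua=` address costs nothing in deliverability, and the aggregate reports show which legitimate relays (mailing lists included, since a list that rewrites the body breaks the DKIM signature on mail still carrying the original From:) would be hit before anyone moves to `quarantine` or `reject`.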
Current thread:
- Re: Response to phishing e-mails, (continued)
- Re: Response to phishing e-mails Brandon Hume (Oct 28)
- Re: Response to phishing e-mails Thomas Carter (Oct 29)
- Re: Response to phishing e-mails Nick Semenkovich (Oct 29)
- Re: Response to phishing e-mails Brandon Hume (Oct 29)
- Re: Response to phishing e-mails Robert Meyers (Oct 29)
- Re: Response to phishing e-mails Paul Chauvet (Oct 29)
- Re: Response to phishing e-mails Nick Semenkovich (Oct 29)
- Re: Response to phishing e-mails Brandon Hume (Oct 29)
- Re: Response to phishing e-mails Jones, Mark B (Oct 29)
- Re: Response to phishing e-mails Kalal, Robert (Bob) (Oct 29)
- Re: Response to phishing e-mails Paul Chauvet (Oct 30)
- Re: Response to phishing e-mails Nick Semenkovich (Oct 31)
- Re: Response to phishing e-mails Andrew Daviel (Nov 13)