Re: [EXTERNAL] Re: [SECURITY] Notifications of external emails

[Frank Barton <bartonf () HUSSON EDU>]

The problem that we're seeing is that one internal person gets phished, and
then starts spewing internal emails.
 I'm going to start another chain, but we are seeing some persistant
threads that might help identify compromised accounts.

Frank

On Wed, Feb 8, 2017 at 11:37 AM, Cecka, Benjamin <BCecka () clark edu> wrote:

> Since August we’ve been phished persistently and we also implemented the
> “[EXTERNAL]” subject prefix on all of our inbound email. We also had some
> resistance but it hasn’t gotten to the point where we felt the need to
> reconsider. It took a few days of adjusting as some internal email was
> being flagged incorrectly and there was objection to flagging student
> messages and some hosted web applications. All in all there was also
> positive feedback and the campus seems to have adjusted well to it.
>
>
>
> Best regards,
>
> Ben Cecka
>
> Director, Infrastructure & Security
>
>
> Information Technology
>
> Clark College
>
> (360) 992-2194
>
>
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Thomas Carter
> *Sent:* Wednesday, February 8, 2017 7:18 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* [EXTERNAL] Re: [SECURITY] Notifications of external emails
>
>
>
> This is more to combat the traditional “HR is validating your last
> paycheck. Click the link and enter your account info” type of phishing.
> Something procedural will get generally ignored by many departments when
> sending out emails, so we’re looking for something more automatic.
>
>
>
> *Thomas Carter*
> Network & Operations Manager / IT
>
> *Austin College*
> 900 North Grand Avenue
> Sherman, TX 75090
>
> Phone: 903-813-2564 <(903)%20813-2564>
> www.austincollege.edu
>
> [image: http://www.austincollege.edu/images/AusColl_Logo_Email.gif]
>
>
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [
> mailto:SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>] *On
> Behalf Of *Napier, Mark E
> *Sent:* Wednesday, February 8, 2017 9:04 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] Notifications of external emails
>
>
>
> What about encouraging or requiring your users to use S/MIME to sign their
> emails? That would also cover the situation in which a machine on the
> internal network is engaged in pushing. (In most cases, anyway)
>
>
>
> --
>
> Mark E. Napier   MIS, CIPT
>
> Deputy Director of Information Technology /
>
> Chief Information Privacy and Security Officer
>
> School of Informatics and Computing
>
> Indiana University
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> On Feb 8, 2017, at 9:57 AM, Thomas Carter <tcarter () AUSTINCOLLEGE EDU
> <tcarter () austincollege edu>> wrote:
>
>
>
> We are trying to combat phishing by making users more aware of emails that
> come from outside campus vs internal emails. We’ve trialed using a mail
> rule to modify the subject line and prepend a flag (like “EXTERNAL:” or
> similar) but users complained it caused confusion (?) and they didn’t like
> emails to be modified. I suspect a disclaimer added to the body of the
> message would be either ignored or disliked for the same reasons.
>
>
>
> Has anyone else done something to somehow flag external emails? What was
> the feedback? How well does it work?
>
>
>
> *Thomas Carter*
> Network & Operations Manager / IT
>
> *Austin College*
> 900 North Grand Avenue
> Sherman, TX 75090
>
> Phone: 903-813-2564 <(903)%20813-2564>
> www.austincollege.edu
>
> <image001.gif>



-- 
Frank Barton
ACMT
IT Systems Administrator
Husson University