Educause Security Discussion mailing list archives
Re: [EXTERNAL] Re: [SECURITY] Notifications of external emails
From: "Klein Keane, Justin" <Klein_KeaneJ () MLHS ORG>
Date: Wed, 8 Feb 2017 11:56:02 -0500
Hello, We’ve done the same thing (adding “[EXTERNAL]” to the subject line of incoming emails) here at Main Line Health for nearly a year now. We run regular internal phishing tests and based on metrics we’ve noticed that the subject line addition hasn’t noticeably affected failure rates of people clicking links or opening attachments. It has positively affected rates of reporting suspicious e-mail to our help desk, however, so the value was unexpected but clear. Adding hints to external scam emails is often enough to tip users off and spur them to action, which is obviously beneficial for remediation. This added subject line component has also been extremely effective in preventing targeted spearphishing and CEO fraud (the “hey CFO, this is the CEO and I need $10,000 transferred today” type). The main issue with tagging external e-mail is the reliance on so many authorized external providers for supporting services. The subject line tag can confuse many users and cause them to ignore legitimate e-mail from external providers. I’ve heard stories of some users who write e-mail filter rules to automatically bin anything tagged as external. Cheers, Justin C. Klein Keane MA MCIT CEPT C|EH Security Architect Main Line Health Information Technology https://www.mainlinehealth.org/ klein_keanej () mlhs org<mailto:klein_keanej () mlhs org> 484-596-2203 From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Cecka, Benjamin Sent: Wednesday, February 08, 2017 11:37 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] [EXTERNAL] Re: [SECURITY] Notifications of external emails Since August we’ve been phished persistently and we also implemented the “[EXTERNAL]” subject prefix on all of our inbound email. We also had some resistance but it hasn’t gotten to the point where we felt the need to reconsider. It took a few days of adjusting as some internal email was being flagged incorrectly and there was objection to flagging student messages and some hosted web applications. All in all there was also positive feedback and the campus seems to have adjusted well to it. Best regards, Ben Cecka Director, Infrastructure & Security Information Technology Clark College (360) 992-2194 From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas Carter Sent: Wednesday, February 8, 2017 7:18 AM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: [EXTERNAL] Re: [SECURITY] Notifications of external emails This is more to combat the traditional “HR is validating your last paycheck. Click the link and enter your account info” type of phishing. Something procedural will get generally ignored by many departments when sending out emails, so we’re looking for something more automatic. Thomas Carter Network & Operations Manager / IT Austin College 900 North Grand Avenue Sherman, TX 75090 Phone: 903-813-2564 www.austincollege.edu<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.austincollege.edu_&d=DwMGaQ&c=qqcbk_QeabW4Z7GBhIMNtn_B7aQjktEuWNmUvrzri9o&r=T6Gkm-QA6wMUGmtyL0hrMz5ZqqoLGv5jfrNlZvfp68Q&m=1GTP0L_mzw6mWxEm7U1NORO6yQJPhjYRueWi_x-0Q9o&s=dr8v0gbs_qYPJXRXaMW7cvLPH-BQo12zWBwT56W1BoA&e=> [cid:image001.gif@01D28202.41D4DB60] From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Napier, Mark E Sent: Wednesday, February 8, 2017 9:04 AM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] Notifications of external emails What about encouraging or requiring your users to use S/MIME to sign their emails? That would also cover the situation in which a machine on the internal network is engaged in pushing. (In most cases, anyway) -- Mark E. Napier MIS, CIPT Deputy Director of Information Technology / Chief Information Privacy and Security Officer School of Informatics and Computing Indiana University On Feb 8, 2017, at 9:57 AM, Thomas Carter <tcarter () AUSTINCOLLEGE EDU<mailto:tcarter () austincollege edu>> wrote: We are trying to combat phishing by making users more aware of emails that come from outside campus vs internal emails. We’ve trialed using a mail rule to modify the subject line and prepend a flag (like “EXTERNAL:” or similar) but users complained it caused confusion (?) and they didn’t like emails to be modified. I suspect a disclaimer added to the body of the message would be either ignored or disliked for the same reasons. Has anyone else done something to somehow flag external emails? What was the feedback? How well does it work? Thomas Carter Network & Operations Manager / IT Austin College 900 North Grand Avenue Sherman, TX 75090 Phone: 903-813-2564 www.austincollege.edu<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.austincollege.edu_&d=DwMGaQ&c=qqcbk_QeabW4Z7GBhIMNtn_B7aQjktEuWNmUvrzri9o&r=T6Gkm-QA6wMUGmtyL0hrMz5ZqqoLGv5jfrNlZvfp68Q&m=1GTP0L_mzw6mWxEm7U1NORO6yQJPhjYRueWi_x-0Q9o&s=dr8v0gbs_qYPJXRXaMW7cvLPH-BQo12zWBwT56W1BoA&e=> <image001.gif>
Current thread:
- Notifications of external emails Thomas Carter (Feb 08)
- Re: Notifications of external emails Napier, Mark E (Feb 08)
- Re: Notifications of external emails Thomas Carter (Feb 08)
- Re: Notifications of external emails Harris, Brent (Feb 08)
- Re: Notifications of external emails Frank Barton (Feb 08)
- Re: Notifications of external emails Thomas Carter (Feb 08)
- Re: Notifications of external emails Valdis Kletnieks (Feb 08)
- Re: Notifications of external emails Thomas Carter (Feb 08)
- Re: [EXTERNAL] Re: [SECURITY] Notifications of external emails Cecka, Benjamin (Feb 08)
- Re: [EXTERNAL] Re: [SECURITY] Notifications of external emails Frank Barton (Feb 08)
- Re: [EXTERNAL] Re: [SECURITY] Notifications of external emails Klein Keane, Justin (Feb 08)
- Re: [EXTERNAL] Re: [SECURITY] Notifications of external emails Alan Amesbury (Feb 08)
- Re: [EXTERNAL] Re: [SECURITY] Notifications of external emails Frank Barton (Feb 08)
- Re: Notifications of external emails Napier, Mark E (Feb 08)
- <Possible follow-ups>
- Re: Notifications of external emails Johnson, Kyle A (Feb 08)