Educause Security Discussion mailing list archives

Re: The Slate breakin


From: Nicholas Garigliano <ngarigl8 () NAZ EDU>
Date: Fri, 8 Mar 2019 14:04:57 -0500

If you have Active Directory, then you already are using SSO and have been
since it was implemented.

Not using SSO, whether it is AD or some other solution, makes Identity
Management a nightmare (been there).  Accounts never get cleaned up or
deactivated.  Provisioning and deprovisioning is also problematic,
especially if applications' authorization schemes are not tied to a central
user repository.  And the Auditors will not be happy.

And the users just use the same credentials for all accounts anyway, as
mentioned before.  Make them use unique usernames (if possible) and they
write them all down on sticky notes next to the PC or taped to the laptop
and then use the same password.

Education is key, with extra focus given to Executives (i.e., Deans, VP
Finance, etc.) as well as System Admins.  Spam filtering and monitoring
access obviously are key as well.

Nick Garigliano CISSP, GCIH
Network Security Engineer
Enterprise & Network Solutions
Nazareth College
585 389-2109


On Fri, Mar 8, 2019 at 1:32 PM Jon Miner <000000c6eeb80cc9-dmarc-request () listserv educause edu> wrote:

Unfortunately, odds are the person would use the same username and
password for both accounts anyway.

jon
------------------------------
*From:* The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Mahmud Rahman <mrahman () MILLS EDU>
*Sent:* Friday, March 8, 2019 12:11
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] The Slate breakin

I'm assuming most folks in this group have read this morning's news. We
received the alert from Slate yesterday that something had happened, but
details were few.
https://www.insidehighered.com/admissions/article/2019/03/08/three-private-colleges-have-admissions-files-hacked

http://fortune.com/2019/03/08/college-applicant-ransomware-hack/

I've seen some blame directed at password reset systems. But it appears
that the source of the breach was compromised accounts in admissions staff,
gained through phishing. The more our colleges go to Single Sign On for
everything, the greater the risk from compromised accounts. SSO provides
convenience but escalates the risk. It would appear now that universal SSO
has to be combined with universal multi-factor authentication systems. I
wonder, though, about universal SSO since the keys now open way more doors
into the kingdom.

Other than education about phishing, what are other schools doing today? I
imagine that the attacks will get more targeted and more ingenious.

-Mahmud
Mahmud Rahman MFA '04
Director of Systems and Banner Services, ITS
Mills College, Oakland CA
(510)430-2257
mrahman () mills edu
