Educause Security Discussion mailing list archives

Re: Account Lockout Communications Policy


From: "Jim A. Bole" <jbole () STEVENSON EDU>
Date: Thu, 26 Sep 2019 15:58:23 +0000

Students must register an external email account as part of our self-service password reset process.

Thankfully, our IMAP policy blocked any access to their on-prem exchange mailbox. So the only thing the malicious 
actors could do was get a successful login.

So I sent out notifications to the students’ registered external email after we had reset their accounts (disabled, 
kill active sessions, reset password, re-enable):

Dear Stevenson University Student,


The Office of Information Technology (OIT) has determined that a malicious actor successfully logged onto your account 
sometime between Sept. 12-16. They were not able to access any of your information after they logged in. There are 
indications that the malicious actor may have used information from a 2018 data breach from Chegg.



In some cases when you attempt to access your Stevenson account you may see a message stating your access has been 
blocked due to suspicious activity; there, we ask that you reset your password as soon as possible.



Here are the steps to reset your password:


1.      Go to https://myaccount.stevenson.edu
2.      Click Reset Password.
3.      Enter your Stevenson single sign-on username in the prompt and click Next.
4.      Choose your external email address in the drop down list.
5.      A verification code will be sent to the e-mail address you used for Self Service registration.
6.      You have 30 minutes to input the verification code on the next page.
7.      Reset password using the stated requirements.

Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Chrisinger, Cory A
Sent: Thursday, September 26, 2019 11:33 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Account Lockout Communications Policy

Hello,

I’m looking for how different organizations handle account compromise notifications to individuals.  Due to the Chegg 
breach we reset 319 accounts towards the end of the day.  We do not necessarily have out of band communication methods 
for affected parties.  I’m hesitant to send a notification to an affected email due to tipping off the attackers. The 
attackers seem to be able to execute additional payload very quickly when they assume the account will be deactivated.  
We do notify our customer services areas, but overnight a student may not have access until business hours resume. 
Thoughts, strategies, ideas are appreciated.


Thank You,

Cory Chrisinger
CISO, CISSP ID#581915
Phone: (608) 243-4575
Email: cchrisinger () madisoncollege edu

Want to discuss a technology project? Please contact me, or complete the Technology Services Project Request form, and we’ll talk!



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

