Educause Security Discussion mailing list archives
Re: Account Lockout Communications Policy
From: "Barton, Robert W." <bartonrt () LEWISU EDU>
Date: Thu, 26 Sep 2019 18:36:27 +0000
We’ve had many account issues as well.

1) When an issue is found, the account is disabled immediately.
2) If a source IP is identified, a block is put in place.
3) A ticket is created for the issues (single ticket if more than one account involved in same incident).
4) The Service Desk is notified and instructed to contact the user and support their reactivation.
5) The notification is done by phone.
6) Once the user is reached, the Service Desk will verify the user and then support their reactivation.
7) Tickets are updated.

I don’t want to put tools and be more specific in an open list. I’m willing to talk by phone, if that is wanted.

Robert W. Barton
Executive Director of Information Security and Policy
Lewis University
One University Parkway
Romeoville, IL 60446-2200
815-836-5663

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jim A. Bole
Sent: Thursday, September 26, 2019 10:58 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Account Lockout Communications Policy

Students must register an external email account as part of our self-service password reset process. Thankfully, our IMAP policy blocked any access to their on-prem exchange mailbox. So the only thing the malicious actors could do was get a successful login. So I sent out notifications to the students’ registered external email after we had reset their accounts (disabled, kill active sessions, reset password, re-enable):

Dear Stevenson University Student,

The Office of Information Technology (OIT) has determined that a malicious actor successfully logged onto your account sometime between Sept. 12-16. They were not able to access any of your information after they logged in. There are indications that the malicious actor may have used information from a 2018 data breach from Chegg.
In some cases when you attempt to access your Stevenson account you may see a message stating your access has been blocked due to suspicious activity; there, we ask that you reset your password as soon as possible. Here are the steps to reset your password:

1. Go to https://myaccount.stevenson.edu
2. Click Reset Password.
3. Enter your Stevenson single sign-on username in the prompt and click Next.
4. Choose your external email address in the drop down list.
5. A verification code will be sent to the e-mail address you used for Self Service registration.
6. You have 30 minutes to input the verification code on the next page.
7. Reset password using the stated requirements.

Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Chrisinger, Cory A
Sent: Thursday, September 26, 2019 11:33 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Account Lockout Communications Policy

Hello,

I’m looking for how different organizations handle account compromise notifications to individuals. Due to the Chegg breach we reset 319 accounts towards the end of the day. We do not necessarily have out of band communication methods for affected parties. I’m hesitant to send a notification to an affected email due to tipping off the attackers. The attackers seem to be able to execute additional payload very quickly when they assume the account will be deactivated.
We do notify our customer services areas, but overnight a student may not have access until business hours resume. Thoughts, strategies, ideas are appreciated.

Thank You,
Cory Chrisinger
CISO, CISSP ID#581915
Phone: (608) 243-4575
Email: cchrisinger () madisoncollege edu

Want to discuss a technology project? Please contact me, or complete the Technology Services Project Request form, and we’ll talk!

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- Account Lockout Communications Policy Chrisinger, Cory A (Sep 26)
- Re: Account Lockout Communications Policy Menne, Michael S (Sep 26)
- Re: Account Lockout Communications Policy Jim A. Bole (Sep 26)
- Re: Account Lockout Communications Policy Barton, Robert W. (Sep 26)