Educause Security Discussion mailing list archives

Re: Public Facing Faculty listings


From: "Barton, Robert W." <bartonrt () LEWISU EDU>
Date: Mon, 9 Dec 2019 15:14:38 +0000

Morning sir,

We have a public facing staff/faculty directory.  We do see spam, phishing and spear phishing.  I cannot say that the 
directory is the cause, and after a search, we found MANY other Universities that have public facing directories.  So, when 
I brought the subject up, the idea was met with 'it is a positive for marketing' and others do it, so....

I've started to do two things.
1)  Look at our phishing tickets or false email requests and note their spoofed source.  If it is not a 'whaling' 
attempt, I point to it as a knowledge point that was collected off the web site.
2)  I have collected all of the alternate communication methods that are used within the University; Blackboard, social 
media, etc.  These alternates, along with the fact that the students DO NOT use email as their primary communication 
means, start to deflate the need to have those addresses out there.

I hope to have an in-depth discussion or a recommendation that goes before our governance committees.  Other ideas are 
welcome.

Robert W. Barton
Executive Director of Information Security and Policy
Lewis University
One University Parkway
Romeoville, IL  60446-2200
815-836-5663

-----Original Message-----
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of George J. Silowash
Sent: Monday, December 9, 2019 7:33 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Public Facing Faculty listings

We have recently seen an uptick in phishing attacks utilizing faculty information published on our website. The 
malicious actors are able to identify department heads and their subordinates. The malicious actors then use this 
information to target a department head’s subordinates utilizing “legitimate” Gmail accounts posing as the department 
head to send phishing emails.

I have proposed removing individual contact information on the website and use contact forms, a department email 
account, along with several other methods to make it more difficult for the bad actors. I have been met with a great 
deal of resistance. 

Have you seen this problem? What are you doing to mitigate the risk (beyond training)? Does your website list faculty 
information? Are faculty required to have their information posted and/or can they opt out? Does your site take any 
steps to make it more difficult or costly (i.e. using CAPTCHAs to obtain information)? I am looking for options to help 
balance leadership’s desire to have public facing directory information with that of risks to individuals and the 
institution.

Any thoughts on this would be helpful.

V/R,
George
----------------------------------------------------------------
George J. Silowash, MSIA, CISSP-ISSMP, CCFP, GCFE, GCFA
Chief Information Security Officer
Norwich University
158 Harmon Drive
Northfield VT 05663
http://www.norwich.edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
