Educause Security Discussion mailing list archives
Re: Public Facing Faculty listings
From: "Barton, Robert W." <bartonrt () LEWISU EDU>
Date: Mon, 9 Dec 2019 15:14:38 +0000
Morning sir,

We have a public facing staff/faculty directory. We do see spam, phishing and spear phishing. I cannot say that the directory is the cause, and after a search, we found MANY other Universities that have public facing directories. So, when I brought the subject up, the idea was met with 'it is a positive for marketing' and others do it, so....

I've started to do two things.

1) Look at our phishing tickets or false email requests and note their spoofed source. If it is not a 'whaling' attempt, I point to it as a knowledge point that was collected off the web site.

2) I have collected all of the alternate communication methods that are used within the University; Blackboard, social media, etc. These alternates, along with the fact that the students DO NOT use email as their primary communication means, start to deflate the need to have those addresses out there.

I hope to have an in-depth discussion or a recommendation that goes before our governance committees. Other ideas are welcome.

Robert W. Barton
Executive Director of Information Security and Policy
Lewis University
One University Parkway
Romeoville, IL 60446-2200
815-836-5663

-----Original Message-----
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of George J. Silowash
Sent: Monday, December 9, 2019 7:33 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Public Facing Faculty listings

We have recently seen an uptick in phishing attacks utilizing faculty information published on our website. The malicious actors are able to identify department heads and their subordinates. The malicious actors then use this information to target a department head’s subordinates utilizing “legitimate” Gmail accounts posing as the department head to send phishing emails.

I have proposed removing individual contact information on the website and using contact forms, a department email account, along with several other methods to make it more difficult for the bad actors. I have been met with a great deal of resistance.

Have you seen this problem? What are you doing to mitigate the risk (beyond training)? Does your website list faculty information? Are faculty required to have their information posted and/or can they opt out? Does your site take any steps to make it more difficult or costly (i.e. using CAPTCHAs to obtain information)?

I am looking for options to help balance leadership’s desire to have public facing directory information with that of risks to individuals and the institution. Any thoughts on this would be helpful.

V/R,
George

----------------------------------------------------------------
George J. Silowash, MSIA, CISSP-ISSMP, CCFP, GCFE, GCFA
Chief Information Security Officer
Norwich University
158 Harmon Drive
Northfield VT 05663
http://www.norwich.edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community

This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone at (815)-836-5950 and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. Thank you.