Educause Security Discussion mailing list archives
Re: [EXTERNAL][SECURITY] Public Facing Faculty listings
From: "Scantlin, Aaron J." <ScantlinA () MISSOURI EDU>
Date: Mon, 9 Dec 2019 15:16:26 +0000
I find that these work due to the prevalence of mobile devices being used to check e-mail – we drafted up a document (attached) that aims to bring awareness to this fact. Feel free to adapt for your campus’ needs.

Aaron J. Scantlin
Security Analyst, Division of IT
GSEC, GCFA, GNFA
University of Missouri - Columbia
(573) 884 - 7555
scantlina () missouri edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Gregg, Christopher S.
Sent: Monday, December 9, 2019 9:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [EXTERNAL][SECURITY] Public Facing Faculty listings

We’re in a similar boat. Faculty information on departmental pages is seen as part of the marketing for the university. That is a good point though that perhaps e-mail addresses could be omitted and still accomplish the same goals.

We’re using some of the built-in anti-impersonation rules within Office365 as well as custom rules to block certain patterns we are seeing. That has reduced the number of “Are you there?” scams, or at least the ones we need to deal with. User awareness is getting out there compared to a year ago, so the scams that get through are more of an annoyance than a threat at this point. Finding some wood to knock on right now…

Chris

Chris Gregg
Associate Vice President of Information Security & Risk Management, CISO
Innovation & Technology Services (ITS)
csgregg () stthomas edu
p 1 (651) 962-6265
University of St. Thomas | https://www.stthomas.edu/

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Stromer, Wade
Sent: Monday, December 9, 2019 9:09 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [EXTERNAL][SECURITY] Public Facing Faculty listings

We are in the same boat as you, George.

From what I've heard, it's an uphill battle that we've been fighting for quite some years now. We have seen a pretty significant increase of impersonation email attacks in the last year or so and I blame it on having too much of our employee information out there on our public website also. It's very easy to find out what department, what title, and who their supervisor is and their email address. These attacks are the typical "Are you on campus?" or "Are you available?" and the goal is to get the tricked employee to send pictures of gift cards to the perpetrator. The 'supervisor' is always in a meeting and can't talk on the phone and they need it done 'ASAP as possible' 🙂

We have some email securities in place that catch impersonation email attacks and those securities are helping us thwart some of these particular attacks. Removing our employee/staff/faculty information from the public eye is not an option but 'scrubbing' the information should be an option. We know we can't stop end users from publishing their credentials/positions/titles to the public - this is where end user training becomes critical and pertinent.

Hopefully some others have been in this situation and can shed some light on what they have done to overcome the sharing of too much user info on their institution's public sites.

-Wade

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of George J. Silowash <gsilowas () NORWICH EDU>
Sent: Monday, December 9, 2019 6:33 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [EXTERNAL][SECURITY] Public Facing Faculty listings

CAUTION: This email originated from outside of the organization. Do not click links, open attachments, or correspond with the sender unless you recognize the sender and know the content is safe.

We have recently seen an uptick in phishing attacks utilizing faculty information published on our website. The malicious actors are able to identify department heads and their subordinates. The malicious actors then use this information to target a department head’s subordinates utilizing “legitimate” Gmail accounts posing as the department head to send phishing emails.

I have proposed removing individual contact information on the website and using contact forms, a department email account, along with several other methods to make it more difficult for the bad actors. I have been met with a great deal of resistance.

Have you seen this problem? What are you doing to mitigate the risk (beyond training)? Does your website list faculty information? Are faculty required to have their information posted and/or can they opt out? Does your site take any steps to make it more difficult or costly (i.e. using CAPTCHAs to obtain information)?

I am looking for options to help balance leadership’s desire to have public facing directory information with that of risks to individuals and the institution. Any thoughts on this would be helpful.

V/R,
George

----------------------------------------------------------------
George J. Silowash, MSIA, CISSP-ISSMP, CCFP, GCFE, GCFA
Chief Information Security Officer
Norwich University
158 Harmon Drive
Northfield VT 05663
http://www.norwich.edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply.
Additional participation and subscription information can be found at https://www.educause.edu/community
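A mail-side check for the pattern George describes (a department head's name on a display name, but an external sending address, with Reply-To mismatch and the "Are you available?" opener as supporting signals). This is an added example, not code from the thread or from any poster; the institution domain, the directory names and the sample headers are constructed.

```python
import re
from email.utils import parseaddr

INSTITUTION_DOMAIN = "example.edu"  # assumption: the campus mail domain

# Constructed directory: the "department head" names a public faculty page exposes.
DEPARTMENT_HEADS = ("Jane Doe", "Robert Roe")

# Urgency openers quoted in the thread's gift-card scams; a weak signal on their own.
URGENCY_PHRASES = ("are you available", "are you on campus", "are you there")


def normalize_name(name: str) -> str:
    """Collapse case and 'Last, First' ordering so 'Doe, Jane' equals 'Jane Doe'."""
    name = re.sub(r"[^a-z ,]", "", name.lower())
    if "," in name:
        last, first = (part.strip() for part in name.split(",", 1))
        name = f"{first} {last}"
    return " ".join(name.split())


PROTECTED_NAMES = {normalize_name(n) for n in DEPARTMENT_HEADS}


def assess_message(headers: dict) -> dict:
    """Score one message from its From / Reply-To / Subject headers."""
    display, addr = parseaddr(headers.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    external = from_domain != INSTITUTION_DOMAIN
    reasons = []
    # Core rule: a protected name on an address outside the institution.
    if external and normalize_name(display) in PROTECTED_NAMES:
        reasons.append(f"display name '{display}' matches a department head but sender domain is {from_domain}")
    # Supporting rule: replies routed to a domain other than the visible sender's.
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        reasons.append("Reply-To domain differs from From domain")
    # Supporting rule: the short urgency opener, only counted for external senders.
    if external and any(p in headers.get("Subject", "").lower() for p in URGENCY_PHRASES):
        reasons.append("external sender with urgency-style subject")
    return {"sender": addr, "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample headers: one impersonation attempt, one legitimate internal message.
SAMPLE_MESSAGES = [
    {"From": '"Doe, Jane" <jane.doe.office@gmail.com>', "Subject": "Are you available?"},
    {"From": "Jane Doe <jdoe@example.edu>", "Subject": "Budget meeting notes"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(assess_message(msg))
```

A transport rule built on the same three conditions would quarantine or tag the first sample while leaving internal mail from the real account untouched.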
Attachment:
Phishing Tactic Notification.pdf
Description: Phishing Tactic Notification.pdf
Current thread:
- Public Facing Faculty listings George J. Silowash (Dec 09)
- Re: Public Facing Faculty listings John McCabe (Dec 09)
- Re: [EXTERNAL][SECURITY] Public Facing Faculty listings Stromer, Wade (Dec 09)
- Re: [EXTERNAL][SECURITY] Public Facing Faculty listings Gregg, Christopher S. (Dec 09)
- Re: [EXTERNAL][SECURITY] Public Facing Faculty listings Scantlin, Aaron J. (Dec 09)
- Re: [EXT]: Re: [SECURITY] [EXTERNAL][SECURITY] Public Facing Faculty listings Howard, Christopher (Dec 09)
- Re: [EXT]: Re: [SECURITY] [EXTERNAL][SECURITY] Public Facing Faculty listings Barton, Robert W. (Dec 09)
- Re: [EXT]: Re: [SECURITY] [EXTERNAL][SECURITY] Public Facing Faculty listings Michael Young (Dec 09)
- Re: [EXT]: Re: [SECURITY] [EXTERNAL][SECURITY] Public Facing Faculty listings Beth Albertson (Dec 09)
- Re: [EXT]: Re: [SECURITY] [EXTERNAL][SECURITY] Public Facing Faculty listings Jamie Schademan (Dec 09)
- Re: [EXT]: Re: [SECURITY] [EXTERNAL][SECURITY] Public Facing Faculty listings Scott Norton (Dec 09)
- Re: [EXT]: Re: [SECURITY] [EXTERNAL][SECURITY] Public Facing Faculty listings Beth Albertson (Dec 09)
- Re: [EXTERNAL][SECURITY] Public Facing Faculty listings Gregg, Christopher S. (Dec 09)
- <Possible follow-ups>
- Re: Public Facing Faculty listings Benjamin Schwartz (Dec 09)