Educause Security Discussion mailing list archives

Re: Phishing Paranoia


From: Glenn Forbes Fleming Larratt <gl89 () CORNELL EDU>
Date: Fri, 4 Dec 2020 18:32:23 -0500

We have a AAA-protected list of "Verified Communications", to which some of our personnel routinely add messages they've recently sent or are planning to send - they send the message to our SecOps queue and we post.

Unfortunately, we don't get a lot of traction with "the e-mail (you|your outsource vendor) sent matches 8 of the 11 criteria we teach people are phishing techniques".

        -g

--
Glenn Forbes Fleming Larratt
Cornell University IT Security Office

On Fri, 4 Dec 2020, SECURITY automatic digest system wrote:

There are 8 messages totalling 2753 lines in this issue.

Topics of the day:

 1. [EXTERNAL] [SECURITY] Windows Logout after inactivity (2)
 2. Phishing Paranoia (4)
 3. Microsoft Data Loss Prevention Email Address (2)

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

----------------------------------------------------------------------

Date:    Fri, 4 Dec 2020 13:35:28 +0000
From:    James Valente <jvalente () SALEMSTATE EDU>
Subject: Re: [EXTERNAL] [SECURITY] Windows Logout after inactivity

We're not, but if you were to go this route I would strongly recommend providing a server or other terminal for batch jobs to get 
done.  Some of our PeopleSoft users in finaid/registrar run batches on their desktops (and having that on a dedicated server may be 
better) and being auto-logged out would cause issues. I don't think, in their case, it would take 24 hours but legitimate use 
cases of a user having something running over the weekend, for example, will come up and you'll want to accommodate those before 
moving with an auto log out. It will cut out a lot of pushback as users will need to implement behavioral changes (save your Excel 
sheet!) for it to work.


James Valente
Associate Director of Information Security
978.542.2739 // GPG Key ID: 0xBF201E0A813AEDD1
SALEM STATE UNIVERSITY
352 Lafayette Street
Salem, MA 01970
salemstate.edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of King, Ronald A.
Sent: Wednesday, December 2, 2020 12:40
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [EXTERNAL] [SECURITY] Windows Logout after inactivity

CAUTION: This email originated from outside of Salem State University. Do not click links or open attachments unless 
you recognize the sender and know the content is safe.
Good afternoon Security Pros! I hope all is well.

I am inquiring today and asking if any institution forces logoff of client workstations after 24 hours of inactivity? 
This is beyond the lock out that is set for 15 or 30 minutes a lot of us already do.

If you do logoff after 24 hours (or some other period) how do you do it in an AD environment?

As always, replies directly are welcome if one prefers.

Thanks!
Ron

Ronald King
Director of OIT Security

With Office 365, you can report a message as phishing or junk. Using Outlook in a web browser or the mobile Outlook app, start by 
clicking/tapping "Junk/Report Junk!"

Office of Information Technology
(757) 823-2916 (Office)
raking () nsu edu
www.nsu.edu
@NSUCISO (Twitter)



------------------------------

Date:    Fri, 4 Dec 2020 15:09:36 +0000
From:    Dana Kilcrease <danak () DANAK DEV>
Subject: Phishing Paranoia

We run regular security awareness training focused largely on simulated phishing campaigns.  Overall, the response has been 
great, and awareness has gone up over the years.  However, we have a growing number of users who continue to over report 
"suspicious" emails, to the point that any corporate communications are typically followed by dozens of phone calls to 
our Helpdesk reporting these communications as suspicious, even if they do not contain any of the red flags we teach through our 
training.

Has anyone faced this with their training campaigns?  Any insight as to how to strike the best balance to ensure users 
are reading emails critically, rather than blindly reporting anything that is remotely outside of their day-to-day?

Dana Kilcrease
Director, Information Security
Berkeley College


------------------------------

Date:    Fri, 4 Dec 2020 09:54:38 -0600
From:    Jason Edelstein <jasone () UCHICAGO EDU>
Subject: Re: Phishing Paranoia

We've gotten this, too - even to the point of people using our
Proofpoint "report a phish" button to report their own junkmail
summaries or official content from bulkmailing services used. My
personal favorite are the reports of our president's periodic but
entirely plaintext emails.

What we do is twofold:

1. We absorb the reports and do not tell people, "Don't report this!"
Instead, we try to take some time and say, "Thanks for this report, but
this one is legit. Why did you report it?" and then have an additional
learning moment. This reduces the ratio of overzealous folks.

2. Routinely tell distributed IT and divisional folks to proactively
educate their users on what is legit, forming a second layer of
shielding. If a department's admin team or power users are aware of the
official channels, it can help spread awareness outside the routine
training campaign.

We still have one department chair who forwards emails to us (he won't
use the reporting button, it is a source of awe to me) and almost all of
them are legitimate. We eventually wrote an automatic reply template to
echo #1 as an email so it's click, paste, next ticket.

-je-

On 12/4/20 9:09 AM, Dana Kilcrease wrote:
We run regular security awareness training focused largely on simulated phishing campaigns.  Overall, the response has been 
great, and awareness has gone up over the years.  However, we have a growing number of users who continue to over report 
"suspicious" emails, to the point that any corporate communications are typically followed by dozens of phone calls to 
our Helpdesk reporting these communications as suspicious, even if they do not contain any of the red flags we teach through our 
training.

Has anyone faced this with their training campaigns?  Any insight as to how to strike the best balance to ensure users 
are reading emails critically, rather than blindly reporting anything that is remotely outside of their day-to-day?

Dana Kilcrease
Director, Information Security
Berkeley College


------------------------------

Date:    Fri, 4 Dec 2020 16:30:26 +0000
From:    "King, Ronald A." <raking () NSU EDU>
Subject: Re: [EXTERNAL] [SECURITY] Windows Logout after inactivity

Good points. Thank you!

Ronald King
Director of OIT Security

With Office 365, you can report a message as phishing or junk. Using Outlook in a web browser or the mobile Outlook app, start by 
clicking/tapping "Junk/Report Junk!"

Office of Information Technology
(757) 823-2916 (Office)
raking () nsu edu
www.nsu.edu
@NSUCISO (Twitter)

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of James Valente
Sent: Friday, December 4, 2020 8:35 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [EXTERNAL] [SECURITY] Windows Logout after inactivity

We're not, but if you were to go this route I would strongly recommend providing a server or other terminal for batch jobs to get 
done.  Some of our PeopleSoft users in finaid/registrar run batches on their desktops (and having that on a dedicated server may be 
better) and being auto-logged out would cause issues. I don't think, in their case, it would take 24 hours but legitimate use 
cases of a user having something running over the weekend, for example, will come up and you'll want to accommodate those before 
moving with an auto log out. It will cut out a lot of pushback as users will need to implement behavioral changes (save your Excel 
sheet!) for it to work.


James Valente
Associate Director of Information Security
978.542.2739 // GPG Key ID: 0xBF201E0A813AEDD1
SALEM STATE UNIVERSITY
352 Lafayette Street
Salem, MA 01970
salemstate.edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of King, Ronald A.
Sent: Wednesday, December 2, 2020 12:40
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [EXTERNAL] [SECURITY] Windows Logout after inactivity

Good afternoon Security Pros! I hope all is well.

I am inquiring today and asking if any institution forces logoff of client workstations after 24 hours of inactivity? 
This is beyond the lock out that is set for 15 or 30 minutes a lot of us already do.

If you do logoff after 24 hours (or some other period) how do you do it in an AD environment?

As always, replies directly are welcome if one prefers.

Thanks!
Ron

Ronald King
Director of OIT Security

With Office 365, you can report a message as phishing or junk. Using Outlook in a web browser or the mobile Outlook app, start by 
clicking/tapping "Junk/Report Junk!"

Office of Information Technology
(757) 823-2916 (Office)
raking () nsu edu
www.nsu.edu
@NSUCISO (Twitter)



------------------------------

Date:    Fri, 4 Dec 2020 17:14:36 +0000
From:    Dana Kilcrease <danak () DANAK DEV>
Subject: Re: Phishing Paranoia

Thank you - this was helpful.  We are rolling out the Proofpoint CLEAR solution by EOY - hoping it helps to relieve some of 
the burden from the Helpdesk and doesn't create additional headaches for our team.

Dana Kilcrease
Director, Information Security
Berkeley College


------------------------------

Date:    Fri, 4 Dec 2020 18:09:43 +0000
From:    Dave Broucek <dbroucek () HARPERCOLLEGE EDU>
Subject: Re: Phishing Paranoia

We are very similar in wanting people to report the phishing emails and provide feedback on the legitimacy or lack of 
legitimacy of the phishing email reported.  It also is a conversation on what made them think it was legit and how to 
further detect emails that appear to be phishing and are not.    The conversations help to really give context on how 
to detect suspicious emails more effectively, and what to focus in on to help with detection.

We also add to the conversation, and generally encourage, employees to use the Report as Phishing button that is 
integrated into our email.


Regards,
Dave Broucek



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jason Edelstein
Sent: Friday, December 4, 2020 9:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Phishing Paranoia

We've gotten this, too - even to the point of people using our Proofpoint "report a phish" button to report their own 
junkmail summaries or official content from bulkmailing services used. My personal favorite are the reports of our president's 
periodic but entirely plaintext emails.

What we do is twofold:

1. We absorb the reports and do not tell people, "Don't report this!" Instead, we try to take some time and say, "Thanks for 
this report, but this one is legit. Why did you report it?" and then have an additional learning moment. This reduces the ratio of 
overzealous folks.

2. Routinely tell distributed IT and divisional folks to proactively educate their users on what is legit, forming a second 
layer of shielding. If a department's admin team or power users are aware of the official channels, it can help spread 
awareness outside the routine training campaign.

We still have one department chair who forwards emails to us (he won't use the reporting button, it is a source of awe to 
me) and almost all of them are legitimate. We eventually wrote an automatic reply template to echo #1 as an email so it's 
click, paste, next ticket.

-je-

On 12/4/20 9:09 AM, Dana Kilcrease wrote:

We run regular security awareness training focused largely on simulated phishing campaigns.  Overall, the response has been 
great, and awareness has gone up over the years.  However, we have a growing number of users who continue to over report 
"suspicious" emails, to the point that any corporate communications are typically followed by dozens of phone calls to 
our Helpdesk reporting these communications as suspicious, even if they do not contain any of the red flags we teach through our 
training.



Has anyone faced this with their training campaigns?  Any insight as to how to strike the best balance to ensure users 
are reading emails critically, rather than blindly reporting anything that is remotely outside of their day-to-day?



Dana Kilcrease

Director, Information Security

Berkeley College




------------------------------

Date:    Fri, 4 Dec 2020 19:05:58 +0000
From:    "Pardonek, Jim" <jpardonek () LUC EDU>
Subject: Microsoft Data Loss Prevention Email Address

Hi All!

We are using Microsoft Data Loss Prevention and have discovered that if you get a notification that you violated a 
policy the email is coming from postmaster.  We would like to get rid of our postmaster account because it really is a 
carryover from our GroupWise days and up till now served no purpose.  From what I am reading, that setting cannot be 
changed but I thought it would be good to query the list and see if there is anything that we can do to have the email 
come from another mailbox that we can monitor and respond if needed.

Thanks,

James Pardonek, MS, CISSP, CEH, GSNA
Associate Director
Chief Information Security Officer
Loyola University Chicago
1032 W. Sheridan Road | Chicago, IL  60660

(773) 508-6086

Loyola University Chicago will never ask you for your username or password.
For the latest information security news at Loyola, please follow us online,
Twitter: @LUCUISO
Facebook: https://www.facebook.com/lucuiso/
Our Blog http://blogs.luc.edu/uiso/



------------------------------

Date:    Fri, 4 Dec 2020 15:44:03 -0500
From:    Frank Barton <bartonf () HUSSON EDU>
Subject: Re: Microsoft Data Loss Prevention Email Address

James, I can't talk about changing the setting - but you shouldn't get
rid of POSTMASTER

RFC 822 section 6.3 specifies that postmaster must be valid, and some
places get super-cranky if it doesn't exist

Frank

On Fri, Dec 4, 2020 at 2:08 PM Pardonek, Jim <jpardonek () luc edu> wrote:

Hi All!



We are using Microsoft Data Loss Prevention and have discovered that if
you get a notification that you violated a policy the email is coming from
postmaster.  We would like to get rid of our postmaster account because it
really is a carryover from our GroupWise days and up till now served no
purpose.  From what I am reading, that setting cannot be changed but I
thought it would be good to query the list and see if there is anything
that we can do to have the email come from another mailbox that we can
monitor and respond if needed.



Thanks,



James Pardonek, MS, CISSP, CEH, GSNA
Associate Director
Chief Information Security Officer
Loyola University Chicago
1032 W. Sheridan Road | Chicago, IL  60660
(773) 508-6086

Loyola University Chicago will never ask you for your username or password.
For the latest information security news at Loyola, please follow us online,
Twitter: @LUCUISO
Facebook: https://www.facebook.com/lucuiso/
Our Blog http://blogs.luc.edu/uiso/






--
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University
PGP Key Fingerprint: 0249DC644EC78D2F6B5CD2C6C94D3EDB57946437


------------------------------

End of SECURITY Digest - 3 Dec 2020 to 4 Dec 2020 (#2020-235)
*************************************************************

