Information Security Phishing Update
CTC, 15 April 2015
Julianne Tolson

Phishing

Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.
Wikipedia: http://en.wikipedia.org/wiki/Phishing
Phishing & password compromises

The increase in phishing messages sent to SF State email accounts is related to the increase in SF State password compromises. The primary reason for recent password compromises is that SF State individuals responded to phishing messages.
Other reasons for password compromises

- Absence of a password policy on some accounts, which permits brute-force attacks
- Using the same password and login on other sites that are compromised
- Using predictable passwords
- Malware on devices that captures every keystroke using a keylogger
- Malware on devices that redirects users to a fake web site
Risks of an account compromise

- Breach of sensitive information
- Interruption of business operations
- Harm to SF State's reputation
Phishing / account compromise strategy

- Procedure changes I
- User education
- Message filtering
- Account management
- Log analysis / management
- Procedure changes II & III
Compromised account procedure changes I

- Lock accounts quickly
- Change password when locked
- How compromised?
- Unlock & communicate
- Improve ticket flow & communication
User education strategy

- Phishing / security awareness campaign
- CSU Skillport security awareness / FERPA training
- Phishme.com
- Campus e-mail communication authenticity
Message filtering strategy

- Exchange Online Protection (EOP)
- Security appliances
- Block specific message subjects
- Implement Sender Policy Framework (SPF)
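To show what the SPF item on this slide actually does at the receiving mail server, here is an added example (not part of the presentation and not SF State's configuration) of a minimal offline SPF evaluator: it walks a domain's published policy record and decides whether the connecting sender IP is authorized to send mail for that domain, which is the check that lets a filter reject messages spoofing a campus domain. The domains, IP ranges and TXT records are constructed from reserved example ranges; only the ip4, ip6, include and all mechanisms are handled, and a dictionary stands in for DNS so the code runs without network access.

```python
"""Minimal offline SPF (Sender Policy Framework) evaluator.

Added example, not the presentation's material. Assumptions: a constructed
dictionary stands in for DNS TXT lookups, and only the ip4, ip6, include and
all mechanisms are implemented (no a/mx/ptr/exists/redirect).
"""
import ipaddress

# Constructed sample policy records (hypothetical domains, RFC 5737/3849 ranges).
SAMPLE_DNS = {
    "example.edu": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# SPF qualifier prefixes and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(sender_ip, domain, dns=SAMPLE_DNS, depth=0):
    """Return the SPF result (pass/fail/softfail/neutral/none/permerror)
    for sender_ip claiming to send on behalf of domain."""
    if depth > 10:  # RFC 7208 limits include recursion; treat deeper chains as an error
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:
        qualifier = "+"  # mechanisms default to the "pass" qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False

        if name == "all":
            matched = True  # "all" always matches; usually the final catch-all term
        elif name in ("ip4", "ip6"):
            try:
                # Membership test is False when address and network families differ.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed network in the published record
        elif name == "include":
            sub = evaluate_spf(sender_ip, arg, dns, depth + 1)
            if sub == "pass":
                matched = True
            elif sub in ("none", "permerror"):
                return "permerror"  # RFC 7208: an include of a missing record is an error
        else:
            continue  # unsupported mechanism; ignored in this example

        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term was present


def filter_decision(result):
    """Map an SPF result to a mail-filter action (local policy, constructed)."""
    if result == "fail":
        return "reject"
    if result in ("softfail", "permerror"):
        return "quarantine"
    return "accept"


if __name__ == "__main__":
    for sender in ("192.0.2.25", "198.51.100.10", "203.0.113.7"):
        result = evaluate_spf(sender, "example.edu")
        print(f"{sender:>15}  spf={result:<8}  action={filter_decision(result)}")
```

The third sample sender, 203.0.113.7, matches neither the domain's own range nor the included mailer's ranges, so the trailing `-all` produces a `fail` and the filter rejects the message even though its From header claims the campus domain; that is the spoofing case SPF is meant to stop.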
Account management strategy

- De-provision or move accounts of separated employees
- De-provision unused Emeritus accounts
- Identify unneeded secondary accounts
- Apply password policy to all Exchange accounts; identify service accounts
Compromised account procedure changes II

- Improve ticket flow & communication: need help listing phone numbers in the campus directory
- Reduce emphasis on devices
- Provide list of possible phishing reasons
Possible phishing reasons

- Did you "share your password" with anyone?
- Did you "upgrade your quota"?
- Did you "verify your account"?
- Did you click on an e-mail link to log in to Web Mail?
- Did you use this password for any other account/login?
- Do you use a 'numbering' system or other recognizable password pattern?
Compromised account procedure changes III

If the compromise is explainable as phishing and the only symptom is sending e-mail:

- The device could still be compromised, so a device scan should still be run
- Review phishing awareness with the users of the account
- The account can be unlocked before the scan is run and used on a safe device
- Delegated e-mail access is strongly recommended
Other security initiatives

- Multi-factor authentication (MFA)
- Identity Manager
- Endpoint management (SCCM/Casper)
Questions and Suggestions?