Home page logo

educause logo Educause Security Discussion mailing list archives

Re: Mitigating Phishing Attacks
From: "King, Ronald A." <raking () NSU EDU>
Date: Wed, 14 Nov 2012 15:56:17 -0500

We have too seen a few recently. Within an hour or two of a user responding
to a message, we start to see the user's account sending SAPM.  We
immediately change the password and disconnect the session.  We reset any
password reset profiles.  We notate the account using an support system
ticket number created for said actions so our support folks know.  Our help
desk team will inform the user they need to speak to the security group and
resets their password.  When we talk to the user, we inform them of what
happened, remind them of their annual training they are required to take,
and try to further reinforce safe online habits.  We instruct the user on
the cost that could be incurred if our organization were to suffer loss in
monies and/or reputation.  We inform them that their single action could
land our institution on blacklist requiring our IT support folks to work
tirelessly with different entities trying to convince them we aren't
intentionally trying to act maliciously, and, that we are safe to do
business with.  If needed, we will reset enable their account without
resetting their password a third time.  There is a documented procedure
should we have to produce it.



Ronald King

Security Engineer

Norfolk State University

http://security.nsu.edu <http://security.nsu.edu/> 


From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Christopher Jones
Sent: Wednesday, November 14, 2012 3:04 PM
Subject: [SECURITY] Mitigating Phishing Attacks


We have experienced a number of targeted phishing attacks recently.  Because
the most recent phish led its victims to provide their network credentials
via a realistic looking OWA logon page, we took the following steps to deal
with some resultant compromised accounts:


.         immediately reset the passwords for the affected accounts, 

.         restarted, the IIS service to stop any active webmail sessions

.         alerted the user community



It got me to wondering how other institutions deal with similar situations
where user accounts have been compromised.  If anyone would care to share, I
would be interested how you have handled similar situations. It would be
useful to know your top 3 strategies for preventing and mitigating such
occurrences.  Thanks.



Christopher Jones

IT Security Analyst

University of the Fraser Valley

Christopher.Jones () ufv ca



Attachment: smime.p7s

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]