Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: Mitigating Phishing Attacks
From: Joel Rosenblatt <joel () COLUMBIA EDU>
Date: Wed, 14 Nov 2012 18:15:12 -0500

Hi,

This GULP presentation <http://www.nysernet.org/workshops/2011/GULP.pdf> has a section on using GULP to discover 
compromised accounts

Thanks,
Joel Rosenblatt

Joel Rosenblatt, Director, Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3



--On Wednesday, November 14, 2012 4:23 PM -0600 Steven Tardy <sjt5 () ITS MSSTATE EDU> wrote:

0a) log all authentications(failed and successful) to a database.
(something homegrown similar to: Grand Unified Logging Project, GULP)

0b) create a database of ip addresses of "known bad guys"
(the phishers will keep trying from the same ip addresses)
export database to "known bad guy" DNSBL.

1) scour auth database for nigerian/anonymous-proxy logins.
    notify security team *immediately* of login from "known bad guy".

2) outbound email server hold/quarantine email on "known bad guy" DNSBL.

3) watch outbound queues/graphs for jumps in size.

not perfect, but catches/prevents quite a bit.



It would be useful to know your top 3 strategies for
preventing and mitigating such occurrences. Thanks.




Joel Rosenblatt, Director, Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault