Educause Security Discussion mailing list archives

Re: [EXTERNAL] [SECURITY] URL re-writing in emails


From: Jason Edelstein <jasone () UCHICAGO EDU>
Date: Tue, 19 Jan 2021 18:10:45 -0600

Ravi,

We also use Proofpoint. My opinions are mine alone and I'm trying to be product-agnostic. To your questions:

1. Yes, we have received lots of objections. Two different kinds:

 * Privacy-styled discussions. "You are tracking all of my clicks," and
   "This will block academic freedom," for example.
 * Creative objections about whether they make things more secure. "I
   just click everything now!" "I can't see where it goes! How can I
   check?" "It will block legitimate things."

We addressed the privacy stuff by discussing frankly what the technology actually does. The controls the vendor has in place, that we have in place, what clicks are surfaced (the bad ones only!), the fact that the technology does indeed impact privacy slightly. We heavily relied on faculty governance to thrash this stuff out.

The security objections are... a lot less difficult to face, in my opinion. People click. It is a fact. Mobile devices don't support hovering, and people make mistakes. We do not use the language of blame here, we emphasize that people need to move fast and may be surprised or deceived. The human is not a weak point because they are human - they are the target because they have free will. Finally, URL rewriting can be readable! This is the educause community link rewritten:

https://urldefense.com/v3/__https://www.educause.edu/community__;!!BpyFHLRN4TMTrA!pzz7ut_aaLEqkrAEsIfhZVUuyFAWns5l4_55QTAwqXhPqJpA3WhB_LjnL5qnpPy1Rg$

I can pretty easily figure out some stuff there.

2. Our awareness training (it is not mandatory) does mention rewriting, but that's it.

3. Without being specific, it has been hugely helpful in giving us insight, especially now that everyone is remote. We are proactive in removing messages that are later detected as having malicious URLs, which is only possible with rewriting (or a lot of elbow grease. We're using Proofpoint's TRAP, now).

Being specific? Our most attacked people were not the ones we always thought they were. Some of our alumni get the worst stuff, not our active staff. It raised eyebrows. And we discovered some faculty were targeted in areas we did not expect (humanities, in our case). Rewriting was an unexpected source of useful metrics and data! Metrics are love.

-je-


On 1/19/21 5:13 PM, Ravi Kotecha wrote:
Greetings,

I'm curious about your experiences using tools that rewrite URLs in emails. We have Proofpoint's suite and one of the features rewrites URLs in emails with an https://urldefense.com/ prefix and clicking the link will pass through Proofpoint's servers.

One piece of feedback we received in a pilot was that we had been teaching folks to hover over URLs to determine the destination before clicking links. With re-writing, all links are changed for external sites so that advice is no longer reliable.

I'm interested in experiences others have had using this feature. For example:
- Have you received negative feedback? If so, how have you addressed it?
- How have you augmented awareness training?
- Are there any success stories you wish to share?

Thanks in advance,
Ravi Kotecha
kotechar () brandeis edu
--
Ravi Kotecha '10, M.S. '14, M.S. '20
Privacy & Information Security Analyst
Information Technology Services
Submit a security request: security () brandeis edu
Report phishing: phishing () brandeis edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community <https://urldefense.com/v3/__https://www.educause.edu/community__;!!BpyFHLRN4TMTrA!pzz7ut_aaLEqkrAEsIfhZVUuyFAWns5l4_55QTAwqXhPqJpA3WhB_LjnL5qnpPy1Rg$>
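
The reply above notes that a rewritten link stays readable. As an added example (not part of the original messages and not Proofpoint's code), this sketch recovers the destination from a urldefense.com v3 link so a help desk or triage tool can show it. The v3 layout and the '*' placeholder handling are assumptions about the format, the function names are illustrative, and SAMPLE_LINK is constructed.

```python
import base64
import re
from urllib.parse import urlsplit

# Assumed v3 layout: /v3/__<original URL>__;<base64 section>!!<token>$
V3 = re.compile(r"^https://urldefense\.com/v3/__(?P<url>.+?)__;(?P<enc>[^!]*)!")

# The rewritten link quoted in the message above.
PAGE_LINK = ("https://urldefense.com/v3/__https://www.educause.edu/community__;"
             "!!BpyFHLRN4TMTrA!pzz7ut_aaLEqkrAEsIfhZVUuyFAWns5l4_55QTAwqXhPqJpA3WhB_LjnL5qnpPy1Rg$")
# Constructed sample: '?' and '=' replaced by '*', carried as base64 "Pz0".
SAMPLE_LINK = ("https://urldefense.com/v3/__https://example.edu/login*next*home__;"
               "Pz0!!CONSTRUCTEDTOKEN$")


def original_url(rewritten: str) -> str:
    """Return the destination embedded in a urldefense.com v3 link."""
    m = V3.match(rewritten.strip())
    if not m:
        raise ValueError("not a urldefense.com v3 link")
    url, enc = m.group("url"), m.group("enc")
    if "**" in url:
        # Runs of replaced characters use a separate encoding not handled here.
        raise ValueError("run-encoded placeholders are not handled by this sketch")
    # Assumption: each '*' stands for one character taken, in order, from the
    # URL-safe base64 section that follows '__;'.
    pad = "=" * (-len(enc) % 4)
    repl = base64.urlsafe_b64decode(enc + pad).decode("utf-8")
    if url.count("*") != len(repl):
        raise ValueError("placeholder count does not match replacement characters")
    chars = iter(repl)
    return "".join(next(chars) if c == "*" else c for c in url)


def destination_host(rewritten: str) -> str:
    """Hostname the click would reach, for display next to the rewritten link."""
    return urlsplit(original_url(rewritten)).hostname or ""


if __name__ == "__main__":
    for link in (PAGE_LINK, SAMPLE_LINK):
        print(destination_host(link), original_url(link))
```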
