Staff e-mail addresses Availability tradeoffs December 13, 2012.

Presentation transcript:

Slide 1 – Staff e-mail addresses: Availability tradeoffs (December 13, 2012)

Slide 2 – Facts on the ground
– Starting October 24, we have had 19 user accounts successfully phished. Our normal rate of security incidents is usually 1-2 incidents per month.
– Successful phishes have resulted in our mail servers being used to send ~4 million spam mails.
– The amount of spam originating from UCAR has led several service providers to blacklist mail coming from us, including 2 educational institutions (udel.edu, ucsd.edu).

Slide 3 – Why the increase in successful phishing?
– Phishers are getting better at writing believable e-mails that look authentic.
– Attacks are less scripted and have more individualized human attention involved. For example, using Staff Notes subject lines and formatting to try to fool our users.
– They use tinyurl and google docs links, which in general people trust.
– New employees and “pre-coffee” users are the ones who have fallen for these attacks.
– Domino effect: every time a user falls for phishing, the attackers gain more information about our e-mail patterns and systems used, and have new ways to try to fool our people.

Slide 4 – What’s the end game?
– Most likely, identity theft, access to bank accounts and credit card numbers, and the like.
– People leave personal information trails all over the place. E-mails tend to be full of it, and people also reuse passwords on multiple sites.
– One stolen password can mean a lot of information about that person in the attacker’s hands.
– An e-mail account also contains many trails leading to other people’s e-mail accounts.
– Phishing is a numbers game – the more people you touch, the more likely you will have success.

Slide 5 – Here’s the rub…
– We consider ourselves an open academic institution, with a high value placed on sharing information externally.
– We have many relationships with other educational and research institutions and organizations, and want to remain accessible.
– How do we balance these needs with the fact that our information is being misused maliciously?

Slide 6 – Consider the source
– We have log information showing the attackers are obtaining information about employees and their accounts using people.ucar.edu.
– We have other sources of people information on websites. Some draw directly from people.ucar.edu, others are standalone.
– We have not seen direct evidence that other sources have been used in this recent wave, but there’s no reason they couldn’t be the target at some point in the future.

Slide 7 – The phishing begins…
– If they obtain someone’s webmail password, they can send e-mail from that user’s account, making it appear legitimate.
– They are also changing people’s webmail info, such as vacation messages, signatures, and reply-to addresses.
– People tend to use the same password in multiple locations. Gaining access to one location often leads to access to other locations.
– Escalating effect: more info obtained gives more leads to conduct more phishing.

Slide 8 – What can we do?
– We need to stop the current bleeding.
– We need to protect ourselves to prevent this kind of successful, widespread attack from happening again.
– We need to anticipate the attackers’ next move, so that we don’t immediately end up back in the same cycle.
– We need to do all of this in such a way that we don’t turn into a “bubble boy”.

Slide 9 – People vs. Staff
– people.ucar.edu is a known current source of information for the attackers.
– In addition to general info about people, it interfaces with critical business databases (HR information, etc.). It is a potential pathway into these underlying databases.
– Based on behavior we have seen in our logs, we strongly suspect attackers have attempted to change data in it when they have obtained employees’ passwords.
– We are therefore moving people.ucar.edu so that it is accessible from internal networks only.

Slide 10 – People vs. Staff
– staff.ucar.edu will be our new external source of people information.
– It pulls info from people.ucar.edu, and does not have write access to any of the critical underlying databases.
– All of the people information we wish to share with the world will still be there, but we have some ways to thwart the attackers.

Slide 11 – Staff protections
– Attackers love being able to gain access to tons of information quickly and in an automated way.
– The following will slow down their access to our information:
  – E-mail addresses will be somewhat obfuscated with entity encoding. Humans will be able to read the addresses fine; scripts will have a harder time.
  – Searches will be limited to returning a small number of results.
  – The user must type in at least 3 characters in a name to be able to search.

Slide 12 – More staff protections
– There will be operational logging included with staff.ucar.edu. We will be able to see IP addresses of connecting machines, and what searches those machines performed. This will help us respond more intelligently in the event of an incident.
– There will be some basic flood detection and alerting, watching for search patterns that may indicate malicious activity.
– Further protections are under discussion. This will be an evolutionary process going forward.
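The three search-side protections from slide 11 (entity-encoded addresses, a result cap, a minimum query length) and the per-IP flood detection from slide 12, as an added illustration that is not UCAR's staff.ucar.edu code. The directory entries, thresholds, log format and log lines are all constructed for the example; the round-trip through html.unescape shows why entity encoding only deters naive scrapers, which is the "slow them down" point the slides make.

```python
import html
import re
from collections import defaultdict

# Constructed sample directory (hypothetical names and addresses, not UCAR data).
DIRECTORY = [
    ("Alice Example", "alice@example.org"),
    ("Alan Sample", "alan@example.org"),
    ("Albert Test", "albert@example.org"),
    ("Bob Example", "bob@example.org"),
]
MAX_RESULTS = 2       # cap on results per search (assumed value)
MIN_QUERY_LEN = 3     # minimum characters before a search runs (from slide 11)
FLOOD_THRESHOLD = 5   # searches from one IP in the examined window that trigger an alert (assumed)

def entity_encode(addr):
    """Encode each character as a decimal HTML entity; browsers render it as plain text."""
    return "".join("&#%d;" % ord(c) for c in addr)

def search(query):
    """Enforce the minimum query length and the result cap; return (name, encoded address)."""
    if len(query) < MIN_QUERY_LEN:
        return []
    q = query.lower()
    hits = [(name, entity_encode(addr)) for name, addr in DIRECTORY if q in name.lower()]
    return hits[:MAX_RESULTS]

# Constructed log format: <client ip> <timestamp> search q="<query>"
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<ts>\S+) search q="(?P<q>[^"]*)"$')

def flood_alerts(log_lines, threshold=FLOOD_THRESHOLD):
    """Count searches per source IP over the supplied lines (the caller picks the
    time window) and return the IPs at or above the threshold, sorted."""
    counts = defaultdict(int)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            counts[m.group("ip")] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

# Constructed sample log: one client walking the directory, one normal user.
SAMPLE_LOG = [
    '198.51.100.7 2012-12-13T09:00:%02d search q="%s"' % (i, q)
    for i, q in enumerate(["ali", "ala", "alb", "bob", "exa", "sam"])
] + [
    '203.0.113.5 2012-12-13T09:01:00 search q="alice"',
    '203.0.113.5 2012-12-13T09:01:30 search q="bob"',
]

if __name__ == "__main__":
    print(search("ali"))
    print(flood_alerts(SAMPLE_LOG))
```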

Slide 13 – Important to understand…
– The people vs. staff change will NOT completely stop phishing attempts. It will only slow them down.
– We will no longer be the low-hanging fruit that everyone is going after. But there will always be someone willing to climb the tree to get the good stuff.
– There is no way to completely shut down phishing attempts other than to isolate ourselves from the rest of the world, which is unacceptable.
– We hope that this solution strikes a reasonable balance.

Slide 14 – The human element
– No amount of technical solutions will fix the problem completely, as long as we have humans working in our organization.
– Attackers have numerous ways to trick and manipulate people into giving up information. Education is the only way to thwart this.
– New employees need to be brought up to speed on phishing, and know who to contact if they see something suspicious.
– Even the most well-educated people can have a pre-coffee moment.

Slide 15 – Future technologies
– The WAG reviews new web technologies, and how we can leverage them at UCAR.
– New technology can be highly useful, but may also carry new risks.
– SEG encourages the WAG to consult with us when reviewing new technology. We can help identify the risks, and recommend ways to protect the system without losing utility.
– It is far less costly to build security in from the start than to tack it on in an ad hoc fashion later.

