May 2017 archive

Cybersecurity | Part 3 | Endpoint Protection

Coming Soon…

Cybersecurity | Part 2 | Credential Theft

The most classic example is the endless stream of phishing attacks directed at us. The attacks often appear to be from legitimate sources, such as Payroll or HR. We had a bunch of people fall for the Payroll phish instantly. They were thinking more about not getting paid than the legitimacy of the message.

One of the best attacks I saw was an extremely well-crafted email paired with an extremely accurate-looking forgery page. The email utilized Drexel branding that was hosted on another academic institution’s website. This meant the message could be opened by many users without creating any kind of suspicious traffic load on the Drexel web server, and since the image traffic was coming from another academic institution, it could run over the academic networks. This single image was not more than a few drops in an ocean of traffic on the academic backbone network. The traffic would be obscured by the larger transfers and higher volume going over the network.

The forgery page was built to match an internal authentication system, complete with out-of-date copyright tags. The site also claimed the password was incorrect no matter what the user entered. This meant the user could enter multiple possibilities for the password and the system would harvest all of them. This provided the site’s creators with several potential sets of credentials to use to attempt to access other systems. Most people will try the same password entry again after it’s wrong once, but on subsequent attempts they typically start trying different/older passwords.
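The off-site branding trick described above (legitimate-looking logos fetched from a third party so that nothing unusual ever reaches the real web server) is something a mail gateway or triage script can look for. The following is an added example, not code from the original post: it parses an HTML message body and flags image URLs that reference the organisation's brand but are served from a host outside the organisation's own domains. The domain list, brand tokens and sample message are all constructed for the example; `drexel.edu` is assumed here as the organisation's domain and is not taken from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for this example (not from the post): the organisation's own domains
# and the words a forger would reuse in image names or look-alike hostnames.
ORG_DOMAINS = ("drexel.edu",)
BRAND_TOKENS = ("drexel", "dragons")


class _ImgCollector(HTMLParser):
    """Collect every <img src=...> value from an HTML body."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":  # HTMLParser lower-cases tag names for us
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def _is_org_host(host):
    """True if host is one of ORG_DOMAINS or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ORG_DOMAINS)


def external_brand_images(html_body):
    """Return (url, host) pairs for brand-named images hosted off-org.

    Relative and data: URLs are skipped: they are not the pattern we care
    about, which is absolute links to a third-party host carrying our brand.
    """
    parser = _ImgCollector()
    parser.feed(html_body)
    hits = []
    for src in parser.srcs:
        parts = urlparse(src)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue
        if _is_org_host(parts.hostname):
            continue
        # Look for the brand in the hostname, path and query of the off-org URL.
        haystack = (parts.netloc + parts.path + "?" + parts.query).lower()
        if any(token in haystack for token in BRAND_TOKENS):
            hits.append((src, parts.hostname))
    return hits


# Constructed sample message: one genuine logo, one brand logo hosted on a
# third-party academic site, one neutral tracking pixel and one inline image.
SAMPLE_EMAIL = """
<html><body>
<p>Payroll notice: please confirm your details.</p>
<img src="https://www.drexel.edu/images/drexel-logo.png">
<img src="https://www.example-university.edu/files/drexel_logo.png">
<img src="https://cdn.example.net/pixel.gif">
<img src="data:image/png;base64,iVBORw0KGgo=">
</body></html>
"""

if __name__ == "__main__":
    for url, host in external_brand_images(SAMPLE_EMAIL):
        print(f"brand image served off-org by {host}: {url}")
```

A hit is only a signal, not proof of phishing, but combined with a display-name mismatch or a login link on the same third-party host it is a strong reason to warn users before they reach the page.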

That phishing campaign was, by far, the worst we’ve seen. Since then we’ve developed a better warning system for our users and procedures to get the phishing sites taken offline as soon as we’re alerted to their presence. Hat tip again to @SwiftOnSecurity for the phishing site takedown steps.

-Brian

Cybersecurity

Working as a Systems Administrator in a healthcare environment has given me a unique perspective on IT security. I usually tell people that my team has one of the toughest positions within the university. We are constantly trying to balance the need for information security necessitated by health information with the inherent collaborative nature of higher education. We have to do all this for a user base that is not particularly tech savvy.

Cybersecurity frameworks are long on length and generalities but short on specific instructions. Believe it or not, my best source of detailed security practices and issues is a Taylor Swift parody account on Twitter. The account covers a huge gamut of IT security news and practical applications. Some of the larger schemes I’ve put together for our environment have grown out of a single simple tweet.

My department is still growing out of an entirely response-oriented help desk into a planned environment with structure and project management. Admittedly, I hate doing all the monotonous work related to the project management documentation, but I understand that it’s necessary. We have to be able to justify our actions. We are only just beginning to touch on the risk documentation aspects of project management. This is the core of cybersecurity: risk management and minimization. I don’t say risk elimination because it’s simply not possible.

Every decision we make regarding our IT environment can increase or lower risk. It’s not a matter of whether one of our systems has been or will be compromised, but rather when it happened or will happen and how much information has been or will be compromised. Even employees using their web browser on their work machine give away information. This information is probably related more to the user, and there is less risk of exposure of Drexel information, but it is certainly possible that some of that information could be used to compromise our organization.

One of the easier ways to illustrate this is with an example. That, however, will be saved for the next post.

To be continued…

-Brian