Last week I attended the Educause Security Professionals Conference 2012 in Indianapolis, Indiana and was lucky enough to co-present with Emory University to discuss the phishing problems higher education faces. This event had an entire track devoted to Awareness & Training, and of course a major topic for discussion was phishing.
Beyond presenting and spending time answering questions at our booth, I spent a lot of time in the sessions learning about the IT security issues they face. The professionals that work in this space really have their work cut out for them.
- They have all the challenges of supporting security, enforcement, abuse of services, and account compromise from the students and alumni services.
- They also have the classic enterprise security challenges when it comes to supporting faculty and business administration.
- On top of that, many have an added layer of challenges keeping their hospitals and research centers protected and in compliance with the applicable regulations.
Maintaining security for these different audiences really keeps you on your toes and the depth of ability and expertise I saw at Educause was truly impressive. (hat tip)
What ‘phishing’ means in Higher Education…
The most visible phishing problem is student account compromise. The attackers want student credentials in order to abuse university resources. That could mean using a compromised email account to phish for more accounts (more about that later), sending spam, accessing restricted publications and journals, or abusing VPN services to bypass geo-restrictions. The earlier emphasis on ‘most visible’ is deliberate: the aftermath of an account compromise is usually the only indicator that an email phishing attack occurred at all. The compromised account sends out loads of spam or launches further attacks, which is of course quite different from the spear-phishing attacker who is trying to gain access to a network and maintain quiet, persistent control.
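Because the outbound burst is usually the first signal a campus sees, one practical defender's check is to compare each account's short-window sending volume against its own normal baseline. The following is an added example, not code from the original post, PhishMe or any university mentioned here; the log line format, the baseline numbers and the sample accounts are all constructed for illustration.

```python
# Added example (not from the original post): flag accounts whose outbound
# mail volume suddenly exceeds a per-account baseline, which is the
# "aftermath" signal described above. Log format and baselines are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of outbound-mail log lines:
# "<timestamp> <sender> -> <recipients in this message>"
SAMPLE_LOG = """\
2012-05-14T09:00:05 jdoe@example.edu -> 1
2012-05-14T09:02:11 asmith@example.edu -> 2
2012-05-14T09:03:40 jdoe@example.edu -> 1
2012-05-14T09:05:02 rlee@example.edu -> 250
2012-05-14T09:05:09 rlee@example.edu -> 250
2012-05-14T09:05:15 rlee@example.edu -> 250
2012-05-14T09:06:30 asmith@example.edu -> 1
"""

# Constructed per-account baseline: typical recipients addressed in a
# 10-minute window on a normal day (in practice, learned from history).
BASELINE = {
    "jdoe@example.edu": 5,
    "asmith@example.edu": 8,
    "rlee@example.edu": 6,
}


def parse_line(line):
    """Split one log line into (timestamp, sender, recipient_count)."""
    ts, sender, _arrow, count = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), sender, int(count)


def peak_window_volume(log_text, window=timedelta(minutes=10)):
    """Return {sender: most recipients addressed in any span of length `window`}.

    Uses a sliding window over each sender's time-sorted events so a burst of
    many small messages is caught as well as a few very large ones.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, sender, count = parse_line(line)
            events[sender].append((ts, count))

    peaks = {}
    for sender, evs in events.items():
        evs.sort()
        start, running, peak = 0, 0, 0
        for ts, count in evs:
            running += count
            # Drop events that fell out of the window ending at `ts`.
            while ts - evs[start][0] > window:
                running -= evs[start][1]
                start += 1
            peak = max(peak, running)
        peaks[sender] = peak
    return peaks


def flag_suspect_accounts(log_text, baseline, window=timedelta(minutes=10),
                          multiplier=10):
    """Return senders whose peak window volume exceeds `multiplier` x baseline.

    Accounts with no recorded baseline are compared against 1, so a brand-new
    or rarely used account that suddenly blasts mail is still flagged.
    """
    peaks = peak_window_volume(log_text, window)
    return sorted(s for s, p in peaks.items()
                  if p > multiplier * baseline.get(s, 1))


if __name__ == "__main__":
    for account in flag_suspect_accounts(SAMPLE_LOG, BASELINE):
        print("possible compromised account:", account)
```

In the constructed sample, rlee@example.edu addresses 750 recipients inside a 10-minute window against a baseline of 6, so it is flagged, while the two normal accounts stay under their thresholds. A real deployment would feed the same function from the mail gateway's logs and pair a hit with an automatic password reset and session revocation rather than a print statement.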
A great session I attended was by Harvard Townsend of Kansas State University. He presented the multi-pronged approach they use to bring awareness to the phishing problem. K-State has a lot of valuable data about the types of incidents they respond to, their number, and their frequency. (It’s probably not a surprise that phishing-related incidents make up the bulk of their response efforts.)
YouTube video: K-State IT Services Cyber Security Awareness
One of the most creative ways I’ve seen to get the word out about phishing was a video Kansas State produced (besides PhishMe, of course; I’m biased). This video has fantastic production and insight into the type of phishing problem higher education is facing. In their multi-pronged approach they even ran this video on their Jumbotron during a sold-out game!
I really enjoyed the Educause Security Professionals Conference and will have more to share about it later this week.
Aaron Higbee - @higbee