Internal Email Restrictions and Effect on Cold Emailing

Started by polly_mer, February 18, 2021, 07:31:34 AM

polly_mer

Quote from: Ruralguy on February 19, 2021, 07:35:57 AM
Thankfully, my institution doesn't really care too deeply about this issue. I mean they certainly try to block such things and send out warnings regarding phishing attempts.

And that works fine...right up until it doesn't and then the recovery activities are extremely resource intensive, especially when the IT department was already very understaffed and is a good five years behind modern in tools and skills that change quarterly.

My current employer cares deeply because we have so much information worth stealing.  We are not undertasked in IT with people just looking for something to do.  We have several teams of highly qualified professionals trying to keep us current against a continuously changing threat.

Even at Super Dinky, every time we got someone who knew about modern risk factors, IT would dig out the plan, sigh about the resources, and then try to negotiate priorities such that we would not be totally screwed after another faculty member clicked on the wrong link or downloaded the wrong plug-in.  Super Dinky had little to steal, but was occasionally subject to the malicious "let's wipe everything and smash the system" attitude.
Quote from: hmaria1609 on June 27, 2019, 07:07:43 PM
Do whatever you want--I'm just the background dancer in your show!

Ruralguy

I get that, and considering you are at a place that not only has proprietary information, but in some cases, I guess, classified information, I see the need to protect that. But if everyone there is so smart, can't they think of a way to do this without skewering colleagues? I feel that there must be a way to do this that's less intense for people who obviously unintentionally engaged in very minor infractions.

I also get that they probably make you sign things that basically have you give up rights to your job under certain circumstances, i.e., can fire you for accidentally sending something to an enemy state, just as a for instance.

I guess I just wonder if there's a better way, and perhaps you do too Polly, since you posted this.

polly_mer

Quote from: Ruralguy on February 19, 2021, 08:51:00 AM
I feel that there must be a way to do this that's less intense for people who obviously unintentionally engaged in very minor infractions.

The problem isn't the "very minor" infractions, most of the time.  Even mishandling classified generally doesn't get one fired on the first offense.

The problem is very much related to the mindset of "This rule is personally inconvenient and, therefore, I will figure out a workaround."  I started this thread more as situational awareness for novices who are sure that more senior people are just being rude and arrogant when the response is slow or non-existent.

The last few posts have been more situational awareness of how the world really has changed since the 1950s due to changing from paper to electronics and then all the connectivity of electronics.  Stealing information is only one facet of the hacking problem.  Another huge facet is taking over enough resources hooked up to the internet to be able to shut down normal modern functioning.  For example, denial of service attacks or having enough computing power acquired from linking together resources to just brute force some less guarded entry points. 

Once one is on the internal system as a trusted user, then one can often take a lot of control, especially if that user account hasn't been locked down from practically everything.  That's the problem with not knowing, implementing, and keeping up-to-date current practices separating system administration permissions from minion user permissions.  The patches regularly released for Microsoft and the discontinuation of Flash Player are exactly aimed at ensuring that hackers can't use a minion-level account that shouldn't have the privileges to get around the permissions in place.

Disobeying the rules because they are "stupid" or even just inconvenient as a typical attitude means much more risk for everyone who actively participates in the modern, highly connected, highly dependent on those internet connections world.  Thus, while any one very minor infraction has a tiny probability of a big problem, having "everyone" do "very minor" infractions on a somewhat regular basis all but guarantees big problems.

One thing that many people don't know is how important cybersecurity is to the US national defense.  Sure, we protect classified information, but the much larger concern is all the infrastructure for normal modern life.  https://www.defense.gov/Explore/News/Article/Article/2103843/dods-cyber-strategy-of-past-year-outlined-before-congress/  In many discussions, the next war won't be with armies and physical weapons; the start is cyber with disrupting normal workings that rely on the internet.

That's one reason why the 2018 Nuclear Posture Review includes as official US policy:
Quote
The United States would only consider the employment of nuclear weapons in extreme circumstances to defend the vital interests of the United States, its allies, and partners. Extreme circumstances could include significant non-nuclear strategic attacks. Significant non-nuclear strategic attacks include, but are not limited to, attacks on the U.S., allied, or partner civilian population or infrastructure, and attacks on U.S. or allied nuclear forces, their command and control, or warning and attack assessment capabilities.

The United States will not use or threaten to use nuclear weapons against non-nuclear weapons states that are party to the NPT and in compliance with their nuclear non-proliferation obligations.

Given the potential of significant non-nuclear strategic attacks, the United States reserves the right to make any adjustment in the assurance that may be warranted by the evolution and proliferation of non-nuclear strategic attack technologies and U.S. capabilities to counter that threat.
https://media.defense.gov/2018/Feb/02/2001872886/-1/-1/1/2018-NUCLEAR-POSTURE-REVIEW-FINAL-REPORT.PDF p. 21

Non-nuclear strategic attacks include cyber.  Infrastructure includes cyber.

It's funny when the stories circulate about someone taking over a doorbell camera or a thermostat.  It's much less funny when a college has to shut down for a few days because all the systems are borked.  It's not at all funny when the internet of things or all the computing power on campus is deployed as additional computing power that isn't using the expected operating systems and programs and therefore can make a big impact on the internet or specific modern institutions that rely on connection to the internet.

So, yeah, it's inconvenient.  No, I will not be encouraging people to circumvent rules designed to protect networks from malicious efforts.

My best solution is to use the technology we have to be slightly more convenient (e.g., submit plain text through an interface that will scan it and then forward to the appropriate person as an email; be more deliberate as institutions in setting up external sandboxed portals to allow for better scanning) while ensuring we all realize that what was fine in the early 1990s as computers became part of normal, daily, professional life is probably a significant cyber security risk in 2021.

Aster

Quote from: Puget on February 19, 2021, 07:38:27 AM
Our IT department was actually forced to apologize because someone thought it was a good idea last spring to run a phishing "test" with a very realistic email telling us to fill out a Google form (we're a Google campus and Google Forms are used for official purposes all the time) related to the COVID response -- the form link then took us to a scolding message about detecting phishing, almost none of which things were present in the test email. People were not amused.

What. An. Idiot.

Descartes

Good God, I guess the days of e-mailing a faculty member to say that you are interested in their research and ask if they might be kind enough to send a copy of a published journal article that you can't access are over.

waterboy

"I know you understand what you think I said, but I'm not sure that what you heard was not what I meant."

Vkw10

One of my personal guidelines is to look for personality in emails. If an email comes across as completely impersonal, I'm much less likely to respond.
Enthusiasm is not a skill set. (MH)

polly_mer

I have now received a third email from this particular account that asked me to forward changes in the program to my colleagues (remember, I declined the invite).

I forwarded that email to the relevant internal group and received back a notice of an issue tracker number with a reminder to delete the email and definitely don't respond.

Interestingly, while I've had emails get trapped in the spam filter (to the point that someone called me and asked why I hadn't responded to an email that never showed up), this email address is clearly not blocked.

I do have to wonder if it's a continuing test or really just something changed enough that it gets through our what-should-be-world-class filters.

polly_mer

Quote from: waterboy on February 19, 2021, 04:28:17 PM
Back to postcards. I miss that.

Due to Covid restrictions, the secretaries have within rounding of zero time in the buildings.  Thus, the mail is not going to anyone's box and internal addresses are not being updated.

Thus, the postcard is also not getting through to the folks who might respond.

fishbrains

Quote from: jerseyjay on February 19, 2021, 05:47:38 AM
My employer regularly requires various online training (Title IX, what to do in mass shootings, how to prevent COVID, etc.) which are provided by third-party vendors (which seem to change every year). Every year these third-party vendors send out a generic email which directs us to an email site and asks us for our login credentials. Each year I forward the email to the IT department asking if they are phishing attempts. They are not, but they are written in such a way that actually makes one wonder.

In terms of using personal email, I use my school email for everything directly school related (schedules, talking to students, committee work, etc.) but use my Gmail account for things that are research related, not so much to circumvent rules, but to make sure that I have all my correspondence in case I switch jobs.

Yes. One year pretty much no one did the online Title IX training because the email looked like a phishing attempt. Now they tell us ahead of time to expect an email from the company and to not delete it. A ne'er-do-well could take advantage of knowing the name of that company.
I wish I could find a way to show people how much I love them, despite all my words and actions. ~ Maria Bamford

onehappyunicorn

One of the institutions in our system just experienced a massive ransomware attack that shut them down for several days, thus we are undergoing a lockdown of everything. I appreciate the caution but now everything requires permission from IT to run (I had to have them reinstall Zoom and give the program permission to use my camera for example). We just don't have enough IT people on staff to take care of all of the issues resulting from locking so much stuff down, they basically just run all over campus putting out fires. I can't imagine how bad this will be if we are back in full in fall, right now we don't even have 25% of faculty and staff on campus.