Operational data exposed publicly

Operational data exposed publicly

Cambre, Aren

My CIO recently expressed concern that “operational data” that provides information for phishing is exposed publicly. For example, information on our pay periods is here: https://www.smu.edu/BusinessFinance/OfficeOfBudgetAndFinance/Payroll/InformationAndFAQs/PayPeriodsDatesDeadlines. That could be used to help craft a legitimate-looking phishing email.

 

Have any of you dealt with similar issues? What did you do?

 

My gut feeling is the best approach is user education over content policing.

 

Aren Cambre, D.Eng., '99, '03, '14
Director, Web Application Services
Office of Information Technology
Southern Methodist University

 

 



You are currently subscribed to [hidden email].
To unsubscribe send an email to [hidden email] with the subject line unsubscribe uwebd. Leave the message body blank. If you experience problems, contact list owner Eric Kreider at [hidden email]. More information is available at: http://www.uakron.edu/webteam/university-web-developers.dot




RE: Operational data exposed publicly

Piero Tintori

Hi Aren,

Would this department have an area on your Intranet / Staff Portal too? Or does the website cover both use cases?

 

Regards,

 

Piero

RE: Operational data exposed publicly

Cambre, Aren

At this time, www.smu.edu is strictly externally-facing. We have no authentication capability on the public side. Our intent is that users put content needing authentication into other systems.

 

Aren Cambre, D.Eng., '99, '03, '14
Director, Web Application Services
Office of Information Technology
Southern Methodist University

 

 

RE: Operational data exposed publicly

wbaumgardner@calbaptist.edu

Aren, is there a public benefit to having that information available on the external-facing site? If staff/faculty have access to other systems (such as an intranet), it would make sense to keep that information there.

 

That said, I am not sure I agree with your CIO that the availability of the pay schedule represents a major issue.

 

I think the bigger issue, as you alluded to, is user education, in particular as it relates to spotting phishing emails and appropriate actions to take.

 

--

Waylon Baumgardner, M.S.I.T.

Senior Web Services Manager

Marketing and Communication

California Baptist University

Office: 951.343.4876

[hidden email]

www.calbaptist.edu

 
