
University Phishing Awareness: Speaking with Mark Monroe

By: Mikayla Alexander


A month ago, an article was published raising some general concerns and questions about phishing attempts aimed at students and staff at UMSL. Those concerns included the motive for targeting students and staff, how to avoid falling victim to attempts and the efficiency of the red banner.




Mark Monroe, UMSL’s information security officer, offered more context as to how the IT department works to protect our information. The first thing to understand is that the security system runs across all campuses. No single campus has its own system; rather, all IT security departments work together through the UM system to protect students and staff against phishing attempts. This is referred to as the UM system’s Security Operation Center (SOC).


To paint a bigger picture, Monroe reports, “The SOC cleans up about 200,000 emails. About 100,000 are moved into quarantine state and another 5,000 or so get automatically moved to junk.” The 100,000 emails that are moved to quarantine state meet enough factors within the system to be treated as potentially suspicious activity, rather than being moved automatically to junk. The SOC staff investigate these emails to determine their legitimacy, then release them to the addressed inboxes (if they are safe) or delete them from the system (if they are indeed suspicious).


The next figures Monroe reports come from email that has already made its way into inboxes. Monroe estimates that the UM System receives “about 6,500 reported email items a month [and] out of those, about 3,300 or so are phishing, and 1,200 or so are reported as not junk.” Monroe says that these numbers tend to grow each month as UM system users adopt the newer ‘Report’ button in Outlook, rather than simply forwarding the email to abuse@umsl.edu. It is safe to say that the UM system receives an obscene amount of email activity that the security teams work hard to manage and protect our campuses against.


The breadth of how our security system operates is crucial to understand when discussing the concerns about the red banner’s efficiency. The concern is that the red banner shows up on legitimate communication sent through third-party apps used by places like the Rec Center. When this example was brought to Monroe, he broke down the intricacies of the red banner and used the Rec Center strictly as an example.


Monroe says, “For example, the Rec Center. Let’s say the company that runs the Rec Center is Centers, at least that is what used to be the name of it. Centers run rec centers at colleges all over the United States and they are like the rec center management company. We own the Rec Center as UMSL, but the people who would work there are not UMSL people, they are Centers people.”


Monroe further explained that the Centers company would have their own communication system where they may approve of various senders and recipients within it. This could include various other campus centers that the company manages. With this, Monroe states, “So, the staff at those other 3000 Rec Centers would all have access to the same system to send things off from.”


The problem that would then arise is if a random person who uses that communication system decides to hack it. Monroe explains, “So, if one of those areas gets hacked and sends stuff to the 3000 centers all over the country and it comes in without the red banner, then people would jump on it.” Because of that risk, the third parties that UMSL works with are not whitelisted within the UM system, nor is there a dedicated email server provided by those parties to be whitelisted. Whitelisting is a cyber-security strategy that approves certain domain names, IP addresses and emails while declining others.


Concerning whitelisting, Monroe states, “We do have a way to whitelist some, but if we cannot whitelist something that is dedicated to just University of Missouri system stuff, then we can’t whitelist it, because we do not know who is on the other side sending.” Despite being approved to work with UMSL, third parties are not fully verified within the UM system. Unfortunately, that is just the way it is for now.


Monroe goes on to say, “It’s not great, but that’s why some third parties come in without the banner because we can only have a dedicated IP system that only people from UM system are allowed to use.”


In short, any third-party system that is used for communication outside of the dedicated one established for UM will come with a red banner regardless of its legitimacy. This is to protect our campus from the possibility of that public communication server getting hacked. Without the red banner, students and staff would be at risk of mistaking a hacking or phishing attempt for legitimate communication. Although it does not initially seem efficient, the red banner lowers our chances of falling for a phishing attempt.


Essentially, the red banner is working as it should, but Monroe acknowledges that it could be better. The security department is considering this and is actively trying to find a more efficient way to whitelist UMSL-approved third-party apps that are outside of the UM dedicated IP system. This mainly puts students and staff at the forefront of navigating what suspicious activity looks like within their inbox.


Although that may sound tedious, it is a good opportunity for students and staff to practice more critical thinking and to decipher what may be real and what may be fake. In fact, Monroe says that phishers may rely on inexperience when targeting college students. He states, “K-12 Gmail, those accounts are pretty locked down. External third parties can’t even send things to them. So [college students] are not aware of what to look for. They are not jaded yet.” This makes the established tips posted on UMSL’s website, and reiterated in the previous University phishing article, even more necessary.


Ultimately, students and staff should verify the identity of the sender and verify the accuracy of the information sent. When checking the identity, make sure to click on the user and check whether the message is coming from a legitimate source rather than a personal email or one you are completely unfamiliar with. If the sender could be impersonating staff, verify the staff email using UMSL’s directory. Sifting through emails can be inconvenient, but it is important to slow down and pay attention to detail. Think twice before you click on just any link.


Monroe acknowledges that system improvements and more user education opportunities for students are needed. He says there is, “A large hole with user education. [It was] talked about at the system level for some time. We have been working on some possible solutions to provide security education for students so we can access and use it. One problem for the past is the education for faculty and staff is inside training applications used for things like ‘Title 9’, which is a pay-per-seat.”


The goal is to not have students pay to learn how to protect themselves and to implement the education on a larger scale, so students are not missing out on proactive methods that they otherwise would have to seek out themselves once they come upon a phishing attempt. By then, it may be too late if a student is completely unaware of what to look out for.


It has been difficult, especially since the pandemic, to set up seminars for students to attend to learn more about phishing and ransomware and how to avoid them. It is crucial to utilize the resources we currently have, such as checking the phishing tips website, using the report button within Outlook and speaking with our very own information security officer.


Monroe supports more student education, so until there are solutions to implement free, campus-wide user education, do not hesitate to contact Monroe at monroem@umsl.edu and ask when he may have time to do a presentation for your class or student organization. The first step is simply being aware of the lack of preparedness that puts students at risk of falling for these schemes. The second step is seeking out information and encouraging others on campus to prepare themselves as well.
