Educause Security Discussion mailing list archives

Re: Account Lockout Communications Policy


From: "Barton, Robert W." <bartonrt () LEWISU EDU>
Date: Thu, 26 Sep 2019 18:36:27 +0000

We’ve had many account issues as well.

1)     When an issue is found, the account is disabled immediately.

2)     If a source IP is identified, a block is put in place.

3)     A ticket is created for the issues (single ticket if more than one account involved in same incident).

4)     The Service Desk is notified and instructed to contact the user and support their reactivation.

5)     The notification is done by phone.

6)     Once the user is reached, the Service Desk will verify the user and then support their reactivation.

7)     Tickets are updated.

I don’t want to put tools and be more specific in an open list.  I’m willing to talk by phone, if that is wanted.

Robert W. Barton
Executive Director of Information Security and Policy
Lewis University
One University Parkway
Romeoville, IL  60446-2200
815-836-5663

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jim A. Bole
Sent: Thursday, September 26, 2019 10:58 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Account Lockout Communications Policy

Students must register an external email account as part of our self-service password reset process.

Thankfully, our IMAP policy blocked any access to their on-prem exchange mailbox. So the only thing the malicious 
actors could do was get a successful login.

So I sent out notifications to the students’ registered external email after we had reset their accounts (disable, 
kill active sessions, reset password, re-enable):

Dear Stevenson University Student,


The Office of Information Technology (OIT) has determined that a malicious actor successfully logged onto your account 
sometime between Sept. 12-16. They were not able to access any of your information after they logged in. There are 
indications that the malicious actor may have used information from a 2018 data breach from Chegg.



In some cases when you attempt to access your Stevenson account you may see a message stating your access has been 
blocked due to suspicious activity; there, we ask that you reset your password as soon as possible.



Here are the steps to reset your password:


1.      Go to https://myaccount.stevenson.edu
2.      Click Reset Password.
3.      Enter your Stevenson single sign-on username in the prompt and click Next.
4.      Choose your external email address in the drop down list.
5.      A verification code will be sent to the e-mail address you used for Self Service registration.
6.      You have 30 minutes to input the verification code on the next page.
7.      Reset password using the stated requirements.

Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Chrisinger, Cory A
Sent: Thursday, September 26, 2019 11:33 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Account Lockout Communications Policy

Hello,

I’m looking for how different organizations handle account compromise notifications to individuals.  Due to the Chegg 
breach we reset 319 accounts towards the end of the day.  We do not necessarily have out of band communication methods 
for affected parties.  I’m hesitant to send a notification to an affected email due to tipping off the attackers. The 
attackers seem to be able to execute additional payload very quickly when they assume the account will be deactivated.  
We do notify our customer services areas, but overnight a student may not have access until business hours resume. 
Thoughts, strategies, ideas are appreciated.


Thank You,

Cory Chrisinger
CISO, CISSP ID#581915
Phone: (608) 243-4575
Email: cchrisinger () madisoncollege edu

Want to discuss a technology project? Please contact me, or complete the Technology Services Project Request form, and we’ll talk!



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community


