Educause 2012 SPC: Quick Review



Last week I attended the Educause Security Professionals Conference 2012 in Indianapolis, Indiana, and was lucky enough to co-present with Emory University to discuss the phishing problems higher education faces. This event had an entire track devoted to Awareness & Training, and of course a major topic for discussion was phishing.

Beyond presenting and spending time answering questions at our booth, I spent a lot of time in the sessions learning about the IT security issues they face. The professionals that work in this space really have their work cut out for them.

  • They have all the challenges of supporting security, enforcement, abuse of services, and account compromise from the students and alumni services.
  • They also have the classic enterprise security challenges when it comes to supporting faculty and business administration.
  • On top of that, many have an added layer of challenges keeping their hospitals and research centers protected and in compliance with the applicable regulations.

Maintaining security for these different audiences really keeps you on your toes and the depth of ability and expertise I saw at Educause was truly impressive.  (hat tip)

What ‘phishing’ means in Higher Education…

The most visible phishing problem is student account compromise. The attackers want student credentials to abuse resources. This could mean using a compromised email account to phish for more accounts (more about that later), send spam email, access restricted publications/journals, or abuse VPN services to bypass geo restrictions. The earlier emphasis on ‘most visible’ was to speak to the fact that the aftermath of an account compromise is usually the only indicator an email phishing attack occurred. The compromised account will send out loads of spam or launch further attacks, which of course is quite different from the spear-phishing attacker who is trying to gain access to a network and maintain secret control.

A great session I attended was by Harvard Townsend of Kansas State University. He presented the multi-pronged approach they use to bring awareness to the phishing problem. K-State has a lot of valuable data about the types of incidents they respond to, the number, and the frequency. (It’s probably not a surprise that phishing-related incidents make up the bulk of their response efforts.)

YouTube video: K-State IT Services Cyber Security Awareness

One of the most creative ways I’ve seen to get the word out about phishing (besides PhishMe, I’m biased 😉) was a video Kansas State produced. This video has fantastic production and insight into the type of phishing problem higher education is facing. In their multi-pronged approach they even ran this video on their Jumbotron during a sold-out game!

I really enjoyed the Educause Security Professionals Conference and will have more to share about it later this week.

Aaron Higbee – @higbee


