Re: Classroom station logout

["Pace, Guy" <gpace () CIS CTC EDU>]

Each of the solutions proposed uses a delay, and that delay provides the
opening for someone to take control of the account and access. They are
also expensive or difficult to support, and each presents its own
technical weaknesses that can be easily circumvented. And, each are
likely to generate major complaints from the faculty who would be
subjected to them.
 
Most, if not all, of you have an AUP or some policy that describes the
responsibility of users (faculty, staff and students) and what
constititues appropriate use of the system and individual accounts. You
normally would have all your faculty, staff and students agree to this
policy through some vehicle. Why would you then subvert your policy and
absolve your users of their responsibility by putting expensive or
difficult to support automated systems in place--especially when those
systems are inadequate or easily exploited?
 
Treat your users like adults, expect them--and let them know you do--to
act like adults and when they screw up they should expect consequences.
Security awareness addresses this more effectively and offers potential
for a longer term solution that attempting to apply questionable
technology that would at best only provide a short term solution.
 

Guy L. Pace, CISSP 
Security Administrator 
Center for Information Services (CIS) 
3101 Northup Way, Suite 100 
Bellevue, WA 98004 
425-803-9724 

gpace () cis ctc edu 

 

________________________________

From: H. Morrow Long [mailto:morrow.long () YALE EDU] 
Sent: Tuesday, April 17, 2007 8:11 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Classroom station logout


1. There are devices which will sense the proximity of a card 
such as a HID prox card and when that is moved away will
begin a countdown to lock or screenlock the system.

2. You can get pressure sensitive mats at which will sense when
someone is standing on them and not standing on them and
can begin a countdown to lock or unlock a system.

3. Many rooms now have a motion or heat sensor to turn off the
lights once everyone has left a room.  You could probably buy
one and have it in front of a UPS so that it would shut
off power to the UPS and the UPS would begin to shut down
power to a desktop PC.

You might find something similar which was driven by the lack
of sound as well.

- H. Morrow Long, CISSP, CISM, CEH
  University Information Security Officer
  Director -- Information Security Office
  Yale University, ITS



On Apr 17, 2007, at 10:46 AM, Pace, Guy wrote:


        I looked at a number of possibilities for automated ways in my
previous
        life. Almost all of them put a burden on the SA staff, rather
than
        responsibility on the faculty, where it belongs. If you have
        administrative support, institutional policies in place and all
that,
        the most effective solution is to do some Security Awareness
training
        around that issue. Get the faculty involved and demonstrate the
damage
        they can do to themselves and their careers by not taking
reponsibility.
        Making threats of termination just doesn't work. The stick
approach just
        doesn't fit the education environment anyway. Use the carrot and
make
        the training a positive approach, but still highlight the
dangers and
        what can happen _to_ _them_ when someone else can use their
accounts.
        Once they get a personal investment in it, you'll see a
significant
        increase in policy compliance.

        This is very much related to the security awareness thread that
has been
        going on the last week. It isn't just faculty who need to log
out of
        podiums, but staff who need to lock systems when they take a
bathroom
        break or go get a cup of coffee. If you combine the training to
include
        both areas, the faculty won't feel targeted and it will be
perceived as
        a broader issue.

        Guy L. Pace, CISSP
        Security Administrator
        Center for Information Services (CIS)
        3101 Northup Way, Suite 100
        Bellevue, WA 98004
        425-803-9724

        gpace () cis ctc edu


        -----Original Message-----
        From: Gary Dobbins [mailto:dobbins () ND EDU] 
        Sent: Tuesday, April 17, 2007 6:16 AM
        To: SECURITY () LISTSERV EDUCAUSE EDU
        Subject: [SECURITY] Classroom station logout

        Has anyone found a clever and effective solution to the problem
of
        faculty leaving classroom lectern systems logged in when they
leave?

        A simple timeout doesn't cut it, since some may open a slide
deck for
        the entire period and don't move the mouse, others might
actively use
        the system right up to the end of the period, then walk away.

        Something that "knows when they've left the room" would be
ideal, but it
        would also have to distinguish against other persons who arrived
as the
        original user leaves.


        -- 

           Gary Dobbins, CISSP -- Director, Information Security
           University of Notre Dame, Office of Information Technologies