Educause Security Discussion mailing list archives
Re: Login/Logoff Activity
From: Eric Case <eric () ERICCASE COM>
Date: Wed, 24 Apr 2013 20:27:15 -0700
And if Joe never logs out? What if Chris logs an average of 53 hours a week and logs in while home sick? Is Chris fired for being a dedicated employee? If management sees Chris is working extra hours to get the job done, does management keep the "profits" or hire more staff? Does management request web history for those logged in for 40 hours a week to ensure they're not spending that time on reddit or eBay?

Maybe management can get by with simpler rules (http://www.farnamstreetblog.com/2013/04/does-a-complex-world-need-simpler-rules/).

-Eric

IT professionals will never ask for your password - not in email - not over the phone, never.

Eric Case, CISSP
ecase (at) email (dot) arizona (dot) edu
College of Architecture, Planning, and Landscape Architecture
http://www.linkedin.com/in/ericcase

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis Kletnieks
Sent: Wednesday, April 24, 2013 3:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Login/Logoff Activity

On Wed, 24 Apr 2013 15:01:36 -0400, Walter Moore said:
investigations. We have never made any effort to see if people are accessing restricted systems when they are on sick leave or vacation.
Though the case can be made that if Joe Smith is known to be on vacation in Hawaii, any attempted access with his credentials from Zanzibar is probably suspect. On the other hand, a login from Zanzibar is even *more* suspect if Joe is sitting in his office. :)

Similarly, it's pretty easy to establish a pattern of when I'm in my office, and when I come in via VPN from a relatively small chunk of Comcast cable address space, so if an attempt is made from a Starbucks, that's probably well into the unusual...

How many of you do anomaly analysis for stuff like this? And what sorts of anomalies have you found useful or not useful to track?
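
Added example, not part of the original thread: the kind of login anomaly check raised in the question above, ranking each login by whether its source address falls in the user's usual networks and by whether the user is known to be on leave or in the office. The users, networks (RFC 5737 documentation ranges), presence feed, log format and verdict names are all assumptions constructed for illustration.

```python
import ipaddress

# Constructed data: RFC 5737 documentation ranges stand in for real networks.
OFFICE = ipaddress.ip_network("192.0.2.0/24")
USUAL_NETS = {  # per-user baseline learned from past logins (assumed input)
    "joe": [OFFICE],
    "pat": [OFFICE, ipaddress.ip_network("198.51.100.0/25")],      # office + home ISP block
    "chris": [OFFICE, ipaddress.ip_network("198.51.100.128/25")],  # office + home ISP block
    "sam": [OFFICE],
}
# Assumed presence feed (leave calendar, badge reader); "sam" has no entry.
PRESENCE = {"joe": "on_leave", "pat": "in_office", "chris": "on_leave"}

# Constructed auth log lines: "<ISO time> <user> <source IP>"
SAMPLE_LOG = """\
2013-04-24T09:02:11 pat 192.0.2.40
2013-04-24T09:30:00 pat 203.0.113.7
2013-04-24T10:15:42 joe 203.0.113.99
2013-04-24T21:05:03 chris 198.51.100.200
2013-04-24T22:40:19 sam 203.0.113.50
"""

def classify(user, src):
    """Rank one login: ok < unusual < suspect < very_suspect."""
    ip = ipaddress.ip_address(src)
    usual = any(ip in net for net in USUAL_NETS.get(user, []))
    state = PRESENCE.get(user, "unknown")
    if state == "in_office" and ip not in OFFICE:
        # Account holder is known to be on site, so a remote session is hard to explain.
        return "very_suspect"
    if usual:
        # Includes logging in from the usual home network while on leave.
        return "ok"
    if state == "on_leave":
        return "suspect"   # unfamiliar source while the user is away
    return "unusual"       # unfamiliar source, no presence information

def analyze(log_text):
    """Return (time, user, src, verdict) for every login that is not 'ok'."""
    alerts = []
    for line in log_text.splitlines():
        ts, user, src = line.split()
        verdict = classify(user, src)
        if verdict != "ok":
            alerts.append((ts, user, src, verdict))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

The verdict is a triage ranking only; a login from the usual home block while on leave comes back "ok", so time logged in is never what gets flagged.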