Educause Security Discussion mailing list archives
Re: Measures of detecting breached email accounts
From: Valdis Kletnieks <valdis.kletnieks () VT EDU>
Date: Thu, 7 Dec 2017 12:40:36 -0500
On Thu, 07 Dec 2017 00:09:46 -0800, Joseph Tam said:
> I've seen both diffuse and intensive failed logins -- neither is worth looking at from a security standpoint. It's not uncommon for me to see thousands of guesses against one account, especially against administrative accounts.
Are you employing any sort of rate limiting or temp lockout/block when these thousands are flooding in from off campus?
> What are the *exceptional* circumstances that would allow you to differentiate any particular failed authentication versus the thousands of other attempts?
A long string of failures, followed by a success, if the source is off campus. Especially if it's an admin or other sensitive account.
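
The signal described in the reply above (a long run of off-campus failures followed by a success, rated higher for admin or other sensitive accounts), as an added example that is not part of the original message. The log format, campus network range, account names, threshold and time window are all assumptions, and the sample events are constructed.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Every value here is an assumption made for the example.
CAMPUS_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # stand-in for campus space
SENSITIVE = {"root", "postmaster"}                  # admin/sensitive accounts
THRESHOLD = 5                                       # what counts as a "long string"
WINDOW = timedelta(hours=1)                         # how far back failures count

# Constructed sample events: "ISO-timestamp account source-ip result"
SAMPLE_LOG = (
    [f"2017-12-07T03:00:{s:02d} postmaster 203.0.113.7 FAIL" for s in range(6)]
    + ["2017-12-07T03:00:09 postmaster 203.0.113.7 OK",   # failures, then success
       "2017-12-07T08:15:00 alice 198.51.100.20 FAIL",    # one typo, then success
       "2017-12-07T08:15:12 alice 198.51.100.20 OK"]
    + [f"2017-12-07T09:00:{s:02d} jsmith 10.1.2.3 FAIL" for s in range(6)]
    + ["2017-12-07T09:00:30 jsmith 10.1.2.3 OK"]          # on campus: ignored
    + [f"2017-12-07T10:00:{s:02d} student1 198.51.100.99 FAIL" for s in range(5)]
    + ["2017-12-07T10:00:40 student1 198.51.100.99 OK"]
)

def off_campus(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CAMPUS_NETS)

def detect(lines):
    """Return (account, success_ip, failure_count, severity) for each hit.

    Expects events in chronological order. Failures are counted per account
    across all off-campus sources, so guessing spread over many IPs still adds up.
    """
    failures = defaultdict(deque)   # account -> timestamps of recent failures
    alerts = []
    for line in lines:
        ts, account, ip, result = line.split()
        if not off_campus(ip):
            continue
        when = datetime.fromisoformat(ts)
        recent = failures[account]
        while recent and when - recent[0] > WINDOW:
            recent.popleft()        # drop failures older than the window
        if result == "FAIL":
            recent.append(when)
        elif result == "OK":
            if len(recent) >= THRESHOLD:
                severity = "high" if account in SENSITIVE else "medium"
                alerts.append((account, ip, len(recent), severity))
            recent.clear()          # a success ends the current run
    return alerts
```
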