Educause Security Discussion mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Tracking use of your central credentials

From: "Bristol, Gary L." <gbristol () OU EDU>
Date: Thu, 20 Nov 2008 17:29:08 -0600
I know this is probably not what you looking for but if the user succumbs to a phishing email then they would change 
their password but then they would like to show instances where it wasn't them logging in.

What type of central logging do you have setup for these systems?

Logging from the central authentication system to a central logging system would track all the instances of use. Then 
that should show when the credentials were used and for what service, I would assume.  A grep through the logs from the 
time of the successful phishing attempt until the enlightenment should show the activity.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bob Bayn
Sent: Thursday, November 20, 2008 5:13 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Tracking use of your central credentials

I thought I asked these questions before, but didn't get any response.  I'll try framing them a little differently and 
see if anyone has comparable issues or solutions.

We have central credentials based on our SCT Banner ID number, managed in an ldap server and on domain servers, for 
authentication to a variety of services including Banner, Exchange servers, USU-branded gmail, Blackboard (cms), wikis, 
bulletin boards, lab access, desktop logins, etc.  We are looking for a way to track or audit the uses of our central 
credentials, either individually or collectively, on all of those services.

After someone succumbs to a phishing message, we want to know when that user's credentials were used so the user can 
identify instances that were not legit.

We'd like to be able to tell which credentials are being used to login from China so we can check with those users to 
see if they ARE in China.

We'd like to give our users access to a log of their own recent credential transactions for their verification.

Is anybody doing anything like this?  If so, how?  If not, what other way is there to get the assurance that 
credentials are being used only by their rightful owner?


Bob Bayn     (435)797-2396     Security Team coordinator
"IT will NEVER ask for your password via email, honest!"
Office of Information Techology at Utah State University
Previous By Date Next
Previous By Thread Next

Current thread: