Educause Security Discussion mailing list archives

Re: stopping students sharing their login credentials


From: Mike Waller <mwaller.distro () GMAIL COM>
Date: Thu, 22 Jan 2009 21:55:54 -0500

Even with a 2-factor means for getting into the building, you're still going
to be facing the risk of tailgating unless you install man-traps (revolving
doors).

I think the place to start is to sit down and discuss what the real risks
are. If I'm a student and I give someone my credentials to be able to use a
lab, what are the risks? My information is ripe for compromise, but I may
have given up my credentials willingly (though theft is always a
possibility). You're putting a potential malicious user on the network, but
if you have good access controls and a solid defense-in-depth strategy,
you're going to minimize what I can get to from a computer lab.

Ultimately, a student willingly giving his/her credentials to a non-student
(or another student) is going to be a very difficult thing to do. You could
man-trap the door and use a card plus biometric, but that's going to be a
very intrusive and expensive solution -- so are you really applying the
right level of remediation to the problem? My experience at a few different
universities tells me that I would look hard at a solid defense-in-depth
strategy combined with some fairly significant penalties for being caught
doing this sort of thing.

Look at the risks and figure out appropriate counter-measures but remember
that an insider willing to give up his/her credentials is something that is
often exceedingly difficult to prevent.

Mike

On Thu, Jan 22, 2009 at 9:25 PM, Russell Fulton <r.fulton () auckland ac nz> wrote:

Background:

Earlier this week we had an incident where the building security officer
noticed a group of unfamiliar people using machines in one of our labs.  She
asked them for their ID cards and none could (would?) produce one.  On
questioning they said they were students from a neighbouring institution and
that they were using "borrowed" credentials.

We have cctv footage and swipe card logs from the door (which may show they
tailgated someone in).  We are now tracking down which machines were being
used so we can disable the accounts.

To the point.

We (the security techies) have been asked what measures we can deploy to
prevent this sort of thing happening in future.

We already do lots of education, posters, page on the back of the student
handbook. Students have no excuse for not knowing that they should not share
passwords.

On the social/education side we could make an example of anyone we finger
for this (assuming we can make charges stick) in the hope that this will
persuade other students not to share their passwords.

Technical solutions seem to revolve around some form of two-factor
authentication.  I.e. something the student has but which they will be
reluctant to part with for any length of time.  Like their ID card.

Our ID cards have bar codes and classic mag stripe.   Some labs (like this
one) also have proximity card locks.  Generally only post grad students or
students in special courses (like medicine) have proximity cards.

Anyway, I would very much like to know what others are doing in this space.

Cheers, Russell




