Educause Security Discussion mailing list archives
Re: stopping students sharing their login credentials
From: Mike Waller <mwaller.distro () GMAIL COM>
Date: Thu, 22 Jan 2009 21:55:54 -0500
Even with a 2-factor means for getting into the building, you're still going to be facing the risk of tailgating unless you install man-traps (revolving doors). I think the place to start is to sit down and discuss what the real risks are. If I'm a student and I give someone my credentials to be able to use a lab, what are the risks? My information is ripe for compromise, but I may have given up my credentials willingly (though theft is always a possibility). You're putting a potential malicious user on the network, but if you have good access controls and a solid defense-in-depth strategy, you're going to minimize what I can get to from a computer lab. Ultimately, a student willingly giving his/her credentials to a non-student (or another student) is going to be a very difficult thing to do. You could man-trap the door and use a card plus biometric, but that's going to be a very intrusive and expensive solution -- so are you really applying the right level of remediation to the problem? My experience at a few different universities tells me that I would look hard at a solid defense-in-depth strategy combined with some fairly significant penalties for being caught doing this sort of thing. Look at the risks and figure out appropriate counter-measures but remember that an insider willing to give up his/her credentials is something that is often exceedingly difficult to prevent. Mike On Thu, Jan 22, 2009 at 9:25 PM, Russell Fulton <r.fulton () auckland ac nz>wrote:
Background: Earlier this week we had an incident where the building security officer noticed a group of unfamiliar people using machines in one of our labs. She asked them for their ID cards and none could (would?) produce one. On questioning they said they were students from a neighbouring institution and that they were using "borrowed" credential. We have cctv footage and swipe card logs from the door (which may show they tail gated someone in). We are now tracking down which machines were being used so we can disable the accounts. To the point. We (the security techies) have been asked what measures we can deploy to prevent this sort of thing happening in future. We already do lots of education, posters, page on the back of the student handbook. Students have no excuse for not knowing that they should not share passwords. On the social/education side we could make an example of anyone we finger for this (assuming we can make charges stick) in the hope that this will persuade other students not to share their passwords. Technical solutions seem to revolve around some form of two factor authentication. I.e. something the student has but which they will be reluctant to part with for any length of time. Like their ID card. Our ID cards have bar codes and classic mag stripe. Some labs (like this one) also have proximity card locks. Generally only post grad students or students in special coursed (like medicine) have proximity cards. Anyway I would very much like to know what other are doing in this space. Cheers, Russell
Current thread:
- stopping students sharing their login credentials Russell Fulton (Jan 22)
- <Possible follow-ups>
- Re: stopping students sharing their login credentials Mike Waller (Jan 22)
- Re: stopping students sharing their login credentials Jeff Kell (Jan 22)
- Re: stopping students sharing their login credentials Barry Lynam (Jan 22)
- Re: stopping students sharing their login credentials Rizzo, Jim (Jan 22)
- Re: stopping students sharing their login credentials Ray Strubinger (Jan 23)
- Re: stopping students sharing their login credentials Rappaport,Jason (Jan 23)
- Re: stopping students sharing their login credentials Mike Wiseman (Jan 23)
- Re: stopping students sharing their login credentials randy marchany (Jan 23)
- Re: stopping students sharing their login credentials James M. Dutcher - Assoc. VP IS/IT & CIO (Jan 23)
- Re: stopping students sharing their login credentials Christopher Jones (Jan 23)
- Re: stopping students sharing their login credentials randy marchany (Jan 23)
(Thread continues...)