Educause Security Discussion mailing list archives

Re: Login/Logoff Activity


From: Justin Bennett <jbennett () MSJC EDU>
Date: Wed, 24 Apr 2013 15:56:33 -0700

I looked at this from a pure security aspect. Some types of data we audit, counter tactics, or evaluate, especially 
those types that could indicate an attack/brute force/rogue access to systems, seem confidential information to me and 
my organization that we would not want to disclose. It's the same reason armored bank trucks have confidential and 
ever-changing routes/dates/times - need to know, and not everyone needs to.

Justin Bennett
Supervisor of Network Technology
Information Technology
jbennett () msjc edu

Mt. San Jacinto College
Phone 951-639-5090
http://www.msjc.edu

 Security Notice: MSJC Information Technology Staff will never ask for your password. Keep your passwords private to 
protect yourself and the security of our network.


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis 
Kletnieks
Sent: Wednesday, April 24, 2013 3:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Login/Logoff Activity

On Wed, 24 Apr 2013 15:01:36 -0400, Walter Moore said:

investigations. We have never made any effort to see if people are 
accessing restricted systems when they are on sick leave or vacation.

Though the case can be made that if Joe Smith is known to be on vacation in Hawaii, any attempted access with his 
credentials from Zanzibar is probably suspect.

On the other hand, a login from Zanzibar is even *more* suspect if Joe is sitting in his office. :)

Similarly, it's pretty easy to establish a pattern of when I'm in my office, and when I come in via VPN from a 
relatively small chunk of Comcast cable address space, so if an attempt is made from a Starbucks, that's probably well 
into the unusual...

How many of you do anomaly analysis for stuff like this?  And what sorts of anomalies have you found useful or not 
useful to track?
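
An added illustration of the two checks discussed in the quoted message (not code from either poster): baseline each user's usual remote source networks, then flag a remote login that falls outside them or that closely follows an on-campus login by the same user. The records, field layout, /24 grouping and two-hour window are assumptions constructed for this example.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, source IP, kind).
# kind "office" = on-campus console login, "vpn" = remote login.
HISTORY = [
    ("2013-04-22T08:55:00", "jsmith", "10.20.4.17", "office"),
    ("2013-04-22T20:10:00", "jsmith", "198.51.100.23", "vpn"),
    ("2013-04-23T21:30:00", "jsmith", "198.51.100.87", "vpn"),
    ("2013-04-24T09:02:00", "jsmith", "10.20.4.17", "office"),
]

def parse(ts):
    return datetime.fromisoformat(ts)

def build_baseline(history, prefix=24):
    """Map each user to the set of networks their remote logins came from."""
    baseline = {}
    for _ts, user, ip, kind in history:
        if kind == "vpn":
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            baseline.setdefault(user, set()).add(net)
    return baseline

def check_login(event, history, baseline, window=timedelta(hours=2)):
    """Return the list of anomaly reasons for one remote login event."""
    ts, user, ip, _kind = event
    when, addr = parse(ts), ipaddress.ip_address(ip)
    reasons = []
    # Source lies outside every network this user has connected from before.
    if not any(addr in net for net in baseline.get(user, ())):
        reasons.append("new-source-network")
    # Remote login shortly after the same user logged in on campus.
    for h_ts, h_user, _ip, h_kind in history:
        gap = when - parse(h_ts)
        if h_user == user and h_kind == "office" and timedelta(0) <= gap <= window:
            reasons.append("remote-while-on-site")
            break
    return reasons

BASELINE = build_baseline(HISTORY)
# Constructed test events: an evening login from the usual network, and a
# mid-morning login from an unseen network while the user is in the office.
USUAL = ("2013-04-24T20:15:00", "jsmith", "198.51.100.40", "vpn")
ODD = ("2013-04-24T09:40:00", "jsmith", "203.0.113.9", "vpn")
```

The on-site check deserves the higher alert priority of the two: a new source network alone is common for travelling users, while a remote login minutes after a console login is much harder to explain.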
