Educause Security Discussion mailing list archives

Re: Login/Logoff Activity


From: Eric Case <eric () ERICCASE COM>
Date: Wed, 24 Apr 2013 20:27:15 -0700

And if Joe never logs out?  What if Chris logs an average of 53 hours a week
and logs in while home sick?  Is Chris fired for being a dedicated employee?
If management sees Chris is working extra hours to get the job done, does
management keep the "profits" or hire more staff?  Does management request
web history for those logged in for 40 hours a week to ensure they're not
spending that time on reddit or eBay?  Maybe management can get by with
simpler rules
(http://www.farnamstreetblog.com/2013/04/does-a-complex-world-need-simpler-rules/).
-Eric


IT professionals will never ask for your password - not in email - not over
the phone, never.

Eric Case, CISSP
ecase (at) email (dot) arizona (dot) edu 
College of Architecture, Planning, and Landscape Architecture 
http://www.linkedin.com/in/ericcase
-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis Kletnieks
Sent: Wednesday, April 24, 2013 3:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Login/Logoff Activity

On Wed, 24 Apr 2013 15:01:36 -0400, Walter Moore said:

investigations. We have never made any effort to see if people are 
accessing restricted systems when they are on sick leave or vacation.

Though the case can be made that if Joe Smith is known to be on vacation in
Hawaii, any attempted access with his credentials from Zanzibar is probably
suspect.

On the other hand, a login from Zanzibar is even *more* suspect if Joe is
sitting in his office. :)

Similarly, it's pretty easy to establish a pattern of when I'm in my office,
and when I come in via VPN from a relatively small chunk of Comcast cable
address space, so if an attempt is made from a Starbuck's, that's probably
well into the unusual...

How many of you do anomaly analysis for stuff like this?  And what sorts of
anomalies have you found useful or not useful to track?
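
An added example, not part of either poster's message: a small Python sketch of the per-user source-network baseline described above, together with the "remote login while the user is sitting in the office" check. The user name, the campus range, the documentation-range addresses and the thresholds are constructed assumptions, and the /24 grouping assumes IPv4.

```python
import ipaddress
from collections import Counter, defaultdict

CAMPUS = ipaddress.ip_network("10.20.0.0/16")  # assumed on-campus range

# Constructed history of past successful logins: (user, source IP).
HISTORY = (
    [("jsmith", "10.20.4.17")] * 40        # office desktop
    + [("jsmith", "198.51.100.23")] * 12   # home cable, via VPN
    + [("jsmith", "198.51.100.87")] * 9    # same ISP block, different lease
    + [("jsmith", "203.0.113.5")]          # one-off, too rare to trust
)

def build_baseline(history, prefix=24, min_seen=3):
    """Map user -> set of /prefix networks seen at least min_seen times."""
    counts = defaultdict(Counter)
    for user, ip in history:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        counts[user][net] += 1
    return {user: {n for n, c in nets.items() if c >= min_seen}
            for user, nets in counts.items()}

def assess_login(user, ip, baseline, onsite_users=frozenset()):
    """Return the anomaly reasons for one login; an empty list means normal."""
    addr = ipaddress.ip_address(ip)
    reasons = []
    # A user with no history has an empty baseline, so every source is new.
    if not any(addr in net for net in baseline.get(user, set())):
        reasons.append("source network not in user's baseline")
    # A familiar remote network is still odd if the user is badged in on site.
    if user in onsite_users and addr not in CAMPUS:
        reasons.append("remote login while user has an on-campus session")
    return reasons

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for ip, onsite in [("198.51.100.200", set()), ("203.0.113.5", set()),
                       ("198.51.100.23", {"jsmith"})]:
        print(ip, assess_login("jsmith", ip, baseline, onsite) or "normal")
```

Grouping by network rather than exact address keeps a new DHCP lease in the same ISP block from alerting, and the min_seen threshold keeps a single odd login from becoming part of the baseline.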

