Educause Security Discussion mailing list archives
Re: Login/Logoff Activity
From: Tim Doty <tdoty () MST EDU>
Date: Thu, 25 Apr 2013 10:40:24 -0500
On 04/25/2013 01:20 AM, Will Froning wrote:
Hello Eric, We are a 16 year old Uni, in a country that is only 41 years old (UAE). We have a lot of inexperienced management and a small population pool of expertise to choose from. So keep that in mind if my comments seem colored.
Where are the login/logout logs coming from? Having worked with AD logging myself it depends on what you are trying to show and how accurate you need it to be.
For example, logout events cannot be trusted -- they often never occur even when a "logout" does. There's a MS KB or blog on this issue.
But you can't even trust login events. A typical case is collecting the AD controller login events -- guess what happens when the user logs in on a laptop that isn't connected to the network and uses a cached credential for login?
This really sounds like the sort of request we occasionally get from supervisors who don't want to supervise. They want to replace a difficult, often subjective, measure of employee "quality" with a simple, "objective" measure.
What is the underlying goal of measuring employee logins/logouts compared to official work hours? From the original post:
monitor logon/logoff time for attendance/holiday/sick leave violations.
So, using a measure that is known to not be accurate to monitor for violations is good why? Not saying you said it was (you didn't), just raising it rhetorically.
For concerns about management requiring work while on sick leave, higher management should 1) make it clear they don't approve of the practice, 2) not push middle and lower management to produce work beyond what they're staffed to do, 3) cultivate an environment where employees feel free to speak out, 4) provide a mechanism for complaints without retribution. Of course, all of that is more work than instructing IT to "audit logon/logoffs vs attendance/holiday/sick leave."
For concerns about employees not working while present at work/on paid time then 1) realistic production/effort goals should be set, 2) performance should be periodically measured against these goals, 3) provide a mechanism for an employee to contest if there is disagreement between the supervisor's evaluation and the employee's self assessment. Of course, setting realistic production/effort goals requires significant effort and continual evaluation as times change.
On the face of it, it would appear that the desire is to push hard management work onto IT whether or not IT can even meet the requirements.
Tim Doty
On Thu, Apr 25, 2013 at 9:15 AM, Eric Case <eric () ericcase com> wrote:

Hi Will,

Is management willing to “live by the sword and die by the sword” (hire more staff if the logs show the staff is overworked)? How will management deal with the logs being easily gamed (not logging out)? What about unintended consequences (your honor, I was logged in at work at the time of the hit and run)? What does your general counsel think of the idea? What if someone doesn’t log in but checks email via the web or phone?

We have an external staffing review in progress. So to some extent yes, we would hire more people if they find it justified. The login/logout activity was specifically generic, the reality would be to use a combination of network activity and some form of workstation fingerprinting. I've already informed the management of the considerable cost and potential ways to get around it. Right now we don't permit working remotely as a replacement for coming into the office.

I believe IT should be an enabler for employees to do more and that includes allowing people to work from home without getting their coworkers sick. Do you have a pandemic plan? Can an employee take a sick day because of a sick child but get some work done from home?

No to the 1st. Yes to the 2nd, but it would still be a sick day.

What if someone takes a sick day, never logs in, and goes shopping / sightseeing with an out of town friend / relative? What if someone doesn’t take a sick day but schedules meetings off site and goes shopping / sightseeing with an out of town friend / relative?

There is consideration to combine sick days with personal days, which would walk around this issue.

I don’t believe IT should be an enabler for employees or management to not do their jobs and what the IA wants can be achieved via forensics on the “home” pc, credit cards, etc.

Disagree here. I might be reading it wrong, but the first part of that sentence makes me think you are against automation of tasks...

If management is really doing their job, login/logoff activity will be a non-issue.

-Eric

Sure, but this implies that all managers are competent. I'm sure we all know a few managers who are new to the job or just generally suck, so why not provide some (likely unwanted) assistance?

I appreciate all the responses. It's good that this is a hot topic. One of my many responses to not doing this was "Would you be okay with someone standing at the door checking off your name as you come and go? If not, then this isn't something we should do. It's using technology to accomplish the same thing, but intentionally trying to mask the activity."

Thanks,
Will

IT professionals will never ask for your password – not in email – not over the phone, never.

Eric Case, CISSP
ecase (at) email (dot) arizona (dot) edu
College of Architecture, Planning, and Landscape Architecture
http://www.linkedin.com/in/ericcase

IT professionals will *never* ask for your password – not in email – not over the phone, never.

Eric Case, CISSP
eric (at) ericcase (dot) com
http://www.linkedin.com/in/ericcase
(520) 344-CISO (2476)

From: The EDUCAUSE Security Constituent Group Listserv [mailto: SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Will Froning
Sent: Wednesday, April 24, 2013 8:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Login/Logoff Activity

Hello All,

On Thu, Apr 25, 2013 at 3:27 AM, Harry Hoffman <hhoffman () ip-solutions net> wrote:

Nah, this just means that Joe has outsourced his job for a quarter of his pay and browses reddit and 4chan all day long ;-)

Cheers, Harry

On 04/24/2013 06:24 PM, Valdis.Kletnieks () vt edu wrote:

On Wed, 24 Apr 2013 15:01:36 -0400, Walter Moore said:

On the other hand, a login from Zanzibar is even *more* suspect if Joe is sitting in his office. :)

This is a request from the internal auditor to see if it is common practice to monitor this in academia (starting to look heavily like NO).

As others on the list have mentioned, this is really a management issue at its core. The rebuttal for that comment was something like: "If technology can help us to identify a management weakness, we can make corrective policy driven actions to fix the weakness. IT isn't there to fix the problem, but to provide visibility into whether or not there is a problem to correct."

So excluding the potential privacy concerns (which wouldn't really apply in the corporate world), in their mind it's just using IT as a tool for efficiency.

Not defending, just relaying.

Thanks,
Will

--
Will Froning
Unix SysAdmin
Will.Froning () GMail com
MSN: wfroning () angui sh YIM: will_froning AIM: willfroning
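An added example, not part of the thread or written by any of its participants, illustrating the two logging gaps raised in the message above: logoff events that never appear, and cached-credential logons that the domain controller never sees. The records, host names (`ws1`, `lt7`) and user are constructed; the event IDs are the Windows Security log IDs 4624 (logon), 4634/4647 (logoff) and 4768 (Kerberos ticket request on the DC), and treating 4768 as "the DC's view of a login" is a simplifying assumption.

```python
from datetime import datetime

LOGON, LOGOFF_IDS, DC_AUTH = 4624, {4634, 4647}, 4768
CACHED_INTERACTIVE = 11  # 4624 logon type for a cached-credential logon

# Constructed sample records: (source, time, event_id, user, logon_type, logon_id)
EVENTS = [
    ("dc",  "2013-04-22 08:00", 4768, "jdoe", None, None),
    ("ws1", "2013-04-22 08:00", 4624, "jdoe", 2, "0x1a"),
    ("ws1", "2013-04-22 17:00", 4647, "jdoe", None, "0x1a"),
    ("dc",  "2013-04-23 08:10", 4768, "jdoe", None, None),
    ("ws1", "2013-04-23 08:10", 4624, "jdoe", 2, "0x2b"),   # logoff never recorded
    ("lt7", "2013-04-24 09:00", 4624, "jdoe", 11, "0x3c"),  # laptop off network: nothing on the DC
    ("lt7", "2013-04-24 16:30", 4647, "jdoe", None, "0x3c"),
]

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def sessions(events):
    """Pair each host logon with its logoff by (host, logon_id); end stays None if unpaired."""
    open_sessions, out = {}, []
    for src, when, eid, user, ltype, lid in sorted(events, key=lambda e: ts(e[1])):
        if src == "dc":
            continue  # the DC records authentication, not workstation sessions
        if eid == LOGON:
            rec = {"user": user, "host": src, "start": ts(when), "end": None,
                   "cached": ltype == CACHED_INTERACTIVE}
            open_sessions[(src, lid)] = rec
            out.append(rec)
        elif eid in LOGOFF_IDS and (src, lid) in open_sessions:
            open_sessions.pop((src, lid))["end"] = ts(when)
    return out

def audit(events, user):
    """Summarise what an attendance report built on these logs could and could not show."""
    dc_days = {ts(w).date() for s, w, e, u, *_ in events
               if s == "dc" and e == DC_AUTH and u == user}
    sess = [s for s in sessions(events) if s["user"] == user]
    host_days = {s["start"].date() for s in sess}
    closed = [s for s in sess if s["end"] is not None]
    return {
        "days_missing_from_dc": sorted(str(d) for d in host_days - dc_days),
        "sessions_without_logoff": len(sess) - len(closed),
        "measurable_hours": sum((s["end"] - s["start"]).total_seconds() for s in closed) / 3600,
    }

if __name__ == "__main__":
    print(audit(EVENTS, "jdoe"))
```

On this sample, a report built only from DC events would mark 24 April as an absence, and the 23 April session has no usable duration at all.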