Re: Login/Logoff Activity

[Tim Doty <tdoty () MST EDU>]

On 04/25/2013 01:20 AM, Will Froning wrote:
> Hello Eric,
>
> We are a 16 year old Uni, in a country that is only 41 years old (UAE). We
> have a lot of inexperienced management and a small population pool of
> expertise to choose from. So keep that in mind if my comments seem colored.

Where are the login/logout logs coming from? Having worked with AD 
logging myself it depends on what you are trying to show and how 
accurate you need it to be.

For example, logout events cannot be trusted -- they often never occur 
even when a "logout" does. There's a MS KB or blog on this issue.

But you can't even trust login events. A typical case is collecting the 
AD controller login events -- guess what happens when the user logs in 
on a laptop that isn't connected to the network and uses a cached 
credential for login?

This really sounds like the sort of request we occasionally get from 
supervisors who don't want to supervise. They want to replace a 
difficult, often subjective, measure of employee "quality" with a 
simple, "objective" measure.

What is the underlying goal of measuring employee logins/logouts 
compared to official work hours? From the original post:

> monitor logon/logoff time for
> attendance/holiday/sick leave violations.

So, using a measure that is known to not be accurate to monitor for 
violations is good why? Not saying you said it was (you didn't) just 
raising it rhetorically.

For concerns about management requiring work while on sick leave higher 
management should 1) make it clear they don't approve of the practice, 
2) don't push middle and lower management to produce work beyond  what 
they're staffed to do, 3) cultivate an environment where employees feel 
free to speak out, 4) provide a mechanism for complaints without 
retribution. Of course, all of that is more work than instructing IT to 
"audit logon/logoffs vs attendance/holiday/sick leave."

For concerns about employees not working while present at work/on paid 
time then 1) realistic production/effort goals should be set, 2) 
performance should be periodically measured against these goals, 3) 
provide a mechanism for an employee to contest if there is disagreement 
between the supervisor's evaluation and the employee's self assessment. 
Of course, setting realistic production/effort goals requires 
significant effort and continual evaluation as times change.

On the face of it, it would appear that the desire is to push hard 
management work onto IT whether or not IT can even meet the requirements.

Tim Doty



> On Thu, Apr 25, 2013 at 9:15 AM, Eric Case <eric () ericcase com> wrote:
>
> > Hi Will,****
> >
> > ** **
> >
> > Is management willing to “live by the sword and die by the sword” (hire
> > more staff if the logs show the staff is overworked)?  How will management
> > deal with the logs being easily gamed (not logging out)?  What about
> > unintended consequences (your honor, I was logged in at work at the time of
> > the hit and run)?  What does your general counsel think of the idea?  What
> > if someone doesn’t log in but checks email via the web or phone?
>
> We have an external staffing review in progress. So to some extent yes, we
> would hire more people if they find it justified. The login/logout activity
> was specifically generic, the reality would be to use a combination of
> network activity and some form of workstation fingerprinting. I've already
> informed the management of the considerable cost and potential ways to get
> around it.
>
> Right now we don't permit working remotely as a replacement for coming into
> the office.
>
>
> > I believe IT should be an enabler for employees to do more and that
> > includes allowing people to work from home without getting their coworkers
> > sick.  Do you have a pandemic plan?  Can an employee take a sick day
> > because of a sick child but get some work done from home?
>
> No to the 1st. Yes to the 2nd, but it would still be a sick day.
>
>
> > What if someone takes a sick day, never logs in, and goes shopping / site
> > seeing with an out of town friend / relative?  What if someone doesn’t take
> > a sick day but schedules meetings off site and goes shopping / site seeing
> > with an out of town friend / relative?
>
> There is consideration to combine sick days with personal days, which would
> walk around this issue.
>
>
> > I don’t believe IT should be an enabler for employees or management to not
> > do their jobs and what the IA wants can be achieved via forensics on the
> > “home” pc, credit cards, etc.
>
>   Disagree here. I might be reading it wrong, but the first part of that
> sentence makes me think you are against automation of tasks...
>
>    If management is really doing their job, login/logoff activity will be an
> > non-issue.****
> >
> > -Eric
>
> Sure, but this implies that all managers are competent. I'm sure we all
> know a few managers who are new to the job or just generally suck, so why
> not provide some (likely unwanted) assistance?
>
> I appreciate all the responses. It's good that this is a hot topic. One of
> my many responses to not doing this was "Would you be okay with someone
> standing at the door checking off your name as you come and go? If not,
> then this isn't something we should do. It's using technology to accomplish
> the same thing, but intentionally trying to mask the activity."
>
> Thanks,
> Will
>
> ** **
> > IT professionals will never ask for your password – not in email – not
> > over the phone, never.****
> >
> > ** **
> >
> > Eric Case, CISSP****
> >
> > ecase (at) email (dot) arizona (dot) edu ****
> >
> > College of Architecture, Planning, and Landscape Architecture ****
> >
> > http://www.linkedin.com/in/ericcase****
> >
> > ** **
> >
> > ** **
> >
> > IT professionals will *never* ask for your password – not in email – not
> > over the phone, never. ****
> >
> >   ****
> >
> > Eric Case, CISSP****
> >
> > eric (at) ericcase (dot) com****
> >
> > http://www.linkedin.com/in/ericcase****
> >
> > (520) 344-CISO (2476)****
> >
> > ** **
> >
> > *From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
> > SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Will Froning
> >
> > *Sent:* Wednesday, April 24, 2013 8:24 PM
> > *To:* SECURITY () LISTSERV EDUCAUSE EDU
> > *Subject:* Re: [SECURITY] Login/Logoff Activity****
> >
> > ** **
> >
> > Hello All,****
> >
> > On Thu, Apr 25, 2013 at 3:27 AM, Harry Hoffman <hhoffman () ip-solutions net>
> > wrote:****
> >
> > Nah, this just means that Joe has outsourced his job for a quarter of
> > his pay and browses reddit and 4chan all day long ;-)
> >
> > Cheers,
> > Harry****
> >
> >
> > On 04/24/2013 06:24 PM, Valdis.Kletnieks () vt edu wrote:
> > > On Wed, 24 Apr 2013 15:01:36 -0400, Walter Moore said:
> > > ****
> >
> > > On the other hand, a login from Zanzibar is even *more* suspect if Joe
> > > is sitting in his office. :)
> > > ****
> >
> > ** **
> >
> > This is a request from the internal auditor to see if it is common
> > practice to monitor this in academia (starting to look heavily like NO). *
> > ***
> >
> > ** **
> >
> > As others on the list have mentioned, this is really a management issue at
> > it's core. The rebuttal for that comment was something like: "If
> > technology can help us to identify a management weakness, we can make
> > corrective policy driven actions to fix the weakness. IT isn't there to fix
> > the problem, but to provide visibility into whether or not there is a
> > problem to correct."****
> >
> > ** **
> >
> > So excluding the potential privacy concerns (which wouldn't really apply
> > in the corporate world), in their mind it's just using IT as a tool for
> > efficiency.****
> >
> > ** **
> >
> > Not defending, just relaying.****
> >
> > ** **
> >
> > Thanks,****
> >
> > Will
> > ****
> >
> > ** **
> >
> > --
> > Will Froning
> > Unix SysAdmin
> > Will.Froning () GMail com
> > MSN: wfroning () angui sh
> > YIM: will_froning
> > AIM: willfroning ****

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature