Educause Security Discussion mailing list archives
Re: Google Apps alerts protocol
From: Ken Connelly <Ken.Connelly () UNI EDU>
Date: Mon, 7 Oct 2013 10:58:22 -0500
We've been receiving Google alerts for a little over a month now. In the absence of any real policy, here's what I do with them:

1. Check to see if the account belongs to an actively-enrolled/employed person. If not, it's not worth the hassle of tracking further.
2. Check to see if the source is really where Google says it is. I use a combination of TC's IP-to-ASN mapping, ipinfodb.com, and traceroute.
   1. If the source is a mobile provider, quit digging.
   2. If the source is relatively local, quit digging.
   3. If the source is near the person's hometown, quit digging.
   4. If the source is near where the student is enrolled in study abroad, quit digging.
3. If I haven't stopped yet.
   1. Call the faculty's department office, explain the reason for the call, and ask if the person is traveling and/or on vacation.
   2. Call the student's cell phone (if available) and ask if they're somewhere other than close to campus.

We've gotten alerts for all sorts of weirdness, including reports of "unusual" access from our campus netblock. I can only guess that the student normally uses their phone on a cell network and happened to use a campus connection for a change.

We've found a few cases of stolen accounts. I can count those on one hand. Otherwise, things reported have been explained or explainable. It certainly is a *very* poor SNR.

- ken

On 10/7/13 10:22 AM, Emily Harris wrote:
We recently turned on Google alerts and we are wondering what to do with them. We had turned on the alerts previously, back in August, and received 12 in less than 72 hours. Lacking any protocol or policy on how to handle them, we immediately turned off the alerts. We just re-enabled them and are in "wait and see" mode. We have received about 10 alerts since last Tuesday, and have not yet requested audits.

We are evaluating what we should do with the alerts and what sort of protocol we should develop and follow. We have noticed that the alerts are rudimentary and don't tell us much. If, for example, I leave my work machine on and logged into Google, and then I go on vacation and check email, it will trigger one alert that says I logged in from, say, Mexico. But it seems to not send another alert or any other information, such as "yesterday this person logged in from Poughkeepsie, and today from Mexico, and two hours later from Wales". That might indicate a problem, clearly, but the alerts are nowhere near as informational.

Can any other college share what protocols and policies you have in place for dealing with Google Alerts?

Thank you!

--
Emily Harris
Director, Networks & Systems, CIS
Vassar College
845-437-7221
--
- Ken
=================================================================
Ken Connelly
Associate Director, Security and Systems
ITS Network Services
University of Northern Iowa
email: Ken.Connelly () uni edu
p: (319) 273-5850 f: (319) 273-7373
Any request to divulge your UNI password via e-mail is fraudulent!
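Added example, not part of the original messages: the triage order described in the reply above, written as a Python function that returns a disposition for each alert. The 150 km "near" radius, the campus coordinates, the field names and all sample records are assumptions constructed for illustration; the source location and mobile-carrier flag stand for the results of the manual IP-to-ASN and geolocation checks.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

NEAR_KM = 150.0             # assumption: radius for "relatively local" / "near"
CAMPUS = (42.51, -92.46)    # constructed campus location (lat, lon)

def km_between(a, b):
    """Great-circle (haversine) distance in kilometres between (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

@dataclass
class Person:
    active: bool                # currently enrolled or employed
    role: str                   # "student" or "faculty"
    hometown: tuple = None
    study_abroad: tuple = None

@dataclass
class Alert:
    account: str
    source: tuple               # location after verifying the reported source
    mobile_carrier: bool        # outcome of the IP-to-ASN lookup

def triage(alert, person):
    # Step 1: ignore accounts with no active person behind them.
    if person is None or not person.active:
        return "drop: not active"
    # Step 2: stop at the first benign explanation for the source.
    if alert.mobile_carrier:
        return "close: mobile provider"
    for label, place in (("relatively local", CAMPUS),
                         ("near hometown", person.hometown),
                         ("near study-abroad site", person.study_abroad)):
        if place is not None and km_between(alert.source, place) <= NEAR_KM:
            return "close: " + label
    # Step 3: nothing explains the source, so a person has to be asked.
    return ("escalate: call department office" if person.role == "faculty"
            else "escalate: call student's cell phone")

# Constructed directory and alerts, one alert per branch of the procedure.
DIRECTORY = {
    "alum": Person(False, "student"), "prof": Person(True, "faculty"),
    "home": Person(True, "student", hometown=(41.88, -87.63)),
    "abroad": Person(True, "student", study_abroad=(40.42, -3.70)),
}
ALERTS = [Alert("alum", (52.23, 21.01), False), Alert("home", (41.90, -87.70), False),
          Alert("abroad", (40.45, -3.69), False), Alert("prof", (19.43, -99.13), False),
          Alert("home", (35.68, 139.69), True), Alert("home", (42.51, -92.46), False)]
RESULTS = [triage(a, DIRECTORY.get(a.account)) for a in ALERTS]
```

Only the two "escalate" dispositions need a phone call; every "close" result records which benign explanation ended the investigation.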