Re: Google Apps alerts protocol

[Emily Harris <emharris () VASSAR EDU>]

Thanks Ken.  It seems like a lot of work - not for you, necessarily, but
for an institution such as my own that does not have a dedicated IT
Security staff, or even individual.

Can anyone else on the list comment on policies and procedures around the
Google alerts?  Thank you!


On Mon, Oct 7, 2013 at 11:58 AM, Ken Connelly <Ken.Connelly () uni edu> wrote:

> We've been receiving Google alerts for a little over a month now.  In
> the absence of any real policy, here's what I do with them:
>
>  1. Check to see if the account belongs to an
>     actively-enrolled/employeed person.  If not, it's not worth the
>     hassle of tracking further.
>  2. Check to see if the source is really where Google says it is.  I use
>     a combination of TC's IP-to-ASN mapping, ipinfodb.com, and traceroute.
>      1. If the source is a mobile provider, quit digging.
>      2. If the source is relatively local, quit digging.
>      3. If the source is near the person's hometown, quit digging.
>      4. If the source is near where the student is enrolled in study
>         abroad, quit digging.
>  3. If I haven't stopped yet.
>      1. Call the faculty's department office, explain the reason for the
>         call, and ask if the person is traveling and/or on vacation.
>      2. Call the student's cell phone (if available) and ask if they're
>         somewhere other than close to campus.
>
> We've gotten alerts for all sorts of weirdness, including reports of
> "unusual" access from our campus netblock.  I can only guess that the
> student normally uses their phone on a cell network and happened to use
> a campus connection for a change.
>
> We've found a few cases of stolen accounts.  I can count those on one
> hand.  Otherwise, things reported have been explained or explainable.
> It certainly is a *very* poor SNR.
>
> - ken
>
> On 10/7/13 10:22 AM, Emily Harris wrote:
> > We recently turned on Google alerts and we are wondering what to do
> > with them.  We had turned on the alerts previously, back in August,
> > and received 12 in less than 72 hours.  Lacking any protocol or policy
> > on how to handle them, we immediately turned off the alerts.
> >
> > We just re-enable them and are in "wait and see" mode.  We have
> > received about 10 alerts since last Tuesday, and have not yet
> > requested audits.  We are evaluating what we should do with the alerts
> > and what sort of protocol we should develop and follow.
> >
> > We have noticed that the alerts are rudimentary and don't tell us
> > much.  If, for example, I leave my work machine on and logged into
> > google, and then I go on vacation and check email, it will trigger one
> > alert that says I logged in from, say, Mexico.  But it seems to not
> > send another alert or any other information, such as "yesterday this
> > person logged in from Poughkeepsie, and today from Mexico, and two
> > hours later from Wales"  That might indicate a problem, clearly, but
> > the alerts are nowhere near as informational.
> >
> > Can any other college share what protocols and policies you have in
> > place for dealing with Google Alerts?  Thank you!
> >
> > --
> > Emily Harris
> > Director, Networks & Systems, CIS
> > Vassar College
> > 845-437-7221
>
> --
> - Ken
> =================================================================
> Ken Connelly             Associate Director, Security and Systems
> ITS Network Services                  University of Northern Iowa
> email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373
>
> Any request to divulge your UNI password via e-mail is fraudulent!



-- 
Emily Harris
Director, Networks & Systems, CIS
Vassar College
845-437-7221