Educause Security Discussion mailing list archives
Re: Measures of detecting breached email accounts
From: Joseph Tam <tam () MATH UBC CA>
Date: Thu, 7 Dec 2017 00:09:46 -0800
On Wed, 6 Dec 2017, Valdis Kletnieks wrote:
> > > Doing exception analysis on successful *and failed* logins is a good start - and done a *lot* more frequently than "monthly". You'll very quickly learn to tell the difference between dictionary attacks trying to get into *any* userid, and targeted attacks on a specific user - if one of your VPs is hit overnight with 17 failed login attempts from Ukraine while they're sleeping in the Caribbean night, you have a potential problem.
>
> > Sounding the alarm on failed login attempts will have me looking at logs every minute, night and day. Even at my modest installation, this happens far too frequently to be considered a useful trigger for notification: it's not anomalous, it's background radiation.
>
> I did say *exception* analysis, didn't I? Look for stuff that doesn't look like background radiation. ;)
I've seen both diffuse and intensive failed logins -- neither is worth looking at from a security standpoint. It's not uncommon for me to see thousands of guesses against one account, especially against administrative accounts. The only situation I can possibly think of worth investigating is if the source of the attack came from your network, or if it can somehow be inferred that the password guesses are targeted (i.e. typographically close to the actual password).

What are the *exceptional* circumstances that would allow you to differentiate any particular failed authentication from the thousands of other attempts?

Joseph Tam <tam () math ubc ca>
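The exchange above turns on what "exception" means for failed logins. The following is an added example (editor's illustration, not code from the thread or from either poster) of one concrete answer: a source that fails against many different userids is a dictionary sweep and counts as background; so does a single external source hammering one account with no other signal, per Joseph's observation about administrative accounts. What gets surfaced is (a) a cluster of failures against a user from a country that never appears in that user's own successful logins, the "VP in the Caribbean, failures from Ukraine" case, (b) failures originating inside your own address space, and (c) a success that follows such a cluster from the same source. The log format, the campus address ranges, the thresholds and the sample log lines are all assumed and constructed for the example.

```python
"""Exception analysis over an authentication log (added example, not from the thread).

Separates background radiation (dictionary sweeps, external hammering of one
account) from the few failed-login patterns worth a human's attention.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed campus address space (hypothetical; substitute your own ranges).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]

# Constructed sample log (not real data). Assumed line format:
#   <ISO-8601 timestamp> <userid> <OK|FAIL> <source-ip> <source-country>
SAMPLE_LOG = """\
2017-12-05T09:10:00Z vp_jones OK 198.51.100.20 BB
2017-12-05T14:30:00Z vp_jones OK 198.51.100.20 BB
2017-12-05T16:00:00Z bob OK 10.20.30.41 CA
2017-12-06T02:00:01Z vp_jones FAIL 203.0.113.7 UA
2017-12-06T02:00:09Z vp_jones FAIL 203.0.113.7 UA
2017-12-06T02:00:17Z vp_jones FAIL 203.0.113.7 UA
2017-12-06T02:00:25Z vp_jones FAIL 203.0.113.7 UA
2017-12-06T03:00:00Z aaron FAIL 192.0.2.55 RU
2017-12-06T03:00:01Z abby FAIL 192.0.2.55 RU
2017-12-06T03:00:02Z admin FAIL 192.0.2.55 RU
2017-12-06T03:00:03Z alice FAIL 192.0.2.55 RU
2017-12-06T03:00:04Z bob FAIL 192.0.2.55 RU
2017-12-06T03:00:05Z carol FAIL 192.0.2.55 RU
2017-12-06T08:00:00Z bob FAIL 10.20.30.99 CA
2017-12-06T08:00:05Z bob FAIL 10.20.30.99 CA
2017-12-06T08:00:10Z bob FAIL 10.20.30.99 CA
2017-12-06T10:00:00Z dave OK 198.51.100.80 CA
2017-12-06T11:00:00Z dave FAIL 203.0.113.9 BR
2017-12-06T11:00:30Z dave FAIL 203.0.113.9 BR
2017-12-06T11:01:00Z dave FAIL 203.0.113.9 BR
2017-12-06T11:01:30Z dave OK 203.0.113.9 BR
"""
# Plus the "thousands of guesses against one administrative account" that the
# thread calls background radiation: one external source hammering "admin".
SAMPLE_LOG += "".join(
    f"2017-12-06T04:{i // 60:02d}:{i % 60:02d}Z admin FAIL 192.0.2.200 CN\n"
    for i in range(2000)
)


def parse_log(text):
    """Parse the assumed format into (ts, user, result, ip, country), time-ordered."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip, country = line.split()
        events.append((ts, user, result, ip_address(ip), country))
    return sorted(events)  # ISO-8601 timestamps sort lexicographically


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def analyse(events, sweep_min_users=5, min_fails=3):
    """Return (alerts, background_fail_count).

    alerts is a sorted list of (kind, user, source_ip, country, fail_count).
    """
    # Pass 1: a source that fails against many distinct userids is a sweep.
    users_by_src = defaultdict(set)
    for _, user, result, ip, _ in events:
        if result == "FAIL":
            users_by_src[ip].add(user)
    sweeps = {ip for ip, users in users_by_src.items() if len(users) >= sweep_min_users}

    # Pass 2, in time order: build each user's baseline of countries from
    # successful logins, count failures per (user, source), and flag a success
    # that follows a failure cluster from a source outside the baseline.
    baseline = defaultdict(set)
    fails = defaultdict(int)
    compromised = set()
    alerts = []
    for _, user, result, ip, country in events:
        key = (user, ip, country)
        if result == "FAIL":
            fails[key] += 1
        elif fails.get(key, 0) >= min_fails and country not in baseline[user]:
            alerts.append(("fail-then-success", user, str(ip), country, fails[key]))
            compromised.add(key)  # a suspicious success must not extend the baseline
        else:
            baseline[user].add(country)

    # Pass 3: classify each remaining failure cluster.
    background = 0
    for (user, ip, country), n in fails.items():
        if (user, ip, country) in compromised:
            continue
        if is_internal(ip) and n >= min_fails:
            alerts.append(("internal-source", user, str(ip), country, n))
        elif ip in sweeps:
            background += n
        elif baseline[user] and country not in baseline[user] and n >= min_fails:
            alerts.append(("targeted", user, str(ip), country, n))
        else:
            background += n  # e.g. 2000 guesses at "admin" from one external IP
    return sorted(alerts), background


if __name__ == "__main__":
    found, noise = analyse(parse_log(SAMPLE_LOG))
    print(f"{noise} failed logins classed as background radiation")
    for alert in found:
        print("ALERT", *alert)
```

On the constructed log this reports 2006 failures as background (the six-account sweep plus the 2000-guess hammering of "admin") and raises exactly three alerts: vp_jones targeted from UA against a BB baseline, bob's failures from an internal host, and dave's failure cluster from BR followed by a success from the same source. The geo baseline needs a history of successful logins for the user; an account with none (like "admin" here) cannot be judged on geography, which is why the hammering stays in the background bucket. Joseph's other criterion, guesses typographically close to the real password, needs access to the attempted passwords themselves and is not modelled here.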