Re: [EXTERNAL] [SECURITY] Query: internet browsing logs

[Brian Epstein <bepstein () IAS EDU>]

We only collect telemetry data (DNS lookups, URL visited), but do not
use SSL interception.  I have given many talks against SSL interception,
and how it erodes user trust in higher-ed.  There may be a business
reason on why it is needed somewhere, but in general, I believe it
causes more trouble than it is worth.

We also have a log file retention policy that states that proxy logs are
only kept for 24 hours to further protect our user's privacy.

Thanks,
Brian

On 10/11/2018 11:45 AM, Ronald King wrote:
> This is the same for Morgan State. We do not decrypt avoid the potential
> privacy and compliance issues. By decrypting SSL you will have access to
> and storing HIPAA and PCI data. 
>
> Ron
> *Ronald A. King, CISSP*
> Chief Information Security Officer
> Morgan State UniversityOffice:(443) 885-3372
> 1700 E. Cold Spring Ln.Email:ronald.king () morgan edu
> <mailto:ronald.king () morgan edu>
> Baltimore, MD 21251URL:http://www.morgan.edu
>
> *Growing the future ... Leading the world*
> <http://www.morgan.edu/Documents/ABOUT/StrategicPlan/StrategicPlan2011-21_Final.pdf>
>
>
>
> On Thu, Oct 11, 2018 at 9:30 AM Adam Maynard <AMaynard () clarku edu
> <mailto:AMaynard () clarku edu>> wrote:
>
>     We log all URL’s visited from on Campus with Palo Alto NGFW. We
>     don’t decrypt https, so it just logs the root URL for those. We can
>     trace that traffic back to a user fairly easily. ____
>
>     __ __
>
>     This is pretty helpful for phishing/malware incident response.____
>
>     __ __
>
>     __ __
>
>     V/R,____
>
>     Adam Maynard____
>
>     Information Security Analyst____
>
>     Clark University____
>
>     __ __
>
>     *From:* The EDUCAUSE Security Community Group Listserv
>     <SECURITY () LISTSERV EDUCAUSE EDU
>     <mailto:SECURITY () LISTSERV EDUCAUSE EDU>> *On Behalf Of *Roshan Harneker
>     *Sent:* Thursday, October 11, 2018 09:14
>     *To:* SECURITY () LISTSERV EDUCAUSE EDU
>     <mailto:SECURITY () LISTSERV EDUCAUSE EDU>
>     *Subject:* [EXTERNAL] [SECURITY] Query: internet browsing logs____
>
>     __ __
>
>     Hi,____
>
>     __ __
>
>     We have a requirement to be able to collate internet browsing logs
>     that will also be able to provide us with detail around URLs visited
>     especially when forensic investigations are requested. We don’t have
>     a requirement to view the website contents, just websites visited.
>     In the past TMG was used as a proxy but since so much traffic is now
>     SSL-based, I wanted to know what other universities are using to
>     capture HTTP/HTTPS traffic information and being able to tie each
>     URL visited to an identity. ____
>
>     __ __
>
>     Regards,____
>
>     Roshan ____
>
>     __ __
>
>     Roshan Harneker
>     Senior Manager: Information and Cybersecurity Services____
>
>     Information & Communication Technology Services (ICTS)____
>
>     University of Cape Town
>     Phone: 021 650 3658
>     roshan.harneker () uct ac za <mailto:roshan.harneker () uct ac za>____
>
>     https://csirt.uct.ac.za
>     
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__na01.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fcsirt.uct.ac.za-26data-3D02-257C01-257Camaynard-2540CLARKU.EDU-257C42760933b7184097adb008d62f7cc34a-257Cb5b2263d68aa453eb972aa1421410f80-257C1-257C0-257C636748610237162871-26sdata-3DCmApkigwvreS-252FEW0UNksB5E2IF2ryX6lfUtCt7JFi5k-253D-26reserved-3D0&d=DwMFAg&c=0CCt47_3RbNABITTvFzZbA&r=hF9utfnfkGfY793x81M4Gr0nwxs9KYTZ6TUPUh4wPjs&m=_EIxEfDkgL9ifVMXlZ0L8xlKKdtQ1gkpX_pwwhyfgFI&s=EgB8VYbCdfT4IPoA_WQS9eaYBpu8vq8sTSTPWpW6bC8&e=>
>     ____
>
>     __ __
>
>     Disclaimer - University of Cape Town This email is subject to UCT
>     policies and email disclaimer published on our website at
>     http://www.uct.ac.za/main/email-disclaimer
>     
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.uct.ac.za_main_email-2Ddisclaimer&d=DwMFAg&c=0CCt47_3RbNABITTvFzZbA&r=hF9utfnfkGfY793x81M4Gr0nwxs9KYTZ6TUPUh4wPjs&m=_EIxEfDkgL9ifVMXlZ0L8xlKKdtQ1gkpX_pwwhyfgFI&s=6UimJZIv5ApoIgXmp_c_7gxOg_8TUewHfziBalHcm9o&e=>
>     or obtainable from +27 21 650 9111. If this email is not related to
>     the business of UCT, it is sent by the sender in an individual
>     capacity. Please report security incidents or abuse via
>     https://csirt.uct.ac.za/page/report-an-incident.php
>     
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__csirt.uct.ac.za_page_report-2Dan-2Dincident.php&d=DwMFAg&c=0CCt47_3RbNABITTvFzZbA&r=hF9utfnfkGfY793x81M4Gr0nwxs9KYTZ6TUPUh4wPjs&m=_EIxEfDkgL9ifVMXlZ0L8xlKKdtQ1gkpX_pwwhyfgFI&s=W-c_3a7SWO-4eRpIDqR_n5TWYrXSaCHmrWzpGoyloig&e=>.
>     ____



-- 
Brian Epstein <bepstein () ias edu>                     +1 609-734-8179
Manager, Network and Security           Institute for Advanced Study
Key fingerprint = A6F3 9F5A 26C5 5847 79ED  C34C C0E5 244A 55CA 2B78

Attachment: signature.asc
Description: OpenPGP digital signature