Educause Security Discussion
mailing list archives
Re: Google Apps alerts protocol
From: Ken Connelly <Ken.Connelly () UNI EDU>
Date: Mon, 7 Oct 2013 10:58:22 -0500
We've been receiving Google alerts for a little over a month now. In
the absence of any real policy, here's what I do with them:
1. Check to see if the account belongs to an
   actively-enrolled/employed person. If not, it's not worth the
   hassle of tracking further.
2. Check to see if the source is really where Google says it is. I use
   a combination of TC's IP-to-ASN mapping, ipinfodb.com, and traceroute.
   1. If the source is a mobile provider, quit digging.
   2. If the source is relatively local, quit digging.
   3. If the source is near the person's hometown, quit digging.
   4. If the source is near where the student is enrolled in study
      abroad, quit digging.
3. If I haven't stopped yet:
   1. Call the faculty's department office, explain the reason for the
      call, and ask if the person is traveling and/or on vacation.
   2. Call the student's cell phone (if available) and ask if they're
      somewhere other than close to campus.
We've gotten alerts for all sorts of weirdness, including reports of
"unusual" access from our campus netblock. I can only guess that the
student normally uses their phone on a cell network and happened to use
a campus connection for a change.
We've found a few cases of stolen accounts. I can count those on one
hand. Otherwise, things reported have been explained or explainable.
It certainly is a *very* poor SNR.
On 10/7/13 10:22 AM, Emily Harris wrote:
> We recently turned on Google alerts and we are wondering what to do
> with them. We had turned on the alerts previously, back in August,
> and received 12 in less than 72 hours. Lacking any protocol or policy
> on how to handle them, we immediately turned off the alerts.
>
> We just re-enabled them and are in "wait and see" mode. We have
> received about 10 alerts since last Tuesday, and have not yet
> requested audits. We are evaluating what we should do with the alerts
> and what sort of protocol we should develop and follow.
>
> We have noticed that the alerts are rudimentary and don't tell us
> much. If, for example, I leave my work machine on and logged into
> Google, and then I go on vacation and check email, it will trigger one
> alert that says I logged in from, say, Mexico. But it seems to not
> send another alert or any other information, such as "yesterday this
> person logged in from Poughkeepsie, and today from Mexico, and two
> hours later from Wales." That might indicate a problem, clearly, but
> the alerts are nowhere near as informational.
>
> Can any other college share what protocols and policies you have in
> place for dealing with Google Alerts? Thank you!
>
> Director, Networks & Systems, CIS
Ken Connelly Associate Director, Security and Systems
ITS Network Services University of Northern Iowa
email: Ken.Connelly () uni edu p: (319) 273-5850 f: (319) 273-7373
Any request to divulge your UNI password via e-mail is fraudulent!
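The triage steps Ken lists (active-status check, then source checks that let you stop digging, then a phone call) and the cross-login correlation Emily wishes the alerts provided (Poughkeepsie yesterday, Mexico today, Wales two hours later) can both be written down as a small decision routine. The following is an added example, not code from either poster or from Google; it assumes the IP-to-ASN and geolocation lookups have already been done and that their results arrive as fields on a `Login` record. The 150 km "local" radius, the 900 km/h "impossible travel" threshold, the `Person`/`Login` record layouts, and every directory entry and sign-in below are constructed for illustration.

```python
"""Triage of Google sign-in alerts along the decision steps discussed
in the thread. Added example; all records and thresholds are constructed."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Optional, Tuple

Coord = Tuple[float, float]          # (latitude, longitude) in degrees

EARTH_RADIUS_KM = 6371.0
LOCAL_RADIUS_KM = 150.0              # assumption: what counts as "relatively local"
IMPOSSIBLE_SPEED_KMH = 900.0         # assumption: above sustained airline speed


@dataclass
class Person:
    status: str                      # "student", "employee" or "inactive"
    hometown: Coord
    study_abroad: Optional[Coord] = None


@dataclass
class Login:
    user: str
    when: datetime
    ip: str                          # constructed, documentation-range address
    asn_org: str                     # result of an IP-to-ASN lookup (assumed done)
    is_mobile_provider: bool         # derived from that lookup (assumed done)
    location: Coord                  # result of a geolocation lookup (assumed done)


def distance_km(a: Coord, b: Coord) -> float:
    """Great-circle distance between two (lat, lon) pairs (haversine formula)."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def implied_speed_kmh(prev: Login, cur: Login) -> float:
    """Speed the account holder would have needed to get from the previous
    sign-in location to the current one in the time between them."""
    hours = (cur.when - prev.when).total_seconds() / 3600
    if hours <= 0:
        return float("inf")
    return distance_km(prev.location, cur.location) / hours


def triage(alert: Login, person: Optional[Person], campus: Coord,
           previous: Optional[Login] = None) -> str:
    """Return a disposition string for one alert."""
    # Step 1: only chase accounts of currently enrolled/employed people.
    if person is None or person.status == "inactive":
        return "drop: account not active"
    # The correlation Google's alert lacks: a travel speed no traveller could
    # manage outranks every "quit digging" rule that follows.
    if previous is not None and implied_speed_kmh(previous, alert) > IMPOSSIBLE_SPEED_KMH:
        return "escalate: impossible travel since previous sign-in"
    # Step 2: reasons to stop digging, in the order the thread lists them.
    if alert.is_mobile_provider:
        return "close: source is a mobile provider"
    if distance_km(alert.location, campus) <= LOCAL_RADIUS_KM:
        return "close: source is local to campus"
    if distance_km(alert.location, person.hometown) <= LOCAL_RADIUS_KM:
        return "close: source is near hometown"
    if person.study_abroad and distance_km(alert.location, person.study_abroad) <= LOCAL_RADIUS_KM:
        return "close: source is near study-abroad site"
    # Step 3: nothing explains it, so a human picks up the phone.
    who = "department office" if person.status == "employee" else "student's cell phone"
    return f"follow up: call the {who}"


# ---- constructed sample data (approximate coordinates, not from the thread) ----
CAMPUS: Coord = (42.53, -92.45)          # assumption: Cedar Falls, Iowa
DES_MOINES: Coord = (41.59, -93.62)
POUGHKEEPSIE: Coord = (41.70, -73.92)
MEXICO_CITY: Coord = (19.43, -99.13)
CARDIFF: Coord = (51.48, -3.18)
LONDON: Coord = (51.51, -0.13)

DIRECTORY = {
    "astudent": Person("student", hometown=DES_MOINES),
    "bfaculty": Person("employee", hometown=CAMPUS),
    "cabroad": Person("student", hometown=DES_MOINES, study_abroad=LONDON),
    "dalumni": Person("inactive", hometown=DES_MOINES),
}

ALERT_MEXICO = Login("astudent", datetime(2013, 10, 7, 9, 0), "203.0.113.10", "Example Telecom MX", False, MEXICO_CITY)
ALERT_WALES = Login("astudent", datetime(2013, 10, 7, 11, 0), "198.51.100.7", "Example ISP UK", False, CARDIFF)
PRIOR_POUGHKEEPSIE = Login("astudent", datetime(2013, 10, 6, 9, 0), "192.0.2.44", "Example Cable US", False, POUGHKEEPSIE)
ALERT_LOCAL = Login("astudent", datetime(2013, 10, 7, 12, 0), "192.0.2.9", "Example Cable IA", False, (42.60, -92.30))
ALERT_MOBILE = Login("bfaculty", datetime(2013, 10, 7, 13, 0), "203.0.113.200", "Example Wireless", True, (41.88, -87.63))
ALERT_ABROAD = Login("cabroad", datetime(2013, 10, 7, 14, 0), "198.51.100.50", "Example ISP UK", False, LONDON)
ALERT_ALUMNI = Login("dalumni", datetime(2013, 10, 7, 15, 0), "203.0.113.77", "Example ISP", False, MEXICO_CITY)


if __name__ == "__main__":
    for alert, prev in [(ALERT_MEXICO, PRIOR_POUGHKEEPSIE), (ALERT_WALES, ALERT_MEXICO),
                        (ALERT_LOCAL, None), (ALERT_MOBILE, None),
                        (ALERT_ABROAD, None), (ALERT_ALUMNI, None)]:
        print(alert.user, alert.when.isoformat(), "->",
              triage(alert, DIRECTORY.get(alert.user), CAMPUS, prev))
```

The order of the checks is the substantive design choice: the implied-speed comparison runs before any "quit digging" rule, because a Mexico-to-Wales hop in two hours should be escalated even if the Welsh address belongs to a mobile carrier or sits next to a study-abroad site. Everything after that is a direct transcription of the steps in the reply, and the thresholds are the two knobs a campus would tune to its own false-positive tolerance.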