Home page logo

educause logo Educause Security Discussion mailing list archives

Re: Google Apps alerts protocol
From: Emily Harris <emharris () VASSAR EDU>
Date: Thu, 10 Oct 2013 09:26:02 -0400

Thanks Ken.  It seems like a lot of work - not for you, necessarily, but
for an institution such as my own that does not have a dedicated IT
Security staff, or even individual.

Can anyone else on the list comment on policies and procedures around the
Google alerts?  Thank you!

On Mon, Oct 7, 2013 at 11:58 AM, Ken Connelly <Ken.Connelly () uni edu> wrote:

We've been receiving Google alerts for a little over a month now.  In
the absence of any real policy, here's what I do with them:

 1. Check to see if the account belongs to an
    actively-enrolled/employeed person.  If not, it's not worth the
    hassle of tracking further.
 2. Check to see if the source is really where Google says it is.  I use
    a combination of TC's IP-to-ASN mapping, ipinfodb.com, and traceroute.
     1. If the source is a mobile provider, quit digging.
     2. If the source is relatively local, quit digging.
     3. If the source is near the person's hometown, quit digging.
     4. If the source is near where the student is enrolled in study
        abroad, quit digging.
 3. If I haven't stopped yet.
     1. Call the faculty's department office, explain the reason for the
        call, and ask if the person is traveling and/or on vacation.
     2. Call the student's cell phone (if available) and ask if they're
        somewhere other than close to campus.

We've gotten alerts for all sorts of weirdness, including reports of
"unusual" access from our campus netblock.  I can only guess that the
student normally uses their phone on a cell network and happened to use
a campus connection for a change.

We've found a few cases of stolen accounts.  I can count those on one
hand.  Otherwise, things reported have been explained or explainable.
It certainly is a *very* poor SNR.

- ken

On 10/7/13 10:22 AM, Emily Harris wrote:
We recently turned on Google alerts and we are wondering what to do
with them.  We had turned on the alerts previously, back in August,
and received 12 in less than 72 hours.  Lacking any protocol or policy
on how to handle them, we immediately turned off the alerts.

We just re-enable them and are in "wait and see" mode.  We have
received about 10 alerts since last Tuesday, and have not yet
requested audits.  We are evaluating what we should do with the alerts
and what sort of protocol we should develop and follow.

We have noticed that the alerts are rudimentary and don't tell us
much.  If, for example, I leave my work machine on and logged into
google, and then I go on vacation and check email, it will trigger one
alert that says I logged in from, say, Mexico.  But it seems to not
send another alert or any other information, such as "yesterday this
person logged in from Poughkeepsie, and today from Mexico, and two
hours later from Wales"  That might indicate a problem, clearly, but
the alerts are nowhere near as informational.

Can any other college share what protocols and policies you have in
place for dealing with Google Alerts?  Thank you!

Emily Harris
Director, Networks & Systems, CIS
Vassar College

- Ken
Ken Connelly             Associate Director, Security and Systems
ITS Network Services                  University of Northern Iowa
email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373

Any request to divulge your UNI password via e-mail is fraudulent!

Emily Harris
Director, Networks & Systems, CIS
Vassar College

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]