Educause Security Discussion
mailing list archives
Re: Google Apps alerts protocol
From: Ben Marsden <bmarsden () SMITH EDU>
Date: Thu, 10 Oct 2013 16:07:38 -0400
While I like (and envy) Ken's formalized protocol, ours is minimalist and
simple (small school syndrome). We have one sys admin who receives the
alerts, scans them as time permits, and follows up on only the most
obvious alerts (like a "computerstore" login alert from any off-campus
We did try following up on some others, e.g. one account that logged in from
China -- turns out they were on vacation, in China. And it appears that
scenario for faculty, staff, & students is frequent enough that only the most
obvious non-false positives trigger a follow-up response.
Hope this helps,
On Thu, Oct 10, 2013 at 9:26 AM, Emily Harris <emharris () vassar edu> wrote:
Thanks Ken. It seems like a lot of work - not for you, necessarily, but
for an institution such as my own that does not have a dedicated IT
Security staff, or even individual.
Can anyone else on the list comment on policies and procedures around the
Google alerts? Thank you!
On Mon, Oct 7, 2013 at 11:58 AM, Ken Connelly <Ken.Connelly () uni edu> wrote:
We've been receiving Google alerts for a little over a month now. In
the absence of any real policy, here's what I do with them:
1. Check to see if the account belongs to an
   actively enrolled/employed person. If not, it's not worth the
   hassle of tracking further.
2. Check to see if the source is really where Google says it is. I use
   a combination of TC's IP-to-ASN mapping, ipinfodb.com, and
   1. If the source is a mobile provider, quit digging.
   2. If the source is relatively local, quit digging.
   3. If the source is near the person's hometown, quit digging.
   4. If the source is near where the student is enrolled in study
      abroad, quit digging.
3. If I haven't stopped yet:
   1. Call the faculty member's department office, explain the reason for the
      call, and ask if the person is traveling and/or on vacation.
   2. Call the student's cell phone (if available) and ask if they're
      somewhere other than close to campus.
We've gotten alerts for all sorts of weirdness, including reports of
"unusual" access from our campus netblock. I can only guess that the
student normally uses their phone on a cell network and happened to use
a campus connection for a change.
We've found a few cases of stolen accounts. I can count those on one
hand. Otherwise, things reported have been explained or explainable.
It certainly is a *very* poor SNR.
On 10/7/13 10:22 AM, Emily Harris wrote:
We recently turned on Google alerts and we are wondering what to do
with them. We had turned on the alerts previously, back in August,
and received 12 in less than 72 hours. Lacking any protocol or policy
on how to handle them, we immediately turned off the alerts.
We just re-enabled them and are in "wait and see" mode. We have
received about 10 alerts since last Tuesday, and have not yet
requested audits. We are evaluating what we should do with the alerts
and what sort of protocol we should develop and follow.
We have noticed that the alerts are rudimentary and don't tell us
much. If, for example, I leave my work machine on and logged into
google, and then I go on vacation and check email, it will trigger one
alert that says I logged in from, say, Mexico. But it seems to not
send another alert or any other information, such as "yesterday this
person logged in from Poughkeepsie, and today from Mexico, and two
hours later from Wales." That might indicate a problem, clearly, but
the alerts are nowhere near that informative.
Can any other college share what protocols and policies you have in
place for dealing with Google Alerts? Thank you!
Director, Networks & Systems, CIS
Ken Connelly Associate Director, Security and Systems
ITS Network Services University of Northern Iowa
email: Ken.Connelly () uni edu p: (319) 273-5850 f: (319) 273-7373
Any request to divulge your UNI password via e-mail is fraudulent!
Ben Marsden : Information Security Director, CISSP/GISP
ITS, Stoddard Hall, Smith College, Northampton, MA 01063
bmarsden () smith edu (413) 585-4479
=--> Any request to reveal your Smith password via email is fraudulent!
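Ken Connelly's stop-early triage (steps 1-3 in his message above) and the cross-alert travel correlation Emily Harris says the Google alerts lack, combined into one added example. This is editor-written illustration code, not anything from the thread, from Google, or from the institutions named; the geolocation/ASN table, the campus coordinates, the 80 km "relatively local" radius, the 900 km/h speed ceiling and the sample alert timestamps are all constructed assumptions.

```python
"""Added example: stop-early triage of Google login alerts (Ken's checks) plus
an impossible-travel correlation across consecutive alerts (Emily's wish).
All geolocation data below is constructed for illustration, not real lookups."""
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt
from typing import Optional, Tuple

Coord = Tuple[float, float]

# Constructed stand-in for the IP-to-ASN / ipinfodb lookups named in the thread.
# Addresses are RFC 5737 documentation ranges; coordinates are rough city
# centres; "mobile" is an assumed per-ASN attribute.
GEO = {
    "192.0.2.10":   dict(city="Cedar Falls, US", asn="AS-CAMPUS", mobile=False, lat=42.53, lon=-92.45),
    "198.51.100.7": dict(city="Poughkeepsie, US", asn="AS-CABLE", mobile=False, lat=41.70, lon=-73.92),
    "203.0.113.5":  dict(city="Cancun, MX", asn="AS-TELMX", mobile=False, lat=21.16, lon=-86.85),
    "203.0.113.9":  dict(city="Cardiff, GB", asn="AS-UKNET", mobile=False, lat=51.48, lon=-3.18),
    "203.0.113.77": dict(city="Chicago, US", asn="AS-CELL", mobile=True, lat=41.88, lon=-87.63),
}

CAMPUS: Coord = (42.51, -92.46)   # assumed campus location
NEARBY_KM = 80.0                  # assumed radius for "relatively local" / "near hometown"
MAX_PLAUSIBLE_KMH = 900.0         # assumed ceiling: roughly airliner cruise speed


@dataclass
class Person:
    active: bool                          # actively enrolled / employed
    hometown: Optional[Coord] = None
    study_abroad: Optional[Coord] = None  # where the student is enrolled abroad


@dataclass
class Alert:
    when: datetime
    ip: str


def distance_km(a: Coord, b: Coord) -> float:
    """Great-circle (haversine) distance between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def triage(person: Person, alert: Alert) -> Tuple[str, str]:
    """Ken's checks in order; each 'stop' is one of his 'quit digging' rules."""
    if not person.active:
        return "drop", "account not actively enrolled/employed"
    geo = GEO.get(alert.ip)
    if geo is None:
        return "followup", "no geolocation for source"  # assumption: unknown source gets a call
    if geo["mobile"]:
        return "stop", f"mobile provider {geo['asn']}"
    src = (geo["lat"], geo["lon"])
    for label, place in (("campus", CAMPUS), ("hometown", person.hometown),
                         ("study-abroad site", person.study_abroad)):
        if place is not None and distance_km(src, place) <= NEARBY_KM:
            return "stop", f"near {label} ({geo['city']})"
    return "followup", f"unexplained source {geo['city']}: call the department / student"


def impossible_travel(alerts):
    """Correlate consecutive alerts for one account and flag pairs whose implied
    speed exceeds MAX_PLAUSIBLE_KMH. Returns a list of (prev_ip, cur_ip, km, kmh)."""
    flagged = []
    ordered = sorted(alerts, key=lambda a: a.when)
    for prev, cur in zip(ordered, ordered[1:]):
        g1, g2 = GEO.get(prev.ip), GEO.get(cur.ip)
        if g1 is None or g2 is None:
            continue
        km = distance_km((g1["lat"], g1["lon"]), (g2["lat"], g2["lon"]))
        hours = (cur.when - prev.when).total_seconds() / 3600.0
        kmh = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
        if kmh > MAX_PLAUSIBLE_KMH:
            flagged.append((prev.ip, cur.ip, round(km), kmh if kmh == float("inf") else round(kmh)))
    return flagged


# Constructed sample: Emily's "Poughkeepsie yesterday, Mexico today, Wales two hours later".
EMILY_ALERTS = [
    Alert(datetime(2013, 10, 6, 9, 0), "198.51.100.7"),
    Alert(datetime(2013, 10, 7, 9, 0), "203.0.113.5"),
    Alert(datetime(2013, 10, 7, 11, 0), "203.0.113.9"),
]


def run_examples() -> dict:
    """Verdicts for a constructed student whose hometown is Chicago."""
    student = Person(active=True, hometown=(41.88, -87.63))
    t = datetime(2013, 10, 7, 9, 0)
    return {
        "inactive": triage(Person(active=False), Alert(t, "203.0.113.5"))[0],
        "mobile": triage(student, Alert(t, "203.0.113.77"))[0],
        "campus": triage(student, Alert(t, "192.0.2.10"))[0],
        "mexico": triage(student, Alert(t, "203.0.113.5"))[0],
        "travel": impossible_travel(EMILY_ALERTS),
    }


if __name__ == "__main__":
    for k, v in run_examples().items():
        print(k, v)
```

Run as-is, the Mexico login on its own only earns a "followup" (a phone call); it is the Cancun-to-Cardiff hop in two hours, implying several thousand km/h, that `impossible_travel` flags. A genuine vacation in China would still pass the triage as "followup" and would not be flagged by the speed check unless a second login appeared too far away too soon, which is exactly the signal the single-alert format from Google does not carry.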