Published by Duane Leonard. Modified over 6 years ago.
Using Lenel Data To Identify Compromised University Network IDs
HELUG Conference 2017
Steve Cramer, Columbia University Information Technology
Columbia University Network Security
Responsible for protecting:
- Campus network
- 80,000+ user accounts
This includes identifying University Network IDs (UNIs) that have been compromised. Compromised = UNI used by a user other than its assigned owner.
How Are UNIs Compromised?
- Keylogging viruses
- Phishing attacks
- Hacks of non-University application databases containing the same credentials as University accounts
What Do Bad Guys Want With UNIs?
- Access to valuable University e-resources: legal, scientific and business research services; online books, newspapers and journals
- Send spam using University systems
- Steal personal information
Monitoring Is Important
Detecting UNI misuse requires constant vigilance by the University Network Security Team. After identifying a compromised UNI, the Security Team scrambles its password and notifies the individual's school or department.
GULP Monitoring System
- Processes logs from 14+ different campus services that require UNI authentication.
- Records UNI, IP address and login location.
- UNI probably compromised if the same UNI logs in within 72 hours from either: 6+ locations, or 2+ countries.
- About 300 UNIs compromised per year.
Next Step: Adding ID Card Data
Even with GULP, determining the validity of UNI logins remained an imperfect science. The solution: ID card transactions. Card transactions provide strong evidence of a person's actual physical location. By matching them with network logins, we can better deduce which network logins are truly valid.
Project Approval
Public Safety and the General Counsel approved after privacy concerns were met:
- Only the panel IP is stored in GULP, not the exact reader location.
- Data is destroyed after 28 days.
Example 1: Without Lenel Data
UNI: op2168 (hours of the login times and the IP addresses were lost in extraction; only the minutes survive)
Login              Location
12/13/2016  :36    Greece
12/13/2016  :17
12/13/2016  :19    Chile
12/13/2016 7:06    Germany
This is a pretty clear-cut case. Not possible to visit Greece, Germany and Chile all within 5 hours.
Example 1: With Lenel Data
UNI: op2168 (hours of the login times and the IP addresses were lost in extraction; only the minutes survive)
Login              Location
12/13/2016  :36    Greece
12/13/2016  :20    Lenel NYC
12/13/2016  :17
12/13/2016  :19    Chile
12/13/2016 7:06    Germany
12/13/2016 0:17
Still, Lenel data makes it that much clearer. Increased certainty is important when deciding to scramble a user's password.
Example 2: Without Lenel Data
UNI: hj2328 (hours of the login times and the IP addresses were lost in extraction; only the minutes survive)
Login Date         Location
5/22  :59          China
5/22  :39          Singapore
Possible to travel from Singapore to China between login times. Are none, one or both valid? Can't be sure.
Example 2: With Lenel Data
UNI: hj2328 (hours of the login times and the IP addresses were lost in extraction; only the minutes survive)
Login              Location
5/22  :08          Lenel NYC
5/22  :59          China
5/22  :38
5/22  :48
5/22  :39          Singapore
5/22  :24
Lenel data provides the answer – both are invalid.
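As an added example (not code from the presentation), the GULP 72-hour rule from the monitoring slide and the Lenel badge-swipe check that the two examples illustrate, in Python. The timestamps, cities, the panel IP and the six-hour minimum-travel threshold are constructed assumptions patterned on the slides, not values from the page.

```python
# Added example, not the presentation's code: the GULP 72-hour rule plus the
# Lenel badge-swipe check, run over constructed events patterned on the slides.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=72)      # GULP correlation window
MIN_TRAVEL = timedelta(hours=6)   # assumed minimum campus <-> abroad travel time
CAMPUS_PANEL_IPS = {"10.0.0.1"}   # constructed NYC panel IP (GULP stores panel IP only)

def gulp_suspects(logins):
    """UNIs seen from 6+ locations or 2+ countries within any 72-hour window.
    logins: (uni, datetime, city, country) tuples."""
    by_uni = defaultdict(list)
    for uni, when, city, country in logins:
        by_uni[uni].append((when, city, country))
    suspects = set()
    for uni, evs in by_uni.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - start <= WINDOW]
            if len({e[1] for e in win}) >= 6 or len({e[2] for e in win}) >= 2:
                suspects.add(uni)
                break
    return suspects

def lenel_invalid_logins(logins, swipes):
    """Logins from outside the US whose UNI badged in on a campus panel within
    MIN_TRAVEL of the login: the owner was in NYC, so the login is not theirs.
    swipes: (uni, datetime, panel_ip) tuples."""
    campus = defaultdict(list)
    for uni, when, panel_ip in swipes:
        if panel_ip in CAMPUS_PANEL_IPS:
            campus[uni].append(when)
    return [l for l in logins
            if l[3] != "US" and any(abs(s - l[1]) <= MIN_TRAVEL for s in campus[l[0]])]

T = lambda s: datetime.strptime(s, "%Y-%m-%d %H:%M")
LOGINS = [  # constructed, patterned on Example 1 (op2168) and Example 2 (hj2328)
    ("op2168", T("2016-12-13 02:36"), "Athens", "GR"),
    ("op2168", T("2016-12-13 04:19"), "Santiago", "CL"),
    ("op2168", T("2016-12-13 07:06"), "Berlin", "DE"),
    ("hj2328", T("2017-05-22 08:59"), "Beijing", "CN"),
    ("hj2328", T("2017-05-22 17:39"), "Singapore", "SG"),
    ("ab1234", T("2017-05-22 09:00"), "New York", "US"),  # ordinary on-campus login
]
SWIPES = [  # constructed Lenel access events (badge used on the NYC campus)
    ("op2168", T("2016-12-13 03:20"), "10.0.0.1"),
    ("hj2328", T("2017-05-22 07:08"), "10.0.0.1"),
    ("hj2328", T("2017-05-22 18:24"), "10.0.0.1"),
]
```

Both functions are deliberately separate: the GULP rule alone flags op2168 and hj2328 but cannot say which of hj2328's two logins is bad, while the swipe check marks every abroad login that collides with an on-campus badge event.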
Solution Specifications
Goal: export Lenel access events to the GULP database.
Requirements:
- Near real-time
- Only general access events
- Data destroyed after 28 days
- No negative impact on the Lenel system
- Not too complicated
Export columns: UNI, BADGEID, EVENTIME, SERIALNUM, PANELIP
Solution Options - Lenel
Lenel DataExchange. Analysis: too simple; not ideal for multi-step solutions.
Lenel DataConduit. Analysis: complex, problematic and requires a programming resource.
Solution Options – SQL Server
Scheduled SQL Insert: using a SQL Agent job, an OPENQUERY INSERT statement directly exports records into a remote table on the GULP database via a Linked Server.
Analysis: too intensive to run a query every five minutes against the EVENTS table with millions of records.
Solution Options – SQL Server
Remote Trigger: an EVENTS table trigger directly inserts access events into a remote table on the GULP server via a Linked Server and OPENQUERY.
Analysis: too risky. The EVENTS table could freeze if the trigger failed due to problems accessing the remote server.
Solution Options – SQL Server
Local Insert Trigger + Agent Job: an EVENTS table trigger inserts access events into a local table in the ACCESSCONTROL database. A scheduled SQL Agent job exports records from the local table to a remote table on the GULP server via a Linked Server and OPENQUERY.
Analysis: the winner. The local trigger is low-risk, and the Lenel system is not impacted if the Agent export job fails. More maintainable: our expertise is SQL Server, not DataConduit or DataExchange.
Solution Steps
1. Create a Linked Server to the GULP database.
2. Create an insert trigger on the EVENTS table to populate the local table UDO_EVENTS_GULP.
3. Create a SQL Agent job to run every 5 minutes to:
   - Insert unsent events into a message queue table.
   - Export events in the message queue to the table on the GULP server via the Linked Server and OPENQUERY.
   - Update the SENT column in UDO_EVENTS_GULP to "Y".
   - Clear all events from the message queue table.
   - Delete events > 30 days old from UDO_EVENTS_GULP.
Solution Summary
Major success. The Network Security Team is very happy to have an additional monitoring tool. Very few other schools combine logical and physical data in log analysis. Now thinking of other ways we can leverage Lenel data.
Trigger Syntax
CREATE TRIGGER [dbo].[UDO_SEND_EVENTS_TO_GULP_SERVER]
ON [dbo].[EVENTS]
AFTER INSERT
AS
BEGIN
    -- *DECLARE AND SET VARIABLES USING INSERTED*
    INSERT INTO UDO_EVENTS_GULP
    SELECT ... FROM INSERTED
    WHERE ... IN (0,1,2,3) AND ... IS NOT NULL   -- column names are not shown on the slide
END
OPENQUERY Syntax To Update GULP
INSERT OPENQUERY(GULP1P,
    'SELECT ID, EVENTIME, SERIALNUM, UNI, BADGEID, EVENTYPE, EVENTID, PANEL_IPADDRESS
     FROM GULP_PROD.LENEL_DATA')
SELECT ID, EVENTIME, SERIALNUM, UNI, BADGEID, EVENTYPE, EVENTID, PANELIP
FROM UDO_EVENTS_GULP_SEND;
SQL Server Agent Job Steps
Questions
For Further Information
Steve Cramer, Columbia University Information Technology, (212)