...
The purpose of this page is to summarize the basics of what we are doing and give users, and internal ITS staff, a clearer sense of what we do (and don't) know about the security status of our network, and what we can and can't find out. Not all of the links provided here lead to user-visible pages. Some contain sensitive information. If you have questions, call the Helpdesk (x5999) or talk to the campus IT security officer.
Please note, in general, that ITS does not track individual users, per se, or the intimate details of what they are doing. Rather, we log and track normal activity in aggregate, and respond to unusual things like exceptional activity spikes, indications of compromise, and malware. We look in detail at individual activity only to the extent needed to respond appropriately. For example, we may respond to an alert that a user has logged in simultaneously from two different countries by gathering a list of login locations and eyeballing it to be sure it's not a false alarm. We may also take actions like notifying the user and, rarely, temporarily locking their account if that account appears to be compromised, to try to limit damage not only to the campus, but to the user's own information and resources.
...
The software inventory, operating system, and general configuration parameters are recorded in software we purchase from Dell Computing, called KBox. This software helps us package up other software for easy installation in labs and on user devices like desktops and laptops. Often a particular piece of software will require a special license key, or will need to be pointed at a particular device on campus. The KBox can automate these configuration steps. It can also tell us if, for example, a piece of software needs updating and can take the needed action. This is particularly useful when a serious security issue has been discovered. ITS staff can see this data. We need it in order to understand and diagnose software issues that users call about, and to know where to put what software. We also need it in order to find machines that are not updating their software correctly and are therefore exposing users to hostile activity and malware, or opening them and Carleton to licensing violations.
CloudLock, Spirion
Files in Google Drive, and on storage internal to our network, are scanned for personally identifiable information, like social security numbers. In the case of Google Drive, CloudLock does the scanning, and these scans are fully automated. Users get direct email if a possible issue gets uncovered. Spirion (formerly Identity Finder), at least the way we have implemented it, runs under user direction. Users, that is, install the software from the KBox and run it when desired.
Keyserver Logging, License Management
Data is also logged regarding what software is executed, where, and when, via keyserver software, Sassafras (/wiki/spaces/itskb/pages/26129581). We do this, when needed, for audit and compliance purposes. General information at this level is visible to a handful of people including desktop computing and software asset management specialists, the IT security officer, and the data warehouse administrator.
...
In general, nearly all devices through which traffic passes on Carleton’s network log that traffic. These logs typically include the source and destination IP address, MAC address, and various other relevant details. Additional detail gets logged for WiFi via PacketFence (/wiki/spaces/itskb/pages/26119999). This data, collectively, allows us to locate and fix problems and bottlenecks, and it helps us diagnose problems when we (or our users) discover them. We normally don’t look at this data in detail unless there is a problem. The number of people who can do this is very limited (a few core systems staff and the IT security officer).
...