MAC-MLA 2008
Do You Really Know Who is Using Your Systems?
Stephan Spitzer
Lead Developer/DBA, Applied Medical Informatics
James A. Zimble Learning Resource Center
UNIFORMED SERVICES UNIVERSITY of the Health Sciences
James A. Zimble Learning Resource Center

Problem Overview
“On the Internet, Nobody Knows You’re a Dog”
A cartoon by Paul Steiner, which appeared in The New Yorker, July 5th, 1993

Who We Are?
• Uniformed Services University of the Health Sciences (USUHS)
• Medical education and research facility for the nation’s military and public health community
• Located in Bethesda, Maryland

Electronic Resources (ER)
• Portal to over 9,000 electronic resources
• Services over 7,500 global users:
  • Current students and staff
  • Alumni
  • Affiliate institutions

ER - Main Display

Why Worry About Access?
• Most of our resource offerings are limited by license agreements
• We need to have accurate usage statistics so that we supply resources for our legitimate users
• Affiliate institutions pay us per user
• We have a large, mobile, diverse, and dispersed user population

First Step - Record Access Information
ACTION:
• Each user signon date and time is saved with patron record
RESULT:
• Inactive users can be purged from the active user database
ACTION:
• Each user access of an electronic resource is logged, including browser’s IP address
RESULT:
• Have basis for more detailed checking

Google Analytics - Next Step
• Free service gathers various usage information about web sites
• Simple to configure

Google Analytics - Dashboard

Google Analytics - Network Detail

What’s Missing?
• We have user’s access information
• We have locations that accessed our resources
• Need to match: LOCATION <> USER

Matching IP to Location - What Doesn’t Work (Well)
• Internet’s Domain Name System (DNS)
  • Distributed database of name servers
  • Resolve names to locations
• http://network-tools.com/ information via browser
• Nslookup, whois client, etc. are real-time (i.e., too slow)
• Need something static and fast

GeoLite City - The Missing Link
• Open Source (free) database of geographic information
• Maps IP to City/Country, world-wide
• Self-contained database
• Simple API available for most programming languages

Putting It All Together
• Wrote PHP script to query MySQL access logs and call GeoCity API to get user locations
• Find each patron access within a timeframe and list where and when they accessed our resources

Suspicious Activity
• Odd Locations
  • Siberia?; Philippines?
• “Excessive” Usage
  • Access 24x7; lots of access in short timeframes; consistent high access
• Impossible Geographic/Timeframe Usage
  • Different cities/countries/continents in same day/hour

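An added example of the log-to-location matching and two of the checks listed above, written in Python; it is not the presenter's PHP script. The IP-to-location table is a constructed stand-in for the GeoLite City lookup, the log rows are constructed, and the one-hour window and daily limit of 20 are assumed thresholds.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for a GeoLite City lookup: IP -> (city, country).
# Addresses come from documentation ranges (RFC 5737), not real patrons.
GEO = {
    "192.0.2.10": ("Bethesda", "US"),
    "198.51.100.7": ("San Diego", "US"),
    "203.0.113.5": ("Novosibirsk", "RU"),
}

# Constructed access-log rows: (patron_id, timestamp, browser IP).
LOG = [
    ("p1001", "2008-04-02 09:15:00", "192.0.2.10"),
    ("p1001", "2008-04-02 09:40:00", "203.0.113.5"),
    ("p1002", "2008-04-02 08:00:00", "192.0.2.10"),
    ("p1002", "2008-04-02 19:30:00", "198.51.100.7"),
] + [("p1003", f"2008-04-02 {h:02d}:05:00", "192.0.2.10") for h in range(24)]

def locate(ip):
    """Return (city, country), or a placeholder when the IP is unmapped."""
    return GEO.get(ip, ("unknown", "??"))

def find_suspicious(log, window=timedelta(hours=1), daily_limit=20):
    """Flag impossible geography and excessive usage per patron."""
    by_patron = defaultdict(list)
    for patron, ts, ip in log:
        by_patron[patron].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip))
    findings = []
    for patron, hits in sorted(by_patron.items()):
        hits.sort()
        # Impossible geography: consecutive hits from different countries
        # that are no further apart in time than `window`.
        for (t1, ip1), (t2, ip2) in zip(hits, hits[1:]):
            if locate(ip1)[1] != locate(ip2)[1] and t2 - t1 <= window:
                findings.append((patron, "impossible-geography",
                                 f"{locate(ip1)[0]} -> {locate(ip2)[0]} in {t2 - t1}"))
        # Excessive usage: more than `daily_limit` accesses on one calendar day.
        per_day = defaultdict(int)
        for t, _ in hits:
            per_day[t.date()] += 1
        for day, n in sorted(per_day.items()):
            if n > daily_limit:
                findings.append((patron, "excessive-usage", f"{n} accesses on {day}"))
    return findings

if __name__ == "__main__":
    for row in find_suspicious(LOG):
        print(row)
```

A flagged patron is a lead for review: the Findings slide lists proxies and shared or compromised accounts as different causes of the same pattern.
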
Example - Odd Location
• Found our Siberian user:

Example - “Excessive” Usage
• This is one user for one day:

Example - Impossible Geography
• Two Users - Two Stories:
  • Legitimate
  • Problematic

Findings
• Site/Organization utilizes proxies
• Account info left in browser
• Explicit sharing of account
• Account compromised

Access Results
          2007       2008
        --------   --------
Apr      30,526     38,666
--- take user access actions ---
May      28,469     32,003
June     29,439     25,656
July     31,747     30,935

Follow-Up
“Doveryai, No Proveryai” (Trust, but Verify)
• Re-run script periodically to check compliance

Resources
• Google Analytics
  • http://www.google.com/analytics/
• GeoLite City
  • http://www.maxmind.com/app/geolitecity
• This Presentation
  • http://www.lrc.usuhs.mil/brown/MAC-MLA2008_Spitzer.pps
• My Contact Information
  • Stephan.Spitzer.ctr@lrcm.usuhs.mil

Questions?