
Do You Really Know Who is Using Your Systems?

Uniformed Services University of the Health Sciences. James A. Zimble Learning Resource Center. Do You Really Know Who is Using Your Systems? Stephan Spitzer, Lead Developer/DBA, Applied Medical Informatics, James A. Zimble Learning Resource Center. Problem Overview.


Presentation Transcript


  1. UNIFORMED SERVICES UNIVERSITY of the Health Sciences James A. Zimble Learning Resource Center Do You Really Know Who is Using Your Systems? Stephan Spitzer Lead Developer/DBA, Applied Medical Informatics James A. Zimble Learning Resource Center MAC-MLA 2008

  2. Problem Overview
     “On the Internet, Nobody Knows You’re a Dog”
     A cartoon by Paul Steiner, which appeared in The New Yorker, July 5th, 1993

  3. Who We Are?
     • Uniformed Services University of the Health Sciences (USUHS)
     • Medical education and research facility for the nation’s military and public health community
     • Located in Bethesda, Maryland

  4. Electronic Resources (ER)
     • Portal to over 9,000 electronic resources
     • Services over 7,500 global users:
       • Current students and staff
       • Alumni
       • Affiliate institutions

  5. ER - Main Display

  6. Why Worry About Access?
     • Most of our resource offerings are limited by license agreements
     • We need to have accurate usage statistics so that we supply resources for our legitimate users
     • Affiliate institutions pay us per user
     • We have a large, mobile, diverse, and dispersed user population

  7. First Step - Record Access Information
     ACTION:
     • Each user signon date and time is saved with patron record
     RESULT:
     • Inactive users can be purged from the active user database
     ACTION:
     • Each user access of an electronic resource is logged, including browser’s IP address
     RESULT:
     • Have basis for more detailed checking

  8. Google Analytics - Next Step
     • Free service gathers various usage information about web sites
     • Simple to configure

  9. Google Analytics - Dashboard

  10. Google Analytics - Network Detail

  11. What’s Missing?
      • We have user’s access information
      • We have locations that accessed our resources
      • Need to match: LOCATION <> USER

  12. Matching IP to Location - What Doesn’t Work (Well)
      • Internet’s Domain Name System (DNS)
      • Distributed database of name servers
      • Resolve names to locations
      • http://network-tools.com/ information via browser
      • Nslookup, whois client, etc. are real-time (i.e., too slow)
      • Need something static and fast

  13. GeoLite City - The Missing Link
      • Open Source (free) database of geographic information
      • Maps IP to City/Country, world-wide
      • Self-contained database
      • Simple API available for most programming languages

  14. Putting It All Together
      • Wrote PHP script to query MySQL access logs and call GeoCity API to get user locations
      • Find each patron access within a timeframe and list where and when they accessed our resources

  15. Suspicious Activity
      • Odd Locations
        • Siberia?; Philippines?
      • “Excessive” Usage
        • Access 24x7; lots of access in short timeframes; consistent high access
      • Impossible Geographic/Timeframe Usage
        • Different cities/countries/continents in same day/hour

  16. Example - Odd Location
      • Found our Siberian user:

  17. Example - “Excessive” Usage
      • This is one user for one day:

  18. Example - Impossible Geography
      • Two Users - Two Stories:
        • Legitimate
        • Problematic

  19. Findings
      • Site/Organization utilizes proxies
      • Account info left in browser
      • Explicit sharing of account
      • Account compromised

  20. Access Results
                2007      2008
              --------  --------
      Apr      30,526    38,666
      --- take user access actions ---
      May      28,469    32,003
      June     29,439    25,656
      July     31,747    30,935

  21. Follow-Up
      “Doveryai, No Proveryai” (Trust, but Verify)
      • Re-run script periodically to check compliance

  22. Resources
      • Google Analytics
        • http://www.google.com/analytics/
      • GeoLite City
        • http://www.maxmind.com/app/geolitecity
      • This Presentation
        • http://www.lrc.usuhs.mil/brown/MAC-MLA2008_Spitzer.pps
      • My Contact Information
        • Stephan.Spitzer.ctr@lrcm.usuhs.mil

  23. Questions?
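
The three checks from slide 15, run over access-log rows of the kind slide 14 describes, as an added Python example that is not the presenter's PHP script. The log rows, the IP-to-location table (standing in for GeoLite City lookups), the home-country list and the thresholds are all constructed assumptions.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed stand-in for GeoLite City lookups: IP -> (city, country, lat, lon).
GEO = {
    "192.0.2.10": ("Bethesda", "US", 38.98, -77.10),
    "198.51.100.7": ("San Diego", "US", 32.72, -117.16),
    "203.0.113.5": ("Novosibirsk", "RU", 55.03, 82.92),
}
# Constructed access-log rows: (patron id, timestamp, browser IP).
LOG = [
    ("p100", "2008-04-02 09:00", "192.0.2.10"),
    ("p100", "2008-04-02 09:40", "203.0.113.5"),
    ("p200", "2008-04-02 08:00", "192.0.2.10"),
    ("p200", "2008-04-03 20:00", "198.51.100.7"),
] + [("p300", "2008-04-02 %02d:15" % h, "198.51.100.7") for h in range(24)]

def km(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    (la1, lo1), (la2, lo2) = [tuple(map(math.radians, p)) for p in (a, b)]
    h = math.sin((la2 - la1) / 2) ** 2 + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * math.asin(math.sqrt(h))

def review(log, geo, home=("US",), max_kmh=900, max_per_day=20):
    """Return {patron: flags}; home, max_kmh and max_per_day are assumed thresholds."""
    flags, per_day, by_user = defaultdict(set), defaultdict(int), defaultdict(list)
    for patron, ts, ip in log:
        _, country, lat, lon = geo[ip]
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        by_user[patron].append((when, (lat, lon)))
        per_day[(patron, when.date())] += 1
        if country not in home:
            flags[patron].add("odd_location")
    for (patron, _), n in per_day.items():
        if n > max_per_day:
            flags[patron].add("excessive_usage")
    for patron, hits in by_user.items():
        hits.sort()
        # Implied speed between consecutive accesses; 1-minute floor avoids dividing by zero.
        for (t1, p1), (t2, p2) in zip(hits, hits[1:]):
            hours = max((t2 - t1).total_seconds() / 3600, 1 / 60)
            if p1 != p2 and km(p1, p2) / hours > max_kmh:
                flags[patron].add("impossible_travel")
    return dict(flags)

if __name__ == "__main__":
    for patron, found in sorted(review(LOG, GEO).items()):
        print(patron, sorted(found))
```

A flag is a lead for review rather than a verdict: slide 19 lists proxies among the causes found, alongside shared and compromised accounts.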
