OxCERT's ability to detect security incidents depends on monitoring of the University backbone and of core University services, and on data obtained from other sources both within and outside the University. The purpose of this document is to describe what monitoring is performed and the purposes for which the information gathered may be used; it was approved by OUCS Senior Management in May 2010.
Such monitoring will inevitably impinge to some extent on users' privacy; this must be balanced against the risks of not performing such monitoring. Whereas OxCERT's monitoring involves a limited amount of personal data being exposed to a trusted team within the University, the effects of many compromises are to risk exposure of much more information to the attackers and loss of all control over how that information may be used. Information-stealing malware infections are all too common on desktop PCs and may potentially capture any data stored on that system, together with usernames and passwords for other systems which have been accessed via that PC. Typically such infections only affect a single user's data; a compromise of a server may affect the data of hundreds or thousands of users. Where possible, processes have been automated so that no more information than is necessary is exposed to OxCERT staff; however some degree of manual review is required in order to minimise the risks of false positives.
Historically, when handling incidents OxCERT were generally only interested in computer identifiers (for instance IP address, MAC address) rather than identifiers of individual persons such as usernames, and for many incidents this remains the case. However, as network authentication methods evolve and the threat landscape changes, OxCERT find it increasingly necessary to record such personal identifiers. For instance, authentication to VPN and 802.1x-based networks is by username, while usernames are recorded when handling infections involving information-stealing malware owing to the risks of subsequent abuse of users' accounts. In most cases it will not strictly be necessary for OxCERT to map a username to the name of a person but in general this will be done as part of the team's notifications for the benefit of the local IT staff.
All data are gathered and stored in accordance with UK law, and with University and IT Services policy on collection and log retention.
2. Data collected by OxCERT
The following data are collected by OxCERT's own systems. Access to these data is limited to members of OxCERT.
- Network flow data
  - Network flow data are collected from each backbone router and stored in standard formats. These record communications data (source and destination addresses and ports) and statistics for every communication across the University backbone network. Only packet headers are considered and not payload; the information gathered is that needed in any case for the router to send the packet to its destination.
- Signature-based packet captures
  - OxCERT's monitoring at the edge of the University network can in theory capture any network traffic flowing in or out of the University. Routinely capturing all traffic in detail would constitute a gross invasion of users' privacy. However, reliable detection of specific threats to the University network requires reading beyond the TCP/IP headers of packets. Packet headers and/or payload matching certain specific patterns strongly indicative of malicious activity may be automatically captured and logged for analysis by members of OxCERT. Matching packets will be seen by members of OxCERT in order to confirm the presence of malicious activity; non-matching packets will not be seen by the team.
- Other packet captures
  - In addition to the above signature-based matching, under certain circumstances, where there is strong evidence for malicious activity, it may be necessary to monitor specific communications channels in greater detail. An audit trail exists of all channels monitored in this manner.
- Network monitors
  - A series of network monitors at various points around the University network exist for the purpose of identification of malicious or suspect traffic. Legitimate network traffic should not reach these monitors, but malicious traffic from inside or outside the University network that reaches these monitors may be recorded for analysis.
3. Additional data sources
Additionally, OxCERT have access, either directly or upon request, to data logged by many central University network services (for instance SMTP, DNS and VPN logs). Logs from certain college or department systems may also be made available to OxCERT for the purposes of tracing malicious network activity. It is the responsibility of the providers of these services to ensure that these data are made available in accordance with the appropriate privacy policies.
OxCERT also receive various automated and manual reports from various organisations external to the University. Where appropriate and permitted by OxCERT's agreement with the external organisation, information gained from these reports may be redistributed in order to inform system administrators of an incident.
4. Data retention
A record of all incidents is retained indefinitely, including correspondence and summary data.
Detailed data relating to a specific incident may be retained until the conclusion of all investigations related to that incident.
Except where required for an ongoing investigation, network flow data will be retained for a minimum of ninety days and a maximum of one year.
5. Distribution of information
At times OxCERT will need to share information with others, for instance as part of an ongoing investigation. The aim will be at all times to respect users' privacy and to disclose no more personal data than is necessary for proper and prompt investigation of the incident in hand. In most cases, the data will be shared within the University, for instance with a user's local IT support staff or with the IT Services helpdesk.
In certain circumstances it may be necessary to share data with University disciplinary authorities; this will be done upon request of the appropriate University official and with the knowledge of at least one senior manager at IT Services.
Data may be made available to authorised external bodies (normally law enforcement, criminal or civil courts) where required by law.
In reporting specific instances of abuse to an external third party it may be necessary to include a limited amount of personally-identifying information in order that the particular instance of abuse can be traced. For example, a local IP address may be specified as receiving malicious network traffic, or a spam report to another university may include sufficient information to determine the local recipient; omitting such information would merely make it difficult or impossible for the third party to trace the origin of the problem.
Anonymised and accumulated data (for instance, details of overall network traffic volumes, number of incidents handled) may be made available without restrictions, since no personally-identifying information is being disclosed.