The University of Oxford's Computer Emergency Response Team's (OxCERT) ability to detect security incidents is dependent on monitoring of the University backbone and of core University services, and from data obtained by other sources both within and outside the University.
The purpose of this help page is to describe what monitoring is performed and the purposes to which the information gathered may be used.
- Monitoring, data and privacy
- Data collected by OxCERT
- Network flow data
- Signature-based packet captures
- Other packet captures
- Network monitors
- Support for University members
- Support for IT Support Staff
- Further information
Monitoring, data and privacy
Such monitoring will inevitably impinge to some extent on users' privacy; this must be balanced against the risks of not performing such monitoring. Whereas OxCERT's monitoring involves a limited amount of personal data being exposed to a trusted team within the University, the effects of many compromises are to risk exposure of much more information to the attackers and loss of all control over how that information may be used. Information-stealing malware infections are all too common on desktop PCs and may potentially capture any data stored on that system, together with usernames and passwords for other systems which have been accessed via that PC. Typically such infections only affect a single user's data; a compromise of a server may affect the data of hundreds or thousands of users. Where possible, processes have been automated so that no more information than is necessary is exposed to OxCERT staff; however some degree of manual review is required in order to minimise the risks of false positives.
Historically, when handling incidents OxCERT were generally only interested in computer identifiers (for instance: IP address, MAC address) rather than identifiers of individual persons such as usernames, and for many incidents this remains the case. However, as network authentication methods evolve and the threat landscape changes, OxCERT finds it increasingly necessary to record such personal identifiers. For instance, authentication to VPN and 802.1x-based networks is by username, while usernames are recorded when handling infections involving information-stealing malware owing to the risks of subsequent abuse of users' accounts. In most cases it will not strictly be necessary for OxCERT to map a username to the name of a person but in general this will be done as part of the team's notifications for the benefit of the local IT staff.
Data collected by OxCERT
The following data are collected by OxCERT's own systems. Access to these data is limited to members of OxCERT.
Network flow data
Network flow data are collected from each backbone router and stored in standard formats. These record communications data (source and destination addresses and ports) and statistics for every communication across the University backbone network. Only packet headers are considered and not payload; the information gathered is that needed in any case for the router to send the packet to its destination
Signature-based packet captures
OxCERT's monitoring at the edge of the University network can in theory capture any network traffic flowing in or out of the University. Routinely capturing all traffic in detail would constitute a gross invasion of users' privacy. However, in order for reliable detection of specific threats to the University network it is necessary to read beyond the TCP/IP headers of packets. Packet headers and/or payload matching certain specific patterns strongly indicative of malicious activity may be automatically captured and logged in order for members of OxCERT to analyse. Matching packets will be seen by members of OxCERT in order to confirm the presence of malicious activity; non-matching packets will not be seen by the team.
Other packet captures
In addition to the above signature-based matching, under certain circumstances, where there is strong evidence for malicious activity, it may be necessary to monitor specific communications channels in greater detail. An audit trail exists of all channels monitored in this manner.
A series of network monitors at various points around the University network exist for the purpose of identification of malicious or suspect traffic. Legitimate network traffic should not reach these monitors, but malicious traffic from inside or outside the University network that reaches these monitors may be recorded for analysis.
Support for University members
OxCERT will never directly contact a University member regarding issues related to network monitoring. In the event that you have any concerns about network monitoring, please contact your local ITSS team.
Support for IT Support Staff
Please see the following pages for more information on network monitoring and our intrusion detection system, or contact firstname.lastname@example.org or the team's extension 82222 with any further questions.
Network Monitoring - information for ITSS