The University of Oxford's Computer Emergency Response Team's (OxCERT) ability to detect security incidents is dependent on monitoring of the University backbone and of core University services, and on data obtained from other sources both within and outside the University. The purpose of this document is to describe what monitoring is performed and the purposes for which the information gathered may be used; it was approved in May 2010 by the OUCS Senior Management Team.
Such monitoring will inevitably impinge to some extent on users' privacy; this must be balanced against the risks of not performing such monitoring. Whereas OxCERT's monitoring involves a limited amount of personal data being exposed to a trusted team within the University, the effects of many compromises are to risk exposure of much more information to the attackers and loss of all control over how that information may be used. Information-stealing malware infections are all too common on desktop PCs and may potentially capture any data stored on that system, together with usernames and passwords for other systems which have been accessed via that PC. Typically such infections only affect a single user's data; a compromise of a server may affect the data of hundreds or thousands of users. Where possible, processes have been automated so that no more information than is necessary is exposed to OxCERT staff; however some degree of manual review is required in order to minimise the risks of false positives.
Historically, when handling incidents OxCERT were generally only interested in computer identifiers (for instance IP address, MAC address) rather than identifiers of individual persons such as usernames, and for many incidents this remains the case. However, as network authentication methods evolve and the threat landscape changes, OxCERT find it increasingly necessary to record such personal identifiers. For instance, authentication to VPN and 802.1x-based networks is by username, while usernames are recorded when handling infections involving information-stealing malware owing to the risks of subsequent abuse of users' accounts. In most cases it will not strictly be necessary for OxCERT to map a username to the name of a person but in general this will be done as part of the team's notifications for the benefit of the local IT staff.
All data are gathered and stored in accordance with UK law, and with University and IT Services policies. Please see the Information Security Team's privacy statement for further details.
Data collected by OxCERT
The following data are collected by OxCERT's own systems. Access to these data is limited to members of OxCERT.
Network flow data
Network flow data are collected from each backbone router and stored in standard formats. These record communications data (source and destination addresses and ports) and statistics for every communication across the University backbone network. Only packet headers are considered and not payload; the information gathered is that needed in any case for the router to send the packet to its destination.
Signature-based packet captures
OxCERT's monitoring at the edge of the University network can in theory capture any network traffic flowing in or out of the University. Routinely capturing all traffic in detail would constitute a gross invasion of users' privacy. However, in order for reliable detection of specific threats to the University network it is necessary to read beyond the TCP/IP headers of packets. Packet headers and/or payload matching certain specific patterns strongly indicative of malicious activity may be automatically captured and logged in order for members of OxCERT to analyse. Matching packets will be seen by members of OxCERT in order to confirm the presence of malicious activity; non-matching packets will not be seen by the team.
Other packet captures
In addition to the above signature-based matching, under certain circumstances, where there is strong evidence for malicious activity, it may be necessary to monitor specific communications channels in greater detail. An audit trail exists of all channels monitored in this manner.
A series of network monitors at various points around the University network exist for the purpose of identification of malicious or suspect traffic. Legitimate network traffic should not reach these monitors, but malicious traffic from inside or outside the University network that reaches these monitors may be recorded for analysis.
Data collection requirements for Network Managers
It is vital within the University environment that the source of any abusive or malicious network traffic can easily be traced and isolated. Depending on the nature of the problem, it may be necessary to determine either the user or the computer responsible for particular traffic at a particular time. OxCERT will expect colleges and departments to be able to trace either upon request. Please refer to the logging of network access guidance for details.