Office of Information Security

We are in the process of deploying a Log Aggregation and Correlation tool. This tool will allow us to gather log data from a variety of sources and allows us to look for patterns of behavior.

It would be difficult to perform the same task manually, as there are thousands of logins a day. We also believe that by automating this process we improve privacy, as we’re not looking at all records, just the ones that match a certain criterion that represents a risk to the institution.

Log data does contain information of a personal nature, such as the IP address of the computer used to visit one of the OSU websites and which web pages were visited. It contains the date and time a system was accessed and which files were downloaded. This information could be used, in certain situations, to track activities to a geographic location. We’re very cognizant that such a tool could be abused, and we have policies, procedures, and technical safeguards in place to prevent misuse of this information.

Vulnerability scanning tools scan devices on the network to see if they are running outdated software that has a known vulnerability. These tools can also identify insecurely configured devices. Hackers frequently use these types of vulnerability to gain access to systems.

The Office of Information Security has two vulnerability scanning systems. One system has been placed just outside our network, and so gives us a view of what an external hacker would see. Because of the large number of systems on our network, we only perform limited scans, looking for new vulnerabilities. The other is placed within our firewalled infrastructure and performs more intensive scans. Result of the scans are forwarded to IT units across campus so they can fix any problems found.

The operation of vulnerability scanning tools represent a minimal risk to privacy.

Due to the size and complexity of our network, network firewalls are only deployed where needed. We use network segmentation to divide the network into functional areas and network firewalls are placed in front of segments where confidential data is processed.

The operation of firewalls represent a minimal risk to privacy.

Similar to the antivirus programs found on personal computers, network malware detection tools scan network traffic to spot harmful programs. Network malware detection tools use two methods to detect harmful programs: signature based and virtualized testing. Signature based detection compares observed network traffic against a database of known malware. During virtualized testing, the tool creates a virtual model of an operating system and runs the suspected malicious file in that model to see if it is harmful.

Network malware detection tools capture and store complete packets, including the data component, for every item they alert on. Because the tools are not perfect, this creates a slight risk to privacy for packets which are captured in the event of a false alarm. Fortunately, false alarms are rare. To mitigate this risk, access to network malware detection tools are limited to OIS employees and alerts are reviewed before sharing any data with technical staff for resolution.

Similar to network malware detection tools, intrusion detection systems look for patterns of behavior in network traffic to flag threats. Intrusion detection tools are signature based.

The Office of Information Security is in the process of deploying intrusion detection systems within network segments of high risk as an additional layer of security. Like network malware detection, intrusion detection systems capture the packets for traffic that generates an alert. False alarms are very rare, but possible, and so there is a slight risk to privacy if packets that are not a threat are captured. This risk is mitigated by removal of the captured packets for any event that is determined to be a false alarm.