OxCERT's ability to detect security incidents depends on monitoring of the University backbone and of core University services, and on data obtained from other sources both within and outside the University. The purpose of this document is to describe what monitoring is performed and the purposes for which the information gathered may be used; it was approved by OUCS Senior Management in May 2010.
Such monitoring will inevitably impinge to some extent on users' privacy; this must be balanced against the risks of not performing such monitoring. Whereas OxCERT's monitoring involves a limited amount of personal data being exposed to a trusted team within the University, many compromises risk exposing far more information to the attackers, with loss of all control over how that information may be used. Information-stealing malware infections are all too common on desktop PCs and may potentially capture any data stored on that system, together with usernames and passwords for other systems which have been accessed via that PC. Typically such infections only affect a single user's data; a compromise of a server may affect the data of hundreds or thousands of users. Where possible, processes have been automated so that no more information than is necessary is exposed to OxCERT staff; however, some degree of manual review is required in order to minimise the risk of false positives.
Historically, when handling incidents OxCERT were generally only interested in computer identifiers (for instance IP address or MAC address) rather than identifiers of individual persons such as usernames, and for many incidents this remains the case. However, as network authentication methods evolve and the threat landscape changes, OxCERT find it increasingly necessary to record such personal identifiers. For instance, authentication to VPN and 802.1X-based networks is by username, and usernames are recorded when handling infections involving information-stealing malware owing to the risk of subsequent abuse of users' accounts. In most cases it will not strictly be necessary for OxCERT to map a username to the name of a person, but in general this will be done as part of the team's notifications for the benefit of the local IT staff.