
Queen's University
 

What is a High Risk Security Incident?

Definition

A hacking attempt or possible compromise that affects a large group of University users and systems and has the potential for significant impact on, and embarrassment to, the University, including a privacy breach resulting from a hack, or illegal activity.

Response

Organized handling of an incident can mean the difference between complete recovery and total disaster. A logical approach to handling the different forms of attack, such as a system compromise, follows this sequence of steps:

  1. Preparation

    These are the measures that ensure you are well prepared should an incident happen: knowing who can handle an incident (a skilled person), making backup copies on a regular basis, real-time monitoring for security events, keeping software updated with security fixes for known vulnerabilities and keeping antivirus signatures current, and having a communication plan and a toolkit ready to use.

  2. Identification of Attack

    It is important to identify the characteristics of an attack before it can be properly contained. The incident handler gathers data, analyzes it, and then determines whether an incident has occurred. The handler must calmly assess the situation, be ready to communicate, and document all evidence so that it can later be used in a court of law if necessary.

  3. Containment of Attack

    Once an attack has been identified, steps must be taken to minimize and prevent any further damage from it. Containment lets the administrator stop the attack from spreading to other systems and networks. Recommended initial activities include disconnecting the network cable, modifying firewall rules, changing DNS data, or blocking access to the system via ACLs on packet-filtering layer 3 devices on campus. If forensic analysis is expected, capture volatile data (memory, running processes, active network connections) before the system is isolated or powered off; a block at the network edge preserves more of that state than pulling the cable or the plug. Once the attack has been contained, the remaining phases, eradication, recovery, analysis and any public notification requirements, are addressed.

  4. Eradication

    This phase removes any malicious code and data left by the intruder, after a copy of the compromised system has been made for forensic analysis. It includes closing any vulnerabilities the hacker used to break in in the first place. Once the cause of the compromise has been determined and is well understood, the system can be rebuilt from a known-good backup. A backup taken after the earliest evidence of compromise is not known-good, so check the backup date against the timeline established during identification. If no suitable backup exists, the system must be reinstalled from scratch, including the operating system.

  5. Recovery

    Return to normal operations. The system has been rebuilt either from scratch or from a backup, and is ready to be validated for production. This includes verifying that the system is secure, for example by confirming that the vulnerability that was exploited has been fixed, and monitoring it closely for signs of renewed compromise.

  6. Lessons Learned

    The final stage of incident handling is to learn from the mistakes discovered and not repeat them in the new structure. It can also lead to adding more security protection to prevent the event from happening again. This phase also involves preparing the final report.
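As an added example, not part of the original page, the following Python script illustrates the identification step and the evidence documentation it calls for. It parses a handful of constructed sshd log lines (not a real capture), flags any source address that achieves a successful login after a run of failed passwords, and hashes the supporting lines so that the copy handed to investigators can later be verified against the original. The log format, the failure threshold, and all host and address names are assumptions.

```python
"""Triage of sshd auth log lines: detect password guessing followed by a
successful login from the same source, and produce a hashed evidence record.
Added example; the log lines, hostnames, addresses and threshold are constructed."""
import hashlib
import json
import re
from collections import defaultdict

# Constructed sample log lines (not from a real system).
SAMPLE_LOG = """\
Mar  3 02:14:07 web1 sshd[2113]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Mar  3 02:14:09 web1 sshd[2113]: Failed password for invalid user admin from 203.0.113.45 port 51236 ssh2
Mar  3 02:14:11 web1 sshd[2113]: Failed password for root from 203.0.113.45 port 51240 ssh2
Mar  3 02:14:13 web1 sshd[2113]: Failed password for root from 203.0.113.45 port 51241 ssh2
Mar  3 02:14:15 web1 sshd[2113]: Failed password for root from 203.0.113.45 port 51243 ssh2
Mar  3 02:14:20 web1 sshd[2119]: Accepted password for root from 203.0.113.45 port 51250 ssh2
Mar  3 02:30:02 web1 sshd[2201]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Mar  3 02:31:44 web1 sshd[2205]: Failed password for alice from 198.51.100.9 port 40100 ssh2
"""

# Matches the common OpenSSH "Accepted"/"Failed" authentication messages.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

FAIL_THRESHOLD = 5  # assumption: tune to the environment being monitored


def parse(log_text):
    """Return one dict per recognised auth line, keeping the raw line as evidence."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({**m.groupdict(), "raw": line})
    return events


def find_compromises(events, threshold=FAIL_THRESHOLD):
    """One finding per source IP whose successful login follows >= threshold failures."""
    failures = defaultdict(list)
    findings = []
    for ev in events:
        if ev["result"] == "Failed":
            failures[ev["src"]].append(ev)
        elif ev["result"] == "Accepted" and len(failures[ev["src"]]) >= threshold:
            prior = failures[ev["src"]]
            findings.append({
                "host": ev["host"],
                "src": ev["src"],
                "user": ev["user"],
                "failed_attempts": len(prior),
                "first_seen": prior[0]["ts"],
                "login_at": ev["ts"],
                "evidence": [e["raw"] for e in prior] + [ev["raw"]],
            })
            failures[ev["src"]] = []  # start a fresh window for this source
    return findings


def evidence_record(finding):
    """Hash the raw lines so the copy given to investigators can be verified later."""
    blob = "\n".join(finding["evidence"]).encode()
    return {
        "sha256": hashlib.sha256(blob).hexdigest(),
        "line_count": len(finding["evidence"]),
        "summary": (f"{finding['src']} logged in to {finding['host']} as "
                    f"{finding['user']} after {finding['failed_attempts']} failures"),
    }


if __name__ == "__main__":
    for finding in find_compromises(parse(SAMPLE_LOG)):
        print(json.dumps({**finding, "record": evidence_record(finding)}, indent=2))
```

The script deliberately keeps the raw lines that support each finding rather than only a summary: the hash in the record is computed over exactly those lines, so an investigator holding a copy can recompute it and show the evidence has not been altered since triage. In the sample, only 203.0.113.45 is flagged; the normal key-based login from 198.51.100.7 and the single failure from 198.51.100.9 do not meet the threshold.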

Questions?

Please contact the Information Systems Security Office.

 
