A hacking attempt or possible compromise that affects a large group of University Users and Systems and has the potential for significant impact and embarrassment to the University including privacy breach due to a hack and illegal activity.
An organized handling of an incident can mean the difference between complete recovery and total disaster. The logical approach to handling different forms of attack, such as system compromise, will include the following sequence of steps:
These practices include measures that will make sure that you are well prepared should an incident happen. These include practices like making sure you know who can handle an Incident (skilled person), also that backup copies are done on a regular basis, real time monitoring for security events and updating software with security fixes against vulnerabilities and updating antivirus, and communication plans and pack of tools to use.
It is important to identify the characteristics of an attack before it can be properly contained. The person will gather data, analyze it, and then determines whether an incident has occurred. The incident handler must calmly assess the situation, be ready to communicate, and be ready to document all evidence such that it can later be used in a court of law if necessary.
Once an attack has been identified, steps must be taken to minimize and prevent any further damage from the effects of the attack. Containment allows the administrator to protect and prevent the spread to other systems and networks from the attack. The initial activities are recommended include disconnecting the network cables, modifying firewall rules or changing DNS data or blocking access to the system via ACLs on packet filtering layer 3 devices on campus, etc. Once the attack has been contained, the final phases are eradication, recovery, analysis and public notification requirements will be addressed.
This phase requires the removal of any malicious code and data left by the intruder after copy of the system is made of the compromised system for forensic analysis. This step includes closing any vulnerabilities holes that were used by the hacker to intrude in the first place. Once the cause of the compromise has been determined and well understood, the system can be rebuilt from a known good backup copy of the system. If no backup are found, then the system must be reinstalled from scratch including the operating system.
Return to normal operations. The system has either been rebuilt from scratch or rebuilt from a backup, and it is ready to be validated for production. This includes verifying the system is secure and will not be compromised again.
The final stage of incident handling is to learn from the mistakes discovered and not repeat them in the new structure. It can also lead to adding more security protection to prevent the event from happening again. This phase involves preparation of final report as well.
Please contact the Information Systems Security Office.