Procedures for handling a computer system compromise incident
- Don't panic. Be as calm and methodical as possible, while thinking about the next course of action.
- Do a quick assessment. Do not immediately shut down the machine, as important information about the compromise may be lost. If the machine is being used to attack others, or if the attacker is actively using or damaging the machine, or if the system contains confidential or sensitive information, you may need to disconnect it from the network. If this does not appear to be the case, leave the system intact for the moment.
- Report the problem. Call the University Information Security and Policy Office (ISPO) (335-6332) and report the problem as soon as possible. ISPO staff will help assess the damage and advise on next steps. Alternatively, you can contact the Information Security and Policy Office by sending an email message to firstname.lastname@example.org. After regular business hours, call the ITS Help Desk at 384-HELP (4357) to have them page a contact in the Information Security and Policy Office; explain your situation to the consultant if one is available, or follow the recorded emergency instructions to have the call escalated to the Information Security and Policy Office.
- Gather all the relevant information you can find. It is highly recommended that you consult with the Information Security and Policy Office before taking any direct action on the compromised machine. Information to gather may include, but is not limited to, system logs, directory listings, electronic mail files, screen prints of error messages, and database activity logs. Copy them to a safe location (that will not be deleted or over-written), so that you and the Information Security and Policy Office personnel can review them later. The ISPO has facilities available for making forensically sound images of computers for analysis.
- Take notes. Record all relevant information, including things you observed, actions taken, dates and times, and the like. It is best to log your activities as they occur. Over time, your actions and the order in which they were executed will not be easily remembered.
- Decide on a course of action for repair. The Information Security and Policy Office personnel will help determine the appropriate responses to recover from the incident. If you feel physically threatened, if system damage has occurred, or if theft of confidential data has occurred, you will probably need to report the incident to The Department of Public Safety, at 335-5022. They will advise you on legal aspects of the computer crime. If there is no physical damage or threat, and confidential data is not involved, and you just want to "clean up" and move on, that is an option. It is also an option to attempt to catch the culprit. The appropriateness of each course of action varies with the severity of the incident (amount of damage, legal implications, type of data involved, cost of recovery, etc.) and, in the case of department-owned systems, with department policy. The University Information Security and Policy Office will assist you in making a decision about the correct course of action, and will provide advice about additional protections that can be applied to your system to prevent future problems.
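The "gather information" and "take notes" steps above can be scripted so that every copied file is hashed and every action is time-stamped at the moment of collection, which is what makes the copies useful to reviewers later. The POSIX shell script below is an added example for illustration; it is not part of the university's procedure or any ISPO tool. The evidence directory layout, the function names, and the sample log files the demo creates are assumptions. On a real host you would point collect_evidence at the log directories you want preserved and at an evidence directory on separate media, so that log rotation or a later wipe cannot touch the copies.

```shell
#!/bin/sh
# Added example (not the university's procedure): preserve evidence from a
# suspect host into an evidence directory with a SHA-256 manifest and a
# timestamped notes log.
#
# Assumptions (illustrative, not from the original page):
#   - the evidence directory lives on separate media or a remote mount
#   - sha256sum (GNU coreutils) or shasum (Perl Digest::SHA) is available
set -u

# Append one UTC-timestamped line to the incident notebook (the "Take notes"
# step). UTC lets entries from several machines be ordered on one timeline.
note() {
    # $1 = evidence directory, remaining args = free-text note
    dir="$1"; shift
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$dir/notes.log"
}

# Hash a file with whichever SHA-256 tool exists; prints "<hash>  <path>".
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# collect_evidence SRC_DIR EVIDENCE_DIR
# Copies every regular file under SRC_DIR (e.g. /var/log on the real host)
# into EVIDENCE_DIR/files, records a directory listing, writes a SHA-256
# manifest of the copies, then makes the copies read-only.
collect_evidence() {
    src=${1%/}; out="$2"
    mkdir -p "$out/files" || return 1
    note "$out" "collection started from $src on $(uname -n)"

    # Directory listing of the source, as the procedure recommends.
    ls -laR "$src" > "$out/listing.txt" 2>/dev/null

    # cp -p keeps the original mtimes, which matter when building a timeline.
    find "$src" -type f -print | while IFS= read -r f; do
        rel=${f#"$src"/}
        mkdir -p "$out/files/$(dirname "$rel")"
        cp -p "$f" "$out/files/$rel"
    done

    # Integrity manifest: hash every copy so a later reviewer can prove the
    # evidence is unchanged since collection.
    : > "$out/MANIFEST.sha256"
    find "$out/files" -type f -print | sort | while IFS= read -r f; do
        hash_file "$f" >> "$out/MANIFEST.sha256"
    done

    # Remove write permission so a careless command cannot overwrite copies
    # (on Linux, chattr +i on the directory is a stronger option).
    chmod -R a-w "$out/files" "$out/MANIFEST.sha256"
    note "$out" "collection finished; $(wc -l < "$out/MANIFEST.sha256") files hashed"
}

# verify_evidence EVIDENCE_DIR: exit 0 only if every copy still matches its hash
verify_evidence() {
    out="$1"
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum -c "$out/MANIFEST.sha256" >/dev/null
    else
        shasum -a 256 -c "$out/MANIFEST.sha256" >/dev/null
    fi
}

# Demo on constructed sample logs (not real data) so the script runs offline.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src/sub"
    printf 'Jan  1 00:00:01 host sshd[1]: Accepted password for admin\n' > "$work/src/auth.log"
    printf 'Jan  1 00:00:02 host kernel: sample entry\n' > "$work/src/sub/kern.log"
    collect_evidence "$work/src" "$work/evidence"
    verify_evidence "$work/evidence" && echo "evidence verified in $work/evidence"
}
demo
```

The manifest records the copies' paths exactly as written, so verify_evidence must be run from the same working directory (or with absolute paths, as the demo does). Keep a second copy of MANIFEST.sha256 and notes.log off the host; together they show what was collected, when, and that it has not changed since.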
Other steps you should take:
- Change account passwords. All system accounts that were involved with the incident should have new passwords. Exceptions to this rule are accounts that are authenticated with tokens or certificates, in which case the PIN or pass-phrase for them should be changed. Never share your password (PIN or pass-phrase) with anyone, for any reason. Choose a strong password and change it often.
- Change the status of accounts, if necessary. In the event that a system administrator detects a problem with a system, or user activity on a system, a quick way to stop the unwanted activity is to "close" an account, by restricting access. This results in the account owner having to contact an administrator in order to remove the login restriction. This is not deleting the account, but is merely making the account temporarily unusable.
- Stop rogue service(s), if necessary. In the event that a system compromise or denial-of-service attack is underway, and you are unable to stop or kill the service(s), you may need to disconnect the machine from the network to get them stopped.
- Review your backup policies. If you believe your data and/or operating system has been compromised, you must ensure that a "clean" backup is available for restoration. If your next backup could overwrite an undamaged backup, take immediate steps to prevent that occurrence. If your policy includes multiple levels of backup, and you are uncertain how long the system has been compromised, you must determine which backup version to restore to. Until that time, do not allow any backups to be overwritten.
If you have questions about incident procedures e-mail: email@example.com.