Procedure for responding to a compromised computer report

Michael Crowley
2010-01-30; Rev: 2011-03-03

Purpose and application

The purpose of this Procedure is to provide instructions for responding to an actual or suspected compromise of College computing resources.

This Procedure applies to anyone using College computing resources that suspects that the security or privacy of these resources has been compromised. This Procedure also applies to situations where there has been no compromise but someone suspects their computing resources are actively being attacked. This Procedure does not apply to computing resources owned by students.

Definitions

Compromised computer
A Compromised Computer is defined as any computing resource whose confidentiality, integrity or availability has been adversely impacted, either intentionally or unintentionally, by an untrusted source. A compromise can occur either through manual interaction by the untrusted source or through automation. Examples are of compromise are:
- Gaining unauthorized access to a computer by impersonating a legitimate user or by conducting a brute-force attack
- Exploiting a loophole or problem in a computer's configuration
- A computer infected with a virus, worm, trojan or other malicious software
If the malicious software is detected and removed by antivirus software in a timely manner, it is probably not necessary to follow this process. Some level of judgment will need to be used in these situations. Symptoms of a Compromised Computer include, but are not limited to, the following:
Symptoms of compromise
- The computer is experiencing unexpected and unexplainable disk activity
- The computer is experiencing unexpected and unexplainable performance degradation
- Unexpected pop-up windows appear
- The computer's logs (e.g. system logs, application logs, etc.) contain suspicious entries that indicate repeated login failures or connections to unfamiliar services
- The computer displays unusual activity on the campus network.
- A notification is received from a third-party regarding suspicious activity originating from the computer
Personally identifiable information (PII) is defined by various state and federal regulations. In Massachusetts it is information that contains a last name and first name or first initial plus one or more of the following: social security number, drivers license or Mass ID, bank card number.
High risk: If a computer is known to contain PII, it should be considered as a high risk computer. Depending on the use of the computer, if it could have PII, it should be considered high risk.

Regulatory Requirements

The College is required by various state and federal regulations to investigate any incident that may involve the breach of personally identifiable information. The College is also required to notify an individual if the privacy of their personally identifiable information has been breached. Failure to preserve evidence or conduct an investigation related to a compromised computer could result in unnecessary financial costs for the College. It is also important that the details of a compromise and the ensuing investigation remain confidential.

Procedure

The following steps should be taken to response to an actual or suspected compromised computer. It is critically important that any high risk computer be thoroughly investigated by the Networking Department.

Steps to take with a compromised computer

Disconnect the computer from the network
Removing the computer from the network prevents it from damaging other systems and prevents it from any (further) information leaks to unknown recipients.
How to remove it from the network
- Unplug any ethernet cables
- Turn off the wireless interface if it has wireless
- If these steps cannot be taken or if the method is in doubt, power down the computer.
If the computer cannot be removed from the network immediately, the Networking Department should be notified to quarantine the system and/or turn off the switch port as soon as possible. Include identification information when contacting Networking.
Identify the computer and the symptoms
Record the MHC tag number of the computer, the username(s) of all the users of the computer, and the exact location of the computer.
If possible, include the ethernet (MAC) address and IP number. If the computer is high risk, the IP number must be determined. Networking needs the IP number immediately in order to save captured off-campus traffic from the computer.
Record all of the symptoms that led to the system being considered at risk of being compromised. Be detailed and get as much information from the person reporting the problem.
Do not investigate the computer. That could lead to the destruction of important evidence if the computer turns out to be treated as high risk.
Determine if the computer should be considered high risk.
If it is not known whether or not the computer is a high risk computer, it should be considered high risk.
All computers in some departments should be treated as high risk unless there is specific information mitigating that assessment. These include those departments in Mary Woolley, Skinner basement, and Mary Lyon.
Questions to determine if a computer should be considered high risk.
The user(s) of the computer should be asked the following exact questions:
- "In the course of your work, do you ever come into contact with or access social security numbers?"
- "In the course of your work, do you ever come into contact with or access ID numbers which are also social security numbers?" (The MHC ID numbers from the 1970s until approximately 2002 were social security numbers.)
- "In the course of your work, do you ever come into contact with or access to drivers licenses or Mass ID numbers?"
- "In the course of your work, do you ever come into contact with or access bank card numbers?"
Unless all answers are "no" or "never", the computer should be considered high risk. The computer should be considered high risk if any answer is "unknown" or "not sure".
A computer that is not considered high risk may be either disinfected or reimaged by CTMS. Once disinfected or reimaged, contact Networking to remove any quarantine.

Additional steps to follow for a computer considered to be high risk

Do not use the computer. Any use could alter important evidence.
Remove the disk and bring it to Networking.
Confirm that Networking has the proper IP number and has initiated the procedure for saving recent network traffic from that IP number.
Record the serial number of the disk.
Provide the user with a replacement hard disk.
Find out from the user whether or not there were critical work related files on the hard disk so that copies of those files can be made available as soon as possible.
Similarly, find out if there are special applications that are not on the standard image so that it can be determined what might be done.
Networking investigates the computer to determine if it is a high risk system. If it is a high risk computer, determine if a data breach has been detected or cannot be ruled out in a reasonable fashion.
A report is provided to the Director of Risk Management and the Chair of the Privacy/Security task force and further action is taken if warranted.