[unisog] Security Incident Handling Procedure

Brian Allen ballen at wustl.edu
Fri Mar 24 17:37:41 GMT 2006

Not being allowed to shut off ports for infected machines, even if they belong to students with vocal parents, is unacceptable.  Every machine on the network needs to adhere to at least a basic network policy: automatic patching turned on, running up-to-date antivirus, some firewall turned on, and if the user gets infected because he clicked on a bogus Facebook IM link and didn't have his antivirus up-to-date, then he will be shut off until it is cleaned (and we'll even help him clean it).  Most of our students run Windows XP and we provide a free copy of Symantec 10, so the first three requirements should be easily met.

I will compromise on a great many issues in security to improve usability for our students, but this one is not negotiable.  If they are infected and causing harm to the rest of the network then we have to remove them.

Brian Allen
Network Security Analyst
Washington University

-----Original Message-----
From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org] On Behalf Of Jenkins, Matthew
Sent: Thursday, March 23, 2006 4:41 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Security Incident Handling Procedure

I would be interested in seeing what you come up with.  I presented some basic steps to my director several months ago.  It was decided that we would shut down student ports if we knew their machine was infected.  However, in the end, students' parents complained, and we had to turn the ports back on.  We have since begun to better secure our student access ports utilizing protected ports and ACLs so that they do not infect each other and make the problems worse.

I would say that our number one threat was coming from viruses distributed by student access ports.  Second to that are viruses on faculty/staff workstations, which have been sparse thanks to desktop and e-mail virus and spyware/adware scanning.  I would bet that after we are done locking our student access ports and wireless access down, we will see viruses from students be much less of a threat.

We have yet to develop incident response procedures; however, I definitely think that every organization needs them.

I did a quick Google search and came across these links that may help:


I found a few security-related resources on:


Matthew Jenkins
Network/Server Administrator
Fairmont State University
AOL: MLJenkinsCom  Yahoo: mljenkins  ICQ: 8116624  MSN
Visit us online at www.fairmontstate.edu
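The protected-port-plus-ACL approach Matthew describes above, written out as an added illustration; this is not configuration from the original thread or from Fairmont State's network. It assumes a Cisco Catalyst access switch with student ports on FastEthernet0/1-24, a student VLAN 100 on the assumed subnet 10.20.0.0/16, and a port-ACL-capable platform; all of those values are made up for the example.

```cisco
! Added example (not from the thread): isolate student access ports on a
! Cisco Catalyst access switch. Interface range, VLAN number and subnet
! are assumed values chosen for illustration.
!
! Port ACL applied inbound on each student port. It keeps DHCP working,
! blocks the Windows RPC/NetBIOS/SMB ports that worms of the era used to
! hop from one student PC to the next, and otherwise lets the host out.
ip access-list extended STUDENT-PORT-IN
 remark DHCP must still reach the server
 permit udp any eq bootpc any eq bootps
 remark Block worm propagation ports toward other student hosts
 deny   tcp any 10.20.0.0 0.0.255.255 range 135 139
 deny   tcp any 10.20.0.0 0.0.255.255 eq 445
 deny   udp any 10.20.0.0 0.0.255.255 range 135 139
 remark Everything else (gateway, campus servers, Internet) is allowed
 permit ip any any
!
interface range FastEthernet0/1 - 24
 description Student access port
 switchport mode access
 switchport access vlan 100
 ! Protected ports never forward traffic directly to another protected
 ! port on the same switch, so two infected PCs on this switch cannot
 ! reach each other at layer 2 even though they share the VLAN.
 switchport protected
 ! The port ACL filters frames as they enter the switch from the PC.
 ip access-group STUDENT-PORT-IN in
 ! Edge-port hygiene so a student device cannot disturb spanning tree.
 spanning-tree portfast
 spanning-tree bpduguard enable
```

Two caveats worth checking before relying on this: `switchport protected` only isolates ports on the same switch, so student PCs on two different access switches in the same VLAN can still reach each other unless the distribution layer uses private VLANs or an equivalent; and the ACL denies the worm ports only toward the student subnet, so file servers and print servers must live on a separate subnet for students to keep using them.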

From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org] On Behalf Of Tim Lane
Sent: Thursday, March 23, 2006 5:17 PM
To: UNIversity Security Operations Group
Subject: [unisog] Security Incident Handling Procedure

Hi Folks,

I am developing a written procedure "IT Security Incident Handling" to be followed in the event of an incident (mainly virus outbreak or hacking event).

Just wondered if anyone has already been down this track and has some developed procedure that they might like to share?


Tim Lane
Information Security Program Manager

Information Technology and Telecommunication Services
Southern Cross University
PO Box 157 Lismore NSW 2480

P02 6620 3290        02 6620 3033      tlane at scu.edu.au
t http://www.scu.edu.au 
