[unisog] Security Incident Handling Procedure

Martin Manjak MManjak at uamail.albany.edu
Fri Mar 24 18:13:27 GMT 2006


Amen! 

To get to this position you must notify parents and students of the network ground rules beforehand so they know what standards they will be held accountable to, and the consequences for being out of compliance.  In the fall of 2004, when we had about 800 hacked machines booted from our network, parents and students complained often and loudly, and they had a legitimate beef. They claimed that they could not do their school work without network access. So we bought a proxy server. The proxy allows "quarantined" students' machines access to albany.edu and a few, select off-campus sites that they need for remediation (ms updates, Symantec, and last, but by no means least, the venerable Jay Loden).

I firmly second Brian's sentiments. A hacked box is a threat to everyone, and if left unattended can create problems that would make an angry parent pale in comparison.


Martin Manjak
Information Security Officer
University at Albany 
GIAC GSEC



-----Original Message-----
From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org] On Behalf Of Brian Allen
Sent: Friday, March 24, 2006 12:38 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Security Incident Handling Procedure


Not being allowed to shut off ports for infected machines, even if they belong to students with vocal parents, is unacceptable.  Every machine on the network needs to adhere to at least a basic network policy: automatic patching turned on, running up-to-date antivirus, some firewall turned on, and if the user gets infected because he clicked on a bogus Facebook IM link and didn't have his antivirus up-to-date, then he will be shut off until it is cleaned (and we'll even help him clean it).  Most of our students run Windows XP and we provide a free copy of Symantec 10, so the first three requirements should be easily met.

I will compromise on a great many issues in security to improve usability for our students, but this one is not negotiable.  If they are infected and causing harm to the rest of the network then we have to remove them.

Brian Allen
Network Security Analyst
Washington University



-----Original Message-----
From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org] On Behalf Of Jenkins, Matthew
Sent: Thursday, March 23, 2006 4:41 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Security Incident Handling Procedure

I would be interested in seeing what you come up with.  I presented some basic steps to my director several months ago.  It was decided that we would shut down student ports if we knew their machine was infected.  However, in the end, students' parents complained, and we had to turn the ports back on.  We have since begun to better secure our student access ports utilizing protected ports and ACLs so that they do not infect each other and make the problems worse.

I would say that our number one threat was coming from viruses distributed by student access ports.  Second to that are viruses on faculty/staff workstations, which have been sparse thanks to desktop and e-mail virus and spyware/adware scanning.  I would bet that after we are done locking our student access ports and wireless access down, we will see viruses from students become much less of a threat.

We have yet to develop incident response procedures; however, I definitely think that every organization needs them.

I did a quick Google search and came across these links that may help: http://www.sans.org/resources/policies/item7.pdf

http://www.mtech.edu/NetServe/Security_Policies/Incident%20Handling%20Procedures.htm

I found a few security related resources on: http://www.educause.edu/

Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
304.367.4955
AOL: MLJenkinsCom  Yahoo: mljenkins  ICQ: 8116624  MSN
Visit us online at www.fairmontstate.edu
________________________________________
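A configuration of the kind Matt describes (protected ports plus a port ACL so that student machines on the same access switch cannot reach each other's Windows file-sharing and RPC services), as an added example that is not Fairmont State's configuration. It assumes a Cisco Catalyst 3560/3750-class access switch, a student VLAN 200 addressed from 10.200.0.0/16, and that the ports to isolate are FastEthernet0/1-24; all of those names and addresses are assumptions, not taken from the thread.

```cisco
! Added example: isolate student access ports from each other.
! Assumed switch: Catalyst 3560/3750, student VLAN 200 = 10.200.0.0/16.
!
! Port ACL: drop Windows RPC/NetBIOS/SMB traffic aimed at other student
! hosts before it leaves the access port. Everything else still passes,
! so the student can reach the campus network and the Internet.
ip access-list extended STUDENT-IN
 remark Block MS-RPC / NetBIOS / SMB toward the rest of the student range
 deny   tcp any 10.200.0.0 0.0.255.255 range 135 139
 deny   udp any 10.200.0.0 0.0.255.255 range 135 139
 deny   tcp any 10.200.0.0 0.0.255.255 eq 445
 deny   udp any 10.200.0.0 0.0.255.255 eq 445
 permit ip  any any
!
! Access ports: "switchport protected" stops any direct layer-2 traffic
! between protected ports on this switch; the ACL is applied inbound
! (port ACLs are inbound-only on these platforms).
interface range FastEthernet0/1 - 24
 description Student residence access port
 switchport mode access
 switchport access vlan 200
 switchport protected
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip access-group STUDENT-IN in
!
! Verification (assumed port):
!   show interfaces FastEthernet0/1 switchport | include Protected
!   show ip access-lists STUDENT-IN
```

Two caveats worth remembering: a protected port only blocks traffic to other protected ports on the same switch, so hosts on different access switches in the same VLAN can still reach each other unless you use private VLANs or a matching ACL at the distribution layer; and nothing here stops an infected machine from attacking hosts outside the student range, which is why the thread still ends up at shutting off the port.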
From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org] On Behalf Of Tim Lane
Sent: Thursday, March 23, 2006 5:17 PM
To: UNIversity Security Operations Group
Subject: [unisog] Security Incident Handling Procedure

Hi Folks,

I am developing a written procedure "IT Security Incident Handling" to be followed in the event of an incident (mainly virus outbreak or hacking event).

Just wondered if anyone has already been down this track and has some developed procedure that they might like to share?

Thanks,

Tim
Tim Lane
Information Security Program Manager

Information Technology and Telecommunication Services
Southern Cross University
PO Box 157 Lismore NSW 2480

02 6620 3290 / 02 6620 3033 / tlane at scu.edu.au
http://www.scu.edu.au 

_______________________________________________
unisog mailing list
unisog at lists.sans.org http://www.dshield.org/mailman/listinfo/unisog



