Road map Mason’s landscape Current Defense Measures Incident Handling History Refining Central IT Incident Handling Procedures
About Mason Public University Main campus in Fairfax, Virginia, is 2 miles from regional interstates and 20 miles from Washington, D.C. Nearly 30,000 students and 7,000 staff and faculty. Four campuses in four counties (5 th campus in UAE). Part of Internet2-Abeleine and National Lambda Rail. Central IT Organization – Information Technology Unit (ITU)
Current Elements of Defense Policies: RUC, Stewardship, Public Internet Address, Wireless Networking People: Security Awareness, Community Involvement through Groups Host & Application: Managed Desktops – M.E.S.A. Network: ResNet-Quarantine System, Firewalls, Unified Threat Management
Mason’s Incident Response History VP of Information Technology initiative. Began taking shape summer 2004 through fall 2004. Researched government and university incident handling procedures. Consensus: Computer Security Incident Response Team (CSIRT)
CSIRT: Two Teams 1. Technicians responsibilities First to respond and evaluate situation. Preserve the evidence while investigating. Contain the problem. 2. Executives responsibilities Report incidents to VITA per Commonwealth Legislative Directive Code of Virginia § 2.2-603.G Create a unified communication strategy.
Ready or not… January 2005 ID Server incident occurs Teams are activated Unfortunately we still make the NEWSPAPER HEADLINES
M edia S crap Book Memories JANUARY 10, 2005 (COMPUTERWORLD) Hacker compromises data at George Mason University Private information on 32,000 students and staff was compromised JANUARY 10, 2005 (CNET News) Hackers steal ID info from Virginia university George Mason University confirmed on Monday that the personal information of more than 30,000 students, faculty and staff had been nabbed by online intruders. JANUARY 11, 2005 (USA Today) Hackers capture info from George Mason U. JANUARY 11, 2005 (Washington Post) Vital Files Exposed In GMU Hacking A computer hacker apparently broke into a George Mason University data base containing student and employee Social Security numbers, leaving 32,000 people uncertain whether their finances or identities might be compromised. JANUARY 13, 2005 (WASHINGTON POST) George Mason Officials Investigate Hacking Incident JANUARY 10, 2005 (ZDNET UK) University suffers massive ID data theft JANUARY 25, 2005 (THE HILL TOP) Hacking at George Mason Stirs Concerns at Howard Some students at Howard University are wondering if they, too, could be at risk for identity theft after a recent incident at George Mason University in which a computer hacker broke into the data base by entering password after password.
Outcome of ID Server Incident Communication, collaboration and community prevail. Mason police maintain important relationships with agencies that focus on cybersecurity. Mason establishes relationship with company specializing in forensics and risk management. Experience spike in reports of suspected compromised machines. Opportunity to review incident handling procedures.
Refining the process-Institutionalize Responsibility and ownership. "Cyber Security on Campus" Executive Awareness Video "Cyber Security on Campus" Executive Awareness Video Define incident handling objectives- focus ITU. Who should be involved? What are the objectives? When should incident response team be activated? Why formalize the incident handling process?
Who is involved? CSIRT Execs VP IT, President and VP of University Relations Advisors from Human Resources, Legal, Safety, and Police. Server Support Group Network Engineers Support Center Desktop Support Services email@example.com Communicate findings Provide direction CSIRT-Techs
What are CSIRT-Techs main objectives? First response. Evaluate the situation. Is it an incident? Preserve the evidence. Contain the problem.
Incident Classification Guide Classification Levels Urgency Level Response Unit CharacteristicsExampleLikelihood to get a Call at SC 0 Standard 16 hours DSS*Annoyance or inconvenience for a single user Low-impact Virus or Spyware Very Likely 1 Immediate 8 hours DSS*Compromises non-sensitive data for a single user Malicious virusLikely 2 Immediate 8 hours DSS*Compromised account access for a single user Faculty/staff’s account has been shared Likely 3 Immediate 8 hours CSIRT**Compromised sensitive data for a single user Faculty’s desktop with names and grades on it. Credit card information. Likely 4 Immediate 8 hours CSIRT**Affects data or services for a group Banner Security Officer Account compromised Rare 5 Emergency 4 hours CSIRT**Large segment of universityID Server hacked intoVery Rare *DSS Desktop Support Services **CSIRT Computer Security Incident Response Team
Updated: 02/20/06 Customer Contacts SC Is it Faculty/Staff? Inform Student to seek Professional Help Consult Matrix to Determine Classification Assign Incident: Urgency Level = Standard Group = DSS Is it Level 0?Is it Level 1-2?Is it Level 5? Assign Incident: Urgency Level = Immediate Group = DSS Call DSS Assign Incident: Urgency Level = Emergency Group = CSIRT Call CSIRT Contact & Activate CSIRT phone tree Clean Workstation Is it Level 3-4? Assign Incident: Urgency Level = Immediate Group = CSIRT Call CSIRT Contact & Activate CSIRT phone tree Close Incident Is there a compromise? Call CSIRT Contact & Activate CSIRT phone tree No Yes No Yes Support Center Procedures
When to activate CSIRT If a compromised computer is suspected or confirmed to contain highly sensitive data. If a computer with a Mason IP address is probing another Mason computer.
Server Support Group and NET Initiate a Magic (help desk system) ticket. ID suspected computer. Alert CSIRT by telephone.
Everyone Remain calm and professional while investigating suspected and confirmed incidents. Main objectives are to Preserve the evidence. Contain the problem. Limit all discussions regarding incidents to those directly involved.
Community Message re: CSIRT? If you suspect that your computer has been compromised you should: Stop what you are doing with the computer. Call the ITU Support Center.
Why formalize Incident Handling? Preparedness Define roles and responsibilities. Everyone knows what to do and when to do it. Metrics Tickets provide tracking system. Repeat offenders. Trends.
Resources Educause http://www.educause.edu/security Data Notification Checklist and more Questions? Cathy HubbsDavid Escalante firstname.lastname@example.org@bc.edu